
Does Spamcop even help the problem?



Most responsible/major/national ISP IP's are currently on a blacklist.

Major/national does not equal responsible. In fact, historically major corporations are the most irresponsible of everyone's resources. The only way that they become responsible is by law (not practical for the internet) or by overwhelming negative public opinion. I personally find that I, the consumer, am not able to control the methods that major/national ISP's use to control spam - because the details and methods are not available to me, the consumer - to be more horrifying than spam. I like to have an informed opinion and the ability to choose among alternatives. I do not want some ISP policy to determine what is allowed in my in box unless I know what they are using and can choose my ISP based on that criterion.

They may have an infected customer PC or be compromised, so all the clients get hurt

So do the passengers on a bus get hurt if the bus operator is incompetent or careless. Passengers on airplanes complain of delays if there is a mechanical problem, but they understand the necessity of checks and delays. There is no reason for people to think that email service always has to be perfect. OTOH, if there are constant outages because of ISP policy, then they have every right to complain to the ISP or find a reliable one.

Miss Betsy


I'm one of those who gets 100+ spams per day. Currently two or three of them get through SpamCop's filters, and when I report them, I feel I'm doing some good, for - rightly or wrongly - I assume I'm alerting somebody to a new spammer.

Maybe I'm only alerting a machine, but I get satisfaction from thinking that the reporting of spam results in the discouraging of spammers.

Reading the posts in this forum undermines this satisfaction a little. There are certainly people who think SpamCop is not doing a good job, but their arguments are far too technical for me. So let me invite you to review the following paragraphs:

When an item of spam is reported, I believe the "IP address" (a bunch of numbers separated by dots) goes onto some kind of blacklist. There is, I believe, an "IP host" involved (a business or organization which "owns" a series of IP addresses) and sometimes - when is not always clear - all mail emanating from all IP addresses owned by that host are then blacklisted.

The effect of a blacklist is not clear to me either. If the IP from which I send my email is part of a blacklisted host, sometimes I might never know. My email disappears into the ether, and only when I meet the recipient on the street and say "Did you get my email?" that it turns out he never got it.

For example, this happened to me recently with respect to incoming mail from a friend (you can view my befuddled post in the help forum under Will anyone help me understand this header?) where SpamCop defined his email as spam and put it in "Held Mail." He never knew his outgoing mail was treated that way.

Only if my ISP (look at me! Forced to use all these dratted initials just like a tech-head!) sends him a message - and not all do - saying "Your message has been blocked as spam" would he become aware of his ISP's blacklisted status.

I might be missing something here. My status with SpamCop is as a "mole." It's as if I "whisper" the IP addresses of my spam to SpamCop, and they are placed on a blacklist without any notice to their administrators. Maybe if I were the other kind of SpamCop customer, notices would go out to all administrators of all IP addresses that send me what I declare to be spam. But that makes me wonder whether being a "mole" is doing more harm than good!

Meanwhile, other posts in this forum suggest that spammer technology has reached the point where they can "fake" an IP address - or is it that they can hijack someone else's computer from a remote location and literally send out their emails from it? Blacklisting that computer's IP - provided notice is sent to their administrator - would thus get them to quickly work to get a defence against hijacking. Again, I wonder if my "mole" status prevents this worthy process from happening?

Congratulations for reading this far!

Now, the acid test:

I want to compliment Miss Betsy. Her posts are invariably reasoned, calm, and written in ordinary language. Some of the other volunteers use a lot of technical jargon, and I don't understand what they are saying. And, it is also true that some volunteers use snappy remarks that can intimidate the newbie. The acid test is, I sincerely hope that a person reading this and wishing to help me understand things more fully, will be able to respond with the patience and tone Miss Betsy commonly uses. There are others who use that tone - but she stands out. I have never been rudely treated in this forum (others have been in my opinion), but I have sometimes been totally mystified by jargonese in what are clearly intended to be helpful answers to my questions.

Stephen Underwood Posted: Apr 21 2004, 07:55 AM

1. I refuse to give up the address I have used for 8+ years because of spammers. It is well circulated among my friends and family, especially those I'm not in contact with regularly.

2. I use spamcop because I want to stop spammers (or at least bother them), and I can not do that if I don't receive spam.

Like Stephen Underwood (another courteous person, I might add), I have used my email address for 9+ years, and have correspondents from all over the world. I cannot possibly notify them all should I change my address in an attempt to defeat spammers. I'd rather pay SpamCop to help me sort through the 100+ items of spam per day. Also, like Stephen, I hope I'm doing something to stop, or at least bother, the spammers.

I'm reading and replying in this topic because I need some reassurance that I really am helping to stop or bother them.

Finally. I have a very full life, and only visit the forum in rare moments of free time - once every couple of weeks. I visit because I'm curious about this very topic - does SpamCop even help???

Thanks for going all the way to the bottom of this post! You're a trooper!

Tony


Hi, Tony!

<snip>

So let me invite you to review the following paragraphs:

When an item of spam is reported, I believe the "IP address" (a bunch of numbers separated by dots) goes onto some kind of blacklist.

...Not exactly. As I understand it, SpamCop.net uses a formula that involves the number of total e-mails it sees coming from that IP address (it takes samples, it doesn't try to count every e-mail), the number of spam reports and the number of different users who are reporting the spam. That's to ensure, for example, that a lone report from a lone reporting user does not cause the IP address to be unfairly listed.

There is, I believe, an "IP host" involved (a business or organization which "owns" a series of IP addresses) and sometimes - when is not always clear - all mail emanating from all IP addresses owned by that host are then blacklisted.

...That's not my understanding -- only IP addresses that are reported are listed. Plus any IP address sending e-mail to "spam traps."

The effect of a blacklist is not clear to me either.  If the IP from which I send my email is part of a blacklisted host, sometimes I might never know.  My email disappears into the ether, and only when I meet the recipient on the street and say "Did you get my email?"  that it turns out he never got it.

...That could happen if the e-mail service to which you are sending e-mail does not tell you. Seems that many (most?) do send you a return e-mail to tell you. It could also happen if the e-mail were never delivered -- Internet does not guarantee e-mail delivery.

For example, this happened to me recently with respect to incoming mail from a friend (you can view my befuddled post in the help forum under Will anyone help me understand this header?) where SpamCop defined his email as spam and put it in "Held Mail." He never knew his outgoing mail was treated that way.

...Sounds like your friend either didn't read all the information provided to him or he needs to complain that he did not receive all the information he needs to understand how his e-mail service works. Also, unless your friend uses the SpamCop.net e-mail service, SpamCop did not put your e-mail in his "Held Mail" -- his e-mail service provider did that.

Only if my ISP (look at me!  Forced to use all these dratted initials just like a tech-head!) sends him a message - and not all do - saying "Your message has been blocked as spam" would he become aware of his ISP's blacklisted status.

...Whoa! You've changed things around, now! :) <g> Above, you hypothesized your e-mail provider's or ISP's IP address is on the block list and your friend's e-mail provider is blocking your e-mail; now you're hypothesizing that your friend's e-mail provider or ISP IP address is on a block list and your e-mail provider is blocking it! :huh: <confused> But, yes, in this case if your e-mail provider failed to send your friend a message, he would never know that his e-mail provider's or ISP's IP address was listed. In which case, you and he should complain to your e-mail provider.

I might be missing something here.  My status with SpamCop is as a "mole."  It's as if I "whisper" the IP addresses of my spam to SpamCop, and they are placed on a blacklist without any notice to their administrators.  Maybe if I were the other kind of SpamCop customer, notices would go out to all administrators of all IP addresses that send me what I declare to be spam.  But that makes me wonder whether being a "mole" is doing more harm than good!

...Mole status allegedly makes it less likely that spammers will discover that you are reporting them (keeping them from trying to retaliate against you). Yes, as I understand it, if all spam reports for an IP address came from mole reporters, the administrators of that IP address would not receive a notice. However, I would think it likely that either a customer would eventually discover that and complain to that administrator that her/ his e-mail was being blocked or a non-mole reporter would submit a report.

Meanwhile, other posts in this forum suggest that spammer technology has reached the point where they can "fake" an IP address - or is it that they can hijack someone else's computer from a remote location and literally send out their emails from it?

...The latter, I'm guessing.

Blacklisting that computer's IP - provided notice is sent to their administrator - would thus get them to quickly work to get a defence against hijacking.  Again, I wonder if my "mole" status prevents this worthy process from happening?

...See above.

Congratulations for reading this far!

...Whew! :) <g>

Now, the acid test:

I want to compliment Miss Betsy.  Her posts are invariably reasoned, calm, and written in ordinary language.  Some of the other volunteers use a lot of technical jargon, and I don't understand what they are saying.  And, it is also true that some volunteers use snappy remarks that can intimidate the newbie.  The acid test is, I sincerely hope that a person reading this and wishing to help me understand things more fully, will be able to respond with the patience and tone Miss Betsy commonly uses.  There are others who use that tone - but she stands out.  I have never been rudely treated in this forum (others have been in my opinion), but I have sometimes been totally mystified by jargonese in what are clearly intended to be helpful answers to my questions.

...If there's jargon you don't understand, I'd encourage you to check out The Net Abuse Jargon File and/ or ask for a translation. And if you find anything in my reply that's either rude or jargonish, please let me know and I'll try to correct it! :) <g>


When an item of spam is reported, I believe the "IP address" (a bunch of numbers separated by dots) goes onto some kind of blacklist. There is, I believe, an "IP host" involved (a business or organization which "owns" a series of IP addresses) and sometimes - when is not always clear - all mail emanating from all IP addresses owned by that host are then blacklisted.

No, only the IP address that is sending spam. The problem is that sometimes there are many users using the same IP address (when it is a business). They 'share' the same IP address. So if one person spams (or has a trojan or sends anti viral messages to a spamtrap), then *all* the users who share that IP address are blocked and most of them are entirely innocent.

The effect of a blacklist is not clear to me either. If the IP from which I send my email is part of a blacklisted host, sometimes I might never know. My email disappears into the ether, and only when I meet the recipient on the street and say "Did you get my email?" that it turns out he never got it.

That is much more likely to happen if you are using a content filter since it is often difficult to find a real email amongst all the spam. Content filters are quirky and one never knows what they will catch.

Most blocklists are used at the server level and so a message is automatically returned to the sender. IMHO, it is one of the advantages of the blocklist.

For example, this happened to me recently with respect to incoming mail from a friend (you can view my befuddled post in the help forum under Will anyone help me understand this header?) where SpamCop defined his email as spam and put it in "Held Mail." He never knew his outgoing mail was treated that way.

That's the disadvantage to using spamcop blocklist to tag suspected spam, IMHO. However, unlike content filters it is very easy to remedy being caught by a blocklist and tagged as spam. There are four options: the sender can raise cain with his ISP; he can use another IP address (such as hotmail or yahoo) to communicate with you, he can change email service providers, or sometimes, you can 'whitelist' his email address so that the server knows his email is ok.

IMHO, the *sender* is the one who should go to the effort of fixing the problem and getting reliable email service. The only way spam can be effectively stopped is at the sending end. Therefore, anyone who patronizes a spam friendly or irresponsible provider is contributing to the spam problem. Some people cannot change providers, but there is always web email. The very last option to take is to whitelist.

Part of the reason that people consider spamcop blocklist to be too aggressive is that there are numerous errors that can be made and then completely innocent senders and businesses have their email blocked until they can contact the deputies and correct the listing.

IMHO, life is full of problems. We endure construction delays on the highways. We have internet outages from backhoes and storms. We sometimes have our travel blocked by fire engines or ambulances. Computers go down in banks, grocery stores, and other retail places and lines become long. As long as spamcop responds promptly to spamcop errors and the percentage of errors is decently low, IMHO, it is just one of those things in life, one has to put up with because there are careless, irresponsible, and criminal people who make life difficult for the rest of us.

IMHO, the best thing about spamcop is that there is something that the average person can *do* about spam. I have listened to, and debated, other ways of controlling spam. I still have not been convinced that there is a better way than blocklists. IMHO, there should be many more reliable blocklists based on a variety of criteria so that more ISP's would use them. IMHO, if more consumers (end users who are technically non-fluent) knew that spam is caused primarily by greedy, irresponsible, and incompetent ISP's and that blocklists can stop it if *senders* of email take responsibility for choosing reliable email service, then most people would no longer be bothered by spam because consumers would demand blocking.

I can't understand why some ISP's have not capitalized on this and started a PR campaign. But the people who know how to run the servers and write the programs don't seem to be also gifted in other forms of communication.

I, too, have a full and busy life, but I find the solution to spam a fascinating societal problem - the internet is a new frontier and the way we approach the problem will determine what kind of internet society there will be in the future, IMHO. And I don't have time to edit my 'free flow' sentences. Sorry.

Miss Betsy


Yes, Miss Betsy, the Internet is a "new frontier".

SpamCop Julian has appointed himself the Marshal, and has given badges to a few Deputies - and there are a whole bunch of snitches that help them.

They also act as Judge, Jury and Executioner and often punish the innocent.

It's just like a lawless wild west town - too many guns and too few brains.

SpamCop is part of the problem, not the solution to it.


Yes, Miss Betsy, the Internet is a "new frontier".

SpamCop Julian has appointed himself the Marshal, and has given badges to a few Deputies - and there are a whole bunch of snitches that help them.

They also act as Judge, Jury and Executioner and often punish the innocent.

It's just like a lawless wild west town - too many guns and too few brains.

SpamCop is part of the problem, not the solution to it.

...To any newbies who may have bothered to read this far: yourbuddy has contributed much useful information to these fora but this is an example of one that is a result of his refusing to understand how SpamCop.net works. Unless you accept the theory that the provider of useful information is responsible for any misuse of that information, you would be well advised to take what (s)he writes with a healthy dose of salt.


Yes, Miss Betsy, the Internet is a "new frontier".

SpamCop Julian has appointed himself the Marshal, and has given badges to a few Deputies - and there are a whole bunch of snitches that help them.

They also act as Judge, Jury and Executioner and often punish the innocent.

It's just like a lawless wild west town - too many guns and too few brains.

SpamCop is part of the problem, not the solution to it.

...To any newbies who may have bothered to read this far: yourbuddy has contributed much useful information to these fora but this is an example of one that is a result of his refusing to understand how SpamCop.net works. Unless you accept the theory that the provider of useful information is responsible for any misuse of that information, you would be well advised to take what (s)he writes with a healthy dose of salt.

Unless you accept the fact that the provider of often incorrect information is responsible for any use of that information.


often incorrect information

Going with the plethora of IPs seen to be listed, it would be my opinion that your word "often" should really read "rare" ... no way to prove it, I'm just comparing the vast numbers listed and the so few complaints of wrongful listings ... noting that the posts here and in the newsgroups are made by those few that actually got impacted, and a major portion of those complainers often end up finding out that their "secure" system had in fact been compromised in one form or another ... which causes that rare wrongful listing issue to actually end up being even rarer than that suggested by the numbers of postings ...


Ok, "rare" it is, why not ...

But in those instances it disrupts hundreds of users of that ISP.

It "might" disrupt some users ... this also goes back to a user on the impacted system would have to try to send an e-mail to another ISP system that was using the SpamCop DNSbl .... and even that would only be an issue if that other ISP was using the BL to block, vice the recommended TAG action ... once again, here's some scoping down of your catastrophic claims ....

Agreed that a wrongful listing is bad, but I'm just having a hard time going along with your representation of the numbers involved .... and as often pointed out, if one's life depends on the delivery of an e-mail, one should already have contingency plans in place to cover problems such as this, as delivery has never been guaranteed under the SMTP guise ....


...for 48 hours, or less if the admin provides confirming information to the deputies that it's a false positive.

I still think that repeated offenders should have more than 48h, and in increasing time length, depending on how badly they offend. I get spam in a 48h cycle, from same domains, seems some ISPs are just not reliable and do nothing to fix their problem.


Ok, "rare" it is, why not ...

But in those instances it disrupts hundreds of users of that ISP.

Out of the millions of email users worldwide. Everyone here has agreed that there are innocent bystanders affected, just as in life. 0.01% (100/1000000) is quite remarkable if you think about it. Other DNSBL's block many more innocent bystanders.

Spamcop works to fix the errors that affect those innocent bystanders when it is appropriate.

However, if said user is using an ISP which supports spammers (bad neighborhood), it is up to the innocent bystander to change ISP (move to a different neighborhood), protect themselves (use other mail services) or call the authorities (their ISP) to complain/report the problems.

SpamCop is not the police, judge, jury or executioner. They are the neighborhood watch working (filing reports) with the police (ISP again) to clean up the streets.


Well! Truly helpful answers from Steve T. (turetzsr) and from Miss Betsy.

I thought "yourbuddy" had waved goodbye, but he/she weighed in, and folks responded to his entries with remarks that seem laden with old history, and frankly I couldn't understand them.

However, in my quest for understanding, and because of today's postings, I now gather that it is the single offending IP address that is blocked, not a whole set of them, and once a non-mole reports the address, those who send from it get a message to the effect that the IP is a source of spam. I also think I saw somewhere that the blocking only lasts 48 hours! (which, if true, amazes me for its shortness of duration - I wonder how effective it can be!).

QUOTE (turetzsr [at] Apr 26 2004, 06:21 PM)

...Whoa! You've changed things around, now!

Sorry about that! I did try too many perspectives to come at my example. I began by speculating about what might happen were I myself ever to unwittingly send email from a compromised IP address, but then I thought of my friend's email to me which had been put into my "held mail" box, and from then on my remarks were from the perspective of the recipient of good email from a bad IP address (this last phrase could not have been written by me this morning, because only now do I understand that it is the IP address, not the entire ISP that is blocked).

I would like to continue thinking about my friend's email for a minute: In our city, there are only two internet service providers for the general client (there are others for businesses, I believe, but not very many). I belong to one, and my friend belongs to the other. His email was identified as possible spam by SpamCop and put in my "held mail" folder. I don't think he ever knew his message was thought to be from a spammer. I certainly didn't tell him (perhaps I should have). I simply whitelisted his email address and went on my merry way.

Two days later an email to me from another friend - a member of my own ISP - was also put into my "held mail" folder. Again, I said nothing, whitelisted the sender, and carried on with my life.

All this says to me that our city's two main ISP's are having some of their auto-generated IP addresses hijacked. Perhaps we - my correspondents and I - should be alerting these two fairly big companies that this is happening.

If readers wish to comment in the helpful vein I have been seeing in this forum, please do.

Meanwhile, thanks again to Miss Betsy, Steve "turetzsr" T., Stephen Underwood, dra007, and Wazoo, for their informative replies. I think I am understanding things just a bit better. My, but it's complicated!

Tony

ps. and thanks, turetzsr, for the link to the Net Abuse Jargon dictionary! T.


I would like to continue thinking about my friend's email for a minute: In our city, there are only two internet service providers for the general client (there are others for businesses, I believe, but not very many). I belong to one, and my friend belongs to the other. His email was identified as possible spam by SpamCop and put in my "held mail" folder. I don't think he ever knew his message was thought to be from a spammer. I certainly didn't tell him (perhaps I should have). I simply whitelisted his email address and went on my merry way.

I don't use the spamcop email service, but IIUC (if I understand correctly) it uses other filters besides the spamcop bl. I know that spamassassin is one of them (an extremely good content filter) and I believe that you can also choose to use other blocklists like spamhaus.

So there could be a multitude of reasons why your friends' emails were 'held' as possible spam. Typing in all caps is one that spamassassin catches no matter what the content.

There is a place on the site map page of the spamcop web site where you can enter the IP address of the different ISP's and see whether it is on the spamcop blocklist. Before you notify your ISP, you should be sure of the reason. If they are on the spamcop blocklist, they will have gotten reports probably - if not from spamcop, from other users.

There are different criteria for putting IP addresses on a blocklist. There are 'public' blocklists (that anyone can use), but any server administrator can block any IP address for any reason. There are some who will block an IP address because the person threatened to get a lawyer when he posted in protest. Another private rule is that if viruses are received for 10 days in a row from a particular IP address, that IP address is blocked for 30 days.

The primary public blocklists usually have a unique purpose. There is one blocklist that blocks open proxies, another that blocks open relays, another that blocks not only IP addresses where spam comes from, but if they don't stop the spam, blocks the neighboring IP addresses.

spamcop's purpose is a real time blocklist that notifies the ISP that a spam run is in progress, prevents others from receiving the spam until the ISP can fix it, and stops blocking when no more spam is reported. Unfortunately, there are ISP's who never fix the problem. That means that those IP addresses, more or less, stay on the spamcop blocklist (unless the spammer takes a vacation and no spam is received).

In addition, spammers use the reports to find ways around the blocklist (instead of stopping the spam as 'whitehat' ISP's do - whitehat from the old cowboy movies where the hero wore a white hat and the villain wore a black one). So, there have been changes, such as mole reporting, to combat the blackhat ISP's. Also, now ISP's have found more ways of preventing spammers so that whitehat ISP's rarely get a spamcop report. And the spammers are using open proxies and compromised computers to send the spam so that when reports are sent, they are sent to people who don't have control over the spammer either, but need to fix a computer.

Many people have suggested a VirusCop that would allow technically non-fluent people to report viruses to the proper source. The main difference in that blocklist would be where it would report and how the blocklist would operate - for instance, instead of dropping off automatically, it would drop off upon notification from the ISP that the problem was fixed. I would like to see a blocklist that reported bulk email sent without the proper RFC header information. And I would like an open proxy or compromised computer list that notified the administrators. Since I am not technically fluent, I don't understand why there can't be an open proxy list that uses the same software as the spammer to find open proxies, send an automatic report to the admin, and list them on a bl. The proxy would stay on the list until the next scan, even if fixed, but if fixed would drop off then. Of course, the spammers could use the list to find holes which they can spam through, but that would be even more of an incentive for administrators to make sure that they didn't have holes and to fix them quickly because then they will get on other antispam blocklists.

Miss Betsy


Archived

This topic is now archived and is closed to further replies.
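
Added example, not part of the original thread and not SpamCop's own code: a sketch of how a receiving mail server checks one sending IP address against a DNS blocklist, and how the "block" versus "tag" choice and the recipient's whitelist discussed in the posts above decide whether the sender ever hears about it. The function names, the stub resolver and the sample addresses are assumptions constructed for illustration; `bl.spamcop.net` is the SpamCop blocklist zone.

```python
import ipaddress
import socket

DNSBL_ZONE = "bl.spamcop.net"  # SpamCop's public DNS blocklist zone


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name the receiving server looks up: IPv4 octets reversed, zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=DNSBL_ZONE):
    """True if the blocklist answers with a 127.0.0.0/8 address for this IP.

    Only the single connecting address is asked about, not its whole range.
    A failed lookup is treated as "not listed", so a resolver outage lets
    mail through rather than holding or rejecting it.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def disposition(client_ip, sender, whitelist, mode, resolve=socket.gethostbyname):
    """Decide what happens to one message; returns (action, smtp_reply).

    mode="tag":   accept and file under held mail; the sender is told nothing.
    mode="block": refuse during the SMTP session, so the sender's own server
                  hands back a bounce that names the listing.
    """
    if mode not in ("tag", "block"):
        raise ValueError("mode must be 'tag' or 'block'")
    if sender.lower() in whitelist:
        return ("deliver", None)  # the recipient's whitelist wins
    if not is_listed(client_ip, resolve):
        return ("deliver", None)
    if mode == "tag":
        return ("hold", None)
    return ("reject", f"550 mail from {client_ip} refused: listed in {DNSBL_ZONE}")


# Constructed stand-in for DNS so the example runs offline: one listed address
# from the 192.0.2.0/24 documentation range, everything else unlisted.
CONSTRUCTED_LISTINGS = {"25.2.0.192.bl.spamcop.net": "127.0.0.2"}


def stub_resolve(name):
    try:
        return CONSTRUCTED_LISTINGS[name]
    except KeyError:
        raise socket.gaierror("name not found (constructed)") from None


if __name__ == "__main__":
    for mode in ("tag", "block"):
        print(mode, disposition("192.0.2.25", "friend@example.org",
                                set(), mode, stub_resolve))
    print("whitelisted", disposition("192.0.2.25", "friend@example.org",
                                     {"friend@example.org"}, "block", stub_resolve))
    print("unlisted", disposition("192.0.2.26", "other@example.org",
                                  set(), "block", stub_resolve))
```

In "tag" mode the listed message lands in held mail with no reply to the sender, which matches the silent experience described in the thread; in "block" mode the same listing produces a 550 refusal that the sender sees.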
