Spamcop position on auto-responders & spamtrap addresses

[adrien]

Hi all.

We recently got blacklisted by spamcop, for the given reason that we emailed a spam-trap address, and I can only imagine it is due to one of the several auto-responder systems we run.

So I read the Spamcop position on auto-responders, and that we shouldn't use them.

Well this forum used one. It sent an email to the address I entered in the registration.

Our forum needs to use one as well, to verify the person's address who signed up.

As does our commerce site.

As does our support desk.

It's simply not an option to turn this off.

So the spamcop FAQ, whilst possibly of some use to individuals, is not useful for organisations who need to run auto-responders. SPF and DKIM only work if the domain has records. But if an email address is entered by an HTTP form, there's no MTA IP to check, nor DKIM.

So it seems the spam-trap system is wide open to abuse, and can be used to get innocent servers listed by anyone who happens to know (or is able to guess) honeypot addresses.

We've been operating the mail server for 18 years, and we've never spammed anyone. To be listed is a serious problem for us.

What happens if the list of spam-trap addresses got leaked or hacked? Are the addresses cycled, or expired?

[turetzsr]

Hi, adrien,

...Please have a look at SpamCop Wiki article "SpamTrap." If you do not feel that the SpamCop blacklist logic is working as it should, please contact the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net. Please be aware, however, that they will probably not be willing to discuss the details of their spamtraps with you. However, one would hope that they would be happy to entertain a well-reasoned and convincing request to look into a potential problem with their logic in handling confirmation e-mails.

[SpamCopAdmin]

Autoresponders are OK if you are responding to signups or support requests, etc.

Autoresponders are NOT ok if you're responding to spam coming in with forged return addresses. The return address on spam is always either fake or forged. No spammer in his right mind is going to use his own email address on his junk. Sending mail to those addresses is an abuse in its own right.

Our trap addresses are a proprietary secret. None have ever been revealed since SpamCop was created.

If you are sending to trap addresses, it is because you are adding unconfirmed addresses to your mailing list without the address owner's permission.

You may want to review and implement the "best practices" policies outlined at this web site:

http://cluelessmailers.org/info/listmanagement.html

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

[turetzsr]

...Thanks, Don.

...adrien, how did you get the registration e-mail address? Was it via an e-mail? If so, I believe that Don's reply answers your question. If not, for example if the e-mail address was "registered" via an online form or some other method than via an e-mail, please let us know here (if you are so inclined; that part is optional) and (unless he posts a follow-up indicating otherwise) also send a note to Don at the e-mail address he included in his post to explain how you got the e-mail address to which you sent the auto-response and what the content of that auto-response was. The e-mail address to which you sent the auto-response might also help him help you.

[ByronK]

Don, thanks for this reply, and I truly appreciate what spamcop is trying to do to fight spam. Our mail server uses Spamcop, so what I am about to say is a request for clarification, and not a complaint.

Our mail server does not spam, and we do not allow mailing lists of any sort. But, we do allow auto-responders. HOWEVER, we enforce strict SPF checking on any outbound mail that is generated by our auto-responders, and if it fails, the autoresponder does not reply back to the sender (to avoid back scatter).

You mention that your trap addresses are a proprietary secret and have never been revealed. How do you keep spammers from guessing it and using it as a forged "from" address, perhaps as an attempt to attack spamcop by souring the email community's view of spamcop (due to erroneous black listings).

EXAMPLE: one of our users had a vacation message (auto responder) turned on. An email came in, seemingly FROM your spam trap address. The auto responder checked and passed SPF on it and responded to the spam trap address (obviously forged). Spamcop then blacklisted our server (this has actually happened twice in the last month). Spamcop verifies my intuition and tells me that we were blocked because "System has sent mail to SpamCop spam traps in the past week".

Observations/questions: Does Spamcop use strict SPF records on the spam trap domain? Is the spam trap address something a spammer can guess? Has there been an uptick in spammers doing this type of forgery on purpose in order to annoy us and get us to turn against spamcop? Am I missing anything obvious? Any input you can shed on this frustrating situation would be very much welcomed.

Thanks in advance, ByronK

[turetzsr]

Hi, ByronK,

...It may not be a complete answer to your question but please see SpamCop FAQ entry "Why are auto responders bad?"

...If no one comes by here with a more complete reply, please refer this question to the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net.

...Good luck!

[ByronK]

(this post deleted by poster, and replacement post added below)

[ByronK]

OK, I tracked down my problem with the help of my mail server software vendor. Turn out my problem was that the forged message came from a server listed with an orbs accept rule, so my mail server software skipped spf checking, and thus failed to realize it was a forgery. In other words, Orbs "accept" trumped SPF checking. The spammer sent out through a server listed in our orbs forwarding database. My software vendor is patching it so that SPF is always checked, even if the sending server is whitelisted in Orbs.

Hope that helps someone else!

ByronK

[turetzsr]

...Thanks for taking the time to let us know, ByronK!