Jump to content

SpamCop blocking challenges from our users


dhjdhjdhj

Recommended Posts

Posted

Every now and again, we receive a report that an identity query sent out by one of our customers (in response to their receiving an initial message from someone they don't know) has been blocked by SpamCop.

The message that we get back claims that we are "Spamvertising" based on the URL that is contained in the customer's outgoing message (example URL is below). The URL simply opens a page that allows the original sender of a message to fill in a form to identify themselves to the person they are trying to contact. Our webpage has only our company name and a brief message about ChoiceMail One (which we put in because so many people responding to messages kept asking for more information about our product).

In particular, these identity queries are ONLY sent to people who try to contact a ChoiceMail One user - they are NEVER sent out unsolicited.

Therefore, we would like to understand why SpamCop has chosen to block these messages and what can be done to remove such blocks.

Thanks in advance,

David Jameson

CTO, DigiPortal Software Inc

------------------------------------------------------------

Example URL (with bogus email address) so our identity query page can be viewed.

http://cm.digiportal.com/cgi-bin/cmregiste...14nTdv8bmpZZozw

Posted
Every now and again, we receive a report that an identity query sent out by one of our customers (in response to their receiving an initial message from someone they don't know) has been blocked by SpamCop.

The message that we get back claims that we are "Spamvertising" based on the URL that is contained in the customer's outgoing message (example URL is below). The URL simply opens a page that allows the original sender of a message to fill in a form to identify themselves to the person they are trying to contact. Our webpage has only our company name and a brief message about ChoiceMail One (which we put in because so many people responding to messages kept asking for more information about our product).

In particular, these identity queries are ONLY sent to people who try to contact a ChoiceMail One user - they are NEVER sent out unsolicited.

It looks like ChoiceMail One is a challenge response system.

The problem is that if one of your users gets a spam or virus with a forged from address, your challenge system sends out an email to the forged email address. While this protects your users, it results in increased unsolicted mail to users outside the ChoiceMail system.

Posted
In particular, these identity queries are ONLY sent to people who try to contact a ChoiceMail One user - they are NEVER sent out unsolicited.

Therefore, we would like to understand why SpamCop has chosen to block these messages and what can be done to remove such blocks.

Oh, you may want to read the following discussion.

http://forum.spamcop.net/forums/index.php?showtopic=100

Posted
Every now and again, we receive a report that an identity

query sent out by one of our customers (in response to their

receiving an initial message from someone they don't know) has been

blocked by SpamCop.

Does your system send form letters to people whose return address has

been forged into spams? If so you are sending them unsolicited bulk

email aka "spam".

...  [snip]

In particular, these identity queries are ONLY sent to people who try

to contact a ChoiceMail One user - they are NEVER sent out

unsolicited.

Are you sure ? Your system is NEVER fooled by forged

return addresses?

Therefore, we would like to understand why SpamCop has chosen to

block these messages and what can be done to remove such blocks.

... [snip]

Could it be that your system is sending challenges to innocent

victims whose return address has been forged into spams? Could it be

that these innocent victims find the challenges annoying since

they're already having to deal with bounces and angry responses

caused by the forgery?

Unless you are sure that you are sending the challenge to the

original sender you should reconsider your procedure. You are

spamming anyone who didn't actually send the message your system is

challenging.

Posted

It looks like ChoiceMail One is a challenge response system.

The problem is that if one of your users gets a spam or virus with a forged from address, your challenge system sends out an email to the forged email address.  While this protects your users, it results in increased unsolicted mail to users outside the ChoiceMail system.

ChoiceMail absolutely includes C/R but as a last resort - it tries to remove as much spam as it can by passive analyis first. I understand completely the issue you raise - and I would argue that one must deal with the underlying problem here which is to help ensure that everyone is using AV software etc. Further, if someone receives a message with a forged address from someone else, that's essentially identity theft and the person whose email address was forged is prevented from discovering that fact due to SpamCop.

SpamCop is essentially shooting the messenger. There are a number of different ways to try and stop spam - we're all trying hard to stop it - but we should not need to step on each others' toes - we're on the same side!

Posted
Further, if someone receives a message with a forged address from someone else, that's essentially identity theft and the person whose email address was forged is prevented from discovering that fact due to SpamCop.

When a virus spoofs someone's e-mail address, sending them a notification e-mail is the worse thing that can be done.

On many of the forums that I am on, a common complaint is that people are losing real e-mai because their mail box is full of bounced viruses, or virus detection notices, and they can not delete them fast enough to stay under quota. If these abusive hosts had used SMTP rejects instead, then the spoofed e-mail victim would not be losing mail.

A C/R system that does not use SMTP reject codes to deliver the challenges adds to the mess.

As no I.P. has been posted, looking up any spamcop.net reports becomes a guessing game, and nothing from spamcop.net shows up with any of the obvious ones associated with your system.

Challenge responses were tried by spamcop back in it's early days.

It was determined to cause far more problems than it solved, and it was dropped.

If you are going to send a challenge, use an SMTP 5xx reject code with associated text to send it. That way it will go back to the true originating server, and if it is a real mail server it will deliver the notification to the sender that until they approve your link, their mail may not be read.

Using this method is probably the only way your challenges could not possibly be mistaken for spam, and if a spam complaint was made, it would be directed at the mail server that generated the DSN, not yours for rejecting the message.

And a report of your link in the DSN that was caused by your SMTP reject of the mail would not count toward the blocking list.

Inspite of what anyone's personal opinion of C/R systems, according to the deputies they are not reportable through spamcop.net, and people reporting them are subject to displine by the deputies.

How ever the spamtraps in use by spamcop.net may have different criteria on what they cause to be listed.

And other DNSbl services also operate spamtraps, so if a challenge goes to one of their challenges it could result in a listing. See the www.dnsbl.au.sorbs.net spamtrap zone for example.

Some people will not respond to challenge responses sent to them for real e-mail, and some of them have outbound e-mail addresses that do not match their inbound e-mail domains.

Others have decided that if they get a challenge for a spam or virus that is spoofing their e-mail address, they will approve it to go through.

And yesterday it was reported in the RISKS digest recently that spammers have figured out how to use programs to answer the challenges like the one your service has presented. So far they are using this mainly to sign up for free e-mail services to send spam from.

 http://www.moensted.dk/spam/?addr=cm.digiportal.com&Submit=Submit
Resolved cm.digiportal.com to 207.50.193.1
cm.digiportal.com has no MX records -> [digiportal.com has 2 MX records ns3.computer.net.(50) minimoog.digiportal.com.(10)] 

http://www.moensted.dk/spam/?addr=ns3.computer.net.&Submit=Submit

+ NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3
Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html [removal]
dul.dnsbl.sorbs.net. says exception granted.

Looks like one of your mail servers is still listed in a few places as being on a DHCP address.

-John

Personal Opinion Only

Posted
Every now and again, we receive a report that an identity

query sent out by one of our customers (in response to their

receiving an initial message from someone they don't know) has been

blocked by SpamCop.

...  [snip]

In particular, these identity queries are ONLY sent to people who try

to contact a ChoiceMail One user - they are NEVER sent out

unsolicited.

Are you sure ? Your system is NEVER fooled by forged

return addresses?

Therefore, we would like to understand why SpamCop has chosen to

block these messages and what can be done to remove such blocks.

... [snip]

Could it be that your system is sending challenges to innocent

victims whose return address has been forged into spams? Could it be

that these innocent victims find the challenges annoying since

they're already having to deal with bounces and angry responses

caused by the forgery?

Unless you are sure that you are sending the challenge to the

original sender you should reconsider your procedure. You are

spamming anyone who didn't actually send the message your system is

challenging.

Well, WE are not sending anything. Individual users who are protected by ChoiceMail are sending messages out to email addresses from whom they get messages. They are NOT sending out bulk messages to arbitrary people - they are responding specifically to incoming messages. That is NOT the definition of spam.

We agree completely that a forged message can theoretically cause a problem - obviously if all parties had challenge/response, that would not happen. I would also point out that if someone's email address is being used without their permission, then they need to find out about it - they can find out through receving an unexpected challenge from ChoiceMail but again SpamCop prevents this, which is a pity.

Does your system send form letters to people whose return address has

been forged into spams?  If so you are sending them unsolicited bulk

email aka "spam".

Posted
I understand completely the issue you raise - and I would argue that one must deal with the underlying problem here which is to help ensure that everyone is using AV software etc.  Further, if someone receives a message with a forged address from someone else, that's essentially identity theft and the person whose email address was forged is prevented from discovering that fact due to SpamCop.

SpamCop is essentially shooting the messenger. There are a number of different ways to try and stop spam - we're all trying hard to stop it - but we should not need to step on each others' toes - we're on the same side!

It's not just an issue of those compromised by viruses. 99% of the spam that I receive comes from a forged address. 80% of the email that is attempted delivery to me is spam. While it may be "identity" theft there is no means for the "average" person to do anything about it.

Spamcop does nothing to prevent people from knowing that their email address was forged into an email.

Your system is fine for protecting your users, but it *does* run the risk of generating spam for the rest of us. Just because your users like a C/R system doesn't mean that I want to get challenges to spam that your customers received. I get enough of my own spam. The problem is that you are protecting your users at the expense of the rest of the community.

Posted

Well, WE are not sending anything. Individual users who are protected by ChoiceMail are sending messages out to email addresses from whom they get messages. They are NOT sending out bulk messages to arbitrary people - they are responding specifically to incoming messages. That is NOT the definition of spam.

We agree completely that a forged message can theoretically cause a problem - obviously if all parties had challenge/response, that would not happen. I would also point out that if someone's email address is being used without their permission, then they need to find out about it - they can find out through receving an unexpected challenge from ChoiceMail but again SpamCop prevents this, which is a pity.

You also face the problem that your customers may not be as discriminating as they could be in allowing the challenges to forged addresses and many of those forged addresses could be spam traps. Since Email to spam traps has never, by definitiion, been solicited a challenge to a spam trap will get the originating IP address listed until the stream of unsolicited challenges stops.

Then of course there are the many 'dummy' addresses that legitimate order systems, booking confirmations, mail lists etc that your customer will not know the address of which will also be challenged with no human to respond at the other end.

I think you'll find that the overwhelming opinion here is that C/R systems are flawed.

Andrew

Posted

First of all, thanks for your thoughtful responses.

A C/R system that does not use SMTP reject codes to deliver the challenges adds to the mess.

Agree completely. But CM users are at the mercy of their ISP's SMTP servers to send messages. Rememer, these challenges are NOT coming from us - they're coming from individual users. Don't confuse our system with some of the services out there where challenges for all subscribers are handled by a centralised SMTP server.

As no I.P. has been posted, looking up any spamcop.net reports becomes a guessing game, and nothing from spamcop.net shows up with any of the obvious ones associated with your system.

The reports that have come back to us do not seem to be about the challenge/response process per se. They seem to be complaining about the CONTENT of the message and in particular that the URL used in the messages is "Spamvertising". As I said before, we (DigiPortal) are NOT sending out ANY messages to anyone.

Challenge responses were tried by spamcop back in it's early days.

It was determined to cause far more problems than it solved, and it was dropped.

Interesting - so the notion is "it didn't work the way it was done by SpamCop, therefore it will never work". It's a good job Thomas Edison (and many others before and after) didn't give up quite so quickly when their first efforts failed. Almost every criticism I have seen about C/R has been based on poor implementation rather than on conceptual issues (and we work extremely hard to address conceptual problems as well as making sure we have a good implementation :-) C/R in conjunction with other techniques to whittle down received spam first reduces challenges to a small number - there's no question that sending challenges out blindly in response to every received message is a bad idea. We certainly continue to improve our system in this manner - at this point, out of an average of about 400 spam messages a day coming to me personally, my CM system is only sending out about 12 challenges. I expect that to be reduced even more soon.

In spite of what anyone's personal opinion of C/R systems, according to the deputies they are not reportable through spamcop.net, and people reporting them are subject to displine by the deputies.

This is good to know. Is that policy written down anywhere officially that we could reference?

Some people will not respond to challenge responses sent to them for real e-mail, and some of them have outbound e-mail addresses that do not match their inbound e-mail domains.

Yep - understood - now one gets down to an interesting philosophical issue. So ignoring the forged email problem for now, if you (say) send me (say) a message and get a challenge back from me (because you aren't already known to me), YOU get to decide how to balance the importance of the message you sent me with the aggravation (if that's how you feel) of having to fill in a challenge. If you decide that it's not worth responding to the challenge, you have implicitly put a low value on the importance of my reading your original message. If you don't think the message was important for me to see, then why on earth should I waste my time reading it.

And yesterday it was reported in the RISKS digest recently that spammers have figured out how to use programs to answer the challenges like the one your service has presented.  So far they are using this mainly to sign up for free e-mail services to send spam from.

Hmmm, we heard about a system recently where spammers were hijacking challenges and sticking them on porn sites hoping real users would fill them in. Is this the same thing?

We had a good chuckle over that one, complimented (silently) the spammers on their ingenuity (it's a shame they waste their talents this way) and figured out at least 3 different trivial ways to prevent our system from being fooled by it which we'll throw in to our system in the next few weeks just in case.

(If the RISKS DIGEST was talking about something else, then I would appreciate a reference to the article)

Looks like one of your mail servers is still listed in a few places as being on a DHCP address.

But it isn't - and never was. Not sure how to go about addressing this (or whether it's even worth trying to address it) but thanks for letting me know.

Posted
Well, WE are not sending anything. Individual users who are protected by ChoiceMail are sending messages out to email addresses from whom they get messages. They are NOT sending out bulk messages to arbitrary people - they are responding specifically to incoming messages. That is NOT the definition of spam.

Do I understand that your users are personally going through their "held" list and selecting which messages are to receive the challenge. I have never seen a C/R that works this way. It would cut down on this type of problem. There are few messages I receive that are not obviously spam just be reading the subject and sender. It would mean more work for your users, but that is part of being a good netizen.

Unless the "Individual users who are protected by ChoiceMail" are personnaly overseeing this process, then it is indeed ChoiceMail sending out the messages.

Do you explain to your users that the challenges being sent are often going to an innocent third party, filling their inboxes? Most people I have encountered in real life pushing these systems have dropped them when this aspect is explained.

spam is NOT about CONTENT, it is about CONSENT. Your users have not been given consent to send the challenge to the forged email account.

Posted
Well, WE are not sending anything. Individual users who are protected by ChoiceMail are sending messages out to email addresses from whom they get messages. They are NOT sending out bulk messages to arbitrary people - they are responding specifically to incoming messages. That is NOT the definition of spam.

So you're saying that your users go through their held mail and send

challenges to senders they don't recognize, and that each challenge

is a personalized message in compliance with standards such as

outlined at MAPS?

We agree completely that a forged message can theoretically cause a problem - obviously if all parties had challenge/response, that would not happen. I would also point out that if someone's email address is being used without their permission, then they need to find out about it - they can find out through receving an unexpected challenge from ChoiceMail but again SpamCop prevents this, which is a pity.

Fortunately most Internet users aren't that inconsiderate of others.

I suspect the quanity of bounces and the occasional angry responses

from spam recipients is more than enough to alert most users that

their address has been forged into a spam. I doubt that the added

burden of challenges sent to them in response to emails they didn't

send is of much additional help.

Posted
Yep - understood - now one gets down to an interesting philosophical issue. So ignoring the forged email problem for now, if you (say) send me (say) a message and get a challenge back from me (because you aren't already known to me), YOU get to decide how to balance the importance of the message you sent me with the aggravation (if that's how you feel) of having to fill in a challenge. If you decide that it's not worth responding to the challenge, you have implicitly put a low value on the importance of my reading your original message. If you don't think the message was important for me to see, then why on earth should I waste my time reading it.

Confirmations for mailing lists, online purchace receipts,

order/backorder status emails, communications from web hosts & domain

registrars may be sent from 'dead' addresses and have individualized

response addresses or URLs contained in the message body. Does the

fact that these challenges go unanswered also mean that the email has

an implicit low value too?

Posted
Confirmations for mailing lists, online purchace receipts,

order/backorder status emails, communications from web hosts & domain

registrars may be sent from 'dead' addresses and have individualized

response addresses or URLs contained in the message body. Does the

fact that these challenges go unanswered also mean that the email has

an implicit low value too?

Not at all! However, those things show up as a CONSEQUENCE of something one does. A purchase receipt shows up because I ordered something - I KNOW to go look for the receipt because I KNOW to expect it. Such things come from known domains and it's generally feasible to use permission rules to check the received headers (say) to validate incoming mail from places where one routinely receives status info.

Incidentally, on numerous occasions, I (and I'm sure many others) have proposed a very simple scheme where the vendor would include your name in the TO field of all mail sent back to you. Alternatively, with only a little more effort, they would provide another field for a PIN number. Then, when you're filling in your name and email address, you could include extra information known only to you. For example, I might put

David 1234 Jameson

david[at]digiportal.com

All messages would then have the format

"David 1234 Jameson" <david[at]digiportal.com>

spam-blocking systems could recognise your personal code and allow the message through (without a challenge). This mechanism has the further advantage that the vendor could guarantee that you would never actually receive (accept) spam fail from that vendor since it would be missing the PIN code.

Such processes, if widely adopted, would help tremendously.

Posted
Alternatively, with only a little more effort, they would provide another field for a PIN number.  Then, when you're filling in your name and email address, you could include extra information known only to you. For example, I might put

David 1234 Jameson

david[at]digiportal.com

All messages would then have the format

"David 1234 Jameson" <david[at]digiportal.com>

spam-blocking systems could recognise your personal code and allow the message through (without a challenge). This mechanism has the further advantage that the vendor could guarantee that you would never actually receive (accept) spam fail from that vendor since it would be missing the PIN code.

Such processes, if widely adopted, would help tremendously.

Way toooooo funny. You've yet to answer most of the questions asked about why your C/R is so much different than all the others. You keep on defending the C/R process, even though the flaws have been repeatedly tossed out. You've yet to leave a clue that you have gone over and read through the mailblocks thread.

And then you toss out yet another possible concept, qualyfied by the phrase "if widely adopted" ... Yet, if I can point out, you came here ticked off over another "widely adopted" plan of simply blocking sources of spam ... yeah, I know you've said that stuff from "your" system isn't spam, but ... hey, I'm still giggling ... "if widely adopted" .. that's a good one .... thanks.

Not intended as a flame, just boggled at the other end of your proposed "neat" solution. Yet another field in a database that can't easily be verified as to its accuracy .... looking at it from the side of the mythical vendor with the many thousands of "known good, opted-in" customers in its mailing list.

Posted
Not at all! However, those things show up as a CONSEQUENCE of something one does. A purchase receipt shows up because I ordered something - I KNOW to go look for the receipt because I KNOW to expect it. Such things come from known domains and it's generally feasible to use permission rules to check the received headers (say) to validate incoming mail from places where one routinely receives status info.

That's not necessarily true. I once ordered a book online from $MAJOR_DOMAIN, as things turned out my receipt and shipping confirmation came from the publisher's warehouse. $MAJOR_DOMAIN took the order (and presumably their cut) but the publisher handled the CC receipt, order confirmation, and shipping info emails. I thought the CC receipt & order confirmation emails were spam until I read the message bodies (I caught on by the time the shipping confirmation was sent)

And, when I first got my domain I had the site hosted with my registrar. The registrar required domain owners to receive 'policy' and 'official' emails as part of the registration & hosting agreements ("hype" was optional). During the first few days I got emails from a number of different departments, and for the next few months that I hosted there I got a few emails from various departments. As I see it my choices would be to whitelist *[at]registrar.tld (which would open me up to spams forging the registrar's domain) or I'd have to sort through a list of held mail looking for something they sent me (and I can do that without using C/R, in fact I do since anything not whitelisted goes to my 'held' folder).

[snip]

David 1234 Jameson

david[at]digiportal.com

All messages would then have the format

"David 1234 Jameson" <david[at]digiportal.com>

spam-blocking systems could recognise your personal code and allow the message through (without a challenge).

If my PIN can be recognized without a challenge, what's to stop an unethical vendor from selling my "FirstName PIN LastName" <username[at]domain.tld> to spammers?

This mechanism has the further advantage that the vendor could guarantee that you would never actually receive (accept) spam fail from that vendor since it would be missing the PIN code.

Why would spam from the vendor be missing the PIN? Are you saying they're temporary and would be challenged if used more than once?

Posted

There is a E-Mail provider named Bluebottle that uses the number system. Here what it says on

their option page under the Verification section:

  Reply Only - Requires the sender whose address is not in your Allowed list to simply reply to the verification request. Doing so will automatically add their email address to your Allowed list.

  Full Name - Requires the sender whose address is not in your Allowed list to reply to the verification request including your full name in the subject line. Doing so will automatically add their email address to your Allowed list. Your full name is currently set to "xxxxx xxxxx".

Verification Key - This feature allows the selection of a four digit PIN which a sender can add to the subject line to automatically add their address to your Allowed list. The sender will need to include the number within parentheses - For example, if your Verification Key was 3193, this should be entered into the subject line as (3193).

Also when you send an e-mail to someone they are added to your Allowed list.

Bluebottle is a Free e-mail service w/15mb of storage. Webmail/POP3/IMAP available and their

URL is http://www.bluebottle.com

Charlie Collins

Posted

After reading the whole topic I relized that the discussion deviated from it's original heading.

SpamCop and many other organizations are trying hard to protect the regular users from uncontrolable bulk mail. The question is - should we work together or fight over who has a better protection systems.

One glove will never fit everyone and therefore INDIVIDUAL USER MUST BE IN CONTROL.

Systems like SpamCop might work for some of us, but not for others. C/R systems might not be for everyone, but if implemented right they can protect individual user or an organization which is using it.

I have the right to protect my mailbox and my family from incredible amount and content of spam messages. If a spammer uses your email address to send me those messages that is a completely different issue - one more serious as it involves identity theft. You should know about it and take mesures to protect yourself.

Yahoo proposed a digital signatures for all email addresses. Somethiung like a root certificates where you will be able to verify that the message really came from the email address that is in the message headers. If this idea transforms into reality all the issues you have stated here against C/R systems will not be valid as every message received by your C/R system will first be evaluated for validity of sender and processed afterwards. This will prevent identity theft and will make sure that challenge messages are send only to the persons who really contacted you.

Until that is in place however - a user has a right to protect itself as the spam problem has gone out of hand.

As you will see from my signature I work with DigiPortal Software in developing ChoiceMail, but I tried to make my message be general.

___________________________

Nebojsa Djogo

VP, Software Development

DigiPortal Software

Posted
a user has a right to protect itself as the spam problem has gone out of hand.

We have a right to protect ourselves from erroneous C/R challenges, and from actual spam emanating from mailblocks.com servers. If your software doesn't bounce or challenge Novarg/Mydoom worm product, it's better than Mailblocks' software.

Posted
If my PIN can be recognized without a challenge, what's to stop an unethical vendor from selling my "FirstName PIN LastName" <username[at]domain.tld> to spammers?

Nothing. But if that's your concern than (a) you can trivially change your PIN and (B) you can tell who sold the list and © you should know better than to do business with an unethical vendor (it's not hard to find out).

Personally, I would use a different PIN with each vendor so mail coming to me from amazon.com would be checked against one pin number whereas mail coming from another vendor would be checked against a different PIN number.

Yet another field in a database that can't easily be verified as to its accuracy .... looking at it from the side of the mythical vendor with the many thousands of "known good, opted-in" customers in its mailing list.

Verified by WHOM? I don't want the vendor to verify it. The USER can controls whether he/she gets mail from that vendor - opt-In that REALLY works.

Do I understand that your users are personally going through their "held" list and selecting which messages are to receive the challenge.

That's an option - automatic challenges can be switched off if a user so chooses. Some of our users choose this model, others use challenges - their choice.

If your software doesn't bounce or challenge Novarg/Mydoom worm product, it's better than Mailblocks' software.

We are NOT Mailblocks.com!

You can already create a permission rule in ChoiceMail that will detect the presence of an attachment and associate it with an action that says "Don't send identity query". Even more trivially, if you're using a decent anti-virus program that removes attachments containing a virus, then it will typically add a header indicating that it did so. In this case, you can just create a ChoiceMail permission rule that detects that header and doesn't send out challenges.

We have a right to protect ourselves from erroneous C/R challenges, and from actual spam emanating from mailblocks.com servers.

You ABSOLUTELY have that right and I would be the last to argue against this. But if you (and others would care to read my original posting, all I wanted to know was WHY challenges coming from a few users were being blocked with a reason called "Spamvertising". I was NEVER asking for the blocks to be removed or to start a debate about the merits of one process vs. another.

My interpretration of that word was "advertising via spam" which we are not doing. As for eroneous C/R challenges, I understand this concern completely and, as I've said before, we continue to work on improving our analysis to reduce these as much as possible.

If by "Spamvertising" you mean "challenge/response" then fine - but change the reason to "challenge/response" so we (and others) UNDERSTAND why it was blocked. I didn't know that mailblocks.com was actually sending out spam too. That's also interesting to know.

Posted
We have a right to protect ourselves from erroneous C/R challenges, and from actual spam emanating from mailblocks.com servers

Absolutely! Specially if these C/R systems are not implemented right. Keep in mind though that if someone is using your email address to send me a message you most likely have a bigger problem on your hands (identity theft) and solving that problem will solve all the others assotiated with it.

If your software doesn't bounce or challenge Novarg/Mydoom worm product, it's better than Mailblocks' software.

ChoiceMail has a sophisticated tools that compliment our C/R system. In fact our C/R system can be completely optional is user wants to turn it off.

We have something called "Permission Rules" which are basically filters that can react to message headers and execute certain actions. One of the actions is "Do not send a challenge message". Other include delete message, approve message and so on...

For example ... one of the messages I received from this forum has following headers added by SPamAssassin

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level:

X-spam-Status: hits=1.0 tests=DATE_MISSING version=2.63

I can easily write a rule in ChoiceMail that reacts to these headers and allow the message trough without challenge if SpamAssassin "thinks" that the message is 100% not spam. I can also easily write a rule that will not send a challenge is SpamAssassin "thinks" that the message is a certain spam. I am sure that we can somehow detect the "Novarg/Mydoom" messages somehow and create a rule that will not send the challenge out.

The point is that we are trying to allow user to be in full control and use any anti-spam tools that are available.

Posted
My interpretration of that word (spamvertising) was "advertising via spam" which we are not doing.

Your C/R is being seen as spam by the receiver (possibly forged). This topis has been covered I believe and I will not go further with it.

If you have a link to your web site in that message, spamcop will send, in addition to the report to the source of the message, a warning to the admin of the web site basically stating that the link to your site was found in a spam message. A site will never be blocked in the scbl for spamvertising. Some hosts have been known to disable web sites that these warnings are sent to, sometimes incorrectly thinking that their site will be blacklisted because of it.

Hope this helps answer your original question.

Posted
If you have a link to your web site in that message, spamcop will send.......

....Hope this helps answer your original question.

Yes, it does - thank you - this is all I needed to know. Our ISP was forwarding SpamCop messages to us and we needed to understand what they meant.

Thank you for putting up with the enemy :-)

Cheers,

David Jameson

Posted

Hi, David,

If you have a link to your web site in that message, spamcop will send.......

....Hope this helps answer your original question.

Yes, it does - thank you - this is all I needed to know. Our ISP was forwarding SpamCop messages to us and we needed to understand what they meant.

Thank you for putting up with the enemy :-)

Cheers,

David Jameson

...Enemy? As you said, we're [more-or-less] on the same side! The major difference is that my colleagues begin from their experience with C/R, which is negative, whereas you start from yours, which is positive.

...Your postings, while IMHO seemed somewhat more defensive of C/R than your later posts suggest, were much more reasoned and reasonable than the ones we have seen from MailBlocks users -- thanks! :)

Posted

C/R systems are usefull when you have a mailbox that needs to handle mostly auto replies, but let the human generated messages through.

The spamcop.net report sender has such a C/R system on it.

But for end users using it to challenge potential spam, it really has some severe limitations, as has been pointed out.

If something can be reliably identified as spam, there is no need to send a challenge, and if it can not, is it worth bothering innocent victims any more to save the person the time to peek at the message?

CI can easily write a rule in ChoiceMail that reacts to these headers and allow the message trough without challenge if SpamAssassin "thinks" that the message is 100% not spam. I can also easily write a rule that will not send a challenge is SpamAssassin "thinks" that the message is a certain spam. I am sure that we can somehow detect the "Novarg/Mydoom" messages somehow and create a rule that will not send the challenge out.

The point is that we are trying to allow user to be in full control and use any anti-spam tools that are available.

Ok, to minimize the possibiltiy of anoying innocent victims:

Start out with a rule that says if the sending I.P. is in an open proxy list, or an open relay list, or sbl-xbl.spamhuas.org, not to send a challenge.

There are several open proxy lists, and sometimes mulitple ones need to be checked for complete coverage. The sbl-xbl.spamhaus.org gives good coverage. The xbl zone lists compromised systems sending spam, and the sbl zone lists domains owned by spammers.

If it is in one of these type of lists, there is a 99.9999999 percent chance that it is spam, and that any challenge will go to an inocent victim. In the few cases that the challenge will go to the spammer, most of the ones will just answer it with another spam.

Or it will go to a spamtrap, and spamcop.net is not the only DNSbl that operates spamtraps. While the spamcop.net listings have a max life of 48 hours until after the last spam report, other DNSbls will not unlist automatically.

And really, there should be no reason that the user's mail server is even accepting e-mail from known open proxies.

If the incoming e-mail has a bad rDNS, then there is over an 80% chance that it is spam, challenging it will probably still go to an innocent victim or a spamtrap.

If the incoming e-mail is in the MAPS-DUL or other MAPS lists(paid service, they have a free plan for some users), then it is 100% spam. No need to challenge.

If the incoming e-mail is on DUL.DNSBL.SORBS.NET, there is an over 99 % chance that it is spam, but that list does have some real mail servers in it because of ISP's mixing their static business pools with their DHCP pools.

Now if the incoming e-mail has a bad rDNS or is in a DHCP pool, and also listed in bl.spamcop.net, the odds of it being a real mail server have got to be exceedingly small, for one thing, the rDNS is a RFC violation. So that is another set of e-mail that there is no need to challenge about.

Now this is a determination that can be made to accurately screen out most of the spam, and you have not even looked at the content of the message yet.

Now SpamAssasin can not do this next step yet, but there are people working on adding it on. Maybe you can put it in your product.

For the remaining mail that is still unknown, you can check the URLs that are present in it. If the URL does not resolve, there is a 50% chance it is spam, or a report about spam. If it is from a spamcop.net listed I.P. address or a dul.dnsbl.sorbs.net address, it is 100% chance of spam.

If the I.P. address that the URL resolves to resides in sbl-xbl.spamhaus.org then there is a 100% chance of the message being spam, or a report about spam. If it is from a dul.dnsbl.sorbs.net address, then 100% chance of spam.

And anything with an executable or zip file from someone that is not whitelisted should not be challenged. It is a virus or a trojan.

With these rules, the amount of messages could qualified to be challenged should be minimal, and I would recommend instead of challenges that the user inspect the few DUL addresses that are not weeded out by this and whitelist them.

And these rules are reliable in the fact that they are not paying attention to most of the content in the spam, so that there is no way for the spammers to work around them in the long term. A spammer might get through in the few minutes of a run from a new open proxy, but if they are referencing a URL, it likely will be already spamhaus or SPEWS listed.

And unless your Auntie is trying to tell you where she got a great deal on pills that have been laboratory tested to contain fecal matter and insect parts, there is not much chance of a real e-mail being flagged by mistake.

But you should warn your users that if their challenge goes to a spamtrap, it could cause their mail server to automatically get listed. SORBS.NET operates spamtraps like that, and so do others.

But if you know it is spam or a virus, there is no point in challenging it. The test.com domain has been rendered unusable from abusive bouncing, and there are people on the spamcop newsgroups and other forums that report that their residential ISP mailboxes are filling up with useless virus reports and bounces faster than they can drain them, so they are losing real e-mail.

-John

Personal Opinion Only

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...