one-time delisting ?

[scip]

Hello,

the faq states that delisting is possible only once. What's the motivation behind this? Why is there no online testing too, which many others provide for postmasters to make sure that the bug/hole/whatsoever is really fixed before issuing the delisting?

kind regards, Tom

[Miss Betsy]

The spamcop blocklist is automatic. When the spam stops, the IP address is delisted. For most whitehats, there is very little time on the list if a spammer happens to slip through (infrequently) so there is no need for whitehats to ask for delisting. The one-time delisting was added recently and I forget the reasons why. It is only a one-time delisting because, of course, spammers could exploit it.

There is probably no testing because the ultimate test is whether spam keeps coming or not which is indicated by the scbl. Since I am not a sys admin, I don't know about these things, but I expect there are lots of ways to test whether an exploit has been fixed.

Spamcop has a very narrow focus which is to notify adminstrators of IP addresses when spam is reported. If that report is ignored, then the scbl prevents spam from reaching the inboxes of those who use the scbl. At the present time, it does alert sys admins of exploits or open relays or proxies since 80% of all spam now comes that way, but unlike other places, its purpose is not to close those holes - just to report spam no matter why it is being allowed.

Perhaps you will get a better reply from someone else who knows more about running servers and so pays better attention to the details.

Miss Betsy

[scip]

The spamcop blocklist is automatic.  When the spam stops, the IP address is delisted.

So, it does frequently spam tests, doesn't it? Is this documented somewhere, what exactly is tested? And which test matches for my site?

It is only a one-time delisting because, of course, spammers could exploit it.

Well, you could add a ticket number to the administrator notify which makes sure that only authorized personel is able to initiate the delisting. Maybe you take this as feature request?

there are lots of ways to test  whether an exploit has been fixed.

That was not my question, of course do I know how to test my site myself. I wanted to know WHAT the spamcop system (robot, agent?) exactly does? There could be a list of currently tested spam-indicators with names, like e.g. spam assasin already does. The admin notification could then contain a list of one or more IDs of matched spam tests. This would enable the admin to know where to look at. No digging blindly around. I hope I made it clear now.

At the present time, it does alert sys admins of exploits or open relays or proxies since 80%

In fact, I never received such a report, users notified me that some destinations are rejecting us. I then visited the report site and there were no substantial information, which test matched, nor could I view the original report of the person who reported us initially.

Perhaps you will get a better reply from someone else who knows more about running servers and so pays better attention to the details.

Well, I know that. But I am only the admin of a customer system. They tell me what to do, I cannot decide anything myself. You may agree with me that this is very annoying, but that's the situation here. In this very case the site were reported because of a bounce issue, which is also discussed elsewhere here (the faq, if I remember right), but at the moment I am not allowed to do something against this. So, the next time the site will be reported, they will be offline to all sites which they communicate with by email. In addition I will have no further way to delist the site because of the one-time behavior mentioned above. In the end, the customer will complain and stuff, I may loose my job, because I am unable to help them because they don't allow me to do so (and, of course they do not understand the key problem if I try to explain it). So, you do not fight spam with this, but put people in risk of loosing their job. You might find this view overdrawn, I just draw it to show my current problem.

kind regards, Tom

[Derek T]

So, it does frequently spam tests, doesn't it? Is this documented somewhere, what exactly is tested? And which test matches for my site?

Well, you could add a ticket number to the administrator notify which makes sure that only authorized personel is able to initiate the delisting. Maybe you take this as feature request?

That was not my question, of course do I know how to test my site myself. I wanted to know WHAT the spamcop system (robot, agent?) exactly does? There could be a list of currently tested spam-indicators with names, like e.g. spam assasin already does. The admin notification could then contain a list of one or more IDs of matched spam tests. This would enable the admin to know where to look at. No digging blindly around. I hope I made it clear now.

In fact, I never received such a report, users notified me that some destinations are rejecting us. I then visited the report site and there were no substantial information, which test matched, nor could I view the original report of the person who reported us initially.

Well, I know that. But I am only the admin of a customer system. They tell me what to do, I cannot decide anything myself. You may agree with me that this is very annoying, but that's the situation here. In this very case the site were reported because of a bounce issue, which is also discussed elsewhere here (the faq, if I remember right), but at the moment I am not allowed to do something against this. So, the next time the site will be reported, they will be offline to all sites which they communicate with by email. In addition I will have no further way to delist the site because of the one-time behavior mentioned above. In the end, the customer will complain and stuff, I may loose my job, because I am unable to help them because they don't allow me to do so (and, of course they do not understand the key problem if I try to explain it). So, you do not fight spam with this, but put people in risk of loosing their job. You might find this view overdrawn, I just draw it to show my current problem.

kind regards, Tom

SpamCop does absolutely no tests whatsoever. Neither does it block anything whatsoever, as even the briefest perusal of the FAQ would have told you. It merely lists the IP addresses of current sources of spam. IPs are listed automatically ojn the basis of reports of spam and mail sent to spamtraps. Once the spew stops they are de-listed automatically too. Reprts are sent to the registered abuse address of the IP.

Post the IP you believe to be listed here for more help.

[Miss Betsy]

So, it does frequently spam tests, doesn't it? Is this documented somewhere, what exactly is tested? And which test matches for my site?

No, spamcop does no tests. People use spamcop as a tool to send reports to the abuse desks of the IP addresses from where they have gotten spam - the criteria of which is that it is unsolicited email including misdirected bounces and, perhaps, viruses. I say 'perhaps' because I haven't kept up with whether it still rejects viruses sometimes.

If there are enough reports, or if the spam is reported by a spam trap which has never been used for email, then, according to a complicated algorithym, it is published on a blocklist as a source of spam. Spamcop uses the blocklist to tag email from those IP addresses for the clients of the spamcop email service. Other ISPs use it to block email.

Well, you could add a ticket number to the administrator notify which makes sure that only authorized personel is able to initiate the delisting. Maybe you take this as feature request?

Unfortunately some spammers have their own IP spaces and are the authorized person. Not to mention the ISPs who have no problem with spammers using their resources.

In fact, I never received such a report, users notified me that some destinations are rejecting us. I then visited the report site and there were no substantial information, which test matched, nor could I view the original report of the person who reported us initially.

The report may be going to an upstream. However, spamtraps do not send reports so if your reports were due to misdirected bounces hitting spam traps, then there would be no reports. Again, spammers were using the reports to evade the blocklist so that they are no longer published.

In the end, the customer will complain and stuff, I may loose my job, because I am unable to help them because they don't allow me to do so (and, of course they do not understand the key problem if I try to explain it).

I can see that you are between a rock and a hard place. I don't quite understand what your job is or whether the customer or your bosses don't understand the problem if you try to explain it.

Your basic problem is dealing with the customer, and I would try to pass their complaints to your bosses - emphasizing the fact that the bosses are tying your hands by not allowing you to fix the problem and that if you explain it clearly to the customer, then the customer is likely to take his business to another ISP who doesn't use misdirected bounces. If you don't explain it clearly to the customer, then the customer just gets mad because he keeps getting blocked and will probably take his business elsewhere also. Perhaps the bosses will listen then - usually they are concerned about the bottom line. If you were really brave and clever, you could explain it to the customer what it is that is causing the blocking and then encourage them to see the bosses to complain.

I don't think that there is anything you can say to customers that if it is understandable, that wouldn't make them decide to take their business elsewhere.

Miss Betsy

[scip]

Thanks for your answers, I do now better understand it.

Once the spew stops they are de-listed automatically too.

Ok, how does the system determine if the spews has stopped?

However, we are now listed again. I will now install an accesslist, which rejects unknown users on the mailgateway per SMTP, so, no bounces will be sent anymore. What will I have to do to get rid of the listing? Shall I fill out such a dispute form mentioned on the listing page? Or, would it be enough to tell you here the IP? Just in case the latter is enough: the ip is 194.145.146.5.

Thanks in advance, Tom

[Jeff G.]

It is more accurate to state that once the reports and emails to spamtraps stop, the listing is removed after 48 hours. Also, please see http://www.spamcop.net/w3m?action=checkblo...p=194.145.146.5, which currently indicates the following:

194.145.146.5 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

• System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  
• It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.
  

Additional potential problems

(these factors do not directly result in spamcop listing)

• System administrator has already delisted this system once
  

Because of the above problems, express-delisting is not available

Listing History

In the past 41 hours, it has been listed 2 times for a total of 36 hours

Reading between the lines, it was listed automatically about 41 hours ago for about 8 hours, delisted by a System Administrator for about 5 hours, and relisted automatically about 28 hours ago.

[Wazoo]

the faq states that delisting is possible only once. What's the motivation behind this?

Primarily to lighten the e-mail and research load for the Deputies .. giving the admin an easy way to clear the listing if the problem really was fixed. Howver, as stated, the problems are supposed to be actually made before trying to use this easy option.

Why is there no online testing too, which many others provide for postmasters to make sure that the bug/hole/whatsoever is really fixed before issuing the delisting?

Test for what? The SpamCopDNSBL is based on traffic seen from a source IP ... so if there are no user complains/reports, there are no spamtrap hits, there is nothing to test.

[Ellen]

Hello,

the faq states that delisting is possible only once. What's the motivation behind this? Why is there no online testing too, which many others provide for postmasters to make sure that the bug/hole/whatsoever is really fixed before issuing the delisting?

kind regards, Tom

25150[/snapback]

We do not do any testing. The list is driven by user spam reports and spamtrap hits. It is irrelevant to the SpamCop blocklist as to what specific exploit the spammer has used to send the spam thru your system; i.e. whether it is a virus/worm infection, a php or cgi exploit, an SMTP/AUTH problem or just a spammer who signed up for an account. We auto delist after 24 hours of no reports or spamtrap hits.

Additionally we added the one time delist feature for admins who had a problem, found it and fixed it and want to use the expedited delist. It is a one time event because the intent was not and is not to allow people to simply keep delisting themselves endlessly without figuring out what the problem is and fixing it.

[Miss Betsy]

What will I have to do to get rid of the listing?

If you have fixed the problem, the IP address will 'age' off the blocklist because there are no more reports of spam. The algorithym times the aging off based on no more spam by the time in the email so even if people haven't looked at their email yet, it won't increase the time on the blocklist.

The automatic nature of the spamcop blocklists is one of the distinguishing features of the spamcop blocklist. The only way you can be delisted by a person is if a mistake has been made on spamcop's side. No one can bribe, whine, or badger hir way off the list. Neither can anyone add to the list because they don't like you.

Miss Betsy

[kca]

If you have fixed the problem, the IP address will 'age' off the blocklist because there are no more reports of spam.  The algorithym times the aging off based on no more spam by the time in the email so even if people haven't looked at their email yet, it won't increase the time on the blocklist.

The automatic nature of the spamcop blocklists is one of the distinguishing features of the spamcop blocklist.  The only way you can be delisted by a person is if a mistake has been made on spamcop's side.  No one can bribe, whine, or badger hir way off the list.  Neither can anyone add to the list because they don't like you.

Miss Betsy

25234[/snapback]

Greetings,

yes its an old thread but i thought i'd reply anyway. If nothing else the threshold on the spam traps should be upped. According to spamcop's summary reports, you've received 2 instances of spam from my domain (ssd.com) in the last week. I think thats a ridiculously low number of emails to trigger being listed. Just my 2 cents. Other than that i like your service and wish we could start using it.

K

[StevenUnderwood]

Personally, I think it should be only one spamtrap report to trigger a listing, since spamtrap addresses have never been used anywhere, they should not be sent ANY mail. However, it is set to 2 in case someone signs up a trap address to a list. If only one message is sent and is dropped from the list unless a reply is received, the trap will not trigger a listing.

As you have probably seen: http://mailsc.spamcop.net/w3m?action=blche...p=68.21.232.136

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

So it looks like you found yourself blocked, delisted without finding/fixing the problem and are now stuck with the full lenght of the listing.

What is your explanation for your servers sending email to an address that has never been used anywhere?

Do you send non-delivery messages to forged email addresses of innocent people and spamtraps?

Do you operate a mailing list that allows people to signup any address they want without confirming that they control and want the traffic?

[kca]

What is your explanation for your servers sending email to an address that has never been used anywhere?

Do you send non-delivery messages to forged email addresses of innocent people and spamtraps?

Do you operate a mailing list that allows people to signup any address they want without confirming that they control and want the traffic?

25279[/snapback]

I would have to say its probably non-delivery reports if anything. We dont operate any lists like what you mention. I just think its rather unrealistic to have it set for only 2 messages. For this very reason. And also, the delist option should at least apply per incident. Our previous listing occurred back in January. Yes i understand that the traps are mailboxes that are unlisted anywhere....but I still think that 2 messages as the trigger is unreasonable. But i guess thats just me.

Thanks,

K

[Derek T]

I would have to say its probably non-delivery reports if anything.

25281[/snapback]

It's something! Don't guess: find out and FIX IT if you want to stay off the list!

[kca]

It's something! Don't guess: find out and FIX IT if you want to stay off the list!

25302[/snapback]

Obviously i want to stay off the list. I only came here to voice my opinion that the criteria that is used (2 incidents and your on) is a bit draconian and that there should be something a bit more flexible than a one-time delisting option. I appreciate SpamCop as much as anyone else. Hell I wish i could get those higher up the food chain to use it, since a number of our clients do. Unfortunately they take a dim view of blacklisting services.

If i'm guessing its because theres no type of notification that would tell me otherwise what email we sent that caused us to be listed. SO, based on what i've read, it would have to be our undeliverable responses that caused this.

K

[StevenUnderwood]

If i'm guessing its because theres no type of notification that would tell me otherwise what email we sent that caused us to be listed. SO, based on what i've read, it would have to be our undeliverable responses that caused this.

You could contact deputies<at>spamcop.net and ask nicely for them to check out the actual messages that were sent to the spamtraps. They will not show you the actual messages, but have been know to let people know whether it was a bounce, out of office, or actual spam message.

[kca]

You could contact deputies<at>spamcop.net and ask nicely for them to check out the actual messages that were sent to the spamtraps.  They will not show you the actual messages, but have been know to let people know whether it was a bounce, out of office, or actual spam message.

25307[/snapback]

Steven,

Thanks for that bit of info, I was just reading the same, as i sit here waiting for the Mrs. to give up the bathroom so i can get ready for work. I'll give that a try.

K

[turetzsr]

<snip>

Ok, how does the system determine if the spews has stopped?

25174[/snapback]

...Reports from us SpamCop users and from spam traps stop.

However, we are now listed again. I will now install an accesslist, which rejects unknown users on the mailgateway per SMTP, so, no bounces will be sent anymore.

25174[/snapback]

...Well, that might not be enough -- what about "Out of Office" messages or other automated e-mails configured by your users?

What will I have to do to get rid of the listing?

<snip>

25174[/snapback]

...Basically, find out all the sources of e-mail messages to "innocent bystanders" (e-mail addresses that have been forged by evildoers) and stop them from happening any more.