rkollmeyer Posted November 9, 2005

I have had an ongoing issue of ending up on the Spamcop blacklist several times over the last year. I'm working on trying to find out exactly *why* I keep getting listed on this blacklist.

You will see in the following link that we have been listed in the Spamcop List: http://www.spamcop.net/w3m?action=checkblo...=66.148.194.226

The cause for the listing is listed as our system has sent mail to spam traps in the last week.

If you take a look at Senderbase, our volume of e-mail is relatively steady, with only a 14% increase over the last 30 days, certainly not out of the ordinary. http://www.senderbase.org/?searchBy=ipaddr...=66.148.194.226

If you take a look at DNSStuff.com, Spamcop is the only spam list that we are on: http://www.dnsstuff.com/tools/ip4r.ch?ip=66.148.194.226

We are trying to figure out why. I do have a theory as to how it could possibly be happening, but I'm not certain. We use a spam screening program called "spam Lion" which works on a whitelist validation system. When a new user sends mail into our domain, they will receive an auto reply stating that we use the spam Lion product and they must validate their e-mail address before spam Lion passes it to the end user. Could this message be considered enough to get it listed on the blacklist somehow?

Let's say an e-mail was sent to address[at]myemail.com from (or appearing as from) one of the SpamCop Trap addresses. My spam Filtering software will bounce back a message with a link for a real user to click on and validate their e-mail address. If this somehow gets sent to the trap address, it will list me, correct? Is there any way to prevent any of this from happening? Is my theory impossible in SpamCop's eyes, or what? This is the only plausible explanation that I have been able to come up with; if anyone has any other ideas, please let me know.

The last 3 times we have been listed on SpamCop, I have monitored our firewall and there are no excess amounts of traffic coming from within the network, so I know none of our machines have been compromised.

Thanks,
Rich Kollmeyer
dbiel Posted November 9, 2005

Most likely cause: bouncing messages to forged reply addresses. See Why Am I Blocked? FAQ, Please read before posting
Jeff G. Posted November 9, 2005

Hi, and welcome! spam Lion appears to be using "Challenge/Response (CR)". SpamCop doesn't recommend CR systems - they are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of On what type of email should I (not) use SpamCop? and the Challenge/response spam filtering section of Why are auto-responders (and delayed bounces) bad?. Please see http://forum.spamcop.net/forums/index.php?showtopic=85 for more info. Thanks!
Merlyn Posted November 9, 2005

> We are trying to figure out why. I do have a theory as to how it could possibly be happening, but I'm not certain. We use a spam screening program called "spam Lion" which works on a whitelist validation system. When a new user sends mail into our domain, they will receive an auto reply stating that we use the spam Lion product and they must validate their e-mail address before spam Lion passes it to the end user. Could this message be considered enough to get it listed on the blacklist somehow? Thanks, Rich Kollmeyer

Yes. Actually this kind of system makes you part of the spam problem. Most spam nowadays is sent with forged "From" and "Reply-To" addresses. Your system then tries to validate the sender by sending a reply to an innocent victim. Most people call this a Challenge Response (C/R) system. In this day and age of spam you should re-think your email management.
rkollmeyer (Author) Posted November 9, 2005

> Most likely cause: bouncing messages to forged reply addresses. See Why Am I Blocked? FAQ, Please read before posting

So... if I'm reading this correctly...

"is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'bounces' created after accepting the email);"

My SMTP Server that runs spam Lion accepts the e-mail, then sends a validation e-mail back to the sender (similar to what would happen if an out of office reply would have been sent), then I will likely get listed on the SpamCop blacklist.

Obviously what I'm doing is not spamming, although the number of replies are created by spammers sending messages to me. The question I have then is what can I do to prevent this from happening in the future? Dump my current spam filtering system in favor of a different spam blocking program?

Thanks,
Rich Kollmeyer
Jeff G. Posted November 9, 2005

> Dump my current spam filtering system in favor of a different spam blocking program?

Yes, unless spam Lion's programmers come out with a non-CR system and free upgrade that fits your definition of "my current".
StevenUnderwood Posted November 9, 2005

> My SMTP Server that runs spam Lion accepts the e-mail, then sends a validation e-mail back to the sender (similar to what would happen if an out of office reply would have been sent), then I will likely get listed on the SpamCop blacklist.

If any message has a spamtrap address (good spamtrap addresses have been picked up by spammers), you will be listed immediately. If any of the messages you are challenging goes to a valid user (quite often), that person can report your challenge as spam since it is unsolicited (they did not send the original) and keep you listed. Even if the innocent forged address does not report you, you are simply pushing all your spam onto other innocent people who have nothing to do with the spam, other than having their names sold to the same lists your addresses are on.

> Obviously what I'm doing is not spamming, although the number of replies are created by spammers sending messages to me. The question I have then is what can I do to prevent this from happening in the future? Dump my current spam filtering system in favor of a different spam blocking program?

Yes. Dump C/R quickly. It is NO LONGER an accepted method (just like OOO messages).
dbiel Posted November 9, 2005

> Obviously what I'm doing is not spamming, although the number of replies are created by spammers sending messages to me. The question I have then is what can I do to prevent this from happening in the future? Dump my current spam filtering system in favor of a different spam blocking program?

In the good old days, that would be true; but today it is considered a form of spamming. It is just another case of the bad guys (spammers) taking something good (auto responders) and making them become a major problem.

Consider this example. A spammer uses your email address as the reply to address and sends out 1 million messages (this does actually happen). A large number get bounced back by auto responders. You receive 2,000+ auto replies in your mail box within one hour. Would this be acceptable to you?

"Obviously what I'm doing is not spamming": not so any more.
Wazoo Posted November 9, 2005

> If any message has a spamtrap address (good spamtrap addresses have been picked up by spammers), you will be listed immediately.

In all fairness, let's remember to point out the math involved ... one "response to a spamtrap" probably won't get a listing, but that a spamtrap hit carries such a penalty in the formula ....

SenderBase stats show a 3.6 volume, which per http://forum.spamcop.net/forums/index.php?showtopic=4556 is shown as:

Magnitude 3 = 1.34 Thousand Estimated Daily Email Volume
Magnitude 4 = 13.4 Thousand Estimated Daily Email Volume

so let's say approximately 10K e-mails a day .... run on over to http://www.spamcop.net/fom-serve/cache/297.html and look at the math there ... Once upon a time, there was a 2% threshold involved, but I believe that this number has changed a bit due to some other scoring parameters. But, it should be clear that a single spamtrap hit should not be sufficient in this instance ...
Derek T Posted November 11, 2005

Just a thought. If challenge/response could be made to work at the SMTP-reject level, sending a 5xx error rather than accepting the message and bouncing to the return envelope, would that be an acceptable anti-spam system? Most likely it's not technically feasible and this is a stupid question, but has anyone gone down this path?

MODERATORS: move to lounge if you think this inappropriate here - it seems a long time since we came across a C/R problem - I thought they'd died out!
Miss Betsy Posted November 11, 2005

C/R has not died out. Earthlink uses it, though I don't know whether they use the return path. I wouldn't think so since there have not been a lot of complaints here about Earthlink being blocked.

The main problem about C/R (and for that matter after acceptance filters such as spamassassin) is that it puts the cost of controlling spam on the receiver rather than the sender. If spam control is to work, the *sender* has to be responsible for choosing a reliable ISP and those who use bulk email need to pay for the extra safeguards in order to prevent spammers.

Miss Betsy
StevenUnderwood Posted November 11, 2005

> Just a thought. If challenge/response could be made to work at the SMTP-reject level, sending a 5xx error rather than accepting the message and bouncing to the return envelope, would that be an acceptable anti-spam system? Most likely it's not technically feasible and this is a stupid question, but has anyone gone down this path?

This would basically be greylisting, where the first connection is rejected with a 4xx (try again later) message, then a time window is opened. Most legitimate servers will automatically resend after a while.
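
The greylisting behaviour described in the post above, as an added example that is not part of the original thread and not code from any product named in it: the decision is made at RCPT TO time on the (client IP, envelope sender, recipient) triplet, so nothing is ever mailed back to a possibly forged sender. The delay values, addresses and IPs are constructed assumptions.

```python
# Added illustration, not code from the thread or from any product named in it.
from dataclasses import dataclass, field

MIN_DELAY = 300       # assumed: seconds before a retry is accepted
WINDOW = 4 * 3600     # assumed: seconds the retry window stays open
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply to give at RCPT TO, before any message is accepted."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 OK"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > WINDOW:
            self.first_seen[key] = now       # first contact, or window expired
            return TEMPFAIL
        if now - seen < MIN_DELAY:
            return TEMPFAIL                  # retried too quickly
        self.passed.add(key)
        return "250 OK"


# Constructed sample traffic: (time in seconds, client IP, envelope sender, recipient)
ATTEMPTS = [
    (0,    "192.0.2.10",   "alice@example.org", "rich@example.com"),
    (0,    "198.51.100.7", "trap@example.net",  "rich@example.com"),  # forged sender, never retries
    (60,   "192.0.2.10",   "alice@example.org", "rich@example.com"),
    (900,  "192.0.2.10",   "alice@example.org", "rich@example.com"),
    (1000, "192.0.2.10",   "alice@example.org", "rich@example.com"),
]


def replay(attempts):
    """Run the attempts through a fresh greylist and return the reply codes."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t)[:3] for t, ip, frm, to in attempts]


if __name__ == "__main__":
    print(replay(ATTEMPTS))
```

The one-shot client that forged trap@example.net only ever sees a temporary failure on its own connection; the forged address receives no mail, which is the difference from an accept-then-challenge system.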
justauser Posted November 11, 2005

> This would basically be greylisting, where the first connection is rejected with a 4xx (try again later) message, then a time window is opened. Most legitimate servers will automatically resend after a while.

SpamCop's mailserver(s) that deliver mailhost configuration emails don't automatically resend like this, do they? If not, why not?
StevenUnderwood Posted November 11, 2005

> SpamCop's mailserver(s) that deliver mailhost configuration emails don't automatically resend like this, do they? If not, why not?

They are one of many that are not using a standard email server package with that capability. They just dump the message with no error tracking...you are performing the error tracking with "Why did I not get the reply" questions.
Jeff G. Posted November 11, 2005

> They are one of many that are not using a standard email server package with that capability. They just dump the message with no error tracking...you are performing the error tracking with "Why did I not get the reply" questions.

Isn't that a violation of "mail that cannot be transmitted immediately MUST be queued and periodically retried by the sender" per Section 5.3.1.1 of Internet Standard #3 and RFC 1123 "Requirements for Internet Hosts -- Application and Support"?
Wazoo Posted November 11, 2005

> Isn't that a violation of "mail that cannot be transmitted immediately MUST be queued and periodically retried by the sender" per Section 5.3.1.1 of Internet Standard #3 and RFC 1123 "Requirements for Internet Hosts -- Application and Support"?

"In the eyes of the beholder" .... philosophy of the creator .. things like that .... The RFC is built around the concept of an e-mail provider ensuring that "e-mail" will get delivered ... Things like the "mailhost probe" (not speaking for Julian) may be considered a simple "transmittal of data using the SMTP mechanism" rather than an actual "e-mail" .... coupled with that there will be no attempt to get into a position where one could make the claim that "SpamCop is spamming me" .. so one shot is all there is. If it works, mission is accomplished. If it doesn't work, user has to get the issue resolved.
This topic is now archived and is closed to further replies.