why would a spammer care if their IP is listed in SCBL


kamaraju

I have read the various FAQs, "read this before posting" threads and could not find answer to this question.

Let me first summarize my understanding of how spamcop works. The user reports his/her spam to spamcop. Spamcop parses the spam and contacts the actual ISPs/open relays etc., who were involved in sending that spam email. After some time if no necessary action is taken by the spammer, then the appropriate IP address gets added to SCBL. Other people who use this SCBL may choose to block/tag emails coming from these "spam sending IPs". So far am I correct?

If the above is correct, then my question is why would a spammer care if his IP is blocked by other ISPs? I mean, the spammer can still keep sending spam and choose to ignore all the undeliverable/bounced messages. How would it affect the spammer? Why would the spammer stop just because his email is blocked by some mail administrators?

I am sorry if this is a stupid question. But I searched the forums+google with search terms like "what happens when a spammer is listed in scbl" etc. Maybe I was using the wrong search terms. If you can point to a webpage which talks about a solution to this problem, I would be happy to read it.

thanks

raju


> If the above is correct, then my question is why would a spammer care if his IP is blocked by other ISPs?

First of all welcome to the forum and thanks for reading the FAQ :D

Your understanding is correct and the short answer is, s/he doesn't care, the spammer can and will always move on to another trojanned machine/hacked server. SpamCop is there (in my view) for three reasons:

1. (Getting rarer all the time) listing/reports gives a heads-up to a white-hat ISP with whom the spammer has enrolled and they are kicked off. Black-hat ISPs don't give a sh** and allow them to continue.

2. (Much more common) listing/reports gives a heads-up to the white-hat ISP that someone on their network is trojanned or someone has exploited a hole in their defences: they fix the problem asap and SpamCop is so aggressive and so responsive that this often happens during the spew so the amount of spam in the world can be reduced. For black-hat ISPs see above.

3. (And most importantly) RECEIVING ISPs can tag (recommended) or reject (not recommended but saves a LOT of money) mail from listed servers, keeping their customers' inboxes free of clutter.

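As an added example (not written by any poster in this thread and not SpamCop's own code), here is a sketch of the receiving side described in point 3 above: a mail server looks the connecting IP up in the SCBL over DNS, then either tags or rejects. The zone name `bl.spamcop.net` is not mentioned in the thread, the `X-SCBL-Listed` header and the 550 text are hypothetical, and the resolver stub with its sample addresses is constructed so the block runs offline.

```python
import ipaddress
import socket

SCBL_ZONE = "bl.spamcop.net"  # public DNS zone of the SCBL (not named in the thread)

def dnsbl_query_name(ip, zone=SCBL_ZONE):
    """Build the DNSBL lookup name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname, zone=SCBL_ZONE):
    """A listed IP resolves to an address in 127.0.0.0/8; NXDOMAIN means not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # NXDOMAIN, but also DNS outages: fail open so a resolver
        # problem never blocks legitimate mail.
        return False
    return answer.startswith("127.")

def handle_connection(ip, policy="tag", resolve=socket.gethostbyname):
    """Return (smtp_action, extra_header) for a connecting client IP."""
    if not is_listed(ip, resolve):
        return ("accept", None)
    if policy == "reject":
        # Hypothetical rejection text; the sender's server gets the bounce.
        return ("550 5.7.1 Mail from %s refused, listed in SCBL" % ip, None)
    # "tag": deliver, but mark the message so users or filters can sort it.
    return ("accept", "X-SCBL-Listed: yes (%s)" % ip)

# Constructed sample data: pretend 192.0.2.10 is listed, everything else is not.
CONSTRUCTED_ZONE_DATA = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for a DNS resolver, backed by the constructed data."""
    try:
        return CONSTRUCTED_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7"):
        for policy in ("tag", "reject"):
            print(client, policy, handle_connection(client, policy, fake_resolve))
```

With the "tag" policy a false listing costs the recipient nothing but a header; with "reject" the same false listing loses the mail, which is the trade-off behind "recommended" versus "not recommended" in the post.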

> Let me first summarize my understanding of how spamcop works. The user reports his/her spam to spamcop. Spamcop parses the spam and contacts the actual ISPs/open relays etc., who were involved in sending that spam email. After some time if no necessary action is taken by the spammer, then the appropriate IP address gets added to SCBL. Other people who use this SCBL may choose to block/tag emails coming from these "spam sending IPs". So far am I correct?

It is not quite correct. The IP address is added to scbl according to a complicated algorithm where many factors are involved. Spam trap hits will get an IP address listed sooner than reports from reporters. The IP address stays on the scbl until there are no more reports. The 'no more reports' is based on the time the spam was sent, not the time the report was made. The only 'action' that can be taken is to stop sending spam. Some server admins will stop it almost immediately after getting a spamcop report.

> If the above is correct, then my question is why would a spammer care if his IP is blocked by other ISPs? I mean, the spammer can still keep sending spam and choose to ignore all the undeliverable/bounced messages. How would it affect the spammer? Why would the spammer stop just because his email is blocked by some mail administrators?

If the spammer owned his own IP address, then possibly he wouldn't care. Though it might be more and more difficult to get anyone to accept email from that IP address whether or not they used the scbl.

However, usually they are using someone else's IP address perhaps along with many other customers. That server admin cares that his legitimate customers are blocked and so doesn't allow the spammer to come online.

I don't know much about the technical side of spamming. However, blocklists have worked so well at preventing the spammer from using an IP address directly that much spam is now sent to computers that have been infected with a trojan and that infected machine sends the spam without the owner knowing it.

It is the *sending* end of email that controls spam by not allowing email in great quantities to leave without knowing that it is legitimate and by responding quickly to reports of spam. Internet service providers have all kinds of ways to detect spam that is leaving and can stop it. The blocklists and other ways of filtering out spam are useless to stop spammers. Blocklists, however, have encouraged IP admins to not allow spam so that they can send legitimate email and have it received by everyone.

Miss Betsy


<snip>

> Let me first summarize my understanding of how spamcop works. The user reports his/her spam to spamcop. Spamcop parses the spam and contacts the actual ISPs/open relays etc., who were involved in sending that spam email. After some time if no necessary action is taken by the spammer, then the appropriate IP address gets added to SCBL. Other people who use this SCBL may choose to block/tag emails coming from these "spam sending IPs". So far am I correct?

<snip>

> It is not quite correct.

<snip>

Hi, Raju!

...First, I wish to associate myself with Derek T's first sentence in his reply, above.

...Another qualification to add to Miss Betsy's qualification of your understanding: SpamCop does not "contact the actual ISPs/open relays, etc., who were involved in sending that spam email." The SpamCop parser offers to send a message to the (one) abuse address it believes to be responsible for the (one) server through which the spam was sent. I may have misunderstood but I thought you implied that you thought the parser (automatically) sent messages to more than one e-mail address (for more than one server involved in the sending of the spam) whereas it only sends to one. For a bit more (and probably clearer) explanation of this, please see Glossary Entry "spam Source Report".

...Hopefully, someone more familiar with the process than am I will either correct what I've written here or explain it better than did I. :) <g>


This topic is now archived and is closed to further replies.