
SpamCop Blacklist getting toothless?


proski


Posted

I'm a paid subscriber. I have noticed that very little spam to my SpamCop address is blocked by the SpamCop blacklist. Most spam is blocked by SpamAssassin, and quite a lot of spam is getting to my INBOX.

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

Very little spam would come through. I remember that about a third of all spam as shown by http://www.spamcop.net/reportheld?action=heldlog was blocked by bl.spamcop.net.

Back then, the biggest problem wasn't the spam getting through - it was false positives, i.e. legitimate messages getting to the Held Mail folder. One day I got fed up with it and disabled the two blacklists that caused virtually all of the false positives - list.dsbl.org and dnsbl.sorbs.net. I also upped the SpamAssassin limit to 6 to allow some very technical posts with lots of unusual punctuation.

As one would expect, false positives became quite rare, while more spam started getting to the INBOX. But over time, the amount of spam getting through the filters grew dramatically, exceeding the legitimate e-mail traffic, including several mailing lists I'm subscribed to.

Initially, I attributed it to increased cleverness of the spammers. However, I noticed one anomaly. Very few spams are blocked by bl.spamcop.net now. The absolute majority of spams are blocked by SpamAssassin, even with the limit increased to 6. I don't have any reliable statistics, but bl.spamcop.net catches one or two of the 100-150 spams I'm getting in a day. I would say bl.spamcop.net almost certainly catches less than 5% of the spam I'm getting.

I'm reporting all the spam that comes to me. My average reporting time is 4 hours. Am I wasting my time on those reports? Is bl.spamcop.net getting too lenient to spammers?

Posted

I recall this question being asked previously in the Email forum.

What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

Andrew

Posted
What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

I'm pretty sure that the SA routine happens first, because according to the headers of messages put into our Held Mail due to the SA score, the IP addresses aren't even checked...here's an example:

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=11

whereas the next item in my current Held Mail is more like this:

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 219.114.33.118

X-SpamCop-Disposition: Blocked bl.spamcop.net

(I masked the two IPs having to do with my Mailhosts)

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

DT
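The two header pairs quoted above are enough to answer the "no reliable statistics" question from the opening post: every held message carries an X-SpamCop-Disposition naming the filter that held it, and an empty X-SpamCop-Checked next to a SpamAssassin disposition is the evidence that no DNSBL lookup ran. The script below is an added example, not SpamCop code; it assumes exactly the two header shapes shown in this thread ("Blocked SpamAssassin=<score>" and "Blocked <dnsbl zone>") and treats any other disposition as "not blocked". The four sample messages are constructed, with documentation-range IPs and invented senders.

```python
"""Tally which SpamCop filter held each message, from its X-SpamCop-* headers.

Added example, not SpamCop code. Assumed header shapes (from the thread):
    X-SpamCop-Checked: <space-separated relay IPs that were looked up;
                        empty when no DNSBL lookup happened>
    X-SpamCop-Disposition: Blocked SpamAssassin=<score> | Blocked <dnsbl zone>
Any other disposition value is treated as "not blocked" (assumption).
"""
import re
from collections import Counter
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample held mail (not real messages). Messages 1 and 3 show the
# "SA ran first" pattern: empty X-SpamCop-Checked beside a SpamAssassin verdict.
SAMPLE_HELD_MAIL = [
    "X-SpamCop-Checked:\n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=11\n"
    "From: one@example.com\nSubject: sample one\n\nbody\n",
    "X-SpamCop-Checked: 192.168.1.101 198.51.100.7 203.0.113.9\n"
    "X-SpamCop-Disposition: Blocked bl.spamcop.net\n"
    "From: two@example.com\nSubject: sample two\n\nbody\n",
    "X-SpamCop-Checked:\n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=6.3\n"
    "From: three@example.com\nSubject: sample three\n\nbody\n",
    "X-SpamCop-Checked: 192.168.1.101 198.51.100.7 203.0.113.44\n"
    "X-SpamCop-Disposition: Blocked dnsbl.sorbs.net\n"
    "From: four@example.com\nSubject: sample four\n\nbody\n",
]

# "Blocked <filter>" with an optional "=<score>" suffix (SpamAssassin only).
DISPOSITION_RE = re.compile(r"^Blocked\s+(?P<filter>[^\s=]+)(?:=(?P<score>[\d.]+))?$")


def parse_disposition(value: str) -> Optional[Tuple[str, Optional[float]]]:
    """Return (filter_name, score) for a 'Blocked ...' disposition, else None."""
    m = DISPOSITION_RE.match(value.strip())
    if not m:
        return None
    score = float(m.group("score")) if m.group("score") else None
    return m.group("filter"), score


def classify(raw_message: str) -> dict:
    """Extract the holding filter, SA score and looked-up relay IPs of one message."""
    msg = message_from_string(raw_message)
    disposition = parse_disposition(msg.get("X-SpamCop-Disposition", ""))
    checked = (msg.get("X-SpamCop-Checked") or "").split()
    return {
        "filter": disposition[0] if disposition else None,
        "score": disposition[1] if disposition else None,
        "checked_ips": checked,
    }


def tally(raw_messages: List[str]) -> Tuple[Counter, int]:
    """Count held messages per filter.

    The second value counts SpamAssassin-held messages whose X-SpamCop-Checked
    header is empty, i.e. no DNSBL lookup was performed at all.
    """
    counts: Counter = Counter()
    sa_without_dnsbl_lookup = 0
    for raw in raw_messages:
        info = classify(raw)
        counts[info["filter"] or "not-blocked"] += 1
        if info["filter"] == "SpamAssassin" and not info["checked_ips"]:
            sa_without_dnsbl_lookup += 1
    return counts, sa_without_dnsbl_lookup


def share(counts: Counter, filter_name: str) -> float:
    """Fraction of held messages attributed to one filter (0.0 if nothing held)."""
    total = sum(counts.values())
    return counts[filter_name] / total if total else 0.0


if __name__ == "__main__":
    counts, skipped = tally(SAMPLE_HELD_MAIL)
    for name, n in counts.most_common():
        print(f"{name:20s} {n:4d}  ({share(counts, name):.0%})")
    print(f"SpamAssassin-held with no DNSBL lookup: {skipped}")
```

Run it over an export of the Held Mail folder instead of the constructed samples to get the per-filter split the thread is arguing about; a high "no DNSBL lookup" count simply reflects SA being first in line, not the SCBL being empty.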

Posted

My recollection was that SpamAssassin is pretty much first, the SpamCopDNSBL last .... However, not finding a post from JT that actually says this in here .... noting that all the SpamAssassin discussion stuff dates back to early 2004 timeframe .. which suggests that it may have possibly been a newsgroup post ... different search criteria, too many windows open for too long here, I'll let the search work get handled by someone else ....

Posted

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

Anyway, I think I see more spam getting through than blocked by SCBL. And it's pretty "spammy", although it lacks the exact characteristics SpamAssassin is looking for. It also has patterns suggesting that spam is sent by the same people.

The spam that gets through all the time:

spam containing "pußIicidad" in subject, always from Peru

Canadian pharmacy

"Russian teens", usually misspelled and with a female name in From

pump-and-dump using a GIF image for the message and some meaningless text

spam that used to get through until I put them to my personal blacklist:

bizsyscon.com (radio hardware)

mwart.com (medieval weapons)

beautysak.com (cosmetics)

I've just disabled all blacklists and Spamassassin, leaving only SCBL. Let's see what I'll get overnight.

Posted

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

That is my configuration just about since I started with SpamCop ~4 years ago. I have very few false positives after whitelisting for the first month or so. I have maybe a dozen or so entries in the whitelist. My percentage of spam into the inbox has varied a little from time to time, but always back to a normal false negative of about 1/month.

SpamAssassin was placed as the first scan about a year ago now. My first post on the subject is here: http://forum.spamcop.net/forums/index.php?...ost&p=35389

Posted

SpamAssassin was placed as the first scan about a year ago now.

Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

[52224] yamasaki2525[at]hotmail.co.jp (=?ISO-2022-JP?B?GyRCJWIlSyU/ITw1XkpnPTghKiEqGyhC?= Preview )

Thu, 28 Sep 2006 19:33:59 -0400 (Blocked bl.spamcop.net)

[52225] lznoiybdszl[at]yahoo.co.jp (=?iso-2022-jp?B?GyRCTSUkNyQkOEBNVSRyJCskMSRGJCQkPyRAJCQkPyQzJEghIjtkJE8bKEI=?= Preview )

Thu, 28 Sep 2006 19:34:22 -0400 ()

[52226] tomwblvq[at]acculab.com (Young aphrodisiac Cuties good Videeo! Preview )

Thu, 28 Sep 2006 17:14:58 -0400 ()

[52227] jaimeerhart[at]x-provider.com (Oristano/ E' morto il parlamentare di Forza Italia Ignazio Manunza Preview )

Thu, 28 Sep 2006 17:49:13 -0500 ()

I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.

Posted

Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through. In the past few years, there have been only a few times where spam was regularly slipping through. Usually, it only lasts for a couple of days until the filters catch up.

Posted

I am experiencing the same high rate of slip-throughs with similar settings, I will bring some tracking URLs next time I report. Oddly SpamPal recognizes the majority of these and it uses similar filtering.

Posted
I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.

and for that, my original search pattern would work, again referencing 2004 discussions in here .... using the 'word' link Search at the top of the screen .... SpamAssassin as the keyword, jefft as the poster, select "as posts" ... do it .... a number of discussions, attempts, results on various 'additional' tools, bits, etc.

Posted

Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through.

These are the four spams that slipped through SCBL since I turned off other filters:

http://www.spamcop.net/sc?id=z1082903827z6...87d9d2eb2745aez

http://www.spamcop.net/sc?id=z1082903838z4...5241fad58efed3z

http://www.spamcop.net/sc?id=z1082903847zb...31d97fb62ddb1fz

http://www.spamcop.net/sc?id=z1082988037z2...b5a252abceda20z

Posted

Here's one that slipped through:

http://www.spamcop.net/sc?id=z1083657607z5...f665721b1c5a10z

The source wasn't on the SCBL because nobody else has reported it yet. Maybe we need more reporters, assuming that the spam sources seem to be multiplying?

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL:

Dear Home Owner,

Your crd. rating doesn't matter to us. If you own property

and need immediate capital to use any way you want or simply want

to cutback your monthly payments by a third or more,

fill out this simple, secure one minute form for an instant quote.

No sensitive information will be asked on the form

Don't worry about acceptance, your cr. will not disqualify you

we specialize in all kinds of ratings.

(url deleted)

Regards,

Cole Peoples

Approval Manager

________________________________________________

fun stuff:

bonnet it applicate may absorption try apron be

chemotherapy be afire it apparel be broadside and

ceres it cauliflower a contort see acetic the

betray it's doctrinaire a calamus may cutset may

cutout some clip not albany but brainstorm it's

artillery be befit in deforest a bricklaying may

coroutine but centerline and beachcomb try dialect not

The SA tests mentioned in the headers that I withheld were: "SARE_SPEC_XXGEOCITIE5,UNPARSEABLE_RELAY" (and yes, I carefully mess with the headers....the spam sources don't need to know the details of my filtering technology....they only need to see what the headers *would* have looked like without all that extra processing).

I previously had my Brazil and Argentina blocklists turned "off" in my SC email settings, but I've just turned them "on" as well as the other two that I wasn't using, and lowered my SA threshold to 4.

BTW, a lot of the stuff in this topic is specific to SC Email accounts, but it started off being about the SCBL, so I suppose it still belongs here in the Blocklist Help forum.

DT

Posted

The net result is that about one third of spam is caught by SCBL. Perhaps my e-mail address is known to the "best" spammers using the most "advanced" methods of spam delivery via zombies :(

Posted
The net result is that about one third of spam is caught by SCBL.

I don't think that's a bad statistic...it would be nice if it were higher, but the number of zombies seems to have grown exponentially, so the SCBL can only keep up with that if reporting activity is similarly increased, and perhaps if the thresholds for listing an IP were made more aggressive. Failing that, we must rely on a "cocktail" of multiple BLs and SpamAssassin, which can bring the amount caught/blocked/held/whatever much closer to 100%, with few false positives.

DT

2 weeks later...
Posted

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL

Email filters really need to be looked at as stop-gap solutions - they do nothing to discourage spammers from spamming (if anything, they'll spam even more to try to bypass them). Therefore spam victims need to consider more aggressive strategies to deter spammers, specifically ones that harm their business (or "bizness").

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads. Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me). This is discussed further in the Refi FormFiller (GreaseMonkey) v1.0 thread.

Posted
<snip>

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads.

...That doesn't sound like a good idea. It's doing the same thing spammers do -- hog up the internet with garbage.
Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me).

<snip>

...This sounds like listwashing, which others in these fora have mentioned to be something not to be encouraged.

Archived

This topic is now archived and is closed to further replies.
