SpamCop Blacklist getting toothless?


proski

I'm a paid subscriber. I have noticed that very little spam to my SpamCop address is blocked by the SpamCop blacklist. Most spam is blocked by SpamAssassin, and quite a lot of spam is getting to my INBOX.

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

Very little spam would come through. I remember that about a third of all spam as shown by http://www.spamcop.net/reportheld?action=heldlog was blocked by bl.spamcop.net.

Back then, the biggest problem wasn't the spam getting through - it was false positives, i.e. legitimate messages getting to the Held Mail folder. One day I got fed up with it and disabled the two blacklists that caused virtually all of the false positives - list.dsbl.org and dnsbl.sorbs.net. I also upped the SpamAssassin limit to 6 to allow some very technical posts with lots of unusual punctuation.

As one would expect, false positives became quite rare, while more spam started getting to the INBOX. But over time, the amount of spam getting through the filters grew dramatically, exceeding the legitimate e-mail traffic, including several mailing lists I'm subscribed to.

Initially, I attributed it to increased cleverness of the spammers. However, I noticed one anomaly. Very few spams are blocked by bl.spamcop.net now. The absolute majority of spams are blocked by SpamAssassin, even with the limit increased to 6. I don't have any reliable statistics, but bl.spamcop.net catches one or two spams of the 100-150 spams I'm getting in a day. I would say bl.spamcop.net almost certainly catches less than 5% of the spam I'm getting.

I'm reporting all the spam that comes to me. My average reporting time is 4 hours. Am I wasting my time on those reports? Is bl.spamcop.net getting too lenient to spammers?


I recall this question being asked previously in the Email forum.

What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

Andrew


What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

I'm pretty sure that the SA routine happens first, because according to the headers of messages put into our Held Mail due to the SA score, the IP addresses aren't even checked...here's an example:

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=11

whereas the next item in my current Held Mail is more like this:

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 219.114.33.118

X-SpamCop-Disposition: Blocked bl.spamcop.net

(I masked the two IPs having to do with my Mailhosts)

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

DT

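One way to get the "reliable statistics" the original poster says he lacks, written as an added example that is not from this thread or from SpamCop: it reads the two X-SpamCop-* headers quoted above from a set of constructed sample messages, tallies which engine held each one, and checks the SA-runs-first inference (an SA block leaves X-SpamCop-Checked empty). Header names and values follow the quoted headers; the sample messages are constructed.

```python
"""Tally SpamCop Held Mail dispositions from X-SpamCop-* headers."""
import re
from collections import Counter

# Constructed sample headers, modelled on the two cases quoted in the thread:
# a SpamAssassin block leaves X-SpamCop-Checked empty (the relay IPs were never
# tested), while an SCBL block lists the relay chain that was checked.
SAMPLE_MESSAGES = [
    "X-SpamCop-Checked: \n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=11\n",
    "X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 219.114.33.118\n"
    "X-SpamCop-Disposition: Blocked bl.spamcop.net\n",
    "X-SpamCop-Checked: \n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=7\n",
    "X-SpamCop-Checked: 192.168.1.101 x.x.x.x 203.0.113.9\n"
    "X-SpamCop-Disposition: Blocked bl.spamcop.net\n",
]

HEADER_RE = re.compile(r"^(X-SpamCop-[A-Za-z]+):[ \t]*(.*)$", re.MULTILINE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def spamcop_headers(raw):
    """Return the X-SpamCop-* headers of one raw message as a dict."""
    return {name: value.strip() for name, value in HEADER_RE.findall(raw)}


def checked_ips(raw):
    """Relay IPs SpamCop actually tested; masked 'x.x.x.x' tokens are dropped."""
    tokens = spamcop_headers(raw).get("X-SpamCop-Checked", "").split()
    return [t for t in tokens if IPV4_RE.match(t)]


def classify(raw):
    """Map the disposition to (engine, score); score is set only for SpamAssassin."""
    disp = spamcop_headers(raw).get("X-SpamCop-Disposition", "")
    m = re.match(r"Blocked SpamAssassin=(\d+)", disp)
    if m:
        return ("SpamAssassin", int(m.group(1)))
    if disp.startswith("Blocked "):
        return (disp[len("Blocked "):], None)
    return ("delivered", None)


def tally(messages):
    """Count how many messages each engine held, e.g. SCBL versus SpamAssassin."""
    return Counter(classify(msg)[0] for msg in messages)


def sa_first_consistent(messages):
    """True when every SA block has an empty X-SpamCop-Checked, i.e. SA ran first."""
    return all(checked_ips(m) == [] for m in messages
               if classify(m)[0] == "SpamAssassin")
```

Point it at the raw headers of a Held Mail folder to see what share of held spam the SCBL actually caught, rather than guessing from memory.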

My recollection was that SpamAssassin is pretty much first, the SpamCopDNSBL last .... However, not finding a post from JT that actually says this in here .... noting that all the SpamAssassin discussion stuff dates back to early 2004 timeframe .. which suggests that it may have possibly been a newsgroup post ... different search criteria, too many windows open for too long here, I'll let the search work get handled by someone else ....


My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

Anyway, I think I see more spam getting through than blocked by SCBL. And it's pretty "spammy", although it lacks the exact characteristics SpamAssassin is looking for. It also has patterns suggesting that spam is sent by the same people.

The spam that gets through all the time:

spam containing "pußIicidad" in subject, always from Peru

Canadian pharmacy

"Russian teens", usually misspelled and with a female name in From

pump-and-dump using a GIF image for the message and some meaningless text

spam that used to get through until I put the senders on my personal blacklist:

bizsyscon.com (radio hardware)

mwart.com (medieval weapons)

beautysak.com (cosmetics)

I've just disabled all blacklists and Spamassassin, leaving only SCBL. Let's see what I'll get overnight.


It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

That is my configuration just about since I started with SpamCop ~4 years ago. I have very few false positives after whitelisting for the first month or so. I have maybe a dozen or so entries in the whitelist. My percentage of spam into the inbox has varied a little from time to time, but always back to a normal false negative of about 1/month.

SpamAssassin was placed as the first scan about a year ago now. My first post on the subject is here: http://forum.spamcop.net/forums/index.php?...ost&p=35389


SpamAssassin was placed as the first scan about a year ago now.

Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

[52224] yamasaki2525[at]hotmail.co.jp (=?ISO-2022-JP?B?GyRCJWIlSyU/ITw1XkpnPTghKiEqGyhC?= Preview )

Thu, 28 Sep 2006 19:33:59 -0400 (Blocked bl.spamcop.net)

[52225] lznoiybdszl[at]yahoo.co.jp (=?iso-2022-jp?B?GyRCTSUkNyQkOEBNVSRyJCskMSRGJCQkPyRAJCQkPyQzJEghIjtkJE8bKEI=?= Preview )

Thu, 28 Sep 2006 19:34:22 -0400 ()

[52226] tomwblvq[at]acculab.com (Young aphrodisiac Cuties good Videeo! Preview )

Thu, 28 Sep 2006 17:14:58 -0400 ()

[52227] jaimeerhart[at]x-provider.com (Oristano/ E' morto il parlamentare di Forza Italia Ignazio Manunza Preview )

Thu, 28 Sep 2006 17:49:13 -0500 ()

I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.


Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through. In the past few years, there have been only a few times where spam was regularly slipping through. Usually, it only lasts for a couple of days until the filters catch up.


I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.

and for that, my original search pattern would work, again referencing 2004 discussions in here .... using the 'word' link Search at the top of the screen .... SpamAssassin as the keyword, jefft as the poster, select "as posts" ... do it .... a number of discussions, attempts, results on various 'additional' tools, bits, etc.


Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through.

These are the four spams that slipped through SCBL since I turned off other filters:

http://www.spamcop.net/sc?id=z1082903827z6...87d9d2eb2745aez

http://www.spamcop.net/sc?id=z1082903838z4...5241fad58efed3z

http://www.spamcop.net/sc?id=z1082903847zb...31d97fb62ddb1fz

http://www.spamcop.net/sc?id=z1082988037z2...b5a252abceda20z

Here's one that slipped through:

http://www.spamcop.net/sc?id=z1083657607z5...f665721b1c5a10z

The source wasn't on the SCBL because nobody else has reported it yet. Maybe we need more reporters, assuming that the spam sources seem to be multiplying?

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL:

Dear Home Owner,

Your crd. rating doesn't matter to us. If you own property

and need immediate capital to use any way you want or simply want

to cutback your monthly payments by a third or more,

fill out this simple, secure one minute form for an instant quote.

No sensitive information will be asked on the form

Don't worry about acceptance, your cr. will not disqualify you

we specialize in all kinds of ratings.

(url deleted)

Regards,

Cole Peoples

Approval Manager

________________________________________________

fun stuff:

bonnet it applicate may absorption try apron be

chemotherapy be afire it apparel be broadside and

ceres it cauliflower a contort see acetic the

betray it's doctrinaire a calamus may cutset may

cutout some clip not albany but brainstorm it's

artillery be befit in deforest a bricklaying may

coroutine but centerline and beachcomb try dialect not

The SA tests mentioned in the headers that I withheld were: "SARE_SPEC_XXGEOCITIE5,UNPARSEABLE_RELAY" (and yes, I carefully mess with the headers....the spam sources don't need to know the details of my filtering technology....they only need to see what the headers *would* have looked like without all that extra processing).

I previously had my Brazil and Argentina blocklists turned "off" in my SC email settings, but I've just turned them "on" as well as the other two that I wasn't using, and lowered my SA threshold to 4.

BTW, a lot of the stuff in this topic is specific to SC Email accounts, but it started off being about the SCBL, so I suppose it still belongs here in the Blocklist Help forum.

DT


The net result is that about one third of spam is caught by SCBL.

I don't think that's a bad statistic...it would be nice if it were higher, but the number of zombies seems to have grown exponentially, so the SCBL can only keep up with that if reporting activity is similarly increased, and perhaps if the thresholds for listing an IP were made more aggressive. Failing that, we must rely on a "cocktail" of multiple BLs and SpamAssassin, which can bring the amount caught/blocked/held/whatever much closer to 100%, with few false positives.

DT

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL

Email filters really need to be looked at as stop-gap solutions - they do nothing to discourage spammers from spamming (if anything, they'll spam even more to try to bypass them). Therefore spam victims need to consider more aggressive strategies to deter spammers, specifically ones that harm their business (or "bizness").

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads. Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me). This is discussed further in the Refi FormFiller (GreaseMonkey) v1.0 thread.


<snip>

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads.

...That doesn't sound like a good idea. It's doing the same thing spammers do -- hog up the internet with garbage.

Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me).

<snip>

...This sounds like listwashing, which others in these fora have mentioned to be something not to be encouraged.

Archived

This topic is now archived and is closed to further replies.
