[Resolved] SpamCop spamtraps


thatsaspam

You are starting to take the argument to extremes where it is no longer making sense (which is why Wazoo moved it).

No, I'm just pointing out possible scenarios, which put holes in your dogmatic approach. You seem unwilling to accept that things happen outside of your experience.

What does not make sense to me is why your primary email is down so much to use your secondary for the same message twice. You are extending your facts to fit your argument.

Actually, I'm not extending any facts at all, this is just an example of a probable scenario. If I said that there was only one bounce at the secondary, and that was enough to make the sender think they were being ignored, would that be acceptable?

There are many reasons a server may be unavailable, I'm sure I don't need to enumerate them for you.

Email is closer to tying a note to a rock and throwing it over the wall.

Yes, that's how we all view it, except the one or two people in the world who might believe it is a mission critical reliable medium.

Interesting divergence right there. If most of the mail at that point is spam of course you would drop it.

Sorry, I'm not seeing a divergence. I didn't say anywhere there that the secondary wasn't using some kind of filtering - which I think is the point you are trying to latch on to. I'll be more explicit: if the secondary has filtered the mail and let some proportion of it through, is it appropriate to just silently drop that mail if it is misaddressed for some reason?

Steven thinks it is, I think it isn't - that seems to be the difference in approach.

Many networks are seeing 90%+ of messaging being spam.

Prior to filtering, yes, perhaps. But I'm not seeing anything like that post-filtering.

But when, however that is resolved and it is put behind you, reverting to the refrain (I can understand) you are finding tedious - not hitting a spamtrap and not "spamming" (however unfair the characterization) are not the same thing. No moderator would resile from that and I doubt many other SC forum or NG participants would either.

Sorry, I'm not quite able to parse that paragraph: one can be a spammer and not hit a spamtrap and/or one can hit a spamtrap and not be a spammer?

If that's what you are saying, then, yes, I agree.

As it is, I don't currently have a problem with the way SpamCop works - it's still in use on my servers. My only issue is that we were blacklisted, and currently I cannot do anything about that because the "deputies" won't give me the information to fix the problem. Effectively this means that we could get listed every couple of weeks, for want of a little information.

Just to reiterate, I've found that there is a serious bug with the list software. So far the developer has not responded. Which I think means we'll have to transition to another list server. What this doesn't mean is that the problem goes away - because the spamtrap address is still in the "clean" list.

Apart from that Farelf I don't think we have much to disagree on - ie the parts of your post that I haven't responded to are not an issue between us.


...Sorry, I'm not quite able to parse that paragraph: one can be a spammer and not hit a spamtrap and/or one can hit a spamtrap and not be a spammer?...
Convoluted phrasing on my part. OoO autoresponses to people who didn't send the trigger message are regarded as spam by some/many and are reportable.

To extend from that, if you have filtered out/isolated the spam then it isn't a problem except for the occasional false negative. Which should never be a spamtrap and is therefore unlikely to get you listed.

A compromised spamtrap is imaginable - one which could be deliberately or otherwise fed into a mail stream as a reply to address or a forged from address. A spam trap address will be (one supposes) virtually immune from dictionary attacks and the like (which might offer some clue or at least reduce the possibilities when considering a list which might include a spamtrap address - but there again the tricky part might be entirely in the domain name which needn't look out of the ordinary, considering what passes for ordinary). The deputies must be constantly alert to the possibility of a spamtrap address "escaping" to the wild. I can't offer anything constructive.


I can't offer anything constructive.

But thanks for trying. I think your analysis of the situation is more or less the same as mine.

To tie this thread up, here's what I have confirmed with the SpamCop admins:

*******

Our mail host was listed due to a single email to a single spamtrap address (so, you may ask again, "what is it that you don't understand about a single report not causing a blacklisting?")

There were no user reports of spam from our host (I'd take a guess that you probably need to be sending tens of thousands of spam mails at a time to trigger two user reports - perhaps even hundreds of thousands - our biggest list, and the one that caused this blacklisting, is 4,300 users, so no surprises there).

The admins won't tell me the spamtrap address (again no surprise).

This list sent email to the same spamtrap address in June (SpamCop only keeps records for 90 days), but this did not trigger a blacklisting.

This same spamtrap address has been in use for at least two years (which means that it could have received messages from our list dozens of times).

I can't really work out what the blacklisting criteria is, other than it looks possible that the more mail you send the less likely you are to be blacklisted (ie because we've been relatively quiet for the last month or so we got blacklisted for the August mailing, and maybe June was busier so we didn't!?)

********

I'll take a look through the list to see if there are any candidates for this spamtrap address, but I reckon it's a pretty impossible task - I've seen some pretty weird addresses in there and I know they are genuine.

I think it's possible that this spamtrap address has been compromised, and it has been maliciously inserted into our list by way of the bug I mentioned earlier. I've explained this to the admins, but they seem to have their orders (ie they aren't going to do anything to help me track it down).

Thanks for your various feedback.


Quick question. If you are confirming signup address using closed loop opt-in, how could the address have gotten onto your list? Someone could have signed it up, but they would not have been able to confirm it, as the confirmation email would have gone to a spamtrap.

It seems very improbable that two people would have tried to sign up the same spamtrap address. It seems equally improbable that the spamtrap is compromised, and has not shown substantially more suspicious traffic than the 2 emails in question.

I think we are still missing a key piece of information somewhere. Couldn't say if it is information from the deputies or from the OP that is missing, or if it is just pure random chance, however improbable that has caused this listing against all odds.


<snip>

Our mail host was listed due to a single email to a single spamtrap address (so, you may ask again, "what is it that you don't understand about a single report not causing a blacklisting?")

<snip>

...Interesting! That's not my understanding (of course, my understanding could be mistaken). I will send a note off to the SpamCop Deputies asking for clarification.

...Thanks!


I think we are still missing a key piece of information somewhere. Couldn't say if it is information from the deputies or from the OP that is missing, or if it is just pure random chance, however improbable that has caused this listing against all odds.

My guess is that it was from the list where someone requests to be on that list and is added by an administrator. The chances of a typo could happen there, maybe. Otherwise, if the other lists are confirmed subscription, then it would be difficult to get a compromised address in them.

Perhaps, what the OP could do is to send a confirmation email to that list explaining the problem.

Miss Betsy


Quick question. If you are confirming signup address using closed loop opt-in, how could the address have gotten onto your list? Someone could have signed it up, but they would not have been able to confirm it, as the confirmation email would have gone to a spamtrap.

If a malicious user can predict the confirmation URL (by having signed up previously and seeing an abusable format), it is trivial to confirm requests sent to other addresses. I once demonstrated this to a mailing list owner who swore blind his confirmation system was secure but his list was hitting spamtraps - I don't recall the exact flaw but it was either his system used the same token for each confirmation request or it used a serial counter that incremented by one each time and was easy to predict.

Closed loop opt-in alone is not enough - it needs a unique unguessable token for each request.

[at]thatsaspam

If you are unable to identify the bad address, you could ask your list members to resubscribe (perhaps after your developer fixes the verification exploit). Another possibility is sending to a limited number of addresses every day while monitoring the blocklist to try to identify the spamtrap address.

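The point Snowbat makes above (a fixed or serially incrementing confirmation token lets anyone confirm a subscription on someone else's behalf) is easiest to see against a token scheme that does it properly. The following is an added example, not code from this thread or from any list software discussed in it: each pending request gets a nonce from the OS CSPRNG, the nonce is HMAC-bound to the address and an expiry time, and confirmation compares in constant time and consumes the record. The server-side store is a plain dict and the SERVER_KEY is a constructed placeholder; both are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder for this example; a real deployment loads this from configuration.
SERVER_KEY = b"example-key-replace-me"
TOKEN_TTL_SECONDS = 48 * 3600


def _mac(address, expires, nonce):
    """HMAC that binds the random nonce to the address and expiry time."""
    msg = f"{address}|{expires}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _token(address, record):
    """Token string as it would appear in the confirmation URL emailed to `address`."""
    return f"{record['expires']}.{record['nonce']}.{_mac(address, record['expires'], record['nonce'])}"


def issue_confirmation(pending, address, now=None):
    """Record a pending subscription for `address` and return the token to email to it.

    `pending` is the server-side store (a dict here). The nonce comes from the OS
    CSPRNG, so a previous subscriber learns nothing about the next token.
    """
    now = int(time.time()) if now is None else int(now)
    record = {"nonce": secrets.token_urlsafe(32),   # 256 bits of entropy
              "expires": now + TOKEN_TTL_SECONDS}
    pending[address] = record
    return _token(address, record)


def confirm(pending, address, token, now=None):
    """Return True (and activate the subscription) only if `token` is the one issued
    to `address`, is unexpired, and has not been used before."""
    now = int(time.time()) if now is None else int(now)
    record = pending.get(address)
    if record is None:
        return False                       # nothing pending for this address
    if now > record["expires"]:
        del pending[address]
        return False                       # stale request; ask the user to start over
    expected = _token(address, record)
    if not hmac.compare_digest(expected, token):
        return False                       # guessed, tampered, or another address's token
    del pending[address]                   # single use: the same token cannot confirm twice
    return True


if __name__ == "__main__":
    store = {}
    token = issue_confirmation(store, "alice@example.org")
    print("first confirm :", confirm(store, "alice@example.org", token))   # True
    print("replayed      :", confirm(store, "alice@example.org", token))   # False
```

Because the token is derived from a per-request nonce rather than a counter, observing one's own confirmation link gives no information about anyone else's, and binding the address into the MAC means a token cannot be redirected to confirm a different address even if the URL is edited.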

If a malicious user can predict the confirmation URL (by having signed up previously and seeing an abusable format), it is trivial to confirm requests sent to other addresses. I once demonstrated this to a mailing list owner who swore blind his confirmation system was secure but his list was hitting spamtraps - I don't recall the exact flaw but it was either his system used the same token for each confirmation request or it used a serial counter that incremented by one each time and was easy to predict.

You're absolutely right Snowbat, I hadn't even considered that. When I think closed loop opt-in, I automatically assume that there will be some kind of unique, random token involved. Every instance I have built I have done that way for just the reasons you mention. It hadn't even occurred to me that someone would build a system that didn't involve an appropriately random token, but there is so much bad software floating around out there, I guess it really wouldn't surprise me too much to see something like that in production somewhere.


Quick question. If you are confirming signup address using closed loop opt-in, how could the address have gotten onto your list? Someone could have signed it up, but they would not have been able to confirm it, as the confirmation email would have gone to a spamtrap.

Software bug, as mentioned above. Also, from the discussion I had with the admins it appears that you can get listed for responding to a subrequest (though that didn't happen in this case), and the admins will manually delist if that's the case (no idea how long that takes).

It seems very improbable that two people would have tried to sign up the same spamtrap address. It seems equally improbably that the spamtrap is compromised, and has not shown substantially more suspicious traffic than the 2 emails in question.

On this your guess is as good as mine - I can't trace it because I don't have the information. There could have been more hits to that address from our list, going back "at least two years", but SpamCop only keeps records for 90 days.

I think we are still missing a key piece of information somewhere. Couldn't say if it is information from the deputies or from the OP that is missing, or if it is just pure random chance, however improbable that has caused this listing against all odds.

I'm definitely missing a key piece of information! <_<

My guess is that is was from the list where someone requests to be on that list and is added by an administrator. The chances of typo could happen there, maybe. Otherwise, if the other lists are confirmed subscription, then it would be difficult to get a compromised address in them.

I don't think it's a typo, and it's unlikely that an admin input or changed the details, for this list.

Perhaps, what the OP could do is to send a confirmation email to that list explaining the problem.

Unfortunately my opinion on this is that if you asked everyone to reconfirm then you could well lose 90% of the list. That's because it's an announce list, not a discussion list. People read it as and when they feel like it. I think you'll have to take my word for it on that, I've got the experience with this particular list.


If you are unable to identify the bad address, you could ask your list members to resubscribe (perhaps after your developer fixes the verification exploit). Another possibility is sending to a limited number of addresses every day while monitoring the blocklist to try to identify the spamtrap address.

See above for problems with resubscription.

From the feedback I have from the developer the bug isn't going to be fixed in a hurry. This is unacceptable to me in a lot of ways, but we're transitioning to new list server software ASAP. Unfortunately this only prevents future exploits, when the list moves to new software the "bad" address will go with it.

I've already figured out how I can "discover" the bad address, but it may take a little while as the listing criteria results in a sort of randomisation - you can't guarantee to be listed by sending to a single spamtrap address (although you can be so listed). I'll have to figure out some special delivery routine for that list, so that when we hit the spamtrap (eventually) we'll be able to narrow it down. Then at some future point we'll narrow it down some more, until...

Hmm, I think I'll then have compromised one of those secret spamtrap addresses they don't want to tell me. <_<

Anyway, I think that's the only way to trace it.

It hadn't even occurred to me that someone would build a system that didn't involve an appropriately random token, but there is so much bad software floating around out there...

Let's just say "there's a lot of bad software out there"...

There is a bug, I've confirmed that with another user of the list software. This may be the source of the spamtrap address on the list, it may not. There could be another bug...

Again, I'm kind of powerless to do anything about it because I can't trace the problem. I don't even really have a timeframe for tracing it except that it could have happened some time between the end of 1996 and June 2007.

Thanks for the feedback.


As it happens lists are sold by spammers for a profit and use of such lists is seen as spam no matter how you look at it...they are unsolicited and unwanted....

The idiot spammers occasionally spam all of us with such lists, here is one reported today:

Aug 20 - Aug 24: With every purchase of our Physician Directory comes absolutely FREE a Contact List for Dentists, Nursing Homes and Hospitals

Licensed Physicians in the USA

788,786 in total - 17,400 emails

Many popular specialties like Emergency Medicine, Plastic Surgery, OBGYN, Oncology, Pediatrics and more

Sort by over a dozen different fields

New Price: $353

*** BONUS: Get the 3 lists below as a bonus when you order the MD data ***

Database of US Hospitals

complete contact information for CEO's, CFO's, Directors and more - over 23,000 listings in total for more than 7,000 hospitals in the USA

Contact List of US Dentists

597,000 dentists and dental services ( a $300 value!)

Nursing Homes in the USA

includes over 31,589 Senior administrators, 11,288 Nursing Directors in over 14,706 Nursing Homes in the United States. (value: $249)

or call: 206-6xx-xxxx


As it happens lists are sold by spammers for a profit and use of such lists is seen as spam no matter how you look at it...they are unsolicited and unwanted....

The idiot spammers occasionally spam all of us with such lists, here is one reported today:

Not really sure what point you are trying to make. Spammers collect lists of addresses, and they sell them to other people - a lot of these addresses are scraped off web sites, and a *lot* of them are simply fake addresses that someone had made up to bulk out the numbers (anyone that runs a mail host will tell you of the huge number of delivery attempts that come in to not only non-existent addresses, but addresses that have never existed).

I think we all know this and we all agree that this is spam.

But, we never collected addresses from anyone's web site, and we never bought a list from anyone (on occasion we have used other people's lists to promote special offers or events - with their permission). In all cases all the lists were 100% opt-in and confirmed. And we didn't send information about cross-stitch to people who were interested in PHP.

In this particular case people opted-in to get a list of news announcements every two-four weeks. That's what they got.

I hope you're not suggesting that there's no such thing as legitimate announcement lists?


For a "closed" topic, this one certainly has legs! Not to worry, there's still some useful commentary being added. I don't know that it's quite so useful but some of the posts in the Crikey case have at least passing relevance (effect of reputation on SCBL listing criteria, list management, etc.) though there was no implication of spamtraps in that one (from memory).


That all depends on what your definition of legitimate is.

If it is not confirmed then you cannot be sure.

Well, that's currently an open question. We've set up the list to "confirm" subscriptions to it. I think we'd all agree that is then legitimate. The problematic part is that there's a bug that apparently lets users by-pass this confirmation.

I think I've stated all of this above.

Rectification of fault is ongoing.


Archived

This topic is now archived and is closed to further replies.
