Spamblocking service blocked


capybara

I use Bigfish spam screening (inbound and outbound), and twice this month one of their servers got listed - apparently based primarily on NDRs and virus-generated mail. The virus-generated mail appeared only to have occurred during brief windows between virus introduction and anti-virus definition release.

The listing this morning said (in summary):

63.161.60.61 - LISTED, reported 40 times by 20 users.

The specific examples listed were mostly NDRs and virus-generated mail, with a couple of spam messages at the end.

Customers of services like Bigfish attempt to reduce their own potential for abuse by minimizing incoming viruses and spam, by screening outgoing mail.

Some questions:

Did the reported messages actually originate from the listed Bigfish server or was it just a step along the way?

Why do NDRs and virus-generated messages seem to count toward listing on the BL?

How does a mail service provider stay off the list if it only takes a few messages out of millions to gain a listing?

Does SpamCop work with mail service providers any differently from the way you work with postmaster at jo bloe dot ix dot com?


...Good questions.  The answers to some of them can be found in the FAQs.

Thanks for the references! I looked at most of them before I originally posted, but you listed some I had not yet visited and I reread a couple of others.

From http://forum.spamcop.net/forums/index.php?showtopic=140&st=5

quote

Also according to what deputies have posted in the past, spamcop.net users are not to report viruses, auto-acks, challenges from challenge response systems, or bounces.

Those reporters are said to be warned, fined from paid accounts, or banned from using spamcop.net for reporting depending on the case.

/quote

Is this actually enforced? If so, most of the reports against Bigfish might qualify for some action.

I don't bounce mail for any reason and I do my best to squelch automated responses that are not directly useful. But I know that some other users of Bigfish do send NDRs and other automated messages that get triggered by viruses and spam.

It's clear that delisting is automated, 48 hours after the last spam (or misreported spam). But I see people reporting NDRs every day, and I don't see how a large mail screening service will ever get delisted for more than a few hours at a time.

Sorry if I'm getting a little jumpy. I'm worried that the price to pay for reducing spam is to end up with my own email blocked by SpamCop users. This seems self-defeating ;)


Is this actually enforced? If so, most of the reports against Bigfish might qualify for some action.

The bigfish administration should be reporting any violations back to spamcop (I believe there is a link for them to follow).

However, many of the recent incorrect blocks have been caused when NDRs and other automated messages are sent to the spamtrap addresses spamcop utilizes.

In this case there are no reports sent to the admins. The admins should contact a deputy to see if that is the case and start the removal process.

That being said, NDRs and other automated messages that are sent to the sender address in the message are likely going to the wrong people and should be disabled. There are too many viruses and spammers which forge this information to make that a useful tool. Messages should be refused during the SMTP transaction, delivered to the final address or simply dropped.


Is this actually enforced? If so, most of the reports against Bigfish might qualify for some action.

Yes, it's enforced. But it takes action from the ISP in question to show that it's justified.

It's clear that delisting is automated, 48 hours after the last spam (or misreported spam). But I see people reporting NDRs every day, and I don't see how a large mail screening service will ever get delisted for more than a few hours at a time.

The 48 hours is a worst-case scenario .. there's actually a bit of a math formula that's invoked, number of reports, amount of mail seen, spamtraps, and time. And if documented and verified, there are circumstances where a Deputy may take some immediate action, causing things to happen much faster.

If your definition of "NDR" is Non-Delivery Reports, then yes, this seems to be an actionable item for the Deputies. Flip side is that if this NDR isn't just an NDR, i.e., it's actually some sort of advertisement for using the services of some service, there's some judgement calls that may have to be made <g>


a Deputy may take some immediate action, causing things to happen much faster.

Glad to hear this.

If your definition of "NDR" is Non-Delivery Reports, then yes, this seems to be an actionable item for the Deputies.

Yes, that's what I meant. Of course the spamtraps will suck up NDRs and generate listings without consequence. Netsky and Bagle have pretty much spread multiple variations of every email address in the world to spammers and inboxes everywhere, so I'm sure the spamtraps will be full of non-spam returns etc for a long time to come. (BTW I do agree that NDRs, virus notifications to senders, and spam rejection notices are in general a BAD THING nowadays - of course in this case the only way I knew that my mail was being blocked was that a recipient mail server sent me an NDR).

there's some judgement calls that may have to be made <g>

Thanks. I guess this is basically what I was looking for - the human judgement factor. I wanted to make sure that there was not some blind robotic system that would continually cause recipients to drop my email simply because I use a mail screening service.

The spamtraps are blind and robotic, but it looks like the Deputies can tame them when appropriate. Since the Deputies appear to have quite a bit of leeway to prevent listings as well as to address them after the fact, I can pester Bigfish to do a better job working with SpamCop if I see any more problems.

I know that Bigfish needs to work directly with SpamCop to address the false positives - that's why I worked with the forum instead of bugging the deputies. And I did notify Bigfish before bugging anyone else.

Thanks to all who responded. :)


of course in this case the only way I knew that my mail was being blocked was that a recipient mail server sent me an NDR

Look again at the NDR.

Most NDRs are generated by the sending mail server when the recipient mail server terminates the e-mail transaction with a 5xx code.

If I get an NDR for a message that I did not send, I send a manual LART to the designated abuse desk for the sending I.P. I recommend that they either change their mail server to use SMTP rejects, or send such notifications to the postmaster for the I.P. address they accepted the message from.

-John

Personal Opinion Only


Most NDRs are generated by the sending mail server when the recipient mail server terminates the e-mail transaction with a 5xx code.

Sorry - wasn't speaking precisely when I said that I received an NDR from the recipient server. The recipient server terminated with a 550, and I got an NDR from the sending server at Bigfish in response to my legitimate mail.

    <recipientaddress>: host fqdn.blah.foo[xxx.xxx.xxx.xxx] said: 550 5.7.1 spam
    access denied; ip 63.161.60.61; see bl.spamcop.net (in reply to MAIL FROM
    command)

So there was no NDR from the recipient who blocked the mail. But the recipient's rejection and the resulting NDR from Bigfish told me that our mail was being rejected due to the SpamCop listing.

Any server that accepts mail but cannot either deliver it or pass it along to another server for delivery might send an NDR. The NDR goes to the Return-Path address, which can't be verified in any meaningful way by a server that accepts the mail, so there are a lot of opportunities for mischief by spammers and viruses.

Between viruses and Joe Job spammers spoofing addresses in my domain, I get about 350 NDRs per week for mail that my domain did not send, from servers that are not mine. This is in addition to the fake NDRs that some viruses generate themselves. Although I despise these messages, I also don't have time to send LARTs to all of the bouncers. And plenty of people defend NDRs as being RFC-compliant, even if the Return-Path on the original message was bogus.

I agree that rejecting is certainly better than bouncing.

I personally favor accepting then dropping undesirable mail rather than terminating or rejecting the mail. Rejections give spammers a means to test rejection policy, and they also may cause bounces to bogus senders depending on the chain of services that led the mail to my domain.

It is the bounces to bogus addresses that are probably making the spamtrap robots nearly unmanageable right now. I bet SpamCop is doing a lot of human intervention until the robots can be upgraded to recognize virus and Joe Job bounces.

JMO YMMV
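The three options named in this thread (refuse during the SMTP transaction, accept and then bounce, accept and then drop) differ in who ends up holding the bounce. The following is an added example, written for this page rather than taken from SpamCop, Bigfish or any poster; it is a small model of one receiving MTA, with constructed sample envelopes, that scores each policy by how many innocent addresses would receive backscatter and how many messages would vanish without anyone being told. Addresses, IPs and the filter verdicts are all assumed sample data.

```python
"""Model of where a non-delivery report ends up under three MTA policies.

Added example for this thread, not SpamCop or Bigfish code. All envelopes
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Envelope:
    client_ip: str        # the host that connected to our MTA (all we can verify)
    return_path: str      # MAIL FROM address; forgeable, never verified by us
    rcpt_to: str
    true_sender: str      # who really sent it; unknown to the MTA, used only to score
    unwanted: bool        # verdict of our spam/virus filter


@dataclass(frozen=True)
class Result:
    smtp_reply: str                 # what the connecting client hears
    ndr_generated_to: Optional[str]  # bounce that *our* MTA creates, if any
    delivered: bool


POLICIES = ("reject", "accept_then_bounce", "accept_then_drop")


def handle(env: Envelope, policy: str) -> Result:
    """Apply one receiving policy to one message."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not env.unwanted:
        return Result("250 2.0.0 Ok", None, True)
    if policy == "reject":
        # Refuse inside the SMTP transaction. The client that connected learns
        # the outcome directly and we create no new message, so a forged
        # Return-Path cannot make us mail a third party.
        return Result("550 5.7.1 message refused", None, False)
    if policy == "accept_then_bounce":
        # Accept, later decide not to deliver, then mail a report to the
        # Return-Path. With a forged Return-Path this is backscatter.
        return Result("250 2.0.0 Ok", env.return_path, False)
    # accept_then_drop: accept and silently discard; nobody is notified.
    return Result("250 2.0.0 Ok", None, False)


def backscatter_victims(envs: Iterable[Envelope], policy: str) -> set:
    """Addresses that would receive a bounce for mail they never sent."""
    victims = set()
    for env in envs:
        r = handle(env, policy)
        if r.ndr_generated_to is not None and r.ndr_generated_to != env.true_sender:
            victims.add(r.ndr_generated_to)
    return victims


def silently_lost(envs: Iterable[Envelope], policy: str) -> int:
    """Messages that are neither delivered nor signalled to anyone at all."""
    count = 0
    for env in envs:
        r = handle(env, policy)
        notified = r.smtp_reply.startswith("5") or r.ndr_generated_to is not None
        if not r.delivered and not notified:
            count += 1
    return count


# Constructed sample traffic (documentation-range IPs, example domains):
#   1. a clean message
#   2. a worm with a forged Return-Path pointing at an innocent mailbox
#   3. a Joe Job spam forging another innocent address
#   4. a legitimate message that our filter flags anyway (a false positive)
SAMPLE = [
    Envelope("198.51.100.7", "alice@example.net", "bob@example.com", "alice@example.net", False),
    Envelope("203.0.113.9", "capybara@example.org", "bob@example.com", "worm@203.0.113.9", True),
    Envelope("203.0.113.10", "sales@example.org", "carol@example.com", "spammer@203.0.113.10", True),
    Envelope("198.51.100.8", "dave@example.net", "nobody@example.com", "dave@example.net", True),
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:20s} backscatter to {sorted(backscatter_victims(SAMPLE, policy))}, "
              f"silently lost: {silently_lost(SAMPLE, policy)}")
```

Run as a script it prints one line per policy. Only accept_then_bounce produces backscatter (to the two forged addresses); reject produces none and also loses nothing silently, because the false positive in sample 4 is answered with a 5xx that the real sender's MTA can turn into an honest NDR; accept_then_drop produces no backscatter either, but the model counts every dropped message, including that false positive, as lost without notice.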


Hi, copybara!

Most NDRs are generated by the sending mail server when the recipient mail server terminates the e-mail transaction with a 5xx code.

Sorry - wasn't speaking precisely when I said that I received an NDR from the recipient server. The recipient server terminated with a 550, and I got an NDR from the sending server at Bigfish in response to my legitimate mail.

    <recipientaddress>: host fqdn.blah.foo[xxx.xxx.xxx.xxx] said: 550 5.7.1 spam
    access denied; ip 63.161.60.61; see bl.spamcop.net (in reply to MAIL FROM
    command)

So there was no NDR from the recipient who blocked the mail. But the recipient's rejection and the resulting NDR from Bigfish told me that our mail was being rejected due to the SpamCop listing.

Any server that accepts mail but cannot either deliver it or pass it along to another server for delivery might send an NDR. The NDR goes to the Return-Path address <snip>

...That seems to be inconsistent with what I've seen elsewhere in these fora: Ellen's reply to "ISP Backup server listed - how to remove, How to prevent listing of such servers".


It is the bounces to bogus addresses that are probably making the spamtrap robots nearly unmanageable right now. I bet SpamCop is doing a lot of human intervention until the robots can be upgraded to recognize virus and Joe Job bounces.

You may be right. Though I like your idea of dropping them instead of sending them on and maybe others will too after coping with the spamtrap robots!

And you sound like a really reasonable person! :) Too bad more people aren't like you - we'd have the spam problem licked in no time!

Miss Betsy


Only SpamCop (no other DNSBLs) has blacklisted this server

Query bl.spamcop.net - 63.161.60.61

63.161.60.61 is mail-res.bigfish.com

63.161.60.61 not listed in bl.spamcop.net

Well, not anymore ...

If you wait long enough even SpamCop relents ;)
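The rejection quoted earlier in the thread and the manual "Query bl.spamcop.net" check above are two ends of the same mechanism: the receiving server looked up the connecting IP in a DNS-based blocklist, and anyone can repeat that lookup. The following is an added example, not SpamCop's or Bigfish's code: it parses a 550 rejection of the shape quoted in the thread, builds the reversed-octet DNSBL query name, and interprets the answer (an A record in 127.0.0.0/8 means listed, no record means not listed). The bounce text is the one quoted in the thread; the DNS answers used in the offline check are constructed, and the optional live resolver simply uses the system resolver.

```python
"""Parse a DNSBL-based 550 rejection and build the lookup it refers to.

Added example for this thread, not SpamCop or Bigfish code. The bounce text
is the one quoted in the thread; DNS answers for the offline check are
constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Rejection as quoted in the thread, with the line wrapping the bounce used.
SAMPLE_BOUNCE = """<recipientaddress>: host fqdn.blah.foo[xxx.xxx.xxx.xxx] said: 550 5.7.1 spam
access denied; ip 63.161.60.61; see bl.spamcop.net (in reply to MAIL FROM
command)"""

# "said: 550 5.7.1 ... ip A.B.C.D; see zone" -- tolerant of the line wrap.
REJECT_RE = re.compile(
    r"said:\s*(?P<code>5\d\d)\s+(?P<enhanced>\d\.\d+\.\d+)?"
    r".*?\bip\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3});\s*see\s+(?P<zone>[A-Za-z0-9.-]+)",
    re.S,
)
# Which SMTP command drew the rejection (MAIL FROM here: the sender IP was
# already judged before any message content was transmitted).
STAGE_RE = re.compile(r"in reply to\s+(?P<stage>[A-Z ]+?)\s*command", re.S)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_rejection(text: str) -> Dict[str, Optional[str]]:
    """Extract reply code, enhanced status, listed IP, DNSBL zone and stage."""
    m = REJECT_RE.search(text)
    if m is None:
        raise ValueError("no DNSBL-style 5xx rejection found in text")
    ipaddress.IPv4Address(m.group("ip"))  # raises on a malformed address
    stage = STAGE_RE.search(text)
    return {
        "code": m.group("code"),
        "enhanced": m.group("enhanced"),
        "ip": m.group("ip"),
        "zone": m.group("zone"),
        "stage": stage.group("stage").strip() if stage else None,
    }


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: octets reversed, then the zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def listed(answers: List[str]) -> bool:
    """A DNSBL answers a listed IP with an A record inside 127.0.0.0/8."""
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver; NXDOMAIN becomes an empty list."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_listing(bounce_text: str,
                  resolver: Callable[[str], List[str]] = system_resolver) -> Tuple[str, bool]:
    """From a bounce, work out the DNSBL name queried and whether it is listed now."""
    parsed = parse_rejection(bounce_text)
    name = dnsbl_query_name(parsed["ip"], parsed["zone"])
    return name, listed(resolver(name))


if __name__ == "__main__":
    info = parse_rejection(SAMPLE_BOUNCE)
    print("rejected with", info["code"], info["enhanced"], "at", info["stage"])
    name, is_listed = check_listing(SAMPLE_BOUNCE)  # uses the live resolver
    print(name, "->", "LISTED" if is_listed else "not listed")
```

Run as a script, the second line reproduces the "Query bl.spamcop.net" check from this thread against the current state of the zone; the `resolver` parameter exists so the same logic can be exercised offline with a stand-in that returns constructed answers.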
