Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

Hello,

I have had to remove spamcop from my rbl check list. They have had some 
legitimate mail servers listed recently. They had the gentoo mail list 
listed and some other important servers, and I can't see why they were 
added.


Regards ..

Leonard
- Original Message - 
From: Christopher X. Candreva [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Wednesday, November 23, 2005 2:29 AM
Subject: Re: spamcop.net tactics



On Tue, 22 Nov 2005, Chr. v. Stuckrad wrote:


So simply by having users use 'vacation' or viruses/worms
sending themselves from faked spam-trap-addresses and bouncing
at your site, you can be blacklisted for 24 hours (for each?).


By having users use vacation without a filter to stop it from replying to
spam, or accepting virus mail then generating a new error, you are engaged
in a DDOS against the people whose address is forged into the mail. We have
users getting 3-6 THOUSAND such bounces a day.

So yes, I'm glad SpamCop is blocking sites that do this.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/





Re: spamcop.net tactics

2005-11-23 Thread Jeff Chan
On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote:
> Hello,
>
> I have had to remove spamcop from my rbl check list. They have had some
> legitimate mail servers listed recently. They had the gentoo mail list
> listed and some other important servers, and I can't see why they were
> added.
>
> Regards ..
>
> Leonard

If you mean at the MTA level, yes, I don't use bl.spamcop.net in
my MTAs.  For SpamAssassin, however, it's useful as another
somewhat reliable indicator of spamminess to increment the scores
a bit, just like SORBLs or SPEWS, which would otherwise be
largely unusable for outright blocking in an MTA for most
people.

SpamCop's bl gets IPs that users report.  There's some filtering
and munging, but it's either less than one would like or more
than one would like, depending on one's perspective.  IOW some
SpamCop user (unwisely) reported a gentoo mailing list message as
spam, and that's why it got onto the blacklist: user error.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

Jeff,

Thanks again ..

Regards ..

Leonard
- Original Message - 
From: Jeff Chan [EMAIL PROTECTED]

To: Leonard SA [EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 9:13 AM
Subject: Re: spamcop.net tactics



On Wednesday, November 23, 2005, 5:39:05 AM, Leonard SA wrote:

Jeff,

I found this out yesterday after enabling the RBL lookups in the local.cf
config file. It's great to get a high score slash because they are listed in
the rbl list, but not rejected in case there are errors..

Being a cautious user, I still glance over my spam folders, so I would
still catch these messages marked as spam as a result. It's not the best
solution, but better than blockage at the MTA level.

I still don't know how whitelisting works and where to configure this..
so until this time I have to handle it this way.

Thanks again for your insight Jeff.

Regards ..

Leonard


Hi Leonard,
Glad to help!  Definitely check out the whitelisting feature.
The SA Wiki may help, etc.

Cheers,

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/






Re: spamcop.net tactics

2005-11-23 Thread Christopher X. Candreva
On Wed, 23 Nov 2005, Ed Kasky wrote:

> I for one would be interested to know how you implement a filter like this.
> It's one of the things that keeps me from using it sometimes...

procmail does wonders, just don't call vacation for anything marked as spam. 
We use that plus some other checks:

# Deliver a copy to vacation only when none of the '!' conditions match;
# each condition excludes a sender class that must never be auto-answered.
# The .* after Return-Path: skips the <...> around the envelope address.
# VACATIONOPT is assumed to be set earlier in the rcfile.
:0 c
* !^Return-Path:.*(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)
* !^X-Spam-Status: Yes
* !^List-
* !^X-Mailer: Accucast
* !^X-Campaignid:
| /usr/local/bin/vacation $VACATIONOPT

As for not accepting then bouncing -- do virus checking in a milter (we use 
ClamAV), and push a list of valid users to your secondaries. This sort of 
thing in access.db:

To:westnet.com              ERROR:5.1.1:550 User unknown
To:[EMAIL PROTECTED]        OK
To:[EMAIL PROTECTED]        OK
To:[EMAIL PROTECTED]        OK
To:... etc


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
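As an added example (not code from Chris's post, nor from procmail or vacation), here is the same auto-reply suppression policy as the procmail recipe above expressed in Python, extended with the RFC 3834 Auto-Submitted and Precedence checks an autoresponder should also honour; the sample messages are constructed for the demonstration.

```python
# Added example, not from the list post. Decide whether a message may safely
# receive a 'vacation' auto-reply: the procmail recipe's checks (Return-Path
# role senders, X-Spam-Status, List-*, X-Mailer: Accucast, X-Campaignid) plus
# RFC 3834 signals. Answering any of these is how a site creates backscatter.
import re
from email import message_from_string
from email.message import Message

# Local-parts of role/bounce senders that must never get an auto-reply.
ROLE_SENDER = re.compile(
    r"^(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)",
    re.IGNORECASE,
)

def should_autoreply(raw: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when the auto-reply must be suppressed."""
    msg: Message = message_from_string(raw)

    # 1. Null or missing envelope sender means this is itself a bounce/DSN.
    rp = (msg.get("Return-Path") or "").strip()
    if rp in ("", "<>"):
        return False, "null return-path (bounce)"
    local = rp.strip("<>").split("@", 1)[0]
    if ROLE_SENDER.match(local):
        return False, f"role sender {local!r}"

    # 2. Anything SpamAssassin already flagged.
    if (msg.get("X-Spam-Status") or "").lower().startswith("yes"):
        return False, "X-Spam-Status: Yes"

    # 3. Mailing-list traffic (RFC 2369 List-* headers) and bulk mailers.
    if any(h.lower().startswith("list-") for h in msg.keys()):
        return False, "mailing list"
    if msg.get("X-Campaignid") is not None:
        return False, "bulk campaign"
    if (msg.get("X-Mailer") or "").strip().lower() == "accucast":
        return False, "bulk mailer"

    # 4. RFC 3834 autoresponder signals.
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return False, "auto-submitted message"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False, "precedence bulk/list/junk"
    return True, "ok"

# Constructed sample messages, not captured traffic.
SAMPLES = {
    "personal": "Return-Path: <alice@example.org>\nFrom: alice@example.org\n"
                "Subject: lunch?\n\nFree at noon?\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@example.net\n"
              "Auto-Submitted: auto-replied\nSubject: Undelivered Mail\n\n...\n",
    "flagged": "Return-Path: <bob@example.com>\n"
               "X-Spam-Status: Yes, score=9.1 required=5.0\n"
               "Subject: cheap meds\n\n...\n",
    "list": "Return-Path: <owner-gentoo-user@example.org>\n"
            "List-Id: <gentoo-user.example.org>\nPrecedence: list\n"
            "Subject: [gentoo-user] ebuild question\n\n...\n",
}

def classify_samples() -> dict:
    """Run every constructed sample through the policy (used by the test)."""
    return {name: should_autoreply(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, why) in classify_samples().items():
        print(f"{name:9s} autoreply={'yes' if ok else 'no'} ({why})")
```

Only the "personal" sample is allowed through; a real deployment would call should_autoreply from the delivery agent before invoking vacation.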


Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

BTW list ..

Can I use the whitelisting feature even though I use qmail-scanner? Where 
would this be configured?


Regards ..

Leonard






Re: spamcop.net tactics

2005-11-23 Thread List Mail User
...
> On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote:
> > Hello,
> >
> > I have had to remove spamcop from my rbl check list. They have had some
> > legitimate mail servers listed recently. They had the gentoo mail list
> > listed and some other important servers, and I can't see why they were
> > added.
> >
> > Regards ..
> >
> > Leonard
>
> If you mean at the MTA level, yes, I don't use bl.spamcop.net in
> my MTAs.  For SpamAssassin, however, it's useful as another
> somewhat reliable indicator of spamminess to increment the scores
> a bit, just like SORBLs or SPEWS, which would otherwise be
> largely unusable for outright blocking in an MTA for most
> people.
>
> SpamCop's bl gets IPs that users report.  There's some filtering
> and munging, but it's either less than one would like or more
> than one would like, depending on one's perspective.  IOW some
> SpamCop user (unwisely) reported a gentoo mailing list message as
> spam, and that's why it got onto the blacklist: user error.
>
> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/

It is not an available option to everybody; it depends on your
MTA and other parts of your environment, but if you can, '450'ing on
the SpamCop blacklist catches a lot of zombies, open relays, etc. before
they hit the other lists (XBL, CBL, etc.), and the policy of relatively
rapid auto-delisting makes almost certain that real mail isn't lost,
just delayed.  At least for Postfix, this is quite trivial (i.e. directive
defer_if_reject); for sendmail, it is more than one line, but not much
harder (I don't know most other MTAs well enough to be the person to say
what the easiest method should be, but I can already see an easy equivalent
means for Exim too).

Paul Shupak
[EMAIL PROTECTED]



Re: spamcop.net tactics

2005-11-22 Thread Linda Walsh

That doesn't mean it's a moral, an ethical or respectable reason:
Spite is reason enough for most people these days. 


Michele Neylon:: Blacknight.ie wrote:


if your IPs end up in there it's usually for a
reason.

Michele

 



Re: spamcop.net tactics

2005-11-22 Thread Chr. v. Stuckrad
On Tue, Nov 22, 2005 at 09:24:28AM -0800, Linda Walsh wrote:
> That doesn't mean it's a moral, an ethical or respectable reason:
> Spite is reason enough for most people these days.
>
> Michele Neylon:: Blacknight.ie wrote:
>
> if your IPs end up in there it's usually for a
> reason.

Before we get into 'arguments' or even 'flamewars':

We (@{math,inf,mi}.fu-berlin.de) were hit by the same problem,
we also could not find *anything* visible which could have
put us into their list, and so we had to resort to 'circumventing'
the assumed problem.

Seemingly 'spamcop' not only counts 'real spam' (explicitly
sent to spam-traps) but also counts 'any bounce stranding in
their spam-trap' as a 'spammer or open-relay'.

So simply by having users use 'vacation' or viruses/worms
sending themselves from faked spam-trap-addresses and bouncing
at your site, you can be blacklisted for 24 hours (for each?).

After reducing 'bounces' by patching 'qmail' with a user
check in 'RCPT' of the SMTP-Delivery, making all lists
reply to local owner-addresses instead of bouncing,
by checking all auto-answering-services to never answer
on bounces, bulk-mails and spams, and such,
thereby reducing the 'chance' of hitting the
spam-traps again, we 'survived' so far without being
blocked again (at least without being blocked again
for more than the lifetime of mails sent to us).

Stucki(postmaster)


Re: spamcop.net tactics

2005-11-22 Thread Christopher X. Candreva
On Tue, 22 Nov 2005, Chr. v. Stuckrad wrote:

> So simply by having users use 'vacation' or viruses/worms
> sending themselves from faked spam-trap-addresses and bouncing
> at your site, you can be blacklisted for 24 hours (for each?).

By having users use vacation without a filter to stop it from replying to 
spam, or accepting virus mail then generating a new error, you are engaged 
in a DDOS against the people whose address is forged into the mail. We have 
users getting 3-6 THOUSAND such bounces a day.

So yes, I'm glad SpamCop is blocking sites that do this.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: spamcop.net tactics

2005-11-21 Thread qqqq
I am not a fan myself and do not use them.  However, you should have received a 
mailing to postmaster (or abuse) due to Spamcop complaints.  Did you get these?




- Original Message - 
From: Amos [EMAIL PROTECTED]
To: SpamAssassin users@spamassassin.apache.org
Sent: Monday, November 21, 2005 11:11 AM
Subject: spamcop.net tactics


| I must say I'm not particularly thrilled about the tactics employed by
| SpamCop. At a university it is sometimes difficult to control every
| single thing that everybody does on campus, unless of course perhaps
| if this was a complete authoritarian state. We try hard to control and
| minimize spamming events, but alas, sometimes they happen.
|
| Just recently we discovered we've been tagged by spamcop. Since the
| spamtrap is secret, there's no way to know what incident triggered
| this event, which makes it pretty damn difficult to track it down to
| try to deal with it. Furthermore, a site has only one chance to delist
| their server. After that, it's a permanent block.
|
| So, if we can't tell what source is a problem, only have one chance to
| delist--EVER--seems to me we're pretty screwed. Lovely.
|
| Amos
|
|



Re: spamcop.net tactics

2005-11-21 Thread Michele Neylon:: Blacknight.ie
Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
>
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is secret, there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
>
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.
>
> Amos
Amos

Signup for an account with them so that you can see the reports related
to your IP block(s)

There's no point ranting about spamcop. Their listing criteria are
fairly transparent and if your IPs end up in there it's usually for a
reason.

Michele

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting  Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


Re: spamcop.net tactics

2005-11-21 Thread Russell Miller
On Monday 21 November 2005 10:11, Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
>
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is secret, there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
>
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.

Seems to me like setting up a firewall or network logger should make it pretty 
easy to see what is sending out inordinate amounts of traffic on port 25.  Or 
you could just block port 25 outgoing as a matter of policy and force people 
to go out through the university mail servers.  No one should be sending 
email directly from a residential machine anyway.

It may be difficult either politically or technically, but it's not spamcop's 
job to police your network for you.  It's spamcop's job to help its customers 
deal with *their* spam problem - that you're apparently (if unwittingly) 
helping to cause.

University networks are pretty well known to be Swiss cheese as far as 
security goes.  Yours is probably no exception.  Fix that problem and your 
spam problem should be fixed along with it.

--Russell

-- 

Russell Miller - [EMAIL PROTECTED] - Agoura Hills, CA


Re: spamcop.net tactics

2005-11-21 Thread Chris Conn



Amos wrote:

I must say I'm not particularly thrilled about the tactics employed by
SpamCop. At a university it is sometimes difficult to control every
single thing that everybody does on campus, unless of course perhaps
if this was a complete authoritarian state. We try hard to control and
minimize spamming events, but alas, sometimes they happen.

Just recently we discovered we've been tagged by spamcop. Since the
spamtrap is secret, there's no way to know what incident triggered
this event, which makes it pretty damn difficult to track it down to
try to deal with it. Furthermore, a site has only one chance to delist
their server. After that, it's a permanent block.

So, if we can't tell what source is a problem, only have one chance to
delist--EVER--seems to me we're pretty screwed. Lovely.

Amos


Hello,

First off, this is not the SpamCOP rant list, it is the SpamAssassin software 
list.  SpamCOP and SA are not involved, other than the fact that SA queries 
SpamCOP and scores email according to its presence or absence on the SpamCOP 
lists.  SA does not need SpamCOP, and the reverse is also true.


Secondly, from my reading of their policies, you have one chance to 
_expedite_ de-listing, which in my dictionary means speed up.  De-listing 
happens automatically, however if you continue to spew spam, complaints from 
SpamCOP users will continue to list you into oblivion if need be.


You are not screwed, but you are (according to your email) responsible. 
Claiming non-socialist ideals will get you nowhere, particularly if you 
send your concerns to the wrong people.


Good luck,

Chris Conn


Re: spamcop.net tactics

2005-11-21 Thread Kelson

Amos wrote:

Just recently we discovered we've been tagged by spamcop. Since the
spamtrap is secret, there's no way to know what incident triggered
this event, which makes it pretty damn difficult to track it down to
try to deal with it. Furthermore, a site has only one chance to delist
their server. After that, it's a permanent block.

So, if we can't tell what source is a problem, only have one chance to
delist--EVER--seems to me we're pretty screwed. Lovely.


We went through this earlier this year, back when forged Received 
headers suddenly became widely popular and sites building blacklists 
were still trusting all the headers.  None of the lists that blocked us 
-- SpamCop included -- would provide us any way to determine whether the 
messages had actually come from our server.


I understand they want to keep their sources secret, but this is like 
bringing evidence to a trial in a sealed envelope and not allowing the 
defense attorney to see it.  There's no way to verify that the evidence 
was collected properly or interpreted correctly, and of course there's 
no way to resolve the problem.


Actually, SpamCop was one of the more responsive lists.  I sent them a 
point-by-point list of possible explanations for them seeing our IP 
address in their spamtraps, how likely each one was (I didn't outright 
reject the possibility that someone had broken TOS or found a way to 
trick our server into sending something, but it seemed really unlikely), 
and some sample headers from mail that really came from our servers, and 
within a day they'd written back that they were satisfied the message in 
their spamtrap had used forged headers.


None of which helps you track down the problem if someone actually *is* 
abusing your server, and I think that a two-strikes-you're-out policy is 
f*#^ing INSANE (if you'll pardon the expression) and shows a complete 
lack of understanding as to the nature of providing email for large 
communities of people outside of your direct control.  I really do not 
understand the assumption some people make that either you're AOL, 
Earthlink or Yahoo, or you're some 20-person small business that can 
impose any draconian measures you want on your users.  There's a whole 
world of in-between sites.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: spamcop.net tactics

2005-11-21 Thread Aaron Grewell

> Seems to me like setting up a firewall or network logger should make it pretty
> easy to see what is sending out inordinate amounts of traffic on port 25.  Or
> you could just block port 25 outgoing as a matter of policy and force people
> to go out through the university mail servers.  No one should be sending
> email directly from a residential machine anyway.
>
> It may be difficult either politically or technically, but it's not spamcop's
> job to police your network for you.  It's spamcop's job to help its customers
> deal with *their* spam problem - that you're apparently (if unwittingly)
> helping to cause.
>
> University networks are pretty well known to be Swiss cheese as far as
> security goes.  Yours is probably no exception.  Fix that problem and your
> spam problem should be fixed along with it.

It's a nice thought, but if it's anything like our environment we're not
actually allowed to fix it (we don't control the routers etc) so that's
not an option.  My suggestion is to ask the network folks for a
mirroring port on your WAN router and monitor it carefully for abuse.
Ask your users to register non-campus equipment with the helpdesk.  You
may be forced to resort to the LAN Mafia routine a few times, but as
the users begin to understand that you can shut them down if you need to
(block them at the DHCP server or whatever resources you do control) you
should be able to get more cooperation since it reduces inconvenience
for them if something bad does happen.  We find our monitoring system
(NTop, Snort, etc) to be invaluable for dealing with this sort of thing,
and you may be able to use SpamAssassin with a mirror port to check
outbound mail through the WAN link if you set it up right.  I haven't
tried that but it's probably worth a shot.


Re: spamcop.net tactics

2005-11-21 Thread Jeff Chan
SpamCop simply notes what addresses appear to be emitting spam.
If your network is emitting spam and SpamCop users or traps
detect it, then yes your IPs can get blacklisted.  The best way
to solve that is to stop the emission of spam from your network.

As was already suggested, one good way to do that is to block
direct port 25 output from your network and instead direct users
to officially sanctioned outbound smtp servers.  This has become
a standard practice for many ISPs, wireless networks, companies,
hotels, wifi hotspots, etc., these days for the good reason that
it defeats most outbound spam from viruses/bots/zombies.

While SpamCop's trap addresses don't provide visible analyses of
headers IIRC, user reports do, so that you can see how the
headers were interpreted.  Usually they are interpreted correctly
these days.  There is a link in the reports that shows the
analyses.

You can also sign up for an account that gives periodic reports
for your networks.

As has already been noted, this is not an appropriate place to
b!tch about SpamCop.  Better to discuss it on the SpamCop
forums:

  http://forum.spamcop.net/forums

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: spamcop.net tactics

2005-11-21 Thread Amos
On 11/21/05, Jeff Chan [EMAIL PROTECTED] wrote:
> detect it, then yes your IPs can get blacklisted.  The best way
> to solve that is to stop the emission of spam from your network.

It's easier to do when the source is identified.

> As was already suggested, one good way to do that is to block
> direct port 25 output from your network and instead direct users

Irrelevant in this case since it would appear this incident was
instigated by an Exchange user, and Exchange itself is used for
sending the mail. (Can Exchange be viewed as virusware?)

> While SpamCop's trap addresses don't provide visible analyses of
> headers IIRC, user reports do, so that you can see how the

We never received a user report, nor was a report visible using our
account, only the indication of the IP being blocked. (Perhaps our
greylisting blocked the user report.)

> You can also sign up for an account that gives periodic reports
> for your networks.

Yup. Already have.

> As has already been noted, this is not an appropriate place to
> b!tch about SpamCop.  Better to discuss it on the SpamCop
> forums:

Thanks for the reminder, and the followups from others.

Amos