Re: is listed by spamcop

From: Jan Knutar
Date: Thu Apr 22 2004 - 12:27:12 EST

On Thursday 22 April 2004 04:30, Rik van Riel wrote:
> On 22 Apr 2004, Miles Bader wrote:
> > Rik van Riel <riel@xxxxxxxxxx> writes:
> > > I'm certain than vger got listed on spamcop due to linux-kernel
> > > subscribers reporting to spamcop some of the spam that leaked
> > > onto lkml, through Matti's strict filters.
> >
> > Does that mean that spamcop does no verification of user reports?
> Indeed.

A part of the fun begins from spamcop not even trying to maintain a list
of open relays. Spamcop attempts to maintain a list of spam sources,
where an IP gets listed if X number of spams have been reported from IP
Y within time period Z.
Based on my by no means complete understanding of all the issues
involved, the problem begins with the parser, there's no way to
distinguish legitimate mailing list servers from a spammer's mailing
list server without user intervention. When parsing the Received
headers, (fx. the one in the mail I'm replying to), the parser sees
that threw it to vger, which for some reason passed it
on to my ISP's mail server. The spamcop engine does not know why vger
is relaying mail from redhat to my ISP, and checking the MX records
reveals no justification for vger to be doing this, thus, the only
thing it can reasonably trust, is my ISP's incoming smtp server, which
reported it received the mail from vger. The scenario"ISP1 -> ISP2" it
might still understand, but not this "ISP1 -> ???? -> ISP2" thing.

This is why spamcop users should not report spam sent to mailing lists.

> > I was under the impression that it's fairly easy to automatically
> > check whether a particular host is an open-relay or not, so it
> > would seem kind of irresponsible for spamcop not to do this if some
> > people are relying on their lists to do blocking (even if there's a
> > disclaimer saying not to do that, clearly people are ignorant or
> > dumb, so why not play it safe?).
> Spamcop isn't doing any vulnerability checks I'm aware of.

There are numerous RBL's which specifically list open relays (such as
Blitzed's OPM), and spamcop is NOT one of them. Mail administrators
need to understand that.
Supposedly, most of the spam traffic today goes through zombied machines
running that Other OS, on consumer broadband connections. You can throw
any amount of open proxy / relay checking at those spam sources, and
find nothing. There are lists which try to list these exploited boxen
as well (such as the XBL), but spamcop is not doing that, either, and
mail administrators need to understand that.

The advantage of spamcop is response-time. A spam source gets quickly
listed, and falls off the list if spam is no longer reported from that
source, based on a fully automated reporting system. The disadvantage
is that it's only as reliable as its weakest link: the human factor,
its users.
Anyone using spamcop RBL for outright blocking for an entire ISP has no
clue about what they're doing. Using any single blacklist for outright
blocking is a bit daft, IMO.

As a side-note, for each reported spam, spamcop tries to find a best
contact email address in attempt to contact the administrator of what
it thinks is the spam source, with links to pages with copies of the
spam in question and output from the spamcop parser engine... I suspect
spamcop sent this a few levels upstream of postmaster@xxxxxxxxxxxxxxx,
though :(

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at