
List:       spamassassin-users
Subject:    Re: spamcop.net tactics
From:       Kelson <kelson () speed ! net>
Date:       2005-11-21 18:36:48
Message-ID: 438213C0.60702 () speed ! net

Amos wrote:
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
> 
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.

We went through this earlier this year, back when forged Received 
headers suddenly became widely popular and sites building blacklists 
were still trusting all the headers.  None of the lists that blocked us 
-- SpamCop included -- would provide us any way to determine whether the 
messages had actually come from our server.

I understand they want to keep their sources secret, but this is like 
bringing evidence to a trial in a sealed envelope and not allowing the 
defense attorney to see it.  There's no way to verify that the evidence 
was collected properly or interpreted correctly, and of course there's 
no way to resolve the problem.

Actually, SpamCop was one of the more responsive lists.  I sent them a 
point-by-point list of possible explanations for them seeing our IP 
address in their spamtraps, how likely each one was (I didn't outright 
reject the possibility that someone had broken TOS or found a way to 
trick our server into sending something, but it seemed really unlikely), 
and some sample headers from mail that really came from our servers, and 
within a day they'd written back that they were satisfied the message in 
their spamtrap had used forged headers.

None of which helps you track down the problem if someone actually *is* 
abusing your server, and I think that a two-strikes-you're-out policy is 
f*#^ing INSANE (if you'll pardon the expression) and shows a complete 
lack of understanding as to the nature of providing email for large 
communities of people outside of your direct control.  I really do not 
understand the assumption some people make that either you're AOL, 
Earthlink or Yahoo, or you're some 20-person small business that can 
impose any draconian measures you want on your users.  There's a whole 
world of in-between sites.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
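The forged-Received-header problem Kelson describes above, worked through as an added example (this is not code from the thread or from SpamCop, and all hostnames, IPs and queue IDs in it are constructed, using RFC 5737 documentation ranges: 192.0.2.10 stands in for the innocent server, 198.51.100.77 for the host that really connected to the trap, 203.0.113.5 for a hypothetical edge MX the trap operator controls). The point it shows is the one Kelson had to argue by hand: only the Received line written by the MTA that stored the message records a peer IP taken from a real TCP connection; every line below it arrived in the DATA stream and is whatever the sender chose to write. A lister that harvests every IP from every Received header will happily list 192.0.2.10; a walk that trusts hops from the top, and steps past a deeper hop only when the hop above was received from one of the operator's own MTAs, finds the actual origin instead. The second sample goes one step beyond the text by showing the walk passing through an internal relay hop.

```python
import re
from email import message_from_string

# Constructed sample of what a spamtrap might capture. All names and
# addresses are hypothetical (RFC 5737 documentation ranges):
#   192.0.2.10     the innocent server that appears in a forged header
#   198.51.100.77  the host that really connected to the trap's MX
# Only the top Received line was written by the trap's own MTA; the
# sender supplied the one below it as part of the message data.
SAMPLE_FORGED = """\
Received: from mail.example.net (unknown [198.51.100.77])
\tby trap.example.org (Postfix) with ESMTP id 0000000001
\tfor <trap@example.org>; Mon, 21 Nov 2005 10:00:00 -0800
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 0000000002;
\tMon, 21 Nov 2005 09:59:00 -0800
From: user@example.net
Subject: constructed sample

body
"""

# Second constructed sample: the trap's edge MX (203.0.113.5, hypothetical)
# relays inward to the box that stores mail, so the real origin is two
# hops down and the walk has to step past one of our own hops to reach it.
SAMPLE_RELAYED = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby store.example.org (Postfix) with ESMTP id 0000000003;
\tMon, 21 Nov 2005 10:00:01 -0800
Received: from mail.example.net (unknown [198.51.100.77])
\tby mx.example.org (Postfix) with ESMTP id 0000000004;
\tMon, 21 Nov 2005 10:00:00 -0800
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 0000000005;
\tMon, 21 Nov 2005 09:59:00 -0800
From: user@example.net
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the Received headers newest-first as dicts holding the peer
    IP the receiving MTA recorded in brackets and the 'by' host it names."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ip = IPV4.search(flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops


def all_recorded_ips(hops):
    """What a lister that trusts every header sees: every IP, forged or not."""
    return {h["from_ip"] for h in hops if h["from_ip"]}


def origin_ip(hops, trusted_ips):
    """Walk the chain from the top. hops[0] was written by the MTA that
    stored the message, so the peer IP it recorded comes from the actual
    TCP connection. Each deeper hop is believed only if the hop above it
    was received from one of our own MTAs (matched by that recorded peer
    IP, never by the forgeable 'by' name). The first peer IP outside
    trusted_ips is the origin; everything below it is the sender's claim."""
    origin = None
    for hop in hops:
        origin = hop["from_ip"]
        if origin not in trusted_ips:
            break
    return origin


def implicated_only_by_forged_headers(raw_message, trusted_ips, suspect_ip):
    """True when suspect_ip shows up in the headers but is not the origin
    the trusted hops establish, i.e. listing it would rest on forgeable data."""
    hops = received_hops(raw_message)
    return (suspect_ip in all_recorded_ips(hops)
            and origin_ip(hops, trusted_ips) != suspect_ip)


if __name__ == "__main__":
    for label, raw, trusted in (("forged", SAMPLE_FORGED, set()),
                                ("relayed", SAMPLE_RELAYED, {"203.0.113.5"})):
        hops = received_hops(raw)
        print(label, "naive:", sorted(all_recorded_ips(hops)),
              "origin:", origin_ip(hops, trusted))
```

Matching the trusted hops by the recorded peer IP rather than by the 'by' hostname matters: a sender can write "by trap.example.org" into a forged line as easily as anything else, but cannot make the trap's own MTA record a peer address it did not connect from. The same walk is what a site accused of relaying should ask the lister to show, since without the topmost hop there is no way to tell a genuine relay from a forgery.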