
Re: spamcop



On Thursday 28 September 2006 01:44, Kamaraju Kusumanchi wrote:
> On Wednesday 20 September 2006 08:21, John Kelly wrote:
> > For the second time in the past few days, spamcop has listed
> > murphy.debian.org.  That's it.  I'm done with spamcop!
>
> If murphy is sending spamtraps, it deserves to be listed. period.
>
If murphy is sending to spamtraps, then yes that does need to be fixed.  
However if the cause is an occasional misdirected subscription 
confirmation, then this isn't easy.  Even spamcop says "Occasionally, 
confirmation requests are misdirected, usually due to innocent typing 
errors. If one receives a single misdirected confirmation message, do not 
report it as spam."  (http://www.spamcop.net/fom-serve/cache/125.html).

However apparently the problem is users reporting list emails to spamcop.  
(see http://lists.debian.org/debian-user/2006/09/msg02125.html, and the 
email from listmaster@d.o that I'll quote below.)  Even spamcop says don't 
do that.

  Spam sent to mailing lists 
  No matter how hard list managers try, spammers find a way to inject spam   
  to the list (sometimes even going so far as to subscribe to the list 
  first). This results in all list members receiving the spam. 
  List servers often show themselves as the source of the mail sent to it, 
  not the originating user's IP address. Spam sent to mail lists/groups must 
  not be reported using SpamCop except by the list owner. Subscribers may 
  send a note to the list owner who can block the source from sending to the 
  list or take responsibility for reporting the spam themselves.
(http://www.spamcop.net/fom-serve/cache/14.html).

Spamcop assumes that its users get it right.  A well written example of just 
what can happen when a spamcop user gets it wrong is  
  http://catless.ncl.ac.uk/Risks/22.19.html#subj7
  http://catless.ncl.ac.uk/Risks/22.21.html#subj4

> If it is not spamcop, there are tons of other DNSBLs which will happily
> list it in the due course. Since spamcop is very very aggressive, you are
> seeing the effect first in spamcop and not in other DNSBLs.
>
> Why not just whitelist murphy by yourself?

My ISP has been using mandatory blocking based on spamcop and cbl.  This 
global blacklist overrides user whitelists, and cannot be disabled.  I lost 
approx. 500 emails from debian.org last week.  (They have indicated that 
they will make changes, but as yet I don't know what those changes will 
be.)

I emailed listmaster@d.o some questions about the spamcop/debian 
relationship.  I'll paste sections of the reply below. 

[Pascal Hakim <pasc@debian.org>]
> Feel free to quote my replies somewhere public if you wish them to be.
>
> > Murphy.d.o has been listed on spamcop 6 times in the last 4 months.  Is
> > debian actually notified of these listings by spamcop?  
>
> See reply to next question.
>
> > Do they attempt to get in touch and give debian a chance to resolve
> > issues before listing murphy.d.o?
>
> Spamcop normally seems to notify the owner of the IP block rather than
> us. The issue we have is list subscribers reporting mail they have
> received from a list as spam. Spamcop doesn't seem to care that users
> have actually signed up for this list traffic, although they've told us
> in the past that they've "whitelisted" us to some extent. This doesn't
> seem to help a huge amount, as we still get listed for periods of 24
> hours or so here and there. As I understand it, spamcop doesn't do real
> whitelisting, but their software can be taught to "trust" an IP so that
> it will not consider that IP as the source of the spam unless it can't
> find someone else to blame.
>
> Even when they have whitelisted us, they apparently report spam that has
> gone through the list to the IP block owners, which makes any report
> they send rather useless, since some people seem to be automating spam
> reporting to spamcop.
>
> > Do they reply when some-one from debian.org attempts to contact them?
>
> Last time we talked to them (about 3 listings ago), they told us that we
> had been whitelisted.
>
[snip]
> > When contact is made, is sufficient information provided to give debian
> > a reasonable chance of identifying the actual source of the 'spam'
> > and/or disputing the issue?
>
> We usually get to see some of the messages, which are clearly sent to
> list subscribers.
[snip]
>
> > If spamcop doesn't provide a copy of the "spam", do representatives
> > give the impression that they have actually seen and examined the
> > original spam or do they simply assert that their
> > scripts/users/spam-traps are right?
>
> I don't believe humans actually look at a report before the listing is
> created.
>
> > When/if the source is identified, is it
> >   a. misdirected bounces?
> >   b. misdirected auto-responses?
> >   c. some-one blaming debian for spam which was sent to a list?
> >   d. spamcop being fooled by forged email headers?
> >   e. user/reporter error?
> >   f. something else?
>
> The times I've looked at reports, it's always been c.
>  
>
> > Do Debian auto-responders/mailing-lists
> >   a. reject messages at SMTP time?
> >   b. bounce messages afterwards?
> >   c. silently drop messages?
>
> a. and c. depending on how we determine it's spam. We stop a *lot* of
> spam from getting on our lists. Usually around 99.9% or so. The spam on
> the lists is the little that's left.
>
> > Thanks for any info, and for your work on debian.

Andrew V.
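
Added example (not part of the original message, and not SpamCop's code): a sketch of the "trusted IP" attribution the listmaster reply describes, where the blamed source is the first relay in the Received chain that is not trusted, and a trusted relay is blamed only when no other hop is found. The sample message, hostnames and documentation-range addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a list message as seen by a subscriber's mail server.
# Received headers are prepended, so the newest hop comes first.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.subscriber.example with ESMTP; Thu, 28 Sep 2006 02:00:00 +0000
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby lists.example.org with ESMTP; Thu, 28 Sep 2006 01:59:00 +0000
Subject: constructed list message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Return the connecting IP of each Received hop, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        # Only the "from" clause names the connecting host; ignore the "by" part.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_clause)
        if not match:
            continue
        try:
            ips.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address
    return ips


def attribute_source(raw_message, trusted=frozenset()):
    """Blame the first hop that is not trusted.

    Hops below an untrusted relay are never examined, because that relay
    could have forged them. If every hop is trusted, fall back to the
    relay that delivered the message (the newest hop).
    """
    hops = relay_ips(raw_message)
    for ip in hops:
        if ip not in trusted:
            return ip
    return hops[0] if hops else None
```

With no trusted relays the list server itself is blamed for anything a subscriber reports; trusting it moves the blame one hop upstream, and the list server is blamed again only when nothing else is left.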


