Domain: spamcop.net
Stories and comments across the archive that link to spamcop.net.
Comments · 440
-
Re:Don't stop at account deletion.
It would be far more effective if people reported them to spamcop & similar -- a few days without being able to send email would tell them that no means no!
-
SpamCop.net is not Dead
SpamCop is not dead. It is still up and running and the free blocklist is a great part of your anti-spam arsenal. Compare RCVD_IN_BL_SPAMCOP_NET to the other free options using SpamAssassin rule vetting stats and you'll see it's among the top performers. ("S/O" is a measure of relative precision, "SPAM%" is recall.)
Unlike the other DNSBLs, SpamCop also reports spam back to the networks that sent it (with filters to deal with spammer-friendly and negligent network operators, either of which might ignore or even pass on the heads-up to spammers rather than disciplining them).
In particular, SpamCop did well against this Necurs attack but it does not fare as well against hailstorm/snowshoe spam attacks (which IP reputation doesn't help combat). IP-based DNSBLs aren't anywhere near as effective today as they were ten years ago, but they're still quite worthwhile. That said, you're right in that the best ones cost money.
I feel happy, oh so happy. I don't want to go on the cart.
-
Fun/Sad Facts
Did you know that, as well as openDNS, Cisco has acquired and virtually abandoned:
SpamCop.net - 2007
Snort - 2013
ClamAV - 2013
All great projects when Cisco bought them and now circling the drain.
-
Re:Because they don't want to.
The meat of the idea relates to --- and using Spamcop. They have working techniques of tracing email to its origin and to determine if the header of the message is forged. In short, if the origin & header is good, the email is good. There is also a need to check to see if some systems are open-relays, and just ignoring all email from that IP address.
(oh joy... watch now as people ignore the "in short" part of the comment and jump on the "these are the problems" band wagon....)
And related ... there should be the ability for me to restrict where my email is accessed to/from and where it was sent from. I'm not going to Russia -- so why can't I block all access to my account from Russia?
-
Re:I am a spamcop user and didn't get that e-mail.
I am also a SpamCop user - have three accounts with them. All three got the email. You are quite correct that there's nothing on the web site, but this doesn't astonish me as the email service has been running on autopilot for a few years now. Note that the blocklist and reporting system are now owned by Cisco, but the email service was not part of the purchase and has been increasingly unreliable. There is discussion on the SpamCop user forum at http://forum.spamcop.net/forum...
I moved my main personal account to Gmail quite a while ago. The other two accounts will also move to Gmail. It was nice while it lasted.
-
Be careful with unsubscribe links!
Hi. I'm in the anti-spam business. You got lucky.
A lot of spammers use fake unsubscribe links as a way of verifying your address and the fact that you read the message. Some questionable businesses have verification elements to their unsubscribe links that will note the fact that you visited the site but then due to a bug fail to process your unsubscribe attempt (thus netting the same effect).
I will sometimes unsubscribe from things, but that's because I want to see how successful it was (and I can deal with the trouble caused by attracting more spam). I do not suggest this for others. Use sites like myWOT to research the link before trusting it enough to follow it and perform the request. Use sites like SpamCop and KnujOn (and, if you're in France, Signal Spam, which has legal enforcement power) to report anything else as spam. All of those reporting agencies are tied to actual enforcement (in some way; KnujOn busts registrars, SpamCop informs network operators (and builds its blocklist), Signal Spam prosecutes if in France).
-
Re:Affect on spam?
Doesn't seem to be much of a difference according to Spamcop stats. For all the hullabaloo, whatever spammer lives at Cyberbunker doesn't seem to be a very big player.
-
This conflicts with what I see (I do anti-spam)
I only see one publicly visible spam volume graph supporting this claim: SpamHaus CBL (look at the "Last quarter" graph).
SpamCop and SenderBase suggest the overall trend is still down, though I'm not convinced this is related to Grum -- it appears Grum just wasn't as major a player as people thought.
The other graphs I have bookmarked, from McAfee (click the "Historic Data" tab) and Symantec, are inconclusive.
-
Re:Said it before and I'll say it again ...
Why would you want to remove ads? Genuine Rolex watches for only $99! They are what support the development of (Refinance today!) new applications for your benefit. Just like you can benefit from a bigger penis! I don't find it (THIS IS NOT ANNOYING!) annoying at all.
-
Re:Who cares
this is essentially a big game of whack a mole
The last couple of times a story like this was posted, I went straight to SpamCop's statistics for corroboration. You're right: the touted decrease in spam is real, but temporary. However, the yearly chart does seem to show a downward trend.
-
Some charts supporting this
(alphabetically)
SANS Internet Storm Center (I can't get the graph working, ymmv)
SenderBase
SpamCop (a feed to SenderBase)
Symantec
ThreatPost (TFA)
Websense Monthly reports (December not yet available, Websense is TFA's source)
An observation: spammers celebrate holidays too; it's hard to recover from a series of shutdowns while dealing with family affairs. I hope their holidays were joyful and full of lasting distractions...
-
some good DNSBLs
I recommend Spamhaus XBL and Spamcop Blocking List.
Spamcop used to have problems, but I think they resolved them a couple years ago.
Back when http://stats.dnsbl.com/ was operational I used their data to give me a quick leg up on figuring out which lists to look at. Then I checked out the lists for how they operate and then did a performance analysis.
Aside from policy/operation, two things that were particularly important to me were false positives and overlap. These lists get very low false positives and they combine nicely.
Old stats:
-
No decrease volume of spam.
Unlike the takedown of McColo, I see no decrease of volume of spam at all. In fact, since April 2009, my spam level has gone back to, and within the last week above, the level of spam from before McColo, and my mail server statistics follow Spamcop.net statistics.
http://www.spamcop.net/spamgraph.shtml?spamyear
IMHO, the botnet masters have dispersed themselves to multiple locations around the world so now taking down an ISP will not affect them like McColo. On my mail server, most of my spam comes from Central and South American IP addresses and I think those systems are controlled by some bot master somewhere else.
However, IMHO, creating and hosting child porn is punishable by torture like waterboarding or worse. Dying is too good for those people.
-
Report it and help facilitate action on reports
If a major player, usually seen as a freemail provider like google or yahoo, but certainly also any large corporation or government agency, were to simply start reporting their spam, the problem would go away.
Beef up and aid services like KnujOn and SpamCop and remove the ease of sending spam and (more importantly) the profitability. But that only goes so far -- it nails the pseudo-legit spammers, but it only slightly hampers the straight-up criminal ones (while eliminating their competition).
The next step is escalation; like Blue Security, create a do-not-email list (using hashed emails for privacy) and then after a lack of response from SpamCop's reports, utilize the opt-out requirement of the CAN-SPAM law to essentially flood the spammer with unsubscribe requests. I've detailed this proposal, along with how to decentralize it to make it immune to the DDoS that stopped Blue Software, on my website at http://khopesh.com/wiki/Ending_spam
-
Report the spammers
and have their sites taken down. As long as hosting providers are allowed to harbour spammers (yes, USA, I look at you), and nobody gives a big F, visitors and site owners pay the price.
Filtering DOES NOT work. Did it stop email spam? No, see: spam year. What did? Kicking McColo off the Internet. And McColo is not alone in providing services to spammers (Netvision.net.il I look at you).
-
Re:What went wrong here?
Before you talk more out of your ass, look at what happened when ONE (1) USA based ISP/hosting provider was taken down in November: SpamCop (year)
-
Very interesting; this bypasses my auto-banning fw
I use Fail2ban on all of my iptables-based SSH servers, as it eliminates the possibility of brute-force attacks from single IPs (fail2ban will ban any IP with five failed ssh logins in a ten minute period. The ban vanishes after ten minutes).
However, this new botnet attack distributes the attack over the IP-space and time. That bypasses fail2ban!
The only solution I can see to this would be to take an approach similar to the centralized spam-fighting solutions; a DNSBL specialized for brute-force botnets. You run something that monitors your logs for failed logins (with a large scope for time, say ten failed attempts in a month). When an IP triggers it, you block that IP for a month and report it to the DNSBL. The DNSBL operates like Spamcop, trying to verify the nature of the IP (and trying to address the issue), then adding it to the blocklist. Anything listed on a DNSBL gets permanently blocked after one failed authentication, and if your internal list grows too big, any positive IP gets blocked before the login attempt.
-
Re:Whatever you believe...
The one month graph gives a good feel for perspective, which is really fucking impressive to me. One colo was responsible for THAT MUCH botnet generated spam traffic? Wow.
-
Whatever you believe...
I think we're all quite happy that the bastards are staying cockpunched after getting cockpunched by the takedown.
-
Ding dong the witch is dead...
Today I saw a drop in the spam I'm getting in line with what spamcop is seeing:
http://www.spamcop.net/spamgraph.shtml?spamweek
Normally I get a daily spike of spam around midnight that stays until 2PM then stays low until midnight and the cycle starts again. This has been happening to my mail server since February 2008.
I'll see how long this lull in spam will be and I hope for a long, long time. My mail server needs a break from this crap.
I wish they would find these female donkey anal orifices and send them to some gulag or other torture place for a long, long time. Killing or dying for these people is too good for them.
-
Re:Spamcop shows a big dip..
The 24h view has almost scrolled it away. The 1 week view shows it better.
On a more disheartening note... "Hooray, we've beaten them back to where they were this January"
-
Re:Spamcop shows a big dip..
More importantly: http://www.spamcop.net/spamgraph.shtml?spamweek
This shows the difference between today and the rest of the last week. The month version looks largely the same... Spikes every day until today, which is low.
-
You can see the tremendous drop for yourself
http://www.spamcop.net/spamgraph.shtml?spamweek
Look at Tuesday's sharp drop off coinciding with the shut down.
-
Spamcop shows a big dip..
This shows a dramatic reduction in spam as of yesterday 4PM EST.
Will be interesting to watch it climb back up....
-
Re:advice on marketing ... from spammers?
The spammer technique demonstrated in the parent post is called "listwashing": get the complainers off their spam lists so they can continue to spam everyone else.
Also note that her mention of a "no email list" is an implicit admission that they send unsolicited bulk email (i.e. spam): if they only sent email to subscribers, they would not need any kind of suppression list.
So, if parent post is legitimately from O'Reilly (which is not certain), then it's a double confirmation that they are spammers.
-
Re:Opt out of Direct Mail
It is obvious that nobody trusts them to give their e-mail address, you can't blame people for not giving their mail to some organised spammers who _insist_ on spamming them even in age of very powerful anti spam filters.
$1 to organised spam providers via check? Let them offer credit card too. Did you really apply for that service?
My solution is better, free: http://www.spamcop.net/ . It is not some good guy they can easily threaten with lawsuits anymore, it is CISCO. Let them just try.
-
Re:Are you sure?
quite a long time ago. see SpamCop for a current version. I'm sure historical data is available in the forums.
-
May 10, 2008: The day Slashdot died.
Once again, Twitter, Slashdot's most maniacal anti-Microsoft troll, beats on the truthout.org dead horse. Of course, Twitter and Marc Ash are cut from the same cloth. They both believe that they are so noble, and their causes so righteous, that they can freely stoop to any depth, and engage in whatever underhanded behaviour they please.
Marc Ash was caught spamming totally unrelated Yahoo! Groups by joining and blasting emails through group addresses.
Twitter threadjacks a story, then shills his comment with three of his army of sockpuppets, including two accounts that are impostors of his critics.
And Slashdot does nothing.
Instead, Rob Malda posts this gem to the front page, claiming that Microsoft "prefers" Flash to Silverlight because Microsoft doesn't have some super-special-secret transmogrifier that could spontaneously transform each and every Flash animation on each and every web site Microsoft owns into Silverlight content, and didn't use it the very minute Silverlight 1.0 was released to the public.
Slashdot has turned reason and common sense and honesty against its own readers.
Delete your bookmarks, people. Redirect slashdot.org to 127.0.0.1 in your hosts file, in case you get the urge to go back. There's no point.
There are plenty of places where advocacy of Free and Open Source software is done without the community being exploited. Slashdot is no longer one of those places. Their hatred of Microsoft has become all-consuming, and they're proud of it. Time to leave them shouting into empty space.
-
Re:Take their license away?
When it comes to internet analogies, you must use either "tubes", "trucks" or "clowns" - not cars.
=Smidge=
-
Re:That's a switch
>They've done something similar to SpamCop, asking to have the use of the word referring to junk email use only lower case "s".
And we still spell it SpamCop:
http://www.spamcop.net/
-
0 spam
I literally get 0 spam in my inbox. The only spam I ever get is from businesses that I have a "relationship" for (ie., created an account on their site, said no thanks to junk, but got it anyway). Easy enough to block them since each site gets their own alias.jan-1-2007@mydomain.com that I can filter later on and never bother to "unsubscribe."
I use sendmail with greylisting as my frontline defense, then dul.dnsbl.sorbs.net, sbl-xbl.spamhaus.org, list.dsbl.org, and lastly bl.spamcop.net. Thunderbird is great at picking up all the stupid "business relationship" junk based on the servers spamassassin's markings (but I don't have spamassassin dropping anything, just marking it up), but mostly just gets in the way of me permanently rejecting their mail (just a few a month ever come in).
I found many of the sendmail configuration lines from http://www.sdsc.edu/~jeff/spam/Sendmail.html if you'd like to give it a try.
4 days worth of spam filtering shows the following were blocked (this is just for my little list of personal domains, mind you):
# grep -c sorbs /var/log/maillog
16048
# grep -c spamhaus /var/log/maillog
13246
# grep -c dsbl.org /var/log/maillog
230
# grep -c spamcop.net /var/log/maillog
897
Combined spam blocked (each file is 7 days worth of spam count, except the top one which is only 4 days):
# grep -cF $'sorbs\nspamhaus\ndsbl.org\nspamcop.net' /var/log/maillog*
/var/log/maillog:30486
/var/log/maillog.1:43508
/var/log/maillog.2:41687
/var/log/maillog.3:36868
/var/log/maillog.4:35687
-
Re:Who's gonna pay for that?
-
dnsbl's + other means for spam abatement to use
here's the bl's that i am using with sendmail that would go into your siteconfig.mc file -- that through trial and error -- i have found have zero false positive hit rate... n.b. that the XXX.r.mail-abuse.com (RBL) & XXX.q.mail-abuse.com (QIL) bl's require that you have a subscription to Trend Micro Advanced Email Reputation Services at http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html -- you can get a free trial at https://nssg.trendmicro.com/download/trial/trial-services.php?id=66 -- make sure you select "Email Reputation Services, Advanced". you would then replace the "XXX" in the below with the activation code they would send you:
FEATURE(dnsbl, `XXX.r.mail-abuse.com.', `"550 Mail from " $&{client_addr} " BLOCKED/RBL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org.', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
FEATURE(dnsbl, `bhnc.njabl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/BHNC; see http://www.njabl.org/lookup?" $&{client_addr}')
FEATURE(dnsbl, `bl.spamcop.net.', `"550 Mail from " $&{client_addr} " BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/DSBL; see http://www.dsbl.org/listing?" $&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DSN; MX of domain dose not accept bounces in violation of RFC 821/2505/2821, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(rhsbl, `bogusmx.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/BMX; MX of domain contains bogus address information in violation of RFC 1035/3330, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(dnsbl, `XXX.q.mail-abuse.com.', `"450 Mail from " $&{client_addr} " BLOCKED/QIL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `safe.dnsbl.sorbs.net.', `"450 Mail from " $&{client_addr} " BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?" $&{client_addr}')
i also use the http://hcpnet.free.fr/milter-greylist greylisting package as well as spamassassin with some custom score tweaks available at http://iconia.com/user_prefs. all this keeps my mailbox as well as other users at a college radio station and a commercial asp with lots of public email addresses on their respective websites relatively spam free.
respectfully submitted,
geoff goodfellow
-
Re:FTFA
Right after the OCR talk started to lead them (antispam people) in some common/working solutions, spammers began to use anti-OCR systems. I made a friend working at a big newspaper test the anti OCR measures via some very expensive professional OCR software, he said it failed to read anything meaningful.
That was the day OCR as antispam became real irrelevant for me. They also figured resolution filters are coming, they immediately started to randomise gif resolutions by 1-5 pixels. There goes that method too.
About the images? I bet there are millions of "fw:fw:fw:look, funny!!!!!" messages around just having a single image. Yes, even at flickr/imageshack ages. They now drag Flickr images to mail window and send it like that.
For some people, they are "messages from their friends" and they will go nuts if they figure out that actual junk was filtered as spam. Of course, lets not go too harsh, there could be people trading family photos like that and that 12 kb jpeg becomes really precious.
I suggest the long term but real solutions: http://www.spamcop.net/ (for mail) and http://www.projecthoneypot.org/ (for web/blogs). I even started to CC: my Microsoft Pirated software spam to piracy@Microsoft, let the evil care about evil.
-
Your real problem is the backscatter
As others have pointed out, everyone knows that spammers forge the From: header, so your domain would not be blocked except by the dumbest of mail admins.
Your real problem is the backscatter (those 1000 bounce messages you get per day). My solution follows:
I still have all of my mail logs since time immemorial, so I wrote a script to parse out all of the From email addresses in outgoing email and made a list. Going forward, each outgoing email from my server gets its From address added to that list.
In other words, I have a list of every possible From address ever used to send email from any of my domains (and the domains of the folks I host because they were jealous of my spam filtering).
Part of incoming email processing is a rule that if your envelope sender is <> (that is the envelope sender for bounce messages), and the envelope recipient is not on that magic list of my outgoing senders, then the message must be blowback, and you get an SMTP rejection code and a message that explains why your email was backscatter and to please fix your server.
Before you respond and say, "What about email addresses that you put in webforms? Hello!" Remember, I only apply this rule to envelope sender <>. If you're bouncing email to an address that has never been used to send email, then you are sending blowback.
A desperate plea to mail admins out there: For the love of all things holy, stop sending delayed bounces! When you reject a message, reject it during the SMTP session! Do you have any idea how much pain you are causing others? More information here.
-
Re:Request
-
Blacklists are (nearly) useless.
Breakdown of a single day at one of my servers:
91 Relay access denied
135 http://www.spamhaus.org/SBL/sbl.lasso?
2306 http://www.spamcop.net/bl.shtml?
4364 greylist expired
6007 Sender address rejected
41144 Helo command rejected
117479 Recipient address rejected
As you can see, the most common hit is trawling for valid names. Second most common hit is people claiming to be the domain they're sending to. We've got postfix set to say 'F off' to any machine that lies in HELO, fails to use a FQDN or a ton of other mistakes.
After that, we've got the 400 series errors of cannot lookup sender addresses, followed by greylisting expirations, and finally, the two RBLs actually used on this machine, and finally open relay probes.
What's not listed is the multiplicative effect of HELO and greylisting blocking, and that's pretty hard to determine. Someone will have to honeypot that one to get some numbers, but a HELO block stops a host from sending ANY spam to you. How many mailadmins out there see their (decently populated) servers only get a single email when a spamrun is in progress? Exactly. Same with greylisting. Spammers consider any error a permanent fail (for that run) because it's more time-efficient to just go on to the next email than to keep a retry queue. Since they never try to send the same email again, they never get through the greylist (since it's based on host:sender:recipient tuples).
On my personal server, I don't even use RBLs anymore, they are too prone to false-positives for the tiny amount of spam they do catch. And politically, while vengeance and retribution seems like a cunning plan, in reality the only people who ever suffer are the collateral damage. Deep-pocket ISPs with 2-3 year downstream contracts and painful early termination clauses keep a lot of collateral damage from being able to vote with their wallet. Plus, thanks to ARIN's inability to move forward with IPv6 in a reasonable fashion, or give portable netblocks to people, moving is exceptionally painful for basically everyone except the largest players (who are not generally collateral damage). The big losers here are the joejob victims who get blacklisted, small businesses who lose contracts due to having their email blocked, medium businesses and small ISPs who have to play whack-a-mole on customer servers trying to find the exploit-of-the-week that allows formmail/mail relay/postmaster bounce spam. The winners are big fat companies like MCI, since they get spammer business, and lock their non-spamming customers into contracts that don't let them move when their service is impaired. (Nobody considers being on a blacklist grounds for early termination, or even downtime. OBVIOUSLY you did something wrong to get on it.) And of course, dedicated mail-hosts who are the last resort when you're locked into listed netblocks.
Of the winners and losers, who do you see posting to NANAE? What sides do they take on the RBL issue? Isn't it interesting to follow the money?
-
Re:I don't know who..
Unfortunately, you may not receive the spam, but it's still sent.
That may not be entirely true, depending on where and how the filtering is done. If you're using qmail and its rblsmtpd, an SMTP session from an RBL-listed host gets cut off with a 451 before the sender starts sending the message. The exchange looks something like this:
220 alfter.us ESMTP
HELO spammer.com
250 alfter.us
MAIL FROM: spammer@spammer.com
250 ok
RCPT TO: me@alfter.us
451 Blocked - see http://www.spamcop.net/bl.shtml?65.54.195.216
After that, the connection is closed. The spammer hasn't had a chance to start sending yet. It's still using some CPU time and a small amount of bandwidth, but not nearly as much as with an anti-spam countermeasure that acts on the message only after it's been received in full (like anti-spam software on your desktop).
-
Re:Not noticing the increase
Blacklists, my friend. Here's my current list:
rsync-mirrors.uceprotect.net : Level 2 - Fast local blocking
combined.njabl.org - For dynamic IPs and other
dnsbl.sorbs.net - For open relays
relays.ordb.org - For open relays
list.dsbl.org - Various types of Unsecured servers
dnsbl.tqmcube.com - dynamic IPs, spam trap
bl.spamcop.net - Spam trap
sbl-xbl.spamhaus.org - Known spammers, exploited servers
l2.spews.dnsbl.sorbs.net - Spam friendly ISPs
dnsbl.ahbl.org - Realtime composite
About four of those are composites, and contain blocks for dynamic IPs. Each link goes to the usage page for the blacklist, and if you want, you can just block dynamic IPs by using the correct subdomain.
-
Re:The bigger question
If a company is sending spam why isn't the ISP for that company shutting them down? Isn't it against the AUP of most providers or at least the big carriers?
Two words: "pink contract".
-
Re:Spamhaus does a lot of ignoring
"For example when you tell them that they blacklisted your IP address and you can vouch that you don't spam, but they won't do anything because you belong to a /16 where somewhere somebody is spamming."
It also means you share the same ISP who doesn't give a f to security, spam reports from naive people who think it will mean something and spare their precious time.
The only thing to make that ISP/IP provider take care is: Move to another ISP which cares about security and quality of customers.
You will figure what I mean by checking this:
http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
"Worst /16 blocks based on total spam count"
That is not some static thing, it is almost realtime. I am still sure about what you will see there. It never changed past 5 years except addition of zero administrated Poland IP monopoly which is owned by Orange to that list.
So, CNData guys (current mega spammer) are blocked likely by Spamhaus and Spamcop, good riddance. Let them close their God damn open proxy ports and freaking port 135!
CNData IP owners are damaged? Lets say, you hang out with some mafia types as a good citizen and whatever happens, police picks you along with them too. Can you blame the police? Or you should take care about your relations?
Am I harsh? Apologies, I am still reporting spam, even sparing my money and time, I see NOTHING being done, NOTHING AT ALL. Those people are sharing the money with those mobs, I am not american and I don't have to be politically correct all times. Those people don't manage their system ON PURPOSE. If you are a customer and affected? Find a better managed ISP next time.
I hope Spamhaus also starts a legal fund just like Spamcop. Next time those crooks sue them, they shouldn't just ignore the order, they should sue back with some über evil lawyers and take to their pants including the moron judge losing his/her job!
-
Re:Jailing spammers
I really see no point in jailing spammers. Sure, I hate spam, but come on, is it worth spending tens of thousands of dollars a year of public money to house and feed a spammer?
Yes. Jail one spammer and it makes the others take notice. Jail ten spammers, and it makes the others fearful. Jail all spammers, and anyone considering spamming will know they'll end up in jail when they spam. The principle is that of deterrence, which is an essential part of the justice system. Cops clean up the mess after the fact. Judges mete out punishment to those determined to have been guilty. Punishment of the guilty encourages deterrence of potential future offenders.
It would be better to impose monetary penalties, or to take measures to ensure the perpetrators won't spam again. Put them under court supervision.
Why? What reason is there for us to go gentle on what is, and has been for about a decade, a scourge of the net? Since before the Greencard Lawyers, it's been steadily escalating to the point that UCE/UBE is now ca. 65% - 80% of network traffic. Russian mafia are hijacking millions of innocent machines for use in botnets, all to leverage more spam onto us. Spammers send, and we pay for its delivery regardless of its worth to us, and we've no say in the matter?!? No. That bird doesn't fly here. The time for half measures is over, senator.
Jailing a spammer is a waste of money--those tens of thousands of dollars would be better spent on funding technological anti-spam measures.
We've done that. For myself, the spam problem is solved, after years of research and learning how to use the best tools for the job. Still, hundreds of spam land on my ISP account intended for me, only to be immediately sent to /dev/null. Multiply that by the number of customers my ISP has and you begin to see the problem. Multiply that by the number of ISPs there are and you ought to come away reeling. Consider the resources expended the world over by providers just to keep the net at all usable. Many Windows users (poor, pathetic souls) have come to the conclusion that email's no longer usable. That's what spammers have cost us. My ISP is fearful of losing any legitimate email, so they won't drop anything that isn't obviously UCE/UBE, meaning their need for resources just keeps going up, meaning my bill keeps going up. This is hardly something that encourages me to think softly of spammers.
Draft Windows-to-Linux Guide [http://smileystation.com/]
Bookmarked, thanks. :-)
As for any of you ambulance chasers out there who're considering taking this on, I have extensive archives going back over years detailing the problem, including the original spam, reports sent to http://spamcop.net/, procmail logs, and fetchmail logs, all providing a "paper trail" of their activities. I would love for you to make me rich off all this. Ask, and ye shall receive.
-
Re:Shame the article is about Postfix.
I don't use Sendmail because I consider it overly complex.
Please don't get the impression that I'm trying to evangelize you... but Sendmail used to be overly complex. More recent versions are actually pretty good from the configuration perspective, especially if you're using a binary distribution such as a slackpackage or deb package. It's really just a question of changing your sendmail.mc file, and compiling it. Copy to the right location, and restart Sendmail. Poof. It's done.
Enabling a RBL or RHBL in Sendmail is as simple as adding a line to the end of your configuration file:FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked. See: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
Personally... I found that Sendmail was the mail package that "just worked" for me. I tried qmail, PostFix, and a bunch of other ones, and by far, Sendmail with Procmail was the easiest to set up filters and other configuration.
-
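The lookup that the FEATURE line in the Sendmail comment above turns on, as an added example (not the commenter's or Sendmail's own code): the client address is reversed, queried under the zone, and a temporary resolver failure is deferred rather than treated as a listing, which is what the `t` argument requests. The function names, the injected resolver and the sample addresses are assumptions; the IPv6 nibble form goes beyond the comment and follows the general DNSBL convention (RFC 5782).

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"  # zone named in the comment's FEATURE line
MESSAGE = "Spam blocked. See: http://spamcop.net/bl.shtml?"  # text from the comment


def dnsbl_query_name(client_addr, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    ip = ipaddress.ip_address(client_addr)
    reversed_part = ip.reverse_pointer.rsplit(".", 2)[0]  # drop in-addr.arpa / ip6.arpa
    return reversed_part + "." + zone


def dnsbl_verdict(client_addr, resolve=socket.gethostbyname, zone=ZONE):
    """Return (action, detail); `resolve` is injectable so the logic can run offline."""
    name = dnsbl_query_name(client_addr, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            # Resolver trouble, not a listing: defer rather than accept or reject.
            return "tempfail", name
        return "accept", name  # no A record: address is not listed
    if answer.startswith("127."):
        return "reject", MESSAGE + client_addr
    return "accept", name  # an answer outside 127/8 is not a valid listing


def fake_resolver(name):
    """Constructed stand-in for DNS: one listed address, one timeout, rest unlisted."""
    if name == "1.2.0.192." + ZONE:
        return "127.0.0.2"
    if name == "9.2.0.192." + ZONE:
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    raise socket.gaierror(socket.EAI_NONAME, "name not known")


if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.9", "198.51.100.7", "2001:db8::1"):
        print(addr, dnsbl_verdict(addr, resolve=fake_resolver))
```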
spamcop; Re:Say What?
I gather both NameZero and alum.mit.edu are services for redirecting e-mail?
I've found e-mail redirection to be a huge problem with spam reporting when the users reporting spam don't understand how reporting works. In particular, a lot of people out there using spamcop don't set up any Mailhost configurations even when they're forwarding/redirecting mail across domains. This means users end up reporting their own ISPs in cases where that ISP is the last verifiable hop in the Received: headers before the account where users actually read their mail.
Things are much worse with AOL, where there's apparently no provision for customers' letting their system know that e-mail is being redirected to them from somewhere else.
-
Spamcop
I'm a SpamCop user, and I have noticed they've been letting through a bit more recently.
Though, that's a bit offset as of late, due to the fact that I've been getting a lot MORE spam recently as well. I usually find a good 40-50 messages sitting in my held mail after about 8-12 hours.
It's getting better slowly as I report more and more of the stuff that makes it through though.
-
Cry me a river.
I was an Internet postmaster when your mother was still wiping shit off your butt.
Sure you were.
You see how confused you are?
No, why don't you explain it?
Double-opt-in (which, by the way, is a SPAMMER term, so who's the spammer here?) is the industry standard for ensuring that a mailing list does not spam.
Let's see, I would say that the spammer was the one of us who was listed by SpamCop.
Oh, you don't like the terms I use? I guess that is too bad for you.
I'm not the one listed by SpamCop, you are.
So, a spambot forges email to a mailing list subscription address from one of your sooper-sekrit spamtraps. My mailing list software sends a confirmation email to your spamtrap, and I'm blocked for 24 hours. Why? For following the industry-standard practice of confirming all subscriptions.
Yep.
Now, the question is ... why is a spammer wasting machine time (that could be used to send spam) subscribing SpamCop spamtrap addresses to your mailing list?
What's the point?
All that will be accomplished is SpamCop learning which spamtraps have been compromised.
So what if your list is blocked for 24 hours by people who haven't read SpamCop's FAQ? That doesn't get more spam out for the spammer. That doesn't get more spam hits. That doesn't do anything for the spammer. Nor does it hurt SpamCop.
Yer an idiot, Khasim.
Maybe, but I'm not the one who is making claims he cannot support. Nor am I the one confused about the process of replying in a thread.
Either you were posting anonymously as that spammer
or
You can't tell which post is the GP or GGP to another post.
Those are the facts and I can substantiate them. In this thread.
You think that spamcop wants people to not use bl.spamcop.net?
It seems you have trouble comprehending basic English, too.
Of course SpamCop would like people to use their blacklists. Maybe you also have trouble reading exactly what they post on their site? Here it is: http://www.spamcop.net/fom-serve/cache/291.html
We recommend that when using any spam filtering method, users be given access to the filtered mail - don't block the mail as documented here, but store it in a separate mailbox. Or tag it and provide users documentation so that they can filter based on the tags in their own MUA. We provide this information only for administrators who cannot use a more subtle approach for whatever reason.
They even tell you not to use it to block email.
I can read that. I can post that. I can understand that.
But you seem to have a problem.
They only tell people NOT to use it for legal cover -- cover that will last about ten seconds -- which is how long the judge will take to give it the good belly laugh that it deserves.
So their FAQ and their repeated instructions in their forums are all part of an elaborate ruse that only you have the intelligence to see through.
Yeah, sure. You're not wrong because even when it is plainly written in black and white and it contradicts you, well, they didn't really mean it. They just wrote that to keep the lawyers away.
They do have a legal defense fund. But I guess you'd find some way of rationalizing that away, too.
I've said in another thread (which you apparently didn't read) that Spamcop is trying to solve the wrong problem.
You've already claimed that their posted instructions (often repeated in their forums) are false. So why should I care to read what you believe they are doing "wrong" in pursuit of their true agenda?
It all comes down to one simple statement:
Either you are the anonymous spammer
or
-
Re:spamcop blows
If you rejected mail during SMTP you would not be sending unsolicited email at all.
Some kinds of backscatter are pretty much impossible to do at SMTP time if you have a reasonably distributed email architecture:
1) "Hi, I'm out of the office. I'll read your mail when I get back tomorrow. If you need something in the meantime, contact Bob."
2) "Hi, we accepted this message earlier, but it looks like the user has gone over quota and we haven't been able to deliver it. You might want to try calling them."
3) "Hi, it looks like you sent mail to foo-subscribe and are trying to subscribe to our foo mailing list. Reply to confirm and activate your subscription."
In normal circumstances, these are really nice messages to get, and guess what? Most people like them and find them valuable, and users demand them!
Sure, these can be a problem if the envelope sender didn't actually send the message, so what's an admin to do? Well, fortunately we have ways to authenticate the sender: SPF and DomainKeys. And you can also check the spam score of the message, and check for bulk or autoresponse headers and so on. These are all things a responsible admin might do in his attempts to satisfy his users and still do the right thing. And SpamCop itself recommends that you check DK/SPF.
But guess what? It won't do you any good, because:
How many sites publish DK/SPF anyhow? Maybe 5% at the most?
That's right, despite their recommendations, SpamCop's own spamtrap addresses do not publish SPF or DomainKeys records. They run a service that complains in a most vociferous way if it ever receives one tiny bit of backscatter, but they won't take even the simplest of steps to prevent it. If any site should publish SPF records, it's a spamtrap! Seriously, how hard is it to publish a freaking SPF record?
So then, you get blocked by various sites that use SpamCop as a blacklist (exactly the way SpamCop tells them to), and the pairs of users involved have no clue what's going on, and you end up trying to get a hold of some remote mailserver admin to explain SpamCop's listing policy to him and convince him that it's a good thing that his customers be able to communicate with people with whom they have business relationships, and he tells you the guy who configured the mail server was a consultant, and he has no idea how the blacklisting works, and he's running Joe'sMailServer 1.0 and wants you to help him fix it, as if you're not already behind on other projects because of this whole situation...
You see? You start off happy and trying to do the right thing by your users and by the world, and SpamCop's retarded policies come in and make you hate your life. Shouldn't email be about helping people communicate instead of walking through the anti-spam crusaders' minefields?
-
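The pre-send checks listed in the backscatter comment above (sender authentication, spam score, bulk and autoresponse headers), combined into one gate as an added example that is not part of the original comment. The function name, the 5.0 threshold and the sample messages are assumptions, and the SPF result and spam score are taken as inputs from upstream filters; the header checks follow the usual auto-responder guidance in RFC 3834.

```python
from email import message_from_string

BULK_PRECEDENCE = {"bulk", "junk", "list"}

def may_autorespond(envelope_from, raw_message, spf_result, spam_score,
                    spam_threshold=5.0):
    """Return (allowed, reason) before sending a vacation, quota or confirm reply.

    spf_result and spam_score are assumed to come from upstream filters.
    """
    msg = message_from_string(raw_message)
    if envelope_from.strip() in ("", "<>"):
        return False, "null envelope sender"
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return False, "bulk precedence"
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "mailing-list headers"
    if spf_result != "pass":
        # Unauthenticated sender: a reply may land on a forged address.
        return False, "SPF " + spf_result
    if spam_score >= spam_threshold:
        return False, "spam score %.1f" % spam_score
    return True, "authenticated, personal mail"

# Constructed sample messages.
PERSONAL = "From: alice@example.org\nSubject: lunch?\n\nAre you free Friday?\n"
AUTOREPLY = ("From: bob@example.org\nAuto-Submitted: auto-replied\n"
             "Subject: Out of office\n\nBack tomorrow.\n")
NEWSLETTER = ("From: news@example.org\nPrecedence: bulk\n"
              "List-Id: <news.example.org>\nSubject: Weekly\n\nHello.\n")

if __name__ == "__main__":
    cases = [
        ("alice@example.org", PERSONAL, "pass", 0.3),
        ("alice@example.org", PERSONAL, "none", 0.3),   # forged or no SPF record
        ("<>", PERSONAL, "pass", 0.3),
        ("bob@example.org", AUTOREPLY, "pass", 0.1),
        ("news@example.org", NEWSLETTER, "pass", 0.0),
        ("alice@example.org", PERSONAL, "pass", 7.2),
    ]
    for sender, raw, spf, score in cases:
        print(sender, spf, score, may_autorespond(sender, raw, spf, score))
```

With this policy a sender whose domain publishes no SPF record gets no automatic reply at all, which is the trade-off the comment complains about.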
There is still spamcop
You can still use the free spamcop service to report spam to.
Spamcop has been around much longer than bluesecurity, it has already weathered many more DoS attacks than bluesecurity, spamcop has been sued a couple of times by spammers (and the spammers lost), spamcop has had its domain name hijacked, and yet it has survived. Granted, part of the reason they survived is because they are now owned by the anti-spam vendor, Ironport who also provides the free senderbase service.
I'm sorry to see bluesecurity go, but there are still other options for people who want to fight spam.
-
Re:Yeah, he's right. (correction)
Never heard of SpamCop?
That's exactly what it's doing, plus checking links in the message to report spamvertised web sites as well.
-
My experiences with email sending..
I work for a financial services company who has clients who are supposed to receive emails from us related to trades. Since I manage our web presence, email deliverability is also my problem.
Here are the places to start:
Free Certification
AOL: http://postmaster.aol.com/whitelist/
Yahoo: http://add.yahoo.com/fast/help/us/mail/cgi_bulkmail
Verizon: http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp
Reporting
Spamcop: http://www.spamcop.net/w3m?action=ispsignupform
Hotmail: http://postmaster.msn.com/snds/
Senderbase: http://www.senderbase.org/
Email Signing
SPF: http://www.openspf.org/
DomainKeys: http://domainkeys.sourceforge.net/
Paid Certification
Bonded Sender: http://www.bondedsender.com/
Habeas: http://www.habeas.com/
Goodmail: http://www.goodmailsystems.com/
A lot of providers outside the US have many of their own rules and regulations to follow, which makes it quite difficult to achieve deliverability. At the end of the day, we try to follow all the rules that have been laid out from existing companies and then deal with individual providers on a needs basis. The more users that use that ISP, the more we are willing to obey their individual rules.
Unfortunately, I see paid certification becoming the way of the future. If I can pay to guarantee to have my clients' email delivered rather than negotiate with ISPs every other week based on their varying criteria, I'm pretty sure my company will pay for it. I don't like it, but results are the bottom line.