[SpamCop-List] Re: Great. Now it's my turn to get blocked.
R. P. McCormick
nobody at spamcop.net
Sat Jan 24 11:02:02 EST 2004
> > You've noted that the IP in question that brought your posting
> > was indeed guilty of causing spam and network abuse.
>
> Nope... The IP wasn't responsible.
>
> A script belonging to one user among many at that IP/machine
> (and therefore that one user) was responsible.
I know you're frustrated/pissed/whatever because an **IP**
address that affects you was listed ... and it is nice that you
have taken the time to describe what caused that IP address
TO be listed.
But from the external perspective ... any in-bound email to
me that is considered spam - the only thing (with emphasis
on the ONLY part) that I can consider in the equation is
the IP address. Nothing else in the SMTP protocol can be
trusted - just the source TCP/IP address that connected to
my server in attempt to relay me spam.
I - like a lot of people - use numerous black lists ...
I choose those lists based on my personal experience
and opinions about them.
I choose the SpamCop list because I think the algorithms
are fair - and that since the system is totally automated,
addresses that are responsible for the source of in-bound
spam tend to be listed quickly.
Neither my SMTP server - nor I - know you, your provider
or even what goes on at the IP address that ended up getting
blocked. All my SMTP server can know, through black list
lookups, is the IP address you were sharing WAS guilty of
sending spam.
Although there are surely a LOT of IP addresses on SpamCop's
black list - it still represents a minuscule amount of the overall
allocated IP address space. But what it DOES represent ...
are addresses that have recently been reported as sending spam;
and the listing is maintained as long as the spew continues.
And at the bottom of your posting was this in regards to
my suggestion:
> > My recommendation: see if a deputy will do something for you,
> > and then take some action on your own to ensure that it won't
> > happen again. (Get your own IP address.)
>
> I have my own IP address. If I'm not mistaken, SC is listing all of the
> IPs on my machine... Thus the unnecessary damage.
This is totally confusing ...
I know this thread is pretty long - I had only read and responded
to your original post - and then later read some of the others.
(And there are a lot more I need to read.)
But my understanding was that there was ONE IP address black listed.
That address was one YOU use - but unfortunately that address was
also used by (shared with) some other third party - who loaded some
script on a server which was abused by spammers ...
That gave me the impression of a system (like a web server) set up with
ONE IP address - and using something like host headers ... sharing
virtual hosts on that same IP address with numerous UNRELATED
people.
If that IS the case - the problem is both yours and your provider's ...
why would you ever share an IP address you use to send mail
with someone else - especially when it's not an SMTP server,
but a system where anyone can load/modify/control code on it?
Not wise.
And as for the provider ... if they want to keep happy customers ...
why would they set up an infrastructure like that? Crazy ...
just asking for the kind of thing you initially described.
But now you say you've got your own IP address ... eh?!
And even more perplexing - that SpamCop has listed ALL
IPs "on your machine"?
Could you kindly elaborate - cite the addresses or reports ...
As you should well know - SpamCop doesn't block address blocks;
it only lists INDIVIDUAL addresses that have been reported
by multiple users multiple times (or addresses that have sent to
spam traps).
> > There is no way in hell that SpamCop can send reports to
> > network admins - and then pause, sit back, wait ... and see
> > if an admin resolves the problem BEFORE SpamCop lists
> > the IP address in its black list.
>
> And.... Why not? A short pause to allow a problem to be fixed
> would be completely reasonable, not to mention a professional
> courtesy, especially considering the sterling record of the host involved.
The professionalism here is ensuring that systems do not get
hacked, infected, taken over, misconfigured, etc. in the first place.
How much time would you like SpamCop to wait before a well
known spamming IP address gets listed?
After SpamCop receives a report from a couple of different users
the address is listed ... and when the first report is generated ...
an email is attempted to the net admins.
An hour? Maybe two?
Let's see: just for numbers to play with ... a typical 1.5 Mbps
connection is capable of easily doing 10,000 messages per hour.
Some US cable broadband connections (now in excess of 3.0 Mbps)
and colo hosting (which are typically burstable to at least Ethernet
speeds) could easily do 100,000 messages per hour.
So out of fairness - how many spams do you think a system
should be allowed to relay before it is black listed?
IMO: ONE.
Sorry ... but each day I get one spam too many ...
> Instantaneously punishing thousands of users based on
> a single script exploit vulnerability created by a single
> user is entirely unreasonable.
So - we've black listed a SINGLE IP address from an
exploited machine - that could generate anywhere between
10,000 and 100,000 spams per hour. The black listing
saves thousands of users from having to receive the
unwanted spew.
> The entire purpose of blacklisting IP ranges is to pressure
> users into pressuring their ISP or host to take action against
> an ongoing spam problem.
Irrelevant. SpamCop does NOT block ranges ...
Other lists may - but not SpamCop.
> The host in question takes immediate action against spammers.
> There are no -- and will be no -- ongoing spam problems involving this host.
OK - so back to my question: how long should SpamCop wait ...
before blacklisting?
I assume in your quote above "host" really means "provider" or "ISP" ...
So someone 14 time zones from you fires up their system ...
and starts to exploit the script. But it is 22:00 at your provider's
location. SpamCop gets a report shortly after the spew starts.
But you are dealing with a small, local provider - who doesn't
have a 24 x 7 x 365 (or 366 this year) abuse desk.
The SpamCop report goes into the SMTP system ... and hopefully
gets delivered to the provider. (Remember, by NORMAL convention
SMTP messages could be held for up to 4 days before being bounced
back to SpamCop as undeliverable.)
Your provider - who will take "immediate" action ... shows up at 09:00,
gets whatever they drink in the morning, and opens up their abuse
mailbox ... which is full of reports.
After taking some time to sift through them ... they start taking
that "immediate" action.
By now - maybe 12 hours have passed ... and the spammer may
have run out of names on their list! Let's say 12 * 25,000 ...
an easy 300,000 spams relayed. (Or worse yet: stuck in the provider's
SMTP server if they were routed through it!)
Or maybe the spew started on a Friday evening ... and the small
provider doesn't handle issues until a Monday morning?
So - how long should SpamCop wait?
> So bl.spamcop.net completely misses the mark in this case, applying
> pressure where no pressure is needed.
Total BS.
The system was made vulnerable. It was exploited. It relayed spam.
> In fact, a listing like this is not only entirely inappropriate,
> it's anti-productive; all it serves to do is to create ill will directed
> at SpamCop and the anti-spam community in general.
IMO - you are directing your frustration at SpamCop ...
when you should be directing it at the individuals responsible
for making the system vulnerable ... as well as your provider,
who provided you with a solution that OTHERS caused YOU
an interruption in your service. And you should also review
your own choices - as there are lots of choices and possibilities
that you could have made that would have never put you in
such a position in the first place.
> It says to all those thousands of collateral victims,
> "We at SpamCop really don't care who we hurt,
> and we're more than happy to indiscriminately list
> innocent users for absolutely no reason."
WTF?
There's NO innocence here. Are you saying that when someone
makes an innocent mistake and allows their system to be compromised,
that it should NOT be black listed? Get out!
Next I suppose that you would say that we shouldn't be
black listing all the hijacked infected systems on the Internet,
just because the people that own them innocently didn't
know how to ensure that their systems were adequately maintained
(with appropriate firewalls and operating system updates).
> While that may or may not be the case, that's the perception that's
> being created... and while perception may not be reality, it certainly
> can make or break an ISP, a host... or a blocklist.
Ain't going to break SpamCop. It did exactly what it should have done:
black listed an IP known to have been the source of spam.
Maybe it will break a provider or user that doesn't know how
to properly keep their systems secure.
> > That delay will only mean that hundreds, thousands, maybe more,
> > will be affected.
>
> That delay will mean that the innocent users at that IP are not punished
> for something they didn't do, and which could have been immediately
> stopped with a simple report to an admin.
Ibid.
As noted above - not all admins are sitting around 24 x 7
to get that notice of impending listing.
In fact - there are surely a lot of cases where SpamCop isn't
even able to alert the responsible party (provider) ...
due to poor or inaccurate records for IP address space
allocation, etc.
Just look at the spamcop.routing group for a taste of that ...
> > As for delisting - the 48-hour delay is *CHEAP* as compared
> > to getting off of some other blacklists! (Where they may charge
> > you $$$ or you may have to beg and wait and wait and wait ...)
>
> The point is that the decision to list was wrong.
Eh?
Well - Julian et al that are "SpamCop" have established what
their rules are for reporting and listing. Those algorithms have
been implemented in software - which help eliminate human
subjective decisions. The rules apply equally to all IP addresses.
And I think you're barking up the wrong tree (sorry for
non-native English speakers for the expression) here ...
by posting something like that in the SpamCop group.
I think the majority of anti-spam folks would agree ...
if an address is spewing it is spammy and should be black listed.
> Where I come from, one takes responsibility for one's screwups
> and attempts to correct the problem in a timely fashion... not just say,
> "There's nothing I can do" -- when there is.
OK - so you fix it. Learn from the experience.
But the algorithm sits: you get caught spamming,
you pay the price. On the SpamCop list ...
the price is 48-hours after the last spam is reported.
And if you are successful - you may receive (in rare cases)
an override by a Deputy.
> > Plead your case to a Deputy ... and see what they'll do ...
>
> I've been told this case has been to Julian himself, and he
> apparently isn't interested in doing anything to correct the problem.
Regarding getting the listing removed prior to the 48-hour expiry,
you have therefore appealed to the highest of authorities ...
you're lucky that you even know who that authority's name is,
and that he is willing to even read/respond (even if it's internally
at SpamCop).
As for problem and correction: there isn't any problem on
SpamCop's side and therefore nothing to correct.
> > > Ya know, there are times when I do consider terminating
> > > my ages-old paid SpamCop membership, and this would
> > > be one of them.
> >
> > This is called churn. We all have reasons why we choose
> > to participate and why we choose to stop participating.
>
> So... Your solution is to ask those who complain about the
> system to leave, rather than fix the system. Interesting...
> but not very productive in the long run.
I'm not asking you or even suggesting you leave ...
My point is that each of us that use SpamCop do so because
we were drawn to do so for whatever personal reason ...
Some are free reporters - others contribute as "members"
in additional support of the cause.
And at times ... new people use the facilities ...
and some stop using them. And always, for their own personal
reasons.
Same thing for the subset of SpamCop users in these newsgroups.
If the SpamCop listing and handling of this issue
you were recently involved with is found to be
distasteful - the decision to stop submitting information
to SpamCop, discussing in these groups or even using
the SpamCop black list on your own mail server ...
is your decision!
> > (As well as the state of spamming.) Honestly, I think getting
> > things on the list faster is more important - with multi-megabit
> > broadband connections, exploited hijacked infected systems,
> > spammers that have large /20 networks with plenty of addresses
> > to spread their spew runs across, etc. ... I think SpamCop is
> > being a bit conservative compared to what may really need
> > to be done.
>
> Conservative...? When the disclaimer from SpamCop itself recommends
> that the blocklist not be used for production? Oy...
Yea - I don't know why half the stuff on SpamCop's web
site is there ... it's a great system - in a horrible wrapper.
But the reality is the system works, and is widely used.
That comment you are referring to - it's been there as
long as I can remember. It's possible it's been there from
day one - when SpamCop was an experimental system.
But as you're well aware, SpamCop has grown ...
now Akamaized ... and looking to expand its black list mirrors.
Possibly one of the largest black lists used on the planet ...
What I was trying to say in my comment ...
about being conservative ... is that I think due to today's
spammer tactics - SpamCop's black listings IMO should
stick around LONGER, e.g., if you get listed - you get to
stay on 72 hours or even longer if receipt by a spam trap.
R P McCormick
SpamCop user
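
Added example, not part of the original post and not SpamCop's own software: a sketch of the blocklist lookup a receiving mail server performs, showing that the verdict depends only on the connecting IP address, so unrelated senders sharing one address get the same answer. The resolver, zone contents, addresses and session fields are constructed so the example runs offline; only the zone name bl.spamcop.net comes from the thread.

```python
import ipaddress

DNSBL_ZONE = "bl.spamcop.net"                      # zone named in the thread
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBLs answer inside this range

def dnsbl_query_name(peer_ip, zone=DNSBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(peer_ip)          # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(peer_ip, resolve, zone=DNSBL_ZONE):
    """resolve(name) returns a list of A-record strings, [] for NXDOMAIN."""
    answers = resolve(dnsbl_query_name(peer_ip, zone))
    # An answer outside 127.0.0.0/8 is not a listing (e.g. a wildcarding resolver).
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in answers)

def smtp_decision(session, resolve):
    """Decide on the TCP peer address alone; HELO and MAIL FROM are
    supplied by the client and are deliberately never consulted."""
    ip = session["peer_ip"]
    if is_listed(ip, resolve):
        return "554 5.7.1 %s listed in %s" % (ip, DNSBL_ZONE)
    return "250 OK"

# Constructed zone data: one listed address from the documentation range.
CONSTRUCTED_ZONE = {"10.2.0.192.bl.spamcop.net": ["127.0.0.2"]}

def constructed_resolve(name):
    # Stand-in for a real DNS A-record query so the example needs no network.
    return CONSTRUCTED_ZONE.get(name, [])

# Constructed sessions: two unrelated senders share 192.0.2.10; a third
# presents the same HELO/MAIL FROM as the second but from an unlisted address.
SESSIONS = [
    {"peer_ip": "192.0.2.10", "helo": "mail.innocent.example",
     "mail_from": "alice@innocent.example"},
    {"peer_ip": "192.0.2.10", "helo": "mx.bank.example",
     "mail_from": "offers@bulk.example"},
    {"peer_ip": "192.0.2.11", "helo": "mx.bank.example",
     "mail_from": "offers@bulk.example"},
]

def run():
    return [smtp_decision(s, constructed_resolve) for s in SESSIONS]

if __name__ == "__main__":
    for s, verdict in zip(SESSIONS, run()):
        print(s["peer_ip"], s["mail_from"], "->", verdict)
```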