[SpamCop-List] Re: Great. Now it's my turn to get blocked.
sheila at spamcop.net
Sun Jan 25 08:51:20 EST 2004
On Sun, 25 Jan 2004 02:16:15 -0800, "Mike Easter" <MikeE at ster.invalid>
wrote in spamcop in article <bv052c$hcr$1 at news.spamcop.net>:
> -1- The discussions here have been taking place about /some/ IP, but
> they have been about some 'theoretical' /munged/ IP, rather than some
> specific and /named/ IP.
> -2- Apparently, the discussions about the /named/ IP took place between
> the admins of the IP and Julian, rather than with a deputy.
Incorrect. First notification took place with a deputy, as did several
follow-ups. Julian was emailed in a cc list that also included deputies
only some time after the original problem was solved (in that the CGI
script causing the problem was found and disabled), with thoughts and
commentary about the general operation of the SCBL as it pertained to this
particular situation with an eye towards future changes and in the frame of
mind of giving constructive feedback. In no way was an appeal made to
Julian in regards to the specifics of this particular matter nor for any
resolution or special handling in this particular matter. We are well aware
that Julian is not much involved with the day-to-day operations of SC.
However, he still determines policy (it seems to me), and so commentary of
the type sent would appropriately also be sent to him.
> when a deputy addresses a /specific/ IP here, s/he examines the evidence
> header to see if an output IP was named because of the parse rather than
> the /actual/ source IP. I don't know that that examination has ever
> taken place.
Indeed it has and did.
> Instead there's been some kind of discussion here about
> how some providers should be treated differently than others, rather
> than how some parses should cause a different IP being listed than has
> -3- There seems to be some confusion over whether the blocking of this
> specific IP has resulted in the blocking of very many IPs or not. That
> would certainly be the condition if an output IP were listed instead of
> a source IP.
Only a single IP address was blocked: The IP address of the server. Because
the spam emails in question were generated by a CGI script on the server,
the email headers contained the server's IP address as the origin of the
email, rather than the individual web site's IP address.
> I find myself wondering if the /actual/ IP in question had been
> discussed here, if it might have been determined by a deputy that an
> output IP was named instead of a source IP because of a premature break
> in the chain by the parse, and the listing 'corrected' for some reason
> other than special treatment of a provider.
The IP address was the source IP (as explained above). There was no parsing
error and therefore no grounds for requesting special treatment by having
the IP address removed from the SCBL, since spam did in fact originate from
the server. I've long since learned not to request special treatment from
SC for actual offenses that did occur. OTOH, SC deputies have been very
helpful in the past in the case of actual errors on either the part of the
SC parser or on the part of end users submitting improper reports.
> Julian's response to the
> special treatment issue would be negative; a deputy's response to a
> parse error would be positive. Talking about hypothetical IP/s is a big
> waste of time.
As noted by Larry, for solving this particular problem, discussing without
specifics is a waste of time. (BTW, the IP dropped off the SCBL late
yesterday afternoon, so it is now moot.) However, I think Bob W. is
interested in general policy and future changes (if I read his posts here
correctly), not simply in this particular situation.
It has been suggested in this discussion that some ISPs/hosts (whitehats)
might receive special treatment in not being blacklisted right off the bat,
but given a chance to correct the problem first. Since I've poked my head
into this discussion, I want to make it clear that that is certainly not my
position or request (I am not sure what my employer would think on that
one, as I've not asked--but on Abuse Desk issues they most often take my
recommendations). However, if spam *IS* in fact coming from our system, I
have no problem with it being listed (although we would prefer not to be
listed, there is certainly something not right if spam is coming from our
servers...we have no room to plead otherwise until the problem is
What was disturbing about this particular case was that shortly after 10
PM ET on a Thursday night the SCBL listed our IP address due to a SC
spamtrap, but sent us no notification (since the source was a spamtrap),
and we did not learn of the problem until 1 PM ET the next day via a
complaint from a customer that an intended recipient of an email they sent
had the mail bounced back due to SCBL use. That was 15 additional hours
during which the spammer was able to continue sending spam, where had we
been notified, it could have been stopped sooner.