[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: Great. Now it's my turn to get blocked.

Don Wannit nobody at spamcop.net
Sun Jan 25 15:36:41 EST 2004 

Michael Lefevre wrote:

> Mike Easter wrote:
> 
>>I have several 'problems' with the result of spamtrap parses creating a
>>SCbl listing.  One of them is that the effect is based on 'autopilot'
>>which /assumes/ several things which are not appropriately assumable,
>>namely that the parse is *correct*.  Ideally, a 'normal' parse and
>>report would be overseen by a 'competent' human who would recognize a
>>parse error or premature chain breakage and cancel.  This is not the
>>case for the spamtrap hit.
> 
> 
> For the spamtrap headers I've seen, I would think it's quite unlikely that
> a parse could go wrong. If it does, it's the person running the spamtrap
> that has the problem.  I don't think that particular issue is likely to be
> a problem.


I have two big worries about automated processing of mail received
at spamtrap addresses:

1 - The header parsing can and does make mistakes.  One of my
     hosts was a victim of a parsing error last year when the
     rDNS lookup timed out because of high system load (the
     infamous "Molasses Meltdown"). That rDNS lookup failure
     caused the parse to bail and blame my IP. This is another
     reason for a human to vet a purported spamtrap report.

2 - If a spamtrap address is available to be harvested by a
     'bot, then it can be gleaned by a human.  For example, the
     rotating spamtrap addresses that appear and change from time
     to time on the various SpamCop web pages.  A malicious
     person could grab one of those, and subscribe it to a
     mailing list somewhere.

     That well-run mailing list will of course send a subscription
     confirmation message with some sort of unique key ("double
     opt-in", "confirmed opt-in", "closed-loop opt-in", whatever
     you want to call it).

     When that mailing list sends the confirmation email to the
     spamtrap address, it must not get listed automatically!
     It's doing exactly what we want (and demand) the mailing
     list signup process to do. Innocent mail sent to a spamtrap
     address needs to be filtered out, and that may require human
     action.


-- 
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999

More information about the SpamCop-List mailing list