SpamCop, blacklists, and policy
Today one of GeekISP’s mail servers was listed in the SpamCop blacklist for hitting a spam trap. I learned quickly that for all SpamCop has done for good, it can be a huge problem as well.
For those not familiar with SpamCop, they are an anti-spam web service dating to around 1998. They offer several services including filtered email, spam reporting, and a blacklist. Their spam reporting service allows several different techniques to identify spammers; the one of interest to me today is the ‘spamtrap’.
A spamtrap is an email address that is never actually used. It is posted on Usenet or on web sites as bait to lure the spammer to send it an email, at which point you can say “aha, got ya!” SpamCop maintains that extreme secrecy is needed to protect these spamtrap addresses, lest they become useless. If you are the unlucky administrator of a site that hits a trap, you’re quickly added to the aforementioned blacklist until either a) more reports come in, which means get comfy where you are, or b) the 24-hour waiting period passes, and you’re released.
As a result of the secrecy, the ordinary “this message was reported as spam” reports are not provided when you hit a spam trap. This leaves the well-meaning administrator with no real recourse to take other than to beg the SC deputies for a morsel of information by which to track down the problem. [Aside: apparently at one point, these reports were sent out. Then spammers used them to detect spam traps and work around them. Instead of saying “oh gee this doesn’t really work”, the SC people decided to use secrecy as a means of fighting spam, and thereby create more problems than they actually were solving.]
With the playing field laid out, I believe that one of my customers’ TMDA challenges has sent a challenge to a spam trap. I don’t really know for sure, but this type of message is one of the very few types of post-SMTP-transaction bounce that my server will send. At this point I can really only guess. Now, GeekISP’s mail server doesn’t currently enforce SPF or DomainKey signatures, which offer some help to this category of problem. The problem is that if these emails are secret, how can I know that they have valid SPF / DK records published?
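The SPF check mentioned above can gate challenge generation, so that a challenge only goes to a sender address the connecting host was authorized to use. The following is an added example, not part of the original post and not TMDA's or GeekISP's code; the function names, the constructed sample records and the reduced mechanism set (ip4, ip6 and all only, no DNS lookups) are assumptions.

```python
import ipaddress

# Constructed sample data: sender domain -> published SPF TXT record.
# A real deployment would fetch these over DNS; the domains are reserved example names.
SAMPLE_SPF = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SAMPLE_SPF):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF record.

    Returns pass/fail/softfail/neutral, "none" when no record exists, or
    "unknown" when a term outside this subset (include, a, mx, ...) is hit.
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # SPF default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Membership is False when address and network families differ.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "unknown"  # not evaluated in this sketch; treated as unauthenticated
    return "neutral"  # no mechanism matched and there is no "all" term


def should_send_challenge(envelope_from, client_ip, records=SAMPLE_SPF):
    """Send a challenge only when the envelope sender is SPF-authenticated."""
    if envelope_from in ("", "<>"):
        return False  # null sender: the message is itself a bounce
    domain = envelope_from.rpartition("@")[2]
    return spf_result(domain, client_ip, records) == "pass"
```

Anything other than an SPF pass (forged sender, no record, or a record this sketch cannot evaluate) yields no challenge, which is the case where a challenge would otherwise land on a third party or a trap address.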
For now, I have sent a web request for my mail server to be removed from the database, and a message to deputies@spamcop.net (hey, you guys can deal right?) for more details on the trap violation. No response so far today.
In addition to the above, SpamCop’s website makes plain their anti-challenge/response policy. They also feel that it’s appropriate for them to set policy for my hosting company and my customers. To quote:
Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.
You emailed me, didn’t you? How am I being selfish by asking you to confirm your message? There’s more:
Solution: Do not use challenge/response filtering. Although it may stop most unwanted email for the person shielded by it, it generates more unwanted email for others.
And the best of all:
Since more and more sites will rightly block these challenge emails, you can never be sure they will reach their target even when they are not misdirected themselves. So these systems will lose legitimate mail in an attempt to stop unwanted mail.
Aha, I see. And why will they lose mail? Because SpamCop blacklists you for using them. Let me paraphrase: “we’re going to block these kinds of mails, and since we’re going to block them, we’ve undermined the effectiveness by which they operate, so better not to use them since they’re broken.” How’d I do?
All of this and more can be found here. I particularly like how SpamCop tells me what to do before going on vacation. If you guys want to cover my mail, sure I’ll let you know, but that’s the limit of how you can dictate policy to me.
The bit about C/R email systems sounds very funny coming from a group owned and operated by IronPort, a company selling security and anti-spam products.