Discussion:
A mailman opt-in plus confirmation mailing list is spam?
K. Thog
2006-03-09 01:03:46 UTC
When a user subscribes and then doesn't have the wherewithal to unsubscribe,
he might decide to complain to SpamCop.

Now a (potentially) legitimate discussion email list is blocked and there's
no way to find out who it was or what email was included with the
complaint.

What's the solution? There's an impasse, unless details can be provided to
the accused so their (now very annoyed) system administrators can take
steps to deal with the issue.

Comments much appreciated.
Porpoise
2006-03-09 01:28:46 UTC
Post by K. Thog
When a user subscribes and then doesn't have the wherewithal to unsubscribe,
he might decide to complain to SpamCop.
Now a (potentially) legitimate discussion email list is blocked and there's
no way to find out who it was or what email was included with the
complaint.
What's the solution? There's an impasse, unless details can be provided to
the accused so their (now very annoyed) system administrators can take
steps to deal with the issue.
Comments much appreciated.
AFAIK one report from one user wouldn't be sufficient to get an IP listed.
And, if you don't know who it was that "subscribed and then doesn't have the
wherewithal to unsubscribe" how do you know that "a user subscribed and
then didn't have the wherewithal to unsubscribe and might have complained
to SpamCop" (whatever that means)?

Of course, some people here might be able to help with a bit more useful
information if you weren't expecting them to be using their crystal balls to
determine what IP is actually under discussion.
Mike Easter
2006-03-09 01:51:17 UTC
Post by K. Thog
When a user subscribes and then doesn't have the wherewithal to
unsubscribe, he might decide to complain to SpamCop.
That would be against the rules -- that is, if a person subscribed by a
confirmed or verifiable by unique token opt-in to something like a
mailing list, and then at some later time decided to report the mailing
list items as spam.

However, usually when some mailsender claims that the recipient has
'subscribed' -- the fact is that the sender has no such confirmed and
verifiable unique token by which the subscription process was properly
verified. That is, the sender is claiming the recipient is subscribed,
but in fact the recipient is /not/ verifiably and confirmationally
opted-in.
Post by K. Thog
Now a (potentially) legitimate discussion email list is blocked and
there's no way to find out who it was or what email was included with
the complaint.
While it is true that the reporting process does not 'directly' provide
the recipient of the report with the address of the reporter, the
'appropriate' recipient of the report can dispute any notification.
Post by K. Thog
What's the solution? There's an impasse, unless details can be
provided to the accused so their (now very annoyed) system
administrators can take steps to deal with the issue.
The SpamCop derived notification recipient of a report receives a link
to the evidence on which the report is based. The recipient of a report
can dispute the veracity of a report -- that it should not have been
reported as spam. If a spamcop reporter is 'fraudulently' or
erroneously reporting as spam that which is not, the reporter can be
banned, suspended, fined, or otherwise disciplined.

The reporter is required to agree that:

http://www.spamcop.net/anonsignup.shtml
// If I break these rules, SpamCop will immediately and permanently
revoke my access to SpamCop.
I will use SpamCop only on email which is unsolicited, bulk email. //

In addition, reporters are not supposed to report mailing list items --
there is a different process for that

http://www.spamcop.net/fom-serve/cache/14.html
// Some examples of messages which should not be reported as spam:
Spam sent to mailing lists
Spam sent to mail lists/groups must not be reported using SpamCop except
by the list owner. //
Post by K. Thog
Comments much appreciated.
You haven't stated the IP address of what is at issue so that someone
can comment on how/who/ what address/ SpamCop would notify about a
reported item sourced by that IP.
--
Mike Easter
kibitzer, not SC admin
Vanguard
2006-03-09 02:39:41 UTC
Post by K. Thog
When a user subscribes and then doesn't have the wherewithal to unsubscribe,
he might decide to complain to SpamCop.
Now a (potentially) legitimate discussion email list is blocked and there's
no way to find out who it was or what email was included with the
complaint.
What's the solution? There's an impasse, unless details can be provided to
the accused so their (now very annoyed) system administrators can take
steps to deal with the issue.
SpamCop doesn't block anything. The mail recipient chose to use the SpamCop
blacklist but obviously doesn't have to. There are LOTS of blacklists out
there but obviously they aren't all used (I won't touch SPEWS which one day
will end up listing the entire IP address range).

How can a mailing list be legitimate if it doesn't have an unsubscribe
function, either by sending the appropriate commands in the body to the
listserver or by submitting a request to an admin? Obviously it is NOT a
legitimate mailing list if a user that elected to participate cannot also
elect to NOT participate any longer. Fix your mailing list! It's not
SpamCop's fault nor responsibility to fix your mailing list server.
--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________
Don Wannit
2006-03-09 08:29:36 UTC
Post by Vanguard
How can a mailing list be legitimate if it doesn't have an unsubscribe
function, either by sending the appropriate commands in the body to the
listserver or by submitting a request to an admin? Obviously it is NOT
a legitimate mailing list if a user that elected to participate cannot
also elect to NOT participate any longer. Fix your mailing list! It's
not SpamCop's fault nor responsibility to fix your mailing list server.
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).

When an email address is submitted to be added to the list, Mailman
sends a confirmation message to the address. The confirmation message
contains a unique randomly-generated token which must be included in
any response from the user in order to confirm the intention to
subscribe. If the user does not respond to the confirmation message
with the token, then after a timeout period the submission is dropped.
No list email is sent to the user until and unless the confirmation
token is sent back, or the unique confirmation URL link clicked on.

After the confirmation is received back from the user, a welcoming
message is automatically sent back which contains instructions for
changing personal settings, unsubscribing, etc. This message usually
says "Keep this for your records". Many users do not. That's their
problem. But it's not important, because each and every email
sent to the list contains much the same information in the headers
and the footer, so even if the user tosses the Welcome message,
the information is always right there.

Each and every email message sent to list subscribers, who each had
to go out of their way to confirm the subscription, does contain the
information about how to unsubscribe from the mailing list.

No matter how clearly this is spelled out to the user, there always
will be some number of users who do not read. So, in the case of
a properly run mailing list using the Gnu Mailman software to
manage the list, I do strongly take issue with your knee-jerk
statement "Fix your mailing list!". In such a case, it really
*is* SpamCop's fault if a SC user reports a mailing list email
from a list to which they did confirm their subscription, because
they can't be bothered to unsubscribe like they're supposed to.

This kind of misuse of SC should, according to the SC TOS, result
in permanent banning of the user from SC.

While it is possible to add email addresses to a Mailman-run
list without the address owner positively confirming it, that
is not the normal configuration. Mailman is designed to make
it easy to run a mailing list responsibly, right out-of-the-box
(well, out-of-the-zip-file).

Using a list manager package such as Mailman is a likely
indication of running a responsible list. It's irresponsible
to jump down the O.P.'s throat without knowing the facts.

How about asking for more information before flaming??
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
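
The confirmation flow described in the post above (unique random token, timeout, no list mail before confirmation), as an added example that is not part of the original post and is not Mailman's code. The class name, the three-day timeout, the one-confirmation-per-address limit and the stored evidence fields are assumptions of this sketch.

```python
import secrets
import time

# Assumed value: the post only says "a timeout period".
CONFIRM_TTL_SECONDS = 3 * 24 * 3600


class ConfirmedOptInList:
    """Hypothetical list roster: an address gets list mail only after it
    returns the unique token that was mailed to it."""

    def __init__(self, ttl=CONFIRM_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}          # token -> pending signup record
        self._pending_by_addr = {}  # address -> outstanding token
        self.members = {}           # address -> evidence of the opt-in

    def _purge_expired(self):
        """Drop signups whose confirmation window has closed."""
        now = self._clock()
        expired = [t for t, r in self._pending.items() if r["expires"] <= now]
        for token in expired:
            record = self._pending.pop(token)
            self._pending_by_addr.pop(record["address"], None)

    def request_subscription(self, address, source_ip):
        """Register a signup; return the token to mail to `address`,
        or None when no confirmation message should go out."""
        self._purge_expired()
        address = address.strip().lower()
        # One outstanding confirmation per address (a design choice of this
        # sketch): repeated form submissions for an address that never
        # asked, a spamtrap for instance, produce one message, not many.
        if address in self.members or address in self._pending_by_addr:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._pending[token] = {
            "address": address,
            "requested_at": now,
            "requested_from": source_ip,
            "expires": now + self._ttl,
        }
        self._pending_by_addr[address] = token
        return token

    def confirm(self, token):
        """Complete the opt-in; return the address, or None if the token
        is unknown, already used, or expired."""
        self._purge_expired()
        record = self._pending.pop(token, None)
        if record is None:
            return None
        address = record["address"]
        del self._pending_by_addr[address]
        # Keep the evidence: this is what a list owner can produce when a
        # spam report about a confirmed subscriber has to be disputed.
        self.members[address] = {
            "requested_at": record["requested_at"],
            "requested_from": record["requested_from"],
            "confirmed_at": self._clock(),
            "token": token,
        }
        return address

    def unsubscribe(self, address):
        """Remove a member; True if the address was subscribed."""
        return self.members.pop(address.strip().lower(), None) is not None

    def recipients(self):
        """Addresses that may receive list traffic: confirmed ones only."""
        return sorted(self.members)


if __name__ == "__main__":
    roster = ConfirmedOptInList()
    tok = roster.request_subscription("alice@example.org", "192.0.2.10")
    print("before confirmation:", roster.recipients())
    roster.confirm(tok)
    print("after confirmation: ", roster.recipients())
```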
jg
2006-03-09 16:43:52 UTC
On 3/9/2006 12:29 AM Don Wannit scribbled:

<snip>
Post by Don Wannit
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).
Just in passing, Dave, I did not see Mailman mentioned in the thread -
might I have lost a message?
Vanguard
2006-03-09 17:49:25 UTC
Post by jg
<snip>
Post by Don Wannit
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).
Just in passing, Dave, I did not see Mailman mentioned in the thread -
might I have lost a message?
Not in the body of the message but it is mentioned in the Subject header.
However, I'm not familiar with bulk mailers so it didn't mean anything to
me, especially since it was not capitalized to present the word as a noun.
jg figures the OP was talking about GNU Mailman
(http://www.gnu.org/software/mailman/index.html).
--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________
spamcop
2006-03-09 18:14:34 UTC
Post by Vanguard
Post by jg
<snip>
Post by Don Wannit
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).
Just in passing, Dave, I did not see Mailman mentioned in the thread -
might I have lost a message?
Not in the body of the message but it is mentioned in the Subject
header. However, I'm not familiar with bulk mailers so it didn't
mean anything to me, especially since it was not capitalized to
present the word as a noun. jg figures the OP was talking about GNU
Mailman (http://www.gnu.org/software/mailman/index.html).
Of course you realize that any Outlook/Outlook Express user is not
going to be able to see this because Microsoft hides all the header
information and changes the name of the label within the menus and
changes the menus within it's held from version to version!

Can you tell I HATE Outlook/Outlook Express?
Porpoise
2006-03-09 18:58:45 UTC
Post by Vanguard
Not in the body of the message but it is mentioned in the Subject header.
However, I'm not familiar with bulk mailers so it didn't mean anything to
me, especially since it was not capitalized to present the word as a noun.
jg figures the OP was talking about GNU Mailman
(http://www.gnu.org/software/mailman/index.html).
Post by spamcop
Of course you realize that any Outlook/Outlook Express user is not going
to be able to see this because Microsoft hides all the header information
and changes the name of the label within the menus and changes the menus
within it's held from version to version!
He said Subject header. Which of course *is* displayed. Along with:

From:
Reply-To:
Organisation:
Date:
Newsgroup:
Subject:

And if you want to see the Internet Headers <transport headers> it's quite
easy to do that too:

Path: news.spamcop.net!not-for-mail
From: spamcop <***@1bigthink.com>
Newsgroups: spamcop
Subject: Re: [SpamCop-List] Re: A mailman opt-in plus confirmation
mailing list is spam?
Date: Thu, 09 Mar 2006 13:14:34 -0500
Organization: SpamCop
Lines: 31
Message-ID: <mailman.21.1141928087.16519.spamcop-***@news.spamcop.net>
References: <duntuq$39i$***@news.spamcop.net>
<duo4hd$7lq$***@news.spamcop.net>
<duop1h$jmq$***@news.spamcop.net>
<duplqh$5a8$***@news.spamcop.net>
<duppr5$8kc$***@news.spamcop.net>
Reply-To: Mailing list to mirror the spamcop newsgroup
<spamcop-***@news.spamcop.net>
NNTP-Posting-Host: localhost.news.spamcop.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed;
x-avg-checked=avg-ok-766C70DA
X-Trace: news.spamcop.net 1141928087 9999 127.0.0.1 (9 Mar 2006 18:14:47
GMT)
X-Complaints-To: ***@news.spamcop.net
NNTP-Posting-Date: Thu, 9 Mar 2006 18:14:47 +0000 (UTC)
To: Mailing list to mirror the spamcop newsgroup
<spamcop-***@news.spamcop.net>
Return-Path: <***@1bigthink.com>
Delivered-To: mailman-spamcop-***@news.spamcop.net
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on blade1
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=none version=3.1.0
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
In-Reply-To: <duppr5$8kc$***@news.spamcop.net>
X-1bigthink.com-MailScanner-Information: Please contact
dnsadmin-at-1bigthink.com for more information
X-1bigthink.com-MailScanner: Found to be clean
X-1bigthink.com-MailScanner-SpamCheck: not spam
X-1bigthink.com-MailScanner-From: ***@1bigthink.com
X-BeenThere: spamcop-***@news.spamcop.net
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Mailing list to mirror the spamcop newsgroup
<spamcop-list.news.spamcop.net>
List-Unsubscribe: <http://news.spamcop.net/mailman/listinfo/spamcop-list>,
<mailto:spamcop-list-***@news.spamcop.net?subject=unsubscribe>
List-Archive: <http://news.spamcop.net/pipermail/spamcop-list>
List-Post: <mailto:spamcop-***@news.spamcop.net>
List-Help: <mailto:spamcop-list-***@news.spamcop.net?subject=help>
List-Subscribe: <http://news.spamcop.net/mailman/listinfo/spamcop-list>,
<mailto:spamcop-list-***@news.spamcop.net?subject=subscribe>
Xref: news.spamcop.net spamcop:155441
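
A way to read the list-management headers shown in the dump above, as an added example that is not part of the original post. The function name and both sample messages are constructed for illustration, with placeholder addresses on example.org.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# RFC 2369 list headers carry one or more URIs, each wrapped in <...> and
# separated by commas, often folded over several physical lines.
_BRACKETED = re.compile(r"<\s*([^<>]+?)\s*>")

# Constructed sample, modelled on the Mailman headers quoted in the thread.
LIST_SAMPLE = (
    "From: poster@example.org\n"
    "Subject: Re: [demo-list] test\n"
    "X-Mailman-Version: 2.1.1\n"
    "Precedence: list\n"
    "List-Id: Demo list <demo-list.lists.example.org>\n"
    "List-Unsubscribe: <http://lists.example.org/mailman/listinfo/demo-list>,\n"
    "\t<mailto:demo-list-request@lists.example.org?subject=unsubscribe>\n"
    "\n"
    "body\n"
)

# Constructed sample: ordinary one-to-one mail with no list headers.
PLAIN_SAMPLE = (
    "From: someone@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def list_mail_evidence(raw_message):
    """Summarise the mailing-list headers of one raw RFC 822 message."""
    msg = message_from_string(raw_message)

    uris = []
    for value in msg.get_all("List-Unsubscribe", []):
        uris.extend(_BRACKETED.findall(str(value)))

    mailto, web = [], []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "mailto":
            mailto.append(uri)
        elif scheme in ("http", "https"):
            web.append(uri)

    ids = _BRACKETED.findall(str(msg.get("List-Id", "")))
    precedence = str(msg.get("Precedence", "")).strip().lower()

    return {
        "list_id": ids[-1] if ids else None,
        "precedence": precedence or None,
        "unsubscribe_mailto": mailto,
        "unsubscribe_web": web,
        "has_unsubscribe": bool(mailto or web),
        # Any sender can add these headers, so they show how to leave a
        # list, not that the recipient ever confirmed a subscription.
        "is_list_mail": bool(ids or precedence == "list" or uris),
    }


if __name__ == "__main__":
    for name, raw in (("list", LIST_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, list_mail_evidence(raw))
```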
K. Thog
2006-03-09 23:51:52 UTC
Post by Vanguard
Not in the body of the message but it is mentioned in the Subject header.
However, I'm not familiar with bulk mailers so it didn't mean anything to
me, especially since it was not capitalized to present the word as a noun.
jg figures the OP was talking about GNU Mailman
(http://www.gnu.org/software/mailman/index.html).
Yes, I was talking about GNU MailMan. Or Mailman. Or however the GNU mailing
list manager is supposed to be referred.
Vanguard
2006-03-10 18:09:55 UTC
Post by Vanguard
Post by jg
<snip>
Post by Don Wannit
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).
Just in passing, Dave, I did not see Mailman mentioned in the thread -
might I have lost a message?
Not in the body of the message but it is mentioned in the Subject header.
However, I'm not familiar with bulk mailers so it didn't mean anything to
me, especially since it was not capitalized to present the word as a noun.
jg figures the OP was talking about GNU Mailman
(http://www.gnu.org/software/mailman/index.html).
Post by spamcop
Of course you realize that any Outlook/Outlook Express user is not going
to be able to see this because Microsoft hides all the header information
The Subject field is one of the headers that *is* presented by Outlook
Express. Outlook does NOT support newsgroups so why even bother to mention
it? What does reading the headers have to do with reading the Subject
header (which is shown) and the body of the post?
Post by spamcop
and changes the name of the label within the menus
Posts do not change the menus in whatever NNTP client is used for viewing a
post. Only YOU know what you meant to say.
Post by spamcop
and changes the menus within it's held from version to version!
"within it's held"? "Held" means what? Other than bug fixes, name me a
single product that has been enhanced or improved through versioning that
doesn't change some aspect of the program in its behavior or interface.
It's a new version. Gee, something changed. Duh.
Post by spamcop
Can you tell I HATE Outlook/Outlook Express?
Apparently you also hate all software.
Don Wannit
2006-03-11 04:22:50 UTC
Post by Vanguard
The Subject field is one of the headers that *is* presented by Outlook
Express. Outlook does NOT support newsgroups so why even bother to
mention it? What does reading the headers have to do with reading the
Subject header (which is shown) and the body of the post?
Post by spamcop
and changes the name of the label within the menus
Posts do not change the menus in whatever NNTP client is used for
viewing a post. Only YOU know what you meant to say.
Post by spamcop
and changes the menus within it's held from version to version!
"within it's held"? "Held" means what? Other than bug fixes, name me a
single product that has been enhanced or improved through versioning
that doesn't change some aspect of the program in its behavior or
interface. It's a new version. Gee, something changed. Duh.
Umm, I think you are mixing together two different things. The
original discussion was about email messages sent by the GNU Mailman
mailing list management software, and how the instructions to
unsubscribe are typically contained in each message. Both in the
email headers and in a footer at the bottom of the message. And
how many users can't be bothered to read those instructions, so
they report as spam a message from a list they explicitly subscribed
to (and confirmed, per best practice).

You seem to be talking about a news reader, and NNTP headers, which
is a different topic.

When you change the topic in a newsgroup thread, it's customary
to change the Subject: header in the news article, and mention
that you did so.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Vanguard
2006-03-11 15:40:45 UTC
Post by Don Wannit
Post by Vanguard
The Subject field is one of the headers that *is* presented by Outlook
Express. Outlook does NOT support newsgroups so why even bother to
mention it? What does reading the headers have to do with reading the
Subject header (which is shown) and the body of the post?
Post by spamcop
and changes the name of the label within the menus
Posts do not change the menus in whatever NNTP client is used for
viewing a post. Only YOU know what you meant to say.
Post by spamcop
and changes the menus within it's held from version to version!
"within it's held"? "Held" means what? Other than bug fixes, name me a
single product that has been enhanced or improved through versioning that
doesn't change some aspect of the program in its behavior or interface.
It's a new version. Gee, something changed. Duh.
Umm, I think you are mixing together two different things. The
original discussion was about email messages sent by the GNU Mailman
mailing list management software, and how the instructions to
unsubscribe are typically contained in each message. Both in the
email headers and in a footer at the bottom of the message. And
how many users can't be bothered to read those instructions, so
they report as spam a message from a list they explicitly subscribed
to (and confirmed, per best practice).
You seem to be talking about a news reader, and NNTP headers, which
is a different topic.
Yep. I was replying to the post by spamcop (yeah, real original moniker),
not to Thog's.
Post by Don Wannit
When you change the topic in a newsgroup thread, it's customary
to change the Subject: header in the news article, and mention
that you did so.
Unfortunately that will sometimes disconnect the subthread from the main
thread because not all newsreaders, especially webnews-for-dummies
interfaces, use the References header to group the messages in a thread. At
one time (don't know if it still is true), Google Groups grouped by Subject
instead of by References, so changing the Subject header resulted in
slicing out the subthread into its own new thread. There are users that
interface to Usenet using e-mail clients (i.e., mail-to-news gateways) that
use e-mail clients that don't use the References headers for grouping of
related messages. Outlook is one of those. You should NOT change the
Subject header unless you are deliberately attempting to slice out the
subthread but that is very similar to a malcontent using the FollowUp-To
header to furtively attempt to redirect any replies off to alt.test or
somewhere else so the malcontent "wins" the argument.
--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________
Porpoise
2006-03-09 17:16:45 UTC
Post by Don Wannit
Using a list manager package such as Mailman is a likely
indication of running a responsible list. It's irresponsible
to jump down the O.P.'s throat without knowing the facts.
How about asking for more information before flaming??
Perhaps the problem lies with the submission form itself rather than the
maillist software. If it's susceptible to allowing bots to auto-submit
addresses, then it's highly probable that it will end up hitting spamtraps.
You need to ensure that addresses can only be submitted by humans.
Don Wannit
2006-03-10 06:37:45 UTC
Post by Porpoise
Post by Don Wannit
Using a list manager package such as Mailman is a likely
indication of running a responsible list. It's irresponsible
to jump down the O.P.'s throat without knowing the facts.
How about asking for more information before flaming??
Perhaps the problem lies with the submission form itself rather than the
maillist software. If it's susceptible to allowing bots to auto-submit
addresses, then it's highly probable that it will end up hitting
spamtraps. You need to ensure that addresses can only be submitted by
humans.
It is the responsibility of those who run spamtraps to ensure that
they are not triggered by the very confirmation requests sent to
the email address to confirm that the signup is intentional.

Especially since this positive confirmation is the mark of a
responsibly run mailing list.

This is why fully-automatic spamtrap quick-reporting is not
a good idea. It's an invitation for some miscreant to submit
the spamtrap address (gleaned from the usual hidden locations
that are well known but not discussed openly) to a mailing
list signup form, and thereby get that mailing list blacklisted
by sending the confirmation request to the spamtrap address.
Just as it is supposed to do.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Anonymous
2006-03-10 17:40:04 UTC
Post by Don Wannit
It's an invitation for some miscreant to submit
the spamtrap address (gleaned from the usual hidden locations
that are well known but not discussed openly) to a mailing
list signup form
If the spamtrap addresses are "well known" and can be found by
"some miscreant", perhaps someone should address that as being a
real problem in the way spamtraps are administered.

Treating the confirmations from a GNU Mailman mailing list as
spam is a very bad thing to do, but letting net-abusers find out
the spamtrap email addresses is also a bad thing to do.

G.M.
Jeff G.
2006-03-10 17:57:14 UTC
Post by Anonymous
letting net-abusers find out
the spamtrap email addresses is ... a bad thing to do.
No, it's not. The net-abusers, whether they be spider bot or human,
find the SpamCop spamtrap email addresses when they scrape web sites.
Then they use those email addresses. Then SpamCop catches them and
causes their IP Addresses to be listed in the SCBL. Then we users of
the SCBL don't get subsequent spam from their IP Addresses. That is the
whole point behind SpamCop spamtrap email addresses - keeping email
messages from web scrapers out of our email inboxes. I believe that
there are safeguards built into the SpamCop spamtrap reception systems
to except mailing list software that uses confirmed opt-in.
--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585
Anonymous
2006-03-10 23:10:31 UTC
Jeff G. wrote...
Post by Jeff G.
Don Wannit wrote...
Post by Don Wannit
It's an invitation for some miscreant to submit
the spamtrap address (gleaned from the usual hidden locations
that are well known but not discussed openly) to a mailing
list signup form
If the spamtrap addresses are "well known" and can be found by
"some miscreant", perhaps someone should address that as being a
real problem in the way spamtraps are administered.
Treating the confirmations from a GNU Mailman mailing list as
spam is a very bad thing to do, but letting net-abusers find out
the spamtrap email addresses is also a bad thing to do.
No, it's not. The net-abusers, whether they be spider bot or human,
find the SpamCop spamtrap email addresses when they scrape web sites.
Then they use those email addresses. Then SpamCop catches them and
causes their IP Addresses to be listed in the SCBL. Then we users of
the SCBL don't get subsequent spam from their IP Addresses. That is the
whole point behind SpamCop spamtrap email addresses - keeping email
messages from web scrapers out of our email inboxes. I believe that
there are safeguards built into the SpamCop spamtrap reception systems
to except mailing list software that uses confirmed opt-in.
Look at Don's comment again. He clearly isn't talking about finding
spamtraps in the sense of finding a large number of email addresses that
include some "lost in the crowd" spamtraps but with no way for anyone
looking at the list to know which ones are spamtraps. He clearly implied
that the spamtraps are "well known" in the sense that somebody knows that
email address X is a spamtrap, not in the sense that someone knows that
there is one or more spamtraps hidden among many non-spamtraps. I thought
that the phrase "net-abusers find out the spamtrap email addresses" was
clear, but if you can think of a phrasing that is better, I will use that.

BTW, I am a long-time reader and occasional participant who is very much
aware of how the system works.

G.M.
Porpoise
2006-03-11 00:19:24 UTC
Post by Anonymous
BTW, I am a long-time reader and occasional participant who is very much
aware of how the system works.
G.M.
But you still haven't provided the affected IP so that everyone can look at
the *actual* issue, rather than some hypothetical one.
Steven Maesslein
2006-03-11 09:40:52 UTC
On Sat, 11 Mar 2006 00:19:24 -0000, Porpoise coughed into spamcop and
Post by Porpoise
Post by Anonymous
BTW, I am a long-time reader and occasional participant who is very much
aware of how the system works.
But you still haven't provided the affected IP so that everyone can look at
the *actual* issue, rather than some hypothetical one.
Anonymous isn't the OP whose IP is SCBL'ed...
--
Steve

"Politics is supposed to be the second oldest profession.
I have come to realize that it bears a very close
resemblance to the first."
Porpoise
2006-03-11 16:54:27 UTC
Post by Steven Maesslein
On Sat, 11 Mar 2006 00:19:24 -0000, Porpoise coughed into spamcop and
Post by Porpoise
But you still haven't provided the affected IP so that everyone can look at
the *actual* issue, rather than some hypothetical one.
Anonymous isn't the OP whose IP is SCBL'ed...
Aaaahhh..... Ooops! Lost track there somewhere..... He just sounded so much
like the OP, I didn't even notice it wasn't.... :-(
Anonymous
2006-03-13 16:43:11 UTC
Post by Porpoise
Post by Anonymous
BTW, I am a long-time reader and occasional participant who is very much
aware of how the system works.
G.M.
But you still haven't provided the affected IP so that everyone can look
at the *actual* issue, rather than some hypothetical one.
You are confusing me with someone else. The original post/issue was from
"K. Thog" posted
on Wed, 08 Mar 2006 17:03:46 -0800 with Message-ID:
<duntuq$39i$***@news.spamcop.net>.
I am one of the fellows who asked him for that info.

G.M.
Don Wannit
2006-03-11 04:18:01 UTC
Post by Anonymous
Jeff G. wrote...
Post by Jeff G.
Don Wannit wrote...
Post by Don Wannit
It's an invitation for some miscreant to submit
the spamtrap address (gleaned from the usual hidden locations
that are well known but not discussed openly) to a mailing
list signup form
If the spamtrap addresses are "well known" and can be found by
"some miscreant", perhaps someone should address that as being a
real problem in the way spamtraps are administered.
Treating the confirmations from a GNU Mailman mailing list as
spam is a very bad thing to do, but letting net-abusers find out
the spamtrap email addresses is also a bad thing to do.
No, it's not. The net-abusers, whether they be spider bot or human,
find the SpamCop spamtrap email addresses when they scrape web sites.
Then they use those email addresses. Then SpamCop catches them and
causes their IP Addresses to be listed in the SCBL. Then we users of
the SCBL don't get subsequent spam from their IP Addresses. That is the
whole point behind SpamCop spamtrap email addresses - keeping email
messages from web scrapers out of our email inboxes. I believe that
there are safeguards built into the SpamCop spamtrap reception systems
to except mailing list software that uses confirmed opt-in.
Look at Don's comment again. He clearly isn't talking about finding
spamtraps in the sense of finding a large number of email addresses that
include some "lost in the crowd" spamtraps but with no way for anyone
looking at the list to know which ones are spamtraps. He clearly implied
that the spamtraps are "well known" in the sense that somebody knows that
email address X is a spamtrap, not in the sense that someone knows that
there is one or more spamtraps hidden among many non-spamtraps. I thought
that the phrase "net-abusers find out the spamtrap email addresses" was
clear, but if you can think of a phrasing that is better, I will use that.
BTW, I am a long-time reader and occasional participant who is very much
aware of how the system works.
G.M.
Apparently I was ambiguous, or perhaps overly subtle. I did *not*
say that the spamtrap addresses are well known. Read again; I said
that the kinds of places the spamtrap addresses are hidden are
well known, at least among certain circles. Like the people
who gather them into the "Million Email Addresses" CDs, and
the people who put them out there to be gathered.

The whole point of a spamtrap is that the email address is
gibberish random characters, which will not be encountered
in a dictionary attack, nor by constructing compounds of
words and numbers, nor by conceivable typos. It must be
an email address that can NEVER be sent email by anyone
making an honest mistake.

This means that a useful spamtrap address can never be
any of the following:

- a potential role account, such as "sales", "info", etc.,
even if the domain in question has never had such an
address for real

- common names or words which might be used as a legitimate
email address by someone at a different domain, but get
hit by a typo on the domain part of the email address on
innocent mail sent by someone's grandmother

- an old email address that you had years ago and have not
used in a long time

As for where the spamtrap addresses are to be found, well,
if you don't know by now don't worry about it. Maybe go
back and re-read The Purloined Letter for a start? But the
baddies sure know, and pranksters as well -- otherwise
the spamtrap addresses would never receive any email at
all, right? ;-)
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Mike Easter
2006-03-11 04:53:18 UTC
Post by Don Wannit
This means that a useful spamtrap address can never be
Without getting into any of the specifics about spamtrap addresses which
are known by many around here, I once asked in this newsgroup about the
philosophy of spamcop spamtraps, whether they should be very random
usernames so as to 'never' occur in a so-called dictionary attack, very
common usernames so as to 'routinely' occur in so-called dictionary
attacks -- and similar 'extremes'.

At that time the answer from Ellen was 'yes'. That is, that there are
all different philosophical kinds of spamtrap addresses.

The only requirement as I understand it is that the addy has never been
used by anyone for any purpose, so that its 'exposure' has never been to
subscribe to anything, including free-for-all or anything else. The
fact that a spamtrap address may have been found by a miscreant and used
to forge subscribe to anything is not eliminated from the rack of the
wide range of possibilities for such spamtrap addies.

I don't think that spamtraps are manually eliminated by deputies who
find them forge subscribed in confirmation hits. In fact, I don't think
spamtrap addies are manually eliminated for any reason -- even if the
reason might be that the spamtrap addy does not appear to be a 'secret'
any more.

My concept of a dictionary attack is that the 'dictionary' is made up of
many many usernames scraped from various places including millions CDs
coupled with alternative domainnames scraped from similar very many such
places. The dictionary is /not/ made of dictionary type words.
--
Mike Easter
kibitzer, not SC admin
Don Wannit
2006-03-11 05:28:17 UTC
Post by Mike Easter
The only requirement as I understand it is that the addy has never been
used by anyone for any purpose, so that its 'exposure' has never been to
subscribe to anything, including free-for-all or anything else. The
fact that a spamtrap address may have been found by a miscreant and used
to forge subscribe to anything is not eliminated from the rack of the
wide range of possibilities for such spamtrap addies.
To be sure. However, my worry is automated spamtraps that add
IPs to blocklists without sanity-checking, either by smart enough
software or by humans. If you create a spamtrap address "info" at
some domain name which is public, even if you have never published
or revealed the address "***@that-domain", that address might
receive email from an innocent sender.
Post by Mike Easter
I don't think that spamtraps are manually eliminated by deputies who
find them forge subscribed in confirmation hits. In fact, I don't think
spamtrap addies are manually eliminated for any reason -- even if the
reason might be that the spamtrap addy does not appear to be a 'secret'
any more.
This is the problem. If some prankster finds a spamtrap address by
rummaging around in the places where spammers go digging for email
addresses, and pastes it into the email field on a subscription
form somewhere, then the responsibly-run list will send a brief
email to that address saying something of the form:

Someone (we hope it was you) submitted your email address
to subscribe to our email list. To make sure that this is
your intention, please click on this link to confirm:
http:||some.server/confirm.php?token-876123hdsasf9a7szcxvcxv23
Or, reply to this message, being sure to leave the subject
line intact so we see that magic token to prove that it's you.

If you did not intend to subscribe, simply ignore this message,
with our apologies for the intrusion.

I really hope that this confirmation request does not trigger
a blocklist entry for the sending IP.
Post by Mike Easter
My concept of a dictionary attack is that the 'dictionary' is made up of
many many usernames scraped from various places including millions CDs
coupled with alternative domainnames scraped from similar very many such
places. The dictionary is /not/ made of dictionary type words.
Yes, exactly. A "dictionary attack" means applying individual strings
from a list, as well as combinations of those strings. A robust
dictionary attack will have word lists in many languages, and slang
terms, and every email ID ever seen. That's why Fred with userid
"fr3dy-b0y" over at domain1.com can cause the name "fr3dy-b0y" to
be tried at every domain, even though it is not a word or combination
of words in any language I know...
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Mike Easter
2006-03-11 05:49:39 UTC
Post by Don Wannit
However, my worry is automated spamtraps that add
IPs to blocklists without sanity-checking, either by smart enough
software or by humans.
I have discussed my concerns about some ramifications of spamtraps here
in the past. My view was different from yours I think, at least in the
first 'example' -- but the same in the 2nd.
Post by Don Wannit
If you create a spamtrap address "info" at
some domain name which is public, even if you have never published
receive email from an innocent sender.
I do not understand why you say that -- and so you are launching that
particular argument from a premise which I do not accept as fact.
Post by Don Wannit
Post by Mike Easter
I don't think that spamtraps are manually eliminated by deputies who
find them forge subscribed in confirmation hits. In fact, I don't
think spamtrap addies are manually eliminated for any reason -- even
if the reason might be that the spamtrap addy does not appear to be
a 'secret' any more.
This is the problem. If some prankster finds a spamtrap address by
rummaging around in the places where spammers go digging for email
addresses, and pastes it into the email field on a subscription
form somewhere, then the responsibly-run list will send a brief
Yes, indeedy.
Post by Don Wannit
Someone (we hope it was you) submitted your email address
I really hope that this confirmation request does not trigger
a blocklist entry for the sending IP.
Yes, it would. If it hit a spamcop reporter, the reporter is not
supposed to report it if s/he reads it and plays by the rules. If it
hit a spamtrap, then the spamtrap would report it and the source would
be counted toward the SCbl. In addition to that counting, it is very
important to realize that no provider is going to get a notify from a
spamtrap hit -- so as a result another safeguard is removed, namely that
of the reported having an opportunity to receive a link to the evidence
of the report.

Ellen has stated that spamtraps make less mistakes than reporters.
Post by Don Wannit
Post by Mike Easter
My concept of a dictionary attack
Yes, exactly.
--
Mike Easter
kibitzer, not SC admin
Mike Easter
2006-03-11 06:04:54 UTC
Post by Mike Easter
Post by Don Wannit
Someone (we hope it was you) submitted your email address
I really hope that this confirmation request does not trigger
a blocklist entry for the sending IP.
Yes, it would. If it hit a spamcop reporter, the reporter is not
supposed to report it if s/he reads it and plays by the rules. If it
hit a spamtrap, then the spamtrap would report it and the source would
be counted toward the SCbl.
What is supposed to counteract this problem of forged spamtrap
subscriptions is that the bulk subscription mailers have much more
'reputation' or traffic points or weight to go into the SCbl denominator
to prevent some small number of false spamtrap hits from causing a
listing -- and that any such listing result would be temporary -- and
that any server which got itself blocked and made a query would have a
deputy examine the evidence, which would include the spamtraps, and s/he
would 'uncount' any spamtrap confirmations. A forged spamtrap
confirmation mistake which doesn't cause a listing is moot.

I think a deputy would probably tell you that it is very uncommon for a
mailing list to become SCbl listed by forged spamtrap subscribes.

Oh, yeah. There's another problem with forged spamtrap subscriptions.
That is that spamtrap hits count more than reporter hits.
--
Mike Easter
kibitzer, not SC admin
Don Wannit
2006-03-11 06:17:11 UTC
Post by Mike Easter
Post by Don Wannit
If you create a spamtrap address "info" at
some domain name which is public, even if you have never published
receive email from an innocent sender.
I do not understand why you say that -- and so you are launching that
particular argument from a premise which I do not accept as fact.
What I'm saying here is that it would be irresponsible to create
an automated spamtrap using any of many common role names such
as "info". Hey, I've got a vanity domain, and I should never get
any email to "postmaster" at this domain, since I've never published
that address -- I'll just make it a spamtrap!

(n.b. -- I'm still amazed at the amount of spam I get at my
various postmaster addresses)

Just because a particular email address has never been used at
a domain, and has never been published, doesn't mean that every
email sent to it is prima facie spam.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Mike Easter
2006-03-11 06:29:30 UTC
Post by Don Wannit
Just because a particular email address has never been used at
a domain, and has never been published, doesn't mean that every
email sent to it is prima facie spam.
I don't want to argue about what kinds of philosophical usernames should
be on spamtraps, but I don't agree that sending unsolicited mail to any
address such as info@ is OK.

Why should anyone or anything be emailing an unpublished info@ ?

It sounds like you are 'requiring' the owner of a domainname to be
disposing unreported any mails [or rather spams] which arrive at
unpublished usernames which are 'common' like 'info' -- as opposed to
reporting them as spam.

I don't agree.
--
Mike Easter
kibitzer, not SC admin
Don Wannit
2006-03-11 06:57:22 UTC
Post by Mike Easter
Post by Don Wannit
Just because a particular email address has never been used at
a domain, and has never been published, doesn't mean that every
email sent to it is prima facie spam.
I don't want to argue about what kinds of philosophical usernames should
be on spamtraps, but I don't agree that sending unsolicited mail to any
It sounds like you are 'requiring' the owner of a domainname to be
disposing unreported any mails [or rather spams] which arrive at
unpublished usernames which are 'common' like 'info' -- as opposed to
reporting them as spam.
I don't agree.
No, not at all! Abso-f*ckin-lutely report such spam!

What I am saying is that it would be irresponsible to set up an
automated spamtrap on that address. Those addresses require
a reporter to supervise the SC reports, and not let them go
out automatically, sight unseen. If the SpamCop spamtraps
are fully automated, with no human or clever software verification
that the email really is spam, then I supremely hope that
all traps are set *only* on gibberish email names set out
to be scraped, and unlikely to be mis-typed by an innocent.

This is a concept very closely related to the Innocent Bystander
in a SpamCop report.

Similarly, it should be an offense requiring banning for
a SpamCop reporter to set up automatic submission from a
common-but-unpublished address to a SpamCop quickreport.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Mike Easter
2006-03-11 07:19:10 UTC
Post by Don Wannit
What I am saying is that it would be irresponsible to set up an
automated spamtrap on that address.
I don't know.
Post by Don Wannit
I supremely hope that
all traps are set *only* on gibberish email names set out
to be scraped, and unlikely to be mis-typed by an innocent.
I don't know. That definitely doesn't mean I agree. Hitting a spamtrap
accidentally doesn't seem like the end of the world.
Post by Don Wannit
This is a concept very closely related to the Innocent Bystander
in a SpamCop report.
Not at all. Not even a little bit.
Post by Don Wannit
Similarly, it should be an offense requiring banning for
a SpamCop reporter to set up automatic submission from a
common-but-unpublished address to a SpamCop quickreport.
Heavens no. I completely disagree. A quickreport isn't even as serious
as a spamtrap report, since it counts as a reporter report which has
less weight than a spamtrap report.

The automatic submission of a quickreport does make for an opportunity
for error, to be sure -- but then any quick report has a potential for
error, automatic or not. Banning based on an error would depend on how
'stupid' or egregious the error were. You would have to present a
scenario in which that automatic reporting as described above created a
very stupid badness or severe bad mess.
--
Mike Easter
kibitzer, not SC admin
Don Wannit
2006-03-11 07:35:12 UTC
Post by Mike Easter
I don't know. That definitely doesn't mean I agree. Hitting a spamtrap
accidentally doesn't seem like the end of the world.
The problem is that SpamCop gives much higher weight to spamtrap
hits than to reports monitored by a SC reporter. AND does not
notify the relevant administrator(s) when the hit silently
results in a blocklisting.
Post by Mike Easter
Post by Don Wannit
Similarly, it should be an offense requiring banning for
a SpamCop reporter to set up automatic submission from a
common-but-unpublished address to a SpamCop quickreport.
Heavens no. I completely disagree. A quickreport isn't even as serious
as a spamtrap report, since it counts as a reporter report which has
less weight than a spamtrap report.
The automatic submission of a quickreport does make for an opportunity
for error, to be sure -- but then any quick report has a potential for
error, automatic or not. Banning based on an error would depend on how
'stupid' or egregious the error were. You would have to present a
scenario in which that automatic reporting as described above created a
very stupid badness or severe bad mess.
Well, looking back at a situation about 1-1/2 years ago (as I recall),
I found my own server listed due to quickreports reporting my own
server due to a DNS timeout with unfortunate timing. There was
quite a bit of discussion here at the time, including flamage
without bothering to read the facts.

After that time, I have not been a fan of quick-reporting, to put
it mildly.

Of course, this was before the MailHosts setup, and things are
different now for the particular failure that caused my erroneous
listing (due to quickreports, even if they were my own).

To be sure, according to the published algorithm, a single
quickreport should not result in a listing. However, AIUI
even a single email to a SC spamtrap address results in a
listing. I am cautioning against that hair-trigger sensitivity
if there is no vetting or monitoring to ensure that innocent
email does not trip the hair-trigger.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
RW
2006-03-11 18:24:41 UTC
Post by Mike Easter
I don't think that spamtraps are manually eliminated by deputies who
find them forge subscribed in confirmation hits. In fact, I don't think
spamtrap addies are manually eliminated for any reason -- even if the
reason might be that the spamtrap addy does not appear to be a 'secret'
any more.
I'm going to jump in here even though this isn't the question that was
forwarded to us, but is important. I'll answer 'our question' as well.

I can't reveal circumstances, but yes, spamtraps are taken out of the
equation if we are not comfortable with them remaining as traps. An
example is a few users who have recently used traps as reply-to
addresses in newsgroup posts. Because the addresses were now in the
open and there was a chance they could be innocently used by others
sending mail to them, they had to be removed from the trap list. There
have been other situations where we've temporarily or permanently taken
trap addresses or even entire trap domains out of service.

We pride ourselves in the quality of our traps, in terms of not being
over-exposed and not attracting accidental mail from the innocent
outsider. Standard role addresses are excluded from traps.

The question:

"Can you please confirm or deny that such safeguards are in effect? If
they are not in effect, can you please work on putting them into effect?"

There are no standards in place for how a confirmation request is formed
or worded, so there is no way to effectively put safeguards in place.
If we were to key in on specific wording or a mail-man specific header
line, that would be trivial to forge into spam to trick the parser into
rejecting outright spam containing those forgeries.

I've never had to deal with a listing caused by traps receiving
confirmation requests from a user filling out a form with a trap
address. Even if it were to happen, the one time would not cause the IP
to be listed. If multiple confirmation requests are received, there is
a problem on the subscription end in allowing a person to submit
multiple subscription forms. The subscription software should be set up
to limit mailing to an address more than once in a set period of time
and ignoring multiple requests from the same IP.

What does come into play is subscription confirmation requests generated
by mailed in subscription requests, generated by spam/viruses hitting
the subscription address with forged return addresses. The server
responds with a confirmation to every email received.

That problem is solved on the subscription end, again with rate limiting
and some simple spam filtering.

Richard
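The rate limiting Richard describes for the subscription end, sketched as an added example (not part of the original thread and not Mailman's own code): at most one confirmation mail per address per period, and a cap on requests honoured from one source IP. The class name, window lengths, limit and sample traffic are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class ConfirmationThrottle:
    """Decides whether a subscription request may trigger a confirmation mail.

    Hypothetical helper: for web forms source_ip is the client address, for
    mailed-in requests it would be the connecting relay (an assumption).
    """

    def __init__(self, address_window=86400, ip_window=3600, ip_limit=3,
                 clock=time.time):
        self.address_window = address_window  # seconds between mails to one address
        self.ip_window = ip_window            # sliding window for per-source counting
        self.ip_limit = ip_limit              # requests honoured per source per window
        self.clock = clock                    # injectable so the logic can be replayed
        self._last_sent = {}                  # address key -> time of last confirmation
        # Only the newest ip_limit + 1 timestamps are needed to decide, so the
        # deque is bounded and a flood cannot grow memory per source.
        self._ip_hits = defaultdict(lambda: deque(maxlen=ip_limit + 1))

    @staticmethod
    def _key(address):
        # Case-fold so "Foo@Example.ORG" and "foo@example.org" share one budget.
        return address.strip().lower()

    def allow(self, address, source_ip):
        """Return (allowed, reason) for one subscription request."""
        now = self.clock()

        # Per-source limit. Refused requests are counted too, so a script that
        # keeps hammering the form stays locked out while it keeps trying.
        hits = self._ip_hits[source_ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.ip_limit:
            return False, "source-rate-limited"

        # Per-address limit. This is what keeps a forged or repeated
        # subscription from producing a stream of confirmation requests
        # to the same mailbox (or the same trap).
        key = self._key(address)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.address_window:
            return False, "address-recently-mailed"

        self._last_sent[key] = now
        return True, "send-confirmation"


def replay(requests, throttle):
    """Run constructed (time, address, source_ip) tuples; return the reasons."""
    reasons = []
    for t, address, ip in requests:
        throttle.clock = lambda t=t: t
        reasons.append(throttle.allow(address, ip)[1])
    return reasons


# Constructed sample traffic: documentation-range IPs, example.org addresses.
SAMPLE = [
    (0,     "x7qk2@example.org", "192.0.2.10"),  # first request for this address
    (60,    "X7QK2@example.org", "192.0.2.11"),  # same address again, other source
    (120,   "a@example.org",     "192.0.2.10"),
    (180,   "b@example.org",     "192.0.2.10"),
    (240,   "c@example.org",     "192.0.2.10"),  # fourth request from .10 in an hour
    (90000, "x7qk2@example.org", "192.0.2.12"),  # more than a day later
]

if __name__ == "__main__":
    for request, reason in zip(SAMPLE, replay(SAMPLE, ConfirmationThrottle())):
        print(request, "->", reason)
```

The address limit applies regardless of which source submitted the request, so spreading forged subscriptions for one address across many IPs still yields a single confirmation mail per period.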
Don Wannit
2006-03-11 19:02:14 UTC
Permalink
Post by RW
I can't reveal circumstances, but yes, spamtraps are taken out of the
equation if we are not comfortable with them remaining as traps. An
example is a few users who have recently used traps as reply-to
addresses in newsgroup posts. Because the addresses were now in the
open and there was a chance they could be innocently used by others
sending mail to them, they had to be removed from the trap list. There
have been other situations where we've temporarily or permanently taken
trap addresses or even entire trap domains out of service.
[...snip...]
I've never had to deal with a listing caused by traps receiving
confirmation requests from a user filling out a form with a trap
address. Even if it were to happen, the one time would not cause the IP
to be listed. If multiple confirmation requests are received, there is
a problem on the subscription end in allowing a person to submit
multiple subscription forms. The subscription software should be set up
to limit mailing to an address more than once in a set period of time
and ignoring multiple requests from the same IP.
What does come into play is subscription confirmation requests generated
by mailed in subscription requests, generated by spam/viruses hitting
the subscription address with forged return addresses. The server
responds with a confirmation to every email received.
That problem is solved on the subscription end, again with rate limiting
and some simple spam filtering.
Richard
Thank you, Richard. Your points address my concerns about the SC
spamtraps.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Don Wannit
2006-03-11 06:50:26 UTC
Post by Don Wannit
As for where the spamtrap addresses are to be found, well,
if you don't know by now don't worry about it. Maybe go
back and re-read The Purloined Letter for a start? But the
baddies sure know, and pranksters as well -- otherwise
the spamtrap addresses would never receive any email at
all, right? ;-)
BTW, consider a PC which is infected with a virus. This
virus scans files on the hard drive for strings that look
like an email address (contain "@"). Usually, this is an
attempt to find "friends" of the PC user, so that the
virus can propagate by sending itself to those addresses
and appearing to come from the infected user, presumably
known to those friends.

Among the files on the local hard disk are cache files
for web browsers, edit buffers, all sorts of things.
These spamtrap addresses, which are hidden in places
that people normally don't look, might be found in
those local cache files, ready for the virus to find.
And send spam or virm poop to.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Mike Easter
2006-03-11 07:12:47 UTC
Post by Don Wannit
These spamtrap addresses, which are hidden in places
that people normally don't look, might be found in
those local cache files, ready for the virus to find.
And send spam or virm poop to.
Which would of course count as a spamtrap hit, which it should.
--
Mike Easter
kibitzer, not SC admin
Don Wannit
2006-03-11 07:22:22 UTC
Post by Mike Easter
Post by Don Wannit
These spamtrap addresses, which are hidden in places
that people normally don't look, might be found in
those local cache files, ready for the virus to find.
And send spam or virm poop to.
Which would of course count as a spamtrap hit, which it should.
Yup, precisely. There were some questions about how the
spamtrap addresses could be encountered, if they are
not easily guessable, which is why I mentioned that vector.

Virm poop sent to a spamtrap address certainly should
be counted as spam.

But if a virm, or person, uses the encountered email
address to maliciously subscribe the address to a
mailing list, then it is vital that the confirmation
email sent by the list to that email address, per
responsible list management and best practice, *not*
automatically trigger a hit.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Anonymous
2006-03-13 17:26:37 UTC
Don Wannit wrote...
Post by Don Wannit
Post by Mike Easter
Post by Don Wannit
These spamtrap addresses, which are hidden in places
that people normally don't look, might be found in
those local cache files, ready for the virus to find.
And send spam or virm poop to.
Which would of course count as a spamtrap hit, which it should.
Yup, precisely. There were some questions about how the
spamtrap addresses could be encountered, if they are
not easily guessable, which is why I mentioned that vector.
Virm poop sent to a spamtrap address certainly should
be counted as spam.
But if a virm, or person, uses the encountered email
address to maliciously subscribe the address to a
mailing list, then it is vital that the confirmation
email sent by the list to that email address, per
responsible list management and best practice, *not*
automatically trigger a hit.
Assuming (and I have seen no evidence that this is
not true) that spammers, viruses or net-abusers have
no way of identifying spamtraps, they would either
have to be really lucky guessers, or they would have
to maliciously subscribe a huge number of non-spamtrap
addresses with the spamtrap addresses hidden
in the crowd. An email list that accepted such a
huge number of subscriptions and then stupidly sent
confirmation requests to a huge number of non-spamtrap
addresses (plus some spamtrap addresses
hidden in the crowd) *should* be on a short-term
BL such as Spamcop.

G.M.
Don Wannit
2006-03-14 04:14:09 UTC
Don Wannit wrote...
Post by Don Wannit
Post by Mike Easter
Post by Don Wannit
These spamtrap addresses, which are hidden in places
that people normally don't look, might be found in
those local cache files, ready for the virus to find.
And send spam or virm poop to.
Which would of course count as a spamtrap hit, which it should.
Yup, precisely. There were some questions about how the
spamtrap addresses could be encountered, if they are
not easily guessable, which is why I mentioned that vector.
Virm poop sent to a spamtrap address certainly should
be counted as spam.
But if a virm, or person, uses the encountered email
address to maliciously subscribe the address to a
mailing list, then it is vital that the confirmation
email sent by the list to that email address, per
responsible list management and best practice, *not*
automatically trigger a hit.
Assuming (and I have seen no evidence that this is
not true) that spammers, viruses or net-abusers have
no way of identifying spamtraps, they would either
have to be really lucky guessers, or they would have
to maliciously subscribe a huge number of non-spamtrap
addresses with the spamtrap addresses hidden
in the crowd. An email list that accepted such a
huge number of subscriptions and then stupidly sent
confirmation requests to a huge number of non-spamtrap
addresses (plus some spamtrap addresses
hidden in the crowd) *should* be on a short-term
BL such as Spamcop.
This is not the point. If a spamtrap automatically
adds a source IP to a blocklist, then it would be
trivial for someone to forge a subscription request
purporting to be from the spamtrap, and thereby get
the output IP for the mailing list added to the
blocklist when it sends that confirmation request.

I never said anything about huge numbers of addresses,
or hiding a spamtrap address in a crowd of legitimate
addresses. I'm not sure where you got that concept.

The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use. It is quite simple to
find spamtrap addresses if you know where to look, and
know that they are spamtraps. Email address scrapers
typically just gather the address, and don't care where it
comes from. If someone knows the kinds of places that
spamtrap addresses are typically hidden for scrapers to
find, then it's trivial to find one and maliciously
send it in a subscription request to a mailing list.

Richard has answered my concern, without revealing too
much, by saying that while the SC spamtraps do not (and
can not) filter out legitimate confirmation requests,
a single spamtrap hit will not trigger a SC listing.

Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Porpoise
2006-03-14 16:15:04 UTC
"Don Wannit" <***@spamcop.net> wrote in message news:dv5fuh$2mq$***@news.spamcop.net...
<SNIP>
Post by Don Wannit
The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use.
All email addresses are "discoverable" but having "discovered" an address is
one thing; knowing that a particular address (assuming that one of the
smappers would actually read every single address that they farm ) is a
spamtrap address is something else and extremely improbable.
Post by Don Wannit
It is quite simple to
find spamtrap addresses if you know where to look, and
know that they are spamtraps. Email address scrapers
typically just gather the address, and don't care where it
comes from. If someone knows the kinds of places that
spamtrap addresses are typically hidden for scrapers to
find, then it's trivial to find one and maliciously
send it in a subscription request to a mailing list.
Extremely improbable.

<SNIP>
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
In what way (by what mechanism) would a BL listing contribute to a DOS
attack?

On the other hand, spammers sending thousands of emails with forged From:
addresses to addresses they know have autoresponders can instigate DOS
attacks against the inboxes of those forged From: addresses, by getting the
autoresponder to flood their mailboxes with thousands or even millions of
emails in very short periods - thereby rendering them unusable; vis-a-vis
Denial Of Service.

Or another mechanism for DOS is when a ne'erdogood uses an automated script
to keep loading a webpage with lots of images on it, thereby overloading the
server and making it impossible for other users to access the site.

There are other mechanisms, but I haven't seen any yet that could be
instigated/result from an IP finding itself listed on a BL. If a mailserver
admin decides to block the receipt of email from a particular sending IP
(based on any number of factors, including, but not limited to, the use of
any particular BL), that is his decision. It has nothing to do with whoever
"compiles" the list, and it doesn't constitute a DOS.
Eric
2006-03-14 18:30:01 UTC
Post by Porpoise
All email addresses are "discoverable" but having "discovered" an
address is one thing; knowing that a particular address (assuming that
one of the smappers would actually read every single address that they
farm ) is a spamtrap address is something else and extremely improbable.
Not to go into too much detail, but some spamtrap addresses
are accompanied by a comment warning innocent users not to
send email to that address because it is a spamtrap. "Smappers"
would ignore that comment. A human might spot that comment and
think "Hmmm. That's interesting. I know how I can abuse that."
Post by Porpoise
<SNIP>
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
In what way (by what mechanism) would a BL listing contribute to a DOS
attack?
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
Porpoise
2006-03-14 19:07:32 UTC
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
No, it wouldn't. In what way does it deny service? If I, as a mailserver
admin decide to use data from a BL (such as SCBL - or any number of other
BLs) to block thousands of mails from a certain IP from getting into *my*
mailboxes (as opposed to just tagging it into a spam folder), that is
entirely my prerogative (and could actually be saving me from a DOS). How
does that constitute a DOS? How am I performing a DOS attack on you by not
accepting all the shit being churned out by your servers? I'm not stopping
anyone else from accepting them......

Speaking hypothetically of course ;-) I'm not accusing you personally of
churning out all this crap! ;-)
Eric
2006-03-14 20:12:12 UTC
Post by Porpoise
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
No, it wouldn't. In what way does it deny service? If I, as a
mailserver admin decide to use data from a BL (such as SCBL - or any
number of other BLs) to block thousands of mails from a certain IP from
getting into *my* mailboxes (as opposed to just tagging it into a spam
folder), that is entirely my prerogative (and could actually be saving
me from a DOS). How does that constitute a DOS? How am I performing a
DOS attack on you by not accepting all the shit being churned out by
your servers? I'm not stopping anyone else from accepting them......
Whoa, stop with the knee-jerk reaction! Why is there this culture
of "any criticism, no matter how constructive, is prima facie
evidence of a spammer"??

True, you are not preventing others from receiving email from
the list's outgoing server, but you are exploiting the fact that
many admins do misuse the SCBL, and many list members are not in
control of the configuration of their email system(s). In
the knowledge that some number of list members are likely to
be subject to admins who DO in fact use BL data to block email,
you are constructively performing a DOS on the list affecting
at least part of its readership.
Post by Porpoise
Speaking hypothetically of course ;-) I'm not accusing you personally
of churning out all this crap! ;-)
What makes you think I am churning out anything?
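
The distinction drawn in the two posts above, between rejecting mail outright on a blocklist hit and merely tagging it, sketched from the receiving admin's side. This is an added example, not part of the thread; the zone names, weights, thresholds and DNS answers are constructed, and `resolve` stands in for a real DNS lookup.

```python
import ipaddress

# DNSBL convention: a listing is signalled by an A record inside 127.0.0.0/8.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Name a receiver looks up: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_zones(ip, zones, resolve):
    """Return the zones that list `ip`.

    `resolve(name)` returns a list of A-record strings (empty for NXDOMAIN).
    Answers outside 127.0.0.0/8 are ignored: a parked or wildcarded zone
    answers every query, and counting that as a listing blocks all mail.
    """
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if any(ipaddress.ip_address(a) in LISTING_RANGE for a in answers):
            hits.append(zone)
    return hits


def block_on_hit(hits):
    """Policy A: any single listing rejects the message at SMTP time."""
    return "reject" if hits else "accept"


def score_and_tag(hits, weights, content_score, tag_at=5.0, reject_at=10.0):
    """Policy B: each listing adds to a score shared with other checks."""
    score = content_score + sum(weights.get(zone, 0.0) for zone in hits)
    if score >= reject_at:
        return ("reject", score)
    if score >= tag_at:
        return ("tag", score)
    return ("accept", score)


# --- constructed sample data (documentation address ranges, made-up zones) ---
ZONES = ["bl-one.example", "bl-two.example", "bl-parked.example"]
WEIGHTS = {zone: 3.0 for zone in ZONES}
FAKE_DNS = {
    "25.2.0.192.bl-one.example": ["127.0.0.2"],       # a real listing
    "25.2.0.192.bl-parked.example": ["203.0.113.80"],  # wildcard, not a listing
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


def demo():
    """One list-server IP, listed on one zone, judged under both policies."""
    hits = listed_zones("192.0.2.25", ZONES, fake_resolve)
    return {
        "hits": hits,
        "block_policy": block_on_hit(hits),
        # Ordinary list post: low content score, single listing.
        "list_post": score_and_tag(hits, WEIGHTS, content_score=0.5),
        # Same source, content that other checks find somewhat suspicious.
        "borderline": score_and_tag(hits, WEIGHTS, content_score=2.5),
        # Same source, content that other checks already rate as spam.
        "spammy": score_and_tag(hits, WEIGHTS, content_score=7.5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under the first policy a single listing of the list server's outbound IP stops every message from it; under the second the same listing only moves a message that other checks already find suspicious.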
Anonymous
2006-03-14 20:08:47 UTC
Permalink
Eric wrote...
Post by Eric
Not to go into too much detail, but some spamtrap addresses
are accompanied by a comment warning innocent users not to
send email to that address because it is a spamtrap. "Smappers"
would ignore that comment. A human might spot that comment and
think "Hmmm. That's interesting. I know how I can abuse that."
Doing a quick Google search, I see a lot of what appear to be
abusable spamtraps, but of course I have no way of knowing whether
any of them are associated with a BL instead of an individual.
http://www.google.com/search?q=do-not-send-email-to-this+spam-trap

Not knowing the details, in my opinion SC spamtraps should be made
easy to find by spambots and hard to find by humans, using techniques
such as making it not display using the CSS display Property, putting
it on a tiny image, overlaying it with an image, tiny textsize,
white-on-white, locating it 32,000 pixels to the right, etc. One can also
hide the links to the page the spamtrap is on using many of the same
techniques.
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
It would indeed deny someone access to a service, but a different
term should be used, because "Denial Of Service" normally refers
to denial at the attacked server, not some other servers deciding
to not accept traffic from the attacked server. Either way, it is
a Bad Thing and is an attack on the reputation of the DNSbl as well
as the target. That's why I don't think the spamtraps should be
visible to humans.

G.M.
Eric
2006-03-14 23:12:54 UTC
Permalink
Post by Anonymous
Eric wrote...
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
It would indeed deny someone access to a service, but a different
term should be used, because "Denial Of Service" normally refers
to denial at the attacked server, not some other servers deciding
to not accept traffic from the attacked server. Either way, it is
a Bad Thing and is an attack on the reputation of the DNSbl as well
as the target. That's why I don't think the spamtraps should be
visible to humans.
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.

There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues. Are
you saying that the term "DOS" could only be applied to the
DNS servers, and not to SC?

Would you prefer the term "Partial Denial Of Service To Some
Downstream Consumers Through Indirect Means"?
Tim McGraw
2006-03-14 23:34:27 UTC
Permalink
Post by Eric
Post by Anonymous
Eric wrote...
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
It would indeed deny someone access to a service, but a different
term should be used, because "Denial Of Service" normally refers
to denial at the attacked server, not some other servers deciding
to not accept traffic from the attacked server. Either way, it is
a Bad Thing and is an attack on the reputation of the DNSbl as well
as the target. That's why I don't think the spamtraps should be
visible to humans.
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.
If you could point to a definition that supports this definition of DoS
then this might be worth discussing. However, every definition I
see defines a DoS attack as an intentional overload of requests in order
to consume the bandwidth of the victim's network or computational resources.

BLs don't do that, and you saying it's still a DoS doesn't make it so.
Eric
2006-03-14 23:51:07 UTC
Permalink
Post by Tim McGraw
Post by Eric
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.
If you could point to a definition that supports this definition of DoS
then this might be worth discussing. However, every definition I
see defines a DoS attack as an intentional overload of requests in order
to consume the bandwidth of the victim's network or computational resources.
How about CERT? http://www.cert.org/tech_tips/denial_of_service.html

Description

This document provides a general overview of attacks in which the
primary goal of the attack is to deny the victim(s) access to a
particular resource. Included is information that may help you respond
to such an attack.

A "denial-of-service" attack is characterized by an explicit attempt by
attackers to prevent legitimate users of a service from using that
service. Examples include

* attempts to "flood" a network, thereby preventing legitimate
network traffic
* attempts to disrupt connections between two machines, thereby
preventing access to a service
* attempts to prevent a particular individual from accessing a
service
* attempts to disrupt service to a specific system or person


Please look at the last 3 definitions. All 3 support my use of the
term DoS in this context.
Post by Tim McGraw
BLs don't do that, and you saying it's still a DoS doesn't make it so.
Knee-jerk reaction again. Until you did just now, no one claimed that
the DNSbl was doing a DoS. The discussion is about how someone could
exploit a revealed spamtrap to effectively deny service to a list
("service" == "IP not listed in blocklist") or to one or more readers
("service" == "incoming email unimpeded by admin misusing DNSbl").
Tim McGraw
2006-03-15 01:11:06 UTC
Permalink
Post by Eric
How about CERT? http://www.cert.org/tech_tips/denial_of_service.html
Description
This document provides a general overview of attacks in which the primary goal of the attack is to deny the victim(s) access to a particular resource. Included is information that may help you respond to such an attack.
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include
* attempts to "flood" a network, thereby preventing legitimate
network traffic
* attempts to disrupt connections between two machines, thereby
preventing access to a service
* attempts to prevent a particular individual from accessing a
service
* attempts to disrupt service to a specific system or person
Please look at the last 3 definitions. All 3 support my use of the
term DoS in this context.
Disrupting a list hardly rises to anything discussed on that page. It's
more like a denial of convenience; there is no guarantee to any list
operator that their mail/posts will reach all recipients.
Post by Eric
Until you did just now, no one claimed that
the DNSbl was doing a DoS.
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
The DNSbl is the cause of the so-called denial; the abused spamtrap is
just the lever for that action.
Post by Eric
The discussion is about how someone could
exploit a revealed spamtrap to effectively deny service to a list
("service" == "IP not listed in blocklist") or to one or more readers
("service" == "incoming email unimpeded by admin misusing DNSbl").
So, you're saying that the admin misusing a DNSbl filter is conducting a
DoS?

While the list suffers by not being able to deliver to all of its
alleged subscribers, wouldn't the admin basically be "denying" a service
to hir own users?
Eric
2006-03-15 01:48:49 UTC
Permalink
Post by Tim McGraw
While the list suffers by not being able to deliver to all of its
alleged subscribers, wouldn't the admin basically be "denying" a service
to hir own users?
You know what? This whole side issue is irrelevant. Fine, it's
not a DoS, let's just call it a "Fred Job". It's not worth arguing
about the term to use to describe it. Not when that's a diversion to
avoid discussing an issue.

It's just a harmless prank that causes inconvenience to others. No
skin off anyone's nose. Boys will be boys, after all. Just part
of modern life.
Tim McGraw
2006-03-15 01:54:26 UTC
Permalink
Post by Eric
Post by Tim McGraw
While the list suffers by not being able to deliver to all of its
alleged subscribers, wouldn't the admin basically be "denying" a
service to hir own users?
You know what? This whole side issue is irrelevant. Fine, it's
not a DoS, let's just call it a "Fred Job". It's not worth arguing
about the term to use to describe it. Not when that's a diversion to
avoid discussing an issue.
It's just a harmless prank that causes inconvenience to others. No
skin off anyone's nose. Boys will be boys, after all. Just part
of modern life.
Thank the spammers.
Eric
2006-03-15 18:45:24 UTC
Permalink
Post by Tim McGraw
So, you're saying that the admin misusing a DNSbl filter is conducting a
DoS?
No, not what I'm saying at all. Please read more carefully. In this
case the admin misusing a DNSbl is being manipulated by the real
attacker. The attacker is conducting a DoS (all right, a "Fred Job"),
using said admin as the mechanism. The admin is not doing the FJ,
the attacker is.
Tim McGraw
2006-03-15 19:06:25 UTC
Permalink
Post by Eric
Post by Tim McGraw
So, you're saying that the admin misusing a DNSbl filter is conducting
a DoS?
No, not what I'm saying at all. Please read more carefully. In this
case the admin misusing a DNSbl is being manipulated by the real
attacker. The attacker is conducting a DoS (all right, a "Fred Job"),
using said admin as the mechanism. The admin is not doing the FJ,
the attacker is.
You wrote above, as an example, "incoming email unimpeded by admin
misusing DNSbl."

I'd say such an admin is a victim of his own ineptitude, and the service
being denied (getting legitimate posts to a mail list) is to the admin's
own users.

You're welcome to spin that however you wish, but that's how I see it.
Tim McGraw
2006-03-15 19:40:50 UTC
Permalink
Post by Eric
Post by Tim McGraw
So, you're saying that the admin misusing a DNSbl filter is conducting
a DoS?
No, not what I'm saying at all. Please read more carefully. In this
case the admin misusing a DNSbl is being manipulated by the real
attacker. The attacker is conducting a DoS (all right, a "Fred Job"),
using said admin as the mechanism. The admin is not doing the FJ,
the attacker is.
You wrote above, as an example of service "denied," the "incoming email
unimpeded by admin misusing DNSbl."

I'd say such an admin is a victim of his own ineptitude, and the service
being denied (getting legitimate posts to a mail list) is primarily to
the admin's own users.

You're welcome to spin that however you wish, but that's how I see it.
Anonymous
2006-03-14 23:36:07 UTC
Permalink
Eric wrote...
Post by Eric
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.
There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues. Are
you saying that the term "DOS" could only be applied to the
DNS servers, and not to SC?
Excellent point. I retract my earlier statement.

G.M.
Porpoise
2006-03-15 00:00:15 UTC
Permalink
Post by Anonymous
Eric wrote...
Post by Eric
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.
There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues. Are
you saying that the term "DOS" could only be applied to the
DNS servers, and not to SC?
Excellent point. I retract my earlier statement.
Hmm..... I think you'll find that there's a world of difference between a
service being unavailable due to some service/hardware breakdown and a
service being unobtainable due to malicious intervention by third parties.
The former would be termed a service breakdown, the latter would be a Denial
Of Service attack.......
Eric
2006-03-15 00:24:24 UTC
Permalink
Post by Porpoise
Hmm..... I think you'll find that there's a world of difference between
a service being unavailable due to some service/hardware breakdown and a
service being unobtainable due to malicious intervention by third
parties. The former would be termed a service breakdown, the latter
would be a Denial Of Service attack.......
Where did a hardware breakdown come into it? We're talking
malicious deliberate action, not a bug/glitch/failure.
Porpoise
2006-03-15 00:50:48 UTC
Permalink
Post by Eric
Post by Porpoise
Hmm..... I think you'll find that there's a world of difference between a
service being unavailable due to some service/hardware breakdown and a
service being unobtainable due to malicious intervention by third
parties. The former would be termed a service breakdown, the latter would
be a Denial Of Service attack.......
Where did a hardware breakdown come into it? We're talking
malicious deliberate action, not a bug/glitch/failure.
Eric wrote...
Post by Porpoise
There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues.
Are you not reading your own posts?
Anonymous
2006-03-15 16:31:19 UTC
Permalink
Porpoise wrote...
Post by Anonymous
Eric wrote...
Post by Eric
Post by Porpoise
Hmm..... I think you'll find that there's a world of difference between
a service being unavailable due to some service/hardware breakdown and a
service being unobtainable due to malicious intervention by third
parties. The former would be termed a service breakdown, the latter
would be a Denial Of Service attack.......
Where did a hardware breakdown come into it? We're talking
malicious deliberate action, not a bug/glitch/failure.
Eric wrote...
Post by Porpoise
There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues.
It was my understanding that the DNS problems were because of an attack,
not a hardware breakdown. I agree that general usage of the phrase
"service breakdown" implies a hardware or software failure, not an
attack of some kind, and that "Denial of Service attack" AKA "DOS
Attack", "Denial of Service" or "DOS" implies an attack of some kind,
not a hardware or software failure. I doubt that anyone here will
disagree with those broad definitions. I read Eric as pointing out that
a DOS can target DNS, and thus is a counterexample to any claim that all
DOS attacks target the victim's server.

G.M.
Tim McGraw
2006-03-15 18:26:38 UTC
Permalink
<major snippage>
I read Eric as pointing out that a DOS can target DNS, and thus is a
counterexample to any claim that all DOS attacks target the victim's
server.
I believe Eric had some good points to make about how a spamtrap could
result in a false positive listing, but likening it to a DoS was a
canard that didn't really help advance his argument. By his last posting
I take it he felt the conversation was about semantics... but what
conversation isn't? :)

<yes, I just used an emoticon>

My claim was only that DoS attacks by definition target a victim's
network *services* (DNS is one of many) and involve *massive* requests
at the targeted system in order to consume bandwidth.

Back to the subject, as has been noted a legitimate mailman opt-in is
not spam, and sc reporters can lose their privileges by reporting such
an email as spam.

Does it still happen? Probably.

Do spammers "work" to do this on a spamtrap? Most spammers in my
experience can't and don't even bother to listwash, so I can't see them
investing all this time to forge a list subscription even if they knew a
spamtrap addy.
A GNU Mailman mailing list is not a legitimate mailing list? :-) That's a
pretty snap judgement on your part.
A mailman list - or any other list software - can be improperly
configured. Just because the software driving it is one "brand" or
another does not make a list "legitimate."
Eric
2006-03-15 18:42:25 UTC
Permalink
Post by Tim McGraw
My claim was only that DoS attacks by definition target a victim's
network *services* (DNS is one of many) and involve *massive* requests
at the targeted system in order to consume bandwidth.
Your claim is incorrect. You describe only one of several different
types of Denial of Service attack. See the definitions at CERT,
posted previously.
Post by Tim McGraw
Back to the subject, as has been noted a legitimate mailman opt-in is
not spam, and sc reporters can lose their privileges by reporting such
an email as spam.
Does a spamtrap lose its reporting privileges if it automatically
reports a legitimate good-faith subscription confirmation? A
human reporter would/could/should.
Post by Tim McGraw
Does it still happen? Probably.
Do spammers "work" to do this on a spamtrap? Most spammers in my
experience can't and don't even bother to listwash, so I can't see them
investing all this time to forge a list subscription even if they knew a
spamtrap addy.
Not relevant. Doesn't matter if spammers do or do not do this.
The discussion is about a prankster, or a competitor, or a
jilted gf, or anyone who wants to cause trouble.
Tim McGraw
2006-03-15 19:01:17 UTC
Permalink
Post by Eric
Post by Tim McGraw
My claim was only that DoS attacks by definition target a victim's
network *services* (DNS is one of many) and involve *massive*
requests at the targeted system in order to consume bandwidth.
Your claim is incorrect. You describe only one of several different
types of Denial of Service attack. See the definitions at CERT,
posted previously.
I stand by my statement.

Looks like we've agreed to disagree on something that wasn't even
relevant to the op.
Post by Eric
Post by Tim McGraw
Back to the subject, as has been noted a legitimate mailman opt-in is
not spam, and sc reporters can lose their privileges by reporting such
an email as spam.
Does a spamtrap lose its reporting privileges if it automatically
reports a legitimate good-faith subscription confirmation?
I believe RW addressed this concern.

Short answer: it's never happened, and even if it did, one report does
not = a sc listing.
Post by Eric
Post by Tim McGraw
Does [reporting legitimate opt-ins] still happen? Probably.
Do spammers "work" to do this on a spamtrap? Most spammers in my
experience can't and don't even bother to listwash, so I can't see
them investing all this time to forge a list subscription even if they
knew a spamtrap addy.
Not relevant.
I'd say my comment is pretty relevant to the discussion of whether a
spamtrap addy could be forge-subscribed to a legitimate list, which has
been part of this conversation since Porpoise brought it up on 3/9.
Post by Eric
Doesn't matter if spammers do or do not do this.
The discussion is about a prankster, or a competitor, or a
jilted gf, or anyone who wants to cause trouble.
That was just one of many discussions in this thread, but it's hard to
tell by the context whether you've changed it to human-entered opt-ins.

I guess you did, since a jilted gf wouldn't enter the addy of a
spamtrap. Or would they?

Seriously, what is it you want to hear or know other than promoting the
idea that a forge-subscribe using a spamtrap is a DoS (which certainly
was never relevant to the topic)?

The system isn't perfect. There, I said it.
indigo
2006-03-15 22:20:20 UTC
Permalink
Post by Tim McGraw
Post by Eric
Does a spamtrap lose its reporting privileges if it automatically
reports a legitimate good-faith subscription confirmation?
I believe RW addressed this concern.
Short answer: it's never happened, and even if it did, one report does
not = a sc listing.
It's impossible for it to happen anyway! How can a spamtrap get a "legit"
confirm message?
Eric
2006-03-15 22:32:17 UTC
Permalink
Post by indigo
Post by Tim McGraw
Post by Eric
Does a spamtrap lose its reporting privileges if it automatically
reports a legitimate good-faith subscription confirmation?
I believe RW addressed this concern.
Short answer: it's never happened, and even if it did, one report does
not = a sc listing.
It's impossible for it to happen anyway! How can a spamtrap get a "legit"
confirm message?
I thought the question was about a legitimate request
to confirm that the subscription request was valid?
The supposed subscription request is not legit, but
the request to confirm it certainly would be.
indigo
2006-03-15 22:48:08 UTC
Permalink
Post by Eric
Post by indigo
It's impossible for it to happen anyway! How can a spamtrap get a
"legit" confirm message?
I thought the question was about a legitimate request
to confirm that the subscription request was valid?
The supposed subscription request is not legit, but
the request to confirm it certainly would be.
After thinking about it more after I posted, I started to wonder whether I
had missed something in the thread....perhaps if someone finds a spamtrap
addy and _knows_ it's a spamtrap they could forge-subscribe the addy to a
legit list. The confirm email would then be reported as spam by the
spamtrap. So I guess you could just scrape the SC website and submit every
addy you find to a legit list if you were out to get someone.
Anonymous
2006-03-16 16:05:38 UTC
Permalink
indigo wrote...
Post by indigo
After thinking about it more after I posted, I started to wonder whether I
had missed something in the thread....perhaps if someone finds a spamtrap
addy and _knows_ it's a spamtrap they could forge-subscribe the addy to a
legit list. The confirm email would then be reported as spam by the
spamtrap.
That is correct. Abusing the system in that way assumes that someone can
find and identify spamcop spamtraps. That, in turn, assumes that whoever
is in charge of hiding the spamcop spamtraps is less skilled than I am,
because I can hide them in such a way that they cannot be found.

In like manner, those who claim that they can find and identify spamcop
spamtraps are in effect claiming to be more skilled at finding spamcop
spamtraps than any of spamcop's many attackers -- attackers who have come
up with many clever ways of attacking the spamcop system and yet have not
forge-subscribed any spamcop spamtraps to legitimate confirmed mailing
lists.

I have another theory; my theory is that those in charge of hiding the
spamcop spamtraps are better at it than I am, and that those who claim
that they can find and identify spamcop spamtraps are mistaken. Perhaps
they have found other spamtraps, or perhaps someone at spamcop trusts
them enough to tell them where to look, but I don't believe that they
can find and identify spamcop spamtraps without some sort of special help.
Post by indigo
So I guess you could just scrape the SC website and submit every
addy you find to a legit list if you were out to get someone.
That would not work. If you can find spamcop spamtrap addresses by
scraping the spamcop website, then the people in charge of hiding
the spamcop spamtraps are idiots for hiding them in such an obvious
place. Also, if you can find spamcop spamtrap addresses by
scraping the spamcop website, so can spamcop's enemies, and yet
we have not seen any of them manage to pull off the abuse described
above.

G.M.
indigo
2006-03-16 21:23:04 UTC
Permalink
Post by Anonymous
That would not work. If you can find spamcop spamtrap addresses by
scraping the spamcop website, then the people in charge of hiding
the spamcop spamtraps are idiots for hiding them in such an obvious
place. Also, if you can find spamcop spamtrap addresses by
scraping the spamcop website, so can spamcop's enemies, and yet
we have not seen any of them manage to pull off the abuse described
above.
Sounds like a catch-22 to me....if they're so hard to find (impossible
even), how can they manage to get onto a dirty list?
Eric
2006-03-15 18:46:37 UTC
Permalink
Post by Porpoise
Post by Eric
Post by Porpoise
Hmm..... I think you'll find that there's a world of difference
between a service being unavailable due to some service/hardware
breakdown and a service being unobtainable due to malicious
intervention by third parties. The former would be termed a service
breakdown, the latter would be a Denial Of Service attack.......
Where did a hardware breakdown come into it? We're talking
malicious deliberate action, not a bug/glitch/failure.
Eric wrote...
Post by Porpoise
There have been times (mostly pre-Akamai) during which SC users
were effectively denied SC services because of DNS issues.
Are you not reading your own posts?
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
Tim McGraw
2006-03-15 19:03:21 UTC
Permalink
Post by Eric
Post by Porpoise
Are you not reading your own posts?
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here. I'm sure you could Google the archives and find
those discussions.

Good luck!
Tim McGraw
2006-03-15 19:20:24 UTC
Permalink
Post by Tim McGraw
Post by Eric
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here.
Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).

And as I recall based on the discussion here, that was the reason sc had
DNS failures.
Anonymous
2006-03-15 19:54:13 UTC
Permalink
Tim McGraw wrote...
Post by Tim McGraw
Post by Tim McGraw
Post by Eric
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here.
Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).
And as I recall based on the discussion here, that was the reason sc had
DNS failures.
Is this the attack we are talking about?

http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/

http://www.julianhaight.com/jokerstupidity.shtml

http://mail.cesmail.net/jokerproblem.php

http://it.slashdot.org/article.pl?sid=03/11/02/1453253

-G.M.
Eric
2006-03-15 20:53:18 UTC
Permalink
Post by Anonymous
Tim McGraw wrote...
Post by Tim McGraw
Post by Tim McGraw
Post by Eric
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here.
Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).
And as I recall based on the discussion here, that was the reason sc had
DNS failures.
Is this the attack we are talking about?
http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/
http://www.julianhaight.com/jokerstupidity.shtml
http://mail.cesmail.net/jokerproblem.php
http://it.slashdot.org/article.pl?sid=03/11/02/1453253
No, that's a different incident, different cause.
Here's one thread:
http://groups.google.com/group/alt.spam/browse_thread/thread/71f5f4171095ed08/2574437c7f941a5f?lnk=st&q=spamcop+DNS+akamai&rnum=1&hl=en#2574437c7f941a5f
(snurled: http://snipurl.com/nnfe )

And another:
http://groups.google.com/group/alt.meditation.transcendental/browse_thread/thread/20e23fca52db0488/d1684a9b22d857c2?lnk=st&q=spamcop+DNS+ddos&rnum=4&hl=en#d1684a9b22d857c2
(snurled: http://snipurl.com/nnfm )
Anonymous
2006-03-15 22:03:36 UTC
Permalink
Eric wrote...
Post by Eric
Post by Anonymous
Is this the attack we are talking about?
http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/
http://www.julianhaight.com/jokerstupidity.shtml
http://mail.cesmail.net/jokerproblem.php
http://it.slashdot.org/article.pl?sid=03/11/02/1453253
No, that's a different incident, different cause.
http://groups.google.com/group/alt.spam/browse_thread/thread/71f5f4171095ed08/2574437c7f941a5f?lnk=st&q=spamcop+DNS+akamai&rnum=1&hl=en#2574437c7f941a5f
(snurled: http://snipurl.com/nnfe )
Shortened:
http://groups.google.com/group/alt.spam/browse_frm/thread/71f5f4171095ed08
Post by Eric
http://groups.google.com/group/alt.meditation.transcendental/browse_thread/thread/20e23fca52db0488/d1684a9b22d857c2?lnk=st&q=spamcop+DNS+ddos&rnum=4&hl=en#d1684a9b22d857c2
(snurled: http://snipurl.com/nnfm )
Shortened:
http://groups.google.com/group/alt.meditation.transcendental/browse_frm/thread/20e23fca52db0488


Also see:

http://www.geek.com/news/geeknews/2003Sep/gee20030929021977.htm
http://www.wilderssecurity.com/showthread.php?t=10761
http://news.zdnet.com/2100-1009_22-5082728.html

It is a tribute to the engineers who design the system that antispam sites
are usually up despite such attacks.
Tim McGraw
2006-03-15 19:52:13 UTC
Permalink
Post by Tim McGraw
Post by Eric
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here. I'm sure you could Google the archives and
find those discussions.
I do recall those discussions. It was not hardware failure, it
was a concerted distributed attack which caused DNS servers for
the SC domains to be unable to respond within the usual timeout
period. It was one of the major reasons that SC adopted the
Akamai web support.
Corrected... and agreed.
Eric
2006-03-15 19:50:35 UTC
Permalink
Post by Tim McGraw
Post by Eric
Do you have information that the distributed attacks causing DNS for
SpamCop to be unavailable were actually caused by hardware failure?
That's news to me. Please substantiate.
It was well-known here. I'm sure you could Google the archives and find
those discussions.
I do recall those discussions. It was not hardware failure, it
was a concerted distributed attack which caused DNS servers for
the SC domains to be unable to respond within the usual timeout
period. It was one of the major reasons that SC adopted the
Akamai web support.
Tim McGraw
2006-03-14 23:35:53 UTC
Permalink
Post by Eric
Post by Anonymous
Eric wrote...
Post by Eric
Overloading a web server and flooding an inbox are not the only
types of DOS. In the context of this thread, getting the output
IP of a list server added to a DNSbl would be a Denial Of Service,
would it not?
It would indeed deny someone access to a service, but a different
term should be used, because "Denial Of Service" normally refers
to denial at the attacked server, not some other servers deciding
to not accept traffic from the attacked server. Either way, it is
a Bad Thing and is an attack on the reputation of the DNSbl as well
as the target. That's why I don't think the spamtraps should be
visible to humans.
There are many mechanisms to cause the denial of or inability
to deliver services. Bludgeoning the server is only one of them.
If you could point to a reputable Web site that supports this definition
of DoS then this might be worth discussing. However, every definition I
see defines a DoS attack as an intentional overload of requests in order
to consume the bandwidth of a victim's network or computational resources.

BLs don't do that, and you saying it's still a DoS doesn't make it so.
Anonymous
2006-03-14 18:20:20 UTC
Permalink
Post by Don Wannit
This is not the point. If a spamtrap automatically
adds a source IP to a blocklist, then it would be
trivial for someone to forge a subscription request
purporting to be from the spamtrap, and thereby get
the output IP for the mailing list added to the
blocklist when it sends that confirmation request.
No. It would be far from trivial, because the bad guy
doesn't know what addresses are spamtraps, and the
mailing list won't accept subscriptions to what he
does have, which is hundreds of thousands of harvested
email addresses with a few spamtraps hidden among them.
(and if the mailing list does send confirmations to
hundreds of thousands of subscriptions all coming in
at once it deserves to be listed).
Post by Don Wannit
I never said anything about huge numbers of addresses,
Yes you did. You wrote "I said that the kinds of places
the spamtrap addresses are hidden are well known, at
least among certain circles. Like the people who
gather them into the 'Million Email Addresses' CDs,
and the people who put them out there to be gathered."

Mentioning the people who put them out there to be
gathered is a red herring; the spamtrap creators aren't
going to subscribe mailing lists to their own spamtraps.
Those who run them would very much like to identify and
remove the spamtraps. Such a list would sell for a
higher price.
Post by Don Wannit
or hiding a spamtrap address in a crowd of legitimate
addresses. I'm not sure where you got that concept.
It is an inescapable consequence of the fact that it
is easy to gather a crowd of legitimate addresses that
include spamtrap addresses, but it is very, very hard to
gather just the spamtrap addresses or to gather just
the non-spamtrap addresses.
Post by Don Wannit
The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use. It is quite simple to
find spamtrap addresses
So far you are correct; just gather email addresses using
a spambot, virus, etc. and you will find spamtrap addresses
-- and a bunch of non-spamtrap addresses as well, with no
way to tell them apart.
Post by Don Wannit
if you know where to look, and know that they are spamtraps.
You have presented no evidence that anyone knows where to look
this is so, or even
a speculation as to how to differentiate between the two.
Post by Don Wannit
Email address scrapers typically just gather the address, and don't care
where it comes from.
If they could identify and remove the spamtraps, the list
would command a higher price.
Post by Don Wannit
If someone knows the kinds of places that spamtrap addresses are
typically hidden for scrapers to find, then it's trivial to find one
That is a tautology; they are easy to find if you know where
they are. Isn't everything easy to find if you know where
it is?
Post by Don Wannit
and maliciously send it in a subscription request to a mailing list.
Assuming that they can find and identify spamtraps.
Which they can't, unless the spamtrap creator is stupid.
An intelligent spamtrap creator will hide spamtraps in
places where nobody knows to look, and will not reveal the
locations to anyone.
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
Assuming that they can find and identify spamtraps.
Do you have any evidence that they can?
If your theory that spamtraps are easy to find were true, I
would expect to see many legitimate confirmed mailing lists
listed; that would be an effective way to damage the reputation
of the blocklist in question. Has anyone seen this? I would
also expect there to be lists-of-spamtraps for sale. Has anyone
seen such a list for sale?
Post by Don Wannit
Richard has answered my concern, without revealing too
much, by saying that while the SC spamtraps do not (and
can not) filter out legitimate confirmation requests,
a single spamtrap hit will not trigger a SC listing.
That should not have been sufficient to answer your concern.
If your theory is correct and spamtraps are easy to find and
identify, it would be a simple matter to subscribe ten or
twenty of them to the same mailing list over several hours
and from different places.

We have been discussing how easy it is to hide a spamtrap and
how hard it is to find it. Now let's consider the available
countermeasures if one is found. Just off the top of my head
I can think of several;

[1] Grep the incoming spam for addresses that are well-known
mailing lists. Examine them and stop using the spamtrap if a
single forge-subscription confirmation comes in. (leave the
spamtrap up, just ignore what comes in to it; this wastes the
time of anyone misusing it).

[2] Set up a process that looks for signs that a browser is
looking at a page where you expect only spambots to be looking.
Even if the bad guy makes his browser self-identify as being
a spambot, real spambots will not typically download images
or look at external CSS, JavaScript, or robots.txt files.

[3] Change the spamtrap from one unguessable email address
to another unguessable email address as soon as it starts
getting incoming spam. Now the bad guy looking for spamtraps
has to find them before any of his spambots or his buddy's
spambots find them.

[4] Every so often, close down one unguessable URL with a
spamtrap on it and put up another unguessable URL elsewhere,
changing the unguessable email address to another unguessable
email address at the same time. Now the bad guy has to play
whack-a-mole.

[5] Put random time delays before reporting on some spamtraps.
This will make it a lot harder to identify spamtraps by doing
a binary search and looking for addresses that result in an
instant listing.

...and that's just what I can think of in three minutes.
--
G.M. ( G u y M a c o n )
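The listing-policy trade-off argued over in this exchange, as an added example that is not part of the thread and not SpamCop's actual logic: a hair-trigger policy that lists on any single trap hit, beside one that needs several distinct traps, retires a trap that receives a list confirmation (countermeasure [1]) and delays its report by a random interval (countermeasure [5]). The addresses, thresholds and confirmation markers are constructed assumptions, and the confirmation heuristic is illustrative only, which is why a match goes to manual review instead of being trusted.

```python
import random
import re
from dataclasses import dataclass, field


@dataclass
class Hit:
    trap: str          # spamtrap address that received the message
    source_ip: str     # IP that delivered it
    received_at: int   # seconds since an arbitrary epoch
    subject: str
    headers: dict = field(default_factory=dict)


# Assumed markers of a list confirmation request (illustrative, not a
# complete signature set; a sender can imitate them, so never auto-trust).
CONFIRM_SUBJECT = re.compile(r"^\s*confirm\s+[0-9a-f]{16,}\s*$", re.IGNORECASE)
LIST_HEADERS = ("list-id", "x-mailman-version", "list-unsubscribe")


def looks_like_confirmation(hit):
    names = {name.lower() for name in hit.headers}
    return bool(CONFIRM_SUBJECT.match(hit.subject)) and any(
        h in names for h in LIST_HEADERS)


def hair_trigger(hits):
    """Policy the thread worries about: one hit on any trap lists the IP."""
    return {h.source_ip for h in hits}


def thresholded(hits, min_traps=3, window=3600, max_delay=1800, rng=None):
    """List an IP only after it hits min_traps distinct traps inside window."""
    rng = rng or random.Random()
    retired, review = set(), set()   # traps no longer counted / IPs for a human
    seen = {}                        # ip -> [(time, trap), ...] inside window
    listed = {}                      # ip -> time the listing is published
    for h in sorted(hits, key=lambda x: x.received_at):
        if h.trap in retired:
            continue                 # trap stays up, its mail is ignored
        if looks_like_confirmation(h):
            retired.add(h.trap)      # someone subscribed the trap: burn it
            review.add(h.source_ip)  # a person decides, not the automation
            continue
        if h.source_ip in listed:
            continue
        recent = [(t, trap) for t, trap in seen.get(h.source_ip, [])
                  if h.received_at - t <= window]
        recent.append((h.received_at, h.trap))
        seen[h.source_ip] = recent
        if len({trap for _, trap in recent}) >= min_traps:
            # Random delay hides which hit crossed the threshold.
            listed[h.source_ip] = h.received_at + rng.randint(0, max_delay)
    return {"listed": listed, "review": review, "retired": retired}


# Constructed sample: a list server answering forged subscriptions, a bulk
# sender hitting three traps in 25 minutes, and a single stray hit.
LIST_HDRS = {"List-Id": "<discuss.lists.example>", "X-Mailman-Version": "2.1"}
SAMPLE_HITS = [
    Hit("t1@trap.example", "192.0.2.10", 100, "confirm " + "a1b2c3d4" * 5, LIST_HDRS),
    Hit("t2@trap.example", "198.51.100.7", 200, "Limited offer"),
    Hit("t2@trap.example", "203.0.113.5", 400, "Hello"),
    Hit("t3@trap.example", "198.51.100.7", 900, "Limited offer"),
    Hit("t4@trap.example", "198.51.100.7", 1500, "Limited offer"),
    Hit("t5@trap.example", "192.0.2.10", 7300, "confirm " + "0f9e8d7c" * 5, LIST_HDRS),
]

if __name__ == "__main__":
    print("hair trigger lists:", sorted(hair_trigger(SAMPLE_HITS)))
    print("thresholded result:", thresholded(SAMPLE_HITS, rng=random.Random(7)))
```

Under the thresholded policy the list server is never listed automatically, even when two different traps are forge-subscribed hours apart; both traps are retired and the server's IP is queued for a human to look at.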
Don Wannit
2006-03-15 07:09:46 UTC
Permalink
Post by Anonymous
Post by Don Wannit
This is not the point. If a spamtrap automatically
adds a source IP to a blocklist, then it would be
trivial for someone to forge a subscription request
purporting to be from the spamtrap, and thereby get
the output IP for the mailing list added to the
blocklist when it sends that confirmation request.
No. It would be far from trivial, because the bad guy
doesn't know what addresses are spamtraps, and the
mailing list won't accept subscriptions to what he
does have, which is hundreds of thousands of harvested
email addresses with a few spamtraps hidden among them.
(and if the mailing list does send confirmations to
hundreds of thousands of subscriptions all coming in
at once it deserves to be listed).
The forging of an email sender address *is* trivial.
That should be understood by any reader of this newsgroup.
Post by Anonymous
Post by Don Wannit
I never said anything about huge numbers of addresses,
Yes you did. You wrote "I said that the kinds of places
the spamtrap addresses are hidden are well known, at
least among certain circles. Like the people who
gather them into the 'Million Email Addresses' CDs,
and the people who put them out there to be gathered."
You are reading the words but not the sentence. The
*kinds of places* are known to the people who compile
the mass lists of addresses, because they are the kinds
of places where email addresses can be harvested. Those
people don't know for sure that a specific address is a
spamtrap unless they look at its context, and their
robots do not look at context.

A different kind of person, even some of the readers of
this newsgroup, *do* know the kinds of places where
spamtrap addresses in particular, not real legitimate
email addresses, are strewn. I strongly doubt that I
am the only reader of this newsgroup who knows one
specific place for certain where SpamCop spamtrap
email addresses are placed to be found by harvesters.

I never said that a prankster would need to send
bogus subscriptions for all the addresses on a CD.

I said that the people who make those CDs know the
*kinds* of places to look for addresses. If they
wrote their harvesting robots to be smarter than just
looking for a string containing '@', it is certainly
plausible to evaluate the context of that string to
classify it as a potential spamtrap.

Some of those addresses are labeled quite clearly
and blatantly as spamtrap addresses. The robots
ignore that labeling, which could lead to the
address being included in a list of addresses.

That's not what I'm talking about. (or writing about)
Post by Anonymous
Mentioning the people who put them out there to be
gathered is a red herring; the spamtrap creators aren't
going to subscribe mailing lists to their own spamtraps.
Those who run them would very much like to identify and
remove the spamtraps. Such a list would sell for a
higher price.
This argument is a non sequitur. Or an even redder
herring.
Post by Anonymous
Post by Don Wannit
or hiding a spamtrap address in a crowd of legitimate
addresses. I'm not sure where you got that concept.
It is an inescapable consequence of the fact that it
is easy to gather a crowd of legitimate addresses that
include spamtrap addresses, but it is very, very hard to
gather just the spamtrap addresses or to gather just
the non-spamtrap addresses.
I just did a simple Google search for a particular phrase,
and got a list of 19 likely spamtrap addresses, just
by looking for a phrase which is often nearby a spamtrap
address left out for harvesting.

No, I will not post here the search phrase I used.

That's 19 possible addresses I could use if I wanted to
cause grief for some list admin and for some portion of
the readership of the list.
Post by Anonymous
Post by Don Wannit
The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use. It is quite simple to
find spamtrap addresses
So far you are correct; just gather email addresses using
a spambot, virus, etc. and you will find spamtrap addresses
-- and a bunch of non-spamtrap addresses as well, with no
way to tell them apart.
That's not the point. Perhaps it's gone over your head.
Post by Anonymous
Post by Don Wannit
if you know where to look, and know that they are spamtraps.
You have presented no evidence that anyone knows where to look
this is so, or even
a speculation as to how to differentiate between the two.
If Ellen, Don, or Richard will give me permission, I would be
happy to describe exactly how you yourself can find one of the
places where SC sows its spamtrap email address seeds. I don't
expect them to do so. There are other readers in this group who
know, and not because they were told but because they encountered
the spamtrap address themselves. You could do so yourself if you
cared to think for a minute or two.
Post by Anonymous
Post by Don Wannit
Email address scrapers typically just gather the address, and don't care
where it comes from.
If they could identify and remove the spamtraps, the list
would command a higher price.
Yeah, and if the snail-mail bulk mailers would cull duplicates,
they would have marginal savings. For both types of mailing lists,
the cost-benefit tradeoff is such that the duplicates and the
spamtraps are not removed.
Post by Anonymous
Post by Don Wannit
If someone knows the kinds of places that spamtrap addresses are
typically hidden for scrapers to find, then it's trivial to find one
That is a tautology; they are easy to find if you know where
they are. Isn't everything easy to find if you know where
it is?
Your logic is flawed. Knowing the *kinds* of places to look is
not the same as knowing a *specific place* to look.

And in order to find one spamtrap address, I do not need to be
able to find *all* spamtrap addresses.
Post by Anonymous
Post by Don Wannit
and maliciously send it in a subscription request to a mailing list.
Assuming that they can find and identify spamtraps.
Which they can't, unless the spamtrap creator is stupid.
An intelligent spamtrap creator will hide spamtraps in
places where nobody knows to look, and will not reveal the
locations to anyone.
A responsible spamtrap creator might put warning signs around
the pitfall, so that innocent people don't accidentally fall
in. The harvester robots ignore the warning, but people can
find it.
Post by Anonymous
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
Assuming that they can find and identify spamtraps.
Do you have any evidence that they can?
If your theory that spamtraps are easy to find were true, I
would expect to see many legitimate confirmed mailing lists
listed; that would be an effective way to damage the reputation
of the blocklist in question. Has anyone seen this? I would
also expect there to be lists-of-spamtraps for sale. Has anyone
seen such a list for sale?
Different (but tangentially related) topic, inappropriate argument.
Post by Anonymous
Post by Don Wannit
Richard has answered my concern, without revealing too
much, by saying that while the SC spamtraps do not (and
can not) filter out legitimate confirmation requests,
a single spamtrap hit will not trigger a SC listing.
That should not have been sufficient to answer your concern.
If your theory is correct and spamtraps are easy to find and
identify, it would be a simple matter to subscribe ten or
twenty of them to the same mailing list over several hours
and from different places.
It would. That would then require intervention by a human.
As Richard stated.
Post by Anonymous
We have been discussing how easy it is to hide a spamtrap and
how hard it is to find it. Now let's consider the available
countermeasures if one is found. Just off the top of my head
I can think of several;
[1] Grep the incoming spam for addresses that are well-known
mailing lists. Examine them and stop using the spamtrap if a
single forge-subscription confirmation comes in. (leave the
spamtrap up, just ignore what comes in to it; this wastes the
time of anyone misusing it).
Richard explained that this is not realistically feasible.
After-the-fact manual investigation can do this, but automating
the process is just another arms race.
Post by Anonymous
[2] Set up a process that looks for signs that a browser is
looking at a page where you expect only spambots to be looking.
Even if the bad guy makes his browser self-identify as being
a spambot, real spambots will not typically download images
or look at external CSS, JavaScript, or robots.txt files.
That augments the warning signs for a human surfer. It does not
in any way affect someone who wants to find a spamtrap to exploit.
Post by Anonymous
[3] Change the spamtrap from one unguessable email address
to another unguessable email address as soon as it starts
getting incoming spam. Now the bad guy looking for spamtraps
has to find them before any of his spambots or his buddy's
spambots find them.
Not relevant. The goal is not trying to find *all* spamtraps so
that they can be removed from a list of spammees. The goal
I posit is finding *one* spamtrap address to be exploited for
the purpose of getting someone added to a BL.
Post by Anonymous
[4] Every so often, close down one unguessable URL with a
spamtrap on it and put up another unguessable URL elsewhere,
changing the unguessable email address to another unguessable
email address at the same time. Now the bad guy has to play
whack-a-mole.
Wrong bad guy.
Post by Anonymous
[5] Put random time delays before reporting on some spamtraps.
This will make it a lot harder to identify spamtraps by doing
a binary search and looking for addresses that result in an
instant listing.
...and that's just what I can think of in three minutes.
Perhaps your haste explains why you spent so long addressing
a different problem.

The topic at hand is not listwashing a list of spamtrap email
addresses. The topic is the potential for using a spamtrap
for causing mischief if the spamtrap is fully automated on
a hair-trigger.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Anonymous
2006-03-15 17:39:49 UTC
Permalink
Don Wannit wrote...
Post by Don Wannit
Post by Anonymous
Post by Don Wannit
This is not the point. If a spamtrap automatically
adds a source IP to a blocklist, then it would be
trivial for someone to forge a subscription request
purporting to be from the spamtrap, and thereby get
the output IP for the mailing list added to the
blocklist when it sends that confirmation request.
No. It would be far from trivial, because the bad guy
doesn't know what addresses are spamtraps, and the
mailing list won't accept subscriptions to what he
does have, which is hundreds of thousands of harvested
email addresses with a few spamtraps hidden among them.
(and if the mailing list does send confirmations to
hundreds of thousands of subscriptions all coming in
at once it deserves to be listed).
The forging of an email sender address *is* trivial.
Please demonstrate by forging or explaining how to
forge an email sender address when you don't know what
it is. Remember, the claim that you are disagreeing with
specifies the assumption that the bad guy doesn't know
what addresses are spamtraps.
Post by Don Wannit
That should be understood by any reader of this newsgroup.
I advise avoiding references to "understanding" in situations
where you appear to not understand the concept "because the
bad guy doesn't know what addresses are spamtraps."
Post by Don Wannit
A different kind of person, even some of the readers of
this newsgroup, *do* know the kinds of places where
spamtrap addresses in particular, not real legitimate
email addresses, are strewn. I strongly doubt that I
am the only reader of this newsgroup who knows one
specific place for certain where SpamCop spamtrap
email addresses are placed to be found by harvesters.
If the creators of spamcop spamtrap addresses aren't hiding
them well enough, then the answer is to hide them better,
not to let them be findable and then to deal with abuse of
them after the fact.
Post by Don Wannit
I never said that a prankster would need to send
bogus subscriptions for all the addresses on a CD.
*I* said that. I believe that I also specified something
along the line of "assuming that the attacker can't find
and identify spamtraps." Which they can't.
Post by Don Wannit
I said that the people who make those CDs know the
*kinds* of places to look for addresses. If they
wrote their harvesting robots to be smarter than just
looking for a string containing '@', it is certainly
plausible to evaluate the context of that string to
classify it as a potential spamtrap.
If the creators of spamcop spamtrap addresses are
leaving identifying characteristics, then the answer
is to stop doing that. I can do it, why can't they?
Post by Don Wannit
Post by Anonymous
Post by Don Wannit
or hiding a spamtrap address in a crowd of legitimate
addresses. I'm not sure where you got that concept.
It is an inescapable consequence of the fact that it
is easy to gather a crowd of legitimate addresses that
include spamtrap addresses, but it is very, very hard to
gather just the spamtrap addresses or to gather just
the non-spamtrap addresses.
I just did a simple Google search for a particular phrase,
and got a list of 19 likely spamtrap addresses, just
by looking for a phrase which is often nearby a spamtrap
address left out for harvesting.
So you are saying that the spamtrap creators are too dimwitted
to use a meta or a robots.txt to keep such phrases out of
search engines? Or to use a graphic to display the phrase?
Or to hide the spamtrap address with CSS or by putting a
graphic over it?

If so, they should hide the spamtraps better. I have no proof,
but I think that they are *better* at hiding spamtraps than I
am after 2 minutes of thinking about the problem. I have no
proof, but I think that any spamtrap that you can find is not
associated with Spamcop. (I can't speak for other BLs or for
individuals; no doubt at least a few of them are idiots.)
Post by Don Wannit
No, I will not post here the search phrase I used.
No need. I would require some sort of evidence before
assuming that you are a liar.
Post by Don Wannit
That's 19 possible addresses I could use if I wanted to
cause grief for some list admin and for some portion of
the readership of the list.
The fact that nobody appears to be doing that with the
spamcop BL makes me think that none of those 19 addresses
are associated with spamcop.
Post by Don Wannit
Post by Anonymous
Post by Don Wannit
The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use. It is quite simple to
find spamtrap addresses
So far you are correct; just gather email addresses using
a spambot, virus, etc. and you will find spamtrap addresses
-- and a bunch of non-spamtrap addresses as well, with no
way to tell them apart.
That's not the point. Perhaps it's gone over your head.
That's twice in one post that you have confused disagreement
with lack of understanding. Please consider the possibility
that I disagree because you are wrong instead of assuming
that you are right and that anyone who disagrees must be stupid.
Post by Don Wannit
Post by Anonymous
Post by Don Wannit
if you know where to look, and know that they are spamtraps.
You have presented no evidence that anyone knows where to look
this is so, or even
a speculation as to how to differentiate between the two.
If Ellen, Don, or Richard will give me permission, I would be
happy to describe exactly how you yourself can find one of the
places where SC sows its spamtrap email address seeds. I don't
expect them to do so. There are other readers in this group who
know, and not because they were told but because they encountered
the spamtrap address themselves. You could do so yourself if you
cared to think for a minute or two.
Again, this assumes that they can't hide spamtraps as well as I
can, despite my having no experience doing that.

To demonstrate my ability to hide spamtraps, as soon as I finish
this post I will hide ten unguessable email addresses on ten
different websites that I control. If anyone here sends an
email with the subject "foobar barbaz bazqux" to one of them,
I will post here and let you know that I am not as good at hiding
email addresses as I thought I was.
Post by Don Wannit
Post by Anonymous
Assuming that they can find and identify spamtraps.
Which they can't, unless the spamtrap creator is stupid.
An intelligent spamtrap creator will hide spamtraps in
places where nobody knows to look, and will not reveal the
locations to anyone.
A responsible spamtrap creator might put warning signs around
the pitfall, so that innocent people don't accidentally fall
in. The harvester robots ignore the warning, but people can
find it.
I can test that too. Five of my ten test email addresses
will have warning signs around them that a human can read.
Post by Don Wannit
Post by Anonymous
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
Assuming that they can find and identify spamtraps.
Do you have any evidence that they can?
If your theory that spamtraps are easy to find were true, I
would expect to see many legitimate confirmed mailing lists
listed; that would be an effective way to damage the reputation
of the blocklist in question. Has anyone seen this? I would
also expect there to be lists-of-spamtraps for sale. Has anyone
seen such a list for sale?
Different (but tangentially related) topic, inappropriate argument.
In other words, a valid argument that you are unable to refute.
How do *you* explain the lack of large numbers of legitimate
confirmed mailing lists being listed because of confirmation
emails? Are the bad guys a lot worse at finding spamcop spamtraps
than you are? Did they suddenly decide not to attack spamcop in
every way that they can think of because spamcop is costing them money?
Post by Don Wannit
The topic at hand is [...] the potential for using a spamtrap
for causing mischief if the spamtrap is fully automated on
a hair-trigger.
...and whether the spamtraps can be found and identified, a necessary
precursor to causing the mischief.

G.M.
Eric Black
2006-03-15 22:43:24 UTC
Permalink
Don Wannit wrote...
[snip]
Please demonstrate by forging or explaining how to
forge an email sender address when you don't know what
it is. Remember, the claim that you are disagreeing with
specifies the assumption that the bad guy doesn't know
what addresses are spamtraps.
Again, I don't need to determine that a particular address
is or is not a spamtrap. I just need to find one (numerous
SC-related addresses are available for harvesters to find,
some might be live, some might not be). No doubt there are
SC-related addresses which are in no way "nearby" anything
connecting them to SC. Maybe the ones closely associated
with SC are not real live spamtraps at all. Maybe they are.

If the spamtrap address turns out to be inactive, and just left
out there to pollute spammer lists, then it's just noise.

If a teenager dials numbers and pulls the old "Do you have
Prince Albert in a can?" or other silly stunt, does it matter
if some of the numbers don't answer? The ones that do get
through are no less an annoyance because some attempts failed.


[snip]
If the creators of spamcop spamtrap addresses aren't hiding
them well enough, then the answer is to hide them better,
not to let them be findable and then to deal with abuse of
them after the fact.
Indeed. Maybe the visible ones are all dead but still
left out to be found, just to pollute email lists (like wpoison).
Post by Don Wannit
That's 19 possible addresses I could use if I wanted to
cause grief for some list admin and for some portion of
the readership of the list.
The fact that nobody appears to be doing that with the
spamcop BL makes me think that none of those 19 addresses
are associated with spamcop.
Doesn't matter if they are or are not. They *might* be,
and if my goal is to cause a spamtrap to trip, it doesn't
matter in the slightest if most or all of them are dead.
If one of them happens to be live, it serves the purpose.
Post by Don Wannit
That's not the point. Perhaps it's gone over your head.
That's twice in one post that you have confused disagreement
with lack of understanding. Please consider the possibility
that I disagree because you are wrong instead of assuming
that you are right and that anyone who disagrees must be stupid.
I am not saying you are stupid. I am saying that you are
disagreeing with the wrong thing, and the difference between
what you are disagreeing with, and what I am saying, is what
you are missing. I'm trying again to explain the difference.
To demonstrate my ability to hide spamtraps, as soon as I finish
this post I will hide ten unguessable email addresses on ten
different websites that I control. If anyone here sends an
email with the subject "foobar barbaz bazqux" to one of them,
I will post here and let you know that I am not as good at hiding
email addresses as I thought I was.
Not a relevant test. It doesn't matter whether I can find
*your* specific spamtrap addresses or not. That is not the claim.
The claim is that if I can find at least one spamtrap address,
anywhere, and if it happens to be a hair-trigger live spamtrap,
I can exploit it to cause inconvenience for some victim.

If what I think might be a spamtrap address turns out not to
be, then it's just another random drive-by forged subscription
of a dead address.

But if it really is a live spamtrap address, it does not matter
in the slightest if it is *your* spamtrap address.



--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Anonymous
2006-03-16 16:46:58 UTC
Permalink
Eric Black wrote...
Post by Eric Black
Post by Anonymous
Please demonstrate by forging or explaining how to
forge an email sender address when you don't know what
it is. Remember, the claim that you are disagreeing with
specifies the assumption that the bad guy doesn't know
what addresses are spamtraps.
Again, I don't need to determine that a particular address
is or is not a spamtrap. I just need to find one
That will not work if your goal is to forge-subscribe spamtraps
to mailing lists. If you can't determine that a particular
address is or is not a spamtrap, then you cannot harvest spamcop
spamtrap email addresses without also harvesting many other non-
spamtrap email addresses. The spamtrap addresses will be "lost
in the crowd."

Having that large collection of email addresses (with a few
spamtraps in the collection, but you don't know which ones)
is not sufficient to forge-subscribe the spamtraps to the
lists. You can't forge-subscribe just the spamtraps, because
you don't know which ones are spamtraps. You can't forge-
subscribe the entire large collection because no legitimate
mailing list will let you subscribe that many at once, and
any mailing list that allowed that deserves to be listed.
Post by Eric Black
Post by Anonymous
If the creators of spamcop spamtrap addresses aren't hiding
them well enough, then the answer is to hide them better,
not to let them be findable and then to deal with abuse of
them after the fact.
Indeed. Maybe the visible ones are all dead but still
left out to be found, just to pollute email lists (like wpoison).
That would be a reasonable course of action for an intelligent
spamtrap-hider; hide some fake spamtraps in places that are easy
to find. That would stop at least some attackers from looking
any farther. It would also fool some here into thinking that
they can find spamcop spamtraps.
Post by Eric Black
The claim is that if I can find at least one spamtrap address,
anywhere, and if it happens to be a hair-trigger live spamtrap,
I can exploit it to cause inconvenience for some victim.
As explained above, finding one spamtrap address *and finding
thousands of non-spamtraps at the same time* won't allow you
to forge-subscribe it to a mailing list without somehow telling
it apart from all the others. The list only allows you to
subscribe N email addresses. How do you pick them without
getting 100% non-spamtraps almost every time?
Post by Eric Black
If what I think might be a spamtrap address turns out not to
be, then it's just another random drive-by forged subscription
of a dead address.
Ah, but if you have a large number of those non-spamtrap
addresses you can't randomly drive-by forge-subscribe them
all; the mailing list won't let you do that.

G.M.
Jeff G.
2006-03-15 20:23:46 UTC
Permalink
Post by Don Wannit
some of the readers of
this newsgroup, *do* know the kinds of places where
spamtrap addresses in particular, not real legitimate
email addresses, are strewn.
I'm one of them.
Post by Don Wannit
I strongly doubt that I
am the only reader of this newsgroup who knows one
specific place for certain where SpamCop spamtrap
email addresses are placed to be found by harvesters.
No, you are not the only one.
Post by Don Wannit
If Ellen, Don, or Richard will give me permission, I would be
happy to describe exactly how you yourself can find one of the
places where SC sows its spamtrap email address seeds. I don't
expect them to do so. There are other readers in this group who
know, and not because they were told but because they encountered
the spamtrap address themselves. You could do so yourself if you
cared to think for a minute or two.
I'm not so sure I would do it even with permission. This thread has
given spammers and others more weapons, I'd rather not give them
ammunition and a target on my back as well. :)
--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585
Don Wannit
2006-03-15 22:50:38 UTC
Permalink
Post by Jeff G.
I'm not so sure I would do it even with permission. This thread has
given spammers and others more weapons, I'd rather not give them
ammunition and a target on my back as well. :)
Yes, this is a problem. Of course, the good news is that if regular
readers of news.spamcop don't see a potential for abuse, then
those "others" might not, either.

So since all this is impossible, and can never happen, there's
no need to worry about it.

--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Don Wannit
2006-03-11 04:07:12 UTC
Permalink
Post by Jeff G.
I believe that
there are safeguards built into the SpamCop spamtrap reception systems
to except mailing list software that uses confirmed opt-in.
I would hope so, and that's what I'm not sure of. The requirement
for such safeguards is absolute, hence my point. Since we (tinw)
want/encourage/force mailing list administrators to send a
confirmation request to the email address before sending any
list traffic, then it is fundamental that the confirmation
request not automatically trigger a SC or other RBL listing.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
Vanguard
2006-03-09 17:44:54 UTC
Permalink
Post by Don Wannit
Post by Vanguard
How can a mailing list be legitimate if it doesn't have an unsubscribe
function, either by sending the appropriate commands in the body to the
listserver or by submitting a request to an admin? Obviously it is NOT a
legitimate mailing list if a user that elected to participate cannot also
elect to NOT participate any longer. Fix your mailing list! It's not
SpamCop's fault nor responsibility to fix your mailing list server.
The O.P. stated that Gnu Mailman is the list management software in use.
By default, Mailman automatically includes a clickable unsubscribe link
in the email headers of every message sent out to the list. It also
facilitates automatically including that information in the footer
of every message sent to the list (and does so by default, although
you can change the configuration so it does not).
I misread the OP's post. I thought "user ... doesn't have the wherewithal
to unsubscribe" meant that there was no option presented or available to the
recipient to remove themself from the mailing list. I guess it meant the
user was too stupid to figure out how to unsubscribe.
Jeff G.
2006-03-10 17:59:12 UTC
Permalink
Post by Vanguard
I misread the OP's post. I thought "user ... doesn't have the
wherewithal to unsubscribe" meant that there was no option presented
or available to the recipient to remove themself from the mailing
list. I guess it meant the user was too stupid to figure out how to
unsubscribe.
I think you're correct, the OP was using one of those kinder, gentler
insults. :)
--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585
Kenneth Brody
2006-03-09 15:55:33 UTC
Permalink
Post by Vanguard
Post by K. Thog
When a user subscribes and then doesn't have the wherewithal to
unsubscribe, he might decide to complain to SpamCop.
Well, as posted elsewhere, reporting legitimate e-mail is against
SpamCop's rules, and can get the reporter banned from SpamCop.

[...]
Post by Vanguard
How can a mailing list be legitimate if it doesn't have an unsubscribe
function, either by sending the appropriate commands in the body to the
listserver or by submitting a request to an admin? Obviously it is NOT a
legitimate mailing list if a user that elected to participate cannot also
elect to NOT participate any longer. Fix your mailing list! It's not
SpamCop's fault nor responsibility to fix your mailing list server.
You've obviously never run a mailing list. There are plenty of legit
mailing lists out there with people too stupid/lazy to unsubscribe when
they decide they no longer want to receive it. Some people will simply
post repeated "unsubscribe" e-mails to the list (which is how many lists
_used_ to handle automated unsubscribes), and then complain that they
still get mailings. Others will simply delete the messages for a while,
and when they get tired of that, will start complaining. I have seen
this on more than one list, even though the lists often add a link at
the bottom of every message on how to unsubscribe or change your list
options.
--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody | www.hvcomputer.com | |
| kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at: <mailto:***@gmail.com>
K. Thog
2006-03-10 00:07:47 UTC
Permalink
Post by Vanguard
SpamCop doesn't block anything. The mail recipient chose to use the SpamCop
blacklist but obviously doesn't have to. There are LOTS of blacklists out
there but obviously they aren't all used (I won't touch SPEWS which one
day will end up listing the entire IP address range).
That's a question of pedantics. If you want to be pedantic about it, here
you go: the many *participating* server admins who *consult* SpamCop's RBL
are the ones blocking email. I know SpamCop has to make the distinction for
legal reasons; now, why are you doing it?

On the other hand, now that you know I know precisely what you meant, and
now that you know that I am perfectly aware of how RBLs operate, I will
continue to use the colloquial form and you will now know that I am not
simply ignorant of the technicalities involved, since pedantics no longer
need apply to that facet of our discussion. Fair enough?
Post by Vanguard
How can a mailing list be legitimate if it doesn't have an unsubscribe
function, either by sending the appropriate commands in the body to the
listserver or by submitting a request to an admin? Obviously it is NOT a
A GNU Mailman mailing list is not a legitimate mailing list? :-) That's a
pretty snap judgement on your part.

What happens when a user simply chooses not to unsubscribe from a normal
mailman mailing list, and instead decides to report it to SpamCop as spam?

I would hope that SpamCop's detection routines will find the list-management
features in the header and reject the complaint as illegitimate... or at
least notify the owner of the complaint.. Right? I mean, for less than 10
complaints, wouldn't it be better to act as a facilitator rather than a
massive retaliatory strikeforce that could be impacting legitimate,
non-spam business operations?

I'll tell you what happens then: businesses with savvy admins will be forced
to build a chain of differently-purposed IP addresses to ensure that
important one-on-one communications don't get blocked by lazy users and an
over-zealous blacklist like SpamCop. SpamCop will be factored into the cost
of doing business and then.. ignored.
Post by Vanguard
legitimate mailing list if a user that elected to participate cannot also
elect to NOT participate any longer. Fix your mailing list! It's not
SpamCop's fault nor responsibility to fix your mailing list server.
Of course it isn't, and I wasn't implying that it was. On the other hand, it
*is* SpamCop's responsibility to at least do rudimentary verification of
the accuracy of the reports. So long as SpamCop is saying they've done that
duty, then great. I have no problem.

For the record, I was one of the most fervent supporters of ORBS (and then
ORBZ) until they shut down, of the MAPS RBL, of all blacklists. However, we
all measure our success rate in terms of acceptable collateral damage, and
*your* default-guilty stance goes against simple legal and moral principle.
You should work hard to *minimize* collateral damage, and deal with
outsiders who are otherwise trying to find out what's going on.

So what is the point of me posting here and going to great lengths to
establish temporary credibility as a savvy user? My point is I'd like to
find out what SpamCop's stance towards outsiders like myself is so I can
decide whether to cooperate with the company or simply take measures so
I'll never become collateral damage in the future.
Porpoise
2006-03-10 00:02:37 UTC
Permalink
Post by Vanguard
SpamCop doesn't block anything. The mail recipient chose to use the SpamCop
blacklist but obviously doesn't have to. There are LOTS of blacklists out
there but obviously they aren't all used (I won't touch SPEWS which one
day will end up listing the entire IP address range).
**RANT SNIPPED for brevity**

Did you ensure the security of the web-submittal form? Or is it, perhaps
open to abuse by bots, and therein lies your problem? (If bots are able to
auto-optin loads of addresses automatically). If you use a web-form method
for subscription, it needs to be implemented in such a way that only a human
manually inputting the address is able to subscribe the address to the list
in the first place.

Here's a useful link with info on how to make forms secure against bots:
http://phpsec.org/articles/2005/text-captcha.html
K. Thog
2006-03-10 02:09:33 UTC
Permalink
Post by Porpoise
**RANT SNIPPED for brevity**
Did you ensure the security of the web-submittal form? Or is it, perhaps
open to abuse by bots, and therein lies your problem? (If bots are able to
auto-optin loads of addresses automatically). If you use a web-form method
for subscription, it needs to be implemented in such a way that only a
human manually inputting the address is able to subscribe the address to
the list in the first place.
http://phpsec.org/articles/2005/text-captcha.html
No, it's all secured against bots, and no Apache logs show mass-subscribe
activity. When a user is subscribed via the web interface, an email with a
cryptographic hash is sent. As far as I can tell there's no way for a bot
to auto-subscribe people without being able to intercept their email. :(

Interesting link though. :)
Mike Easter
2006-03-10 00:51:42 UTC
Permalink
Post by K. Thog
What happens when a user simply chooses not to unsubscribe from a
normal mailman mailing list, and instead decides to report it to
SpamCop as spam?
That is supposed to be prevented by requiring the reporter to be aware
of the rules under potential penalty of discipline and 'weeding out'
problem reporters.
Post by K. Thog
I would hope that SpamCop's detection routines will find the
list-management features in the header and reject the complaint as
illegitimate...
No such detection mechanism.
Post by K. Thog
or at least notify the owner of the complaint..
If you would say what IP we are talking about, someone can say how the
SC notify would be made. Presently we are trying to talk about some
theoretical mailing list server's IP address. Very often the admin of
a server needs to make some arrangements with SC to be notified about a
particular IP because the mechanism for the SC notify is to notify the
regional internet registrar like arin's contact for the IP block. If SC
were notifying the source provider for your news message it would be
notifying ***@telus.com based on the arin contact for Stentor

whois -h whois.arin.net 142.179.100.170 ...
OrgName: Stentor National Integrated Communications Network
NetRange: 142.179.0.0 - 142.179.255.255
RAbuseEmail: ***@telus.com

in that particular case it is the same as the abuse.net contact for the
bc.hsia.telus.net

whois -h whois.abuse.net s142-179-100-170.bc.hsia.telus.net ...
***@telus.net (for bc.hsia.telus.net)

but it doesn't always work like that.
Post by K. Thog
Of course it isn't, and I wasn't implying that it was. On the other
hand, it *is* SpamCop's responsibility to at least do rudimentary
verification of the accuracy of the reports. So long as SpamCop is
saying they've done that duty, then great. I have no problem.
There is no such rudimentary or otherwise 'verification of the accuracy
of the reports'. It is up to the entity which is receiving the report
to verify if the report is accurate and to dispute those which are not.
Post by K. Thog
My point is I'd like
to find out what SpamCop's stance towards outsiders like myself is so
I can decide whether to cooperate with the company or simply take
measures so I'll never become collateral damage in the future.
SC's admins are very cooperative with the admins of servers and there is
a whole section of the faq designed to facilitate communication and
cooperation.

http://www.spamcop.net/fom-serve/cache/75.html Help for abuse-desks and
administrators
--
Mike Easter
kibitzer, not SC admin
N. Miller
2006-03-10 06:07:58 UTC
Permalink
Post by K. Thog
What happens when a user simply chooses not to unsubscribe from a normal
mailman mailing list, and instead decides to report it to SpamCop as spam?
I would expect that the recipient of the complaint would file their own
complaint with SpamCop. As has been pointed out, an SC user will lose their
reporting privileges over false complaints.
Post by K. Thog
I would hope that SpamCop's detection routines will find the list-management
features in the header and reject the complaint as illegitimate... or at
least notify the owner of the complaint.. Right? I mean, for less than 10
complaints, wouldn't it be better to act as a facilitator rather than a
massive retaliatory strikeforce that could be impacting legitimate,
non-spam business operations?
I would hope that the SpamCop parser ignores anything which doesn't pertain
directly to identifying the message source, else it will cease to be a
useful tool for dealing with spam. How hard do you think it would be for
spammers to forge mailman headers? They forge everything else forgeable in
email headers.
Post by K. Thog
I'll tell you what happens then: businesses with savvy admins will be forced
to build a chain of differently-purposed IP addresses to ensure that
important one-on-one communications don't get blocked by lazy users and an
over-zealous blacklist like SpamCop. SpamCop will be factored into the cost
of doing business and then.. ignored.
If you are referring to spam complaints, should SC complaints be ignored I
would just go back to manual notifies, and creating my own local block list
based on ignored complaints.

If you are referring to the use of the SCBL, I already "ignore" it in the
sense that I use it as was intended; i.e., not to reject email, but to
score its probable "spamminess".
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
Anonymous
2006-03-10 17:39:59 UTC
Permalink
Post by K. Thog
I am perfectly aware of how RBLs operate
So what is the point of me posting here and going to great lengths to
establish temporary credibility as a savvy user?
I find the above claims difficult to reconcile with your failure to
tell us what IP was reported or to provide a tracking url to the
report which you claim was improperly filed.

G.M.
Mike Easter
2006-03-10 01:15:13 UTC
Permalink
Post by K. Thog
What's the solution?
What's the IP address in question? Until we start talking about a
/real/ IP address we aren't talking about a real problem, just some
noise making about some hypothetical vague undescribed non-problem.
--
Mike Easter
kibitzer, not SC admin
Mike Easter
2006-03-10 08:45:43 UTC
Permalink
Post by K. Thog
When a user subscribes and then doesn't have the wherewithal to
unsubscribe, he might decide to complain to SpamCop.
Comments much appreciated.
You come in here accusing by implication a reporter of making a bad
report, but you don't name any IP which was so reported.

You claim to be admin/ing a reported mailserver, but you don't provide
the tracking url to the evidence of a report which would have been
provided to the IP's SC reporting address.

You claim to be interested in interacting positively about spamcop
report issues, but you have shown no sign that you have properly
registered yourself to be a recipient of the spamcop reports described
above http://www.spamcop.net/fom-serve/cache/94.html How can I get
SpamCop reports about my network?

Until there is some real evidence of some bad report, you are just
making useless noise about nothing and your so-called subscribed mailing
list may just be a spamlist for all I know and see here.
--
Mike Easter
kibitzer, not SC admin
Anonymous
2006-03-16 22:47:09 UTC
Permalink
indigo wrote...
Post by indigo
Post by Anonymous
That would not work. If you can find spamcop spamtrap addresses by
scraping the spamcop website, then the people in charge of hiding
the spamcop spamtraps are idiots for hiding them in such an obvious
place. Also, if you can find spamcop spamtrap addresses by
scraping the spamcop website, so can spamcop's enemies, and yet
we have not seen any of them manage to pull off the abuse described
above.
Sounds like a catch-22 to me....if they're so hard to find (impossible
even), how can they manage to get onto a dirty list?
You are confusing spamtraps with spam sources. Spamtraps are hard to
find and identify, but spamtraps are not put on any "dirty lists."
Spam sources are very easy to find (just check your inbox). Spam
sources are put on "dirty lists" of IP addresses that have sent spam.

As I have explained, it is very easy to collect a large number of
non-spamtrap email addresses with a few spamtrap email addresses
hidden among them. Just set a program loose on the web that
searches for email addresses on webpages.

The key point is that after you have done this you have no way of
telling which ones are spamtraps. You also have no way of collecting
only spamtrap email addresses -- if you could you could forge-subscribe
them to mailing lists. You also have no way of collecting only non-
spamtrap email addresses -- if you could you could spam all you want
without being listed by spamcop.

This is the basic method that makes spamcop work; anything you do
to those millions of email addresses you collected you also do to
the spamtrap email addresses -- because you can't tell them apart.
Anything you do to the spamtrap email addresses you also do to
those millions of email addresses you collected -- because you can't
tell them apart.

Imagine the following conversation between Dilbert and his
Pointy-haired-boss (PHB)...

PHB: We just got a contract to find and arrest every terrorist
who arrives at the airport.

Dilbert: How are you going to find the terrorists?

PHB: That's easy! they all will be arriving at the airport!

Dilbert: Yes, but they will be hidden in a much larger crowd of
non-terrorists.

PHB: You aren't paying attention. We just arrest everyone, thus
insuring that we get all the terrorists.

Dilbert: The jails won't hold that many arrestees. You need to
be able to tell terrorists from non-terrorists.

PHB: That's easy if you know where to look. You just look in
the airport. All of the terrorists will arrive there.

Dilbert: Collecting a huge crowd of non-terrorists with a few
terrorists hiding in the crowd is easy. Finding just the
terrorists is hard. Telling terrorists from non-terrorists
is hard.

PHB: I don't need to tell terrorists from non-terrorists.
Besides, I only need to find a few of them to make the customer
happy.

Dilbert: How will you find even a few?

PHB: They will be arriving at the airport!

Dilbert: This has "Long Day" written all over it...
indigo
2006-03-17 21:28:49 UTC
Permalink
Post by Anonymous
You are confusing spamtraps with spam sources.
I don't believe I am.......

Post by Anonymous
Spamtraps are hard to
find and identify, but spamtraps are not put on any "dirty lists."
If a spamtrap isn't put on a list it will never get any email.....
Anonymous
2006-03-17 22:40:26 UTC
Permalink
indigo wrote...
Post by indigo
Post by Anonymous
You are confusing spamtraps with spam sources.
I don't believe I am.......
Looking back on my post, I realized that it was I who was
confused. Sorry about that.
Anonymous
2006-03-17 22:50:43 UTC
Permalink
indigo wrote...
Post by indigo
Post by Anonymous
That would not work. If you can find spamcop spamtrap addresses by
scraping the spamcop website, then the people in charge of hiding
the spamcop spamtraps are idiots for hiding them in such an obvious
place. Also, if you can find spamcop spamtrap addresses by
scraping the spamcop website, so can spamcop's enemies, and yet
we have not seen any of them manage to pull off the abuse described
above.
Sounds like a catch-22 to me....if they're so hard to find (impossible
even), how can they manage to get onto a dirty list?
As I have explained several times, they are easy to find if you don't mind
finding thousands of non-spamtrap addresses along with the few spamtrap
addresses. Which is what spammers do. Which is why spamtraps get spam.
And it is also how spamtraps get on the lists that spammers sell to each
other.

The key point -- which for some reason is being ignored here -- is that
after you have gathered all of those email addresses you have no way of
telling which ones are spamtraps.

You have no way of collecting only spamtrap email addresses, which means
that you cannot forge-subscribe the spamtraps to mailing lists -- because
you don't know which ones to use.

You have no way of collecting only non-spamtrap email addresses, which means
that you cannot send spam only to email addresses that won't report you to
Spamcop.

You could try forge-subscribing all of the email addresses on your list, but
no mailing list is going to accept hundreds of thousands of subscriptions
all at once and all from the same IP address.
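The two list-side safeguards this thread relies on, the mailed confirmation hash K. Thog describes and the limit on subscription requests from one IP address mentioned in the post above, can be sketched as follows. This is an added example, not part of the thread and not GNU Mailman's code; `SubscriptionGate`, the demo key, and the TTL and rate-limit values are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; a real list server would load a random secret
# from protected storage.
SECRET = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 3 * 24 * 3600    # confirmation window in seconds (assumed value)
MAX_REQUESTS_PER_IP = 5      # subscribe requests per IP per window (assumed)
RATE_WINDOW = 3600           # rate-limit window in seconds (assumed)


def make_token(list_name, address, expires, secret=SECRET):
    """Return 'expires.hexmac', bound to one list, one address, one deadline."""
    msg = f"{list_name}\n{address.lower()}\n{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def verify_token(list_name, address, token, now, secret=SECRET):
    """True only if the token was issued for this list and address and is unexpired."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False                      # malformed token
    if now > expires:
        return False                      # confirmation window has closed
    expected = make_token(list_name, address, expires, secret).split(".", 1)[1]
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


class SubscriptionGate:
    """Web-form front end: nobody receives list traffic until they confirm."""

    def __init__(self):
        self.members = set()
        self.requests = {}                # source IP -> recent request times

    def request(self, list_name, address, source_ip, now):
        """Return the token to mail to `address`, or None if the IP is throttled."""
        recent = [t for t in self.requests.get(source_ip, [])
                  if now - t < RATE_WINDOW]
        if len(recent) >= MAX_REQUESTS_PER_IP:
            self.requests[source_ip] = recent
            return None
        recent.append(now)
        self.requests[source_ip] = recent
        return make_token(list_name, address, now + TOKEN_TTL)

    def confirm(self, list_name, address, token, now):
        """Add the address to the list only if it presents its own valid token."""
        if verify_token(list_name, address, token, now):
            self.members.add((list_name, address.lower()))
            return True
        return False


if __name__ == "__main__":
    gate = SubscriptionGate()
    t0 = 1_000_000                        # constructed timestamp
    tok = gate.request("discuss", "alice@example.org", "192.0.2.10", t0)
    print("confirmed:", gate.confirm("discuss", "alice@example.org", tok, t0 + 60))
```

Because the token is only ever sent to the address being subscribed, a forged web-form submission produces a single confirmation request and no list traffic unless the mailbox owner acts on it.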
Don Wannit
2006-03-17 23:05:35 UTC
Permalink
Post by Anonymous
The key point -- which for some reason is being ignored here -- is that
after you have gathered all of those email addresses you have no way of
telling which ones are spamtraps.
No, the key point is that the goal need not be gathering all the
email addresses you possibly can. The goal could be trying to use
the one address you found that looks a mite suspicious, and using
it. If it's live, bingo, you just caused trouble for someone.
If it's dead, no big deal.

You might have found the single address by looking at places
which are readily accessible (else harvesters would not find the
addresses) but which are not, by default, displayed in a user's
browser window. No doubt there are "billions and billions"
of addresses that you missed. Doesn't matter if you are only
looking for one, any one, doesn't matter which one you use.

Meta: This discussion has been dominated by misunderstandings
and hasty, careless reading.
--
Don Wannit <edb2000 -at- spamcop.net>
"In theory, theory and practice are the same. In practice, they
rarely are."
Anonymous
2006-03-18 01:45:06 UTC
Permalink
Don Wannit wrote...
Post by Don Wannit
No, the key point is that the goal need not be gathering all the
email addresses you possibly can. The goal could be trying to use
the one address you found that looks a mite suspicious, and using
it. If it's live, bingo, you just caused trouble for someone.
If it's dead, no big deal.
Assuming that "no big deal" includes "no longer being able to forge-
subscribe any email addresses to the mailing list." Unless the
spamtrap-hider isn't an idiot, the chances of any one of those addresses
you found "that look a mite suspicious" being spamcop spamtraps is so
small that you will have to try to use thousands and thousands of the
dead ones before chancing upon a live one. Long before that happens
the mailing list will stop accepting your attempts, and long before
*that* happens you will get tired of spending 80 hours per week looking
for spamcop spamtrap email addresses and trying them to see if they are
"live."

The proof of this is the fact that no spamcop enemy has been able to
do what you claim to be able to do with no problem. Do you really
think that you are many orders of magnitude better at finding email
addresses with a high probability of being spamtraps than they are?
Or are you under the impression that they have decided not to try
this particular attack because they suddenly became nice people?
How do you explain nobody doing the thing that you claim is easy to do?