Click the comments link on any story to see comments or add your own.
Subscribe to this blog
20 Sep 2006
I run a service called abuse.net that provides a contact database for people to use to report spam and other network abuse. One of the ways people can use it is to register and then forward mail through it, so that for example mail to firstname.lastname@example.org is remailed to whatever the abuse contact is for furble.net.
Last Friday (while I was on the way to a meeting at an undisclosed location east of Seattle) someone sent me a note telling me that mail sent through abuse.net was bouncing:
Remote host said: 554 Service unavailable; Client host [126.96.36.199] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?188.8.131.52
Spamcop is a spam diagnosis service to which people can send their spam, it tries to figure out where the spam came from and sends off complaint messages. They're the largest user of the abuse.net contact database, and they certainly know how abuse.net works, so what was it doing on their blacklist?
Spamcop's blacklist is infamously hair-trigger. with the goal being to block spam as quickly as possible, even at the cost of blocking a fair amount of legitimate mail. (Their usual response to complaints about overbroad blocking is that their users like it the way it is. I don't use their blacklist, but there's no accounting for taste.)
I sent off a few tartly worded messages to Spamcop's management, they sent back a few responses along the lines of "oops" but with more colorful language, and I got un-listed. But what happened?
Spamcop feeds its blacklist with mail from spamtraps, addresses that should never get any legitimate mail. with some of the spamtraps being entire domains. Evidently abuse.net sent mail to one of those spamtraps. I presume that what happened is that the spamtrap domain was forged in a spam message, someone (probably not using Spamcop) didn't realize it was forged and sent a complaint to that domain through abuse.net, which was then forwarded to postmaster@spamtrap-domain, and blammo. Spamcop says that administrative addresses like postmaster are supposed to be excluded from the automatic blacklisting, but weren't. Oops, indeed. Now it's supposed to be fixed.
The message here is not that all blacklists stink, because they don't. It's that running a good blacklist is really hard, for reasons that are mostly not very technical. The best mechanically run blacklist I know is the CBL which is fed by spamtraps but does some careful analysis of that mail and only adds blacklist entries when the mail appears to have been sent by a virus or worm. Even the CBL has false positives, typically when a virus controlled machine and a real mail host are both behind the same firewall and share an IP address, although its error rate is rather low.
If computers weren't so vulnerable to being taken over by bad guys, the need for blacklists would be much less, but they are, so we're stuck with them.
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.