2002-09-12 20:06:10

by Russell King

Subject: [OFFTOPIC] Spamcop

Hi,

I'd like to bring to people's attention the idiotic situation going on
with the RBL list known as spamcop.

spamcop have entered into their database the IP address for
http://www.linux.org.uk, which is a machine containing many mailing lists
and other facilities. http://www.linux.org.uk is NOT, repeat NOT an open
relay, and as far as I'm aware has never performed any open relaying.

However, the basis under which it has been listed is that spamcop
received a mailman response to a message their tester sent to a valid
mailing list address. The mailman response was:

"Subject: Your message to Linux-arm awaits moderator approval"

Obviously, it didn't relay the spam, nor the test message.


If spamcop is accepting hosts with mailing lists that send responses
back to the person sending the original mail, any mailing list is open
to being listed in the spamcop database.

My advice is: stay FAR away from spamcop. If you're using spamcop
on your mail server, remove it now before they cut you off from all
your mailing lists.

Here's the URL explaining why http://www.linux.org.uk has been listed:

http://spamcop.net/w3m?action=checkblock&ip=195.92.249.252

(Note: this does mean that some kernel people may not be able to
post messages for a while. Hence the vague relevance of this
message to lkml.)

--
Russell King ([email protected]) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html


2002-09-12 20:36:34

by Rik van Riel

Subject: Re: [OFFTOPIC] Spamcop

On Thu, 12 Sep 2002, Russell King wrote:

> I'd like to bring to people's attention the idiotic situation going on
> with the RBL list known as spamcop.

> However, the basis under which it has been listed is that spamcop
> received a mailman response to a message their tester sent to a valid
> mailing list address. The mailman response was:
>
> "Subject: Your message to Linux-arm awaits moderator approval"

The same happened with NL.linux.org a while ago.

The basic problem with spamcop is that it ISN'T driven by
tests, but by complaints.

It is an automatic system for handling spam complaints and
will automagically list any system it gets too many complaints
about. Regardless of whether the complaints are legitimate.

> My advice is: stay FAR away from spamcop. If you're using spamcop
> on your mail server, remove it now before they cut you off from all
> your mailing lists.

Spamcop is useful as part of a scoring system, but absolutely
unsuitable for outright mail rejection.

kind regards,

Rik
--
Bravely reimplemented by the knights who say "NIH".

http://www.surriel.com/ http://distro.conectiva.com/

Spamtraps of the month: [email protected] [email protected]
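
The distinction drawn in the message above, between using a blocklist as one input to a score and using it to reject mail outright, shown as an added example that is not part of the original thread. The query-name format (reversed octets plus zone) is the standard DNSBL convention; the weights, threshold, signal names, sample messages and the in-memory stand-in for DNS are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A name that
# resolves means "listed"; 127.0.0.2 is the conventional DNSBL answer.
FAKE_ZONE = {
    "252.249.92.195.bl.spamcop.net": "127.0.0.2",  # the list host from the thread
    "7.113.0.203.bl.spamcop.net": "127.0.0.2",     # constructed sender
}

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=FAKE_ZONE.get):
    """True if the blocklist answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_name(ip))
    return answer is not None and answer.startswith("127.")

# Hypothetical weights: a listing is evidence, not a verdict.
WEIGHTS = {"dnsbl": 2.0, "forged_from": 2.5, "exe_attachment": 3.0,
           "known_list": -3.0}
REJECT_AT = 5.0

def score(msg, resolve=FAKE_ZONE.get):
    """Return (total score, sorted list of signals that fired)."""
    hits = [k for k in ("forged_from", "exe_attachment", "known_list")
            if msg.get(k)]
    if is_listed(msg["client_ip"], resolve):
        hits.append("dnsbl")
    return sum(WEIGHTS[h] for h in hits), sorted(hits)

def decide(msg, policy, resolve=FAKE_ZONE.get):
    """policy 'reject_on_listing' trusts the list alone; 'score' combines signals."""
    if policy == "reject_on_listing":
        return "reject" if is_listed(msg["client_ip"], resolve) else "accept"
    total, _ = score(msg, resolve)
    return "reject" if total >= REJECT_AT else "accept"

# Constructed sample messages.
LIST_MAIL = {"client_ip": "195.92.249.252", "known_list": True}
WORM_LISTED = {"client_ip": "203.0.113.7", "forged_from": True,
               "exe_attachment": True}
WORM_UNLISTED = {"client_ip": "198.51.100.9", "forged_from": True,
                 "exe_attachment": True}

if __name__ == "__main__":
    for name, msg in [("list mail", LIST_MAIL), ("worm, listed", WORM_LISTED),
                      ("worm, unlisted", WORM_UNLISTED)]:
        print(name, score(msg), decide(msg, "reject_on_listing"),
              decide(msg, "score"))
```

With these constructed inputs, the wrongly listed mailing-list host is rejected under the list-only policy but accepted under scoring, while the unlisted worm mail passes the list-only policy and is caught by the score.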

2002-09-12 21:01:26

by Gerhard Mack

Subject: Re: [OFFTOPIC] Spamcop

Check your logs .. it looks like maybe someone was sending spoofed
requests? Either that or someone was a total dumbass.

I wonder how hard it is to generate enough requests to get someone listed.

Gerhard


On Thu, 12 Sep 2002, Russell King wrote:

> Date: Thu, 12 Sep 2002 21:10:56 +0100
> From: Russell King <[email protected]>
> To: Linux Kernel List <[email protected]>
> Subject: [OFFTOPIC] Spamcop
>
> Hi,
>
> I'd like to bring to people's attention the idiotic situation going on
> with the RBL list known as spamcop.
>
> spamcop have entered into their database the IP address for
> http://www.linux.org.uk, which is a machine containing many mailing lists
> and other facilities. http://www.linux.org.uk is NOT, repeat NOT an open
> relay, and as far as I'm aware has never performed any open relaying.
>
> However, the basis under which it has been listed is that spamcop
> received a mailman response to a message their tester sent to a valid
> mailing list address. The mailman response was:
>
> "Subject: Your message to Linux-arm awaits moderator approval"
>
> Obviously, it didn't relay the spam, nor the test message.
>
>
> If spamcop is accepting hosts with mailing lists that send responses
> back to the person sending the original mail, any mailing list is open
> to being listed in the spamcop database.
>
> My advice is: stay FAR away from spamcop. If you're using spamcop
> on your mail server, remove it now before they cut you off from all
> your mailing lists.
>
> Here's the URL explaining why http://www.linux.org.uk has been listed:
>
> http://spamcop.net/w3m?action=checkblock&ip=195.92.249.252
>
> (Note: this does mean that some kernel people may not be able to
> post messages for a while. Hence the vague relevance of this
> message to lkml.)
>
>

--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.

2002-09-12 21:08:50

by Larry McVoy

Subject: Re: [OFFTOPIC] Spamcop

On Thu, Sep 12, 2002 at 05:06:15PM -0400, Gerhard Mack wrote:
> Check your logs .. it looks like maybe someone was sending spoofed
> requests? Either that or someone was a total dumbass.
>
> I wonder how hard it is to generate enough requests to get someone listed.

In the for what it is worth department, I got mail from "[email protected]"
with a subject of "cool game" or something like that, and it was obviously
forged. It's interesting that they are getting smart enough to make it look
like it comes from someone that you've communicated with in the past. Sigh.
--
---
Larry McVoy lm at bitmover.com http://www.bitmover.com/lm

2002-09-12 21:29:44

by Vojtech Pavlik

Subject: Re: [OFFTOPIC] Spamcop

On Thu, Sep 12, 2002 at 02:13:38PM -0700, Larry McVoy wrote:

> On Thu, Sep 12, 2002 at 05:06:15PM -0400, Gerhard Mack wrote:
> > Check your logs .. it looks like maybe someone was sending spoofed
> > requests? Either that or someone was a total dumbass.
> >
> > I wonder how hard it is to generate enough requests to get someone listed.
>
> In the for what it is worth department, I got mail from "[email protected]"
> with a subject of "cool game" or something like that, and it was obviously
> forged. It's interesting that they are getting smart enough to make it look
> like it comes from someone that you've communicated with in the past. Sigh.

That's an internet worm, called klez. I'm getting more than 10 of these daily.
Each is a meg of data. And I'm also getting responses from various
mailservers which received the worm with my From: address. It generates
both From: and To: randomly based on the victim's Outlook addressbook.

--
Vojtech Pavlik
SuSE Labs

2002-09-12 21:25:28

by Gerhard Mack

Subject: Re: [OFFTOPIC] Spamcop

On Thu, 12 Sep 2002, Larry McVoy wrote:

> Date: Thu, 12 Sep 2002 14:13:38 -0700
> From: Larry McVoy <[email protected]>
> To: Gerhard Mack <[email protected]>
> Cc: Russell King <[email protected]>,
> Linux Kernel List <[email protected]>
> Subject: Re: [OFFTOPIC] Spamcop
>
> On Thu, Sep 12, 2002 at 05:06:15PM -0400, Gerhard Mack wrote:
> > Check your logs .. it looks like maybe someone was sending spoofed
> > requests? Either that or someone was a total dumbass.
> >
> > I wonder how hard it is to generate enough requests to get someone listed.
>
> In the for what it is worth department, I got mail from "[email protected]"
> with a subject of "cool game" or something like that, and it was obviously
> forged. It's interesting that they are getting smart enough to make it look
> like it comes from someone that you've communicated with in the past. Sigh.
>

Looking at it again it takes 3 requests in 48 hours.. a number that is
stupidly low. And since the headers are munged there is no way to tell
from the complaints if they are all the same recipient or not.


Gerhard



--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.

2002-09-12 22:05:04

by Miquel van Smoorenburg

Subject: Re: [OFFTOPIC] Spamcop

In article <[email protected]>,
Vojtech Pavlik <[email protected]> wrote:
>That's an internet worm, called klez. I'm getting more than 10 of these daily.
>Each is a meg of data. And I'm also getting responses from various
>mailservers which received the worm with my From: address. It generates
>both From: and To: randomly based on the victim's Outlook addressbook.

It's many months old and there are several versions around.
A similar one is YAHA. And it doesn't just take the addresses
from the Outlook addressbook - it scans the OE cache too, so
if your address appears on a webpage (say a list archive) that
an infected user visits your address is added to the list as well.

The mindless jerks who wrote Outlook and the KLEZ and YAHA viruses will
be the first against the wall when the revolution comes. Well,
just after the mindless jerks of the Sirius Cybernetics Corporation,
of course.

Mike.

2002-09-12 23:51:39

by David Miller

Subject: Re: [OFFTOPIC] Spamcop

   From: Larry McVoy <[email protected]>
   Date: Thu, 12 Sep 2002 14:13:38 -0700

   In the for what it is worth department, I got mail from "[email protected]"
   with a subject of "cool game" or something like that, and it was obviously
   forged. It's interesting that they are getting smart enough to make it look
   like it comes from someone that you've communicated with in the past. Sigh.

There is someone basically forging email from anyone prominent
in the opensource community. I've even got these forges myself
addressed as from myself which is even more amusing :-)

So I think rather it is this clown instead of someone figuring out
who you've had email with recently.

2002-09-13 00:48:02

by Andries Brouwer

Subject: Re: [OFFTOPIC] Spamcop

On Thu, Sep 12, 2002 at 04:47:54PM -0700, David S. Miller wrote:

> There is someone basically forging email from anyone prominent
> in the opensource community. I've even got these forges myself
> addressed as from myself which is even more amusing :-)

Yes, indeed. However, their address collection may be a bit out-of-date:

Date: Thu, 2 May 2002 18:54:46 +0700
Message-Id: <[email protected]>
From: torvalds <[email protected]>
Subject: W32.Elkern removal tools

2002-09-13 04:16:10

by David Ford

Subject: Re: [OFFTOPIC] Spamcop

Hrmm...

Actually the URL indicates that your IP is not and should not be listed
as a spammer now:


Sample traffic:
    Qty:         116
    Most Recent: 8.22 hours ago
                 Thu Sep 12 19:46:12 2002 GMT  Thu Sep 12 15:46:12 2002 -0400
    Oldest:      6.84 days ago
                 Fri Sep 6 07:43:01 2002 GMT  Fri Sep 6 03:43:01 2002 -0400
Trap recipients: None recorded
Spam reports:
    Qty:         1
    Most Recent: 12.12 hours ago
                 Thu Sep 12 15:52:19 2002 GMT  Thu Sep 12 11:52:19 2002 -0400
    Oldest:      12.12 hours ago
                 Thu Sep 12 15:52:19 2002 GMT  Thu Sep 12 11:52:19 2002 -0400
Relaying reports: None recorded
Relay closed: None recorded

195.92.249.252 not listed in bl.spamcop.net.
195.92.249.252 *is not* and *should not be* listed.
Recent spam increases spam score from 1.00 to 2.00 - spam report
ratio (0.017) falls under threshold (0.020)



It was listed and promptly delisted three hours later. No anti-spam
measure is perfect, all have flaws and all are an inconvenience to some
portion of users and admins. SpamCop is quite decent about fixing
incorrect listings. Some people argue for proactive listing, some
people demand 3 sets of proof before listing.

Anti-spam measures are gonna make admins happy and annoyed depending on
what side of the fence they are on when it hits. If it's affecting you
negatively, it's an "idiotic measure", if it's affecting someone else
instead, it's a "proactive and great idea". Some measures need evolving
and tuning, caching, etc. I.e. my smtp call back mechanism that annoyed
vger admins. Yes I need to cache data but as to the veracity of it
being idiotic...doubtful. I measure greater than ~70% dead on accuracy
in tagging spam which makes it pretty darn useful for my users with
-only- smtp callback. It has false negatives but it hasn't yet had a
false positive.

Everyone gets irate when they are incorrectly blacklisted. Even more
irate when major mail distributors agree with the BL site policies. In
time tho things will get smoothed out. I/we mail admins feel the pain.
Grit your teeth and bear it when these things happen. No person or
method is perfect :)

David

Russell King wrote:

>Hi,
>
>I'd like to bring to people's attention the idiotic situation going on
>with the RBL list known as spamcop.
>
>spamcop have entered into their database the IP address for
>http://www.linux.org.uk, which is a machine containing many mailing lists
>and other facilities. http://www.linux.org.uk is NOT, repeat NOT an open
>relay, and as far as I'm aware has never performed any open relaying.
>
>However, the basis under which it has been listed is that spamcop
>received a mailman response to a message their tester sent to a valid
>mailing list address. The mailman response was:
>
>"Subject: Your message to Linux-arm awaits moderator approval"
>
>Obviously, it didn't relay the spam, nor the test message.
>
>
>If spamcop is accepting hosts with mailing lists that send responses
>back to the person sending the original mail, any mailing list is open
>to being listed in the spamcop database.
>
>My advice is: stay FAR away from spamcop. If you're using spamcop
>on your mail server, remove it now before they cut you off from all
>your mailing lists.
>
>Here's the URL explaining why http://www.linux.org.uk has been listed:
>
> http://spamcop.net/w3m?action=checkblock&ip=195.92.249.252
>
>(Note: this does mean that some kernel people may not be able to
>post messages for a while. Hence the vague relevance of this
>message to lkml.)
>
>
>

--
I may have the information you need and I may choose only HTML. It's up to
you. Disclaimer: I am not responsible for any email that you send me nor am
I bound to any obligation to deal with any received email in any given
fashion. If you send me spam or a virus, I may in whole or part send you
50,000 return copies of it. I may also publically announce any and all
emails and post them to message boards, news sites, and even parody sites.
I may also mark them up, cut and paste, print, and staple them to telephone
poles for the enjoyment of people without internet access. This is not a
confidential medium and your assumption that your email can or will be
handled confidentially is akin to baring your backside, burying your head in
the ground, and thinking nobody can see you butt nekkid and in plain view
for miles away. Don't be a cluebert, buy one from K-mart today.


2002-09-13 06:50:18

by kaih

Subject: Re: [OFFTOPIC] Spamcop

[email protected] (David Ford) wrote on 13.09.02 in <[email protected]>:

> It was listed and promptly delisted three hours later. No anti-spam
> measure is perfect, all have flaws

... and this one appears to have a terminal flaw. Using complaints without
verification to automatically list someone is a bad idea for *exactly* the
same reason that running an open relay is a bad idea - you are at the
mercy of good behaviour of third parties, and if they don't innocents
elsewhere suffer.

Or in other words, spamcop seems to be part of the problem, not part of
the solution.

MfG Kai

2002-09-13 08:13:29

by bert hubert

Subject: Re: [OFFTOPIC] Spamcop

On Fri, Sep 13, 2002 at 02:52:45AM +0200, Andries Brouwer wrote:
> On Thu, Sep 12, 2002 at 04:47:54PM -0700, David S. Miller wrote:
>
> > There is someone basically forging email from anyone prominent
> > in the opensource community. I've even got these forges myself
> > addressed as from myself which is even more amusing :-)
>
> Yes, indeed. However, their address collection may be a bit out-of-date:

It is less smart than you may think - it sends email 'FROM' people 'TO'
people who are listed next to each other on webpages. See for example the
authors list on http://lartc.org, we continually get viruses that appear to
come from ourselves.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO

2002-09-13 10:32:47

by Thunder from the hill

Subject: Re: [OFFTOPIC] Spamcop

Hi,

On Fri, 13 Sep 2002, Andries Brouwer wrote:
> From: torvalds <[email protected]>
> Subject: W32.Elkern removal tools

Linus sending Win32 virus removal tools? (Yes, I know, Linux removes all
the Win32 viruses...) Naming himself "torvalds"??? Never. ;-)

Those who really read the whole of the mails they get can indeed see the
differences. For example, the sender server, or extra headers such as
"Priority: I really don't care", or "X-Face: ;-)".

Thunder
--
--./../...-/. -.--/---/..-/.-./..././.-../..-. .---/..-/.../- .-
--/../-./..-/-/./--..-- ../.----./.-../.-.. --./../...-/. -.--/---/..-
.- -/---/--/---/.-./.-./---/.--/.-.-.-
--./.-/-.../.-./.././.-../.-.-.-

2002-09-13 14:33:30

by Gerhard Mack

Subject: Re: [OFFTOPIC] Spamcop

On 13 Sep 2002, Kai Henningsen wrote:

> [email protected] (David Ford) wrote on 13.09.02 in <[email protected]>:
>
> > It was listed and promptly delisted three hours later. No anti-spam
> > measure is perfect, all have flaws
>
> ... and this one appears to have a terminal flaw. Using complaints without
> verification to automatically list someone is a bad idea for *exactly* the
> same reason that running an open relay is a bad idea - you are at the
> mercy of good behaviour of third parties, and if they don't innocents
> elsewhere suffer.
>
> Or in other words, spamcop seems to be part of the problem, not part of
> the solution.

It is.. the definition of spam sent to spamcop is often "mail I don't
want" That listing is even more pointless than the ones we get from
customers who forgot they signed up for things and then complain there
first instead of using our list removal system.

Worse yet because spamcop munges the headers we can't actually remove the
complaining user.

Gerhard

--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.

2002-09-14 01:15:17

by jw schultz

Subject: Re: [OFFTOPIC] Spamcop

On Fri, Sep 13, 2002 at 04:37:42AM -0600, Thunder from the hill wrote:
> Hi,
>
> On Fri, 13 Sep 2002, Andries Brouwer wrote:
> > From: torvalds <[email protected]>
> > Subject: W32.Elkern removal tools
>
> Linus sending Win32 virus removal tools? (Yes, I know, Linux removes all
> the Win32 viruses...) Naming himself "torvalds"??? Never. ;-)

Linus did send a Win32 virus removal tool a while back. It
is called Linux. I'm very grateful to him and all who have
contributed to removing the Win32 virus.

--
________________________________________________________________
J.W. Schultz Pegasystems Technologies
email address: [email protected]

Remember Cernan and Schmitt

2002-09-15 17:29:30

by Hell.Surfers

Subject: RE:Re: [OFFTOPIC] Spamcop

I recently have been receiving mails with "sexy screensavers", what is so dodgy, is that hotmail doesn't pick it up.

Cheers, Dean McEwan. Currently hacking KGI, which I don't understand, oh and ask me about OpenModemTalk...

On Thu, 12 Sep 2002 16:47:54 -0700 (PDT) "David S. Miller" <[email protected]> wrote:

