Spamcop.net RBL blocking emails by mistake?
John Rudd
jrudd at ucsc.edu
Tue Sep 12 04:31:46 IST 2006

On Sep 11, 2006, at 4:47 PM, Res wrote:
> On Sun, 10 Sep 2006, John Rudd wrote:
>
>>> so it's completely absolutely impossible for a student to have an
>>> infected PC and do this? you will state this on your life would you
>>
>> Students are our _least_ trusted class of user, and yes, we take
>> enough precautions against them that there is 0% chance that this was
>> caused by an infected student.
>
> There is no way you can guarantee this in this day and age, regardless
> of whether you have 100 or 100K students, regardless of your setup; to
> think otherwise shows complete ignorance of modern day capabilities.

We're in between quarters. The students aren't here right now. The
dorms (our residential network, where the student machines would be)
are empty, and "resnet" isn't allowed to relay through our MX servers
anyway. Care to try again?

Further, as I said in other messages, we _heavily_ monitor the
messaging behavior of systems on our network submitting messages
to/through our MX servers, and my peer department aggressively monitors
behaviors of the network itself (flow rates, telltale (and other) signs
of IRC botnet activity, fingerprints of compromised systems, etc.).
Heavily & Aggressively. Oh, and we also routinely check to see what
machines from our network are blacklisted (IIRC, one is, but they
aren't submitting messages through our MX servers). It's not that
these things never happen, it's that none of them have happened
recently enough to have been the issue with spamcop.

Really, the only reports we _ever_ get from other agents are: a machine
submitted a message directly to their mail server. And, almost always,
our response is "we've already taken the machine off of the network",
because we have already started responding to the incident. If this
spamcop event had happened shortly after one of THOSE reports, I
wouldn't have eliminated "spambot or open relay" from the potential
list of causes. However as I said, we haven't had one of those events
recently.

Instead, what we have is: a potential source of spam that has ONLY hit
Spamcop's spamtraps. No one else is blacklisting our MX servers. No
reports of anyone else having received spam via our network have come
to us. None of our frequent and aggressive internal scans have found
an internal spam source. The only report has been a lone machine
showing up in XBL ... which has not submitted messages through our MX
servers. No backlog of messages heading to AOL, Yahoo, etc., because
they've started getting flooded via our MX servers. If we had a
spambot, what are the odds that it would ONLY hit spamcop spamtraps,
and NO other reporting mechanism and none of our own diagnostics? So
vanishingly small that it's not even worth acknowledging.

You're making assertions for which you have no qualified information.
That makes you far more ignorant than I.

But let's step past your astounding ignorance... let's say that there
had been a spambot on our campus, or an open relay, and it had slipped
past our various and thorough diagnostics. If Spamcop had a decent
reporting system, we would know which was the case instead of having to
determine "autoresponder" by process of elimination. We would know
which of our systems had originated the message and we would have
immediately tackled it (as we always do when we find them, through our
own processes, or through external reports).

Instead, because (drum roll) SpamCop is run by morons, we don't
directly know, so we have to resort to eliminating unlikely and
impossible causes.

What we are left with is: autoresponder.

Whether my "it was an autoresponder" assertion stands up or not, the
"Spamcop is run by morons" assertion still stands. However, given
everything else, I am still absolutely confident in my assertions a)
that it was an autoresponder, and b) regarding spamcop's idiotic dogma
about autoresponders being evil.
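A self-check like the routine blacklist scan described in this message, as an added example that is not part of the original post or the MailScanner project: it builds the reversed-octet DNSBL query names for SpamCop and Spamhaus ZEN and decodes the ZEN answer so an XBL-only hit (a compromised host) is told apart from an SBL or PBL listing. The zone names and ZEN return codes are taken from those lists' public documentation; the answers in FAKE_ANSWERS and the 192.0.2.x documentation addresses are constructed so the script runs offline, and live_resolver is the hypothetical real lookup you would swap in.

```python
"""Check outbound-relay IPs against DNSBLs (SpamCop bl and Spamhaus ZEN)."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def describe_zen(code: str) -> str:
    """Map a zen.spamhaus.org A-record answer to the sub-list it came from."""
    last = int(code.rsplit(".", 1)[1])
    if last == 2:
        return "SBL"
    if last == 3:
        return "CSS"
    if 4 <= last <= 7:
        return "XBL (compromised host / bot)"
    if last == 9:
        return "SBL DROP/EDROP"
    if last in (10, 11):
        return "PBL (dynamic / end-user range)"
    return f"unrecognised code {code}"


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: listing description or None} for one address."""
    spamcop = resolver(dnsbl_query_name(ip, "bl.spamcop.net"))
    zen = resolver(dnsbl_query_name(ip, "zen.spamhaus.org"))
    return {
        "bl.spamcop.net": "listed" if spamcop else None,  # SpamCop only answers 127.0.0.2
        "zen.spamhaus.org": describe_zen(zen) if zen else None,
    }


# Constructed offline answers (not real listings): the MX 192.0.2.1 is clean,
# and one other host on the network is in XBL only, as in the message above.
FAKE_ANSWERS = {"2.2.0.192.zen.spamhaus.org": "127.0.0.4"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2"):
        print(ip, check_ip(ip, fake_resolver))
```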