RBL blocking emails by mistake?

John Rudd jrudd at
Tue Sep 12 04:31:46 IST 2006

On Sep 11, 2006, at 4:47 PM, Res wrote:

> On Sun, 10 Sep 2006, John Rudd wrote:
>>> so it's completely, absolutely impossible for a student to have an 
>>> infected PC and do this? You will state this on your life, would you?
>> Students are our _least_ trusted class of user, and yes, we take 
>> enough precautions against them that there is 0% chance that this was 
>> caused by an infected student.
> There is no way you can guarantee this in this day and age, regardless 
> of whether you have 100 or 100K students, regardless of your setup; to 
> think otherwise shows complete ignorance of modern day capabilities.

We're in between quarters.  The students aren't here right now.  The 
dorms (our residential network, where the student machines would be) 
are empty, and "resnet" isn't allowed to relay through our MX servers 
anyway.  Care to try again?

Further, as I said in other messages, we _heavily_ monitor the 
messaging behavior of systems on our network submitting messages 
to/through our MX servers, and my peer department aggressively monitors 
behaviors of the network itself (flow rates, telltale (and other) signs 
of IRC botnet activity, fingerprints of compromised systems, etc.).  
Heavily & Aggressively.  Oh, and we also routinely check to see what 
machines from our network are blacklisted (IIRC, one is, but they 
aren't submitting messages through our MX servers).  It's not that 
these things never happen, it's that none of them have happened 
recently enough to have been the issue with spamcop.

Really, the only reports we _ever_ get from other agents is: a machine 
submitted a message directly to their mail server.  And, almost always, 
our response is "we've already taken the machine off of the network", 
because we have already started responding to the incident.  If this 
spamcop event had happened shortly after one of THOSE reports, I 
wouldn't have eliminated "spambot or open relay" from the potential 
list of causes.  However, as I said, we haven't had one of those events

Instead, what we have is: a potential source of spam that has ONLY hit 
Spamcop's spamtraps.  No one else is blacklisting our MX servers.  No 
reports of anyone else having received spam via our network have come 
to us.  None of our frequent and aggressive internal scans have found 
an internal spam source.  The only report has been a lone machine 
showing up in XBL ... which has not submitted messages through our MX 
servers.  No backlog of messages heading to AOL, Yahoo, etc., because 
they've started getting flooded via our MX servers.  If we had a 
spambot, what are the odds that it would ONLY hit spamcop spamtraps, 
and NO other reporting mechanism and none of our own diagnostics?  So 
vanishingly small that it's not even worth acknowledging.

You're making assertions for which you have no qualified information.  
That makes you far more ignorant than I.

But let's step past your astounding ignorance... let's say that there 
had been a spambot on our campus, or an open relay, and it had slipped 
past our various and thorough diagnostics.  If Spamcop had a decent 
reporting system, we would know which was the case instead of having to 
determine "autoresponder" by process of elimination.  We would know 
which of our systems had originated the message and we would have 
immediately tackled it (as we always do when we find them, through our 
own processes, or through external reports).

Instead, because (drum roll) SpamCop is run by morons, we don't 
directly know, so we have to resort to eliminating unlikely and 
impossible causes.

What we are left with is: autoresponder.

Whether my "it was an autoresponder" assertion stands up or not, the 
"Spamcop is run by morons" assertion still stands.  However, given 
everything else, I am still absolutely confident in my assertions a) 
that it was an autoresponder, and b) regarding spamcop's idiotic dogma 
about autoresponders being evil.
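The post mentions routinely checking whether machines in the campus address space have turned up on a blocklist such as XBL. The following is an added example of that self-check, not code from the poster or from the MailScanner project. A DNSBL is queried by reversing the IPv4 octets and appending the list's zone; a listing comes back as an A record in 127.0.0.0/8 whose last octet encodes the reason. The zone name and Spamhaus ZEN return codes are taken from Spamhaus's public documentation; the netblock (192.0.2.0/24 is documentation space) and the stub resolver that lets the demo run offline are constructed.

```python
"""Check hosts in your own netblock against a DNS blocklist (DNSBL).

Added example (not the poster's or MailScanner's code). Real lookups go
through socket_resolver(); the demo uses a constructed stub so it runs
offline. Spamhaus refuses queries that arrive via large public resolvers
and signals that with answers in 127.255.255.0/24, which must not be
mistaken for a listing.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

ZEN_ZONE = "zen.spamhaus.org"

# Documented meaning of the last octet of a zen.spamhaus.org answer.
ZEN_CODES = {
    2: "SBL (spam source or spammer-controlled host)",
    3: "SBL CSS (snowshoe / compromised host)",
    4: "XBL (exploited host: open proxy, bot, worm)",
    5: "XBL (exploited host: open proxy, bot, worm)",
    6: "XBL (exploited host: open proxy, bot, worm)",
    7: "XBL (exploited host: open proxy, bot, worm)",
    10: "PBL (end-user address that should not send direct-to-MX)",
    11: "PBL (end-user address that should not send direct-to-MX)",
}


def query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def socket_resolver(name: str) -> Optional[str]:
    """Real resolver: A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(answer: Optional[str]) -> Optional[str]:
    """Translate a DNSBL answer into a human-readable reason (None = not listed)."""
    if answer is None:
        return None
    if answer.startswith("127.255.255."):
        # Query error (e.g. sent via an open/public resolver), not a listing.
        return f"query refused or malformed ({answer}); check your resolver"
    last = int(answer.rsplit(".", 1)[1])
    return ZEN_CODES.get(last, f"unknown return code {answer}")


def check_netblock(cidr: str,
                   resolver: Callable[[str], Optional[str]] = socket_resolver,
                   zone: str = ZEN_ZONE) -> Dict[str, str]:
    """Return {ip: reason} for every listed host in the block."""
    listed: Dict[str, str] = {}
    for host in ipaddress.IPv4Network(cidr).hosts():
        reason = interpret(resolver(query_name(str(host), zone)))
        if reason:
            listed[str(host)] = reason
    return listed


def demo_resolver(name: str) -> Optional[str]:
    """Constructed stub: pretends exactly one host in the demo block is on XBL."""
    return "127.0.0.4" if name == query_name("192.0.2.23") else None


if __name__ == "__main__":
    # Offline demo on documentation address space; swap in socket_resolver
    # (from a resolver of your own, not a public one) for a real sweep.
    for ip, why in check_netblock("192.0.2.16/28", resolver=demo_resolver).items():
        print(f"{ip}: {why}")
```

Running this against your own address space from a scheduled job is what turns "one machine is on XBL" from a surprise into a routine ticket; hosts that are listed but never relay through the MX servers are exactly the case the post describes.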
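The conclusion above is that an autoresponder, replying to spam that carried a forged sender address, is what reached Spamcop's spamtraps. That failure mode (backscatter) is avoidable on the autoresponder side. The following is an added example, not code from the poster or the MailScanner project, of the suppression rules RFC 3834 and common practice recommend before any vacation-style reply is sent: never reply to a null envelope sender, to a message already marked Auto-Submitted, to list or bulk traffic, or to a "noreply"-type address, and reply to a given sender at most once per window. The header names are real; the one-week window and the sample messages are constructed.

```python
"""Decide whether an automatic reply may be sent (RFC 3834 conventions).

Added example, not the poster's or MailScanner's code. Each rule targets a
way auto-replies turn into backscatter that lands on third parties and
spamtraps. RATE_WINDOW is an assumption; the messages below are constructed.
"""
import time
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

RATE_WINDOW = 7 * 24 * 3600          # one reply per sender per week (assumption)
BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")
NON_PERSON_LOCALPARTS = ("noreply", "no-reply", "mailer-daemon")


def should_autorespond(raw_message: str, envelope_sender: str,
                       recent: Dict[str, float],
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). `recent` maps sender -> time of last reply."""
    now = time.time() if now is None else now
    sender = envelope_sender.strip().lower()

    # 1. Bounces and notifications use MAIL FROM:<>; replying to them loops.
    if sender in ("", "<>"):
        return False, "null envelope sender (bounce/notification)"

    msg = message_from_string(raw_message)

    # 2. RFC 3834: anything auto-generated/auto-replied must not be answered.
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # 3. Mailing-list and bulk traffic: a reply would hit the list or a trap.
    prec = msg.get("Precedence", "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return False, f"Precedence: {prec}"
    for header in LIST_HEADERS:
        if msg.get(header):
            return False, f"mailing-list header {header} present"

    # 4. The reply target must look like a person's mailbox.
    _, target = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    if not target:
        return False, "no usable reply address"
    if target.split("@")[0].lower().startswith(NON_PERSON_LOCALPARTS):
        return False, f"reply target {target} is not a person"

    # 5. Rate-limit per sender so a forged-sender flood yields one reply at most.
    last = recent.get(sender)
    if last is not None and now - last < RATE_WINDOW:
        return False, "already replied to this sender within the window"
    recent[sender] = now
    return True, "ok"


# Constructed sample messages for the demo.
HUMAN_MSG = "From: Alice <alice@example.org>\nSubject: lunch?\n\nAre you in today?\n"
BOUNCE_MSG = ("From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
              "Auto-Submitted: auto-replied\nSubject: Undelivered Mail\n\n...\n")
LIST_MSG = ("From: list@example.net\nList-Id: <users.example.net>\n"
            "Precedence: list\nSubject: [users] digest\n\n...\n")

if __name__ == "__main__":
    seen: Dict[str, float] = {}
    for name, raw, env in (("human", HUMAN_MSG, "alice@example.org"),
                           ("human again", HUMAN_MSG, "alice@example.org"),
                           ("bounce", BOUNCE_MSG, "<>"),
                           ("list", LIST_MSG, "users-bounces@example.net")):
        print(name, should_autorespond(raw, env, seen))
```

The envelope sender, not the From header, drives the null-sender and rate-limit checks, because the envelope is what a bounce or autoreply is actually addressed to; a well-behaved responder also sends its own reply with `Auto-Submitted: auto-replied` so that the other side's copy of these rules stops the loop.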

More information about the MailScanner mailing list