SpamCop
Encyclopedia
SpamCop is a free spam
reporting service, allowing recipients of unsolicited bulk email (UBE) and unsolicited commercial email (UCE) to report offenders to the senders' Internet Service Provider
s (ISPs), and sometimes their web hosts. SpamCop uses these reports to compile a DNSBL
of computers sending spam called the "SpamCop Blocking List", (SCBL) and websites referenced in the spam are used to create the Spam URI Realtime Blocklists (SURBL
) RHSBL.
There are basically three ways of reporting, for any of which one must be registered:
In the first two cases, email headers and bodies are automatically analyzed for the responsible IP addresses, the respective ISPs are found out and reports are created. For the reports to be sent, the user has to read and confirm them while logged in on the spamcop website.
In the third case, the reports are sent without user reconfirmation. There is no analyzing of URLs / IP addresses in the message bodies - only the headers will be searched. With spam mails already stored in a special mail folder by the personal spam detection software, the time to report a batch of spam mails after check is reduced to some seconds. This option requires the user to have a certain history of flawless reporting.
Additionally, SpamCop automatically lists IP addresses that send mail to spamtrap
email addresses.
SpamCop has tools for ISPs to manage the reports sent to them, to see details on individual spam messages, and to mark incidents as resolved. Paying members can configure how reports are sent and avoid a "nag" screen. There are also forums for discussing the services. Also available are paid email and mail management services which include spam filtering.
of being a spam/UBE source. This can happen because their IP address is shared with many other customers of their ISP. It may also be the result of malicious, careless or over-zealous reporting of spam.
Since addresses got with the above mentioned spamtrap method may have been falsely used as return addresses on spam messages, backscatter
caused by these messages (including vacation messages and other auto-replies) can result in a receiving server being blacklisted if it fails to employ backscatter prevention techniques. One of the unique features of the SCBL, however, is that a listing expires automatically when no spam is reported from that source for 24 hours.
SpamCop notes that "The SCBL is aggressive and often errs on the side of blocking mail. By using the SCBL, you can block a lot of spam, but you also may block or filter wanted email" and suggests using the SCBL as part of a scoring system. Unfortunately many ISPs and IT consultants use the SCBL as a plenipotent authority for blocking decisions, often without making it clear to their clients that valid incoming messages may be rejected.
SpamCop provides procedures for ISPs to request de-listing. Users of listed IPs can use other IP Addresses or smart host
s if their outgoing mail servers are blocked. SpamCop's on-line forums and FAQ pages, as well as news.admin.net-abuse.blocklisting, are sources of advice to users who find themselves blocked. On the forums, other users will give advice, although some can be impatient with those who are not familiar with the system and terminology involved and have not read the multiple, overlapping FAQs.
SpamCop also has a fee-based email system which provides email accounts that are optionally filtered by the SCBL, as well as other blocklists.
s from organizations listed in the SCBL.
Email security company IronPort Systems
announced its acquisition of SpamCop on November 24, 2003, but it remains independently run by Julian Haight, a small staff and volunteer help in its forum.
IronPort agreed to become a division of Cisco Systems
on January 4, 2007 effectively making SpamCop a Cisco service.
It is not clear whether reporting spam using SpamCop's reporting service actually reduces the amount of spam that one receives, and complaints on SpamCop's online forum provide anecdotal evidence to support some scepticism about its effectiveness. While some spammers may use SpamCop's reports for listwashing, others could retaliate. Spammers who determine the identity of the complainants can, by doing so, also verify that the email addresses are still in use. What is clear is that much spam email is filtered or blocked by the SCBL, which is fed by many SpamCop Reporters reporting their spam.
That said, SpamCop is effective at helping ISPs, web hosts and email providers identify accounts that are being abused and shut them down before the spammer finishes operations. Finally, SpamCop provides information from its reports to third parties who are also working to fight spam, amplifying the impact of its services beyond its own reach.
It is also remarkable in its own right that SpamCop has survived for so many years, considering the severity of opposition other anti-spam companies have faced in the past, most notably osirusoft
and Blue Security. SpamCop has dealt with attacks by spammers thus far by hiring services from Akamai
, but is still the target of many hackers and could face serious difficulties like those faced by Blue Security if it continues to grow in size and effectiveness. The successful attack on Blue Security shows that significant offensive weapons can be wielded by the criminal syndicates behind spammers. SpamCop views itself as an attempt to stop spam without the necessity of governmental intervention, but because it lacks the power of a government or large ISP, it may have greater difficulty dealing with spammers' expertise as well as the large "bot" networks that they control and that they used to cripple Blue Security with a massive DDoS attack.
Also, accessibility to help for paying customers is limted to forums and email; there is no phone number given out by SpamCop, and this can be quite inconvenient when severe problems arise that require immediate attention.
who redirect webtraffic elsewhere when people try to enter the phishing website in ways that phisher doesn't want. This will give investigators the incorrect impression that the phishing site has been taken down. Another such organization is SpamCop.com. According to posts on SpamCop.net's forum, SpamCop.com is a newer service owned by a company named Interspectrum, which uses the service to market its anti-spam products. The use of the same name for the same type of service may constitute trademark infringement
, and may be confusing to new users who expect the more established of the two services to be hosted on the .com top-level domain.
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
reporting service, allowing recipients of unsolicited bulk email (UBE) and unsolicited commercial email (UCE) to report offenders to the senders' Internet Service Provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s (ISPs), and sometimes their web hosts. SpamCop uses these reports to compile a DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
of computers sending spam called the "SpamCop Blocking List", (SCBL) and websites referenced in the spam are used to create the Spam URI Realtime Blocklists (SURBL
SURBL
SURBLs are lists of Uniform Resource Identifier hosts, typically web site domains, that appear in unsolicited messages. SURBLs can be used to search incoming e-mail message bodies for similar sites to help evaluate whether the messages are unsolicited...
) RHSBL.
There are basically three ways of reporting, for any of which one must be registered:
- copying the complete source code into a text area on the spamcop website,
- sending the spam messages as attachment to a personally specified spamcop email address for normal reporting,
- sending the spam messages as attachment to a personally specified spamcop email address for "quick reporting".
In the first two cases, email headers and bodies are automatically analyzed for the responsible IP addresses, the respective ISPs are found out and reports are created. For the reports to be sent, the user has to read and confirm them while logged in on the spamcop website.
In the third case, the reports are sent without user reconfirmation. There is no analyzing of URLs / IP addresses in the message bodies - only the headers will be searched. With spam mails already stored in a special mail folder by the personal spam detection software, the time to report a batch of spam mails after check is reduced to some seconds. This option requires the user to have a certain history of flawless reporting.
Additionally, SpamCop automatically lists IP addresses that send mail to spamtrap
Spamtrap
A spamtrap is a honeypot used to collect spam.Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam...
email addresses.
SpamCop has tools for ISPs to manage the reports sent to them, to see details on individual spam messages, and to mark incidents as resolved. Paying members can configure how reports are sent and avoid a "nag" screen. There are also forums for discussing the services. Also available are paid email and mail management services which include spam filtering.
Problems and the Handling Thereof
Like other DNSBLs, SpamCop's SCBL is controversial. Third parties that don't send spam are affected when an IP address they use becomes listed on the SCBL because of reports that accuse their IP addressIP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
of being a spam/UBE source. This can happen because their IP address is shared with many other customers of their ISP. It may also be the result of malicious, careless or over-zealous reporting of spam.
Since addresses got with the above mentioned spamtrap method may have been falsely used as return addresses on spam messages, backscatter
Backscatter (e-mail)
Backscatter is incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam....
caused by these messages (including vacation messages and other auto-replies) can result in a receiving server being blacklisted if it fails to employ backscatter prevention techniques. One of the unique features of the SCBL, however, is that a listing expires automatically when no spam is reported from that source for 24 hours.
SpamCop notes that "The SCBL is aggressive and often errs on the side of blocking mail. By using the SCBL, you can block a lot of spam, but you also may block or filter wanted email" and suggests using the SCBL as part of a scoring system. Unfortunately many ISPs and IT consultants use the SCBL as a plenipotent authority for blocking decisions, often without making it clear to their clients that valid incoming messages may be rejected.
SpamCop provides procedures for ISPs to request de-listing. Users of listed IPs can use other IP Addresses or smart host
Smart host
A smart host is a type of mail relay server which allows an SMTP server to route e-mail to an intermediate mail server rather than directly to the recipient’s server. Often this smart host requires authentication from the sender to verify that the sender has privileges to have mail forwarded...
s if their outgoing mail servers are blocked. SpamCop's on-line forums and FAQ pages, as well as news.admin.net-abuse.blocklisting, are sources of advice to users who find themselves blocked. On the forums, other users will give advice, although some can be impatient with those who are not familiar with the system and terminology involved and have not read the multiple, overlapping FAQs.
SpamCop also has a fee-based email system which provides email accounts that are optionally filtered by the SCBL, as well as other blocklists.
History
SpamCop was founded by Julian Haight in 1998 as an individual effort. As the reporting service became more popular, staff was added and the SCBL became more useful. It has commonly been the target of DDoS attacks and lawsuitLawsuit
A lawsuit or "suit in law" is a civil action brought in a court of law in which a plaintiff, a party who claims to have incurred loss as a result of a defendant's actions, demands a legal or equitable remedy. The defendant is required to respond to the plaintiff's complaint...
s from organizations listed in the SCBL.
Email security company IronPort Systems
IronPort
IronPort Systems, Inc., headquartered in San Bruno, California, was a company that designed and sold products and services that protect enterprises against Internet threats. It was best known for IronPort AntiSpam, the SenderBase email reputation service, and email security appliances...
announced its acquisition of SpamCop on November 24, 2003, but it remains independently run by Julian Haight, a small staff and volunteer help in its forum.
IronPort agreed to become a division of Cisco Systems
Cisco
Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...
on January 4, 2007 effectively making SpamCop a Cisco service.
Limitations
For first-time SpamCop Reporters, the SpamCop Parsing and Reporting Service requires that the reporter manually verify that each submission is spam and that the destinations of the spam reports are correct. People who use tools to automatically report spam, who report email that is not spam, or report to the wrong people may be fined or banned. This verification requires extra time and effort. Despite these steps, reports to innocent bystanders do happen and ISPs may need to configure SpamCop to not send further reports if they don't want to see them again.It is not clear whether reporting spam using SpamCop's reporting service actually reduces the amount of spam that one receives, and complaints on SpamCop's online forum provide anecdotal evidence to support some scepticism about its effectiveness. While some spammers may use SpamCop's reports for listwashing, others could retaliate. Spammers who determine the identity of the complainants can, by doing so, also verify that the email addresses are still in use. What is clear is that much spam email is filtered or blocked by the SCBL, which is fed by many SpamCop Reporters reporting their spam.
That said, SpamCop is effective at helping ISPs, web hosts and email providers identify accounts that are being abused and shut them down before the spammer finishes operations. Finally, SpamCop provides information from its reports to third parties who are also working to fight spam, amplifying the impact of its services beyond its own reach.
It is also remarkable in its own right that SpamCop has survived for so many years, considering the severity of opposition other anti-spam companies have faced in the past, most notably osirusoft
Spam Prevention Early Warning System
The Spam Prevention Early Warning System was an anonymous service which maintained a list of IP address ranges belonging to Internet service providers which host spammers and show little action to prevent their abuse of other networks' resources...
and Blue Security. SpamCop has dealt with attacks by spammers thus far by hiring services from Akamai
Akamai Technologies
Akamai Technologies, Inc. is an Internet content delivery network headquartered in Cambridge, Massachusetts, US.The company was founded in 1998 by then-MIT graduate student Daniel M. Lewin, and MIT Applied Mathematics professor Tom Leighton...
, but is still the target of many hackers and could face serious difficulties like those faced by Blue Security if it continues to grow in size and effectiveness. The successful attack on Blue Security shows that significant offensive weapons can be wielded by the criminal syndicates behind spammers. SpamCop views itself as an attempt to stop spam without the necessity of governmental intervention, but because it lacks the power of a government or large ISP, it may have greater difficulty dealing with spammers' expertise as well as the large "bot" networks that they control and that they used to cripple Blue Security with a massive DDoS attack.
Also, accessibility to help for paying customers is limted to forums and email; there is no phone number given out by SpamCop, and this can be quite inconvenient when severe problems arise that require immediate attention.
Fake similar organizations
Several websites exist purporting to provide similar services to SpamCop.net. For example, abusecentral.org (offline now) appeared to be run by phishersPhishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
who redirect webtraffic elsewhere when people try to enter the phishing website in ways that phisher doesn't want. This will give investigators the incorrect impression that the phishing site has been taken down. Another such organization is SpamCop.com. According to posts on SpamCop.net's forum, SpamCop.com is a newer service owned by a company named Interspectrum, which uses the service to market its anti-spam products. The use of the same name for the same type of service may constitute trademark infringement
Trademark infringement
Trademark infringement is a violation of the exclusive rights attaching to a trademark without the authorization of the trademark owner or any licensees...
, and may be confusing to new users who expect the more established of the two services to be hosted on the .com top-level domain.
See also
- Blue FrogBlue FrogThe Blue Frog tool, produced by Blue Security Inc., operated in 2006 as part of a community-based anti-spam system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received...
- Comparison of DNS blacklistsComparison of DNS blacklistsThe following table lists technical information for a number of DNS blacklists.- External links :* , weekly reports since July 2001* * * * * *...
- E-mail spamE-mail spamEmail spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
- List poisoning
- Network Abuse ClearinghouseNetwork Abuse ClearinghouseThe Network Abuse Clearinghouse, better known as abuse.net, maintains a contact database for reporting misuse on the Internet. It makes entries from the database available , and provides an intermediary service for registered users to forward complaints by e-mail.-See also:* Anti-spam techniques *...
- Spam (electronic)Spam (electronic)Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
- Spamhaus
External links
- SpamCop Official site (Note: There are copycat sites at similar URLs with other TLDTop-level domainA top-level domain is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last label of a...
s.) - SpamCop Wiki
- SpamCop Forums and [news://news.spamcop.net/spamcop newsgroups]
- SCBL dispute resolution from the FAQ
- The SURBL is an RBL based on SpamCop data to block or tag spam based on URIs contained within the message body.