Don’t use bl.spamcop.net as a blocklist

Update: as of Oct 2007, this advice is obsolete. The Spamcop algorithms have been greatly improved, as far as I and others can tell.

I’ve been hearing increasing reports of false positives using bl.spamcop.net.

One today spurred me to check out exactly how many times I’m seeing it misfiring on nonspam in my own mail collection. The results have been pretty astonishing.

In my nonspam collection, it fired on 1043 messages out of 8415 in July; 12.4% of the mail. It gets worse for August, though — 884 messages out of 3729 since the start of August. That’s a staggering 23% of my nonspam mail this month. ;)

Most of that is due to the listings of GMail and Yahoo! Groups, both of which seem to have been listed for large swathes of the past month and a half.

Now, an important point — it can work pretty well as a single input to a scoring system, like Spamcop itself or SpamAssassin. In fact, I didn’t lose any mail as a result of those listings; SpamAssassin assigns only 1.5 points to the RCVD_IN_BL_SPAMCOP_NET rule, so it’s easily corrected by other rules.

However, people using it to block or reject spam outright, or who’ve changed the score of the RCVD_IN_BL_SPAMCOP_NET rule, need to turn that off ASAP — as they are losing mail.
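The measurement above, and the difference between rejecting on a listing and scoring it, can be reproduced on any nonspam corpus. The sketch below is an added example, not the script used for the figures in this post. It assumes every non-internal bracketed IPv4 address in the Received headers is checked, uses the 1.5-point rule score quoted above against SpamAssassin's default threshold of 5.0, and runs on a constructed sample with a stand-in for the blocklist.

```python
import email
import ipaddress
import re
import socket

ZONE = "bl.spamcop.net"
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dnsbl_name(ip, zone=ZONE):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(ip):
    """Live check: an A record means listed, a failed lookup means not listed."""
    try:
        return bool(socket.gethostbyname(dnsbl_name(ip)))
    except socket.gaierror:
        return False

def relay_ips(raw):
    """Bracketed IPv4 addresses from Received headers, minus internal ranges."""
    found = []
    for header in email.message_from_string(raw).get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # not a valid address, e.g. [999.1.1.1]
            if not any(ip in net for net in INTERNAL):
                found.append(text)
    return found

def evaluate(ham, is_listed=dns_listed, rule_score=1.5, threshold=5.0):
    """ham: (raw_message, score_from_all_other_rules) pairs of known nonspam."""
    hits = [other for raw, other in ham if any(map(is_listed, relay_ips(raw)))]
    return {"messages": len(ham), "hits": len(hits),
            "lost_if_rejecting": len(hits),
            "lost_if_scoring": sum(o + rule_score >= threshold for o in hits)}

# Constructed sample: documentation-range IPs, invented "other rules" scores.
LISTED = {"192.0.2.25"}  # stand-in for the blocklist's contents
MSG = "Received: from out.example ([{}]) by mx.example\nSubject: hi\n\nbody\n"
HAM = [(MSG.format("192.0.2.25"), -1.2), (MSG.format("192.0.2.25"), 0.3),
       (MSG.format("198.51.100.7"), 0.0), (MSG.format("10.0.0.5"), 0.0)]

if __name__ == "__main__":
    print(evaluate(HAM, is_listed=LISTED.__contains__))
```

Leaving `is_listed` at its default performs real DNS queries against the zone, so run that only against a corpus size the list operator's usage policy allows.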


7 Comments

  1. Posted August 17, 2006 at 18:36

    Most people don’t understand how a blacklist works nor how to use it.

  2. Posted August 18, 2006 at 16:12

    Michele –

    that’s probably true. Hopefully however my advice might be noticed by the ones who do, and who recommend their use to the ones who don’t. ;)

  3. Kelly O.
    Posted August 30, 2006 at 07:21

    Could this be related to the way SpamCop does Shotgun Reporting? Maybe erroneous URLs are being pulled out of the content…

  4. Posted August 30, 2006 at 13:34

    I don’t think so — I think it sounds like an imbalance in the weighting factors for sender volume. GMail and Y!Groups are both senders of massive volumes of (legit) mail.

  5. Clemens
    Posted September 7, 2006 at 18:11

    SpamCop lists GMail for a reason: When sending a mail from there, they don’t show the IP address of the sender. All mail seems to come from the GMail servers, thus making it impossible to differentiate between ham and spam.

    If GMail would use a correct implementation of SMTP and show the originating IP (i.e. the address of the sender), the problem would be gone in a blink.

  6. Posted September 10, 2006 at 15:10

    For our customers, the rule RCVD_IN_BL_SPAMCOP_NET hits more than 25% of messages eventually tagged as ham, 80% of these originating from gmail servers. Less than 0.1% of the messages originating from gmail servers are tagged as spam. What’s the use of a black list system with so many false positive messages?

  7. Ed
    Posted June 1, 2007 at 14:08

    Our firewall logs indicate we have had over 5000 of 7000 emails denied through positive tags by Bl.spamcop.net. Our vendor’s 2nd level support tech suggested that I remove the spamcop RBL list from our spamscreen configuration and referenced the URL to this blog. The spamcop RBL even tagged email from our firewall vendor until I added them to the whitelist. I have gone to the spamcop website and attempted to validate some of the listings and so far every IP I have checked has been clean. It is amazing that the RBL list is tagging addresses not in their publicly accessible database. These are not Gmail, Yahoo, or any other public email system IPs. Where is the list data coming from? I am definitely deleting this RBL, and I would suggest that anyone reading these posts do the same. Btw – good job on posting info that security vendors are referencing!