Don’t use bl.spamcop.net as a blocklist
Update: as of Oct 2007, this advice is obsolete. The Spamcop algorithms have been greatly improved, as far as I and others can tell.
I’ve been hearing increasing reports of false positives using bl.spamcop.net.
One today spurred me to check out exactly how many times I’m seeing it misfire on nonspam in my own mail collection. The results have been pretty astonishing.
In my nonspam collection, it fired on 1043 messages out of 8415 in July; 12.4% of the mail. It gets worse for August, though — 884 messages out of 3729 since the start of August. That’s a staggering 23% of my nonspam mail this month. ;)
Most of that is due to the listings of GMail and Yahoo! Groups, both of which seem to have been listed for large swathes of the past month and a half.
Now, an important point — it can work pretty well as a single input to a scoring system, like Spamcop itself or SpamAssassin. In fact, I didn’t lose any mail as a result of those listings; SpamAssassin assigns only 1.5 points to the RCVD_IN_BL_SPAMCOP_NET rule, so it’s easily corrected by other rules.
However, people using it to block or reject spam outright, or who’ve changed the score of the RCVD_IN_BL_SPAMCOP_NET rule, need to turn that off ASAP — as they are losing mail.
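The difference between blocking on a listing and scoring it, as an added example that is not from the original post. The corpus, the `HYP_*` rule names and their scores are constructed for illustration; only the rule name `RCVD_IN_BL_SPAMCOP_NET` and its 1.5 points come from the post, and 5.0 is SpamAssassin's default `required_score`.

```python
DNSBL_RULE = "RCVD_IN_BL_SPAMCOP_NET"
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Only the 1.5 for the DNSBL rule is from the post; HYP_* rules are hypothetical.
SCORES = {
    DNSBL_RULE: 1.5,
    "HYP_BAYES_HAM": -1.9,
    "HYP_BAYES_SPAM": 3.5,
    "HYP_URI_LISTED": 2.5,
    "HYP_HTML_ONLY": 0.5,
}

# Constructed corpus: (hand-assigned label, rules that fired on the message).
CORPUS = [
    ("ham", [DNSBL_RULE, "HYP_BAYES_HAM"]),   # relayed via a listed bulk sender
    ("ham", [DNSBL_RULE, "HYP_HTML_ONLY"]),
    ("ham", ["HYP_BAYES_HAM"]),
    ("ham", []),
    ("spam", [DNSBL_RULE, "HYP_BAYES_SPAM", "HYP_URI_LISTED"]),
    ("spam", ["HYP_BAYES_SPAM", "HYP_URI_LISTED"]),
]

def hard_block(rules):
    """Reject outright whenever the relay is listed."""
    return DNSBL_RULE in rules

def make_scorer(scores, threshold=REQUIRED_SCORE):
    """Treat the listing as one weighted input among several."""
    def scored(rules):
        return sum(scores.get(r, 0.0) for r in rules) >= threshold
    return scored

def evaluate(corpus, classifier):
    """Return the fraction of ham wrongly flagged and of spam caught."""
    ham = [rules for label, rules in corpus if label == "ham"]
    spam = [rules for label, rules in corpus if label == "spam"]
    return {
        "ham_fp_rate": sum(classifier(r) for r in ham) / len(ham),
        "spam_caught": sum(classifier(r) for r in spam) / len(spam),
    }

# A site that raised the DNSBL rule's score up to the threshold.
RAISED = dict(SCORES, **{DNSBL_RULE: 5.0})

if __name__ == "__main__":
    print("hard block  :", evaluate(CORPUS, hard_block))
    print("scored (1.5):", evaluate(CORPUS, make_scorer(SCORES)))
    print("scored (5.0):", evaluate(CORPUS, make_scorer(RAISED)))
```

Running the same comparison over a real hand-sorted ham folder gives the false-positive rate a site would actually suffer under each policy.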

Michele said,
August 17, 2006 @ 6:36 pm
Most people don’t understand how a blacklist works nor how to use it.
Justin said,
August 18, 2006 @ 4:12 pm
Michele –
that’s probably true. Hopefully however my advice might be noticed by the ones who do, and who recommend their use to the ones who don’t. ;)
Kelly O. said,
August 30, 2006 @ 7:21 am
Could this be related to the way SpamCop does Shotgun Reporting? Maybe erroneous URLs are being pulled out of the content…
Justin said,
August 30, 2006 @ 1:34 pm
I don’t think so — I think it sounds like an imbalance in the weighting factors for sender volume. GMail and Y!Groups are both senders of massive volumes of (legit) mail.
Clemens said,
September 7, 2006 @ 6:11 pm
SpamCop lists GMail for a reason: When sending a mail from there, they don’t show the IP address of the sender. All mail seems to come from the GMail servers, thus making it impossible to differentiate between ham and spam.
If GMail would use a correct implementation of SMTP and show the originating IP (i.e. the address of the sender), the problem would be gone in a blink.
Jerome said,
September 10, 2006 @ 3:10 pm
For our customers, the rule RCVD_IN_BL_SPAMCOP_NET hits more than 25% of messages eventually tagged as ham, 80% of these originating from gmail servers. Less than 0.1% of the messages originating from gmail servers are tagged as spam. What’s the use of a black list system with so many false positive messages?
Ed said,
June 1, 2007 @ 2:08 pm
Our firewall logs indicate we have had over 5000 of 7000 emails denied through positive tags by bl.spamcop.net. Our vendor’s 2nd-level support tech suggested that I remove the spamcop RBL list from our spamscreen configuration and referenced the URL to this blog. The spamcop RBL even tagged email from our firewall vendor until I added them to the whitelist. I have gone to the spamcop website and attempted to validate some of the listings and so far every IP I have checked has been clean. It is amazing that the RBL list is tagging addresses not in their publicly accessible database. These are not Gmail, Yahoo, or any other public email system IPs. Where is the list data coming from? I am definitely deleting this RBL, and I would suggest that anyone reading these posts do the same. Btw – good job on posting info that security vendors are referencing!