[Dshield] Where should you start - I'll wrap it myself

Chris Brenton cbrenton at chrisbrenton.org
Thu Apr 8 03:15:09 GMT 2004


On Wed, 2004-04-07 at 20:25, Doug White wrote:
>
> Just how do you check for false positives? Spam is spam.

Um, no. The Dshield mailing list (this list), the Snort mailing list,
and many others have been blacklisted in the past by Spamcop. Obviously
this speaks to poor sanity checking.

> I am a user of the spamcop blacklist,
> and have been for over 4 years. They are not the only blacklist that I use.  Not
> one complaint has been received from a client because of a false positive, or
> describing mail blocked that they did not want blocked.

Just because you have not noticed it does not mean it does not happen.
As I said, even this list has been blocked by Spamcop. In fact, if memory
serves, in the last go-around a few months ago Spamcop blacklisted
Dshield twice in a one-week period of time.

> I agree that spamcop runs on the basis of complaints.  They don't block based on
> one complaint, that is unless it is unsolicited mail addressed to a registered
> spamtrap address. 

It's not all that hard to submit bogus spam reports for two or three
sources rather than just one. Quantity means nothing when you 0wn lots
of zombies.

Part of the problem is there is no way to do any real verification. This
makes it trivial to use services like Spamcop for DoS activity. For
example, there is nothing stopping me from clipping your mail header,
changing a few items in the header and the body to look like a Viagra
ad, and submitting that to Spamcop from a number of different addresses
to make it look like you are generating spam. Expect to see more of this
activity as blackhats leverage this as a DoS and spammers use it to make
blacklisting even less useful than it's already become.

HTH,
C
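As an added illustration of the verification gap Chris describes above (this is example code written for this archive page, not code from the thread, from Dshield or from Spamcop), here is a toy listing policy for a complaint-driven blacklist. It does the sanity checks the post says are missing: it only counts a complaint if the quoted message's own Received: chain names the accused source, it demands corroboration from reporters on distinct networks rather than a raw complaint count, and it treats the operator's own spamtrap hits as the one piece of first-hand evidence. Every address, header, threshold and function name below is constructed for the example.

```python
"""Added example (not code from the Dshield thread, Dshield or Spamcop):
a toy listing policy for a complaint-driven blacklist.  Every address,
header and threshold below is constructed for illustration."""
import re
from email import message_from_string

# Bracketed IPv4 literal as it appears in a Received: header, e.g. "[203.0.113.45]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """IPs named in the message's Received: headers, outermost hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for hop in msg.get_all("Received", []):
        match = RECEIVED_IP.search(hop)
        if match:
            ips.append(match.group(1))
    return ips


def header_names_source(raw_message, accused_ip):
    """A complaint only corroborates the accusation if the message it quotes
    claims, in its own Received: chain, to have passed through accused_ip."""
    return accused_ip in received_ips(raw_message)


def listing_decision(accused_ip, reports, spamtrap_hits,
                     min_reporters=3, min_networks=2):
    """Decide whether accused_ip gets listed.

    reports       -- list of (reporter_ip, raw_quoted_message) complaints
    spamtrap_hits -- set of source IPs that delivered mail to the operator's
                     own trap addresses; first-hand evidence a complaint
                     cannot forge
    """
    if accused_ip in spamtrap_hits:
        return True, "direct spamtrap hit"
    corroborating = {rep for rep, msg in reports
                     if header_names_source(msg, accused_ip)}
    # Crude "independence" test: distinct /24s among corroborating reporters.
    networks = {".".join(rep.split(".")[:3]) for rep in corroborating}
    if len(corroborating) >= min_reporters and len(networks) >= min_networks:
        return True, f"{len(corroborating)} reporters across {len(networks)} networks"
    return False, "insufficient corroboration"


# Constructed sample: a message whose chain really does name 203.0.113.45.
SAMPLE_MESSAGE = """\
Received: from mx2.example.org ([198.51.100.7]) by inbox.example.com; Wed, 7 Apr 2004 20:25:00 +0000
Received: from zombie-host (unknown [203.0.113.45]) by mx2.example.org; Wed, 7 Apr 2004 20:24:58 +0000
From: someone@example.org
To: reporter@example.com
Subject: constructed sample

body
"""

# Constructed sample whose Received: chain never mentions 203.0.113.45.
UNRELATED_MESSAGE = """\
Received: from mx2.example.org ([198.51.100.7]) by inbox.example.com; Wed, 7 Apr 2004 20:30:00 +0000
From: other@example.org
To: reporter@example.com
Subject: constructed sample

body
"""

# Three reporters in one /24, plus one whose evidence never names the accused IP.
REPORTS = [
    ("192.0.2.10", SAMPLE_MESSAGE),
    ("192.0.2.11", SAMPLE_MESSAGE),
    ("192.0.2.12", SAMPLE_MESSAGE),
    ("192.0.2.13", UNRELATED_MESSAGE),
]

if __name__ == "__main__":
    print(listing_decision("203.0.113.45", REPORTS, set()))
    print(listing_decision("203.0.113.45",
                           REPORTS + [("198.51.100.200", SAMPLE_MESSAGE)], set()))
    print(listing_decision("203.0.113.45", [], {"203.0.113.45"}))
```

The first call refuses to list because all three corroborating complaints come from one /24; the second lists once a reporter from a second network corroborates; the third lists on the spamtrap hit alone. The limits are exactly the ones the post points out: a reporter who writes the quoted headers can write the accused IP into them, and zombies spread across many networks satisfy the diversity threshold, so the header check and reporter threshold only raise the cost of a forged-complaint DoS. The spamtrap observation is the one input the operator sees first-hand and an outsider cannot submit.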