
SpamCop SCBL

Overview

SpamCop is the premier web-based service for reporting and blocking spam. They process millions of spam complaints a day and are supported by hundreds of thousands of users, a knowledgeable volunteer community, and a professional staff. The data processed daily is used to maintain the SpamCop Blocking List (SCBL). The SCBL offers service providers and other email administrators an automated tool to aggressively filter spam out of an email network.

SpamCop is part of Cisco's Security Intelligence at Talos.

Impact

Listings apply at the IP level and can affect the delivery of traffic from a listed IP. The listings are time-based and are usually removed after the last spam trap hit. The time can vary depending on the severity of the spamming.

Reason for listing

IPs are listed for:

  • Direct spam complaints from SpamCop users
  • SpamCop’s spam trap hits
  • Misdirected bounces or autoresponse emails
  • An open relay or proxy

Mitigation Process

An IP will automatically be removed 24 hours after the last spam hit. SpamCop does allow you to submit a dispute for removal directly on its site. Before you submit the request, they ask you to review your system for these possible problems:

  • Trojan/Virus infestations or script exploits
  • Misdirected delayed bounces and auto-responders
  • SMTP AUTH insecurity

SCBL Rules

The system currently operates according to these rules:

  • SCBL lists IP addresses with a large number of reports relative to reputation points. The SpamCop team manually balances the threshold in an effort to make the list as accurate as possible.
  • The SCBL weights reports depending on how recently the mail was received (or "freshness"):
    • The SCBL counts the most recently received reports 4:1.
    • The SCBL counts reports for email 48 hours and older 1:1, with a linear sliding scale between the most recent and 48 hours past.
    • The SCBL ignores reports for email received more than one week ago.
  • The SCBL uses spamtrap reports to weight total reports. For spamtrap scores less than 6, the SCBL multiplies the quantity of spamtrap reports by 5 and adds this to the report score. For larger spamtrap scores, the SCBL squares the quantity. Examples:
    • If an IP address has 2 spamtrap reports and 3 SpamCop user-reported reports, its weighted score is 13: (2 * 5) + 3 = 13.
    • If a host has 7 spamtrap reports and 3 manual reports, its weighted score is 52: (7 * 7) + 3 = 52.
  • The SCBL does not count reports regarding URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP is also used to send the mail.
  • The SCBL will not list an IP address with only one report filed.
  • With only two reports against an IP address, the SCBL will list the IP address for a maximum of 12 hours after the most recent reported mail was sent.
  • The SCBL will not list an IP address if there are no reports against it within 24 hours.
  • If a server sends bounces to an SCBL spamtrap in sufficient quantity to meet the listing criteria, the SCBL will list that server. This situation arises because some mail servers do not reject mail during the SMTP transaction, but rather accept the mail and then send a bounce message later (these servers usually run qmail or postfix). Viruses and spam often contain a forged From: line. If email is rejected or blocked during the SMTP transaction, the bounce will go to the connecting IP. If the bounce comes after the mail is accepted for delivery, then the bounce will go to the address in the From: field. Viruses and spam often use addresses from the list of recipients to populate the From: field. Sometimes, these addresses are spamtraps.
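
The weighting and timing rules above can be worked through in code. The following is an added example, not SpamCop's or Mailgun's code; the function names are hypothetical, and because the rules do not say how freshness weights combine with the spamtrap score, the two are kept as separate functions. The listing threshold against reputation points is not published, so only the count and age rules are checked.

```python
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)

def freshness_weight(age):
    """4:1 for the newest reports, sliding linearly to 1:1 at 48 hours, 0 after a week."""
    hours = max(age.total_seconds(), 0) / 3600
    if age > WEEK:
        return 0.0
    if hours >= 48:
        return 1.0
    return 4.0 - 3.0 * hours / 48

def weighted_score(spamtrap_reports, user_reports):
    """Spamtrap counts below 6 are multiplied by 5, larger counts are squared."""
    trap = spamtrap_reports * 5 if spamtrap_reports < 6 else spamtrap_reports ** 2
    return trap + user_reports

def passes_time_gates(report_times, now):
    """Apply only the count and age rules; the listing threshold is not public.
    Assumption: reports older than one week do not count toward the total."""
    ages = sorted(now - t for t in report_times if now - t <= WEEK)
    if len(ages) < 2:                      # a single report never lists an IP
        return False
    limit = timedelta(hours=12) if len(ages) == 2 else timedelta(hours=24)
    return ages[0] <= limit                # ages[0] is the most recent report

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed sample data
    reports = [now - timedelta(hours=h) for h in (1, 20, 200)]
    print("page examples:", weighted_score(2, 3), weighted_score(7, 3))
    print("freshness weights:", [freshness_weight(now - t) for t in reports])
    print("time gates passed:", passes_time_gates(reports, now))
```

Note the jump at the boundary: five spamtrap hits contribute 25 points and six contribute 36, so a sender who keeps hitting traps climbs much faster than one who draws the same number of user complaints.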

 
