November 29, 2020

Keystone SpamKops (cont. 3)

Several people have asked me to expand upon a semi-cryptic comment I made in a previous post, saying that SpamCop’s system allows denial-of-service attacks. What I mean is that it appears that a malicious person could easily put you, or me, or anybody else on SpamCop’s block-list. There are at least three ways somebody could put XYZ.com (a hypothetical site) on the blocklist.

(1) Send a spam message containing the characters “http://www.XYZ.com,” and wait for spam’s recipients to report it to SpamCop.

(2) Sign up for a legitimate mailing list run by XYZ.com. Then when XYZ.com sends legitimate email messages on the list, maliciously report those messages as spam.

(3) Forge the text of spam messages purportedly from XYZ.com, and report the forged messages as spam.

It’s probably illegal to carry out such an attack, but it’s scary that SpamCop apparently makes it so easy.