December 4, 2024

SpamCop Responses

I have gotten plenty of email from SpamCop advocates in response to my previous posts. Due to a work-related deadline, it will take me several days to sort through them and post a response. I hope to have my response up here by the end of Monday.

Keystone SpamKops (cont. 3)

Several people have asked me to expand upon a semi-cryptic comment I made in a previous post, saying that SpamCop’s system allows denial-of-service attacks. What I mean is that it appears that a malicious person could easily put you, or me, or anybody else on SpamCop’s block-list. There are at least three ways somebody could put XYZ.com (a hypothetical site) on the blocklist.

(1) Send a spam message containing the characters “http://www.XYZ.com,” and wait for spam’s recipients to report it to SpamCop.

(2) Sign up for a legitimate mailing list run by XYZ.com. Then when XYZ.com sends legitimate email messages on the list, maliciously report those messages as spam.

(3) Forge the text of spam messages purportedly from XYZ.com, and report the forged messages as spam.

It’s probably illegal to carry out such an attack, but it’s scary that SpamCop apparently makes it so easy.

Keystone SpamKops (cont. 2)

Thomas Roessler is the person who sent the innocent email message that the Keystone SpamKops incorrectly characterized as spam, leading to my summary ejection from the net. He did nothing wrong, and once he heard about the problem he did his best to rectify it – but the SpamKops apparently ignored his messages as they ignored everyone trying to resolve the problem. He comments on the situation in his blog.

Keystone SpamKops (cont.)

A reader, Florian Weimer, points out that there has already been at least one apparently successful lawsuit against spam blacklisters.

Keystone SpamKops

Earlier this week, my ISP shut off this site, because the site had appeared on a list of “spammers” published by an outfit called SpamCop.

Apparently, this happened because one person, whose identity I was not allowed to learn, had sent SpamCop an accusation saying that he had received an unwanted email message, which I was not allowed to see, that did not come from me but that did mention my web site. On that “evidence” SpamCop declared me guilty of spamming and decreed that my site should be shut down. Never mind that I had never sent a single email message from the site. Never mind that the site was not selling anything.

Naturally, I was not allowed to see the accusation, or to learn who had submitted it, or to rebut it, or even to communicate with an actual human being at SpamCop. You see, they’re not interested in listening to complaints from spammers.

With help from my ISP, I eventually learned that the offending message was sent on a legitimate mailing list, and that the person who had complained was indeed subscribed to that list, and had erroneously reported the message as unsolicited. Ironically, the offending message was sent by someone who liked my site and wanted to recommend it to others. Everybody involved (me, my ISP, the person who filed the complaint, and the author of the message) agreed that the report was an error, and we all told this to SpamCop. Naturally, SpamCop failed to respond and continued to block the site.

Why did my ISP shut me down? According to the ISP, SpamCop’s policy is to put all of the ISP’s accounts on the block list if the ISP does not shut down the accused party’s site.

Note the similarities to the worst type of Stalinist “justice” system: conviction is based on a single anonymous complaint; conviction is based not on anything the accused did but is instead based on favorable comments about him by the “wrong” people; the evidence is withheld from the accused; there is no procedure for challenging erroneous or malicious accusations; and others are punished based on mere proximity to the accused (leading to shunning of the accused, even if he is
clearly innocent).

Note also that the “evidence” against me consisted only of a single unsigned email message which would have been trivial for anyone to forge. Thus SpamCop provides an easy denial of service attack against a web site.

The only bright spot in this picture is that our real justice system allows lawsuits to be filed against guys like SpamCop for libel and/or defamation. My guess is that eventually somebody will do that and put SpamCop out of business.