Overview
SpamCop is a spam reporting service that takes reports of spammers’ IPs addresses from recipients. It uses the information to maintain the SpamCop Blocking List (SCBL). SpamCop also generates reports of email sent to spam traps. It uses pristine spam traps for tracking IP reputation.
SpamCop assigns reputation points as part of a scoring system it uses to weight reported email. A sender receives a reputation point for each SCBL query that is not reported as spam.
- Listings occur at the IP level.
- The impact on deliverability is high.
Reasons for getting listed
IP addresses are listed for:
- Sending spam that is reported or submitted directly by SpamCop users
- Sending email to SpamCop’s pristine spam traps
- An open relay: an email system that allows an unauthorized third party to send spam
- An open proxy: a non-email system tricked into sending spam
- Sending a sufficient quantity of misdirected bounces or autoresponse emails to a SpamCop spam trap
How to get off this blocklist
An IP is removed automatically within 24 hours after it stops sending spam. This limits the damage if recipients mistakenly report legitimate email.
You can request information about a listing by emailing deputies@admin.spamcop.net.
Tips for staying off this list
- Do not purchase email lists or use list harvesting techniques to acquire email addresses
- Ensure your email and non-email systems are secure against being used as an open relay or open proxy
- Conduct regular list hygiene and list maintenance
- Make sure that all of your feedback loops are set up and working and you are suppressing complaints
- Conduct regular system security scans to check for viruses and spambots
SCBL methodology
The SCBL is a list of IP addresses which have transmitted spam. It draws on a number of sources, including:
- Automated spam reports
- SpamCop user complaints
- Spam traps
- Websites that use the SCBL
The sending system can be a direct email source (such as a site's primary mail server acting as an open relay) or an indirect source (such as a web server acting as an open proxy that sends spam).
SpamCop monitors queries from a sample of sites that use the SCBL. SCBL users query the SCBL servers during every Simple Message Transfer Protocol (SMTP) transaction. SpamCop counts the total number of queries for each IP address and whether or not that IP address appears on the SCBL to generate an estimate of how much email is transmitted by each IP address. When a sampled site queries the SCBL about an IP address sending mail which is not reported as spam, that host is given a reputation point.
The SCBL does not consider misconfigured, unsecured or dynamically-assigned IP address servers. Instead, the SCBL lists only IP addresses of machines that are sending reported email. As a result, IP addresses that do not host a misconfigured or unsecured server but do send reported mail may be listed. An unsecured machine that has never been abused would not be listed.
The SCBL tries to stop spam without blocking or misidentifying wanted email. However, its methods are not perfect. For example, some IP addresses that send a significant amount of reported mail may rarely or never be listed in the SCBL because those IP addresses also send a lot of non-reported mail. Given the power of the SCBL, SpamCop encourages users to actively maintain a allowlist of wanted senders. SpamCop also encourages SCBL users to tag and divert email to the spam folder, rather than block it outright.
SCBL rules and scoring
The system operates according to these rules:
- SCBL lists IP addresses with a large number of reports relative to reputation points. The SpamCop team manually balances the threshold in an effort to make the list as accurate as possible.
- The SCBL weights reports depending on how recently the mail was received (reflecting its freshness):
- The SCBL counts the most recently received reports 4:1.
- The SCBL counts reports for email 48 hours and older 1:1, with a linear sliding scale between the most recent and 48 hours past.
- The SCBL ignores reports for email received more than one week ago.
- The SCBL uses spam trap reports to weight total reports. For fewer than six spam trap reports, the SCBL multiplies the quantity of spam trap reports by five and adds this to the report score. For larger numbers of spam trap reports, the SCBL squares the quantity. For example:
- If an IP address has two spam trap reports and three SpamCop user-reported reports, its weighted score is (2 * 5) + 3 = 13.
- If a host has seven spam trap reports and three manual reports, its weighted score is (7 * 7) + 3 = 52.
- The SCBL does not count reports for URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP address is also used to send the mail.
- The SCBL will not list an IP address with only one report filed against it.
- If an IP address has only two reports filed against it, the SCBL will list it for a maximum of 12 hours after the most recent reported mail was sent.
- The SCBL automatically delists an IP address if there are no reports filed against it within the past 24 hours.
- If a server sends bounces to an SCBL spam trap in sufficient quantity to meet the listing criteria, the SCBL will list that server. This occurs when a mailserver does not reject mail during the SMTP transaction, but rather accepts the mail and then sends a bounce message later. (These servers usually run qmail or postfix). Viruses and spam often contain a forged From: line. If email is rejected or blocked during the SMTP transaction, the bounce will go to the connecting IP address. If the bounce comes after the mail is accepted for delivery, then the bounce will go to the address in the From: field. Viruses and spam often use addresses from the list of recipients to populate the From: field. Sometimes, these addresses are spam traps.
Escalation process
SpamCop permits network owners to register for its feedback loop (FBL). It determines the network owner for IP addresses using a Whois query. Although network owners may forward complaints to SpamCop, as noted below, it is frowned upon.
To query SpamCop about listings and FBL reports (something Validity cannot do for its customers):
- Ask the mailbox provider that furnished the IP addresses if it already has a spamcop.net FBL setup.
- If:
- It does, tell it to forward the emails to you directly (not to the FBL email address).
- It does not, tell it to send an email to deputies@admin.spamcop.net and request to be set up on the FBL.
SpamCop will deny the request if it discovers that complaint feedback will be forwarded. It only sends the FBLs for customers that have 100% verifiable closed-loop, double opt-in emails.
You can request summary reports about your network on the SpamCop report routing page. Reports list when complaints were registered, when spam traps were tripped and other information.