Cisco’s SpamCop anti-spam service suffered an outage Sunday after its domain was mistakenly allowed to expire.
SpamCop provides a Real-time Blackhole List (RBL) that mail servers can use to determine if incoming mail should be considered spam.
Mail servers that use the SpamCop RBL service perform a DNS lookup of a connecting mail server’s IP address to check if it is known to be used for spam. The server does this by performing a DNS lookup of [reverse_ip].bl.spamcop.net, and if there is a response, refuses to accept the mail from the server.
For example, if an outgoing mail server at IP address 192.168.1.2 connects to an incoming mail server using SpamCop, the incoming mail server will perform a DNS lookup for 2.1.168.192.bl.spamcop.net.
If the SpamCop service returns a result, then the outgoing mail server is considered a spam relay, and the email is rejected. If no response is returned, then the incoming mail server would accept the email.
“If you get back an IP address (typically 127.0.0.2), then the IP you asked about is listed. If you get back a non-existent message, then the IP you asked about is not listed,” explains an FAQ at SpamCop’s site.
Expired spamcop.net domain causes false positives
Today, mail administrators, organizations, and ISPs worldwide suddenly found that their outgoing mail was being rejected by mail servers using the SpamCop service.
It turns out that this was a false positive caused by the spamcop.net domain expiring yesterday and being parked at the Sedo domain parking service with a wildcard DNS resolution.
This wildcard DNS resolution caused any DNS lookup for the spamcop.net subdomain, including any lookup under bl.spamcop.net, to return a response. As a response was received by the incoming mail server’s RBL check, it would incorrectly block the email as if it was from a known spammer.
When mail is blocked, admins would see the following error in their mail server logs:
“The error on www.spamcop.net is: An error occurred while processing your request.”
BleepingComputer was told that Cisco is aware of the issue and has been working on renewing the domain throughout the day.
At approximately 1:00 PM EST, Cisco renewed the spamcop.net domain, but some mail administrators report that they continue to see issues with their incoming mail being blocked.
When mail is blocked, administrators see the following error in their mail server logs:
“The error on www.spamcop.net is: An error occurred while processing your request.”
These errors are likely caused by cached DNS lookup results in local DNS servers. Once the DNS TTL expires on the domain or admins flush the cache, the RBL should function normally.
As of Monday morning, admins who were still having issues with SpamCop have told BleepingComputer that the service is working correctly again.
BleepingComputer has contacted Cisco with further questions but has not heard back as of yet.
Update 2/1/21: Added more information on how the SpamCop service works and reports that its fully functional again.
Thanks to Marcel for the tip!
Source: https://www.bleepingcomputer.com/news/security/spamcop-anti-spam-service-suffers-an-outage-after-its-domain-expired/?&web_view=true
