Cisco’s anti-spam service SpamCop failed to renew the spamcop.net domain over the weekend, causing the domain to expire. This resulted in countless outgoing e-mail messages being falsely labeled and rejected as spam across the globe.
SpamCop provides a Real-time Blackhole List (RBL) that can be used by mail servers to determine if incoming mail should be considered spam.
Mail servers that use the SpamCop RBL service perform a DNS lookup on a connecting mail server’s IP address to check whether it is known to be used for spam. The receiving server does this by looking up [reverse_ip].bl.spamcop.net and, if there is a response, refuses to accept mail from the connecting server.
As a result of the domain expiration, mail administrators, organizations, and ISPs worldwide suddenly found that their outgoing mail was marked as spam and was rejected by mail servers using the SpamCop service.
It turns out that this was a false positive caused by the spamcop.net domain expiring yesterday and being parked at the Sedo domain parking service with a wildcard DNS resolution.
This wildcard DNS resolution caused a DNS lookup for any spamcop.net subdomain, including any name under bl.spamcop.net, to return a response. Because the receiving mail server’s RBL check received a response, it would incorrectly block the email as if it were from a known spammer.
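The failure mode above can be reproduced offline. The following is an added example, not code from SpamCop or any mail server: it compares the "any response means listed" check with a stricter one that only accepts answers in 127.0.0.0/8, the return-code range RFC 5782 defines for DNS blocklists. The two resolver functions and all IP addresses are constructed stand-ins for real DNS.

```python
import ipaddress

ZONE = "bl.spamcop.net"  # RBL zone named in the article
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 return-code range

def rbl_query_name(ip, zone=ZONE):
    """Build [reverse_ip].zone: IPv4 octets reversed, then the RBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def naive_is_listed(ip, resolve):
    """Behaviour described in the article: any answer at all means 'listed'."""
    return bool(resolve(rbl_query_name(ip)))

def strict_is_listed(ip, resolve):
    """Count only answers inside 127.0.0.0/8 as a listing."""
    answers = resolve(rbl_query_name(ip))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def zone_looks_sane(resolve):
    """RFC 5782 says 127.0.0.1 must never be listed; if it resolves,
    the zone is answering for everything (for example a wildcard)."""
    return not resolve(rbl_query_name("127.0.0.1"))

# Constructed resolvers: each maps a query name to a list of A records,
# with an empty list standing in for NXDOMAIN.
def healthy_resolver(name):
    # Pretend 203.0.113.7 is the only listed sender.
    return ["127.0.0.2"] if name == "7.113.0.203.bl.spamcop.net" else []

def parked_wildcard_resolver(name):
    # Parked domain with wildcard DNS: every name gets the parking host.
    return ["192.0.2.10"]

if __name__ == "__main__":
    sender = "198.51.100.25"  # constructed, never listed
    for label, resolve in (("healthy", healthy_resolver),
                           ("parked", parked_wildcard_resolver)):
        print(label,
              "naive:", naive_is_listed(sender, resolve),
              "strict:", strict_is_listed(sender, resolve),
              "zone sane:", zone_looks_sane(resolve))
```

With the parked resolver the naive check rejects the unlisted sender, while the strict check accepts it and the sanity probe reports the zone as broken.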
Cisco has acted to resolve the issue by renewing the expired domain Monday at approximately 1:00 PM EST. The domain renewal should have resolved the problem for most organizations and email administrators.
However, there are still some problems being reported. These errors are likely caused by cached DNS lookup results stored on local DNS servers. Once the DNS TTL expires on the domain or administrators flush the cache, the SpamCop RBL should function normally.