Boxtrapper - Harmful. Should it be avoided?

Discussion in 'cPanel Developers' started by jols, Jul 29, 2005.

  1. jols

  2. chirpy

    I agree with the sentiments, challenge response systems such as boxtrapper usually cause more harm than good and are an easy way of getting your server on an RBL if people report false bounces of spam (or hit a spam trap).
     
  3. kris1351

    Yea but then you have people like my wife that only get email from about 10 people worldwide. Why should she have to sit there and filter out spam from everyone? The Boxtrapper works great in her situation as she can have 100% control over the white/blacklist. Spamcop should be ashamed of themselves for doing things like that is the real issue here. The spam reporting systems such as Spamcop and Spamhaus are so unregulated that most are useless.
     
  4. chirpy

    The problem is that for every spam challenge you're most likely sending an email to someone entirely innocent, thus doubling the amount of unwanted email in a single stroke.

    I have no problems with SpamCop or Spamhaus myself. SpamCop need (IIRC) 10 reports from different sources to block an IP address and the block only lasts 48 hours after which the block is dropped so long as there are no more reports. SpamCop, IMX, very rarely indeed has any false-positives.

    As for Spamhaus, I doubt that they can have done more against spam than anyone else, especially naming and shaming some large US ISPs that have been used as spam havens and them knowing it - and successfully lobbying them to mend their ways. They've also been at the forefront at advising China and the like in anti-spam policies. AFAIK, their block lists are based on carefully built block lists based on spam trap and analysis of spam, not from arbitrary user submissions.

    Now, the likes of SPEWS is another matter.

    Personally, I detest challenge response systems because of the damage they do compared to the benefit. Thankfully, their use seems to be on the decline because of the problems that they create.

    IMHO ;)
     
  5. HaveHost

    I've had over a dozen requests for this sort of thing recently. And BoxTrapper, already being in cPanel seemed like a good solution. However, it doesn't automatically add people to the list like it should! People reply to the challenge and get the approval email but still can't email my clients!

    Have sent email to stop using it until I can figure out if this is a problem with my server or not...
     
  6. cPanelNick


    The latest builds auto whitelist any address you send to if you use smtp auth.
     
  7. ehits

    This thread is 2 years old, and I'm sure BoxTrapper has evolved...

    Are there still the same dangers of using C-R systems such as BoxTrapper on one's own server?
     
  8. sparek-3

    I have never used boxtrapper, so I can't exactly speak for it.

    In my opinion, any challenge-response system is a bad idea. Challenge-response is just an ill-conceived idea. The main thing against challenge response is that spammers practically never use their real e-mail address as the from address when they send out spam. This means that when your address receives a spam message, your challenge response system is going to send a message to a completely innocent party. Since that innocent party has no idea what the message is for, they will flag the message as spam. Those challenge response messages are coming from your server, so each time someone flags a challenge response message as spam, then that adds a tally against your server, marking your server as a spam source.

    I have heard that boxtrapper can be used with the challenge response system disabled. I don't know if this is true or how to set this up (again, I've never used boxtrapper). But in this sense, it might be a better solution. I believe with this functionality only messages that are from whitelisted addresses are allowed through. Otherwise you have to review the mail that is sent to your domain and whitelist accordingly. I'm not sure if I am understanding if this is how this set up works or not, but if no challenge response messages are being sent out, then this would not be a harmful set up. I just don't know if this can be set up without using the challenge response part of boxtrapper.
     
  9. mtindor

    Like others have said, I don't believe you can really improve anymore upon C-R methods. The fact is that any time your server will automatically send a response email each time an email is received from a new sender, you are going to eventually be adding to the problem of spam in somebody's eyes.

    I don't have an absolute statistic on how much mail to a mailbox is typically spam, but let's say for a mailbox that has been in regular use the rate of spam versus nonspam is 80% - that means that for each 10 emails sent, 8 are spam (and likely from a forged sender). So the C-R system sends out 8 challenges in response to the 8 spam that are received (and sends those 8 challenges out to the 8 forged senders who never asked for the email and never emailed you in the first place). As soon as that happens, your mail system is contributing to the distrust people already have in email.

    Mike
     
  10. jols

    Whooooah there partner! How could you have an opinion about something you have no direct experience with? Well I guess it's certainly possible to have an opinion but how valid such an opinion is, remains to be seen.

    Anyway, please know that in the 7 years we have been using cPanel, not one of our hosted customers has ever been blackballed, nor had the slightest problem from using BoxTrapper.

    One time a tech that we hired to server tune our servers switched off BoxTrapper for all of our hosted accounts just out-of-the-blue. Why? I guess he just didn't like it, so without telling us he just caused it to disappear from all of our customers' control panels. Which in turn caused a firestorm of complaints from people who were using BoxTrapper and who were very much in love with this thing. So we kicked the tech, turned BoxTrapper back on and everything has been groovy since.
     
  11. sparek-3

    Well, that line was kind of meant to be a disclaimer. No I haven't used boxtrapper before, but that doesn't mean that the explanation I gave afterwards is not valid. Does this apply directly to boxtrapper? I don't know, never used it. But boxtrapper is a challenge response system, correct? (at least in one sense). All challenge response systems are virtually the same and I think my explanation basically described why they are a bad idea. It also seems that mtindor shares in my sentiments and chirpy, who is very well respected around here, also seems to agree that it is a bad idea.

    But yea, that first sentence was meant as a disclaimer so you can take my explanation with a grain of salt if you want to. Boxtrapper may work very well for you. I'm not going to tell someone they should or should not use something, I just give my opinions and my reasoning for those opinions.
     
  12. jols

    Actually it's a really good idea because very little spam actually gets through, period.

    Consider a worst case scenario:

    Spammer joe-jobs some legitimate email address and sends spam to a challenge response system.

    The legitimate email holder gets a confirmation message, NOT the spam mind you, just a confirmation that says something like, "Thanks for your email, please just respond to this message to have your email go through."

    So then what happens?

    99% of the time the one who receives this email says, "What the &^*& is this?" And tosses the email.

    End of story.

    So how exactly is this going to get someone's server blackballed? Flagged as spam? Sorry, I just don't think so. Do you flag all misdirected email as spam?


    ----

    Now let's consider the far-and-away most common scenario:

    Spammer sends out spam with a totally fake/made up email address as the reply to..... You can take it from there.
     
    #12 jols, Jul 24, 2007
    Last edited: Jul 24, 2007
  13. sparek-3

    Or they get the message, select the message, and click the convenient "This is spam" button in their e-mail interface. I can't speak for every e-mail provider, but I know with AOL, when this happens, AOL will increase the tally against your server's IP address, marking your server's IP address as a spam source. I suspect that other e-mail players (Hotmail, Yahoo, etc) do the same thing.

    In my opinion, users are a bit quick to pull the trigger on the "This is spam" button. I have seen AOL flagged messages come back to us showing users flagged e-commerce receipts as spam (but, who knows, maybe they didn't really order something). It just seems that everybody is so fed up with spam, that they will mark anything as spam and I suspect that they would mark these challenge response messages as spam too.

    It basically comes down to how you want to believe. If you believe that users will just delete challenge response messages when they receive them from fake spammers then boxtrapper and other challenge-response systems would work ok. If you believe that users will mark those challenge response messages as spam, then boxtrapper and other challenge-response systems are a bad idea.
     
  14. mtindor

    Any message that a recipient gets that they didn't specifically solicit is spam - If they didn't sign up for the mailing on a mailing list or it isn't directed specifically at them for legitimate reasons, it is spam. This applies to C-R emails as well. The forged sender _never_ in their wildest dreams ever attempted to communicate with the recipient whose mail server is sending the C-R. It was all triggered by spam/virii with a forged sender. And when the forged sender gets that mail, it IS spam to them. Now whether they just ignore it and dispose of it, or whether they specifically designate the message as spam somehow, they have gained more distrust for the email system each time it happens.

    So whether it's actual spam, server backscatter from poorly configured servers, C-R emails to a forged sender, etc., it increases the mistrust in the mail system. That can never be good.

    You say very little spam gets through - It may be correct that very little spam gets through to the recipient, but oftentimes this is at the expense of the forged sender.

    Mike

    P.S. - If I had time, I'd certainly flag all C-R mail sent to me as spam - It is spam. It is a waste of my time to have to download and read it.

     
  15. jols

    But in the real world UCE (unsolicited commercial email) is like porn, "You know it when you see it."
    So, would a BoxTrapper confirmation actually be classed as UCE?

    Hmmmm ---> http://www.webopedia.com/TERM/s/spam.html

    In any case, the backscatter question goes to the heart of the following question:

    What percent of spam contains real/joe-jobbed reply-to email addresses?
     
  16. ontheflipside

    The spam thing is a difficult problem and there are no quick fixes. The host I am an admin for has recently started getting a decent amount of spam complaints about these challenge responses from boxtrapper (complaints via spamcop mostly). Because of this we've disabled boxtrapper on all of our shared servers. For the clients who get upset we apologize to them and explain that they can sign up for a 3rd party C-R system if it's something they really must have. And our dedicated server and VPS clients are certainly welcome to use boxtrapper or similar systems on their own servers if they wish.

    My personal opinion after working in the hosting industry for many years is that C-R systems such as boxtrapper are no longer acceptable means of spam mitigation (you are pushing your spam filtering off on other people which is at the very least impolite). And it's important to note that if everyone started using a challenge response system to filter spam nobody would ever receive any email. I mean in reality these challenge response systems depends on the fact that most people aren't using them (and that is a pretty big flaw if you ask me). With that said I also feel that allowing users to click a "mark as spam" button to instantly initiate a spam complaint is irresponsible. The worst part is the clients who forward their email to AOL or one of these other providers with instant spam reporting buttons and then start reporting their very own forwarded email as spam (reporting themselves as a spammer).
     
  17. jols

    I too am a hosting admin of many years (8) and co-owner of a hosting business with thousands of customers world wide, etc.

    Of course everyone is entitled to their opinion, but I've got to say I find that some of your statements are.... well, questionable to say the least:

    "...C-R systems such as boxtrapper are no longer acceptable means of spam mitigation..."

    Perhaps not acceptable to some, but nonetheless probably the best thing going right now in terms of blocking spam. Of course, you know how this works; None or very nearly none, of the spam that is broadcast has a legitimate reply-to address. Thus a proper response can not be made, and the spam does not get through.


    "...important to note that if everyone started using a challenge response system to filter spam nobody would ever receive any email"

    Huh? This would only be true if the white-listing capabilities of every C-R system in the world somehow failed simultaneously. Or if EVERYONE started sending email with fake reply-to addresses. It is useful to keep in mind that only ONE proper response need be met, then email flows freely afterward. Or if the reply-to is whitelisted ahead of time, then the C-R system is simply avoided.


    "...you are pushing your spam filtering off on other people which is at the very least impolite"

    Most "other people" I know consider spam to be an outright assault! Thus they are very understanding if they need to only hit the reply button on a confirmation they receive when they send email to a new address. Indeed they are happy to do it. This is truly a one-click item. And by the way, with BoxTrapper you can modify the confirmation message to make it as "polite" as you want.


    "in reality these challenge response systems depends on the fact that most people aren't using them.."

    You must be thinking about SPF? Oh, no, sorry, the opposite is true; SPF does not work unless EVERYONE uses it. Sorry, I really have no idea what you are referring to here.


    As I see it, the argument against BoxTrapper and similar systems boils down to these two points:

    -- Backscatter.

    -- Potential black listing of legitimate email addresses (as you point out about AOL accounts).


    Here's my opinion:

    Backscatter is a non-issue, OR you would have to also be against autoresponders in general, because the same exact argument could be made.

    Black listing is something that could inadvertently occur with ANY sent email. Fact is, a verification message from BoxTrapper is not UCE, an Unsolicited Commercial Email message.


    In conclusion --- I for one do not use BoxTrapper, BUT I am really very pleased that cPanel publishers have included this in their system, because for some who the usual SpamAssassin-like spam tagging system fails, BoxTrapper (and similar C-R systems) is their ONLY fail safe against the avalanche of spam that they would otherwise receive.

    Rather than just poo-pooing one of the best anti-spam tools out there, I would only ask you to come up with a better idea.
     
    #17 jols, Aug 9, 2007
    Last edited: Aug 9, 2007
  18. twhiting9275

    Just because something is not commercial does not mean it's not spam. Spam is unsolicited email, period. Any other definition does nothing except give individuals a way around the "this is spam" argument.


    Now, let's take a look at this from all sides here, how abusable it is, and how much it's loved (heh) by datacenters.

    Firstly, C/R (which boxtrapper is) is basically an auto-responder, albeit on steroids, hyped up, and the like. The problem is what happens when two auto-responders get set up talking to each other? Oops, endless loop. This is the case here. So, let's say, for example that my support desk system mailed out a response, or an invoice to a customer who had their mail protected by boxtrapper. Well, the two would (naturally) talk back and forth to each other, until something eventually broke that connection. Now, most support desks are good enough to have workarounds for this, but the idea and theory is still there. It's VERY easy to kill a server using something like this.

    Secondly, let's take a look at the abusability of this format. It's incredibly easy to put together a php mail script that will mail a single address, from a group of other addresses (known) in a db. I'm not talking formmail here, I'm talking a script deliberately designed to abuse an address like this. The desired response? When mail gets to that address, it automatically responds to the mailing address with the boxtrapper message. So, you loop the mail script a few times, and voilà, you've got instant spam in < 20 minutes.

    Thirdly, datacenter response:
    I've had more than one datacenter mail me about abuse reports because of this. While I don't have this personally on my own server, some of my clients do. That's not to say I've NEVER had it on my server(s), but at some point, you realize that boxtrapper is not the answer to the problem.
    The responses from multiple datacenters were quite simple: "This IS spam, and it WILL get your server shut down". End of story, this is spam.

    Fourthly, the RBL response:
    An RBL is a realtime blackhole list. These guys keep track of who sends out spam. You can read a response by spamcop here addressing auto responders, replies, and the like, and they consider this (you guessed it), SPAM.

    Now, that's not saying that there isn't a "spam" problem out there. That's saying that boxtrapper is NOT the solution. There are plenty of solutions to the spam problem from ASSP to Spamassassin to, well, you name it, but contributing to the problem doesn't SOLVE the problem, it makes it worse.
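
The autoresponder-loop and challenge-volume concerns in the post above can be bounded on the sending side. The following is an added example, not part of the original thread and not BoxTrapper's code: a Python gate that refuses to challenge bounces, auto-generated mail and list mail, and rate-limits challenges per sender and per server. The class name, the limits and the example.* addresses are assumptions made for illustration.

```python
import email
from collections import deque

SENDER_WINDOW = 24 * 3600  # assumed: at most one challenge per sender per day
GLOBAL_WINDOW = 3600       # assumed: sliding one-hour window for the whole server
GLOBAL_CAP = 3             # assumed: kept tiny so the demo trips it; tune per server
ROBOT_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply")


class ChallengeGate:
    """Decides whether a challenge may be sent for one inbound message."""

    def __init__(self):
        self.last_challenge = {}  # sender address -> time of last challenge sent
        self.recent = deque()     # send times still inside the global window

    def decide(self, envelope_sender, raw_message, now):
        """Return (send, reason). State changes only when send is True."""
        addr = envelope_sender.strip().strip("<>").lower()
        if "@" not in addr:
            return False, "null envelope sender (bounce or DSN)"
        local = addr.split("@", 1)[0]
        if (local in ROBOT_LOCALPARTS or local.startswith("owner-")
                or local.endswith("-request")):
            return False, "role or robot sender"

        # Header checks in the spirit of RFC 3834: never answer a machine.
        msg = email.message_from_bytes(raw_message)
        auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
        if auto != "no":
            return False, "Auto-Submitted: " + auto
        if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
            return False, "bulk or list precedence"
        if msg.get("List-Id") or msg.get("List-Unsubscribe"):
            return False, "mailing list traffic"

        # One challenge per sender per window breaks responder-to-responder loops.
        last = self.last_challenge.get(addr)
        if last is not None and now - last < SENDER_WINDOW:
            return False, "sender already challenged recently"

        # A server-wide cap bounds how many challenges a flood of forged
        # senders can make this host emit.
        while self.recent and now - self.recent[0] >= GLOBAL_WINDOW:
            self.recent.popleft()
        if len(self.recent) >= GLOBAL_CAP:
            return False, "global challenge cap reached"

        self.last_challenge[addr] = now
        self.recent.append(now)
        return True, "challenge"


def sample_message(extra_headers=""):
    # Constructed sample message; all addresses are placeholders.
    return ("From: someone@example.org\r\nTo: user@example.com\r\n"
            "Subject: hello\r\n" + extra_headers + "\r\nbody\r\n").encode()


def demo():
    """Run constructed cases through one gate; return the send decisions."""
    gate, t = ChallengeGate(), 1_000_000.0
    cases = [
        ("<>", sample_message(), t),
        ("helpdesk@example.net", sample_message("Auto-Submitted: auto-replied\r\n"), t),
        ("announce@example.net", sample_message("List-Id: <news.example.net>\r\n"), t),
        ("alice@example.org", sample_message(), t),
        ("alice@example.org", sample_message(), t + 60),
        ("forged1@example.org", sample_message(), t + 61),
        ("forged2@example.org", sample_message(), t + 62),
        ("forged3@example.org", sample_message(), t + 63),
        ("forged3@example.org", sample_message(), t + 3600),
    ]
    return [gate.decide(sender, raw, now)[0] for sender, raw, now in cases]


if __name__ == "__main__":
    print(demo())
```

These checks limit loops and volume only; they do not tell a forged sender from a real one, which is the objection raised elsewhere in this thread.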
     
  19. jols

    In response to twhiting9275 post:

    Your points:

    Firstly - All autoresponders have check limits these days, and therefore do not get into those "endless loops". No server has ever been "killed" by boxtrapper that I know of.

    Secondly - Makes absolutely no sense. Keep in mind that BoxTrapper does not respond with a copy of the message that was sent, only a verification note. So this shoots down your entire point.

    Thirdly - We've been hosting thousands of customers for nearly a decade, and our data center is very strict. We've never had an experience anywhere close to this involving BoxTrapper responses.

    (I would recommend that you move to a new datacenter that is not going to send you bizarre warnings about your server being shut down due to autoresponders. Sorry, but this item is ridiculous at best.)

    Fourthly - Regarding "These guys keep track of whom sends out spam." Yes, and they also are able to tell the difference between mass UCE and a simple autoresponse.

    Like it or not BoxTrapper IS effective against spam. It is not the only effective anti-spam tool but it is certainly an auto-whitelisting utility that is effective against all forms of email spam, and we are very happy that cPanel/BlackOrb includes this with their system.


    -------------

    By the way, the Spam-Cop page you quoted is loaded with bad advice. For example:

    ----------------------
    Problem: Misdirected bounces
    Description: When a mail server accepts a message and later decides that it can't deliver the message, it is required to send back a bounce email to the sender of the original message. These bounce emails are often misdirected.

    Solution: Upgrade and/or configure your mail server software so that this situation is never encountered. Configure your software to either reject messages during delivery or accept them permanently. Do not let your software make choices about delivery after it has accepted a message.
    ---------------------

    Think about it. If you follow this recommendation, and no mis-addressed email ever bounces (mis-directed or not). Then:

    A -- Giant spam-house in China sends email (probes) to 40 best guess addresses based on your domain name, e.g. sales@yourdomain.com tom@yourdomain.com sally@yourdomain.com etc etc etc.

    B -- None of these email messages bounce.

    C -- Those 40 email addresses are then determined to be LIVE email addresses by the spam house, and then sold, and resold, included within email "OPT-IN" (phony) mega-lists to spammers all over the world. (Now repeat this scenario for every spam-house around the globe. Then total this up and repeat daily.)

    D -- Your email addresses are avalanched with spam from all corners of the Planet, forever.
     
    #19 jols, Aug 25, 2007
    Last edited: Aug 25, 2007
  20. twhiting9275

    And you've personally checked out ALL Autoresponders, and ALL servers to verify this statement, right? Of course not.

    Now, it's entirely possible to abuse boxtrapper, and YES, to get it to take down a server. I've seen it happen quite a few times, so please, don't say it's not possible, because it is.

    Never once did I say it responds with the sent message. I stated that it was EASILY abused, simply put, and it is. All you have to do is send mail from X address to Y address that is known to be protected by Boxtrapper or something else. Rinse, repeat. The time it takes to get php mail() to work is nothing, really, and the amount of spam that can be sent out is just crazy. Boxtrapper HELPS this along.

    Actually, I've already left that provider, just because I didn't need the server any further, HOWEVER, I agree completely with their point, and will happily support it. We're not talking small peanuts here for a DC either, any major DC will take this stance, because it is UNSOLICITED email!

    and effective at creating spam as well. Spam is UNSOLICITED Bulk (sent by non human) email, which is JUST what boxtrapper is.

    Precisely the way things should be. If the mail address doesn't exist, nobody should know. If the email address exists, nobody should know unless the owner of the mail address wants it to be known.
     
