Cisco’s anti-spam service SpamCop failed to renew spamcop.net over the weekend, letting the domain lapse and causing countless messages around the world to be falsely labeled and rejected as spam.
From what we can tell, this is what happened. When the domain name expired, *.spamcop.net resolved to a domain parking service’s IP address. The way that SpamCop’s DNS-based blocking list works is that if you, for example, want to check that an email sent from a system with the IP address 18.104.22.168 is legit, you run a DNS query on 22.214.171.124.bl.spamcop.net. If SpamCop returns a valid DNS entry for that lookup, then it’s an IP address known to have sent out spam in the past and should be treated with suspicion.
Thus, after the domain name expired, every single *.bl.spamcop.net lookup succeeded, because the name now pointed to a parking service. That meant every email received by a server checking SpamCop for known spammers was flagged up as spam and rejected. As such, mail server administrators saw what looked like a deluge of spam.
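The failure mode above, as an added example that is not code from SpamCop or from the original article: a check that treats any DNS answer as a listing, beside one that accepts only answers in the conventional 127.0.0.0/8 DNSBL range and first runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not). Query names are built from the IPv4 octets in reverse order. The two resolver functions and all sample addresses are constructed stand-ins for real DNS, and the function names are hypothetical.

```python
import ipaddress

ZONE = "bl.spamcop.net"
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")  # conventional DNSBL answer range

def query_name(ip, zone=ZONE):
    """DNSBL query name: the IPv4 octets in reverse order, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def naive_is_listed(ip, resolve):
    """The check described above: any answer at all counts as a listing."""
    return bool(resolve(query_name(ip)))

def classify(answers):
    """Turn the A records returned for a DNSBL query into a verdict."""
    if not answers:
        return "not-listed"  # NXDOMAIN or empty answer
    if all(ipaddress.ip_address(a) in DNSBL_RANGE for a in answers):
        return "listed"
    return "invalid-answer"  # e.g. a parking host; not a blocklist response

def zone_healthy(resolve, zone=ZONE):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (classify(resolve(query_name("127.0.0.2", zone))) == "listed"
            and classify(resolve(query_name("127.0.0.1", zone))) == "not-listed")

def should_reject(ip, resolve, zone=ZONE):
    """Reject only on a well-formed listing from a zone that passes the self-test."""
    if not zone_healthy(resolve, zone):
        return False  # fail open and alert: the list itself is broken
    return classify(resolve(query_name(ip, zone))) == "listed"

# Constructed stand-ins for real DNS resolution (name -> list of A records).
def healthy_resolver(name):
    listed = {query_name("127.0.0.2"), query_name("192.0.2.25")}
    return ["127.0.0.2"] if name in listed else []

def parked_resolver(name):
    return ["203.0.113.80"]  # wildcard record: every name resolves to the parking host

if __name__ == "__main__":
    for label, resolve in (("healthy", healthy_resolver), ("parked", parked_resolver)):
        for ip in ("192.0.2.25", "198.51.100.7"):
            print(label, ip, "naive:", naive_is_listed(ip, resolve),
                  "hardened:", should_reject(ip, resolve))
```

Against the parked resolver the naive check flags every sender, while the hardened check rejects none because the zone fails its self-test.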