Domain: blitzed.org
Stories and comments across the archive that link to blitzed.org.
Comments · 13
-
Re:Free Opera??
-
Enforcement Issues & Sleazy ISPs
According to Spamhaus, whom I completely agree with based on my own experience, 80% of all known spam originates from no more than 200 "spam gangs", most of whom are in the United States. If China cooperates by providing U.S. Authorities with the missing logs to track the illegal activities of these groups so that law enforcement can prosecute them, that will be a good thing. But it still comes down to law enforcement going after the spammers, which is something that's not being done. If just a few of these 200 spam gangs were criminally prosecuted, we'd probably see spam levels drop dramatically. So everyone should contact their District Attorney and demand that they pursue and prosecute these cases.
And then you have big corporations that are deliberately sabotaging anti-spam efforts. AT&T for example is hacking their nameservers to be authoritative for anti-spam RBLs so their users are unable to filter mail based on these services. That's unconscionable, and reason # 87,343 why you shouldn't do business with a provider like AT&T who is not only being ambivalent about spam, but actively interfering with their customers' own attempts to find superior solutions. -
Re:What about the jerks?
there's nothing stopping you from blindly blocking access to your own servers; however in most cases, that'd probably be just an overreaction.
there are hundreds, if not thousands, of publically accessible proxys and anonymous surfing tools besides tor. you'd likely spend more time trying to keep your filter or block lists up-to-date than you would dealing with any mess left behind if you didn't bother.
I disagree. The combination of the Blitzed Open Proxy Monitor List and the TOR DNSBL do a pretty good job of weeding out abusive proxy possibilities. I agree that there are more out that these won't catch, but these do a much better job than you seem to think possible. It is sad that these have to be used, but there is little choice when abuse comes from these and there is no way to single out the bad person. -
Re:here you go:
-
Re:Blocking IP addresses? Only a matter of time...
Err, exactly this is why the OPL exists, albiet originally for IRC. There is also the CBL, which lists about a million open proxies and compromised machines.
I suggest you check up on how a DNSBL works and find out about them. They publish a constantly updated list of such proxies and other things, mainly for filtering out spam but can be used to filter out anything you don't want from an open proxy using DNS protocols.
As you can appriciate, having a constantly updated list is preferable to a static list of 1000.
There's no reason why Sprint couldn't use the OPL, Sorbs, NJABL, CBL or any of the other open proxy DNSBL's out there. -
Re:The SPEWS philosophy
From what I have gathered, the SPEWS philosophy isn't just indifference to collateral damage (ie, 'civilian casualties'); they actively do this damage in order to try to force ISPs into changing their habits. And they are extremely difficult to both reach and reason with; you can post on a newsgroup and hope someone pays attention to your pleas.
Unfortunately, SPEWS does not speak up for themselves, so a certain set of fanatics on newsgroups have taken to speaking up in SPEWS' place and offering listees their flawed interpretation of what SPEWS does and is. You will find absolutely nothing in SPEWS' own documentation -- including the FAQ -- asserting any of the following myths.
"SPEWS wants to cause 'collateral damage'."
The popularization of the term "collateral damage" is entirely due to a minority of militaristic posters on the newsgroup news.admin.net-abuse.email. These folks like to fantasize that fighting spam is a "war" rather than simply good systems administration. Even though SPEWS doesn't speak in their terms or play their game, they want to enlist it on their side in the war, trump it up as a scary weapon that ISPs should fear. The fact of the matter is that SPEWS does not intend to cause collateral blocking, and in fact does not serve well the purposes of those who want to do collateral blocking of spammy ISPs. That is what the blackholes.us lists are for -- blocking all the netblocks of an ISP you think is a spam source. Less than 1% of mail blocked by using SPEWS is non-spam mail, so if you wanted to block a lot of non-spam mail from spammy ISPs, SPEWS would not help you do that very well."If you're listed in SPEWS, complain in a newsgroup."
This is based on some semiliterate person's misreading of the SPEWS FAQ. The FAQ nowhere suggests that complaining on a newsgroup will get you delisted. Rather, it offers pointers to a couple of newsgroups as places to discuss spam and blocklisting in general. When people come to the newsgroups and post "del1st m33" they get treated about as you'd expect someone who wanders into a conversation mumbling about how mistreated they are gets treated -- with distate and suspicion. Abuse newsgroups are not your fucking tech support. They are for systems administrators and other concerned parties to discuss abuse problems -- not for you to whine about how SPEWS doesn't want to receive your mail. You know how bad an idea it is to whine at your own site's BOFH? It's hundreds of times worse to whine at dozens of BOFHen who have no obligation to you, who have every reason to flame you into a crisp and block all your netblocks with a message like 550 goatse wanker."SPEWS accuses us of being spammers."
There are many DNSBLs out there that are "spam-source" DNSBLs. That is, they list the IP addresses of hosts that have transmitted spam to a spamtrap address or honeypot system, or that have been reported by their users as sending spam. Not every DNSBL is a spam-source DNSBL. There are a lot of types of DNSBL that have nothing directly to do with whether an IP address has sent spam. For instance, the Blitzed Open Proxy Monitor DNSBL started as a way for IRC operators to keep track of open proxies that were an abuse risk for IRC servers -- nothing to do with spam whatsoever. SPEWS, likewise, is not a spam-source DNSBL. It is a predictive DNSBL, hence the words "early warning" in its name. Its goal is like a "spam hurricane watch" -- it isn't just to tell you where the hurricane is today, but also where it will be tomorrow. It's a fact of the world that netblocks that willingly harbor some spammers tend to get more spammers, and so it's reasonable if one wishes to predict where the spam will come from tomorrow, to say that it will come from the same wider netblocks that the spammers ar -
Re:open proxy list
there's the Blitzed Open Proxy Monitor list.
-
blacklisting this stuff
You can always add the Blitzed Open Proxy DNSBL to your mailer configuration, check out http://opm.blitzed.org/.
-
Re:Incomplete!
I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
You semiaddress the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until affectively revealed by dropped emails.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering
... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
-
Re:Incomplete!
He's pointing out that current blacklisting systems are stupid. He's pointing out that the people who run the blacklisting systems are generally unaccountable (most lists are secret), that they do impose arbitrary blacklist entries against groups they disagree with, well outside of their advertised remits (such as MAPS blocking an ISP that had a handful of customers that sell spamming software), that ordinary bystanders are frequently the victims of over zealous blocking and that, per se, anyone relying on a third-party RBL based solution is making a huge mistake.
But, you see, those things he's "pointing out" are wrong. They just aren't so. They aren't the way the world works, and they aren't the way DNSBLs work.
- DNSBLs are not secret or unaccountable. They can't be! They are accountable to those who use them (mail server operators), who are respectively accountable to their users. Individual DNSBLs have force solely because sites use them; a DNSBL nobody uses is a no-op. I use certain DNSBLs because I trust them to accurately do what they say they will. If a DNSBL that I use starts going haywire and listing things that it said it would not, then nobody will continue to use it -- and it will therefore be without force in the world. (Incidentally, anonymity or pseudonymity does not equal unaccountability -- but if you don't know that, get the fuck off the Internet, since we fought that one almost a decade ago, and St. Julf of Penet was right.)
- MAPS screwed up, and was held accountable for it. That is why nobody who is serious about spam-fighting takes MAPS seriously any more. They fucked up, they fucked up bad -- and so today they are naught but a minor player. SPEWS, SBL, and ORDB are the big players in the world of DNSBLs, because they do what they say they will do, and they don't fuck around. (Note: That they do what they say they will do doesn't mean they do what you want them to do. You don't get to decide that except for your own mail server.)
- There is no "overzealous blocking" problem. There just isn't. If you are thinking about SPEWS, keep in mind that sites which use SPEWS know what it does and want it to be doing that -- otherwise, they would quit using it. SPEWS doesn't force itself upon unwitting mail servers -- rather, operators have turned to it because it works, it works well, and because they and their users are sick and tired of putting up with ISPs which don't boot off their spammers. It isn't "overzealous" -- it is doing precisely what we want.
- Using DNSBLs isn't a "huge mistake"; it's effective collaboration. Right now, DNSBLs represent the best means for sites to share information with one another about which IP addresses emit spam, or are open proxies, or belong to spam supporters. They are used not only by mail server operators, but also by IRC operators tired of proxy-borne abuse. They are effective -- and if they were not effective nobody would use them. If a better means comes along to do what DNSBLs do, then we will happily use it -- but it ain't here yet.
It is not mail users who want us to consider DNSBLs passe' or something to "move beyond". It is spammers who want us to give up our current most effective tool for collaborating to impede their crimes.
-
Re:Wrong!
This is in every way wrong. If that damn company can't make mail software it's their problem. They don't have anything to do with us who just try to block spam.
The way I see it, Ian/Orbz was criminally negligent for using a test that he knew (because he already reported the problem hismelf) would crash unpatched Domino servers.
What's more, he knew that that particular test never worked on Domino servers.
IMHO at the very least he should have skipped that check for Domino servers.
Now, I am not arguing against the fact that Domino admins should be clueful enough to apply the appropriate patches, but some blame has to lie with Ian/Orbz for negligent behaviour.
I would consider it appropriate that Ian/Orbz be fined in order to serve as some form of encluement. The other guys have already had their encluement in the form of downtime.
I am not advocating destroying Ian's livelihood nor would I wish to see Orbz die, but IMHO under a fair legal system, once some blame is apportioned then it has to be accounted for.
People who run DNSBL-style services have a duty to be good Internet citizens just as much as the corporate sysadmins who run servers. This issue is very close to my heart since I am involved with Yet Another DNS-based Blocking Service myself.
-
Re:more?
And here's another one for you, which displays some unfortunate IE6 quirks. Again, the page works fine in Netscape 6/Mozilla.
-
Re:IRC can be fixed easily.
However it is still possible (even with any ip address blocking) to determine a users address by using netstat on a shell.
With some form of "hostmasking" scheme, this is only possible if you can get the person to open a direct connection to yourself (e.g. by getting them into a DCC CHAT/SEND situation). So that is a question of user education.
Hostmasking as a security method has other more serious problems which I would actually love to discuss (as I am trying to implement this in a non-sucky way) but I fear that for this thread that'd be off-topic. Chat to me if you care, you can find me here.
The other problem is lag/netsplits.
What many people seem to ignore is that multiple servers are there to solve Internet connectivity issues, not to make them worse -- the theory being that a set of servers housed in large organisations under professional hosting conditions are more reliable than the path between any two domestic internet users.
If your network of choice has servers that split off all the time then those servers should not be there and are likely being used as penis extension tools by people running them off their own @home cable modem (when their mom doesn't need to reboot into win98 to use Word).
Consider that if your chosen network has 5 servers and one dies, your users can go to another server and resume conversation with the same people. If your network has one server and that dies, well, you work it out. In short, reducing the network down to one good server is only the answer when the other servers are lame.