Domain: ordb.org
Stories and comments across the archive that link to ordb.org.
Comments · 74
-
Re:Not noticing the increase
Blacklists, my friend. Here's my current list:
rsync-mirrors.uceprotect.net : Level 2 - Fast local blocking
combined.njabl.org - For dynamic IPs and other
dnsbl.sorbs.net - For open relays
relays.ordb.org - For open relays
list.dsbl.org - Various types of unsecured servers
dnsbl.tqmcube.com - dynamic IPs, spam trap
bl.spamcop.net - Spam trap
sbl-xbl.spamhaus.org - Known spammers, exploited servers
l2.spews.dnsbl.sorbs.net - Spam friendly ISPs
dnsbl.ahbl.org - Realtime composite
About four of those are composites, and contain blocks for dynamic IPs. Each link goes to the usage page for the blacklist, and if you want, you can just block dynamic IPs by using the correct subdomain. -
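Every list above is consulted the same way by an MTA: the four octets of the connecting client's address are reversed, prepended to the list's zone name, and an A record is looked up; an answer inside 127.0.0.0/8 means "listed". The Python below is added here as an illustration and is not code from the comment or from any of the lists' own tooling. It builds those query names, interprets the answers, and first checks each zone against the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not), so that a dead, parked or wildcarded zone cannot quietly start rejecting all mail. The zone names come from the comment; the resolver table, the client addresses and the two `*.example` zones are constructed so the example runs offline.

```python
"""DNSBL lookup with zone sanity checks (added example, not from the comment)."""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to the first A record returned, or None for
# NXDOMAIN.  Injecting it keeps the example offline; a real deployment would
# wrap socket.gethostbyname() or a dnspython query here.
Resolver = Callable[[str], Optional[str]]

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the lookup name: octets of client_ip reversed, then the zone.

    Raises ValueError for anything that is not an IPv4 address, so a caller
    bug cannot silently turn into a "not listed" result.
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listing_answer(answer: Optional[str]) -> bool:
    """Only A records inside 127.0.0.0/8 count as a listing."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A zone failing either test is dead, parked, or listing the whole
    internet, and must be dropped before it is allowed to reject mail.
    """
    positive = is_listing_answer(resolve(dnsbl_query_name("127.0.0.2", zone)))
    negative = is_listing_answer(resolve(dnsbl_query_name("127.0.0.1", zone)))
    return positive and not negative


def usable_zones(zones: List[str], resolve: Resolver) -> List[str]:
    """Keep only zones that pass the sanity check, preserving order."""
    return [z for z in zones if zone_is_sane(z, resolve)]


def check_client(client_ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists client_ip."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if is_listing_answer(answer):
            hits[zone] = answer
    return hits


def smtp_verdict(hits: Dict[str, str]) -> str:
    """The reply an MTA would give at connect time, naming the zones hit."""
    if not hits:
        return "250 OK"
    return "550 5.7.1 Service unavailable; client listed by " + ", ".join(sorted(hits))


# --- constructed data for an offline run -------------------------------------
ZONES = [
    "relays.ordb.org",           # named in the comment
    "list.dsbl.org",             # named in the comment
    "sbl-xbl.spamhaus.org",      # named in the comment
    "dead-list.example",         # constructed: parked zone, wildcard answer
    "lists-everything.example",  # constructed: answers 127.0.0.2 for every name
]

SAMPLE_ANSWERS = {
    # healthy zones answer the RFC 5782 positive test point ...
    "2.0.0.127.relays.ordb.org": "127.0.0.2",
    "2.0.0.127.list.dsbl.org": "127.0.0.2",
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    # ... and a constructed client 192.0.2.10 (documentation range) is listed twice
    "10.2.0.192.relays.ordb.org": "127.0.0.2",
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
}


def table_resolver(name: str) -> Optional[str]:
    """Stand-in for DNS: answers from the table above plus two broken zones."""
    if name.endswith(".dead-list.example"):
        return "10.0.0.1"       # parked domain: wildcard A record outside 127/8
    if name.endswith(".lists-everything.example"):
        return "127.0.0.2"      # broken list: every address "listed"
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    live = usable_zones(ZONES, table_resolver)
    print("usable zones:", live)
    for client in ("192.0.2.10", "198.51.100.7"):
        print(client, "->", smtp_verdict(check_client(client, live, table_resolver)))
```

Run the sanity check at startup and again periodically: the two constructed `*.example` zones show the two ways a list goes bad (a parked domain answering a non-127 wildcard, and a list that answers 127.0.0.2 for everything), and only the second of those would be caught by checking the answer range alone.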
Re:I want to find these spammers
It sounds like you're not using any other UCE protection. "hello" checks and RBLs are absolutes; then use header checks to really lock it down. After you have all three of those in place, educate spamd with a shared spam email box or a trap email address. Another thing you can do is submit the IPs of spam email to ORDB http://www.ordb.org/submit/
I've seen more than a 300% increase in spam being blocked during the month of October. I've seen at most a 1% increase making it through; but, I attribute that to not being able to block all outdated Outlook Express clients. That isn't a shot. Too many distros don't have Thunderbird 1.5.07 out yet so Linux users with Thunderbird are messing me up too. -
Running mail at home has its advantages...
"Running mail at home is a waste of my time. It can be done, but you get nothing but hassle out of it..."
After you set up your mail server (admittedly a bunch of upfront hassle) there is precious little maintenance to do. And I get lots of features I couldn't get otherwise:
- Mail clients are filtered through my firewall: I blackhole bogons for example, and certain abusive networks.
- RBLs of my choice: There are good RBLs and bad RBLs. I like the ORDB list, DSBL list, the Spamhaus SBL and XBL lists, the SORBS DUL list, and the Spamcop blocking list.
- Greylisting: This is effective for eliminating the remaining spam that makes it through your SMTP-time filters.
- Challenge-response: Yeah, I know... love 'em or hate 'em. TMDA has been useful to me in the past, though I'm not sure I'm going to keep it much longer.
- One-time email addresses: If you maintain your own server and domain, then you can have as many email addresses as you want. Expire them on your schedule, or perform special processing for mail received at those addresses.
- Forget about artificial mail-size limits: My ISP's email accounts cut off attachments at something like 2MB. So much for that camping video my friend wanted to send me. My personal mail server is much more forgiving.
- Flexible and secure access: My mail clients use POP3 and IMAP inside the firewall, and IMAP via SSH port-forwarding from the outside.
-
Re:Need s0ftware?
Ever heard of the many great realtime blackhole lists?
http://www.spamcop.net/bl.shtml
http://dnsbl.njabl.org/
http://ordb.org/
No need to roll your own. There is even one designed to list dynamic IPs (http://www.dnsbl.nl.sorbs.net/). -
Sympathy
I can understand the plight of being blacklisted. I work as an intern for a non-profit company (I swap every three months with another guy, who recently left, because of college. I just started again this week.) We've had our e-mail server blacklisted by the CBL twice in the last month.
From what I can tell, the current sysadmin (our IT department consists of the sysadmin and the intern) went through their automated faith-based removal. That worked for a month, but we got listed again yesterday. I've spent the last two days running all sorts of virus/*-ware tools on the servers themselves to see what, if anything, they have (nothing found.) Using tools like the Open Relay Database, I can't find any open ports. CBL supposedly only lists servers that are being used to send spam by proxy or virus/trojan. I went ahead and removed us from the list again today, and will be spending the rest of the week checking outgoing mail stats to see if anyone is sending an unusually high volume of mail, indicating that they have a virus/trojan.
It's unfortunate that we have a lot of troubles because the last-last boss, who was there for three years, was a total idiot. Unfortunately, my counterpart wasn't exactly proactive, either. To those who don't know this: (how could you not?)
No one gets administrative rights.
No one. -
The next frontier in spam fighting
As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.
This has both good and bad aspects. First, the good news: responsible ISPs will be able to block a good portion of spam at their routers and mailservers; it's not hard to detect and blacklist a PC which is spewing the same email to 20,000 different recipients. Unfortunately, it only takes a few poorly-configured ISPs to provide a great deal of bandwidth to spammers. Couple this with Windows' known security holes, and home users' typical apathy regarding patches and security updates, and you have a large pool of potential spam-hosts which cannot be as easily targeted as open relays or specialized spam-spewing servers. After all, if spammers are using a legitimate ISP's mail server to send spam, a remote admin can't block that mail server without also condemning large amounts of legitimate email to deletion, which may well be unacceptable.
The upshot of all this? The onus of spam filtering is going to be, more and more, on ISPs rather than on recipients. While this has its good side - spam filtered at the source doesn't take up as much precious bandwidth - it also means that filtering will be more difficult for those not close to the source.
-
Re:It's a Beauty Pageant
It is all fine and dandy to ignore volume when you are running a 200 user ISP, but when you get up to 50000 users with over a million messages a day it becomes slightly important.
3k lusers here. We top out at about a quarter mil messages a day. SpamAssassin and ClamAV along with ORDB, DNSRBL (apparently defunct), and SpamCop do the job quite nicely. (They're virtual and webmail users, so I had to roll a custom program to feed SpamAssassin's Bayesian learner and hack spamd up a tiny bit.)
Considering using ClamAV's smtp proxy, anyone have any recommendations on it one way or the other? -
Re:Will it be better than milter-sender?
SBL-XBL is great. It blocks a lot of stuff. In the last several months I added the following, which have also helped:
relays.ordb.org - http://www.ordb.org/
I also added ClamAV with the clamav-milter. That's eliminated all of the viruses that I used to get, although it does nothing for the virus warning messages I get from poorly administrated mail servers out there. Before I added ClamAV I was using the Virus Snaggers procmail package which was great at catching a lot of that stuff.
combined.njabl.org - http://www.njabl.org/
list.dsbl.org - http://dsbl.org
BTW, I use this procmail rule to catch all of the DSNs I get and stuff them in a mbox rather than having them clutter my inbox. I didn't write this and I forget who did. I think I got it from a post here on Slashdot sometime in the last year. To whoever wrote this, thanks.
# This recipe catches most DSNs
:0HB
* -1^0
* 1^0 ^FROM_MAILER
* 1^0 ^Status: 4.2.0
* 1^0 ^Status: 4.4.1
* 1^0 ^Status: 4.4.2
* 1^0 ^Status: 4.4.6
* 1^0 ^Status: 4.4.7
* 1^0 ^Status: 5.0.0
* 1^0 ^Status: 5.1.1
* 1^0 ^Status: 5.1.2
* 1^0 ^Status: 5.1.6
* 1^0 ^Status: 5.2.1
* 1^0 ^Status: 5.2.2
* 1^0 ^Status: 5.2.3
* 1^0 ^Status: 5.3.5
* 1^0 ^Status: 5.4.7
* 1^0 ^Status: 5.5.0
* 1^0 ^Status: 5.7.1
* 1^0 ^554 5.0.0 Service unavailable .*
* 1^0 ^Remote host said: 550.*User unknown
* 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
* 1^0 ^User.*not listed in public Name & Address Book
* 1^0 ^Sorry, no mailbox here by that name.
* 1^0 ^<.*>: Unkown user:
* 1^0 ^User mailbox exceeds allowed size:
* 1^0 ^.*No matches to nameserver query
* 1^0 ^A message that you sent could not be delivered
* 1^0 ^.*550 unknown user
* 1^0 ^This is a permanent error; I've given up.
* 1^0 ^The user(s) account is temporarily over quota.
* 1^0 ^Receiver not found:.*
* 1^0 ^Requested action not taken: mailbox unavailable.
* 1^0 ^--AOL Postmaster
* 1^0 ^I'm sorry to have to inform you that the message returned
* 1^0 ^550 5.1.1 <.*>... User unknown
* 1^0 ^550 <.*>\.\.\. User unknown
* 1^0 ^Subject:.*failure notice
* 1^0 ^did not reach the following recipient\(s\):
* 1^0 ^The following recipient(s) could not be reached:
* 1^0 ^.*550 Mailbox quota exceeded
* 1^0 ^.*550 Access Denied
* 1^0 ^550 5.0.0.*Can't create output
* 1^0 ^.*There is no such addressee as
* 1^0 ^Mail Delivery Failed... User unknown
daemon-msgs -
Re:Don't hate me because I'm beautiful.
Or maybe you just strung together a bunch of words in an attempt to impress me.
Could be, since you apparently lack the technical expertise to evaluate the terminology.
Well, what they did BEFORE they had the zombies was SEND OUT LESS SPAM!
Spam did not increase by 50% the day that zombie machines came into existence. It's stayed on a steady increase and some of the spammers simply shifted from open relays to zombie machines for economic reasons. It was cheaper to steal bandwidth from some numb-nuts user than pay for it themselves.
And you STILL have not provided ANY specifics on what they would do to send out the same amount of spam without the zombies.
They would go back to open relays and foreign ISPs. It costs a bit more, but it's still economically viable (explaining why they did that before zombies existed).
"There are 225K+ open relay sites (see the post from the other guy who smacked you down hard)."
Yet no one has provided ANY support for that statement. While MY research shows fewer than 100 sending me spam. And Netcraft shows only 53,341,867 domains (but only around 22 million active sites). Given that a large portion of these are HOSTED, the 225K+ would mean an incredibly large percentage of email servers were configured incorrectly.
Here is the support for that number.
Oh, did I use too many numbers there? Are you confused again?
Astounded, yes. Confused, no.
"a. Open relays. These show up on a regular basis due to new, misconfigured mail servers coming on line. There are already over 225K of them known and for every one that goes away, another one comes online."
Again, you cite numbers whose ONLY support is an "anonymous coward"'s posting on /. :D
If you weren't so fscking stupid, you could have looked up the numbers just like I did. Go to the link that I provided.
What was that about C2 security? :)
You wouldn't understand.
"b. Foreign spam-friendly ISPs who will give them outgoing e-mail for a handsome price."
Which destroys the economics of spam AND is easily handled by spamassassin.
Chinese and Brazilian ISPs, for example, already sell services to spammers. They send the spam. They host the domains. Obviously that disproves your claims about the economics.
"c. List servers (topica, Yahoo!, etc.)."
Only applicable if you have specifically opted in to those lists. :D (Remember where I said your DEMONSTRATED level of knowledge was ZERO?)
Dearest Dumbfuck, If I "opt-in" to receive e-mail from a large computer security mailing list and some spammer sends an "herbal v1agra" ad to the list, I haven't opted in to see his e-mail. It's a constant problem with mailing lists and why many have gone to manual moderation systems. Again, that you are unaware of this shows just what a newbie you are.
"d. Distributed mass mailings with Zombie machines going through their ISPs' mail servers. If the ISP limits e-mail to one every 30 seconds and there are 1,000 machines, that's 120,000 pieces of spam per hour."
Yep. That's what is called "reduction". Instead of a thousand machines sending a total of a BILLION messages a day, the spam load is reduced to 120,000 an hour.
So what? You didn't solve the spam problem through technological means. (Nice try at mixing up days and hours to try to make your brown number look more impressive.)
Not to mention that the ISP's email server would show up in services like SpamCop and the RBL's and the ISP could then take action as Comcast has done in the past and cut off service to those machines until they're cleaned.
No major ISP is going to blacklist MSN, Earthlink, Comcast, etc. while those ISPs are playing whack-a-mole with their constantly changing in -
Re:here you go:
-
Re:A mark or procedure for official business
Once an actual human person has read and acted on the mail, they should be able to mark it "official business" and/or move the email into an "official business" folder which does get kept as required.
We use SpamCop and ORDB, ClamAV, and SpamAssassin. Anything that fails the DNSBL test gets bounced, anything that ClamAV or SpamAssassin doesn't like gets marked as spam (viruses get stripped). Anything marked as spam is deleted after 3 weeks unless the user moves it out of the spam folder.
Basically, we're doing the reverse of your suggestion; using software to mark it "not official business" and auto-discarding it. -
Re:what about server solutions?
Can anyone suggest a decent, doesn't have to be perfect, server side anti-spam filter?
Don't waste your time implementing a content-based filter. The best solution is to incorporate a real-time spam relay blacklist. I recommend bl.spamcop.net. It's very effective and accurate with an extremely low legit mail blocking rate.
RBLs are great because they refuse spammer connections before the mail even gets delivered, so you don't waste bandwidth and system resources downloading spam crap and trying to interpret the contents. RBLs respect the sanctity of the e-mail message as a private communication medium and penalize those ISPs which allow spammers to operate.
If you're using Sendmail, you can also hard-code some of the IP regions where tons of spam is originating (signal-to-noise ratio for most people on the Chinese IP blocks is 0% so why allow them to hit your server in the first place? A few lines in your /etc/access file such as: "connect:218 REJECT" will knock off about 200-5000 spams per day utilizing minimal system resources).
Personally, if you want to get aggressive, block the following Class As: 61,80,81,82,83,142,164,193,194,195,196,200,201,202 ,210,211,213,217,218,219,220,221 and you'll stop a TON of spam from a lot of foreign countries you likely never communicate with.
Set up a web-based e-mail form and put a link to it in your Sendmail access configuration so that if any legit mail gets bounced, they can redirect to a web page to contact you in the [unlikely] event they were inappropriately blocked.
-
AOL doesn't care about spam
I've emailed the requisite 'abuse@aol.com' address hundreds of times, with copies of the spam emails, log entries, dates, times, and so on. Has anything changed? No.
I even emailed Carl Hutzler, Director of Anti-spam at AOL, and he hasn't returned my emails or my calls. The same goes for the hundreds of thousands of spams we get from *.verizon.net, comcast.net, voyager.net, compaq.com, and others. Clearly people inside the business infrastructure have infected systems propagating spam on the weekends, using the corporate bandwidth to do it.
At this point, this is what I do:
- Sendmail as my MTA, blocks a significant amount of spam, before receiving it, with some custom antispam rulesets I've cooked up.
- I also have triple-RBL set up in the MTA (ordb.org, mail-abuse.org, and so on).
- blackholes.us is set to block known-spammers from Argentina, Brazil, China, HongKong, Japan, Korea, Russia and Taiwan.
- virtusertable in the MTA chain blocks attempts at some common internal system accounts.
- SpamAssassin is tuned down to 3.5, and catches a significant portion of the emails that make it past the above measures.
- AV is done through procmailrc, with some custom heuristics in the recipes (contact me if you want these)
- Anything that SA catches is tagged and put into /var/spool/mail/SPAM
- I manually go through that SPAM folder, and report every entry there to the 'abuse@address' for the resolved provider (not the forged provider in the From: line, of course)
- For hosts that do not resolve, they are permanently blocked at the firewall.
- For providers that do not support the 'abuse@address' address, they are permanently blocked at the firewall.
- I then go through the mail logs themselves, and catch the brute-force attempts at sending mail to the dozen-or-so domains I host, and block them at the firewall.
So far, the more I block, the faster the spam comes in, and the more I block, ad nauseam.
Here are today's counts. At 5:30am, this was 164 hosts, and now it is 109 more than that.
iptables-save | grep "dport 25" | wc -l
273
Spam is definitely getting worse, as more and more machines are hijacked for the purposes of propagating it, with these trojans.
The more I block, the more incoming spam we get.
-
Re:Open Relays
As everyone else says, open relays no longer seem to figure much in the spam we receive here. I thought I'd link through to the stats to show the point, although (to my surprise) they seem to show just as many relays as ever (best graph at the bottom).
I suspect therefore that open relays (and proxies) are still an issue, but the spammers just don't use them as they are all blacklisted anyway.
"0wning" a machine seems to be the current way to do it. It really needs the ISPs to cut off any machine that has been 0wned immediately, and then contact the subscriber for some LART'ing. Unfortunately, at least on my ISP, they leave the user connected and then contact them later on; weeks later, if you are lucky, the user will fix their machine. -
Re:Test site
There already is a site that works pretty well. It's called ORDB
-
We already know, and admins already know
There are several projects out there that are detecting and blocking open relays (quite effective... I have used this and similar blocklists on my mail server). FTC wouldn't be doing anything groundbreaking, except more formally contacting the owners. Not that mail server admins don't notice when millions of sites start bouncing their mail because they're listed on such places as ordb and dsbl! After all, that is part of the effect of blocklists... puts pressure on people who run improper mail servers.
-
what about blacklists?
It may cause spammers difficulty, but what about the server you run it on... what keeps it from ending up blacklisted on ordb and the like, and then becoming inaccessible to all those people out there who have vigilant sysadmins and good firewalls?
-
Re:It's not going to work...
Just watch the RBL's and ISP's shut down your IP block for having an open relay...
How are they supposed to know the difference between a spamhole and a real open relay?
Don't they test that the relayed mail is actually delivered? ORDB does:
http://www.ordb.org/faq/#mail_accepted
Any tester that doesn't isn't very intelligent...
-
Re:Best thing they can do
Agreed on most points.
I'm not sure PKI needs to be part of the SPAM solution. Three reasons:
1) The same clueless ficktwizzles that set up their mail servers as open relays (224K of them? according to ORDB.org) will also be setting up their mail server certificates. No, this isn't fraught with peril.
2) There isn't a black market (that I'm aware of, doh) of private keys. Client certificates are useless, server certificates are useless unless you also own the domain name, code signing certificates, well, um, yeah I guess those are dangerous. But we've seen the lengths spammers will go, and I can easily foresee a huge market for stolen certificates, if now every domain has one to send mail.
3) The _last_ thing we need to do is get Verisign slobbering over using certificates for email. Over in the SPF discussion mailing list there are Verisign people who want certificates in the DNS records published by SPF. -
Re:Oh well.
-
How to fight spammers
There are ways to directly fight spammers without waiting for new laws, and without delegating the problem to someone else. Client-side filtering is no solution, the spammers don't care much - people who filter wouldn't have bought from them anyway - and it still causes massive bandwidth cost.
One of the nicest ways is a "teergrube" (tarpit) - a special SMTP server that is tuned to process incoming mail really, really slowly, thus making the spammer's tools very ineffective. It doesn't take much bandwidth or other resources to run one - everybody who has a computer connected to the net and doesn't need to run a "real" mail server (or is willing to configure a teergrubing proxy that only traps spammers and lets the real MTA take care of ham mail) should do so.
Most spam is sent via open mail relays. If you are bored or annoyed enough, take the time to read spam mail headers (the interesting one is the last "received" line, usually), and inform the admin of the open relay, so that they can close it or get the fuck out of the internet. Also, inform a blacklist like the Open Relay Database, so that mail servers will reject mails from these hosts.
Try to poison their address databases. Set up a web page invisible for human users that contains lots of addresses that don't exist. But be sure that these addresses also will never exist - only use subdomains that you control, or those mentioned in RFC 2606 (Reserved Top-Level Domain Names), hoping that stupid spamware will try to send to these addresses anyway.
None of this is at odds with client-side filtering or legislative initiatives, just some additional ideas. And annoying these bastards feels good.
-
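A minimal teergrube of the kind the post above describes, written for this page as an added example (it is not the commenter's software, and the post names no particular tarpit implementation). It speaks just enough SMTP to keep a sending program engaged, waits `delay` seconds before every reply, and answers DATA with a temporary failure so that no message is ever accepted. The hostnames, addresses and delay value are placeholders. A production tarpit would usually grow the delay with each command, and would sit behind a decision step (for instance a DNSBL hit) so that only clients already judged to be spam sources are sent to it while legitimate mail goes to the real MTA.

```python
"""Minimal SMTP tarpit (teergrube), added example for this page."""
import socket
import socketserver
import threading
import time
from typing import List, Tuple

BANNER_HOST = "tarpit.example"   # placeholder hostname


class TarpitHandler(socketserver.StreamRequestHandler):
    """Valid-looking SMTP replies, each one delayed; DATA is always deferred."""

    def reply(self, line: str) -> None:
        time.sleep(self.server.delay)   # the whole point: make every step slow
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self) -> None:
        self.reply(f"220 {BANNER_HOST} ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:                 # peer gave up and disconnected
                return
            verb = raw.decode("ascii", errors="replace").strip().split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply(f"250 {BANNER_HOST}")
            elif verb in ("MAIL", "RCPT", "NOOP", "RSET"):
                self.reply("250 OK")    # keep the sender walking through the dialogue
            elif verb == "DATA":
                self.reply("451 4.3.0 Temporary failure, try again later")  # never accept
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command unrecognized")


class TarpitServer(socketserver.ThreadingTCPServer):
    """One thread per connection so a slow client cannot block the others."""
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, address: Tuple[str, int], delay: float):
        super().__init__(address, TarpitHandler)
        self.delay = delay


def start_tarpit(delay: float, host: str = "127.0.0.1", port: int = 0) -> TarpitServer:
    """Start the tarpit in a background thread; port 0 lets the OS pick a free port."""
    server = TarpitServer((host, port), delay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_client(address: Tuple[str, int], commands: List[str],
               timeout: float = 30.0) -> Tuple[List[str], float]:
    """Drive one SMTP dialogue; return the replies and the wall-clock time it took."""
    start = time.monotonic()
    replies: List[str] = []
    with socket.create_connection(address, timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        replies.append(stream.readline().decode().rstrip("\r\n"))   # banner
        for cmd in commands:
            stream.write((cmd + "\r\n").encode())
            stream.flush()
            replies.append(stream.readline().decode().rstrip("\r\n"))
    return replies, time.monotonic() - start


# Constructed dialogue a bulk mailer would attempt (placeholder addresses).
DIALOGUE = ["EHLO client.example", "MAIL FROM:<sender@example.org>",
            "RCPT TO:<victim@example.net>", "DATA", "QUIT"]

if __name__ == "__main__":
    server = start_tarpit(delay=1.0)
    try:
        replies, elapsed = run_client(server.server_address, DIALOGUE)
        for line in replies:
            print(line)
        print(f"{len(replies)} replies in {elapsed:.1f}s")
    finally:
        server.shutdown()
        server.server_close()
```

Six replies take at least six times the delay, and the sender ends the dialogue holding nothing but a 4xx, which a bulk mailer that honours temporary failures will come back and repeat.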
The Heavy Hitters Are Still Around
So, when will we see a distributed RBL that can stand up to distributed attacks?
I'd never even heard of the two sites that closed down. Personally, I use Spamcop's DNSBL, DSBL, and ORDB.
-Lucas
-
Re:Fuck SPEWS
I don't know how many other ways I can say this: except for the cable company and a couple of out-of-state dialup services, my entire city is on cw.net. All of it. I have no option at all if I want to have server-capable broadband for less than the price of my own dedicated T1.
And that's why I don't like SPEWS. I have no leverage at all to do anything about it. None. It's not like I'm tacitly supporting spammers by staying on with a spam-friendly ISP; I'm using the only broadband ISP in town, and they happen to use cw.net as an upstream.
As it turns out, I think my ISP may be migrating to another upstream. If I were to verify that, do you think the powers-that-be would be generous enough to reward their move with the ability to send mail to SPEWS-crippled mailservers again? After all, they did the right thing - right?
Out of curiosity, what blacklists are you showing me on? Now that Osirusoft went black, I think my problem may've resolved itself. I'm not in the Spamhaus Block List, and ORDB doesn't list me in their database. Even their 3rd-party blacklist search gives me a clean slate.
-
not all RBLs created equal
List shopping? Choose by philosophy, methodology, and listing/de-listing policies. Here are the ones I use:
- Distributed Server Boycott List (list: list.dsbl.org)
- Open Relay Database list: relays.ordb.org
- Spamhaus Block List list: sbl.spamhaus.org
DSBL and ORDB list open relays. They have a clear (i.e. programmatically implementable) listing/de-listing process. Spamhaus actively investigates spam gangs. Their policy is not programmatically implementable, but it's pretty clear.
DSBL even has three flavors to choose from:
- list.dsbl.org "single-stage relays tested by trusted users"
- multihop.dsbl.org "the outputs of multihop relays, tested by trusted users"
- unconfirmed.dsbl.org "everything else, including tests done by anonymous users, people could potentially sign up their own ISP's mail server to this list"
I have a relatively small and spam-free system (only six domains, very few email addresses that are not publicly visible), so for the last 7529 emails (since I configured to use these RBLs) processed by Postfix the server has rejected:
- 103 via list.dsbl.org
- 1 via relays.ordb.org
- 8 via sbl.spamhaus.org
If you're griping about collateral damage, then don't choose a wanton list, and advise others not to use one. Just don't go maligning all RBLs like ignorami.
-
Calling out the lawyers (again)
Uppage there are a few of the expected calls for government regulation of email that we see every time there is a story about spam, and there are the obligatory anecdotes about the hundreds of spam emails that some poor souls find every day in their inbox.
So here is my usual post about how asking the government to regulate everything is a bad idea, and how I have little sympathy for the poor saps who are getting flooded with thousands of spam emails a day that make it difficult for them to see the one or two legitimate emails that their friends might send them each year.
First law. Bad idea because it won't work. As long as there are different countries with separate governments that have differing attitudes towards the internet, commerce, and law it will be impossible to legislate spam out of existence. That is not to say that I am supporting the idea of one government ruling all peoples or that I am advocating any sort of international treaty on regulating email and the internet.
Far from it.
What I am saying is there are good methods of reducing the flow of spam to your in-box to a trickle, possibly blocking the spam flow completely.
Use a provider that is as concerned about stopping the spam as you are. That means no AOL, no MSN, no Hotmail, etc. These companies are notorious for not only allowing you to get spam flooded, but for allowing their customers to send spam and not discontinuing accounts that are being used as fake "reply to" and "from" addresses. There are other companies that are just as irresponsible as the ones I mentioned, so you should not think that I am saying that these companies are the only ones that should be avoided.
If you like using the same email and access provider (I've been hijacking friends' access accounts for years now), then you should know that smaller access providers often are more responsive to users' (knowledgeable and legitimate) complaints than large companies. As an added bonus, their access rates tend to be low, and they are as, if not more, reliable than their corporate competitors.
If you like using a separate provider for email, ask around, do some searches, and choose one that has effective filtering/blocking of spam included in their basic package.
You can filter the mail yourself with one of the many spam blocking services or filters that are readily available on the internet. Here are some links to some of the blacklists and filters that I know about:
ORDB
MAPS
junkfilter
Bogofilter
SpamCop
SpamBouncer
There are others, some services are free, some charge money. If you are going to use a filter on your own machine that is not part of a service, I highly recommend that you stick with Free Software so you can learn something about how it works.
You should learn as much about the problem and potential solutions as possible by reading articles about spam that may be not quite as sensational as the currently popular "spammer hunting" genre, but are a little richer in detail and technique. Here is a good primer including some good links, and there's lots of good info on dealing with spam around the web.
You should attempt to encourage your provider to take an active role in helping users avoid spam troubles, either by providing information on how users can filter spam on their own machines, by providing spam blocking/filtering service, or by allowing users to install their own .procmailrc in their shell account (if they provide their subscribers with a shell acc -
Fight Open Relays!
Use (and support) the Open Relay Database. These people maintain a free service to blacklist mail from open relays. I can't attest for the service myself, but I've heard good things about it.
Everything helps in fighting the war on spam.
-
Re:It's not a bad thing
Spam is a social problem, just like any other type of fraud.
Yes, often the goods and/or services promoted through spam are fraud, but spam itself is not fraud. It is advertising.
As for the problem, I see it as a technical problem, as in "Why can't my damn service provider reject email with forged headers, from unsecured servers, from ISPs that are notorious for hosting spammers, and is obviously and easily recognised as spam by even the most half-assed filters? I guess I'll have to get my service somewhere else or check and filter it myself."
I haven't been "on the 'net" all that long (about seven years), but I still wonder when it happened that my fellow "netizens" started begging to be regulated. If you have a spam problem, do something about it. Learn something about the problems with open relays, irresponsible ISPs and how to use procmail to filter spam.
Help others learn by pointing them in the right direction.
Encourage your provider to take proper measures to stop spam from entering or exiting their domain, and put pressure on other providers to do the same.
Don't use services that encourage spammers (Hotmail, AOL, MSN, Mail.com, etc)
Stop asking lawmakers who don't understand the problem to do something about it. -
Add native support for DNSBL/RBL style block lists
MS Could make their software fight spam better by adding native support for the following two items:
1- Support for DNSBL/RBL style blocklists like ordb and spews in exchange 2000/ make a free addin for exchange 5.5
2- The equiv. of the BIND "Generate" directive to make it so that the MS DNS server can be used for blocklists. -
Re:here are the stats
Open Relay Database Stats by Country
You'll notice that the US is the #1 country. Top 3 are:
- The United States, with over 80,000 open relays
- Korea and Japan pretty much tied at +15,000 each
- Japan, at just under 10,000
-
Re:Not Pro-Spam, but....
65.59.224.128/25 could be blacklisted [by SPEWS], but I happen to know that they have quite a few hosting customers, most of whom know nothing about the other customers. Legitimately blacklisted?? -
ORDB has my ex-girlfriend's mail server listed. She develops and hosts sites. No spamming at all.
Servers are added to ORDB (FAQ) after they have been tested to be open mail relays.
So most probably your girlfriend's server was an open mail relay. Since open relays are exactly what ORDB claims to list, the listing was most probably correct.
An open relay is an incorrectly configured mail server. Rather than complain about the ORDB listing you should be grateful that they pointed out the flaw in your configuration before it was exploited by a spammer (or was it?).
It is also important to understand that ORDB only provides information of open relays. The owners of the recipients' mail servers decide whether they want to filter out mail originating from open relays.
The same applies to other blocking lists, such as SPEWS. The listing criteria are clearly stated on the SPEWS web page. They explicitly state that they escalate listings, i.e. they may also list non-spamming clients of the spammer's ISP (see Q16 of the SPEWS FAQ). Given this information, it is up to the owner of the recipients' mail server to decide whether to filter mail using SPEWS.
-
Not Pro-Spam, but....
I am anything but pro-spam, but I'm happy to see the blackhole lists get kicked around a little bit. Some of my accounts get hit more than the average person, because they are well placed on many web pages, or have been in use for years and are now forwarded to my account when people leave the company. I average about 200 spam messages per day coming into my account.
$RANT_MODE="ON";
I also handle many networks, with many many machines. Some of our networks have other people's equipment on it, but I'm 100% positive that they don't spam from their machines. Since they frequently ask me to help with their configurations, or help with problems, I'm intimately aware of what they do.
If there are spam complaints, they filter through to me very quickly. Level3's abuse account gets most of them. They filter out most of the bogus complaints, and are quick to get with us about legitimate complaints. We did have one machine hosted on one network that was spamming, which we ejected from the network shortly afterwards.
On a monthly basis, someone will come to me saying that they've been blacklisted by one of the many lists for ambiguous reasons. Any incident that is legitimate is cleared up between us and our bandwidth provider, under the threat of having the IP or IP block blocked from all Internet access. Level3 Communications is very anti-spam. They'll cut you off for being a spammer. If we don't explain or handle an incident, we could very easily lose our lines. I have no problem with this.
The last case with Level3 was a single spam complaint, sent through SpamCop. The message wasn't a spam at all. Someone had made a purchase online with an invalid credit card number. The Email simply stated that they had attempted a purchase (with IP and invoice number), and said if they still intended to make the purchase, they should contact the sales department at the store. I know the owner of the store personally, so I called him. He freaked out when I told him there was a spam complaint. This is a business man who is the most honest person I know. (If in Ft. Lauderdale, tell Glenn I say "hi"). I read the Email to him, and he confirmed that it was a legitimate message, and the card had been bad.. He immediately cancelled the order, and blacklisted the customer. The next day I got a forwarded Email which was an apology from the customer. She sends every Email off to SpamCop, and lets them sort them out. Nice, huh?
Now on to the abuses of the spews system. SpamHaus is /.'d right now, or I'd complain about them, but let's check who we can.
65.59.224.0/25 is one of our networks. A small backwater of our network. A few older machines live there, and not much happens. SPEWS has 65.59.224.0/24 blacklisted, as well as 66.166.136.128/24 which has no relationship to us (the wrong network size is theirs, not ours). Because I have machines on the first half of 65.59.224.0/25, I'm blacklisted. 65.59.224.128/25 could be blacklisted, but I happen to know that they have quite a few hosting customers, most of whom know nothing about the other customers.. Legitimately blacklisted??
ORDB has my ex-girlfriend's mail server listed. She develops and hosts sites. No spamming at all.
65.59.224.11 is listed as herbalo.com. Funny thing is, it doesn't exist on our network.. I'll personally escort anyone from spews into the colo to prove it to them.. Oh wait, I forgot, these are anonymous people who don't exist in the real world and don't feel themselves accountable for blacklisting innocent networks.
AOL has blocked one of my own servers, as well as those of two different friends (on their own networks) for "potential spam".. One of them had a *WEB* proxy server, and apparently because it existed (on port 8000), he was blacklisted from sending -
Re:forging of the from: address
Best place to start is the Open Relay Database FAQ or How Can I Fix the Problem. Poke around those sites and you'll find other sources as well.
Of course, most ISPs will be aware of this and have their own mail servers set up correctly. The problem is that most don't enforce it on their customers.
-
Re:Spam Control
Why not simply extend the Open Relay Database (or similar) to have an opt-in system for tracking domains notorious for spam?
Then, if a domain is sending lots of spam, they get blacklisted and suddenly disappear from the SMTP network. I'd like to see how many ISPs cope with not being able to send e-mail at all because they have a reputation for turning a blind eye to spammers.
By making the system opt-in at the client end, ISPs can decide if they want to accept mail from these sources, in the exact same way we do it for open relays.
Problem solved.
-
Re:Novel use of SMTP
It's MAIL FROM and RCPT TO, not the other way around. Look at this: ORDB.
-
Summary of IETF ASRG discussions
Four days ago when this was mentioned on slashdot, I posted the following summary of what had been discussed. Sadly, this summary is still pretty complete.
What I take from all this discussion is that the only "solution" to spam is to do the types of things that we have been doing for years, but to do more of it and quicker. Use well run DNS blacklists (Spamhaus SBL, ordb, dsbl, etc.), use good content filters (bayesian filters, etc.), use bulk mail detectors (such as DCC or vipul's razor, etc.) and per-user whitelists and blacklists.
Or, combine all of the above techniques by using SpamAssassin
--
I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.
The most interesting discussions that I've seen so far are:
- Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later. This is completely backwards compatible and doesn't require end users to do anything.
Most spam specific programs will not queue and retry, and thus the spam will be dropped.
Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.
Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.
Apparently the "canit" program already does this, but I had not heard of this technique before.
- Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server.
If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.
Also, false positives will receive a bounce message instead of just disappearing. This reduces the danger of important email being lost.
- There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.
Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and receiving email. There are currently no DNS records which tell you which IP addresses a domain will send email from.
The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.
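The sender-recipient tracking described in the summary above is what is now called greylisting. Here is a working sketch of it, as an added example that is not code from the post, from CanIt, or from any MTA: a first-seen triplet gets a 451 temporary failure, a retry after the minimum delay gets 250, and triplets that never come back are forgotten. The delay, the lifetimes and the choice to key on the client's /24 are assumptions of this example, not something the post specifies.

```python
"""Greylisting as sketched in the ASRG summary: first contact from a new
(client network, sender, recipient) triplet is answered with a temporary 4xx
failure.  A real MTA retries; most spam cannon software does not.
Added example, not from the post.  Timings and the /24 key are assumptions."""
import ipaddress
import time

RETRY_MIN = 300               # seconds a client must wait before a retry is accepted
UNRETRIED_TTL = 4 * 3600      # forget triplets that never came back
PASSED_TTL = 36 * 24 * 3600   # remember triplets that passed, so the delay is paid once


class Greylist:
    def __init__(self, retry_min=RETRY_MIN, unretried_ttl=UNRETRIED_TTL,
                 passed_ttl=PASSED_TTL):
        self.retry_min = retry_min
        self.unretried_ttl = unretried_ttl
        self.passed_ttl = passed_ttl
        self._seen = {}  # triplet -> (first_seen, passed_at or None)

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Key on the /24 so a sender farm that retries from a sibling address
        # still matches (assumption; IPv4 only, as in the thread's era).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply the MTA should give at RCPT TO time."""
        now = time.time() if now is None else now
        self.expire(now)
        key = self._key(client_ip, sender, recipient)
        entry = self._seen.get(key)
        if entry is None:
            self._seen[key] = (now, None)
            return "451 4.7.1 Greylisted, please try again later"
        first_seen, passed_at = entry
        if passed_at is None and now - first_seen < self.retry_min:
            return "451 4.7.1 Greylisted, please try again later"
        self._seen[key] = (first_seen, now)   # passed (or passed again): refresh
        return "250 2.1.5 Ok"

    def expire(self, now):
        """Drop never-retried triplets (almost certainly spam) and stale passes."""
        for key, (first_seen, passed_at) in list(self._seen.items()):
            if passed_at is None and now - first_seen > self.unretried_ttl:
                del self._seen[key]
            elif passed_at is not None and now - passed_at > self.passed_ttl:
                del self._seen[key]
```

The reply code matters: 451 is a temporary failure, so a conforming sender queues and retries, exactly the behaviour the summary relies on; a 5xx here would bounce legitimate first-contact mail.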
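The last proposal in the summary, a DNS record naming the addresses a domain sends mail from, was later standardised as SPF (RFC 7208). The following is an added example, not code from the post or from any SPF library, that evaluates the ip4/ip6/all subset of such a record against a client address; the records are constructed and supplied inline so nothing is looked up in DNS, and the domain names are placeholders.

```python
"""Checking whether a client IP may send mail for the MAIL FROM domain, using
an SPF-style record (v=spf1 ... ).  Only the ip4, ip6 and all mechanisms are
handled; a, mx, include and friends need DNS and are reported as permerror.
Added example, not from the post; RECORDS is constructed sample data."""
import ipaddress

# Constructed records standing in for TXT lookups of the two domains.
RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all",
    "example.org": "v=spf1 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from, records=RECORDS):
    """Return pass / fail / softfail / neutral / none / permerror."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                      # domain publishes nothing: no opinion
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]        # catch-all decides for everything else
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            return "permerror"             # DNS-dependent mechanism, not implemented
    return "neutral"                       # no mechanism matched and no 'all'
```

The two failure modes the post worries about are visible in the results: a forged MAIL FROM sent from an unlisted address gets "fail" against a -all record, and an ISP that forgets to list a new outbound server produces the same "fail", which is why many publishers start with ~all (softfail) until they trust their list.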
-
Re:Blacklisting SMTP servers?
No, most spam originates from the spammer's own mail server through his own large bandwidth link.
There are several blacklist initiatives (mail-abuse.org and ordb.org for instance) in use today, but that doesn't nearly solve the problem from the experience I had.
I'm sick of it to the point of *calling* the advertiser (if they provide a number) and giving them a piece of my mind.
-
Site accessible to non-IE browsers now!
Thanks to all of you who e-mailed nastygrams, and cussed at them over the phone ;-) Our complaining has helped: the site is accessible to all browsers now (there is still an "optimized for Internet Explorer 5" sentence there, but at least now you can see the useful content as well). Many thanks for your participation!
Now on to the next target: http://www.lux-world.lu/. The good news is that in addition to running an IE-only site, these lusers also run an open mail relay (you need to specify an address @lux-world.lu in your mail from: command). Yum, spam, yum! Our team is currently busy registering them with a number of open relay block lists, in order to diminish the customer value of their webmail service as much as possible ;-)
-
Re:Great Stuff! Hope to see more
All you need to block spam:
- Open Relays Database ORDB
- Osirusoft RBL
- Spamcop
- And Postfix and its great spam filtering options.
-
Re:Spam needs a global solution (Global Solution)
Spam doesn't select a pathway but spammers do. If you could block relay spam at the open relays it would be dead. You can't, of course - the open relays are controlled by people who don't know the need to block spam.
These people learn quickly, after their servers make their way to the open relay blacklists. Just make sure it happens every time you receive a spam that has apparently been sent through an open relay. Forward the spam to relays@ordb.org with the first line: Relay: IP_address , or pop up ORDB and fill in the form.
-
Re:Incomplete!
I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
You semi-address the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until effectively revealed by dropped emails.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering
... it means you have a problem with your ISP and its choices for how to minimize problems on its own network. If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
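The reply above makes a point worth seeing in code: a DNSBL is consulted by reversing the client's octets, appending the list's zone and resolving an A record, and a hit produces an SMTP 5xx at connection time, never a "host unreachable". The block below is an added example, not code from the post or from any MTA; the resolver is a constructed stub so it runs offline, the zone names are ones the thread mentions, the listed addresses are made up, and the "any answer in 127.0.0.0/8 means listed" rule is the common convention rather than a guarantee for every list.

```python
"""DNSBL lookup the way an MTA does it, with a local whitelist consulted first
(the reply's answer to the occasional false positive).  Added example, not
from the post.  stub_resolve and FAKE_DNS are constructed; for a real lookup
use socket.gethostbyname_ex(name)[2] and treat socket.gaierror as 'not listed'."""
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """203.0.113.45 + zone -> 45.113.0.203.zone (IPv4 only, as in the thread)."""
    ip = ipaddress.IPv4Address(client_ip)          # raises ValueError for anything else
    return ".".join(reversed(str(ip).split("."))) + "." + zone


# Constructed stub standing in for DNS: query name -> A records returned.
FAKE_DNS = {
    "45.113.0.203.relays.ordb.org": ["127.0.0.2"],
    "7.100.51.198.sbl-xbl.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
}


def stub_resolve(name):
    return FAKE_DNS.get(name, [])


def dnsbl_lookup(client_ip, zones, resolve=stub_resolve, whitelist=()):
    """Return (zone, answers) for the first zone listing client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in whitelist):
        return None                                 # local whitelist wins over any list
    for zone in zones:
        answers = [a for a in resolve(dnsbl_query_name(client_ip, zone))
                   if ipaddress.ip_address(a) in LOOPBACK]
        if answers:
            return zone, answers
    return None


def smtp_reply(client_ip, zones, **kwargs):
    """What the receiving MTA says at connect/RCPT time; a 5xx, so the sending
    MTA generates the bounce and the recipient site never queues the spam."""
    hit = dnsbl_lookup(client_ip, zones, **kwargs)
    if hit is None:
        return "250 2.1.0 Ok"
    zone, answers = hit
    return (f"554 5.7.1 Service unavailable; client [{client_ip}] blocked "
            f"using {zone} (returned {', '.join(answers)})")
```

Querying several zones in the order you trust them, and stopping at the first hit, is also what keeps the per-connection cost down; the reply's remark about zone transfers is the next step when query volume makes even that too slow.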
-
SMTP is not the culprit
The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.
Having written various SMTP software for a few years now I would like to comment on the "forged headers". Forged email headers mean nothing. When a client connects to an SMTP server to send a message the client's IP address is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, it's up to the email reader to interpret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million dollar AOL settlement was evidence to that.
I do however agree with the Authorization argument. If more SMTP servers in the world would simply require authentication/authorization from their users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
Why An Open Relay is a Problem.
It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.
-
Re:Funny
True, excellent point.
I've also been thinking of implementing my own spam filter here, but after receiving tons of spam advertising "viagra", "viagrea", "wiagra", and "\/iagra" I realized the majority of the problem, and continued my volunteer work for spamcop.net and ordb.org.
I believe it's an effective method, as long as the mailserver administrators can straighten up a bit.
Another thing is the spammers' behaviour and ethics. So they offer me viagra and university diplomas, even though I didn't ask for it, then fine. My life goes on. But my bigger concern is the younger surfers. Kids, maybe as young as 8 or 9 years old with their private @hotmail.com address, who knows how much porn offers and links they receive each day? How can spammers sleep at night when they expose the youngest to something like that?
-skurk
-
Re:Spam Lite
I've noticed an increase on my yahoo! account. I used to get zero (honest zero!) spam on that account. The only mistake I think I made was to use that account in my purchases both at buy.com and outpost.com. So, I have those two sites under suspicion of selling my email address.
My personal address though, I used to get about maybe 3 or 4 spams a day. A tolerable amount. These were spams where I was in the To or Cc list, as I filter emails where my email address isn't in those fields into a spam folder which I browse through for valid emails from friends once a month or so.
Then I noticed a big jump in amount of spam: 10-15 spams a day! Keep in mind I have been using ordb.org for quite a while now.
This increase in spam prompted me to start my own blacklist. I started keeping my spam and parsing source IP addresses. Originally I had about 900 IPs listed. I didn't see a dramatic decrease in spam though. Though I did notice soon after using my blacklist that I got a few emails confirming my subscription to "so and so list" was.
Next I noticed a huge flood of spam from azoogle.com servers. So they just got firewalled out! (a quick search on them also showed quite a few sites, including universities, that blocked out azoogle.com completely).
Now, my blacklist is roughly at 2200 IP addresses and I get about 5-8 spams a day. A fair decrease from the original 10-15 a day I would say. And every week I keep adding to my blacklist.
Does anyone else have similar experiences?
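Both "SMTP is not the culprit" above and the poster here rely on pulling the source IP out of the headers. The security detail worth getting right is which Received: line to believe: lines are prepended, so only the ones written by your own MX and internal relays are trustworthy, and the right address to blacklist or submit is the first hop below them; everything further down may have been typed by the spammer. The block below is an added example, not code from either post; the message, the trusted-host set and the hostnames are constructed, and the "Relay: <ip>" first line follows the submission format mentioned earlier in this thread (ORDB itself ceased operation in 2006, so treat that part as history).

```python
"""Walk Received: headers from the top (our MX) down and stop at the first
hop we did not write ourselves: that is the client that handed us the spam.
Added example, not from the posts; RAW and TRUSTED are constructed."""
import email
import re

# Assumption: IPs of our own MX and internal relays, whose Received: lines we trust.
TRUSTED = {"192.0.2.10", "10.0.0.5"}

# Constructed message.  The bottom Received: line is the spammer's forgery.
RAW = """Received: from relay1.example.com (relay1.example.com [10.0.0.5])
\tby mx.example.com (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.com>; Tue, 21 Oct 2003 10:00:05 +0000
Received: from mail.bogus-isp.example (unknown [203.0.113.45])
\tby relay1.example.com (Postfix) with SMTP id 4D5E6F; Tue, 21 Oct 2003 10:00:01 +0000
Received: from trusted.bank.example ([198.51.100.7])
\tby mail.bogus-isp.example; Tue, 21 Oct 2003 09:59:00 +0000
From: "Lottery" <winner@example.net>
To: user@example.com
Subject: You have won

Claim your prize.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal


def received_ips(raw):
    """Bracketed IP from each Received: header, newest (top) to oldest (bottom)."""
    msg = email.message_from_string(raw)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_RE.search(header)
        ips.append(match.group(1) if match else None)
    return ips


def originating_relay(raw, trusted=TRUSTED):
    """First hop below our own machines.  A hop we cannot parse stops the walk:
    guessing past it would mean trusting a line nobody we control wrote."""
    for ip in received_ips(raw):
        if ip is None:
            return None
        if ip not in trusted:
            return ip
    return None


def ordb_submission(raw, trusted=TRUSTED):
    """The forwarding format the thread mentions: first line 'Relay: <ip>',
    then the spam itself so the list operator can verify the headers."""
    ip = originating_relay(raw, trusted)
    return None if ip is None else f"Relay: {ip}\n\n{raw}"
```

Note what the function does not do: it never returns 198.51.100.7, the address in the forged line, even though that is the one a naive "take the last Received:" script would submit. That is how innocent third parties end up on lists.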
-
Check those headers!
Granted we're all busy, we all could do the more well-meaning Internet a duty by checking the headers of even five or ten a day of those SPAM messages and submitting any open SMTP relays you find to at least one realtime blackhole list. This is what I've been doing for over a year. This is precisely what the article meant about e-mail vigilante-ism. You'd be surprised to find out how much of the SPAM you receive are sent through ill-configured mail relays.
It also quite likely means YOU have received one less SPAM message because of ME!
And how does one confirm a mail host is an open relay? I shall not explain, but if you know of telnet and a bit of Simple Mail Transfer Protocol, you could manually check this.
Quite honestly, if even half the Slashdot population did this sort of thing consistently for two weeks, the entire Internet could conceivably see a tremendous decrease in SPAM flow. Not impossible.
- IP -
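The poster declines to spell out the relay test; for checking your own server it is worth knowing, and it is also what the "MAIL FROM and RCPT TO" reply earlier in the thread is about. The probe below is an added example, not code from the post or from ORDB: it greets the server, gives a MAIL FROM and a RCPT TO that are both foreign to it, and reads the RCPT reply. A 250 there means the server will relay for anyone; a 5xx means relaying is refused. The probe resets and quits before DATA, so no message is ever injected. The toy SMTP server is constructed so the probe can run offline, and all hostnames and addresses are placeholders.

```python
"""Open relay probe, plus a toy SMTP server to run it against.
Added example, not from the post.  Only run relay_check against hosts you
are responsible for; the toy server exists so the probe is testable offline."""
import smtplib
import socketserver
import threading


def relay_check(host, port, mail_from="probe@example.net",
                rcpt_to="victim@example.org", timeout=10):
    """True if the server accepts a recipient it is not responsible for."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.net",
                      timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(mail_from)
        if code != 250:
            return False
        code, _ = s.rcpt(rcpt_to)
        s.rset()                     # never DATA: this is a probe, not a delivery
        return code in (250, 251)    # 251 = "will forward", still a relay


class ToySMTP(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer the probe.  Relays when server.open_relay is set,
    otherwise accepts only its own domain, which is the correct configuration."""
    LOCAL_DOMAINS = {"example.com"}

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 toy.example.com ESMTP")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 toy.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                if self.server.open_relay or domain in self.LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def run_probe(open_relay):
    """Start a toy server with the given relay policy, probe it, tear it down."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), ToySMTP)
    srv.open_relay = open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return relay_check("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("open relay   :", run_probe(True))
    print("closed relay :", run_probe(False))
```

Two caveats a practitioner would add. First, some relays only open up when MAIL FROM is in their own domain (the lux-world.lu case earlier in the thread), so a thorough check repeats relay_check with mail_from set to an address at the target's domain. Second, a 250 to RCPT is a policy decision made before DATA, which is why the probe can stop there; the server has already told you everything ORDB needed to know.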
What an asshole
Once added to the list, there is no way to appeal the blocking or to fight such policies
This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea.
I inadvertently ran an open relay and quickly ended up on Ordb, and rightfully, I might add. My mail server logs had this nice explanation given in the error message from other servers, complete with a helpful link explaining how to fix and get delisted (fix your server, resubmit its IP for checking, get automatically removed).
3 hours and a sendmail.cf later I was back with the good guys, and had this nice warm feeling :-)
-
Re:The Author Responds
The clueless dumbshit lawyer Author whined: "As vile as spam is, the ends don't justify the means"
Yes they do! One dumbshit lawyer who could not get a few emails out is perfect justification to stop a spammer from mailing 10-million people crap from dumbshit's open relay.
(my analogy is flawed as dumbshit and spammer could still get mail out, they just won't get into my ORDB protected server!)
-
Re:The Author Responds
The Danish people have pages and links to pages that tell people like this doof "how to fish", my bet is his brain was too small or rod was too short.
-
Re: spam ratio too high?
-
Re:Rules of not getting spammed.
-
Re:Sometimes "collateral damage" is intentional
can you really expect them to always keep *every* user with an open-relay off of their network? Even if they hired whole teams of people
...Absolutely I expect this, or close to it. Rather than hiring hordes of staff to perform the task, why don't they [gasp] use a computer to track and monitor open relays? It works for ORDB