Domain: osirusoft.com
Stories and comments across the archive that link to osirusoft.com.
Comments · 21
-
Re:Distrustful of Network Level Censorship
Spam control with RBLs is, in fact, decentralized. There are many RBLs to choose from, and any that are too severe will not be used for long if they generate too many false positives. As a system admin, I have my choice. I use 4 RBLs right now:
- spamhaus.relays.osirusoft.com (this is a mirror of the Spamhaus Block List): well known spam operations, and is checked hourly.
- dialups.relays.osirusoft.com (details at OsiruSoft): this list is of DHCP IP addresses of home users (DSL, cable, dial up).
- dnsbl.njabl.org (extensive details of what's on this list)
- rbl.restongeek.com: I maintain this one myself for anything I want all my servers, primary and backup MX, to block (/. journal for a sample report).
If I start to think maybe one of these lists is a little too severe, or someone lets me know that there are problems with one or more of the lists, I will delete it and pick another. Or maybe not. It is my choice, I want to keep down the spam on my system, for my sake as well as my clients'.
-
Ack!
Hate Microsoft; hate spam.
Hate Microsoft; hate spam.
Evil greedy corporation; slimy pollution of the Internet.
Illegally abusing their monopoly; illegally hijacking servers.
Overpriced software; lowest mortgage rates ever.
Bug-ridden products; barnyard porn.
Embrace and extend; extend your manhood.
No concept of security; special offers on SystemWorks 2003.
Never innovating; always innovating.
I'm siding with Microsoft.
*sob* -
Verizon DSL customers also blacklisted
I checked on Osirusoft with a random dynamic Verizon DSL IP address. Results are interesting:
(127.0.0.3) 4.60.0.0 is DNSbl listed. by dun.dnsrbl.net
Quite a few sites use Osirusoft's DNSRBL database and as a result inadvertently block mail from these DSL customers. Oh well, at least VZ provides its customers with an SMTP server.
(127.0.0.3) 4.60.0.0 is DNSbl listed. by blackholes.five-ten-sg.com
(127.0.0.2) 4.60.0.0 is DNSbl listed. by spamguard.leadmon.net
Dial-Up/Cable/DSL IP Range - Use your providers SMTP Gateway
(127.0.0.2) 4.60.0.0 is DNSbl listed. by work.drbl.croco.net
weight: 1; vote.drbl.bilim-systems.net/0.4 vote.drbl.trecom.tomsk.ru/0.4 vote.drbl.kaa.ru/0.2
dsl-verizon.net 0212221906
dsl-verizon.net
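An added example, not code from the comment above or from Osirusoft: how a mail server turns lookups like the ones shown into a decision. The zone names are taken from the output above; what each 127.0.0.x answer means is an assumption for this example, and the resolver is a constructed stub so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Zones from the lookup output above. What each 127.0.0.x answer means is an
# ASSUMPTION for this example: every list publishes its own code table, so
# read the list's documentation before acting on a code.
ZONE_CODES: Dict[str, Dict[str, str]] = {
    "dun.dnsrbl.net": {"127.0.0.3": "dialup"},
    "blackholes.five-ten-sg.com": {"127.0.0.3": "dialup"},
    "spamguard.leadmon.net": {"127.0.0.2": "dialup"},
    "relays.osirusoft.com": {"127.0.0.2": "open-relay", "127.0.0.4": "test-blocker"},
}

Resolver = Callable[[str], Optional[str]]   # query name -> A answer or None
Hit = Tuple[str, str, str]                  # (zone, raw answer, category)


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for a DNSBL: the client's octets reversed, under the zone.
    4.60.0.0 checked against dun.dnsrbl.net becomes 0.0.60.4.dun.dnsrbl.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_client(ip: str, resolve: Resolver) -> List[Hit]:
    """Consult every zone: an A answer means listed, NXDOMAIN (None) means not."""
    hits: List[Hit] = []
    for zone, codes in ZONE_CODES.items():
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        # A code missing from the table is recorded, never acted on blindly.
        hits.append((zone, answer, codes.get(answer, "unknown-code")))
    return hits


def decide(hits: List[Hit]) -> str:
    """Map the hits to an SMTP-time action for the connecting client."""
    cats = {cat for _, _, cat in hits}
    if "open-relay" in cats or "test-blocker" in cats:
        return "reject"
    if "dialup" in cats:
        # The listing text above says: use your provider's SMTP gateway.
        return "reject-dialup"
    if "unknown-code" in cats:
        return "accept-and-log"  # never reject on a code you cannot interpret
    return "accept"


# Constructed stand-in for DNS so the example runs offline. 4.60.0.0 mirrors
# the answers shown above; the 192.0.2.x clients (documentation range) and
# their answers are made up for this example.
_FAKE_DNS: Dict[str, str] = {
    "0.0.60.4.dun.dnsrbl.net": "127.0.0.3",
    "0.0.60.4.blackholes.five-ten-sg.com": "127.0.0.3",
    "0.0.60.4.spamguard.leadmon.net": "127.0.0.2",
    "25.2.0.192.relays.osirusoft.com": "127.0.0.2",
    "99.2.0.192.dun.dnsrbl.net": "127.0.0.9",
}


def stub_resolve(name: str) -> Optional[str]:
    return _FAKE_DNS.get(name)


if __name__ == "__main__":
    for client in ("4.60.0.0", "192.0.2.25", "192.0.2.99", "192.0.2.10"):
        found = check_client(client, stub_resolve)
        print(client, decide(found), found)
```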
-
Re:SpamAssassin in large corporate use?
I was wondering how many large corporations are using SpamAssassin. And if not, why not?
Reasons for not using SpamAssassin are the CPU and bandwidth costs. Refusing e-mail from known spam sources is cheaper and (more importantly) does not give away information about which addresses are valid.
After checking the source IP address against lists such as Wirehub, Osirusoft (despite its name not only a list of open relays) and/or some other lists, almost no spam will be accepted.
IP space is finite and, even better, allocated in ranges. Continued spam from (or spamvertizing a website on) an IP address is a very good indicator for more spam from the IP range.
-
Dictionary Attacks
In the past week, I've started seeing some scumball who is trying a dictionary attack against a server that I run. It tries about 50 randomly selected names at a time, always from an open SMTP relay or an open proxy server (usually a SOCKS proxy, but apparently HTTP proxies can be abused too).
It always uses "john@some-randomly-selected-domain" as its From: address.
Fortunately, the targeted domain is one whose users never pick up mail, so I can use it as a honeypot, and feed systems not found in relays.osirusoft.com into a private DNS blacklist. However, I got tired of chasing this dirtball, and set up MIMEDefang to automatically add this cretin to the server's firewall rules when one of its attacks is detected.
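An added example, not code from the comment above or from MIMEDefang: detection logic that finds the burst pattern described (many unknown recipients from one source in a short window, a "john@" envelope sender) in MTA reject logs, and emits records for a private DNSBL zone for sources the external list does not already cover. The log line format, the addresses, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed reject-line format for this example. It is modelled loosely on
# MTA logs but is NOT sendmail's or MIMEDefang's real format; adapt LINE_RE.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ mta: from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]+)>, "
    r"relay=\[(?P<ip>[\d.]+)\], reject=550 User unknown$"
)
WINDOW = timedelta(seconds=60)
THRESHOLD = 20                       # distinct unknown users from one IP per WINDOW
PROBE_SENDER = re.compile(r"^john@", re.I)   # the sender pattern the comment describes

Event = Tuple[datetime, str, str, str]       # (time, ip, recipient, sender)


def parse(lines: Iterable[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"],
                           m["rcpt"].lower(), m["sender"].lower()))
    return events


def find_dictionary_attackers(lines: Iterable[str], threshold: int = THRESHOLD,
                              window: timedelta = WINDOW) -> Dict[str, dict]:
    """Return {ip: stats} for sources probing many unknown users in a short window."""
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, ip, rcpt, sender in parse(lines):
        by_ip[ip].append((ts, rcpt, sender))
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window over the time-ordered events, counting distinct recipients.
        for i, (t0, _, _) in enumerate(evs):
            seen = {r for t, r, _ in evs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                probes = sum(1 for _, _, s in evs if PROBE_SENDER.match(s))
                flagged[ip] = {"distinct_rcpts": len(seen), "john_senders": probes}
                break
    return flagged


def private_dnsbl_records(flagged_ips: Iterable[str], already_listed: Set[str]) -> List[str]:
    """BIND-style records for a private DNSBL zone, skipping IPs the external
    list (e.g. relays.osirusoft.com) already covers, as the comment describes."""
    recs = []
    for ip in sorted(flagged_ips):
        if ip not in already_listed:
            recs.append(".".join(reversed(ip.split("."))) + " IN A 127.0.0.2")
    return recs


# Constructed sample log: one burst of 50 probes, one of 30 from an IP the
# external list already knows, and two genuine typos from a real correspondent.
def _line(ts: datetime, sender: str, rcpt: str, ip: str) -> str:
    return f"{ts.isoformat()} mx mta: from=<{sender}>, to=<{rcpt}>, relay=[{ip}], reject=550 User unknown"

_T0 = datetime(2003, 3, 4, 2, 11, 0)
SAMPLE_LOG: List[str] = (
    [_line(_T0 + timedelta(seconds=i), "john@spam-example.test", f"user{i}@honeypot.example", "192.0.2.77") for i in range(50)]
    + [_line(_T0 + timedelta(seconds=i), "john@other.test", f"name{i}@honeypot.example", "192.0.2.88") for i in range(30)]
    + [_line(_T0 + timedelta(minutes=5), "friend@legit.example", "alice@honeypot.example", "198.51.100.5"),
       _line(_T0 + timedelta(minutes=6), "friend@legit.example", "alcie@honeypot.example", "198.51.100.5")]
)
EXTERNALLY_LISTED: Set[str] = {"192.0.2.88"}   # constructed stand-in for external DNSBL hits

if __name__ == "__main__":
    found = find_dictionary_attackers(SAMPLE_LOG)
    print(found)
    print(private_dnsbl_records(found, EXTERNALLY_LISTED))
```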
-
Re:Great Stuff! Hope to see more
All you need to block spam:
- Open Relays Database ORDB
- Osirusoft RBL
- Spamcop
- And Postfix and its great spam filtering options.
-
Collateral Damage?
My ass
Once your ISP allows people to test then maybe you'll get off the list of IPs that block open relay testing.
RBL results : 127.0.0.4, Test blockers: Null routed all access
So, exactly why are you, or your ISP, afraid to be tested? Oh I see, your stance may be that relay testing may well be illegal. Well tough. If someone turns up at your door and asks for entry you would ask for identification. Your ISP's stance in banning relay check connections is equivalent to not producing identification, but demanding entry anyway.
Until you can prove that you're not a spammer then don't expect your RBL status to change, and for those people that block on that status, you won't get through.
-
Antispews is spam; SPEWS is good; others are too.
Please take a look at http://www.antispews.org for more information before using SPEWS.
Actually, antispews.org is likely being operated by spammers, as the Osirusoft FAQ suggests. (If nothing else, they are spammers of USENET newsgroups, since they kiboze for references to "SPEWS" and troll in response, much as Serdar Argic once did with "Turkey".) Naturally, spammers are pissed off at SPEWS, because it is simply put the most effective tool presently in the field for denying spammers access to (1) victims, and (2) willing ISPs to host them. Innumerable spammers have been terminated as a result of SPEWS listings.
There is no conceivable informed controversy as to whether or not SPEWS is effective at getting spammers off the Net. Whether or not SPEWS is a good tool for your site to use as a tool for reducing your spam count is quite another question. In my personal experience (as a security and email administrator for my site, which is a research institution) SPEWS is extremely valuable. I read my mail logs and ascertain that SPEWS usage blocks spam, with a remarkably low incidence of false positives.
In the past week, our incoming mail server has blocked 969 messages on account of SPEWS, with zero reports of false positives from our users. (To be honest, we get about one such report a month, and we whitelist the offending IP address. It's usually in China; we have several Chinese researchers.) Our locally maintained blacklist blocks about twice as much spam, and our use of sbl.spamhaus.org blocks about five times as much -- but that is biased by the fact that we consult those lists before SPEWS, and there is a good deal of overlap between them.
I would not recommend that ISPs who offer email service to their users use SPEWS by default, though it would be a valuable optional service. The DNSBLs I would recommend everyone use are:
- sbl.spamhaus.org, which lists only netblocks occupied by known repeat spam offenders
- relays.ordb.org, which lists only open mail relays; and
- proxies.relays.monkeys.com, which lists only open proxies.
These are all low-to-no-false-positives lists which I feel comfortable recommending to every ISP regardless of its stance on SPEWS.
-
[moron alert] Re:Blocking subnets? Use SPEWS.
The Anonymous Coward above me whined:
SPEWS can rot in hell. A properly configured SpamAssassin will block 98% of spam and have 0.01% false positives (I haven't gotten one false positive in a year, but I will someday).
SPEWS may rot in hell (will there be room with all the spammers down there?!) but until then, I'm sure they are glad a moron such as yourself is enjoying the benefits of using their system!
The SPEWS data is part of the DNSBL system that SpamAssassin uses, and is in fact given a nice, high, +2.730 "spam value." A "0.01% false positives" rate?! Does that not show that SPEWS is not the "black your entire NSP" (whatever that means in English) type list you're ranting about.
The moron added: "Please, please don't support SPEWS. I beg you."
Why? With your ringing endorsement I think we all must!
-
"Interstate commerce"? What about international?
I applaud the US judicial system for approving and using such laws in America, but the whole world isn't the USA. We need a world-trade law, perhaps mandated by the WTO, to prevent spammers from breeding.
Of course, there's always relays.osirusoft - a cross-referenced database of nearly all DNS blacklists.
-
RBL Vigilante Jackasses...
First, the author of this article is an idiot. He was running an open relay. He admits it and doesn't even know it. Just another reason to be annoyed by lawyers. Second, the folks that run these various RBL lists are arrogant jackasses. Just look at the childish behavior they exhibit. Very unprofessional.
If they make a mistake, you and your organization are screwed until they decide to admit their mistake and correct it -- if they ever do. They have cute, pat answers to explain away any responsibility for their behavior and generally refuse to communicate with those they block. I have had a nasty experience recently with "relays.osirusoft.com" where a client of ours was using them as a part of their Postfix RBL configuration. Some Nazi^H^H^H^H German nominated our mail server as a spamhaus when we were not. Without being tested, our server was blacklisted -- I checked my logs and saw no check on the date we were listed. We received no notice, no automated robot checked our server, nor would anyone respond to my inquiries, just accusations that I was supporting SPAM--an absolute lie. If you are listed, you have to be an evil SPAM supporter with their mentality.
It took one month of constantly e-mailing their retest e-mail address. Daily checking of my mail logs and seeing that their robot was being rejected from relaying, yet, we were not taken off the RBL. Finally, after a month, we were removed. Nothing changed in our configuration, no notice was given as to why we were removed nor why we were added outside of the nomination origin. We were just lucky that "relays.osirusoft.com" decided to do what's right but was too cowardly to admit they were wrong. Hiding behind the anonymity of the Internet with no responsibility to the people they harm. We will never know how many e-mail messages were lost because of "relays.osirusoft.com"'s mistake.
Pathetic.
-
Well filter better ...
OK so filtering doesn't stop spammers sending, but hotmail could do the simple things,
- Use blacklists, spews.org if you want to be really careful, or relays.visi.com or relays.osirusoft.com to stop open relays connecting for a start
- Check the sending domains exists when mail is sent.
- Drop the common abusive domains
- Increase the amount of blocked domains you can have. 250 is not enough when people use aaaa.com, aaab.com and so on
- Data mine the individual block lists. If more than 20% of hotmail users block a domain, then it should be looked at
All these things are pretty standard these days, but webmail providers (not just hotmail) don't actually seem to bother. Remember, the more times you check your inbox, the more ads they have viewed.
-
The best spam lists
-
Has the server been blacklisted?
Head over to openrbl.org or osirusoft or Sam Spade and see if the server has been listed in any blacklists. If so, that's probably why your mail has been blocked. If not, contact road runner and find out what's up.
-
99/1 rule on spammers
Over the past 2 years we have noticed that more than 99% of the repeat spam comes from less than 1% of the sites.
In addition to the usual anti-spam methods:
- dorkslayers
- procmail
- Project SETS
- well configured MTA
- etc.
one can block IP addresses that attempt to spam on a regular basis. Tools such
can be configured to block frequent spammer IP addresses from your SMTP ports. The following is a list of IP addresses that we have observed spamming on a regular basis. Blocking these sites won't solve your spam problem. On the other hand blocking common spam locations as part of an overall anti-spam system will help.
Sorry if your IP address is in the above list. If you are not a spammer then it could be that you happen to be using an ISP that tolerates spammers (or is unable/unwilling to block them), or you work for a company that spam, or you are near a poorly configured and poorly maintained site that is abused as an open relay.
-
Re:Its more of a pain in the neck
I tend to agree. MAPS is useless for the most part as far as listing actual spammers. Now I do like to use their RSS. Many anti-spam admins still report open relays to MAPS. I do. Because of that they have a decent list of open relays. I also like their DUL. It was created in a fairly professional way. They did the leg work to identify actual dialup user netblocks rather than me trying to make a quick guess. I like that. I don't hit the DUL much (maybe 500 times per week on average) but every so often it gets hit hard and I'm glad I shelled out the $$$ for it. I use the ORSS for most of my filtering. I zone transfer it so I get the SPEWS stuff as well. It works well for me. Add that to my huge Sendmail access list and you have a decent setup.
-
It sure did for us
I consult with a small ISP in Kansas. We started using MAPS' DUL and RSS quite a while back (zone transfers). Then I added the ORSS (zone transfers) which also gave me SPEWS, Spamhaus Block List (SBL), and SpamSites.org. When MAPS went commercial, we bought zone transfer rights to the RSS and DUL. About that same time I also added RSL, Summit Blocking List (SBL), and FlowGoAway who doesn't have a website. On top of all that I also reject mail from domains that don't resolve and I maintain an extensive Sendmail access list full of Alan Ralsky's domains, spam supporting providers like Broadwing, spamware vendors, and domains and IPs of every spamming outfit I come across. In total I'm up to 4682 entries. Oh, and I also filter message bodies on certain content that identify unique pieces of spam like all those "Enter your email address on this website to be unsubscribed" things. Works great. This time last year I was filtering maybe 10,000 pieces of spam per week. I'm over 100,000 pieces of spam per week now. Considering we only have 2500 users, that's a lot of filtered spam. Roughly 40 per person per week.
What all of this rambling means is that you can filter out a great deal of spam with the right DNS blacklists. I only use DNSbl's that allow zone transfers because I don't want network latency to slow down mail delivery. It really is a worthwhile thing to do.
Finally the best thing that you can do for your users is educate them. Give them very clear examples of how doing simple things like giving your personal email to a credit card company, entering it in a guestbook, using it in USENET, using it on any public discussion board, and many more can increase their spam intake many fold. Explain that to them. Show them the proof. It's not hard to generate spam. Hell create a dummy account and make a few posts in the newsgroups. Never give the address to anyone else and don't use it yourself. Give it a week. Then show the results to your users as proof of USENET address harvesting.
Finally, don't be part of the problem (this is to the parent of the article). Be proactive in fighting spam. Sitting back and bitching about it doesn't help anyone. If you put up a server that's an open relay then you fucked up. It's your responsibility as an administrator to make sure you do your job right. Putting up an open relay isn't doing your job right (are you listening all of you damned Exchange admins?! 90% of the open relays I find and report are running Exchange!!!). When you get spam, report it (called LARTing). Drop a copy to uce@ftc.gov. Report stock spam to the SEC. Report bogus drug scams (lose 100lbs tonight while you sleep!) to the FDA. Report Nigerian money scams to the Secret Service. Report the spamvertised sites to their providers and ask that they investigate (don't accuse in case it's a Joe Job). Parse through the headers and learn to identify relayed spam, BS headers, and other tricks of the trade. Submit open relays for listing in all the open relay blacklists. Report it to the owner of the IP as well. DO YOUR PART! If you're not going to do your part to fight spam or ensure that your servers are properly configured, THEN GET YOUR SERVERS AND YOUR ASS OFF THE 'NET BECAUSE YOU DON'T BELONG IN THIS COMMUNITY!! Don't be part of the problem.
-
Re:Subscribing to blacklists did not help me.
I have only about 7 users. I am using two blacklists:
Not Just Another Black List, and Osirus
Between them, I'm stopping an average of over 100 messages a day. We do not have a single indication of any false positives yet.
Considering that only 2 of my 7 users receive a lot of mail per day (based on the size of their mail spools), that's a hell of a lot of spam.
So protestations that "they don't work" are bunk. If you think spam blacklists don't work, then you either have a skewed definition of "work", or you're just sadly misinformed.
As for "false positives", that depends on your definition. I personally choose not to do business with people who keep open relays. I therefore by definition can only have a "false positive" if there's a bug in one of my blacklists. Legitimate mail from an open relay isn't a false positive as far as I'm concerned, and my users have hundreds of alternatives if they don't like my policies.
-
My experience as an open mail relay
I reconfigured our mail server a month or so ago, and, well, misconfigured it, so that it was an open mail relay on our DSL line. It took the bad guys about 2 weeks to notice; at which point we all of a sudden started getting hit with tens of thousands, then hundreds of thousands of relays through our server per day.
I'm only a part-time sysadmin, so I didn't realize what was wrong for a couple of days, just noticed that the mail server was slow...during that time perhaps half-a-million messages were forwarded by my machine. Unforgivable, I know. I didn't realize the threat; and most of it happened over a weekend.
On Monday, I spent a few hours finding out what was going on, and madly tried to cancel the messages by hand from the mail queue, before I did the right thing and installed the latest version of sendmail -- which by default doesn't relay.
For the next several weeks, I've been petitioning the various spam reporting lists to take us off of their blacklists. I have to say that everybody was reasonable in this respect. It took some time to hunt them all down, but I think I have them all. If you are doing this yourself, http://relays.osirusoft.com has a great resource for checking what lists your server is blacklisted with.
The only good thing to come out of this is that during the cleanup phase, spammers continued to try to relay spam through my site, and I was able to get several of those accounts cancelled by calling up the various email abuse departments at their ISPs. (My favorite was worldcom, I called them and they answered "Abuse!" I told them that I really wanted an argument...) The biggest disappointment was @home, who required a 1-week waiting period before shutting down a really high-volume spamming operation.
I was surprised how quickly my open relay was discovered, and then how quickly that information was distributed among quite a few (at least 40) spammers. Perhaps they watch incoming spam to see where it is relayed from; and harvest those to run their own spam.
Anyway -- my apologies to the community. It won't happen again.
thad
-
Re:Somethi-N-g most forget
"Have a place to submit spam incidents, such as a web form. Then process them to look for patterns."
Have you ever tried to run more than a handful of LARTS through a web form? It's a nightmare. I have 1200 pieces of Broadwing.net spam that I need to LART tonight. I don't know how I'd LART all of them via a web form.
Patterns aren't something that the average Joe would pick up on anyhow. Few people noticed that recently more and more spam uses a spoofed From: in the form of BSUser@yourowndomain.tld. If they do want to look for patterns, they could easily view thousands of spam reports in news.admin.net-abuse.sightings. Numerous people post their spam to it.
"Provide separate zones for blocking sources of spam, and blocking web sites and ISPs where spammers might be hosting a web page. Not everyone wants to block the latter; I only want to block the source of spam."
Many DNS blacklist authors do just this. MAPS is a good example. You have the DUL which lists dial-up IPs only. The RSS which lists known && abused open relays. The RBL contains ISPs that are known to harbor spammers or at least be neutral to their abuse and ignore abuse complaints. The RBL+ is a combination of those 3. All 4 of those are their own zones. SPEWS lists /24's from which spam originates. Occasionally they'll even list a whole provider that harbors spammers or spamware sites, repeated lies to people that mail abuse@, or are known to bit bucket abuse complaints. relays.osirusoft.com hosts many lists. Individual queries can be made for any of the lists it hosts or you can transfer them all at once in a big zone file. relays.visi.com is the home of the RSL. It only lists open relays that have been abused, like the RSS and relays.osirusoft.com's base DNSbl. blackholes.2mbit.com is the home of the SBL (Summit Block List), not to be confused with the SBL (Spamhaus Block List) which is hosted by osirusoft. The Summit Block List contains abused open relays and hosts that have been directly involved in spamming. The Spamhaus Block List contains "known spammers, spam gangs, or spam support services" and is "by the same team that maintains the ROKSO database", a list of those spammers.
"Some anti-spammers are on a crusade to maximize collateral damage. I am not. I won't block a whole ISP because of a spammer unless that ISP is making it difficult to isolate and focus on the spammer."
In a small way I agree. I used to feel like you do now. I was very leery about blocking an entire ISP just because of the possibility of losing legit mail. I quickly came to realize that blocking just a small piece of that ISP that's known to spam wasn't solving the problem. They'd just move elsewhere within that ISP.
"If they corner the spammer operation to a specific static subnet, I'll gladly block that, and I'd want to use a DNS blacklist that is equally focused."
This doesn't accomplish anything in the long term and little in the short term. Sure you block some spam from a spammer for a couple of weeks but they'll quickly figure that out and move to another block. If the ISP facilitates their move then they are supporting spammers. It's an all or nothing deal. You can't have your cake and eat it too.
Personally I block entire ISPs myself, in my personal access lists that are independent of group maintained DNS blacklists, that are known to harbor spammers and ignore complaints. A perfect example of this is Broadwing.net. I have blacklisted every IP they have registered to them. That includes 3 /14's, a /24, and a /28. That's a lot of IPs. I have never seen anything but spam come directly from them. They harbor Alan Ralsky and many other well known spammers. They ignore spam complaints. They simply don't care. Whenever I LART their spam, I also LART their upstreams because I believe someone there will eventually notice. I know that no one at Broadwing will.
"Some of the anti-spammers are on the wrong crusade and not very many people will follow them."
This I have to strongly disagree with. I've been involved in protecting my resources from spam for some time now and have implemented many steps to prevent as much spam from entering my system as possible. I reject just under 1400 known spamming domains. I also reject all mail from a number of providers that harbor spammers as well. I utilize all the lists hosted by Osirusoft, relays.visi.com, blackholes.2mbit.com, and I'm in the process of resubscribing to the RSS and DUL. I even do some filtering on message content which has been incredibly successful. Last week I rejected almost 96,000 pieces of spam on one of my servers. That's pretty darn good. Of the 2400 users on this particular server, I've only had complaints from 3. 3 of them couldn't receive mail from a particular person on the 'Net that was being filtered by me. 1 was on an osirusoft list. 1 was attempting to send mail through their mailing list that's run by cybercon.com (a known spam supporter) and mail to subscribers on our end was bouncing. The other was a customer of a customer of Broadwing's. After explaining to them that we couldn't selectively allow mail to just them from the affected host and that we'd have to allow all mail to them unfiltered, they decided to suffer from more spam than miss out on their friend's email. One has changed his mind though. The rest seem to love it. The best advice I can say to you is to keep an open mind about these lists and what they do for us. Not every list is meant for all situations. I personally don't want to use the RBL. In the beginning I was leery about SPEWS. The rest I like. Join news.admin.net-abuse.email and keep up with some of the conversations of the anti-spammers that reside there. A plethora of information and insight can be had with them (I'm there too). Good luck!
-
Alternatives to MAPS and ORBS
Here are some up and coming alternatives:
- http://www.orbl.org/
- http://www.ordb.org/
- http://www.orbz.org/
- http://relays.osirusoft.com/
- http://orbs.gst-group.co.uk/
I also have my mail server configured to reject mail from other mail servers that do not have their IP addresses correctly configured and/or delegated in the in-addr.arpa reversed DNS zone. Amazingly, this has cut out almost as much spam as MAPS has. For Postfix users, this can be done with:
smtpd_client_restrictions = permit_mynetworks reject_unknown_client permit
While this does end up rejecting a few "legitimate" servers, the number is very small. I suspect that for the most part this works because open relays tend to be the result of "inadequate administration" which can also be the cause of the lack of reverse DNS. If they can't get one of them right, they probably can't get the other right.
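An added example, not code from the comment above or from Postfix, of the check that reject_unknown_client is documented to perform: the connecting IP must have a PTR record, and the name in that PTR must resolve back to the same IP. The hostnames, addresses and resolver tables are constructed stand-ins so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]   # in-addr.arpa name -> hostname or None
ALookup = Callable[[str], List[str]]          # hostname -> list of A addresses


def reverse_name(ip: str) -> str:
    """in-addr.arpa name for a dotted quad: 192.0.2.25 -> 25.2.0.192.in-addr.arpa"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def classify_client(ip: str, ptr: PtrLookup, a: ALookup) -> str:
    """Forward-confirmed reverse DNS, as reject_unknown_client applies it:
    no PTR, or a PTR name that does not map back to the IP, is rejected."""
    name = ptr(reverse_name(ip))
    if name is None:
        return "reject: no PTR record"
    if ip not in a(name):
        return f"reject: {name} does not resolve back to {ip}"
    return f"accept: {name}"


# Constructed resolver tables (documentation address ranges) so the example
# runs offline; real deployments ask the system resolver instead.
_PTR: Dict[str, str] = {
    "25.2.0.192.in-addr.arpa": "mail.example.net",   # consistent both ways
    "26.2.0.192.in-addr.arpa": "ghost.example.org",  # PTR name points elsewhere
}
_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.25"],
    "ghost.example.org": ["203.0.113.9"],
}


def stub_ptr(name: str) -> Optional[str]:
    return _PTR.get(name)


def stub_a(host: str) -> List[str]:
    return _A.get(host, [])


if __name__ == "__main__":
    for client in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        print(client, classify_client(client, stub_ptr, stub_a))
```

The third client (no PTR at all) and the second (a PTR whose name does not resolve back) are the two cases the restriction rejects; only the first passes.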