Domain: senderbase.org
Stories and comments across the archive that link to senderbase.org.
Comments · 36
-
Checking the wrong thing in a not great place?
First up lkml.org is a third party site that hosts Linux kernel mailing list archives on a website. Regular Linux kernel mail isn't actually sent from it (I believe that's done by vger) so we're looking up the email reputation for the wrong IP...
Secondly UCEPROTECT is a very aggressive blacklist which states upfront they will block people who they believe are in the vicinity of people who they judge to be sending them spam. It's not the be-all and end-all though and on one server I looked at some time ago its effectiveness was surpassed by other blacklists (here's someone else's old DNS blacklist comparison for 2014). In general I prefer more conservative tools like senderbase when trying to work out an IP's mail reputation.
For what it's worth I've also seen GMail incorrectly mark mails sent to the fio mailing list (which is also managed by vger) as spam and in that case it was purely down to mail being proxied through the list which was a place that didn't match the sender's DMARC records. Most of the time GMail was getting the marking of spam right though (even for mailing list mails)...
-
This conflicts with what I see (I do anti-spam)
I only see one publicly visible spam volume graph supporting this claim: SpamHaus CBL (look at the "Last quarter" graph).
SpamCop and SenderBase suggest the overall trend is still down, though I'm not convinced this is related to Grum -- it appears Grum just wasn't as major a player as people thought.
The other graphs I have bookmarked, from McAfee (click the "Historic Data" tab) and Symantec, are inconclusive.
-
Longer term stats
Yes, there was a holiday period dip, as usual. What is different is the longer term (12 month) view
http://www.senderbase.org/home/detail_spam_volume?displayed=last18months&action=&screen=&order=
June 2010: 339 Billion/day average
December 2010: 92 Billion/day average
December 2009: 205 Billion/day average
So comparing December with the 2010 peak, or comparing December year to year, there is a huge decrease in the last quarter of 2010.
The steady decline from September to December is most likely attributable to the exposure of Igor Gusev in the Russian media, Russian police action in seizing his computers, and the immediate shut-down of his GlavMed affiliate program that was funding the spammers and providing the pharmacy fraud and fake watch scams.
-
Some charts supporting this
(alphabetically)
SANS Internet Storm Center (I can't get the graph working, ymmv)
SenderBase
SpamCop (a feed to SenderBase)
Symantec
ThreatPost (TFA)
Websense Monthly reports (December not yet available, Websense is TFA's source)
An observation: spammers celebrate holidays too; it's hard to recover from a series of shutdowns while dealing with family affairs. I hope their holidays were joyful and full of lasting distractions...
-
Re:Google searching
I think you were given a very badly infected "zombie" machine's IP by your IP provider overnight.
If you give your IP to sites like http://www.completewhois.com or http://www.senderbase.org/ they may give very good clue since zombies mostly end up on such lists. Of course if you aren't victim of some sort of monopoly, it is best to find a better managed ISP with zero tolerance to both spammers and zombies on their subnet. Not every IP address/block is equal on web since the early dial up times. At one time, while I was using cable ISP, I had 5 kb/sec virus/worm traffic hitting me while I am using OS X. It really bugged me a lot and eventually sites like slashdot really went paranoid about my IP and I was disallowed from posting once.
-
Re:Interesting.
Olympics?
Serious, there is a total explosion of spam from China area involving open proxies especially in 2 weeks.
http://www.senderbase.org/ which isn't Symantec (e.g. won't alert for nothing to sell sw to end user) reports another virus outbreak right now. They also get the early alert from Spamcop.net which I just reported 6 spams coming in 1 day, a very unusual thing for that mailbox.
It is either Olympics or someone won a huge botnet auction.
-
Re:Follow the money
Currently, 99% of spam I report comes from Korea (Kornet, again!) and advertises sites in China selling illegal drugs.
Spamcop.net (.com is fake) and their users do the job free reporting them without any kind of wrong information out there. If a single IP sends 10.000 mails and you see figures like (1200 mails sent, 900 bounces), they have a "guy" in that ISP or the ISP's native country is supporting it.
Their parent company (now owned by Cisco) gives their stats free:
http://www.senderbase.org/home/detail_get_domain
Note that the list is current top mail senders (legit or spam) of planet.
It includes my own country too. Rather than getting blocked soon even for browsing, they better get blocked and get rid of those worms, secure their freaking port 25,135.
I remember purchasing a broken modem back in the BBS times and modem had a weird bug crashing whatever modem (rack) answers it. End of the day, I was in caller ID block list of all BBS'es I called. :)
In 2007 people can get infected and just because that $30 they pay, they have right to spam entire planet choking up bandwidth, risking other computers down to medical networks. Companies like fastmail.fm, small mail providers have already setup some good RBL/Filtering schemes and they don't ignore a single spammer. I am using their cheapest option and I didn't get a single spam even into my "Junk" mailbox.
So if they stop acting "politically correct" or they don't get afraid of Chinese etc. government, they can stop spam very effectively.
Whoever owns a ISP grade line and can't get rid of those "paying customers" who spams/probes entire planet is an idiot regardless of nationality.
Thing is, US ISP guys or those German guys actually reads spam reports and take counter measures. You see "ISP has already taken action against it, spam will cease". On those idiot ISPs having enormous bandwidth, you either get your report bounced or as in one time, idiot sends abuse report to your ISP since you sent them abuse report!
I am using OS X here and 4-5 KB of my paid bandwidth is gone to stupid port 135 worm probes. I am a Spamcop user since it was founded, I keep reporting Korean spam for 6 years, sorry if I call some people "idiots". I am not Yahoo Inc. or something, I don't have future billion dollar deal plans with them.
-
Re:Reinventing the wheel?
What if I don't trust a very active, imperial country government with my private mails even if they are spam?
I better keep reporting French spammers via Spamcop, they make into SCBL for anyone opting in and live with peace of mind. At one point they will really have to login to that "american" system since planet will start blocking their country blocks if this complete lack of management continues.
See what happened with South Korea. They weren't caring about spam reports and after they figured their industrial giants mails are bouncing from ordinary users mailboxes. Now they have setup a security organisation and opted in to receive entire country block reports to that organisation mail.
Well France Telecom can start with verifying their SMTP servers DNS, see the entries at Senderbase, parent of Spamcop:
http://www.senderbase.org/senderbase_queries/detaildomain?search_string=orange.fr
Gives a good clue how non managed they are.
-
Re:holy crap
Wonder how much additional it'll cost to convert Yahoo's BSD servers to Windows. Remember how long (and how many failed attempts) there were to convert HotMail from Solaris? Yahoo is recently said (opendns.com press release) to have 250 million active mailboxes, I wonder if there is a single MS Solution that can handle it.
Call me mad but I don't believe hotmail is entirely MS technology based. Yes, still.
Yahoo is planet's largest mail provider, check http://www.senderbase.org/ operated by Cisco/Ironport. Ignore the botnet heavens there of course :)
-
Great idea, just several years late ;)
For everyone screaming that this isn't feasible, will kill mailing lists, and otherwise render effective communication via SMTP impossible you might want to consider that about a quarter of global email volume is already flowing through a system very much like what the OP describes.
Ironport (recently purchased by Cisco for $830 million US) has been doing this kind of service for large providers for several years.
Their statistics site is publicly viewable, but using their stats requires a subscription fee.
http://www.senderbase.org/
It's interesting to look at how well or poorly the MTA's you use are scored. All of the stats are gathered by the systems they sell to ISP's and enterprise customers. These boxes perform the spam filtering for that organization's customers and provide statistical data back to senderbase.org, which allows all Ironport customers to "know" about problems for all other Ironport customers.
The link to their PDF on their metrics is here:
http://ironport.com/pdf/ironport_wp_reputation_based_control.pdf
We evaluated their system last year as a possible replacement for a third party spam/virus scanning provider and may end up purchasing their equipment once everything with the Cisco purchase shakes out. Their solution, while not perfect, behaves far better than some of the things that large service providers *coughAOLcough* have tried and are (or were when we tested) comparable to most of the content based scanning systems in terms of spam filtering with a lower rate of false positives.
-
What about SenderBase?
This isn't a new concept. Our mail gateways already participate in something like this with IronPort's SenderBase reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputation scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.
It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!
-
Re:I think the poster missed something
There is a problem.
That "blog" doesn't uncover anything interesting, yes a free mail service has ads and new Ajax etc. stuff needs CPU/RAM to handle unlike old webmail. Big deal...
It is posted to blog right after Yahoo opens the API and create some good media.
Yahoo mail could be irritating (I cancelled plus after figuring no APOP or IMAP) but it is a very popular webmail internationally.
Check http://www.senderbase.org/ and look at their place in legit (non spam/zombie) providers. Where is Google?
Is Google playing "evil" games now with some anonymous blogs?
Who is that guy claiming a thing which any serious power user/developer will laugh? "why do Windows filesystems suck so?" (older entry)
No, Windows file systems, especially NTFS 5+ (2k,xp) does NOT suck. They are very modern systems and I am a OS X user saying it. Go ask any developer who isn't zealot, they will say too.
I mean why this Anonymous Blog entry submitted by AC poster is front page of Slashdot?
There is one mail service needing much more popularity and users, http://www.fastmail.fm/ , now THAT is a webmail/imap service worth reviewing.
-
Re:Freaky coincidence
Not sure how, but whois returns 4.2.2.2 as level3.net
http://www.senderbase.org/search?oOrder=lastday%20desc&searchString=level3.net
You should just write to 1025 El Dorado Blvd. Broomfield CO 80021 US and ask them yourself.
-
Re:What a load of crap...
On a bit unrelated note, when will your ISPs start to fight against at least open proxies?
With such speed we are even more doomed (as spam receiving people).
Top senders there will look familiar to you:
http://www.senderbase.org/
Either France became completely nuts about e-mail communication or they are spamming.
BTW it includes my own country and ISP too and I am ashamed, no "freedom fries" attitude in my post.
-
You can get your answer dynamically, any time
Hi,
Click here: http://www.senderbase.org/
You will notice "top senders by domain". There are some telecoms "shouldn't be" there. They are the spam infested ISPs who doesn't have a clue about managing their services. Sadly it includes my backbone too.
I seriously suspect China spam is sort of foreign policy. As a spamcop (free, paid) user for years I have right to suspect so. Also if ISPs, large ISPs end this "politically correct" crap and enable country wide user selectable blocking lists you will see how they buy those Ironport, eSafe etc. devices by paying 1% of their revenue.
What about commercial communications? Well you will tell your business partner to find a better managed ISP.
-
Re:Tools are available
-
There is still spamcop
You can still use the free spamcop service to report spam to.
Spamcop has been around much longer than bluesecurity, it has already weathered many more DoS attacks than bluesecurity, spamcop has been sued a couple of times by spammers (and the spammers lost), spamcop has had its domain name hijacked, and yet it has survived. Granted, part of the reason they survived is because they are now owned by the anti-spam vendor, Ironport who also provides the free senderbase service.
I'm sorry to see bluesecurity go, but there are still other options for people who want to fight spam.
-
Re:As long as one of them is up...
I also hope that they know the size of the mail system they are playing with. That mail system must have its very own schemes, countermeasures.
To see size of Yahoo mail:
http://www.senderbase.org/
ps: Some on that list are spammer friendly ISPs (non managed etc), that is the purpose of that system. They own spamcop.net too.
-
My experiences with email sending..
I work for a financial services company who has clients who are supposed to receive emails from us related to trades. Since I manage our web presence, email deliverability is also my problem.
Here are the places to start:
Free Certification
AOL: http://postmaster.aol.com/whitelist/
Yahoo: http://add.yahoo.com/fast/help/us/mail/cgi_bulkmail
Verizon: http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp
Reporting
Spamcop: http://www.spamcop.net/w3m?action=ispsignupform
Hotmail: http://postmaster.msn.com/snds/
Senderbase: http://www.senderbase.org/
Email Signing
SPF: http://www.openspf.org/
DomainKeys: http://domainkeys.sourceforge.net/
Paid Certification
Bonded Sender: http://www.bondedsender.com/
Habeas: http://www.habeas.com/
Goodmail: http://www.goodmailsystems.com/
A lot of providers outside the US have many of their own rules and regulations to follow, which makes it quite difficult to achieve deliverability. At the end of the day, we try to follow all the rules that have been laid out from existing companies and then deal with individual providers on a needs basis. The more users that use that ISP, the more we are willing to obey their individual rules.
Unfortunately, I see paid certification becoming the way of the future. If I can pay to guarantee to have my clients' email delivered rather than negotiate with ISPs every other week based on their varying criteria, I'm pretty sure my company will pay for it. I don't like it, but results are the bottom line.
-
Re:ISP port blocking
Find out what IP blocks the provider has and look them up on various RBL's to see if you are going to have issues
If you haven't already found it, SenderBase is a handy site for determining the history of email traffic from a particular IP address or block of addresses. For the anti-spam crusaders out there, it is also useful in determining if that originating IP is a consistent high volume mailer, or a recently hacked zombie.
-
Re:Ironport?
Well, look it up at SenderBase:
http://www.senderbase.org/search?searchString=255.255.255.255
So much about checking user-supplied data.
-
more info at senderbase
Contrary to the article title, trustedsource isn't providing any reputation score whatsoever. Reputation scores are useful in determining whether someone has been sending spam, not whether they are a high-volume sender.
Senderbase has been providing this information for quite some time. Senderbase gives numerical scores for e-mail volume and makes it easy to see when an address or domain is on spam blacklists.
Folks with an IronPort e-mail security appliance are granted access to the actual reputation scores as opposed to just a volume score. The reputation scores control the flow of e-mail through IronPort security appliances. IPs with a negative score are either known spammers or have insufficient reputation history. IPs with a positive score have a good sending history.
The whole concept of reputation scores is to determine whether you will accept an e-mail message or SMTP connection. Basing that judgment merely on sending volume would block Comcast, Yahoo, and AOL gateways (I'm referring to the ISP's e-mail systems, not their customer DSL and dial-up connections). Dynamic reputation scores are most useful in restricting the flow of e-mail from the bad guys while letting trustworthy e-mail flow through quickly. Folks with an IronPort e-mail security appliance also get actual reputation scores as opposed to just a sending volume rating. IPs with a negative score are either known spammers or have insufficient reputation. IPs with a positive score have a good sending history.
-
Ironport?
Wow, this is almost an exact copy of Ironport's Senderbase Reputation Score!
-
A similar email validation site
A similar site already exists: http://www.senderbase.org/
-
Woah, not even close
This is so horribly full of conjectures, uncontrolled data resources, and just pure speculation. The figures are based off Alexa Toolbar users, and one website visitor ratio. The author uses these as the base of formulating a simple division/multiplication approach to postulating the gross users of the internet.
Suggestion for more accurate collection of information. Talk to ICANN or that nifty website senderbase.org that has a broader view on traffic flow across the internet.
-
Re:Not anymore
I do get it. And I am not a MAPS supporter.
If you don't want your mail filtered tell your ISP not to filter it. If your brother wants his mail unfiltered he should tell his ISP not to filter it. Acting like it's MAPS's fault you had email connectivity problems is ridiculous. Your and your brother's problem is with YOUR ISPs. Complain to them. Why should it be anyone else's problem?
The reason your cable company is in MAPS (and that is likely not the only place it's listed) is the totally lax way most cable ISPs have had towards spam spewing trojaned machines on their networks.
Why should the rest of the internet have to put up with machines on your network sending 2 million spam a day through proxies? How about 200 million a day? More! They didn't read their abuse mail, didn't pay attention to the problem and it got worse and worse.
Take a look here:
http://www.senderbase.org/
Comcast and RR, both big cable modem providers, 525 million emails in the last 24 hours. Comcast is #1, 373 million emails today! They don't have anywhere near enough customers to account for that. How many are spam through infected machines? LOTS.
So that's the reason. Call your cable ISP and make them scan their network for those trojans and shut them down.
Be a part of the solution, not a part of the problem
-
Windows set-top boxes + Spamcast = nightmare...
...for the rest of the world. Spamcast has a long history of not stopping trojaned customer PCs which relay billions of spam emails.
Now imagine several thousands or millions of Spamcast customers using Windows-powered set-top boxes. First thing spammers will do is get such a thing and examine it for possible exploits. Legitimate customers won't even get the idea that their set-top box could catch a virus or a trojan which could do harm to anyone. Most of them won't ever update their set-top box to fix known security holes. Why should they? Would Spamcast tell them to do so? Or even Microsoft?
So it won't take very long until the world gets hammered by the worst and biggest spam cluster the Internet has ever seen.
-
Your suggestion sounds a lot like senderbase
Senderbase provides monthly and daily counts on mail seen from particular IP addresses and thus is capable of spotting when something dramatically out of the (previously known) ordinary happens.
-
Re:How will this stop spamming?
Most spammers don't use large ISPs.
This is complete BS. Where did you pull that from? Where do you think the bulk of those compromised machines reside? Unless there are significant differences between the customers of small ISPs vs. big ISPs (there aren't), it is simple statistics.
Besides using logic, you can read these for empirical evidence:
Comcast reports 53 percent decline in spam
Top Senders by Domain
I'm sure you can find more if you want to spend a couple of minutes on it. Sorry for the strident tone, but as someone who works for a small ISP, this is personal.
-
the list of Comcast offenders
http://www.senderbase.org/?searchString=comcast.net&searchBy=domain
Magnitude 6 = 1 million emails/day
-
Excellent
Comcast is, hands down, the largest spam source of the Internet with approximately 640 million messages every day. Personally, 25% of the spam I receive comes from the Comcast network. Of course, users are unaware that the latest virus has turned their computer into an open proxy sending millions of messages every day. I hope other major ISPs such as Road Runner (180 million), AT&T (150 million), and AOL (140 million) follow suit, and disconnect open proxies and zombies when they are found.
-
Senderbase is not a spam tool...
It's a database that identifies high-volume email sources. So you could say Senderbase is pretty much neutral.
These are also the people who came up with Bonded Sender - a whitelist with an economic incentive to keep senders honest. So they're hardly new to the anti-spam world.
The controversy seems to be over IronPort's hardware: they sell mail servers. Big friggin' whoop.
-
senderbase
What may not be common knowledge is that IronPort's Senderbase has 'the reputation as the fastest way to send millions of junk e-mail messages' and is popular with spam factories.
Senderbase.org is an invaluable site for fighting spam, not a way to send junk email; it is a scourge for spam factories.
Larry
-
Re:IronPort's Reputation?
No way, the guys at IronPort are fantastic.
If I've ever met a group of people who understand the Spam Problem, it's them.
This is *fantastic* news! The guys at IronPort Systems make the best damned mail routers I've ever seen. Bar none.
Their SenderBase and Bonded Sender programs are really a lead into solving the SPAM problem.
Both products integrate directly into the IronPort C60 mail appliances and automatically apply what they call "reputation filters" which let you control SPAM. You can throttle based on the "reputation score" from SenderBase, as well as traditional methods.
The fact that BrightMail is integrated also is a major bonus.
Back to the original point, I'd definitely give IronPort a chance here. They're a GREAT group of people (I've met everyone from the CEO on down), understand e-mail, and really want to do the Right Thing.
Check them out at: http://www.ironport.com
Unfortunately, my company's rules won't let me give a public testimonial as a satisfied customer, but believe me, if I could, I would!!
-
Re:Anti-spam zealotry is a good thing
Roadrunner is blocked with good reason: it's the number 2 sender of mail in the world, of which a lot of it is spam. abuse@rr.com does not act on complaints on open relays fast enough, so they tend to have LOTS and LOTS of open proxies, open relays, etc.