Domain: spamcop.net
Stories and comments across the archive that link to spamcop.net.
Comments · 440
-
Re:Spamcop sucks
I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.
That's nice.
But why do we care?
Come to think of it, how do you know that your email is legitimate? After all, if it was legitimate, it would have gone through. The owner of the mail server that bounced your message has decided that he doesn't trust your source of email. That is his right, isn't it?
Perhaps you disagree with the owner of the mail server in question about what defines legitimate email. If that's the case, take it up with the owner of the mail server. SpamCop is just providing that person with a list. The mail server's owner decided to use that list for blocking despite SpamCop's explicit warnings against doing so.
-
Re:Spamcop sucks
I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.
Your e-mail was returned because whoever runs the mail server you were trying to deliver the message to has chosen to bounce mail from any IP in SpamCop's blacklist, which SpamCop has always recommended against. Complain to the people who made that decision, not SpamCop.
And, the reason the IP is listed in SpamCop's blacklist is probably because the server you're relaying your mail through has also been relaying spam, and people have complained about it (using SpamCop's reporting service). Go here to find out exactly why an IP is listed, along with sample e-mails that users have reported as spam and some statistics about how much spam has been reported from that IP.
The worst thing about spam is that filtering systems create false positives...
SpamCop says this is why their blacklist should not be used to block mail. Their list is entirely automated; it's based on reports from users, and SpamCop does not verify it. Read more on SpamCop's site about exactly how it works.
My provider requires authentication but everyone knows that you can create spam using an IP address from a well behaved smtp server.
SpamCop is really very good about identifying where a message actually came from, not just where it's been relayed through - unless there's something suspicious-looking about the server it's been relayed through (such as, for example, the hostname the server identifies itself as [the Dj line in sendmail.cf] doesn't resolve to the server's IP).
-
SpamCop will help with backtracking headers
If you want to do the same thing as this guy, try using SpamCop. Paste the entire email (with headers, duh) there, and it will backtrack the message to where it originated. It will tell you which company it came from, which one is being advertised, etc. For the especially lazy, it will also allow you to send a carbon-copy form letter to all parties involved. Best of all, it's free. Consider donating though, it's worth it.
-
Re:Reality Check
Disclaimer: I'm not American, I'm an EU citizen. My knowledge of American constitution might be limited.
Does because I have to click 'DELETE' a few times REALLY count as a justifiable reason to restrict free speech, with open speech being THE MOST IMPORTANT ELEMENT of any democracy?
Aha, so you're one of the JHD crowd (Just Hit Delete). Fine then. I'd say that spam is, as a problem, bigger than that. According to some estimates, about 50% of the E-mail traffic is spam. I'm not too greatly affected by spam, but e.g. my father's signal-to-noise ratio is usually terrible (usually about 30 spams per one legit e-mail).
Besides, at least here in $MY_COUNTRY, commercial speech is not the same as free speech. I agree that political speech (as long as it is not inflammatory) must be free. I'm also a strong believer in the freedom of assembly. However, spam is not free speech: it is commercial in nature, not political. Besides, political free speech does not use up a citizen's resources without the citizen's consent. Therefore, IMHO, free speech clause does not apply to spam. I'd quote the Finnish constitution's relevant section, but am too lazy to look it up.
Making a profitable activity illegal DOES NOT MAKE IT GO AWAY.
Sad but true. Here in Finland spam is already (in most cases) illegal (prior consent required), but the few spammers/scammers/MLMs are usually not prosecuted to the full extent of the law. The cases that I know, the police did not even conduct a pretrial investigation.
They'll just relocate overseas, to where there are no restrictions. Suddenly, sure, you've got no bulk e-mail coming from within the United States - but you've got even more pouring in from China, Taiwan, South America, and any other country without anti-spam laws. Further, it would be a country with no fair business regulations either. Want a working "opt out" link? Forget it. Valid return address? Never. ANY legal recourse against the spammers? Not a chance.
I usually feed my spam to SpamCop. Usually the source is a raped proxy in South Korea or China. If the source happens to be in USA, then it's a 0wn3d ATT broadband or RR cable user. Mexico and Brazil are also prominent among the sources of spam. I can't see what would change if the spammers relocated.
What comes to the validity of return addresses or legal recourses against spammers, the return addresses are usually clearly faked (friend@public, my own e-mail address, etc). When it's a real address, then it's usually a joe-job (i.e. a real person's, a third party's, address inserted as a return address -- guess who is then buried under zillions of bounces?). As to the legal recourse, locating the actual spammer is pain. The data that might lead to the tracks of the spammer, their domain's whois info, is usually faked. It might look valid, but the location is nonexistent.
-
The Heavy Hitters Are Still Around
So, when will we see a distributed RBL that can stand up to distributed attacks?
I'd never even heard of the two sites that closed down. Personally, I use Spamcop's DNSBL, DSBL, and ORDB.
-Lucas
-
Re:Meaningless
Hey,
How will it be enforced? When I get hit with spam that violates this law, who do I complain to? Who will investigate my complaint and then pursue and punish the spammers?
Why not automate it, a bit like spamcop? You could forward your spams to a central body (who could use filters and human review to confirm the mail was spam) who could automatically determine the sender's ISP and, at the push of a button, print and send a subpoena for the sender's address. If it's in an area affected by appropriate laws, the spam and sender's address could be forwarded to law enforcement authorities, or form letter court summons sent out.
Where will all the money and resources come from to enforce this law (see point #2 above) -- to actually enforce this law will take FAR more money and resources than anyone realizes or will admit.
Remember, we're talking about $1,000 per spam here. You wouldn't expect it to take more than a day to prosecute for one spam and you'd think you could get a mediocre lawyer (which is all you'd really need) for $250 per day - leaving you with $750. Ker-ching.
Just my $0.02,
Michael
-
Re:global crossing spam will probably jump hugely
Oh well, they can join the rest of the asian spammers i've plonked at 202/8, 203/8, 210/7, 218/7, and 220/7. (Yes, i really do despise countries that don't care about their spam problems)
What, like the United States*?
Make sure you've got your own back covered before you start hurling your bigotry around. (Of course, I don't know if you are from the U.S., but if you're going to ignorantly lump all Asian countries into one big stereotype, I'll take my liberties and at least conclude that you are from the so-called western world, and that you are, as such, just as responsible for the U.S. administration as the people of Singapore are for that of China.)
That having been said, I know a lot of UCE originates from China, but with a population that's about one fifth of theirs and a GDP per capita more than eight freaking times of theirs, which country do you think is employing its resources least adequately?
*) Spamcop seems to have made a PC decision to stop compiling statistics by worst offending ISPs, but while they did, the two main culprits (and it doesn't look like that has changed) were consistently two *cough* Sprint large *cough* Bell South networks in the U.S.
-
Here's what can be done.
All autoresponders must start validating the "Received" chain, like SpamCop does. The open source community can help by packaging up a library to do just that, and putting it into any open source packages that generate mail responses. Writers who review programs should downgrade those that have autoresponders. I suggest the term "spamming autoresponder" be used for any program that replies to mail autonomously without checking the "Received" chain.
Messages from known spamming autoresponders should be blocked by spam filters. A publicly available list of canned text appearing in messages from spamming autoresponders should be made available and placed into mail filters.
That should deal with the problem.
-
Re:who says its spammers?
He obviously has more knowledge of blacklisting than you have. Or give us an EXAMPLE of spews blacklisting a subnet that isn't on a spammer-friendly ISP. And lumping every blacklist from spews to dsbl.org and spamhaus.org isn't very wise either.
Even spews doesn't just blacklist entire A/B subnets at glance, unless they obviously belong to a spammer. They start with single IP:s, and ONLY IF the spammer doesn't get kicked out, the block is gradually enlarged.
It's not blind logic either. Standard whois queries are used to check what IP blocks belong together and who owns them. If your ISP owns a /16 subclass and doesn't bother setting rwhois up to make people able to distinguish between IP's owned by legitimate companies and IP's owned by spammers, how can a blacklister know what IP's of the /16 block belong to the spammer?
And while boasting spamassassin, remember that it uses blacklists as well. However, using blacklists on SMTP level seems to be the only way to bring attention to the spamming problem for the ISP harboring spammers.
Personally, I don't use spews, but:
dsbl open relay, open proxy lists.
spamhaus sbl IP network ranges belonging to spammers.
0 collateral damage so far. Other high-quality blacklists include:
spamcop dynamic and automatic blacklist that lists IP addresses only WHILE they are spamming.
njabl probably the best list overall, listing all of them: spammers, proxies, relays, dialups.
Of course, many insist on not using their ISP's smtp servers so dialup ip blocking is risky, and spamcop.net relies on users reporting spam so a group of clueless people may result in a wrong IP blacklisted, so the above two blacklists don't suit everyone.
-
Re:ever tried to get off SPEWS?
Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists.
If anyone's interested, the Brazil RBL is:
brazil.blackholes.us
Other countries I also have filtered:
korea.services.net
cn.rbl.cluecentral.net (China)
nigeria.blackholes.us
argentina.blackholes.us
I use SpamCop to filter anything on these and some other blacklists as well as anything with a high SpamAssassin score, then every day or two I go through everything that was blocked and look for false positives. Any false positives get whitelisted, and everything else gets reported to the appropriate abuse@ contacts. SpamCop is very good at figuring out where to send reports, and "spamvertised web sites" don't get reported unless I approve them first, which I usually don't take the time to do.
-
Re:Bayesian Filtering
That's why I use SpamCop.net It does an excellent job of filtering and also allows you to report spam.
-
Re:do not use bl.spamcop.net for blocking
You have no influence on what goes into the DNSBl. (other than by not using spamcop).
This is not true. The reporting service has a fairly large influence on what makes it into the blocklist. See What is on the list?
-
do not use bl.spamcop.net for blocking
See:
http://spamcop.net/bl.shtml
You should /not/ use the spamcop DNSBl for blocking, as Spamcop themselves state.
Spamcop list on a statistical basis, based on headers of spam reports they receive. This means they also blacklist the upstreams of regular spamcop users (because if all of spamcop user X's mail comes to him via ISP Foo, then ISP Foo's mail server will be in all of user X's spamcop reports).
Do not use spamcop DNSBl for blacklisting - use it for tagging or scoring.
-
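Added example (not part of any comment here, and not SpamCop's own code): a Python sketch of how a DNSBL such as bl.spamcop.net is queried, and how the same listing behaves under a blocking policy versus the tagging/scoring use the comments recommend. The resolver, the listed relay address, the point value and the threshold are constructed assumptions so the example runs offline.

```python
import ipaddress
import socket

DNSBL_ZONE = "bl.spamcop.net"  # zone named in the comments above


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4 relays")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip, resolver=socket.gethostbyname, zone=DNSBL_ZONE):
    """True only if the zone answers with a 127.0.0.0/8 address.

    NXDOMAIN, resolver errors, unsupported addresses and answers outside
    127/8 (for example an ISP resolver that rewrites NXDOMAIN) all count
    as "no evidence", so a DNS problem never penalises mail.
    """
    try:
        answer = ipaddress.ip_address(resolver(dnsbl_query_name(ip, zone)))
    except (OSError, ValueError):
        return False
    return answer in ipaddress.ip_network("127.0.0.0/8")


def blocking_policy(relay_ip, resolver=socket.gethostbyname):
    """What the bounced-mail complaints describe: listing alone rejects."""
    return "reject" if dnsbl_listed(relay_ip, resolver) else "deliver"


def scoring_policy(relay_ip, content_score, resolver=socket.gethostbyname,
                   dnsbl_points=1.5, tag_at=5.0):
    """Listing adds points to a content score; only the total decides.

    dnsbl_points and tag_at are illustrative values, not taken from any
    real filter configuration.
    """
    total = content_score
    if dnsbl_listed(relay_ip, resolver):
        total += dnsbl_points
    return ("tag" if total >= tag_at else "deliver", round(total, 2))


# --- constructed test data: nothing below comes from a real blocklist ---
CONSTRUCTED_LISTINGS = {"25.2.0.192.bl.spamcop.net": "127.0.0.2"}


def fake_resolver(name):
    """Offline stand-in for DNS: listed names resolve, the rest fail."""
    try:
        return CONSTRUCTED_LISTINGS[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN (simulated)")


SAMPLE_MAIL = [
    # (description, relay IP, content score from a separate filter)
    ("legitimate mail via shared hosting relay", "192.0.2.25", 0.4),
    ("spam via the same shared relay", "192.0.2.25", 4.2),
    ("spam from an unlisted host", "198.51.100.7", 6.0),
]


def compare(resolver=fake_resolver):
    """Run both policies over the constructed messages."""
    return [
        (desc, blocking_policy(ip, resolver),
         scoring_policy(ip, score, resolver)[0])
        for desc, ip, score in SAMPLE_MAIL
    ]


if __name__ == "__main__":
    for desc, blocked, scored in compare():
        print(f"{desc:45} blocking={blocked:8} scoring={scored}")
```

The first constructed message is the false positive from the "Spamcop sucks" thread: the blocking policy bounces it because of its relay, while the scoring policy delivers it and still tags the spam sent through the same relay.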
Protection?
You can't stop someone putting your domain in the 'from' line of their e-mail account any more than you can remove l33t spk frm teh intarweb.
First of all, I'd recommend finding a hosting company which understands e-mail headers. To someone with basic knowledge of how e-mail works, it would be obvious that you haven't been spamming these people and that your account is innocent.
Second, how about putting a link to this article somewhere on your site, with a little explanation to your visitors about what has happened. It's unlikely that any of the victims will actually copy-paste the domain from their spam to their browser, but at least you're doing a little bit to raise awareness of the problem.
Thirdly, use and recommend SpamCop.net. Those hoopy froods will investigate your spam headers automatically -- no computer science degree required, and the innocents like yourself will not be terminated.
And finally... don't worry about it too much. Yes, there's the technical problem of a flood of bounces, but in my experience, people will very rarely actually look at where spam appears to be from, and will simply delete it. Your reputation is safe.
I Am Not A Domain Expert, but this has happened to several of my domains, my host is a good guy, and I'm still here to tell the tale.
-
Re:Any filtering is too much
I think your arguments against client-side filtering are far too strong.
Client-side filtering does not need to destroy false positives. Nothing keeps a mail filter on a client from generating delivery failure messages just like those produced by a MTA. Of course, I don't know why you'd want to generate such messages in response to every spam and email worm. Besides, there's no real way to know that any message was actually read by its intended recipient (instead of silently ignored) other than for the recipient to manually reply and say so. This is just the end-to-end principle applied to email.
Nothing in client-side filtering inherently prevents you from aggregating useful information about spam. I perform my own spam filtering, and I forward all my spam to spamcop where it is aggregated with spam reports from many other users. In fact, they get better quality reports from me because I manually review the stuff in my spam folder to make sure it really is spam before I report it. (I don't really have to do that since annoyance-filter, my Bayesian spam detector of choice, has an extremely low false positive rate.)
Your one good point is about resource wastage. And I'd have no problem with a mechanism that allows users to delegate spam filtering functions to their ISPs provided that the users retain ultimate control.
The problem is that such control is almost totally lacking in today's ISP spam filtering mechanisms. Filtering is usually imposed (along with IP blacklists) by heavy-handed ISP fiat, and the users get no say over what is or isn't considered spam. If you're lucky, your ISP won't automatically drop what they consider to be spam, but will simply mark it with a header or place it in a separate IMAP folder. But you will probably have no control over their determination except to ignore it and replace it with your own.
Although most of us would probably agree on what is and isn't spam in the majority of cases, ultimately spam is in the eye of the beholder. There can be no justification for withholding email from someone who really wants to receive it, and no justification (other than ISP laziness) for not giving their users ultimate control over all filtering mechanisms.
-
SpamCop doesn't want viruses
Just treat [virus infected emails] as spam [spamcop.net].
This is against SpamCop's rules, which forbid use of the reporting service on "virus infected emails ... regardless of whether you know the originating party or not."
-
delete key is tied to your ISP's abuse box
As a professional sender of spam, I just want to tell you slashdotters to keep on playing with your spam filters. As long as you use spam filters on your e-mail, I can continue to reach my real intended targets, those non-slashdotters who do not know better and will buy my products or click through to my client's websites.
Complete BS.
Geeks are ones that set up the spam filters for everyone else. End users will no more have to install spam filters than they have to install DNS entries, multi-peered lines to the backbone, etc. (In fact, the problem is that often ISPs don't tell you they are filtering, or give you the chance to turn it off.)
Your filters really help cut down on the complaints to the Internet service providers I do business with, and as long as not too many complaints come in their marketing people assure me we can do business.
Sorry, but my delete key is tied to your ISP's abuse box.
Ok, I actually have a separate "this is spam" key that sends the spam off to spamcop. I also use the following procmail script to report anything that scores too high on spamassassin:
# Pass every message through spamc as a filter so it gets X-Spam-* headers.
:0 fw
| spamc
# Flagged, 8 or more stars, no RAZOR match in the headers: pipe a copy to "spamassassin -r".
:0 cw:
* ^X-Spam-Flag: Yes
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
* !RAZOR
| spamassassin -r
# Flagged, 9 or more stars, no VIRUS<digit> match: undo the markup, truncate, pipe a copy to the reporter.
:0 cw:
* ^X-Spam-Flag: Yes
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*
* !VIRUS[0-9]
| spamassassin -d | head -c 25000 | spamcop_report
The spam_report script is very simple, it just encodes the spam and sends it off to spamcop. It can be found on http://spamcop.net/reporter.pl. I modify the number of stars (spamassassin score) depending on how much time I have on my hands right now. If too many reports get sent to spamcop for me to deal with, I increase the number of stars; when a spammer pisses me off, I decrease the score.
Even a small number of vindictive anti-spammers reporting spam will get the spammer's IP address onto spamcop's DNSBL, which feeds back into things like spamassassin.
The amount of spam that reaches my inbox in the last 6 months has been far lower than any time since the mid 1990s. Even with the reporting to spamcop, I'm spending less time dealing with spam now than two or three years ago. Over the last year or so, I've come to believe that spammers' days are numbered.
Oh, one final note. The original article complained about the fact that spamassassin mime-defangs the spam and then says that it is hard to get the original email back. This isn't true at all. On older versions, you just run it through "spamassassin -d". While you can still do that with newer versions (as per my scripts above), they now create an attachment so you can just click on it if you want to see it.
-
They're nothing but spam
They're nothing but spam promoting a hackney fix to a broken security model. Virus scanners aren't the right answer, switching OS's is. Just treat them as spam.
-
Re:Forget UCE, they need to go after the criminals
After getting a few of these in a week's time, I checked the headers, and all seemed to come from China. I'm not sophisticated enough to trace them back any farther, but since these are so blatantly criminal, I don't think they'd be originating in the US, as the potential for prosecution is so high.
I really doubt people in China want your CC address or paypal account. More likely, it's open relays in China where spammers (probably US-based) open accounts. I can think of no simple solution to this issue, perhaps best is to just cut off these ISPs (think: internet death thread) from the major ISP links here in the US. No need to kill all of China, just the last point of accountability on their side, and let them clean up their own act.
-
Re:Small norway with largest outbreak
What interests me is not that I get these things, but where I get them. I've had a subdomain of my ISP where I receive mail for any user automatically for over a decade now, but a few years ago I finally got around to acquiring my own domain and switched all my email over to that. I still access the ISP account mind - everything automatically goes to SpamCop for processing since I'm almost 100% certain any mail received is spam... ;-)
Anyhow, I've not used the ISP's domain publicly since, it's scrubbed from my web page, address books, everything, so the only places it still exists are in archives like Deja, the Wayback Machine and spammer's lists (natch), only the latter of which is likely to be an address source for the virus. Yet this is the account that regularly receives worms, which leads me to the conclusion that not only are spammers dumb, but that they use Windows and have no AV protection either, which goes a long way to explaining why these things spread so fast. It also raises the possibility of writing a more "targeted" email worm that looks for spammer's mailing list files and takes appropriate action. Deleting the files and then very slowly trashing the data on the hard drive springs to mind...
-
Calling out the lawyers (again)
Uppage there are a few of the expected calls for government regulation of email that we see every time there is a story about spam, and there are the obligatory anecdotes about the hundreds of spam emails that some poor souls find every day in their inbox.
So here is my usual post about how asking the government to regulate everything is a bad idea, and how I have little sympathy for the poor saps who are getting flooded with thousands of spam emails a day that makes it difficult for them to see the one or two legitimate emails that their friends might send them each year.
First law. Bad idea because it won't work. As long as there are different countries with separate governments that have differing attitudes towards the internet, commerce, and law it will be impossible to legislate spam out of existence. That is not to say that I am supporting the idea of one government ruling all peoples or that I am advocating any sort of international treaty on regulating email and the internet.
Far from it.
What I am saying is there are good methods of reducing the flow of spam to your in-box to a trickle, possibly blocking the spam flow completely.
Use a provider that is as concerned about stopping the spam as you are. That means no AOL, no MSN, no Hotmail, etc. These companies are notorious for not only allowing you to get spam flooded, but for allowing their customers to send spam and not discontinuing accounts that are being used as fake "reply to" and "from" addresses. There are other companies that are just as irresponsible as the ones I mentioned, so you should not think that I am saying that these companies are the only ones that should be avoided.
If you like using the same email and access provider (I've been hijacking friends access accounts for years now), then you should know that smaller access providers often are more responsive to user's (knowledgeable and legitimate) complaints than large companies. As an added bonus, their access rates tend to be low, and they are as if not more reliable than their corporate competitors.
If you like using a separate provider for email, ask around, do some searches, and choose one that has effective filtering/blocking of spam included in their basic package.
You can filter the mail yourself with one of the many spam blocking services or filters that are readily available on the internet. Here are some links to some of the blacklists and filters that I know about:
ORDB
MAPS
junkfilter
Bogofilter
SpamCop
SpamBouncer
There are others, some services are free, some charge money. If you are going to use a filter on your own machine that is not part of a service, I highly recommend that you stick with Free Software so you can learn something about how it works.
You should learn as much about the problem and potential solutions as possible by reading articles about spam that may be not quite as sensational as the currently popular "spammer hunting" genre, but are a little richer in detail and technique. Here is a good primer including some good links, and there's lots of good info on dealing with spam around the web.
You should attempt to encourage your provider to take an active role in helping users avoid spam troubles, either by providing information on how users can filter spam on their own machines, by providing spam blocking/filtering service, or by allowing users to install their own .procmailrc in their shell account (if they provide their subscribers with a shell acc
-
Nothing new...
I was recently hit by a flood of spam asking me to vote for Mr. Schwarzenegger. I'm way over here in England, and couldn't vote for him even if I wanted to.
Whoever it's from or whatever it's advertising, my spam goes to SpamCop.
-
Re:You really just don't get it
And as long as geeks happily play with their little Bayesian filters, they stop seeing spam and so stop complaining to the providers that are letting spam get through. They stop doing other things that might make spammer's life difficult.
Actually, I get filtering AND I still complain. I use SpamCop. I do of course despise getting spam, but I quite enjoy reporting 100% of my spam to their sysadmins at a click of the button. It is easy to report, and I am quite glad to be doing my part.
-
Spamassassin + wget + SpamCop
My solution (except wget so far):
- Filter all incoming mail using spam assassin. The rules are reasonably exact. Mail which is declared SPAM doesn't reach my inbox.
- Automatically report spam that exceeds SA score 7.5 to spamcop.
This procedure could well be extended to filter all URLs out of the spam and auto-wget them.
If anybody wants the spamassassin+spamcop scripts, mail me. It's a hack though (uses maildrop, qmail, perl, etc).
-
Mainsleazes.
"The beneficiaries aren't necessarily the pasty faced, high school drop out industrial spammers we have gotten to know, but well known companies."
Been well known for quite a while now. Check out the famous spamdemic map. Real marketing takes work to make it successful, but mainsleaze bozos like Ameriquest slack off with these "shortcuts".
"Most of the ISPs are good to their word and are fighting it very, very hard," he said. "But as you get into the larger ISPs, especially those that are in any form of financial difficulty, the engineers, abuse staff and technicians all want the spammers off the network, but you have the sales staff looking at the money. ... The engineers will be fighting internally with the sales managers, but of course the sales managers always win."
Which is why these ISPs should not complain when I use some choice blackhole lists like SPEWS, Spamhaus, or SpamCop to protect my inboxes from these sleazoids. Anyone remember when Aegis thought they were invincible when they allowed spammers to run amuck on their system? And where are they now? :-)
[I am not a covert ops agent of the Lumber Cartel (tinlc).]
-
Re:No, just overzealous idealists
1. Default to no on the "this spam is spam-vertising the following URLs" though admittedly this may be rare; since our clients don't spam I only see false positives on spamverts.
It is rare. Might not be a bad idea though.
2. Use some kind of collaborative filter - SpamCop must have enough users so that instead of acting on single reports, only escalate complaints if the same email is complained about by 20+ users.
It's almost never the "same". Spam software adds random words or code to the subject line and message body, as well as changing the From address, with each message that gets sent out. You could set some thresholds I guess, withholding complaints for a particular abuse@ address until you get enough of them, but for a large ISP that doesn't make much sense, since they'll be getting lots of unrelated reports.
By the way, SpamCop's automated DNSRBL (bl.spamcop.net, which they warn you NOT to use to block spam, only to flag possible spam, because it's automated and not necessarily accurate) does use thresholds like this, although it doesn't apply to spamvertized URLs.
One nice thing about SpamCop is, since all the abuse reports are sent in exactly the same format, you can filter them when you receive them. If you want to ignore complaints when there are fewer than 20 for the same web site, you should be able to automate that somehow on your end. Also, apparently you can tell them to quit sending you reports for spamvertized web sites.
-
WARNING: Not the same SpamCop
Be aware that SpamCop.com is not the same as SpamCop.net - I'm not sure who SpamCop.com is, but having worked in the abuse department at an ISP, as well as having been a paying subscriber for a couple of years now, I can say that SpamCop.net is absolutely wonderful. They're best known for automating spam reporting - you paste in your message with full headers, and they figure out where it came from and prepare an e-mail to be sent to the administrators of those networks. Upon your approval, the complaints are sent from a unique SpamCop.net e-mail address, so your own e-mail address is not revealed (in case the complaint is forwarded to the spammers), yet you still receive any replies (SpamCop forwards them back to you).
On top of that, they also offer a service for $3/month that includes just about everything you could look for in an e-mail provider - pop3, imap, webmail, the ability to retrieve mail from other POP3 (and recently AOL and Hotmail) accounts, e-mail forwarding, easier spam reporting, and of course, spam filtering using a variety of blacklists (including SpamCop's own automated RBL) and recently SpamAssassin. It's all fully configurable so you can use it however you'd like.
Again, I have no connection to them, but SpamCop's reporting really does great things towards reducing the total volume of spam going around (by informing network administrators of the problem in a clear and consistent format so it's easy to deal with). I've only seen a couple of abuse reports from SpamCop.com, compared to thousands from SpamCop.net. -
Re:I'd agree, but
Agree. Long uptimes are a recipe for disaster. 2 things can go wrong 1) the system on disk has changed under the system in memory. Broken or missing shared libraries and init scripts.
You're the admin. You're supposed to check for this. If the system isn't all that important, I may add patches without checking them on a test system, but if it's important, no patches get added until they are checked on a test system.
2) my fav, the disks stop spinning. This is lots of fun. Try it some time.
You're the admin. You're supposed to be doing backups. Personally, if I think there's a good chance that the drives will fail when I'm doing something (eg: greater than .5 percent) I make 2 back ups. Tapes can break. Also, I've not seen disks refuse to spin up without powering off for a while (more than 5 minutes). Frequently, you can get the disks spinning again by (gently!) tapping them with a screwdriver. If that doesn't work, sometimes heating them with a lightbulb will work. Heatlamps work too, but you need to be careful not to overheat the drive. I also try to get drives on critical systems replaced every 2 to 3 years. RAID helps here.
Keeping the network, hardware, OS, and applications up is important, but just as important is abuse response. There are a few hosting companies out there that do a wonderful job of keeping things ticking over, but fail absolutely at terminating abusive accounts. Hosting at one of these sites is inviting having your email blocked at the very least. Some sites block all traffic based on what's in the block lists. Part of due diligence is checking the history of a host by checking at SPEWS, SPAMHAUS, SPAMCOP, News.Admin.Net-Abuse.email, News.Admin.Net-Abuse.Sightings, and other customers' experiences.
I can't find my link to the dead tree report I use to check out hosting companies at the moment, but there are several very nice writeups out there that focus on choosing a good hosting/co-lo company.
-
Re:Spam
And, what the hey, here's the SpamCop report.
-
Re:What about MS
if you look at the headers, it still shows the IP address of the host used to send the forged email.
Yeah, most of the time it's easy to pick out, but if they've inserted extra "Received from:" lines that fit the chain, it can get rather messy.
If I'm feeling lazy I'll just feed it into SpamCop and let their scripts do the detective work. You still get the opportunity to cancel it after viewing the technical details, if you change your mind. -
hotmail
On the spamcop newsgroup this has come up several times, increasing frequently. After tens of complaints to hotmail, still the canned 'measures you can do to prevent spam' email returns. Nice to know they care about their soon to be blacklisting.
-
Re:Marketing Technology
Last year? How is that possible?
Okay. I am the source. I wrote this last year.
Copyright 2002 Danny Brewer
Use allowed under the Open Content license. How's that?
-
Re:My advice
If going with option #7 to prevent being blacklisted, then you should also protect your customers by using an aggressive DNSBL to block spam for them. I suggest spamcop as its logic is designed so that there should be barely any false positives, except where users report mailing lists.
-
Re:Going after header forgers?
This is the one that's always gotten me. It's obviously one of the worst possible things in spam. But how do you then track down who happens to be sending it and punish them for it?
I don't know how you track them down personally but when you find out let me know and I can take care of the punishment part.
Spamcop can certainly help :) -
Re:Untraceable?
What a lot of people have suggested (and some have implemented) is to whitelist their incoming email. If you aren't on the list, they aren't interested.
Unfortunately, that does precisely what the anti-spam crowd wants.
Huh? The anti-spam crowd wants to make email useless? That's nonsense. For one thing, "the anti-spam crowd" is meaningless: *everybody* is anti-spam. Even spammers are anti-spam: they just claim that their spam isn't spam.
If you're talking about anti-spam activists, then you're right that some people suggest whitelisting, but I think a lot more activists are in favour of blacklisting and various methods of filtering. They're activists because they want to use email, and spam is making that harder.
Good blacklists and filters make it a lot better. For example, I get around 50 spams a day to my inbox, but only 2-3 a week make it past the SpamAssassin filter and SpamCop filtering service. SpamAssassin gets a few false positives each week; SpamCop gets almost none. -
Re: Re: Like this is going to save the world
I'm sure this has been posted before, but there was an article on how to reduce spam. Basically, don't open it. By not opening it, ever, you stop giving hits to the original SPAM sender.
A gentle reminder, it's "spam," not "SPAM."
Unfortunately, this is totally off-base. This only works if your email client interprets the HTML and displays an off-site image or something that allows the spammer to determine that the email has been read. I, for one, don't use such a client. (Eudora or Pine, depending on where I am.) My spam load is only increasing, never decreasing.
Obligatory antispam link for those not yet aware of it: SpamCop
-
Re:Spamhaus slashdotted already
Use SpamCop instead to report spam. It very effectively roots out all of the admins involved in the spam's lifecycle, and allows you to forward a report to said admins, hiding your real email address (replies from admins, in the rare case you get any, are routed anonymously to you through SpamCop).
-
Re:bouncing mail to postmaster?
Have you reported them through Spamcop and/or sent mail to abuse@rackspace.com? You can't blame RS for failing to eliminate a spammer if you don't tell them. In most ISPs' cases you can't even rely on telling them once, since that's when they send the warning.
The right thing to do is block the spammer, not Rackspace. Rackspace probably deserves an entry in an ISP-RBL somewhere, but most systems will weight that fairly low.
The really funny thing is that I got Slashdot's email-notification of your post, and there was a Rackspace ad in it ;-) -
Re:I don't get it
I know what you mean about mail to domains... I've registered 13 domains (some for clients) over the last few years, and want to monitor postmaster@, webmaster@, abuse@ etc. Used to get mountains of spam addressed to these aliases, together with some others that I don't want blocked off (enquiries@, info@).
I've found spamcop to be a fantastic service. I just forward mail from all my domains to my spamcop address, which filters it according to a (configurable) selection of blacklists, etc. The spamcop account then forwards the "clean" mail wherever I want it.
Out of all the crap sent to 13 domains, it's unusual to have more than one slip through a week (YMMV, of course). No false positives so far, either.
Whenever I've got an idle minute, I review the held spam through a web interface and select the offenders for automated reporting. They've probably moved on by that point, but it might make a small difference. Gets potential relays tested too.
$30 a year, but has saved me a fair bit of time. -
Do I win??
from http://news.spamcop.net/pipermail/spamcop-social/2003-January/021018.html
George Moore Jr.
300 Twin Oaks Road
Linthicum, Md. 21090. -
Re:if looking for a killer online mail service
I use SpamCop - also $30/year with excellent spam AND virus filtering, plus a great web e-mail client and support for POP3/IMAP and SPOP to your ISP.
-
Re:The Ultimate Solution to Spam
When spammers use my e-mail address as the "From" address on their spam, please do not post it to a web site. Getting all the "User unknown" bounces is annoying enough.
Spamcop is a much better idea. -
Re:Best software solution?
Myself, I've tried domain based systems like SpamCop (overall good, but not perfect), double blind email systems (like SneakEMail) and client side filtering.
Presently, I'm trying the 'intelligent' filtering in Mozilla with pretty good results. As I don't pay a per MB charge for bandwidth this solution works for me on an individual level. The one cost is waiting for 50 - 100 spams to download while I get 1 or 2 good messages. (Note, the current Mozilla is kind enough to move auto flagged spam to a Junk folder for me).
I've found that even when it flags "legitimate" emails, they're marketing emails sent from organizations I do other business with. I'm quite happy to not see their marketing emails.
:-) -
Re:Money talks
Most spammers don't use open relays, and they don't use their ISP's mail server!
Do you have any facts or specific experience to back this up, or are you talking out of your ass?
I used to work with the abuse department of a broadband ISP. The majority of the spam complaints we received were due to our customers who were running SMTP servers and didn't realize they were configured as open relays. Spammers would scan blocks of IPs on our network, find somebody with port 25 open, see if it's an open relay, and if so, start sending spam. Over the next 24-72 hours we would receive complaints, mostly from SpamCop. We'd identify the customer and send them an e-mail notifying them of the problem. 24 hours later we'd suspend their service. Then the customer would call into Tech Support confused about why they can't get online, and we'd have to explain what was going on. Most of the time they had no idea. Some of these customers don't know what an SMTP server is, let alone an open relay - yet somehow they've got one set up. Others know, but just forgot to fix it.
Of course, open SMTP servers are not the only problem - open proxy servers work too, usually to connect to an open relay somewhere else so the spammer's real IP doesn't show up in the headers.
I do agree that most spammers don't use their ISP's mail server, although several do. Some ISPs such as Earthlink firewall port 25 so you can't send mail except through their servers (unless you exploit an open proxy; see above) - this helps Earthlink to greatly reduce the amount of spam coming out of their network, since customers with open relays are not a problem for them.
So if we could please move on, the problem is that spammers are doing the same thing as many people on slashdot, they are running their own mail server off their cheap (often free thanks to parents, and yes I am asserting that much spam is from teenagers) broadband connections
Spamming directly from your own broadband connection is retarded; that's why most spammers don't do it. Our policy was to suspend your service until you agree to quit spamming, then suspend it again until you agree to quit spamming again, then cancel your account and charge you a $250 early-termination fee for breaking your one-year contract. We've already got your credit card number, and it's in the service agreement.
I think this is something that needs to happen more often: ISPs need to start making it really expensive for spammers to operate, by charging them large fines when they do. Don't just cancel their account, but make them pay.
The biggest problem with this is, there are so many incompetent people with hacked/infected machines that it's often impossible to tell the difference between an innocent victim whose system was compromised and a die-hard spammer who's lying through his teeth. The latter you want to get rid of ASAP; the former may pay you a lot of money over the next several years (and refer all his friends) if you can help get this little issue resolved. -
Re:remove the open relays
Check out spamcop.
-
Re:remove the open relays
I happen to use Spamcop to get said information. You enter the headers and the body of the spam, and it processes all the headers, compares them to known open relays, and will identify the email of the admin of both the origin point of the email, and the relays it passes through. Even sends an alert for you, if you so choose.
-
Well...
I work for a small ISP. I took over abuse duties about a year and a half ago.
It hasn't happened in a while, but any time I got a complaint about a customer spamming that checked out, I cut off the account immediately. This was happening about once a month for a while -- people signing up for throwaway accounts and spamming the hell out of them until they were cut off. One morning I checked my email and found spam that was sent from one of these accounts. I was able to log in, lock the account and kick 'em off our modems. That made me feel good.
As for responses to complaints: we'd get a lot of complaints when one of these episodes happened (usually through the good offices of SpamCop, who Truly Rock), and it was impossible to reply individually to each one. I took the initiative and installed Linux (had been W98) so that I could use Mutt, with all the automation that implied, to send canned responses to let people know that someone's listening.
There are two big reasons for any ISP to respond aggressively to complaints about spam:
First, it's death to end up on a blacklist. The number of complaints would be astronomical, and if you're not lucky enough to be dealing w/a blacklist with defined ways of getting off it, you're stuck either waiting for people to decide you're honest/have suffered enough, or living with random chunks of email bouncing. Have a look in news.admin.net-abuse.email (I think that's the right group -- check Google) sometime and read the complaints from people who have been blacklisted. There is no sympathy (or at least very little) in that group for anyone who is blacklisted (whether there should be sympathy is another question).
Second, and arguably more importantly, spam is just plain wrong. There were the comments of the head of an old ISP -- The Well, maybe? -- a while back; he said that for any other entity on the Internet, a DDOS on the scale of spam would be Big News and would result in action. But email, for some reason, just doesn't rate a damn. People are drowning in the stuff, but so are mail servers, and the ISPs that run them, and the admins who take care of them. Check out my journal -- we had to spend $ on getting a new server, plus my time to set it up, just to keep our customer-facing mail server from falling over from the sheer volume of the stuff. That's fucking insane, and the idea of contributing in any degree to someone else's version of that story should make anyone sick to their stomach. It is such a waste of so many resources.
So for me at least, the moral and economic incentives to take action on spam are huge, but the volume of complaints for any episode usually prevents me from replying personally. I can only imagine what it would be like for someone at AOL or Sprint or what have you. YMMV.
-
Impractical, but there's another way
The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited
Assuming that'll never happen ('illegal' never stopped a spammer, and they'd never comply with a suicide-tag), an easier way would surely be to provide header analysis in email clients, or mail servers, or both.
If I (as a user or mail server admin) could detect (a la Spamcop) forged or rewritten headers and discard/bounce those messages as fake, most of the immediate problem is addressed. Why don't mail clients/servers offer this out of the box?
That step achieved, those messages from non-forged addresses can be filtered and, if spam, automatically actioned with the source ISP - that should be the role of anti-spam software, IMHO.
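An added example (not part of any comment here, and not SpamCop's code) of the header analysis asked for above, written so that inserted Received lines that "fit the chain", as an earlier comment puts it, do not change the result: trust only the headers your own servers wrote, and take the first connecting IP outside your network as the real source. Hostnames, addresses and the `trusted_nets` parameter are constructed for illustration, and only Postfix-style Received lines are parsed.

```python
import ipaddress
import re
from email import message_from_string

# Postfix-style layout only: from HELO (rdns [ip]) by HOST ...
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
                 r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")

# Constructed sample. The top two headers were written by the recipient's own
# servers (192.0.2.0/24); the bottom one arrived with the message and is
# forged so that its "by" host matches the HELO name of the hop above it.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id A1; Mon, 6 Jan 2003 10:00:02 +0000
Received: from mail.bigisp.example (unknown [203.0.113.45])
\tby mx1.example.net with SMTP id B2; Mon, 6 Jan 2003 10:00:01 +0000
Received: from dialup7.bigisp.example (dialup7.bigisp.example [198.51.100.7])
\tby mail.bigisp.example with ESMTP id C3; Mon, 6 Jan 2003 09:59:58 +0000
From: someone@bigisp.example
Subject: constructed test message

body
"""


def parse_hops(raw):
    """Return one dict per Received header, newest first (None if unparsed)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        hops.append(m.groupdict() if m else None)
    return hops


def find_handoff(raw, trusted_nets):
    """Walk down from the newest header while the connecting IP is one of our
    own relays; the first outside IP is the real source, and every header
    below it was supplied by the sender and proves nothing."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if hop is None:
            return None  # a header we should have written is unreadable
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return None
        if not any(ip in net for net in nets):
            return {"ip": hop["ip"], "helo": hop["helo"], "rdns": hop["rdns"],
                    "recorded_by": hop["by"], "unverified": len(hops) - i - 1}
    return None  # message never crossed the trust boundary


if __name__ == "__main__":
    print(find_handoff(SAMPLE, ["192.0.2.0/24"]))
```

The hostname after `by` is never used to decide trust, because a sender can write any name there; only the connecting IP recorded by a relay you control counts.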
-
Re:Always with the legislation...
This is almost exactly what spamcop.net does.
You give spamcop a copy of your spam. Spamcop then hunts down the offending server(s). If enough people complain about those particular servers, they (the servers) become black-listed, so that if you filter your email w/ spamcop, email from those machines won't get through.