Slashdot Mirror

The Spamhaus ROKSO database lists the netblocks and other relevant information. Interesting tidbit: Scott Richter's address block is now served by T-Systems. It doesn't take small shady ISPs or anonymous DSL accounts to bring spammers online.

First off, it hasn't happened yet. Nothing has been proven to work here, since they haven't actually done anything yet.

Second, SPF doesn't stop spam in the long run. SPF does not even address the problem of spam per se -- it addresses email forgery, and that not very well. In the unlikely event that every email system everywhere implemented SPF restrictions, spammers would still be able to send spam. They simply would not be able to send it under forged addresses in domains that publish restrictive SPF records. They could still send forged spam under domains that cannot (for their own reasons) use highly restrictive SPF, or they could send spam under their own domains.

(Yes, spammers have their own domains. Usually lots of them -- domain registrars' "bulk register" systems allow them to get LOTS of them easily. The registrars get their money, so most of them don't care that the domains are being used for spamming and the contact information is bogus.)

SPF is a case of "solving the wrong problem". The patient has a broken arm, but the quack doctor does not know how to set bones so he gives the patient an aspirin. But the patient's problem is not basically that he is in pain, but that his arm is broken -- the quack is solving the wrong problem.

The Internet's email system basically does not have a forgery problem. People who need to send each other forgery-proof email are already able to do this using systems like PGP. The email system does, however, have a spam problem. Though a good deal of spam is forged, the spam problem goes deeper than forgery. If SPF is widely deployed, spammers will just work around it ... just as they worked around the closing of SMTP open relays by deploying zombie viruses.

The spam problem is today one of ISP accountability, not email forgery. Spammers do their thing, and when people come around to complain, spam-friendly ISPs shine them on. No joke -- take a look around the Spamhaus Project, where professional researchers have tracked down the ISPs that do the most to help spammers.

SPF isn't the solution to spam. SPF isn't even the solution to forgery. But it makes nice headlines. People who want to look busy, and look like they are Doing Something to solve a nasty problem, sometimes don't care if the Something they're Doing is actually effective at all.

(Besides, honestly, why would you expect a company which itself sends spam for hire to actually try to stop spam? Microsoft bCentral operates some legitimate mailing lists, but it also allows its list operators to send unsolicited "opt-out" spam. This is an archive of reported spam sent using bCentral facilities.)

However, there is another domain which has had banner ads for its services. After getting a particularly bad spam attack (around 30k/day to random addresses @ that domain from the same spammer), I spoke with the owner about killing wildcard handling and instead only handling the ones being used.

Btw, three months later, that spammer is *still* being hosted by CW/Savvis. http://www.sheckmedia.com/ is the site of the spam domain owner, but the spamming subnnets, 64.70.43.0/24 and 216.39.64.0/24 are different than the website. Anyway, talk about bulletproof hosting...

After setting up individual boxes for that domain, I decided to direct the rest into a file just to see what kind of crap comes through. For the month of June, there were over 107000 emails. For the month of July there have been 41969 so far. The July numbers are probably a bit lower because I recently added njabl.org blocking (w/o dialup blacklisting) with rbldns. During both months, spamhaus.org's lists and spamcop.net's lists were in use.

So, it's not really a matter of whether or not you handle wildcard addresses, but whether the spammers to decide to use dictionary attacks on your domain.

However, there is another domain which has had banner ads for its services. After getting a particularly bad spam attack (around 30k/day to random addresses @ that domain from the same spammer), I spoke with the owner about killing wildcard handling and instead only handling the ones being used.

Btw, three months later, that spammer is *still* being hosted by CW/Savvis. http://www.sheckmedia.com/ is the site of the spam domain owner, but the spamming subnnets, 64.70.43.0/24 and 216.39.64.0/24 are different than the website. Anyway, talk about bulletproof hosting...

After setting up individual boxes for that domain, I decided to direct the rest into a file just to see what kind of crap comes through. For the month of June, there were over 107000 emails. For the month of July there have been 41969 so far. The July numbers are probably a bit lower because I recently added njabl.org blocking (w/o dialup blacklisting) with rbldns. During both months, spamhaus.org's lists and spamcop.net's lists were in use.

So, it's not really a matter of whether or not you handle wildcard addresses, but whether the spammers to decide to use dictionary attacks on your domain.

However, there is another domain which has had banner ads for its services. After getting a particularly bad spam attack (around 30k/day to random addresses @ that domain from the same spammer), I spoke with the owner about killing wildcard handling and instead only handling the ones being used.

Btw, three months later, that spammer is *still* being hosted by CW/Savvis. http://www.sheckmedia.com/ is the site of the spam domain owner, but the spamming subnnets, 64.70.43.0/24 and 216.39.64.0/24 are different than the website. Anyway, talk about bulletproof hosting...

After setting up individual boxes for that domain, I decided to direct the rest into a file just to see what kind of crap comes through. For the month of June, there were over 107000 emails. For the month of July there have been 41969 so far. The July numbers are probably a bit lower because I recently added njabl.org blocking (w/o dialup blacklisting) with rbldns. During both months, spamhaus.org's lists and spamcop.net's lists were in use.

So, it's not really a matter of whether or not you handle wildcard addresses, but whether the spammers to decide to use dictionary attacks on your domain.

Well Microsoft does get to pay Hotmail's bandwith bills, email storage costs, and employ people to deal with abuse reports? Don't forget that they also get to deal with all the spam that is undeliverable, bounced, or dropped by user's filters etc. Per individual spam, Microsoft may well be paying less than a recipient, but there is definitely a very real price tag attached.

Unfortunately however, under CAN-SPAM, only ISPs and not end-users can use the legislation to go after spammers through the courts. As the owner and operator of Hotmail that would naturally include Microsoft. Of course, the statement that the actions has "netted them $54 million" means the courts have awarded them that much, they will actually see far less of it than that.

It would certainly be nice if Microsoft (and others in a similar position) would make at least a token contribution to the anti-spam groups out there. Spamhaus operates almost entirely on contibutions and sponsorships, Spamcop has a legal defence fund, Spam Assassin is now under the auspices of the Apache Foundation... the list goes on.

But most of the spammers are in America, and sending spam to Americans. See ROKSO. That they're going via a server in "Country 2" should be irrelevant.

I don't get it.

All this bruhaha, yet still all they would have to do is using their existing laws and take down Ralsky, Richter and the rest of the well known spammers whose track record of criminal past and present has been thoroughly documented over several years now on Spamhaus and other sites.

Ralsky, Richter and the other gang of professional spammers know what they do, most of them openly admit what they do and many of them have boasted about it on several occasions in newspaper and TV reports about the spam trade (e.g. this recent German article and a slur of others articles).

So what are these agencies doing all this time? They keep saying "watch out, spammers, we're really going to get you big time, very soon now, now please don't move while we concentrate our efforts, but yes, we are going to get you!" - and they still don't actually go after them. Or am I missing something?

And while it seems to non-Americans that the new homeland security policity can quite likely send you to Guantanamo for a traffic light violation if you happen to look like the wrong ethnic group, these guys still get away with it.

I really really don't get it.

for Americans ? , why yes it is

Here's the actual Ars Technica story that wasn't linked, but copied and pasted as the Slashdot story.

Something I've been wondering about though is SpamCop's yearly stats. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.

• spamhaus
• dnsrbl
• ordb
• opm
• njabl
• maps
• 5/10
• spamcop

I don't think so. As the guy from Spamhaus says, the FTC et al know who the sapmmers are, most of them are American, resident in America. Yet they dpo nothing to stop them. Just look at the ROKSO list Here are names and addresses of 180 of the world's worst spammers, 140 of who are Americans. It's lack of will, not lack of evidence. The direct marketing lobbies have made sure that spamming will not be stopped. If any value was put on the resources these people waste, the FBI's Most Wanted would all be spammers. But because they just look at it individually, it's seen a nickel and dime.

YOU

Brilliant. I thought of that. I do it. It's a real pain, and costs me money and time. I could always print it out and post my messages too.

Call your recipient and ask them to whitelist your IP address.

I tried that. They don't have the authority.

There are plenty of alternatives. There's no reason I should be inundated with spam because your ISP is unethical.

In case you didn't read the post you're replying to, MY ISP DIDN'T DO ANYTHING UNETHICAL. It just happens to be in the same country as one that might have, some years ago.

As for being inundated with spam, 95% of my spam is from Americans. You know who they are: 140 out of the 180 in ROKSO are American. Get your own house in order.

I am pleased however that more proactive steps are being taken by organisations such as Spamhaus in addressing the problem by both a technology and policy driven approach in combatting the problem. And that more prosecutions are happening. But I don't see the tide being turned anytime soon.

As for the internet dying, I don't see it. There is now to much commercial interest in it for corporations to sit idly by and do nothing about SPAM and other problems we encounter on the internet. Even our governments misguided steps at regulation, show that the internet is here to stay. It may transform in the future but I don't see it dying just yet.

Super Cheap Deal! Generic Viagra from $3 WOW!!

most places charge $15, we charge $3 ONLY!

- No embarassing doctor visits
- Private and secure online ordering
- Shipped worldwide!!

Order today, and become the stud you always wanted to be.

http://-------.biz/superhard/

Super Cheap Deal! Generic Viagra from $3 WOW!!

most places charge $15, we charge $3 ONLY!

- No embarassing doctor visits
- Private and secure online ordering
- Shipped worldwide!!

Order today, and become the stud you always wanted to be.

http://-------.biz/superhard/

Though I seem to recall contradictory articles citing either the USA or China as the countries causing the most spam, all I could dig up points the finger to the good ole USofA.
http://db.org/spam/weekly/2004/04/
http://www.spamhaus.org/
Worst offenders: United States, mci.com, and Alan Ralsky

Don't know about 'all' of theme, but the vast majority of spam comes from a relatively small list of documented, well-known 'hard-line spammers'.

http://www.spamhaus.org/rokso/

I was thinking something like sbl-xbl.spamhaus.org, which also uses data from cbl.abuseat.org and opm.blitzed.org among other places. I use it as a general purpose blacklist for mail/irc that doesn't just list people on dial-up/dsl/cable connections. It actually works fairly well.

Most of the spam is from America and sent to Americans. Actually I get a lot of that too, though I couldn't buy the stuff advertised even if I wanted to (American mortgages, credit cards, cable decoders as well as the usual viagra etc). I assume you're American -- look at the Register of Known Spam Operations. 141 out of 180 are American. One is From Hong Kong. When you get the number of spammers down to the same, you come back and complain. Americans are the spammers. But you want the rest of the world to solve your problem, and/or suffer for it.

It's interesting how the Russian Mafia is helping American Marketers take advantage of Chinese Equipment. My question is: How involved are the actual Chinese people? Are they all victims of circumstance, or are they helping in some way?

They profit.
This article is incorrect inasmuch as whenever you see a spam for "bulletproof hosting" it's for a Chinese server. The article kinda implies that their incompetent tools but if you go to and read the comments on the various ISPs you can see that they're really complicit.

The general wisdom is that, like the US, most of the spam appearing to come from local servers is from zombies. We have cheap broadband here, like Korea, and that brings its problems. It'd be nice if you guys could send a lynch mob to get these assholes and we'd all see less spam.

http://www.spamhaus.org/sbl/howtouse.html
http://www.spamassassin.org/full/3.0.x/dist/rules/ 25_uribl.cf

yeah that's right
but all i see are Americans blaming someone else like China, mayvbe if i put my head in the sand i can do that to

i have an idea,how about those that make the mess clean it up ? (Iraq/Spam/Landmines/pollution/etc etc)

Didn't Spamhaus recently launch the pretty much the same service called the XBL?

"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso

The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses".. I think that may be a typo as the system scans some email and grabs the ip from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses it gets listed (regardless of infection) is a pretty sucky system.

Maybe you don't understand how this works. A relatively small number of network operators (ISP's and other businesses that get a lot of mail) drive enough queries against the Spamhaus lists that it is worthwhile for them to have a full copy locally. IF your mail provider is one such entity, they are almost cerainly already using Spamhaus' lists and so you are simply not getting all the spam aimed at you. If it is not worthwhile for your mail provider to get a data feed from Spamhaus because their users don't get much spam, there is no cost for them to pass along.

You should also look at the Spamhaus price calculator. It tops out at $1.18 per year per user and in my opinion (based on experience with large email systems using DNSBL's) that range is unlikely to be one where a data feed makes any sense technically even if it were free, unless the users are being very heavily spammed on an ongoing basis. At the other end, with a million users, an ISP would have to figure out how to pass along less than 2 cents per year to each user.

You're confusing Spamhaus with SpamCop. Only the latter has an affiliation with IronPort.

The public DNSBL service will remain free.

I live in Hong Kong. For every legitimate email I get from the US I get hundreds of spams. All in English, selling drugs, mortgages, software, porn, cable decoders etc. The US creates the spam, and routes it through whatever servers it can find. And you know who thw spammers are (ROKSO) and do nothing to even slow them down. But you block my emails becuae I live in the same country as the server the American spammers are using.

"The Register of Known Spam Operations (ROKSO) database collates information and evidence on known hard-line spam operations that have been terminated by a minimum of 3 consecutive Service Providers for serious spam offenses.

200 Known Spam Operations responsible for 90% of your spam.

90% of spam received by Internet users in North America and Europe can be traced via redirects, hosting locations of web sites, domains and aliases, to a hard-core group of around 200 known spam operations, almost all of whom are listed in the ROKSO database. These spam operations consist of an estimated 500-600 professional spammers loosely grouped into gangs ("spam gangs"), the vast majority of whom are operating illegally, and who move from network to network seeking out Internet Service Providers ("ISPs") known for lax enforcing of anti-spam policies."

The ROKSO list says otherwise. Stop 10 top spammers, and the spam will likely decrease by over 90%. It's not the small spammers who are flooding the net, it's a bunch of a few criminal individuals. Of course, you'll have to keep up the fight, since other sociopaths will gladly take the place of those top-10 spammers...

Unfortunately, most of ROKSO are living in the Land of the Free, where they are unlikely to be prosecuted effectively [CAN-SPAM] :-(

Personally, if it were my universtiry, I would prefer they started to use a RTBL. The fact of the matter is, if the likely spam isn't sorted out first, I have to try to discern the stuff entirely by hand. And although I can easily pick out Viagra ads, I have relatives and the occasional acquaintence who send mail that looks awfully like spam. Didn't want to type a subject. Used "hello" as the subject. Didn't configure their mail client properly, so their "replyto" looks crazy. Without some initialy spam filtering, I would miss at least some of these -- in fact, I'd probably miss more mail with no filtering than with a judicious blackhole in front of me.

Love or hate SPEWS and other kinder, gentler RTBLs, they're better than the present choice. It would certainly reduce the load of these email servers to where it could be more easily handled. And, if nothing else, they couldbe used to prioritize mail. Use Spam Assassin or something else to do some initial tag and filter so that mail coming from Asian IPs or originating from mail servers on cable/ADSL networks gets put into the "slow" processing queue while everything else gets sent down the faster pipe.

</spouting with little to no knowledge>

Here's what the article's all about: CAN-SPAM Act Congressional Testimony of Assistant Director of the Federal Bureau of Investigation Jana Monroe before the Senate Committee on Commerce, Science, and Transportation, May 20, 2004

Steve Linford of spamhaus calls the overview of Project SLAM-Spam "required reading for all spammers."

Actually, more and more spam is originating from various 0wned Windows boxen sitting on broadband lines right here in the US.

I think what you meant to say is that 90% of the websites advertised in spam emails today are offshore.

However, just because the servers are offshore does not mean that the spammers are foreign. If you follow the money like spamhaus.org does, you'll see that the large majority of the world's largest spammers are, in fact, based in the US. They simply host their servers in China.

In short, most American spammers have already moved their operations abroad. But as long as the spammers themselves are still here, they are very much subject to prosecution. It just takes more work to track them down. :)

Actually, more and more spam is originating from various 0wned Windows boxen sitting on broadband lines right here in the US.

I think what you meant to say is that 90% of the websites advertised in spam emails today are offshore.

However, just because the servers are offshore does not mean that the spammers are foreign. If you follow the money like spamhaus.org does, you'll see that the large majority of the world's largest spammers are, in fact, based in the US. They simply host their servers in China.

In short, most American spammers have already moved their operations abroad. But as long as the spammers themselves are still here, they are very much subject to prosecution. It just takes more work to track them down. :)

Some day, some person will find his inbox filled with 1002 spam messages and crack, sure hope he stumbles on this page - [ROKSO] ;-)

http://sophos.com/spaminfo/articles/dirtydozen.htm l, http://www.spamhaus.org/rokso/.

Nope, the majority of the 'spam originators' are in the US: http://www.spamhaus.org/rokso/.

Any spam you get for "bulletproof hosting" is no doubt for a server located in China. That's why they're bulletproof. No one in the country cares that they're sending spam; it's a legitimate business.

It brings in Western currency and that's all anyone cares about. It's amusing that they're more whores to the almighty dollar than we (the US) are!

Spamhaus lists China as #2 though. I'd tend to believe their analysis over anyone else's, especially when you consider how much spam 0wn3d machines on Comcast's network are spewing.

Strange, because USA is still #1 in all 3 categories listed (scroll down) on spamhaus.org
Besides - who cares where the exploited servers are? Soon (my guess is - less than 6 months) the majority of spams will be sent via zombies taken over by some worm or virus. These computers will be spread all over the world. The only solution is to nip it in the butt. Make spam illegal (as it is in Europe) and sue the pants of the spammers. Enough of those stupid atempts to pretend something is being done. We all know that the spammers are from Gods own country - hijacking machines whereever it's easiest.
/me sets mode -rant

I question whether or not Spam is truely 'untraceable'. If the full wrath of the NSA was turned on spam, the spam-mails would probably cease relatively quickly. According to Spamhaus the United States is the top producer of spam closely followed by China and South Korea.

Now I understand that, in the US, we have laws that protect an individuals privacy; hence Federal laws that allow prosecution of 'illegal spammers'. With regards to other countries; why not have an unoffical government agency to hack the spammers? It's obvious that most foreign spam is sent with the intent of defrauding Americans. Couldn't that be construed as an act of cyber-war?

How about this idea? Have all U.S. ISPs block IP addresses from Asia, if only for a day. I wonder how much spam would get kicked back and crash Asian Networks.

You mean like this?

Spam is the USA's problem. Greater than 70% of the spam I recieve in my inbox comes from the USA (stats courtesy of the fantastic Spamhaus). The CAN-SPAM legislation is too lenient and unenforcable, it cannot stop the problem. Hell, the US courts are now siding with the spammers!!

It's an unpopular opinion, but the USA is to blame for the SPAM epidemic. When they get their own house in order, the worldwide spam problem will stop, I guarantee it. Until we see some effective legislation, Spam will continue to be a greater and greater problem.

[Richter] *is* a convicted felon (fenced some stolen goods a decade or so ago), a habitual liar (high-volume email deployer, anyone?) and he steals every day by spamming.

Jenohn writes...

"There are firewall/spam blocker methods that will continue to fail as spammers learn the tricks to route around them. This is the old hacker/security expert game. Build a better lock/block and it will soon be cracked/by-passed. The cycle is repeated ad nauseum."

Really? Now how do you come to that conclusion?

I ask because I use a combination of blocking methods, including referencing at least a half-dozen DNSBL's and a locally-generated (on our mail servers) blocking list. The ultimate purpose is to refuse connection attempts based on source IP address or domain name.

This method is extremely effective, and I don't know of any cases where it has been cracked.

The most egregious offenders, such as Wholesale Bandwidth (who happen to be hosting a big chunk of Richter's operations), get dropped into my router's 'Deny' table. This has the effect of denying ANY connection to any system within my LAN, based (again) on originating IP address or address range.

This method has also proved extremely effective, saving me God only knows how many hours of wasted effort in sorting out what's spam and what's not.

Please explain to me how these methods, used by thousands of other admins and ISPs, "will continue to fail," because I can't see that they ever failed in the first place.

If you don't believe me, ask your ISP to turn off any filters they're using on your mailbox for a 48 hour period. ;-)

Oh, one other thing. Don't write it as "SPAM." That's a registered trademark of Hormel Foods. Write it as "spam" or "Spam."

"Listed in Spamhaus" can be considered "not legitimate"

Only by spamhaus and its lackeys.

Spamhaus' ROKSO is a collection of evidence and information about people who have been kicked of multiple ISPs for unsolicited email and other violations. The evidence is quite substantial. Do you not concur?

Just keep the list accurate. Only include IP addresses of actual spammers.

Your "solution" doesn't work in the real world. ISPs seem to have no hesitation in moving spammers to different IP addresses to evade these blocks. If you want to play whack-a-mole all day long - go right on ahead until it convinces you the futility of this approach.

Now since an ISP is really ignoring complaints and moving spammers around their networks to evade blocks, they can be considered aiding and abetting spammers. The logical course of action is to block all IP addresses of that ISP, since the ISP themselves are condoning spammers with these tactics.

At the end of the day ISPs must make a choice between hosting spammers or genuine customers. Surely is is better for customers not to have spammers roving around their networks, and the quicker ISPs terminate their services and protection of spammers the better it is for you and the internet in general?

It should not need to take an block of all IP addresses of an ISP to get them to do their jobs properly.

I doubt it would make much difference, because the vast majority of spammers are American.

Most of the mail is only relayed through insecure Asian servers, and monitoring Internet cafes is not going to help secure those servers.

Rather cut spam at it's source.

• Arrest warrants are outstanding for defendants James Lin and Daniel J. Lin. In a criminal complaint issued by the U.S. Attorney's Office, these individuals have been charged with violations of the federal mail fraud laws as well as with criminal violations of the CAN-SPAM Act.

The FTC also credits Spamhaus in assisting with the investigation.

If they're going to go after someone in the Detroit area why not Alan Ralsky?