Slashdot Mirror

Bad news, pyros: of the 200-odd major spammers who account for 90%+ of the world's spam, most are US-based. They are only routing their... um... product... through offshore servers to avoid detection. See the ROKSO list at SpamHaus.org.

Oh but it's worse than that. The opt-out provision only applies to the specific company being advertised. Start a new shell company (maybe $50 in some states, less in the carribean) and you can spam everyone all over again, 100% legally. Plus you've got all those freshly confirmed addresses!

In fact, I don't think the law prohibits selling your opt-out list to other spammers, for use as their new spam list. Isn't life grand?

• no private right of action. 99.98% of spammers don't cause $5000+ worth of damage and therefore will never be prosecuted by the FBI or FTC. Individuals, companies, and probably even state governments will have to take it up the ass.
• Meanwhile, the big names on ROKSO will know how to abuse the loopholes free and clear.
• Nulls out all existing state spam laws, most of which are stronger than this crap.

Oh but it's worse than that. The opt-out provision only applies to the specific company being advertised. Start a new shell company (maybe $50 in some states, less in the carribean) and you can spam everyone all over again, 100% legally. Plus you've got all those freshly confirmed addresses!

In fact, I don't think the law prohibits selling your opt-out list to other spammers, for use as their new spam list. Isn't life grand?

• no private right of action. 99.98% of spammers don't cause $5000+ worth of damage and therefore will never be prosecuted by the FBI or FTC. Individuals, companies, and probably even state governments will have to take it up the ass.
• Meanwhile, the big names on ROKSO will know how to abuse the loopholes free and clear.
• Nulls out all existing state spam laws, most of which are stronger than this crap.

See the Spamhaus ROKSO database: Spamhaus ROKSO and you'll see that 99% of the spammers listed are in the USA.

SO having a law to stop them would help. Yes, they might then actually move to India, Korea, etc. to send spam, but as you can see, that would create a much bigger obstacle for them. I see this law as a positive move.

(1.) U.S. Laws only reach as far as U.S. borders. Where does 95% of spam come from?

Most spam actually originates from the US! And most virulent spammers are also located in the US: just look at the rokso list for the top spammers.

its going to be tough with all the world wide spam

But is the rule of thumb that most spam comes from outside the US really correct? If you look at ROKSO's list of the most prolific spammers (responsible for 90% of spam), 131 of them are based in the US. Counts are:

United States 132
Canada 9
Australia 5
Argentina 3
Russia 3
Costa Rica 2
China 1
Taiwan 1
United Kingdom 1
Germany 1
Hong Kong 1
India 1
Philippines 1
Poland 1

Your right. Only a few spammers. Most from the Us

I direct you to Spamhaus.org rokso list

Have a quick scan down the list of countries...

Simon

Spamcop is one of the blocklists that has been under perpetual attack by spammers. Recently, spammers started a rather major DDoS against spamcop and several other services.

Antispam services that have limited operating resources (such as the now defunct monkeys.com and osirusoft.com) -- while extremely useful services, simply didn't have the means to withstand major attacks. Those two services had to be shut down because the owners could not deal with the onslaught. Spamhaus, and probably now Spamcop will be able to withstand attacks.

Kudos to any company that joins in on the spam fighting effort. Also worth mentioning are the good folks at Easynet, who have been running top-notch anti-abuse DNSBLs that are available to the public.

The problem of spam is already a problem of laws going unenforced against an entrenched criminal element. While spamming itself may not be explicitly illegal, the act of spamming is not separable from acts which are illegal, such as fraud, conversion, and theft of services. Many (including some spammers) are under the misapprehension that because these laws go unenforced, spam is thereby legal. Indeed, the problem of enforcement is so bad that blatantly destructive acts such as denial-of-service attacks against anti-spam services have gone utterly uninvestigated by law enforcement. (This may be changing.)

It is utterly unnecessary to create further laws which penalize ordinary Net users, in an effort to stop spammers. Indeed, such laws simply aggravate the problem already posed by spam: increasing the bother, inconvenience, and expense of using and operating the mail system. In effect, such laws would help the spammers destroy email.

I read the first line of the first header of this article and saw interbusiness.it. My advice: block or drop everything from interbusiness.it!

The 52 listings at Spamhouse tells enough about the hat colour of this company. Who want's to block interbuisiness.it complete, got to blackholes.us. Here you find all the netblocks tha belong to notorious Spam-Countries (China, Taiwan...) or Spam-ISPs (verio.net, interbusiness.it...).

This page is my mailserver's best firend :-)

NoSuchGuy

As reported on their cyber attacks page, Spamhaus.org is using the iSecure product from Melior to block the DDoS from mimail and variants. If iSecure fails and spamhaus.org is unreachable, here's the Google cache.

finally leave home and get a job?

The above is good, but try using a TXT lookup instead. Thats "dig D.C.B.A.sbl.spamhaus.org TXT".

For example, let's say our spammer of the day (We'll call him 'Drew Auman', because that's his real name) is spamming his domain "kingherbal.biz" with an IP address 203.197.204.86.

[root@localhost] # dig 86.204.197.203.sbl.spamhaus.org TXT

; > DiG 8.3 > 86.204.197.203.sbl.spamhaus.org TXT
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 15
;; QUERY SECTION:
;; 86.204.197.203.sbl.spamhaus.org, type = TXT, class = IN

;; ANSWER SECTION:
86.204.197.203.sbl.spamhaus.org. 2H IN TXT "A href ="http://www.spamhaus.org/SBL/sbl.lasso?query=SBL1 0886"

* 2003-11-09 08:06:52 NYT Profiles Steve Linford & Spamhaus Project (articles,spam)

The New York Times Technology's Saul Hansell profiles Spamhaus Project founder Steve Linford, everyone's favorite houseboat-dwelling, anti-spam activist (Google). The longish article also neatly describes the history, issues and new directions spam is taking, and the tactics that spammers are using to limit Spamhaus's effectiveness. Linford is quoted as saying, 'E-mail is the most incredible communication vehicle invented, and it is on the verge of being made useless.' Let's hope he's wrong.

No complaints, just odd. Must be the X-Men bit.

I doubt that any progress will be made in fighting spam until Microsoft/Apple include authentication options in their default mail applications.

Unfortunately, authentication is unlikely to do much to stop spam unless people use it with a personal whitelist of permitted senders. It is currently straightforward to track a spam email (SpamCop can do this if you paste the email in with full header information) but nowadays it typically comes from a cable/DSL user whose machine has been hijacked.

Can anyone tell me how to query the Spamhaus block list (SBL) from a Linux command line? I tried to use the "dig" utility to do this ("dig @sbl.spamhaus.org suspectedspammer.com any") but it doesn't work.

I read the "how to use SBL page" (here) and I understand that I can set my MTA to use it to block spam. But I'd like to test it out a bit before putting it into production, and ideally I'd like to be able to use this in scripts.

steveha

To get kicked from Verio, you have to burn down a network center or something like this. About 500 mails from users to abuse@verio.net for one spamvertized website netmails.com and no action taken ==> They do nothing against spam. They tolerate spam.

Check for yourself: Verio's Listing .

I use blackholes.us to block (port 25) entire countries (cn, kr, tw) and ISPs (Verio, interbusiness.it...) that do not qualify (in my standards) for connecting to my mailserver.

NSG

Steve Linford of Spamhaus seems to think he knows who is behind the Fizzer/Sobig/Mimail attacks, and will be releasing the information in the near future.

In the article, he leads one to believe that Fizzer is still active in the wild. As a member of IRC Unity, the group founded to eradicate Fizzer, I have not seen a report of Fizzer in months.

If Steve Linford actually knows, he needs to contact Microsoft. The money would help him pay for the losses incurred by the DDoS attacks against Spamhaus.

But if Microsoft are going to take this approach, then what about extending it to spammers?

A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.Spamhaus.org. [...]

Spammers release virus to attack Spamhaus.org A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.Spamhaus.org. W32/Mimail-E is designed to infect millions of computers causing them to each begin making overwhelming amounts of bogus requests to Spamhaus.org's web server, to kill the server. The W32/Mimail-E virus is the latest in a string of trojan worms, including SoBig.E and the Fizzer (W32/Fizzer-A) worm, each one released by spammers for the purpose of creating a vast worldwide zombie network of spam-sending machines and building an attack network consiting of hundreds of thousands of virus-infected zombie machines with which the spammers then attack anti-spam organizations.

I've been having trouble getting into Spamhaus too. The spammers are up to something.

I think it really depends on how you spin it. It goes without saying that someone has to be making money from spam, and also that there are gullable fools who buy the stuff on offer. The problem is that many of the gullable fools are not the same ones that actually buy the porn and pills being peddled, but those that by the spamming services too.

The spam "business" seems to be constructed in several levels. At the top you have the metaspammers (see the ROKSO for a list) who don't really sell anything other than spamming tools and services. These guys are the ones raking in the bulk of the cash, and are probably the only ones with the werewithal and resources to run the global spamnets without getting nailed (so far). Underneath those is a mesh of "affliate programs" and small fry who do spam their own products and finally, at the bottom, are the dregs of humanity that actually buy the physical products.

The problem is, that everytime something like this comes up on Slashdot, Kuroshin, or even the "mainstream" TV and press media, there is a chance that someone has the following chain of "reasoning":

1. There is money to be made in spam.
2. Why shouldn't that be me?
3. How do I spam?

Good blacklists post evidence, and leave the decision to the receiver. If you want a reasonably conservative filter, I recommend using the Spamhaus SBL blacklist or shell out for Brightmail.

Here's a copy of the original lawsuit which was filed by the world's most incompetant lawer, Mark Felstein who was hired by a bunch of Boca Raton chickenboner spammer scumbags, under the auspices of this "emarketersamerica" front. A summary of the charges is here. You can also read the defendant's item-by-item reply to the original complaint. It's quite funny, actually, and reminds me of IBM's response to SCO's bullshit where they basically state that every allegation is false to fact, other than the obvious, such as "IBM sells computers".

Except in this case, the spammer plaintifs were so incompetant that they couldn't even formulate a single complaint that had any basis in law. They also tried to file a temporary restraining order against spamhaus, which the Florida judge basically laughed at. The suit was really just a big case of harassment, and a ploy to somehow reveal the identity of the anonymous party[1] behind SPEWS -- which is not Steve Linford or Spamhaus, as a lot of these slashdot stories seem to imply. Spamhaus was just one of about 13 various mirrors that distributed the SPEWS DNS blocklist.

You can find more details here.

[1]<cough>Terry H. Gilsenan aka "Posopis Menaga" (pidgin for "postmaster")

It's more difficult to persuade ISPs than you think. Plenty of major ISPs have "pink contracts" with spammers (including, often, those listed on ROKSO) or simply feign ignorance to the abuse taking place on their networks. That's why blocklists like SPEWS aim to deliver a direct economic hit to said ISPs by inconveniencing their non-spammer customers, forcing them to take their business elsewhere. The level of desperation involved in pursuing such an obvious collateral-damage approach shows just how resistant ISPs can be to curtailing abuse.

Unfortunatly China absolutely no problem hosting american spammers in their networks and allowing them to spew unlimited amounts of spam on the rest of the world..

If they can block everything incoming they don't like, why can't they block everything outspewing WE don't want?

...who have so many spammers that they're now in the SpamHaus database, and whose spammers have been joe-jobbing my domain (from numerous charter.com and charter.net connections) for the last month, and whose sysadmins competely ignore my complaints? Just checking...

I already had an idea quite like this after reading the story on that spammer from .nz who left the industry after getting harassed because his real identity was made public in some local newspaper... Set up some fund which will pay bounty for accurate and valid information on proven spammers, and set up a directory just like rokso at spamhaus.org. Dont really harass them, just give them the bad feeling that we know who they really are...

WCG.net, and told the tech support staff what had been happening. Within a few hours, Marin's account had been canceled.

Baloney! It is likely that they told Marin to change the domain name before Markley sues and WCG loses their big bonus blood money.

But WCG sounded sincerely surprised to find out the infamous Eddy Marin was one of their customers."

Rule #1! Williams Communications Group is notorious for continuously providing bandwidth to spammers with dirty /24s. Then they feign this concern by "shinning" on those who complain about their dubious customers. Why don't someone ask them about Wholesalebandwidth.com/Optigate?

Anyone who wants to know about Marin and his scum operation can see it on Spamhaus.org:
http://www.spamhaus.org/rokso/search.lasso?evidenc efile=1114

You can start with some of the addresses listed at the ROKSO.

The ratio of "collateral damage" to actual spams stopped is way too high

Hear, Hear. Effective blacklists with no practical collatarate damage actually exist, even if all the attention seems to gather around the overzealous(SPEWS) and stupid(AOL) blocklists.

dsbl.org open proxy/relay list, easy to get out once you fix the problem. very effective.
spamhaus.org lists IP addressess known to belong to spammers. Not as effective as dsbl, but a nice compliment in case spammer decides to send mail directly instead of raping a relay.

with those two, 60-80% of spam will stop at gates, so you will still need a content based filter for the rest.

-mlk

Supposedly there are about 150 spammers doing the majority of the world's spam. I can't believe they can keep the entire world from eventually picking up the pitchforks. I guess they think that in order to control a thing, you must annoy it repeatedly for years on end?

Oh well, they can join the rest of the asian spammers i've plonked at 202/8, 203/8, 210/7, 218/7, and 220/7. (Yes, i really do despise countries that dont care about their spam problems)

What, like the United States*?

Make sure you've got your own back covered before you start hurling your bigotry around. (Of course, I don't know if you are from the U.S., but if you're going to ignorantly lump all Asian countries into one big stereotype, I'll take my liberties and at least conclude that you are from the so-called western world, and that you are, as such, just as responsible for the U.S. administration as the people of Singapore are for that of China.)

That having been said, I know a lot of UCE originates from China, but with a population that's about one fifth of theirs and a GDP per capita more than eight freaking times of theirs, which country do you think is employing its resources least adequately?

*) Spamcop seems to have made a PC decision to stop compiling statistics by worst offending ISPs, but while they did, the two main culprits (and it doesn't look like that has changed) were consistently two *cough* Sprint large *cough* Bell South networks in the U.S.

Someone needs to read things more carefully. I strongly suggest anyone who believes the original Slashdot posting to go read this on SpamHaus. It's fine to post a story, but it's worse to publish the opposite of what it really says.

How about a restraining order on spammers where they are ordered not to ever touch a computer again. That's what they do to a lot of crackers.

Yeah, except that times have changed and it's increasingly necessary to touch a computer to perform basic tasks of living and working. I'm not talking about software engineering or other high-tech work; I'm talking about being a clerk at a convenience store.

Even the suspected author of one variant of the MS Blaster worm, Jeffrey Parson, was told by the judge that he could use the Internet to look for work. Judges are increasingly unwilling to place permanent draconian restrictions on computer criminals because that could leave them unemployable, and an unemployable person can be forced back into crime by that very fact.

I agree that aggressive, repeat spammers -- the sort that end up on the SpamHaus.org ROKSO (Register of Known Spam Operations) list -- deserve to be thrown permanently off the Internet. But maybe we should think of some more practical ways to deal with them?

Under the new law, companies will have to get permission from an individual before they can send them an e-mail or text message.

From 11 December it will be legal to send spam to the millions of hapless employees of British businesses (as long as each spammer gives each employee the opportunity to 'opt-out' of his individual spam campaign).

Why the law won't work

They're also hosting the annoyences messagemedia.com and linkexchange/listbuilder.

Oh, and skylist.net and lamailer.com.

Those are just the ones that have annoyed me.

For a most detailed listing of the spammers that are currently hosted by these fucktards, check here.

THIRTY-NINE fucking spammers CURRENTLY listed.

You're lucky you can talk to anyone. Forget SPEWS, you're in the damn SBL, dude.

Do we provide safe harbor to unrepentant criminals? Not in my house, and not on my internet!

Some greedy people disagree with you and will gladly take money from the spammers who are destroying your internet... My, here's a nice list of these sleazebags!!

I'd be interested in seeing the list of bulk friendly isp's :)

Try this: ISP list @

Do you host on, or downstream of, a major offender (maybe 10 or more SBL'd spammers)? Fight the anti-spam battle with your money - move to a "clean" provider!

Because spamming slime have no problem at all with forging anything they want. Without accountabillity, nothing changes.

Some common tricks spammers use:

Set up their own ISP, or buy one

Steal IP space from dead netblocks

Use your pc as a spamming zombie via virus, hacking, cracking, or because the PC isn't otherwise secure.

Dialup IPs

Dialup IPs with Janus connections (use a dialup IP and forge that IP in the highspeed line. When you get a kill on the source, you are only killing a dialup line.)

buy bulletproof connections from lazy/incompentant/bankrupt ISPs

From your description, your idea depends on the spammer telling the truth about himself. Rule 0. Spammers lie.
I see problems with AMTP too.

Spammers set up their own CA and fake being legitimte by selling to non-spammers too. The non-spammers become human shields.

A CA, even if it were 10,000.00USD, wouldn't stop them. They would happily spend that to get a 24 hour spam run.

Spammers already infest many ISPs that have a large group of legitimate users. If you cut that ISP off, you also cut off their legitimate users.

The only way I see being able to cut off spammers is whitelisting people you want to email and using challange/response to those not whitelisted. This doesn't require changing SMTP, CAs, or all the mail clients in the world, but it also doesn't make money for anyone, so it unlikely to see wide adoption in large ISPs.

As for using the law, the problem there is that over half the states already have laws against UBE, and the rate of spam keeps going up. How are you going to sue when the mail is sent from an open proxy in .BR, with a web server for payment in .CH, and the payment processor is in .RU, and the product is shipped out of .NZ?

Silly as this all seems, spamming is big bucks. Remove the money, remove the problem. But you can't do that by suing all over the globe. You will do that when you stop lying, stealing scum suckers from being able to contact anyone in the first place.

He obviously has more knowledge of blacklisting than you have. Or give us an EXAMPLE of spews blacklisting an subnet that isn't on a spemmer friendly ISP. And lumping every blacklist from spews to dsbl.org and spamhaus.org isn't very wise either.

Even spews doesn't just blaclist entire A/B subnets at glance, unless they obviously belong to a spammer. They start with single IP:s, and ONLY IF the spammer doesn't get kicked out, the block is gradually enlargened.

It's not blind logic either. Standard whois queries are used to check what IP block belong together and who owns them. If your ISP owns an /16 subclass and doesn't bother setting rwhois up to make people able to distinguish between IP's owned be legitimate companies and IP's owned by spammers, how can a blacklister know what IP's of /16 black belong to the spammer?

And while boasting spamassassin, remember that it uses blacklists as well. However, using blacklists on SMTP level seems to be the only way bring attention for the spamming problem for the ISP harboring spammers.

Personally, I don't use spews, but:
dsbl open relay, open proxy lists.
spamhaus sblIp network ranges belonging to spammers.

0 collateral damage so far. Other high-quality blacklists include:

spamcop dynamic and automatic blacklist that lists IP addresses only WHILE they are spamming.
njabl probably the best list overall, listing all of them: spammers, proxies, relays, dialups.

Ofcourse, many insist not using their ISP's smtp servers so dialup ip blocking is risky, and spamcop.net relies on users repoting spam so a group of clueless people may reuslt a wrong IP blacklisted, so the above two blacklists don't suit everyone..

Bill Rapanos
85 Thorncliffe Park Dr.
Toronto, ON
M4H1L6
416-467-6585
416-467-8986
express4676585@yahoo.com

Here is his reference on Spamhaus.

Including names and addresses. The list claims that these 200 spammers create 90% of the world's spam.

Have fun.

Bill Rapanos
85 Thorncliffe Park Dr.
Toronto, ON
M4H1L6
416-467-6585
416-467-8986
express4676585@yahoo.com

Here is his reference on Spamhaus.

Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down.

Bzzt. SPEWS has not been shut down. The DNS to their website is currently down due to the DDoS attacks, and in addition, one particular method of querying SPEWS (among others), i.e. relays.osirusoft.com, has been shut down.

The blocklist SPEWS itself is still operating and perfectly functional. There are plenty of other, still-functioning ways, of querying SPEWS. I won't post them here for obvious reasons, but anyone who is really interested can google for them in the appropriate newsgroups.

They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

On the contrary, they are very effective. They do exactly what they claim to do: list spam-supporting networks (not spammers), so that those who are so inclined can automatically refuse mail from them. They do so by choice; nobody is forcing them.

If they weren't effective at what they do, there wouldn't be so many spammers, spam supporters and clueless lusers bleating about how evil they are.

All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks.

ROTFLASTC. Would those include all the large ISPs cooperating in hosting the SBL, for instance? They have been under constant DDoS for months, and they aren't so much as slowed down. Osirusoft (which, again, is not SPEWS) was run off a DSL line by a single person and would have been relatively easy to shut down by the spammers or a pack of clueless luzer skript kiddies hired by them.

This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!

No: spammers, spam supporters, and clueless lusers want them destroyed. The very network itself wants spam destroyed. The blocklists are the network's immune system, and they're now gearing up for the real war on spam, which is only just getting started.

You thought SPEWS was evil? You ain't seen nothing yet. You can't stop mail admins from protecting their network against criminals. If SPEWS is shut down, multiple, much nastier sons-of-SPEWS will pop up everywhere, ones that probably won't have any way of getting out of them.

• Distributed Server Boycott List (list: list.dsbl.org)
• Open Relay Database list: relays.ordb.org
• Spamhaus Block List list: sbl.spamhaus.org

DSBL and ORDB list open relays. They have a clear (i.e. programmatically implementable) listing/de-listing process. Spamhaus actively investigates spam gangs. Their policy is not programmatically implementable, but it's pretty clear.

DSBL even has three flavors to choose from:

• list.dsbl.org "single-stage relays tested by trusted users"
• multihop.dsbl.org "the outputs of multihop relays, tested by trusted users"
• unconfirmed.dsbl.org "everything else, including tests done by anonymous users, people could potentially sign up their own ISP's mail server to this list"

I have a relatively small and spam-free system (only six domains, very few email addresses that are not publicly visible), so for the last 7529 emails (since I configured to use these RBLs) processed by Postfix the server has rejected:

• 103 via list.dsbl.org
• 1 via relays.ordb.org
• 8 via sbl.spamhaus.org

If you're griping about collateral damage, then don't choose a wanton list, and advise others not to use one. Just don't go maligning all RBLs like ignorami.