Slashdot Mirror

Indeed. It would also be nice if they would actually link to Spamhaus.org rather than just misspelling it. There was one bit near the end where it said that the spammer's business wasn't sending out spam because, for some unknown reason, people tended to associate spam with scum. I wonder why....

I personally use a large number of DNS blacklists. I call them from Sendmail and reject mail with them. Many people don't like DNSBLs; of course I believe these people are ignorany fools who couldn't admin a mail system if their life depended on it. That's ok. At the very least you should be able to use the DNSBLs that list open relays, open proxies, open SOCKS boxes, and vulnerable formmail.cgi web servers. We can surely all agree that you don't want your mail server talking to another mail server that's known to be vulnerable. Most of these specific lists require that an open * be abused before they list them. I'd also contend that we can all justify using Spamhaus's Spamhaus Block List (SBL). It lists known spammers and it very specific about it. You can block roughly 75% of spam with that list alone. Where you use these DNSBLs is up to you. Like I said above, I call all of mine straight from Sendmail. You can configure SpamAssassin to call these DNSBLs for you and assign a score you define. It's pretty easy. This way you can still use lists like SPEWS that rely on collateral damage to score mail but not outright block it. I use SPEWS and love it but it does block some legit mail by design. If you only score off of SPEWS you can minimize the FPs while still maximizing your spam filtering efforts. I am preparing to score foreign countries and RFC-Ignorant domains off of this as well.

I do not recommend you use the DCC. I highly recommend you use Razor which IMHO addresses the shortcomings in DCC. Submissions to Razor have to be confirmed unlike in the DCC. This way other people confirm that the message someone submits is actually spam and not JCPenny's spring mailing list. SpamAssassin can make these calls as well.

The mail system you're describing is going to be fairly large. This isn't something you want a single box handling. Ideally you'd put the spam and AV checks on a mailhub ahead of the actual MTA or cluster of MTAs. These boxes act as a spam firewall of sorts and takes the CPU intensive tasks you mentioned off of the actual mail server. I'm not actually using this type of setup myself but I will be eventually. There was a Slashdot article a while back about a setup roughly your size and what I guy did to make it work. It was quite a nice setup. I can't find the link now. IIRC, he scored mail and then sent probable spam via a seperate mail queue to a seperate spool for each user. Then using IMAP the user could check their probable spam for FPs. It was a nice setup.

You also mentioned Bayesian filtering. Let me make something very clear. Bayesian filters must be applied on a user by user basis. You can't simply enable Bayes for all 50,000 as one lump sum. It will never be able to learn what is an isn't spam that way. You have to let it learn on a user by users basis. The existing Bayes abilities within SpamAssassin don't work well (or at least easily) when SA is called from MIMEDefang. There are supposedly hacks for this but I have yet to see a working one. Along those same lines user-defined preferences also don't work well (or at least easily) fro

I personally use a large number of DNS blacklists. I call them from Sendmail and reject mail with them. Many people don't like DNSBLs; of course I believe these people are ignorany fools who couldn't admin a mail system if their life depended on it. That's ok. At the very least you should be able to use the DNSBLs that list open relays, open proxies, open SOCKS boxes, and vulnerable formmail.cgi web servers. We can surely all agree that you don't want your mail server talking to another mail server that's known to be vulnerable. Most of these specific lists require that an open * be abused before they list them. I'd also contend that we can all justify using Spamhaus's Spamhaus Block List (SBL). It lists known spammers and it very specific about it. You can block roughly 75% of spam with that list alone. Where you use these DNSBLs is up to you. Like I said above, I call all of mine straight from Sendmail. You can configure SpamAssassin to call these DNSBLs for you and assign a score you define. It's pretty easy. This way you can still use lists like SPEWS that rely on collateral damage to score mail but not outright block it. I use SPEWS and love it but it does block some legit mail by design. If you only score off of SPEWS you can minimize the FPs while still maximizing your spam filtering efforts. I am preparing to score foreign countries and RFC-Ignorant domains off of this as well.

I do not recommend you use the DCC. I highly recommend you use Razor which IMHO addresses the shortcomings in DCC. Submissions to Razor have to be confirmed unlike in the DCC. This way other people confirm that the message someone submits is actually spam and not JCPenny's spring mailing list. SpamAssassin can make these calls as well.

The mail system you're describing is going to be fairly large. This isn't something you want a single box handling. Ideally you'd put the spam and AV checks on a mailhub ahead of the actual MTA or cluster of MTAs. These boxes act as a spam firewall of sorts and takes the CPU intensive tasks you mentioned off of the actual mail server. I'm not actually using this type of setup myself but I will be eventually. There was a Slashdot article a while back about a setup roughly your size and what I guy did to make it work. It was quite a nice setup. I can't find the link now. IIRC, he scored mail and then sent probable spam via a seperate mail queue to a seperate spool for each user. Then using IMAP the user could check their probable spam for FPs. It was a nice setup.

You also mentioned Bayesian filtering. Let me make something very clear. Bayesian filters must be applied on a user by user basis. You can't simply enable Bayes for all 50,000 as one lump sum. It will never be able to learn what is an isn't spam that way. You have to let it learn on a user by users basis. The existing Bayes abilities within SpamAssassin don't work well (or at least easily) when SA is called from MIMEDefang. There are supposedly hacks for this but I have yet to see a working one. Along those same lines user-defined preferences also don't work well (or at least easily) fro

I'm wondering how does he size up against the "top 180 responsible for 90% of all spam". Apparently, he is not in the ROKSO list.

Hurricane Electric are possibly not the best of choices to use. They are, by repute, a big spam-friendly hosting outfit and appear to be widely blacklisted, SPEWS blacklist (NB: thats just one spews record that lists HE.net space) quite a bit of their space, the SBL has a few listings for them, they're also listed by blackhole.us.

So, when considering Hurricane.net bear in mind you may well have problems with email being rejected and even complete blackholing of connectivity to/from some sites.

>Techdirt, interestingly, took the contact info down because they feel that no one should get spammed.

Site which displays contact information and tracking stories/comments on spammers,
Spamhaus

A couple guys in australia are responsible for a huge amount of porno spam. Including the animal stuff...

Anti-spam activists go to a lot of trouble to help locate and identify people and groups responsible for flooding the net with spam (or who provide spamware to misinformed laypeople). These same good-doers are often sought out by spammers, sued by groups of them, have their privacy invaded (release of home phone, address) in effort to scare them into shutting up.

I am not kidding here. Take a look at some of the projects that scare the hell out of professional spammers:

spamhaus keeps an exhaustive list of major spam operations.

SPEWS lists areas of the Internet that have frequently be used for spamming, including detailed evidence files and histories of ISPs that turn a blind eye to spam.

Spamware vendor list has a listing of sites that sell spamming software -- without which we would have little or no spam.

That's ROKSO, the Spamhaus Project's Register Of Known Spam Operations (ROKSO) Database. More people watch TV than Spamhaus, but at least the ROKSO people do some research and try harder to be "Fair and Balanced" ...

The spamhaus.org folks have had a file on him for some time; he's been in the ROKSO (Register of Known Spam Operations) since late last year. Here's his master record.

Alan Ralsky aliases and addresses.

Seems like his "real" address is:
Alan Murray Ralsky
6747 Minnow Pond Dr,
West Bloomfield,
MI 48322
Telephone: 248-926-0688
Current email address: amr777@comcast.net

I had to use AOL to check my e-mail when I was over a friend's house once and holy sheep shit batman. Right when you log on you get assaulted with tons of banner ad spam. AOL just wants an exclusive market for their spam instead of sharing it.

Please keep your terminology straight. Spam is unsolicited bulk e-mail sent postage due. Annoying as they are, banner ads are not spam any more than commercial breaks on television. Not only are they not e-mail but they are actually paid for by the advertisers and you are soliciting them by logging on to the AOL service that includes these ads, i.e. you have the option not to do so, just as you can turn off your TV.

Comparing spam to banner ads confuses the issue by making spam seem more legitimate than it really is. It cannot be repeated enough: spam is theft of service, parasitic traffic living off of bandwidth and manhours paid for by others. This is the message that needs to be hammered into those that matter in the grand scheme of things, so that the appropriate laws get passed to throw the perpetrators in jail where they belong.

So where is Sanford Wallace these days?

According to this article, he now runs a non-spam autoresponder service. But there are a good 150 hardcore spammers who took his place.

It's been stated that Linford said "14" spammers in Boca, but the reporter heard it wrong.

That being said, the way they seem to breed sleazebags down there, 40 will be here within a year.

ps. Hello Boca scum Eddy & Kim Marin - why not quit the spam biz and get back to selling cocaine and whoring^H^H^H^H^Hexotic dancing - two vastly more honest professions?

.... is the profile of the average spammer. Most of my spam is poorly spelled and frequently points to sites that don't have anything to sell. My suspicion, and I have no way of verifying it, is that most of these messages are sent by people who get suckered into a "Make Money From Home!" offer, send a few messages to a giant list of addresses, and then give up when they're not living in MC Hammer's mansion by the end of the week. Does anyone know who the average spammer is?

At Spamhaus they know. Not only does Spamhaus run the SBL, the most widely used blocklist of spam sources in existence, they also run ROKSO, the block-on-sight public database of notorious spam gangs. This database is used by many ISPs for background checks when signing up clients. It's also used by the FTC and state Attorney General offices.

According to Steve Linford, head of the Spamhaus team, 90% of the spam originating from America is sent by some 150 top spammers. If these were eliminated, our spam problem would virtually vanish overnight. This seems to contradict your suspicion that most spam is sent by suckers. In reality it's a small number of committed criminals that send most of it, and you can see all the publically available data on them at ROKSO. Go check it out - very educational indeed. So are many of Steve Linford's postings in news.admin.net-abuse.e-mail.

.... is the profile of the average spammer. Most of my spam is poorly spelled and frequently points to sites that don't have anything to sell. My suspicion, and I have no way of verifying it, is that most of these messages are sent by people who get suckered into a "Make Money From Home!" offer, send a few messages to a giant list of addresses, and then give up when they're not living in MC Hammer's mansion by the end of the week. Does anyone know who the average spammer is?

At Spamhaus they know. Not only does Spamhaus run the SBL, the most widely used blocklist of spam sources in existence, they also run ROKSO, the block-on-sight public database of notorious spam gangs. This database is used by many ISPs for background checks when signing up clients. It's also used by the FTC and state Attorney General offices.

According to Steve Linford, head of the Spamhaus team, 90% of the spam originating from America is sent by some 150 top spammers. If these were eliminated, our spam problem would virtually vanish overnight. This seems to contradict your suspicion that most spam is sent by suckers. In reality it's a small number of committed criminals that send most of it, and you can see all the publically available data on them at ROKSO. Go check it out - very educational indeed. So are many of Steve Linford's postings in news.admin.net-abuse.e-mail.

.... is the profile of the average spammer. Most of my spam is poorly spelled and frequently points to sites that don't have anything to sell. My suspicion, and I have no way of verifying it, is that most of these messages are sent by people who get suckered into a "Make Money From Home!" offer, send a few messages to a giant list of addresses, and then give up when they're not living in MC Hammer's mansion by the end of the week. Does anyone know who the average spammer is?

At Spamhaus they know. Not only does Spamhaus run the SBL, the most widely used blocklist of spam sources in existence, they also run ROKSO, the block-on-sight public database of notorious spam gangs. This database is used by many ISPs for background checks when signing up clients. It's also used by the FTC and state Attorney General offices.

According to Steve Linford, head of the Spamhaus team, 90% of the spam originating from America is sent by some 150 top spammers. If these were eliminated, our spam problem would virtually vanish overnight. This seems to contradict your suspicion that most spam is sent by suckers. In reality it's a small number of committed criminals that send most of it, and you can see all the publically available data on them at ROKSO. Go check it out - very educational indeed. So are many of Steve Linford's postings in news.admin.net-abuse.e-mail.

I haven't sued any spammers...yet.

If the spammer is stupid, they will put personal information (company phone/address, etc) in the email or in the domain registrations. You can also link things together by looking at informtion contained in places like SpamHaus and the various block lists. You can also call/email posing as a potential customer to get data. Company information can often be researched through state/county/city clerks offices (sometimes over the net).

I'm not sure how the process works exactly (any law-talking-folks want to jump in?), but I think once you have a lawsuit filed, you can use subpoenas to get info from ISPs, domain regsitrars, etc.

Here's a site that has some good info for WA specifically from somebody who has done this successfully. If this bill is signed, then some of the focus on small claims court will be unnecessary, but there's still good stuff here.

Zen and the Art of Small Claims

What use is the ability to sue spammers when you dont know who they are or where they live. Sure, The Spamhaus ROSKO Project will give some details on the big players, but chances are they already have their operation sorted out 'legally' offshore already.

Especially in light of the fact that probably 99 percent of everyone who uses email doesnt give a shit about spam.

If that's so, then why are the major consumer ISPs currently in an advertising battle over who has the best spam filtering? I can't hardly turn on the television these days without seeing an ad from AOL, Earthlink, or MSN touting "now with better spam blocking!" or "protects your kids' email from porn spam!" The one with the butterfly dumping the spammers down the hole is kind of funny, no?

The fact that the majors are advertising spam filtering to the general public indicates to me that they perceive a demand. My guess is that their tech support staff went to the bosses and said, "You know, we're sick of Mabel Homemaker ringing us up and bitching us out about the Russian teen porn spam her husband and kids get. If the mail admins would start using SBL, we could play more Quake -- I mean, handle more important calls."

Here's what I presume to be home address of the spammer named in the article.

ABUSERS: C. Fielding Childs
cf_childs@yahoo.com
Bulker's Paradise
4132 Pompton Ct.
Dayton, Ohio 45405
FAX: (937) 275-3741

ALSO: Charles Fielding Childs, Jr.
"MAIL ORDER ALLIED COMPANY"
2936 Melbourne Ave.
Dayton, OH 45417

"Many spammers have become so adept at masking their tracks that they are rarely found. They are so technologically sophisticated that they adjust their systems on the fly to counter special filters and other barriers thrown up against them. They can even electronically commandeer unprotected computers, turning them into spam-launching weapons of mass production."

According to the folks at SpamHaus, spammers are not only identifiable, they are typically part of well known spam gangs whose numbers seem not all that large. Responsible ISPs boot such individuals from their services. It is enlightening to see which ISPs are not so responsive.

As to point two. In order to combat those who "Joe Job" or use relay servers to spam, we really do need to apply existing law or adopt new laws to address this type of behavior. Spammers who highjack servers should face serious legal consequences. When spammers choose these types of methods to spam, what they are really doing is simply stealing. Our response to such behavior should be to invoke the normal consequences associated with theft.

Because of the current economic climate, state coffers are down around the country. Savvy lawmakers should begin looking in their own inimitable ways (read: fines levied), how their own states can "make millions from bulk email".

From what I take from all this discussion is that the only "solution" to spam is to do the types of things that we have been doing for years, but to do more of it and quicker. Use well run DNS blacklists (Spamhaus SBL, ordb, dsbl, etc.), use good content filters (bayesian filters, etc.), use bulk mail detectors such as DCC or vipul's razor, etc.) and per-user whitelists and blacklists.

Or, combine all of the above techniques by using SpamAssassin

--

I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.

The most interesting discussions that I've seen so far are:

• Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later. This is completely backwards compatible and doesn't require end users to do anything.

  Most spam specific programs will not queue and retry, and thus the spam will be dropped.

  Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.

  Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.

  Apparently the "canit" program already does this, but I had not heard of this technique before.

• Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server.

  If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.

  Also, false positives will recieve a bounce message instead of just disappearing. This reduces the danger of important email being lost.

• There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.

  Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and recieving email. There are currently no DNS records to tell you which tell you which IP addresses a domain will send email from.

  The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.

To wit:

I've said this before and I'll say it again, the first place is to rewrite RFC-821 and require valid reverse-name lookups before accepting mail.

No "rewrite" of any RFC is required to achieve this, as in fact many sites already do this. As a result, spammers now almost universally forge valid domains (and even valid usernames) in their spams, causing those innocent third parties to receive all the bounces. This has made matters worse, not better.

Incidentally, RFC 821 has been obsolete for some time. The current SMTP specification is RFC 2821.

Also permit as an authentication scheme that allows the administrator of the accepting mail system to set permissable trust levels. Example, mail that's verified (through an SSL certificate might be one way) as coming from gm.com is accepted, but mail coming from slashdot.org is set to a lower trust level (because they don't want to spend the money for a certificate). Mail from getyerviagra.com is immediately tossed into a review folder, trashed or denied because they don't reverse properly and they have a forged or self-signed certificate or simply don't have one.

What a nonsensical idea. It'd be a real boon for the spammers, though. This is like buying protection from the mafia. The spammers will buy their certificates and keep on spamming in the assurance their spam will be assigned a high "trust" level; the common man with his own home mail server will not be able to send mail to his friends without it getting trashed because he cannot/won't afford the certificate. Not only that, it allows the spammers to keep sending their spam. They don't care if it gets trashed - in fact, the spamming scumbags will always find enough suckers ready to respond to their bait, so they love it if people "just hit delete" instead of hunting them down and busting their asses, and your plan is simply an automated "just hit delete" scheme. This plan will thus only serve to legitimize spamming as well as increasing corporatization of the internet.

I happen to run a set of support/discussion mailing lists for people with a certain neurological handicap. I run my own mail server because I refuse to compromise my member's privacy to an ad-supported certified spamhaus such as Yahoo Groups. Under your plan I could forget about running my lists my way. Non-commercial discussion lists would cease to exist.

The LAST thing anyone here wants is ANY government telling us how to manage electronic mail. In the US, it'll be frought with hooks and back-doors so the feds can snoop your mail.

Hello? What planet did you just arrive from? On mine, the feds (and their equivalents in other countries) have been snooping mail for a long time. Do you really think any solution for spam would change that one way or the other? Or are you just spouting the usual slashbot anti-government drivel?

You might as well say that burglary should not be combatted by the government because you wouldn't want the government to tell you how to manage the locks on your front door. It'd make about as much sense.

Spam is a social problem, not a technical one. Real technical solutions nonetheless already exist and are pretty bloody effective for those who care to actually use them properly. That's because, rather than just deleting the spam, they prevent it from arriving into your system in the first place, and provide social pressure to internet providers to kick off their spammers. Without DNS-based blocklists, spam volume would have been growing several orders of magnitude faster than it has been.

• Bayesian filtering blacklisting: this are local measures, this affects you only, and the others that takes them
• artificial bandwidth scarcity: at the best, it can take out your users from spammers users list, at the worst, they will not care (for the ones that use open relays, i.e.). Still, will be a local measure.
• aggressive collection of fines: the $500 one? anyway, means legislation.
• targeting of domains that are advertised: how? enforcing ISP policies about spam? and what if the ISP (from Verio to most in .cn) is spam friendly or doesn't care? That also could mean legislation.

Having legislation and expanding them worldwide in some way is more like a cure than technical measures (is expressely prohibited, not that some hackers do this to limit my rights).

You can have local technical measures, but this is not guarantee that the spammers don't find a way to bypass them (i.e. most of spam that reach me by now have modified words to bypass bayesian filters, like v*i*a*g*r*a, V1AGRA or embedded html comments, fortunatelly popfile also have workarounds for most of this). Having a good percent of domains that implement that measures will be bad for spammers, of course, but there still a long way to go before this is reached.

The quickest way is probably to use SpamHaus.org. Go to the site, click on "SBL" at the top and enter the IP address where the spam originated from the the SMTP headers in the appropriate query box. If they've an entry for the IP then they'll probably have all the contact information on the spammer you could possibly need, and if they have a ROKSO (Registry of Known Spam Operators) record as well then that may also include the name of his dog (I kid you not!)

Did he at least use Linux to send out the spam? Come on, give us some reason to care about this article.

Well, some of the computers he hijacked to send his spam though were running Linux, does that count?

Lock down your open realys and proxies folks, criminals like Meltzer don't play nice!

One more, though I know it's lame to reply to myself _twice_... Here he is on SPEWS.

Conclusion: he's a spammer, he goes in for the pump-n-dump game, he makes death threats to the families of anti-spammers, he is in fact well in contention for Biggest Douche in the Universe.

Holy... sh...!!!

"Contention for?!" I say give thim the Biggest Douche in the Universe prize right now!!

See what Spamhaus has on him?!

And he works with my spamming "mate" Aussie spammer Dean Westbury?!

I want to be there when this loser picks up the award!!

One more, though I know it's lame to reply to myself _twice_... Here he is on SPEWS.

Conclusion: he's a spammer, he goes in for the pump-n-dump game, he makes death threats to the families of anti-spammers, he is in fact well in contention for Biggest Douche in the Universe.

Holy... sh...!!!

"Contention for?!" I say give thim the Biggest Douche in the Universe prize right now!!

See what Spamhaus has on him?!

And he works with my spamming "mate" Aussie spammer Dean Westbury?!

I want to be there when this loser picks up the award!!

Here is the record of nanae discussions involving him. Here he is on ROKSO, the spamhaus.org register of known spam operations. The long-running pump-n-dump spammer. He finally got nailed, eh? Good! And we've already done Ralsky. Now for the diploma guy...

various references for your amusement:

http://www.wired.com/news/infostructure/0,1377,571 32,00.html

http://www.spamhaus.org/newsdog.lasso?article=114

http://www.unicom.com/chrome/a/000032.html

the last one is of particular interest because it claims that Hotmail doesn't seem to do anything about these dictionary attacks:

They have discovered that MSN/Hotmail seems to allow spammers to run long-lived dictionary attacks, in one case extending over five months in duration.

as for software capable of launching this type of attack - there are already programs which exist for launching these attacks against authentication systems. those written in scripting languages (many of them are written in perl) are easily altered to attack a mail server.

I read the article and was glad that you made it clear how expensive (time+money) spam is to society.

Further, I thought you might find it interesting/ironic that, just shortly before your article appeared online, I was spammed by .. the NY Times! And, they do not deny it:

"This e-mail was sent to you on behalf of the New York Times newspaper by a third party, which obtained your address through an opt-in list of addresses.

In any event, we have contacted our colleagues at the newspaper and they are placing your e-mail address
on their Do Not Send list."

(my italics)

The "third party" used by the Times is a subsidiary of Scott Hirsch's edata.com spam dynasty. For further reading about Hirsch & co.

Anyhow, the net result will be useless overhead for sending e-mail, and the creation of a new industry in postage minting hardware.

The only solution to this problem is legal. Spammers must make money to support their spam. Track the money, and you find the perpetrator. If what he has done is illegal, fine him into bankruptcy, confiscate the homestead under the RICO act, and send the guy who sent the mail to jail for a couple years. If it's a corporation covering for someone living overseas, fine the company into bankruptcy. That will remove the profit motive.

Spam isn't like drug dealing. The victim isn't complicit with the crime. It won't be a hard crime to prosecute. According to this FAQ about the ROKSO, it's likely that fewer than 150 people and organizations account for 90% of the spam we get, and we know who they are. Let's get some laws in place so we can do something about them.

About 2 seconds? And how will you sue them? Which court? And if you win, how do you get the assets of a company run by some chickenboner that hijacked said insecure proxy and left no logs?

Nope. This bill will be part of the problem. False sense of security and a target for those that oppose The Lumber Cartel (tinlc).

Owner Name : RALSKY ALAN M
Latitude : 42.5460
Longitude : 83.4284
Taxpayer Addr.: 6747 MINNOW POND DR
City/State/zip: W BLOOMFIELD MI 48322-2663
Census Tract: 1566.00

more info here

I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays

It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.

For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.

There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.

You semiaddress the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until affectively revealed by dropped emails.

I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?

If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.

If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.

Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.

As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.

Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.

Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.

I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.

Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?

Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.

Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.

The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.

It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)

It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.

Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering ... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.

If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.

Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

In short, nobody would slow down the spammers and our inboxes would be flooded by spam, even if the filters were 99% effective.

The only way to reduce the amount of spam you receive is by reducing the amount of spam being sent.

Personally I use the SBL and DSBL lists to block mail from known spammers, their supporters and open relays and open proxies.

Email is protected speech. There is a fundamental free speech right to be able to send and receive messages, regardless of medium.

Having said that, I think it would be good if every user could choose for him/herself the filters used on his/her mailbox. If only because the users are likely to choose much more agressive filtering than ISPs could ever setup by default.

Verio's been hosting spammers and spamvertized web sites for so bloody long that it's going to take a miracle to un-tarnish their rep in the eyes of Lord only knows how many SysAdmins (myself included!)

This is just a small sample. No fewer than 43 known (and sometimes infamous) spammers hosted by Verio. Need I say more?

They block IPs based soley on the fact your upstream provider hosts or has hosted in the past, someone the SPEWS "admins" (and I use that term losely) believe to be spammers.

MrDingusMcGee responded:

As a sysadmin for an ISP I can assure you that this is absolutely the case. There is no human contact at Spews, the entire system is automated.

This is simply false. Of course there are humans behind SPEWS. Do you seriously think that the SPEWS record (S716) your ISP (Netsville) is covered by was written by a bot?

Of course SPEWS are going to automate what processes they can. But they can't automate everything. Most especially not the bit where they read posts to nanae and sometimes act on them.

A hosting provider should be responsible for the domains they host. But there is rarely anything a provider can do to pre-emptively stop a spammer.

There are certainly some things you can do. Ask potential clients about their 'net history before signing them up. Ask some minimally intrusive questions about the nature of their business. Ask why they left their last provider. Do a search for their domain name on news.admin.net-abuse.sightings and/or nana.email. Do a search for their company name - and their company director's names - on ROKSO. Do a search on SPEWS or the Spamhaus Block List or Spamcop for whatever IPs they might previously have used.

Very few spammers will stand up under even minimal investigation like that, which takes only a few minutes. This is basic stuff which any hosting provider should conscientiously do before taking on new clients, in the interests of their current clients!

Just recently, my company signed up a new company for Co-Location.

You signed up hotticker.com.

Another thing I forgot to mention above. You should really have a look at the domain name your client-to-be uses. You can often spot a disreputable business just from the domain name.

Within a week, this company sent out a huge spam mailing. The moment we saw spam complaints come in we called the company and demanded proof that their mailing list consisted solely of opt-in addresses. They had no proof and their contract was immediately terminated for violating our Acceptable Use Policy.

Immediately terminated???

How long exactly did it take from the time the first complaints hit your mailserver for you to realise hotticker was responsible, call and ask them for evidence about their mailing list, wait for their response, deem their response nowhere near good enough and then pull the plug? If it was less than 24 hours then I might agree that having your /24 listed is perhaps a tad harsh. But I suspect it was in fact much longer than that, perhaps as much as a week or more.

I notice on your SPEWS record that your /24 has been downgraded to level 2. Your three webhosting machines (io, colossus and jupiter) are still at level 1, but any mail they want to send can be smarthosted through your level-2'd mailserver.

Apparently this company had, in the past, under a different name, been blacklisted as a spammer. We were now added to the list of their hosting providers and could not, despite our best effort, contact a single human at SPEWS to explain our situation.

Erm... just what would you have said? "Please take us off your damn blocklist, we've terminated the spammer we signed up and we promise to be more careful in future." SPEWS' generic response would be "Once we can tell you're not providing any more services to $SPAMMER - which may take a little time - we'll downgrade you to level 2, where you'll stay for six months or so, then you'll be removed entirely. And yes, you bloody well should be more careful." This is covered in the SPEWS FAQ.

I ask you, how does that make the internet a better place?

Hopefully it teaches ISPs like yours to be more careful about who it signs up as clients. I imagine that in a year or two it will be considered common practise for ISPs to go through a similar process with new clients as landlords do with potential new tenants. A bad client can easily do as much damage to an ISP as a bad tenant can to a landlord.

Pete.

On second thought, perhaps "package" isn't the best choice of words.. but anyway -

SpamAssassin uses Perl, which adds a couple megs of overhead to the connection. Most spammers slam a server with a billion connections, so Theo's package would be more efficient - it's very small and has low overhead.

I've heard various horror stories about SPEWS though -- mostly about them being indiscriminate when blacklisting whole subnets.. so although I won't be using this tool myself, I'm sure some people will find it useful.

If you haven't already heard...

Taken from http://www.spamhaus.org

found here

Alan M. Ralsky
Telephone: 248-926-0688
Current email address: amr777@comcast.net

Address : 6747 MINNOW POND DR Property ID: 18-31-177-002
City/State/Zip: W BLOOMFIELD MI 48322-2663

Owner Name : RALSKY ALAN M Latitude : 42.5460
Taxpayer Addr.: 6747 MINNOW POND DR Longitude : 83.4284
City/State/zip: W BLOOMFIELD MI 48322-2663 Census Tract: 1566.00
Block Group : 9
City/Vill/Twn : WEST BLOOMFIELD
Subdivision : BLOOMFIELD PINES SUB NO 2
School Dist : WALLED LAKE CONSOLIDATED SCHOOLS
Prop Category : RESIDENTIAL
Land Use : SI SUBURBAN IMPROVED, TOWNSHIP ONLY

I wonder if somebody could come up with a program or something that would just send spam sent from his server directly back (except repeated 100 times, like those oh so annoying repeat spams) so it overloads it... Oh that would be beautiful...

I wonder if somebody could come up with a program or something that would just send spam sent from his server directly back (except repeated 100 times, like those oh so annoying repeat spams) so it overloads it... Oh that would be beautiful...

I wonder if somebody could come up with a program or something that would just send spam sent from his server directly back (except repeated 100 times, like those oh so annoying repeat spams) so it overloads it... Oh that would be beautiful...

Send him a nice hand written note

A better idea if everybody send him an invoice for mail server usage and bandwidth, keep it reasonable amount, and when he does not pay register a bad debt against him. This could work best if done out of his juridiction.

Right here

Rackspace is horrible! I will no longer recommend them to people as they do nothing to stop the number of spammers they host.

Over 10% of the spam received by my company is from someone hosted at Rackspace. I have sent numerous messages to abuse@rackspace.com over the past month with no response.

It appears, I'm not the only one suffering from this (search the net-abuse ng's).

Do not support spammers. Do not support Rackspace!

Here are the current spammers at Rackspace: http://www.spamhaus.org/sbl/listings.lasso?isp=rac kspace.com.

There's one little thing about Rackspace that they, of course, neglect to tell you; They're a spammer nest.

Rackspace has a long history of being apathetic at best to spamvertized sites, despite their anti-spam Terms of Service. As of 3-Dec-02, they're still hosting at least 20 or so spammers, and chunks of their netspace may still be listed on SPEWS.

Cheap or not, good customer service or not, I would be very wary about selecting Rackspace for any sort of hosting.

OK, so when are you going to disconnect these spammers? Two of them were just added to the SBL this past Tuesday (December 3), when will they be disconnected and what will you do to ensure they don't come back?

Is it me, or does it seem that most spam pieces slant toward the "pro-business" aspects of it, and take everything they say at face value.

If a journalist wants to show spammers for what they are, just ask: "Do you relay your mail off of unauthorized open mail servers?" According to Ralsky's record on Spamhaus, he does, or did.

On Aug. 15, Ralsky was interviewed on NPR. It was the typical pary line, about how it's not illegal, and they don't send porn, and they honor removes, etc., all very cheerful. But, once, she asked whether he used "blind relays"....

Quietly, he answered, "I won't make a comment on that." I wish she would have elaborated on it, because most of the listeners wouldn't have understood that this means hijacking open mail servers, which is generally considered theft of service.