Domain: spamhaus.org
Stories and comments across the archive that link to spamhaus.org.
Comments · 861
-
Re:I can't disagree more
- On the other end, if many of those domains are in the Orbz [orbz.org] or other blacklists, maybe just using those would be better
Do the reading. Despite the shrieking tone of the article, what we are talking about here is Spamhaus blacklisting China Telecom, not "all Asian ISP's". That's the entire story. And Spamhaus themselves suggest that their list should be used in conjunction with an open relay list.
-
SHOCK! HORROR! journalism
- frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world [says Slashdot]
Bollocks, says anyone reading it with a critical eye. There are no references or sources for this sweeping "all Asian email" statement. The single reference is to Spamhaus which implements selective listing of domains that persistently generate or carry spam and decline to respond to spam reports. Most of their listed ISPs are currently US based. There is specific mention of two Chinese ISPs, and none from any other Asian nation.
To make a story out of this, you have to cite metrics. The fact that Spamhaus are currently blacklisting China Telecom no more proves that "the west" is blocking "the east" than a story about anyone temporarily blacklisting AOL (again) proves that there is some mass move to block "the west".
Without giving metrics, you're just providing anecdotes. Persuasive anecdotes, sure, that probably appeal to our personal experiences, but those are the most dangerous kind, because they stop you looking for the real story and asking the real questions.
The real question here isn't "Why do Spamhaus currently blacklist China Telecom?" but "Why don't Spamhaus currently blacklist Roadrunner?" or any of another half dozen ignorant ISPs that deny that they are injecting spam even in the face of unequivocal header evidence. Perhaps we in the "west" (sweeping-generalisations-r-us) could go about cleaning up our own house before we go gunning for those coming late to the party.
-
Re:Who are they?
> I've been wondering who the "known criminals" are for many years. If you know who these dastardly no-goods are, please respond to this message and put my mind at ease. Thank you.
ROKSO is your friend.
Poke around groups.google.com in news.admin.net-abuse.email.sightings or news.admin.net-abuse.email to find out who your pet spammer is. Learn.
Punch your pet spammer's name into ROKSO. Learn more.
Many of these individuals have prior convictions for fraud. Some may still be on probation. Why the FTC has ignored them for so long is utterly beyond me.
-
"These People"
www.spamhaus.org has a list of spammers and the ISPs supporting them. They also have some quite interesting articles on this topic.
-
Re:Spammers can try and get off blacklists too
These operations also get listed in other ways, too. The identity of their network generally gets discovered and places like spamhaus.org will list them.
-
It sure did for us
I consult with a small ISP in Kansas. We started using MAPS' DUL and RSS quite a while back (zone transfers). Then I added the ORSS (zone transfers) which also gave me SPEWS, Spamhaus Block List (SBL), and SpamSites.org. When MAPS went commercial, we bought zone transfer rights to the RSS and DUL. About that same time I also added RSL, Summit Blocking List (SBL), and FlowGoAway who doesn't have a website. On top of all that I also reject mail from domains that don't resolve and I maintain an extensive Sendmail access list full of Alan Ralsky's domains, spam supporting providers like Broadwing, spamware vendors, and domains and IPs of every spamming outfit I come across. In total I'm up to 4682 entries. Oh, and I also filter message bodies on certain content that identify unique pieces of spam like all those "Enter your email address on this website to be unsubscribed" things. Works great. This time last year I was filtering maybe 10,000 pieces of spam per week. I'm over 100,000 pieces of spam per week now. Considering we only have 2500 users, that's a lot of filtered spam. Roughly 40 per person per week.
What all of this rambling means is that you can filter out a great deal of spam with the right DNS blacklists. I only use DNSbl's that allow zone transfers because I don't want network latency to slow down mail delivery. It really is a worthwhile thing to do.
Finally the best thing that you can do for your users is educate them. Give them very clear examples of how doing simple things like giving your personal email to a credit card company, entering it in a guestbook, using it in USENET, using it on any public discussion board, and many more can increase their spam intake many fold. Explain that to them. Show them the proof. It's not hard to generate spam. Hell create a dummy account and make a few posts in the newsgroups. Never give the address to anyone else and don't use it yourself. Give it a week. Then show the results to your users as proof of USENET address harvesting.
Finally, don't be part of the problem (this is to the parent of the article). Be proactive in fighting spam. Sitting back and bitching about it doesn't help anyone. If you put up a server that's an open relay then you fucked up. It's your responsibility as an administrator to make sure you do your job right. Putting up an open relay isn't doing your job right (are you listening all of you damned Exchange admins?! 90% of the open relays I find and report are running Exchange!!!). When you get spam, report it (called LARTing). Drop a copy to uce@ftc.gov. Report stock spam to the SEC. Report bogus drug scams (loose 100lbs tonight while you sleep!) to the FDA. Report Nigerian Money scams to the Secret Service. Report the spamvertised sites to their providers and ask that they investigate (don't accuse in case it's a Joe Job). Parse through the headers and learn to identify relayed spam, BS headers, and other tricks of the trade. Submit open relays for listing in all the open relay blacklists. Report it to the owner of the IP as well. DO YOUR PART! If you're not going to do your part to fight spam or ensure that your servers are properly configured, THEN GET YOUR SERVERS AND YOUR ASS OFF THE 'NET BECAUSE YOU DON'T BELONG IN THIS COMMUNITY!! Don't be part of the problem.
-
Re:Slap on the Wrist
Ahh... well, I should probably add that Spamhaus also supplies the "Spamhaus Block List"... very similar to the RBL (just not in legal trouble, yet.) Not to mention their list of "kills."
-
Re:The FTC sucks at dealing with fax spam
> The FTC doesn't represent individual complainants in the way you would expect them to. There needs to be a FEDERAL case and as such this usually only happens with a substantial number of complaints across numerous states.
Then why not Alan Ralsky.
This pigfucker (my apologies for the insult to those of you who fuck pigs) has been going non-stop since 1997.
Typical modus operandi used to be dozens of dialups on sprint, uu.net, and dialinx (Genuity) in the Michigan area, and recent modus operandi has been to spam from dozens of dialups on att.net, uu.net, and Broadwing, in Dallas-Ft. Worth. (He may continue to reside in Michigan, dialing long-distance, or he may have moved to DFW. I dunno.)
But with a track record of spam several light years long, what appear to be prior convictions for bank fraud, involvement in (if not actual profit from) an operation to spam for bestiality pr0n, and continued spam for health products of questionable efficacy (e.g. his BerryTrim operation), what the fuck is the FTC waiting for?
More to the point, why the fuck is the FTC going after these two-bit chickenshit make-money-fast-fools, when they could be going after the big guns.
FTC: You reading this? You really wanna put a dent in spam? Take this bastard down. HARD.. NOW.
-
Re:Slap on the Wrist
Actually, we do have something very similar (sans fines), it's called Spamhaus. It collects evidence of spamming by companies, finds those companies that own those netblocks, and lists the top spam-friendly hosts in the ISP business.
Sitting at the top of the list is media3, which hosts 5 known spammers, has known about them for at least 2,163 operational days (operational days for all 5 spam sources), and acts covertly to support them. Their "score" is thus listed as 5*2163*4 = 42,720, nearly 8 times more than the closest spammers. If you want your spam to decrease significantly, you gotta take out those spammers at the top right at their source.
-Misch
-
DMA refuses to "get it"
This latest proposal, along with all the others from the DMA, is worthless. Firstly it's based on opt-out principles which just cannot work (why: read this). Secondly, there's nothing about WHO can opt out. Recalling SafeEPS vs. E-MPS, the former allowed entire domains to opt-out but the latter, promoted by the DMA themselves, did not allow for this. Many small domains have their mail exchangers set up to route all mail to "unknown" users to say, the postmaster and one can have an infinite number of unknown users.
Of course the DMA has one very good reason to continually promote opt-out: they fear that if they moved to opt-in that no-one would opt-in and they will go out of business (well, that's just too bad - no-one should be forced to read adverts they don't want). We can also note that Empire Towers, SAMCO, Alan Ralsky and all the other spammer scum listed at The Register of Known Spam Operations are of course members of the DMA and will follow its guidelines in full. Not.
-
Re:Put the ball in the court of the ISP
www.poxteam2001.com
Congratulations. You've met Alan Ralsky. Not one of the most prolific spammers, but definitely one of the most annoying ones.
His typical MO lately is to use asymmetrical routing, with his sites hosted on dialup connections. Through his own DNS servers which seemingly cannot be removed from the net, combined with joker.com not particularly caring that domain registration information is totally fraudulent, he's not going to be going anywhere anytime soon. The Registry of Known Spam Operators has more and more detailed info on him, including his various criminal convictions and civil judgements. This guy is a crook, flat-out.
-
Re:Somethi-N-g most forget
"Have a place to submit spam incidents, such as a web form. Then process them to look for patterns."
Have you ever tried to run more than a handful of LARTS through a web form? It's a nightmare. I have 1200 pieces of Broadwing.net spam that I need to LART tonight. I don't know how I'd LART all of them via a web form.
Patterns aren't something that the average Joe would pick up on anyhow. Few people noticed that recently more and more spam uses a spoofed From: in the form of BSUser@yourowndomain.tld. If they do want to look for patterns, they could easily view thousands of spam reports in news.admin.net-abuse.sightings. Numerous people post their spam to it.
"Provide separate zones for blocking sources of spam, and blocking web sites and ISPs where spammers might be hosting a web page. Not everyone wants to block the latter; I only want to block the source of spam."
Many DNS blacklist authors do just this. MAPS is a good example. You have the DUL which lists dial-up IPs only. The RSS which lists known && abused open relays. The RBL contains ISPs that are known to harbor spammers or at least be neutral to their abuse and ignore abuse complaints. The RBL+ is a combination of those 3. All 4 of those are their own zones. SPEWS lists /24's from which spam originates. Occasionally they'll even list a whole provider that harbors spammers or spamware sites, repeatedly lies to people that mail abuse@, or are known to bit bucket abuse complaints. relays.osirusoft.com hosts many lists. Individual queries can be made for any of the lists it hosts or you can transfer them all at once in a big zone file. relays.visi.com is the home of the RSL. It only lists open relays that have been abused, like the RSS and relays.osirusoft.com's base DNSbl. blackholes.2mbit.com is the home of the SBL (Summit Block List), not to be confused with the SBL (Spamhaus Block List) which is hosted by osirusoft. The Summit Block List contains abused open relays and hosts that have been directly involved in spamming. The Spamhaus Block List contains "known spammers, spam gangs, or spam support services" and is "by the same team that maintains the ROKSO database", a list of those spammers.
"Some anti-spammers are on a crusade to maximize collateral damage. I am not. I won't block a whole ISP because of a spammer unless that ISP is making it difficult to isolate and focus on the spammer."
In a small way I agree. I used to feel like you do now. I was very leery about blocking an entire ISP just because of the possibility of losing legit mail. I quickly came to realize that blocking just a small piece of that ISP that's known to spam wasn't solving the problem. They'd just move elsewhere within that ISP.
"If they corner the spammer operation to a specific static subnet, I'll gladly block that, and I'd want to use a DNS blacklist that is equally focused."
This doesn't accomplish anything in the long term and little in the short term. Sure you block some spam from a spammer for a couple of weeks but they'll quickly figure that out and move to another block. If the ISP facilitates their move then they are supporting spammers. It's an all or nothing deal. You can't have your cake and eat it too.
Personally I block entire ISPs myself, in my personal access lists that are independent of group maintained DNS blacklists, that are known to harbor spammers and ignore complaints. A perfect example of this is Broadwing.net. I have blacklisted every IP they have registered to them. That includes 3 /14's, a /24, and a /28. That's a lot of IPs. I have never seen anything but spam come directly from them. They harbor Alan Ralsky and many other well known spammers. They ignore spam complaints. They simply don't care. Whenever I LART their spam, I also LART their upstreams because I believe someone there will eventually notice. I know that no one at Broadwing will.
"Some of the anti-spammers are on the wrong crusade and not very many people will follow them."
This I have to strongly disagree with. I've been involved in protecting my resources from spam for some time now and have implemented many steps to prevent as much spam from entering my system as possible. I reject just under 1400 known spamming domains. I also reject all mail from a number of providers that harbor spammers as well. I utilize all the lists hosted by Osirusoft, relays.visi.com, blackholes.2mbit.com, and I'm in the process of resubscribing to the RSS and DUL. I even do some filtering on message content which has been incredibly successful. Last week I rejected almost 96,000 pieces of spam on one of my servers. That's pretty darn good. Of the 2400 users on this particular server, I've only had complaints from 3. 3 of them couldn't receive mail from a particular person on the 'Net that was being filtered by me. 1 was on an osirusoft list. 1 was attempting to send mail through their mailing list that's run by cybercon.com (a known spam supporter) and mail to subscribers on our end was bouncing. The other was a customer of a customer of Broadwing's. After explaining to them that we couldn't selectively allow mail to just them from the affected host and that we'd have to allow all mail to them unfiltered, they decided to suffer from more spam than miss out on their friend's email. One has changed his mind though. The rest seem to love it. The best advice I can say to you is to keep an open mind about these lists and what they do for us. Not every list is meant for all situations. I personally don't want to use the RBL. In the beginning I was leery about SPEWS. The rest I like. Join news.admin.net-abuse.email and keep up with some of the conversations of the anti-spammers that reside there. A plethora of information and insight can be had with them (I'm there too). Good luck!
-
Foreign spam removal
For the many /.ers who:
a. Use Outlook secretly
b. Receive loads of foreign spam
c. Don't know any foreign languages
d. Don't have any foreign friends
e. Don't have any friends
This Outlook rule is for you!
Apply this rule after the message arrives
with
Ô or ¾ or Ç or or É or ½ or Í or ò or Ë or ® or Ä or ã or Ï or Ö or Ô in the subject or body
delete it
and stop processing more rules.
This blocks 99% of foreign spam. Sue Mosher wrote about other effective methods for killing spam in Outlook. Finally, before you reply saying "You dummy, that filter works in any client!" -- You're right.
-
Have you looked at Hotmail's new spam filter?
Don't like Hotmail very much, but their spam filter rocks. 100% of spam is binned.
Today in my unused Hotmail box, I see:
Inbox 0 (0 new)
Junk Mail 189 (189 new)
Why? If you set the option, Hotmail excludes anyone not in your address book. In other words, anything _NOT_ sent to someone in your address book goes directly to the bin.
So unless you have simon.wong@bulkemail.ca in your address book, you should be spam-free.
------
Outlook 2002's new rules manager does the same thing. Does anyone know if Eudora, Calypso, or PINE can filter by excluding those not in your address book?
-
Re:what about joker
They are also the exclusive registrar of Alan Ralsky, a notorious spammer. An excellent method of blocking Ralsky spam is to declare that all joker.com domains are spamming domains. I've seen it done. If you use it and than it's highly likely that soon you'll come across someone that rejects your mail as spam. Then you'll become a casualty of war, an anti-spam war.
-
Re:Bull Shit! (Claims that UUNET Stops Spam Sites)
-
I'm not sure I trust Sprint with info like that
Looking over at Spamhaus, we find that Sprint is working hard to be in the top 3 spam-friendly ISPs, currently hosting 18 sites of known spammers and spam software and ignoring all complaints. If this is what their policy is on personal information, I don't think I want them to know where I am.
-
Top spam ISPs: UUnet, Qwest and Sprint. I hate you
http://www.spamhaus.org/top10.lasso
- Cybernet Business Professionals (hosted by UUNet)
- Qwest (qwest.net)
- Sprint (sprintlink.net)
Now that I know of your policies, I'll be making sure to take my business elsewhere in the future.
-
Got Spammers? Protect them? Bankruptcy results.
Rob? Better look for a new provider! Exodus has been a spamhaven for some time. Here's the scoop: Spamhaus.org ROKSO entry, with full list of spammers and their spam, replies, etc.
-
Re:Oh, great...
Maybe in this case the slashdot effect will do some good for the world....
One can hope. Until then, use the SBL to block them:
http://spamhaus.org/sbl
I've been dreaming about setting up an anti-spam program and service (free, I hope) that would use real-time reporting like MAPS/ORBS and user feedback like spamcop. The idea would be to keep a near-real-time updated list of regexes which match all the recent spams but are highly unlikely to match any normal emails.
I wonder if anyone else is doing this sort of real-time-regex list?
This seems to be close:
http://spews.org
BTW, ORBS is dead and MAPS now charges larger users. There are many free ORBS-like replacements.
/.!
-
Re:Does Monster Hut send spam?!
You ask:
Does Monster Hut send spam?!
I reply:
Beaverhome / MonsterHut / Neal Martin records from the ROKSO database at spamhaus.org
-
Re:Oh, great...
Or, have somebody who is NOT an ISP sponsor a big blacklist that all ISPs can contribute to and get the contents of if they so wish.
We have that. It's called spamhaus.org and the database of known spammers is called ROKSO
-
Re:Does Monster Hut send spam?!
MonsterHut (aka Beaverhome) has been a well-known spamhaus for at least a couple of years. For further information regarding this rotten outfit, take a look at this link on The Spamhaus Project's ROKSO database. Lots of good history there. Or simply search DejaGoogle on Beaverhome or Monsterhut.
Rich
-
Re:Actually this is a good thing...
I just got attempted mail delivery from Monsterhut on August 29. It was blocked because I already subscribe to a number of spam blocking zones. More info is available about why Monsterhut is blocked here.
As long as we can block spammers, we don't have to take it out on the ISPs. It's when the spam gets mixed up with legitimate mail (such as from an open relay where otherwise good mail comes from, or via a regular mail server relayed by their customers) that we need to complain directly to the hosting ISP.
Another approach is to complain to any businesses that appear to be customers of Monsterhut, such as Hertz, even if that company wasn't involved in spamming. Tell them (the customers) that because Monsterhut is spamming, any legitimate email promotions they might send out won't get through because everyone has Monsterhut blocked off.
-
Re:Jamie also part of blocked Peacefire.
Jamie, you most certainly DO have a conflict of interest which leads you to write slanted material bashing MAPS without questioning what Peacefire's Bennett Haselton tells you to say. Haselton jumped into a puddle so he could cry "Look everybody! Big bad brother pushed me into this puddle!".
Peacefire's host Media3 is the worst spam service host on the Internet (see: TOP 10 Spam Support ISPs), the net's worst stealth spam outfits are right there on Peacefire.org's server. Media3 is a spam support service that makes money supplying 'bullet-proof hosting' to stealth spam outfits and _refuse_ to stop doing so, that is why the server's IP space had to be placed on the RBL. It was placed on the RBL *two months* before Media3 moved Peacefire on it to place Peacefire (the "anti-blocking" site) in the line of fire.
I can assure you that Media3's owner (who is an old friend of Bennett Haselton in case you weren't aware) knew in March 2000 that the class C would be placed on the RBL because *I* told him and I also cc'd him a copy of the RBL nomination. That's *6* months before Peacefire was moved onto the already-blocked server. (Bennett even told you he knew the server was blocked because once they moved onto it they then had to find a way to send email out through a different server because that one was blocked.)
What you're trying to pass off as an "allegation" of Media3 moving Peacefire onto an already-RBL'd server is NOT an allegation but fact. It's also fact that Media3 took MAPS to court at the same time to get the server's IPs released from the RBL - and LOST - which made Media3's owner even more determined to get back at MAPS. Media3 used Peacefire as a pawn *with* Bennett's tacit help because Bennett saw a chance for press coverage for Peacefire. Each time Media3 loses a court case against MAPS a couple of days later Peacefire sends out a 'press release' deliberately misrepresenting the facts to suit Bennett's "I hate MAPS" agenda. An agenda of which you and Slashdot are an unwitting part thanks to the ease with which you write anything Bennett tells you to write without checking the facts.
Steve Linford
Director
The Spamhaus Project
http://www.spamhaus.org
-
Re:A bigger issue.
Hey, self regulation is fine until you're one of those people caught in the cross fire, right?
Peacefire wasn't caught in the cross fire, it moved into an IP range that was already blocked.
A quick glance at Steve Linford's www.spamhaus.org and Sapient Fridge's Spamware vendor list gave me:
209.211.253.68 www.extractor-pro98.com
209.211.253.69 www.list-sorcerer.com
209.211.253.70 www.massmailer.com
209.211.253.71 www.bulkemailpeople.com
209.211.253.73 www.e-mailblaster.com
209.211.253.74 www.marketingmasters.com
209.211.253.84 www.bulkers.net
209.211.253.88 www.bulkbarn.com
209.211.253.89 www.web-promotions.com
209.211.253.139 www.firstlinesoft.com
209.211.253.169 www.peacefire.org
209.211.253.248 www.bulk-isp.com / www.bulk-isp.net etcetera.
Not really a nice region, is it?
-
Re:Huh?
> it turns out it's just an advertisement for Adcops.com.
And who do we know from adcops.com?
Why, it's Maurice O'Bannon!
What does Maurice do for a living? Why, he's the Treasurer of Empire Towers!
And what does Empire Towers do? Why, they're a bunch of spammers!
What an amazing coincidence!
-
Re:Hit 'D'.
I learnt that the only thing to do was to hit 'D'. Call me a pessimist or a fatalist or whatever, but it really is the only solution.
This may work when spam is 10% of your mail. Is it a good solution when it's 50%? How about 90% of your mail?
I don't know about you folks, but about 90% of my paper mail is garbage (sorry, I mean "special offers"). Spam is orders of magnitude cheaper per recipient than snail mail, so there's no reason to expect the spammers to stop at 90%. And once your mailbox is 99% trash, you'll start getting 2 MB Flash advertisements in your inbox from marketroids who want to "cut through the clutter" that they themselves created.
The truth is that there is plenty you can do:
- Never buy from it - In getting rid of roaches, rule #1 is to remove their food source. Same thing here. Spammers only spam because they think it will profit them.
- Report it - I use SpamCop; it does 95% of the work.
- Automatically reject it - Tell your MTA to make use of the spammer blacklists at MAPS and elsewhere.
- Tell your friends - Most people don't realize that spammers inflate ISP fees and reduce service quality by clogging servers with garbage. Educate them!
- Tell your legislators - Some countries and US states have already outlawed spam. To help make this universal, you have to let your legal reps know how you feel. Check out The Coalition Against Unsolicited Commercial Email.
- Don't do business with spamhausen - Especially if you are a network admin, don't do businesses with companies that profit from spam. Check out spamhaus.org and spamsites.org for details. And make sure to let the sales droids know why you won't buy from 'em!
-
Could be, but is it?
more spam gets spewed through UUNET than from all the other Internet service providers combined
Gee, could this be because of the size of UUNet and its placement as a backbone provider?
This is doubtful. Sure, UUNET is big, but not that big. If I look at the hit logs from the (large, J.-Random-User-oriented) web sites that I have access to, spam from UUNET dialups is way out of proportion to the hits from them.
And that doesn't explain why UUNET is also such a popular place to host spammer sites. The more likely explanation is that fighting spam isn't a priority for them. In spam-fighting circles, they're not known as "Spew-U-NET" for nothing.
Go take a look at the stats at Spamcop or at Spamhaus and it's pretty obvious that some big vendors are much worse than others about spam.
-
They do not spam?
AboveNet is participating in a boycott of our ISP, organized by the Mail Abuse Prevention System, because of sites like http://209.211.253.69/ which sell mass email software (but does not spam or use spam for advertising).
Well, really? media3.net is the ISP in question. Have a look at Spamhaus. Who's at the top of the list? media3.net? gee...
-
They're blocking the ISP
As I've said elsewhere, MAPS started by blocking the spammer site. But it turns out that Media3 is the most spam-friendly ISP around. And as the article mentions, MAPS has been after Media3 for months with no results; they've even taken on new spam-friendly clients in that time.
What do you want MAPS to do? Blow kisses at Media3? Send 'em cookies and say pretty please?
As an RBL subscriber, I'm glad they list spam-friendly ISPs. And maybe Peacefire is an innocent bystander, although perhaps they stay there to make a political statement. If they truly didn't know what was coming, then they should yell at Media3, 'cause Media3 has known this was in the works for months.
But if you don't like it, don't subscribe to the RBL. The Internet I envision doesn't have spammers or their pals on it, and the RBL helps make that vision a reality.
-
Eh?
My recollection was that eBGP4 was the first format they offered it in; I have the notion that the DNS version came later. But either way, they've offered both for years.
In any case, using MAPS in this way is just plain wrong. I support only blackholing via mail, not anything else.
Well then you should certainly use it that way. I think it's probably right, and I hope you support my right to make my own ethical choices.
Here's why I think it's probably a good call by MAPS: Banning an entire spam-friendly ISP should be a solution of last resort, but MAPS has been after these people for six months to fix things. And still, they are listed as spamhaus's number one spam-friendly ISP. As an RBL subscriber, I fully support their action.
-
Peacefire is fine
I think Peacefire is fine, and I'm sure the people from MAPS like them, too.
But the point here is that the ISP has been spam friendly for ages, and they've been warned for at least six months. Despite that, they are still taking on new spam clients. And spamhaus.org considers them the biggest host of spam-friendly domains.
The ISP, as far as I'm concerned, is spam-friendly. And I don't want my boxes to talk to spam-friendly ISPs. If Peacefire chooses to use a spam-friendly ISP, that's their business, I'm not one to stop 'em.
Oh, you say they didn't choose? That they just didn't know? It's funny, isn't it, that Media3 didn't even warn their clients about a possible loss of connectivity to large parts of the Internet?
That's not the behavior of a reputable businessman; it's an ISP trying to shield its spammer clients by mixing in legit sites. The ISP has known this was coming for months; they should have warned their customers.
-
Spam is censorship
This article has made me realize that 'censorware' isn't actually a bad thing; as long as users are informed of the fact that it's being used (and what caused something to be listed).
I'm satisfied that MAPS exercises a lot of restraint when listing IP's; in fact, I would like MAPS to be much more aggressive at times. If MAPS didn't escalate to larger netblocks, companies like Media3 would only move their spammers' IP's around, and they would still be profiting from spam.
Yes, this causes collateral damage. In fact, it is intended to cause collateral damage; people like the owners of peacefire.org should be talking to Media3 about terminating spammers like the ones found at Media3's entry at the Spamhaus Project, all but one in the same netblock as peacefire.org.
Spam is censorship; it fills up mailboxes and causes legitimate email to bounce. It consumes network resources paid for by unwilling recipients; I think it is not acceptable to ask these recipients to eat their spam because peacefire.org doesn't want to move to a different hosting provider.
Have a look at the site that caused this netblock to be listed, and at Media3's Service Agreement. Media3 is obviously not willing to enforce that, so they themselves are supporting spam.
If MAPS' careful process of education, listing and escalation causes it to be in the same category as the censorware, then so be it. I use MAPS because it prevents my network connectivity from becoming prohibitively expensive; as long as I can do that, I can avoid going to places that use censorware to filter 'net access.
Goodbye, peacefire.org. See you when you've found another web host, or Media3 cleans up their act.
-
Re:I definately do not agree - (pro-MAPS)
"Just a correction, according to spamhaus media3 is hosting not 1 but 21 spam sites, the largest on the list, and considering media3 is a grand total of a few class C networks, thats a pretty high percentage of their customers being spammers."
Just some corrections of your correction. :)
1. The Spamhaus list is here.
2. Not a single one of the IP numbers listed there sends spam. Let me repeat that: you could drop every one of those IP numbers off your network and it would not stop a single piece of spam from reaching you. Those are websites. Spamhaus and MAPS don't like the products those websites are selling and that is why they (and over a thousand other websites) are blocked.
3. Media3 has 42 Class C blocks, which means that 0.2% of their IP numbers house websites which sell spam-friendly software (but, again, those IP numbers are not sending spam). I would not say 0.2% is a "high percentage."
The situation is analogous to a censorware company blackmailing a service provider into removing Holocaust-denial material, by blocking thousands of innocent websites. Now, I don't like Holocaust denial, but standing up for free speech means standing up for speech I don't believe in.
This situation is no different (except that, on my scale of evil, spammers aren't even close to those who want to rehabilitate Hitler).
Jamie McCarthy
-
Media3.net is Guilty as Sin
Check this out. Wow, I was thinking MAPS was being a bit strongarmed, but now I know how deep Media3 is in their own shit. I sincerely hope Qwest finds out about this, and puts some pressure on them. Unfortunately, I don't think that's likely.
--
-
It's the ISP
They are blocking the ISP, which has hosted a whole mess of spammers for at least six months.
The ISP is the one who is violating the "cooperative spirit that makes the Net work"; MAPS just lets us know who the bad guys are so we can block 'em if we choose.
Also, RBL is used in a backbone and those using it have no choice in the matter.
Many have made this claim; despite many requests, I still have seen no evidence. I say it's bunk.
-
Re:Sorry, Jamie, you are way off base
That's how MAPS should work, by blocking the bad stuff so that RBL users just don't see it. There isn't any need to punish innocent sites who happen to be on the same class C.
Wrong. Media3 is currently the number one ISP for live spam sites according to spamhaus.org. MAPS has been talking with these guys for months about their various spam-friendly activities. If an ISP keeps allowing spammers in, MAPS should block 'em.
If MAPS successfully got Media3 to shut down the spammer's site, then MAPS WOULD be dealing in censorship, wouldn't they?
These aren't just people who say that spam should be allowed. They are people who spam to draw traffic to their websites, people who sell spamming software, and people who provide spam-friendly hosts services.
If MAPS blocked people for advocating spam, like, say, the DMA, then they would be censoring. But they don't; they only block people who spam or those who help spammers. Their criterion is based on an activity, not an opinion. That's not censorship as far as I'm concerned.
In fact, MAPS even goes so far as to give links to its various opponents on its web site. Censors? I don't think so.
-