Domain: spamhaus.org
Stories and comments across the archive that link to spamhaus.org.
Comments · 861
-
Re:Spamhaus jumping to conclusions?
Well I would still rather use one of the other mirrors than one from these guys: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL68370
-
Re:AnonOps part of the problem, not the solution
Seriously, Spamhaus is under DDoS and we slashdot it too?
Take a chill pill, bro, please: it is worth noting this:
Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.
-
Re:As if a DDoS wasn't enough...
Was it really a good idea to post that link on slashdot - to a DDoS:ed site?
In general, no. However in this case, it is worth noting this:
Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.
-
Spamhaus announcement
In the case of it getting /.'ed or DOS'd (like TFA link to nanozen.info)
Wikileaks Mirror Malware Warning
2010-12-14 17:00 GMT, by Quentin Jenkins
On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a 3rd party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals.
Important: this warning is issued only for wikileaks.INFO, NOT Wikileaks itself or any other Wikileaks site. Wikileaks.info is NOT connected with Julian Assange or the Wikileaks organization. For a list of real Wikileaks mirror sites please go to wikileaks.ch
The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities. These include routing traffic for Russian cybercriminals who use malware to infect the computers of thousands of Russian citizens.
The fact that recently some unknown person or persons decided to put a Wikileaks mirror on Webalta IP address 92.241.190.202 should raise an alarm; how was it placed there and by whom. Our concern is that any Wikileaks archive posted on a site that is hosted in Webalta space might be infected with malware. Since the main wikileaks.org website now transparently redirects visitors to mirror.wikileaks.info and thus directly into Webalta's controlled IP address space, there is substantial risk that any malware infection would spread widely.
Spamhaus also notes that the DNS for wikileaks.info is controlled by Webalta's even more blackhat webhosting reseller "heihachi.net", as evidenced by the DNS records for the domain:
wikileaks.info. 14400 IN A 92.241.190.202
wikileaks.info. 14400 IN NS ns2.heihachi.net.
wikileaks.info. 14400 IN NS ns1.heihachi.net.
Spamhaus has for over a year regarded Heihachi as an outfit run 'by criminals for criminals' in the same mould as the criminal Estdomains. The Panama-registered but Russian/German-run heihachi.net is highly involved in botnet command and control and the hosting of Russian cybercrime.
We also note that the content at mirror.wikileaks.info is rather unlike what's at the real Wikileaks mirrors which suggests that the wikileaks.info site may not be under the control of Wikileaks itself, but rather some other group. You can find the real site at wikileaks.ch, wikileaks.is, wikileaks.nl, and many other mirror sites around the world.
Spamhaus takes no political stand on the Wikileaks affair. We do have an interest in preventing spam and related types of internet abuse however and hope that the Wikileaks staff will quickly address the hosting issue to remove the possibility of cybercriminals using Wikileaks traffic for illicit purposes.
More information on the SBL listing of Webalta's 92.241.160.0/19 is here:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL68370
Spamhaus is not alone in issuing this Wikileaks mirror malware caution. On Sunday researcher Feike Hacquebord at fellow anti-spam system Trend Micro issued a similar warning in the Trend Micro Malware Blog. (http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/)
-
Re:Someone Messed Up
Oh, the irony!
From the Update 18 December
In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDOS "enemies of Anon" with, AnonOps is now escalating its DDOS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDOS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".
There is palpable irony in a DDOS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.
-
Finland? Not entirely implausible
One of the world's most prolific spammers has hid out in Finland from time to time. While his hiding out there does not make an argument for Finland supporting his actions, it does suggest that it may be a place where computer criminals can hide out fairly effectively. Being as he was controlling a botnet from there to pump spam, it would not be hard to envision him using the same botnet to attack someone he views as an enemy - regardless of whether or not they have any negative affiliations with anything he does directly.
Of course if it really is Kuvayev - who makes most of his money selling counterfeit prescription drugs - he may actually be acting very short-sighted here. He may be concerned that radiation accident victims wouldn't want to buy his counterfeit viagra, while really he should be thinking of all the other drugs he could sell those people...
-
wikileaks.info vs wikileaks.ch
The links below have been reported to contain Malware, so don't click without reading first.
I'm confused. wikileaks.org redirects to mirror.wikileaks.info. That page looks like WikiLeaks did a year ago (a simple MediaWiki site), but it has up-to-date content. Meanwhile, the official domain we have had for the past fortnight, wikileaks.ch is still running and serving the "new look" which seems to just have the cablegate stuff.
mirror.wikileaks.info links to wikileaks.ch if you click on cablegate. They also claim this is a false spam report; the spam report claims that "Wikileaks.info is NOT connected with Julian Assange or the Wikileaks organization" and that "We also note that the content at mirror.wikileaks.info is rather unlike what's at the real Wikileaks mirrors which suggests that the wikileaks.info site may not be under the control of Wikileaks itself, but rather some other group." (Fair enough; it does claim to be a mirror.)
So is wikileaks.info a malware site or a legitimate WikiLeaks mirror? I'm all for WikiLeaks mirrors, but it seems like the main wikileaks.org domain should link to the main website, not a very different mirror. And if wikileaks.info is a malware site, where do you go to get all the other WikiLeaks content from the old site (it doesn't seem to be available anymore from wikileaks.ch)?
-
FBI versus Spamhaus
I don't see this guy listed on the spamhaus top 10 spammers list. We know that if he was arrested in the past week his spam volume would not have decreased that dramatically that quickly; so why does the US government disagree with the magnitude of this guy's role?
-
Pot meet kettle
It would seem a strange turn since the USA allowed one of its firms to sue a foreign entity not that long ago: http://www.spamhaus.org/organization/statement.lasso?ref=3
-
Re:Changing domains or changing servers?
though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.
I cannot think of a good reason to even start talking with a non-static IP to begin with. Spamhaus has a PBL (Policy Block List) and if an IP address is on it I just terminate the connection.
I know some people will say, "but now you prevent the common man from running a mail server!". Correct. It is unfortunate to create such a barrier to entry, but I feel that if you want to operate a mail server responsibly you will use a static IP. Spammers suck, and they have forced us to make it pretty difficult to deliver legitimate email. My own personal mail server is operating in a datacenter, but I pay $5 for a static IP address at home. I could be running a mail server there if I wanted to as well.
To expand upon NevarMore's point, domain names are only a small piece. I use several RBL's to determine if I even want to start a conversation with another mail server. Afterwards, it is all about the weight, or as you said, "points".
I believe what the article refers to is spammers' attempts to mitigate the points being assigned to their emails from the message level domain checks. That can remove some of the negative points against their spam, but does nothing against the IP address checks that can be performed as well on the mail server, and even on the IP address lookups for those domains.
IMO, the spammers are just looking to get a little more spam through, and don't think this is a way to defeat anything. Just a higher success rate of getting their spam to the Inbox. Awful lot of work, effort, and money being spent to do it too. Which is why I am convinced it is not advertising dollars from the companies marketing the products, but attempts at hijacking machines motivating them instead. Using them to conduct more serious crime such as identity theft and stealing financial information is a lot more profitable than some two-bit Viagra company paying them to deliver the spam.
-
Re:I love the wording in the above translation.
None of the Dutch ISPs block incoming port 80. Some block outgoing port 25 to anything but their own SMTP server.
That's why we are in the top 10 of spam countries: http://www.spamhaus.org/statistics/countries.lasso
Oh, wait, we are not.
Maybe cutting off the users that send out spam has something to do with it.
-
Re:On the fence
Spamhaus is NOT a free service. It is only free for low-volume personal non-commercial use.
If you are an ISP, or a corporation with a mail server, you must buy a subscription.
Most people fall into that category.
Note; They have even implemented checks on the Spamhaus DNSBL servers to identify the operating systems of certain spam filtering appliances, such as Barracudas.
If you are using a spam filtering appliance, with the free spamhaus servers, you will get banned, even if your server only processes 10 messages a day.
-
Though I agree that they've done nothing wrong:
Keep in mind that Spamhaus DOES operate around the globe.
from their site:
"To meet public demand for its DNSBLs, Spamhaus has built one of the largest DNS infrastructures in the world. Its network of over 60 public DNSBL servers spread across 18 countries serves many billions of DNSBL queries to the public every day, free of charge."
for a business to operate equipment in a country, that equipment is required to follow laws pertaining to that country.
-
Matthew 7:5
"Hypocrite! First get rid of the log in your own eye; then you will see well enough to deal with the speck in your friend's eye."
The good old US of A is the leading spam generating country by May 24, 2010: http://www.spamhaus.org/statistics/countries.lasso . It's got on the first place spam-wise in the world.
As far as I know the US army cannot act on the territory of the United States. But the spam is destroying our businesses. Colleagues have to spend a lot of time to deal with spam. Even filters do not help anymore.
It is the police, not army, who has to deal with cyber criminals. And also there is a role for Interpol and ITU.
-
Now if they could only arrest Canadian Pharmacy
According to ROKSO the folks who run the Canadian Pharmacy run out of the Ukraine. I'd have to say they are the most annoying bastards I've ever seen, at least as far as spammers go. I'm waiting for the day when they get their comeuppance. I hope I live to see it.
-
Re:Try to have the DNS entry removed
There's a problem with these automated tools - and that is that they're the shotgun approach.
We run some mainstream sites, and we also allow affiliate promotion.
We have a zero-tolerance spam / mailing policy, but that doesn't stop people trying.
If or when complaints come through (SpamCop, SpamHaus, etc) - we deal with them, and nuke the affiliates - we're just as anti-spam & fraud as the BL guys.
The problem, however, is that with the use of this / these tools, when DNS, upstream and network providers are scatter-bombed with complaints, over, and over, you end up getting blacklisted. Even if you're not in the wrong, you get blacklisted.
If you've ever been on the end of a SpamCop / SpamHaus complaint, as much as they may have intended to setup a good service, their 'service' is incredibly partial.
For example, the latest email back from SH to our host, when we had banned a fraudulent affiliate:
Let's talk about removing the customer instead of offering up yet another affiliate excuse.
Regards,
-- The Spamhaus Project (SR22) http://www.spamhaus.org/
Their website 'evidence' archives are full of libel and blackmail - if you email SH with a fake complaint, and say that company X participates in money laundering, international fraud and spam - they'll publish it - without an ounce of fact checking.
Somewhat off topic, but these issues burn - who watches the 'watchers' / internet 'police'
-
Re:Blacklist 'em
Until China learns how to act as responsible Internet citizens, I'll continue to blackhole as many of Chinese subnets as I can find both at work and home. Spam, malware, and every kind of crap comes from China, and I don't do business with any Chinese, so it's a no-brainer
Well, since more SPAM comes from the US I assume you'll block those subnets too? http://www.spamhaus.org/statistics/countries.lasso
Also, in March the US was the source of most malware, but since you already have that blocked for SPAM you should also block Korea who for some reason in the month of April took the lead. http://www.infosecurity-us.com/view/8547/korea-reigns-as-king-of-malware-threats-/
In regard to China learning how to act as responsible Internet citizens, you are not leading by example.
-
Re:Where's your beloved filter now?
little profit in spam from a legitimate business
While the meaning of "legitimate business" may be debated with regards to the businesses that employ spam, the profit is indisputable. Here is someone who made millions before age 28 from spam. There is also an Olympic skier who is a millionaire spam mogul. Here is yet another spammer who made millions off of spam. Most of the top spammers on the SpamHaus list are doing quite well financially as well - well enough that many of them jet around the world with their spam profits.
The spammer can only profit because their overhead is being spread to unsuspecting users on a global scale.
That statement doesn't match reality. The money the spammers pull in could easily purchase a cluster to pump out spam. However the botnets create one element of the great game of spam whack-a-mole in how difficult they are to shut down as they dynamically resize and pull in new nodes.
And if you look at how much the spammers pay their ISPs, you'll realize that the spammers are in no way hurting for money.
-
Re:Sadly APNIC == SPAM
As an Earthling I get more spam from the US than anywhere else...
Stats (so as a Briton, I should probably keep quiet about spam-by-country.)
-
Re:Easier to block?
Well, you could send complaints to the provider they peer with.
Normally that means the provider you send the messages to forwards them to the administrator of the network the spam complained about originates from.
Blacklisting is still your best bet, if you want to stop spam.
Spamhaus has a list called DROP, the Don't Route or Peer list, for listing hijacked blocks and professional spammers.
Trend Micro has InterCloud, ICSS/BASE.. which can provide tl. a BGP feed of providers/IP addresses to blacklist/null-route (botnet command and control points and infected hosts).
-
Re:Old news
No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP. All it takes is for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this technique.
-
Re:Damn moronic 'anti-spam' laws.
According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent sparn promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'
The Mega-D botnet consisted of at least 264,784 computers.
That's 264,784 UNAUTHORIZED COMPUTER ACCESS FELONIES.
Why the FUCK are we 'fining' someone who committed at least 264,784 felonies? We invade goddamn countries and charge people with war crimes for that level of criminality!
Anti-spam laws are nonsense. Forget the damn anti-spam laws. Lock them up for the felonies they're committing. Extradition would be a lot easier, too. (Of course, we could just find a few hundred IPs this guy hijacked in Australia, turn them over, and have him locked up there his entire life, instead.)
The laws are completely useless and always have been. They were passed to make consumers think that government is doing something. But the extradition and prosecution is a lot harder than it sounds, even when the criminal is in a friendly country like Australia. It takes forever and costs a lot of money, so the law enforcement agencies pass.
-
Re:Damn moronic 'anti-spam' laws.
According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent sparn promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'
"Sparn"?
-
Damn moronic 'anti-spam' laws.
According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent sparn promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'
The Mega-D botnet consisted of at least 264,784 computers.
That's 264,784 UNAUTHORIZED COMPUTER ACCESS FELONIES.
Why the FUCK are we 'fining' someone who committed at least 264,784 felonies? We invade goddamn countries and charge people with war crimes for that level of criminality!
Anti-spam laws are nonsense. Forget the damn anti-spam laws. Lock them up for the felonies they're committing. Extradition would be a lot easier, too. (Of course, we could just find a few hundred IPs this guy hijacked in Australia, turn them over, and have him locked up there his entire life, instead.)
-
Re:dark side of the coin
It's about consent, not about content. Spam, by definition, is unsolicited bulk e-mail. The type of content doesn't enter into it, so any concerns about censorship are misplaced.
-
Re:My situation
sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.
Yes, but are you still on SORBS?
Company I used to work for had their ip address space hijacked over six years ago. Got it cleaned up and off every other list relatively quickly. Repeated contacts over the years to SORBS by various postmasters, jumping through every conceivable hoop to no avail.
Anyone that uses SORBS for anything is an idiot.
-
My situation
When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.
The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.
So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4
So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html ) and got delisted pretty quickly.
Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".
For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
-
Re:Woo Hoo!
A faster and more direct tube for Chinese to receive US spam.
-
Re:How is this different
from the typical spambot? Any big enough botnet dedicated to send spam could have millions of nodes.
Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There are blacklists for that since a lot ago. That combined with greylisting (some spambots can handle greylistings, some not), and content filtering could reduce a lot the impact of that kind of spam.
It's completely different. Snowshoe spam does not come from infected PCs (proxies or bots), it comes from *static* IP addresses *bought* by the spammers from ISPs. The spammers have been buying IP ranges, class Cs, directly from ISPs and filling these ranges with 'nonsense' domains, each one sending 'a bit' of spam in order to spread the load across the whole class C to lessen complaints.
-
How is this different
from the typical spambot? Any big enough botnet dedicated to send spam could have millions of nodes.
Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There are blacklists for that since a lot ago. That combined with greylisting (some spambots can handle greylistings, some not), and content filtering could reduce a lot the impact of that kind of spam.
-
I represent that!
As a Canadian I figured I'd better look that up.
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233
Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming uses many frequently-changing IP addresses, domains and aliases to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Snowshoers use many fictitious business names (DBAs), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build their brand reputation based on a real business address, a known domain and a small permanent range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.
Some snowshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.
-
Re:And in the end...
Do you really have enough information to support your claim?
Do you?
Actually, yes, I do.
I've seen some pretty solid evidence that a lot of spamvertised domains don't actually profit from it, but there's no shortage of new customers so the spammers keep making profits without having to worry about retaining customers.
I would like to see the evidence you speak of. In support of my claim, I offer The SpamHaus entry of Leo Kuvayev. We see that Mr. Kuvayev (who uses several aliases as well) repeatedly uses spam for the same companies, using the same web pages. The contact info all goes back to the same place for his new customers. Whoever is paying him for his spamming services is buying his services repeatedly.
And this is very common in the spam enterprise.
-
Re:*snort*
AFAIK this is common to all RBLs - if they told you why and you were an evil spammer you could just work around whatever put you on the list and go on with your evil spamming.
And now you know otherwise. If you put in your IP, it'll tell you exactly why you're blocked (if you are). My ISP registered my whole netblock as dynamic, forgetting about my static allocation. I filled out the form to remove myself and was off the list in about half an hour. Spamhaus runs their RBL the way they were meant to be run and I have nothing but good to say about them.
-
Re:Heh.. you will find a lot of hostility
Correct me if I'm wrong, but I was operating under the impression that it is the ISP who added themselves to the list (for the most part). If this holds true, you probably *do* want to talk to your ISP as they are the ones who added your netblock.
That said, this stuff is a tricky deal I know. Most people using the Spamhaus stuff have been there, done that, when it comes to dealing with shitty RBL's. If spamhaus turns foul, most people will dump them.
-
some good DNSBLs
I recommend Spamhaus XBL and Spamcop Blocking List.
Spamcop used to have problems, but I think they resolved them a couple years ago.
Back when http://stats.dnsbl.com/ was operational I used their data to give me a quick leg up on figuring out which lists to look at. Then I checked out the lists for how they operate and then did a performance analysis.
Aside from policy/operation, two things that were particularly important to me were false positives and overlap. These lists get very low false positives and they combine nicely.
Old stats:
-
Re:Why bother with an IT solution?
I was a bit off by saying less than two dozen, but I wasn't off by that much. Spamhaus says 200 heavyduty spammers are generating 80% of the spam in the world.
The numbers I had in my mind are an outdated estimate I've heard a couple of years back. It's good to remember to question information and it looks like I forgot about keeping my assumptions up to date...
-
Re:Why bother with an IT solution?
not quite 90 from 24 but here is one of the better maintained lists of the heaviest spammers: http://www.spamhaus.org/statistics/spammers.lasso from there full list of major spammers: http://www.spamhaus.org/rokso/index.lasso
-
Re:(you)-CAN-SPAM
They pass a law to reduce the junk mail, and what does it do? Causes a flood of MORE junk mail.
I think you're missing part of the picture if you really believe that the CAN-SPAM act increases junk mail. After all, only a trivial portion of spam comes from inside the US as advertising for US based companies. If you look at most of your spam you'll find it generally passed through open mail relays on another continent, is advertising for a company on yet another continent, who purchased a domain from a registrar on possibly a third continent outside North America.
You might wish to think that, but reality disagrees with you. Now had you said the kingpins were mostly non-US you might have had a point. The vast majority of source, either zombie or real servers, is from inside the United States, in either case that puts them under the jurisdiction of US laws for crimes committed inside the United States. Whether they can be extradited is an entirely different matter.
In any case CAN-SPAM did in fact increase the amount of junk mail as it created a federal law wherein if you followed it you couldn't be prosecuted under the few existing state laws until those laws were rewritten. It increased the amount because CAN-SPAM is so full of loopholes and toothless that basically anyone can send whatever they want and doubly so if you're a member of government.
-
Re:(you)-CAN-SPAM
only a trivial portion of spam comes from inside the US as advertising for US based companies.
Not according to Spamhaus. Their ROKSO list of spammers is dominated by Americans.
And anecdotally, most of my spam is selling American products. However they've routed the spam most originates in the US.
-
Re:Jack Thompson is right: it's NOT spam.
Spam is commercial email.
No. Spam is Unsolicited Bulk Email. Content does not enter into the equation.
-
Still only one solution: bullets
It's always the same story. "Technology X is no longer able to stop spammers/bots. Technology Y will solve everything though."
As long as it's an arms race of technology, it will be...an arms race. Better tech means more effort on the part of the spammers to break it. The rewards for the spammer stay constant, but the costs for the defender constantly increase.
There are only two ways to stop spam: Make it financially unsustainable, or murder everyone on this list, and repeat every six months. Note that I'm NOT advocating this behaviour, but unless you can change the price model of spam, it's the only solution.
Everything else is damage control.
-
Re:Incredible
Maybe Hurricane Electric needs to do a better job when it comes to handing out IP space to well known spammers. They currently have 4 SBL listings (including a few /24s) for ROKSO listed spammers which have been active for weeks. These are folks who have already been terminated for abuse by at least three previous providers.
-
I feel so left out
because I sit here all day hitting the check for new mail button but nobody is trying to help me make my penis bigger or sell me a women.
I don't even get SPAM to the webmaster, root or JoeBob accounts on my multiple domains *** cry ***
Mhhhh, I think it all started when I setup ZEN from http://www.spamhaus.org/ about 2 years ago.
-
Re:Easy
PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.
That list will block a good hunk of botnet spam before it ever gets past HELO.
-
Re:Couldn't you just blacklist those servers?
You would think so, but it seems like Spamhaus isn't always keeping pace with the spammers. Take, for example, this SBL entry: SBL74156
It was added on March 23rd. However, looking through my mail logs, they started spamming us all the way back on March 11th. So unless I set the greylisting period to 12 days, greylisting+Spamhaus is insufficient.
I do appreciate what Spamhaus does, and the XBL especially cuts out a lot of the spam I receive, but there's a lot that falls through the cracks.
-
Re:ISP Blacklists
One thing about botnets... I don't really understand why there couldn't be a blacklist of known botnet controllers
...Like this one?