Slashdot Mirror

It's called dshield: http://isc.sans.org/howto.html

That was my first thought, although that may not be entirely accurate. As for dshield, noticed the other day there's what appears to be a new link on the Spamhaus page that reads

Consumer Alerts
Is your PC infected or part of a "botnet"?
Check it Here

Humorous aspects aside, it links to some sort of dshield copy-cat setup run by mynetwachman.com. Never heard of them personally, but the more the merrier. A community-based effort to solve a community-wide problem is sound in principle, and doubtless better than clamoring for new laws or regulations which typically brings unanticipated consequences to the mix.

then use regular expressions on those that do to refuse connections from dynamic/home/dsl/dial_up/etc. (I tried to post the regexes, but slashdot whined about " Lameness filter encountered. Post aborted!") Stop talking to dynamic IPs and about 90% of the world's spam will immediately vanish.

Or, rather than worry about keeping your regexes up-to-date, use the Spamhaus Policy Block List (PBL). It contains *only* dynamic and other "end-user" IPs. The PBL is also contained in their all-encompassing Zen blocklist, which is what I use, but those who don't like automated RBLs can still get the benefit of blocking dynamic IPs by using just the PBL. Adding it to most MTAs these days is a very simple one-line config change.

then use regular expressions on those that do to refuse connections from dynamic/home/dsl/dial_up/etc. (I tried to post the regexes, but slashdot whined about " Lameness filter encountered. Post aborted!") Stop talking to dynamic IPs and about 90% of the world's spam will immediately vanish.

Or, rather than worry about keeping your regexes up-to-date, use the Spamhaus Policy Block List (PBL). It contains *only* dynamic and other "end-user" IPs. The PBL is also contained in their all-encompassing Zen blocklist, which is what I use, but those who don't like automated RBLs can still get the benefit of blocking dynamic IPs by using just the PBL. Adding it to most MTAs these days is a very simple one-line config change.

"Spam is unsolicited bulk email, ..."
No, it isn't.

Yes, it is.

If your boss send you and a dozen other employees an email informing you of a meeting you need to, is he spamming? of course not.

A dozen would probably fail the "bulk" criterion. The fact of being your boss's employee makes it fail the "unsolicited" criterion.

If HR send out an email to 10,000 employees informing them of a policy change, is that spam? no.

That is bulk, but fails the "unsolicited" criterion for the same reason. (However, one employee deciding to mail the other 9,999 would definitely be both unsolicited and bulk.)

Sending an email in the context of the university, about the university, from someone on the student body of that university is not in and of itself spam.

No, for it to be spam it must be bulk and unsolicited. The mail discussed in TFA was both.

Not quite:

Spam is an issue about consent, not content. Whether the UBE message is an advert, a scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant - if the message was sent unsolicited and in bulk then the message is spam.

Chain letters are absolutely spam. If I didn't ask for it, and I don't want it, and there's nothing specifically relevant to me in the email, then it is spam. What do I care if it's commercial or not? It still takes the same amount of space in my inbox, and the same amount of effort to get rid of.

Um, you mean, nullroute the entire Internet?

Start with Spamhaus' DROP-List...

Can't do that in countries where there is no law and order, say for example... RUSSIA.

And there's like 100 other countries too. That's quite a few potential c&c hosts.

I say we blackhole them altogether. Desperate times call for desperate measures.

On the other hand USA is the leader of the spam pack by wide marginal. http://www.spamhaus.org/statistics/countries.lasso

Actually, according to this list, the top spammers are from the US but perform their nefarious deeds using Chinese servers.

In other words, your claim that "The Chinese are EVIL!" because they portscan you is BS.

I also think that by saying this "this is a good reason for me to have an unfriendly attitude toward China" you qualify for the Dumbest Statement All Week award. Most civilized people have, by now, realized that the "us versus them" attitude between nations is stupid, as no nation's people can be judged according to the deeds of its government or a minority such as it's hacking community. What sort of judgment would the world make regarding the US based on the actions and behavior of your last president?

Well done on being the among the last blind bigots to grow up.

Spamhaus Don't Route or Peer

abilena.podolsk-mo.ru isn't resolving for me right now, but DROP list is worth using.

Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s? The Mozlems are the new enemy, or didn't you get the memo?

http://www.spamhaus.org/rokso/index.lasso

This windows cloud computing stuff is already used to send millions of emails a day and so on. The product itself really isn't news, the only news is that Ballmer is finally giving it a product name so we can talk about it more effectively in the media.

For a list of computers participating in the Windows Cloud, go here and request an rsync feed for the XBL.

On a related note, Spamhaus recently issued this statement about Atrivo/Intercage, US-based persistent criminal spammer hosts. In the news.admin.net-abuse.email newsgroup, Steve Linford of Spamhaus indicated they made this statement because they are highly frustrated with law enforcement's inaction.

Uhh, that was detailed in the second half of the InfoWorld article.

On a related note, Spamhaus recently issued this statement about Atrivo/Intercage, US-based persistent criminal spammer hosts. In the news.admin.net-abuse.email newsgroup, Steve Linford of Spamhaus indicated they made this statement because they are highly frustrated with law enforcement's inaction.

reality looks like this:

USA 1590

China 442

Russia 304

SouthKorea 201

UK 184

http://www.spamhaus.org/statistics/countries.lasso

http://www.spamhaus.org/statistics/spammers.lasso

no comment!

reality looks like this:

USA 1590

China 442

Russia 304

SouthKorea 201

UK 184

http://www.spamhaus.org/statistics/countries.lasso

http://www.spamhaus.org/statistics/spammers.lasso

no comment!

I use the Spamhaus PBL which is mostly populated by the ISPs responsible for the listed address ranges. If there are false positives, they have been rare enough not to come to my attention, as I said before.

Blackwater would probably do it.

There's something to be said for this. Many of the major spammers have been identified (see ROKSO). The anti-spam community needs "boots on the ground" to do something about them. There are private companies in that business. Blackwater is one; Kroll is another. Spammers today are part of larger criminal enterprises, which makes them vulnerable to private investigators.

According with Spamhaus the top 10 countries the 1st one is US, then at 1/3-1/4 of that amount is china, then Russia, UK, etc. Would be interesting to see UN/US army invading those countries from 1st to last.

With headlines like 'Third World War has begun,' '20000 US Soldiers in US,' and 'China Army crossed China's borders'...

I hear the UK is already setting up a transitional government to guide the citizens of the UK toward democracy, with new laws designed to eliminate spam.

According with Spamhaus the top 10 countries the 1st one is US, then at 1/3-1/4 of that amount is china, then Russia, UK, etc. Would be interesting to see UN/US army invading those countries from 1st to last.

Of course it gave me a reason. 554 Denied [SHPBL] - Denied by Spamhaus PBL along with a nice url. I'm not willing to give up any more details than that as I am not interested in posting any of the related ips.

Ah, the PBL. That's where your argument falls to pieces.

From http://www.spamhaus.org/pbl/index.lasso :

PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.

So, your ISP told Spamhaus that mail shouldn't be coming from the range your IP address is in. Not Spamhaus making a trite, petty and vindictive block for the fun of it. Not some blacklist deciding in error to block a whole /24 full of static addresses with REAL rDNS records for most of it because they found a couple of zombied machines with vaguely generic-looking PTRs in it. This is a case of the people you pay for connectivity telling Spamhaus that the rest of the world should not accept mail from your IP address or others near it until further notice - they're being good neighbours, and are to be applauded.

If you have a static address you can poke a hole in the PBL for it pretty easily - *you* can provide that further notice:

A feature of the PBL is the elimination of 'false positives' with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).

Do your research. The PBL is pretty damn useful, and you probably qualify for free use. If you have an unfiltered postmaster address on your domain (you do, don't you?) the smart thing would be to start blocking with it but make sure the rejection contains something like "Rejected: $IP_ADDRESS listed in Spamhaus PBL ( http://lookup-urlip_address/ ) - please contact postmaster@whineyblacklisthater.org for assistance if required" - you'll find that the "false-positives" for it are almost invariably from people who don't know what the PBL is and want to do their own thing, regardless of the practicalities the rest of the world has to face. Why should I or anyone else accept mail from somewhere your own ISP or their upstream provider has said I shouldn't?

Quit whining. If you have a static IP with your carrier, then there are ways of removing that from the PBL. If you had actually looked up the PBL, you would have seen that, Spamhaus PBL. If you are on a dynamic IP, then too bad for you, as you are not getting off the PBL.

There is a reason people use the PBL, it's because it is a cheap and effective way to block tons of spam. For every million or so spams that are blocked by the PBL, there may be 1 false positive. Why should my server consume processor cycles using other spam filtering methods for a million messages so that your 1 lonely message can get through unobstructed? Because you think that you are priviledged enough to force the world to bend to your will?

Grow up, address space in the PBL that is sending email directly is 99.9999% used to send spam, I will live with that tiny fraction of collateral damage. I'm not the only one, if I were, the PBL wouldn't exist. You could always avoid the PBL all together by setting your outbound mail server to route through your carriers mail server. If you are not a spammer, that shouldn't pose a problem.

If you are concerned about them intercepting/reading/logging your mail, they can do that already if they want to, anytime up to and including when it hits their perimeter routers, snort snort. Encrypt it if you are worried about that.

As for mission critical e-mail, guess what, there is no guarantee that it will get through in a timely manner, even without blacklists. I've had email coming from an msn.com account take 4 days to get to me, while a later message from the same account made it to me in a couple of seconds. Yes, it was a critical email, it wasn't blocked or filtered, it just took 4 days to make it to my server. If your business occassionally requires mission critical email, you should definately have 2 or 3 ways, all independent of each other, to get email in/out. You should be prepared to use the alternative methods when necessary without complaint. Depending on the nature of the email, you should be on the phone with the intended recipient when you send the mail out to make sure it gets to them, or that they know to call you when they are able to check their mail if it doesn't get to them.

Apparently you didn't get the memo, orbs shut down long ago, Register UK, also, they didn't exactly have the best of practices.

Let's just say that the US emits more spam total, and you don't know enough Indians to bring up the signal:noise ratio. If you're working somewhere like a university, you just cannot block email by country.

And it's because of thinking like that that I, in Hong Kong, find it impossible to communicate with some people in the US.

I am undecided about whether or not this is a good idea, but if China and Russia won't stop their criminals

"Their" criminals? The criminals are OVERWHELMINGLY AMERICAN. They use hosting services overseas. The US government could crack down on these if it wasn't in thrall to commercial interests. Trace the money. Block their credit card activity. No money, no spam.

See the ROKSO list: 72 of the top 115 spammers are American.

CLEAN UP YOUR OWN HOUSE BEFORE YOU START FUCKING WITH OTHER COUNTRIES

Here is a list of the most prolific spammers in the world - aka. the people controlling these bots:
http://www.spamhaus.org/rokso/index.lasso

They're mostly american.

You're aware that the US is still, by a factor of almost 4, the number one spamming nation on Earth? But don't take my word for it: http://www.spamhaus.org/statistics/countries.lasso [spamhaus.org] Now, you were saying? Sorry, it's hard to hear you when you're speaking from atop such a high horse.

Does this take into consideration a large portion of the bots in the US being controlled by forces outside of the country? It's a pretty well known that just because a computer is spamming and its origin is within the US doesn't mean it's being controlled by an American.

"If China and Russia won't stop their criminals..."

You're aware that the US is still, by a factor of almost 4, the number one spamming nation on Earth? But don't take my word for it:

http://www.spamhaus.org/statistics/countries.lasso

Now, you were saying? Sorry, it's hard to hear you when you're speaking from atop such a high horse.

You could also explain that spamming people is probably a violation of the Terms of Service he or she agreed to when they got the Internet pipe installed. I would suggest getting hold of a copy of that ToS document (should be readily available from your ISP's site), highlight the section prohibiting spamming, and let your boss read it.

If said boss is still determined to go through with this, explain that such behavior is very likely to get his company's IP address range entered into both local (as in at the target's) blocking list, and possibly that of larger anti-spam outfits such as Spamhaus.

If that should happen, it is very possible that further E-mail, no matter what its content, could end up not getting through to any recipient(s) who use an ISP that subscribes to Spamhaus's blocking service (and LOTS do!)

Proceeding along this train of thought -- If enough people complain to the ISP that your boss is getting his/her connectivity from, it is very possible that your connection could go down. Permanently and unexpectedly.

The RIGHT thing to do is file a formal complaint with the ISP that your competitor is getting connectivity from. It is very likely that said competitor violated said ISP's ToS, and could end up getting THEIR connection terminated. Your boss should be able to appreciate that.

Good luck.

While the practice would meet the definition of SPAM, he is probably not going to piss anyone off too much. If these are 'customers' of a competitor, they are people probably interested in travel deals. I'm not trying to justify your bosses actions, but taking the scope of the big bulk spammers into account this is a nit.

Now if I were going to do this I would mention that 'so-and-so' (the competitors name) gave me your contact information as someone possibly interested in travel deals. Someone getting mad would probably get mad at the competitor.

I was just speaking with Mark Causa, a forums admin of his, this weekend in fact!

(Kevin Hazard's their "SUPER ADMIN" in fact).

(It was in regards to a "IPS Driver Error" I was CONSTANTLY seeing on a posting of mine there, in an attempt to update/edit it, on THEPLANET's forums (in regards to securing Windows))...

WoW! I was trying to point them to security issues too... & they were VERY helpful guys too, trying to help ME out (& going overboard imo in some ways)

I was also today, in fact, prior to seeing this - going to note they were being listed as a site that had problems with hacker/cracker types abusing them as well, per one of these sites:

http://www.castlecops.com/

http://mtc.sri.com/

http://www.spamhaus.org/sbl/latest.lasso

http://www.phishtank.com/

(or, one of the numerous others I look @ daily, like SANS, PacketStorm, etc.)

They were listing theplanet as being abused etc. the past few weeks now in fact, by hacker/cracker/spammer types.

APK

P.S.=> I doubt this is due to "hacker/crackers" though, personally... just bad setup in the server room! apk

Ask this guy.

"ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist."

http://www.spamhaus.org/zen/index.lasso

Quite a lot of spam originates in Europe, with 4 of the top 10 spam sources being Euorpean. RIPE's system is hardly foolproof!

Just add them to the ROKSO list and most ISPs won't route their traffic any more. Additionally this could be listed in the bogon zone at completewhois.

Looks like you could use some enlightenment yourself. here's their top 10 list. According to them, the worst spammer is Russian. Number 2 is in the Ukraine. You have to go all the way down to number 10 before you see anyone in the US.

That would be why nearly all spam references US companies and quotes the millions I could make in US dollars, then.

If you want more enlighenment I suggest you look at the list of the worlds most prolific spammers, and specifically what country they reside in: http://www.spamhaus.org/Rokso/

If you block a country because it is relaying spam, it will be switched to go via another country before the week is out. Meanwhile millions of innocent people will find themselves cut off.

Specifically, if required, then the U.S. of A. should be subject to these same rules.

You bet. Clean up your own act first. I'm not holding my breath. Easier to blame nasty foreigners.

Did you RTFA:

The US continues to relay far more spam than any other country,

I live in Hong Kong. About 80% of the spam I get is from the US. And yet I find my emails often bounced from US addresses because of similar enlightened attitudes.

Most of the world's spam ORIGINATES in the USA, is PAID FOR by USA companies. Your government does nothing to stop it. (What is it, two or three prosecutions in the last 5 years?) American companies lobby to prevent any effective measures to stop spam. Bit bucket Florida and you might make a dent in it for a while. But attack the source, not the routing.

ISPs really should have better IDS on outgoing traffic. At the very least they should be dropping the malicious traffic

My home ISP just started outbound blocking traffic from DSL customers to port 25 a few days ago, which has stirred up some controversy. Maybe I'm just imagining things, but I believe my connection has been faster since then. We're always suffering from bandwidth problems (the downside of being on the end of a very long cable across the Pacific) so anything that eliminates our share of 100 billion daily spams clogging the line is a good thing in my book.

On mail servers I use spamdyke to immediately drop connections from end-user IP addresses (using the reject-ip-in-cc-rdns rule and Spamhaus PBL) and it's been remarkably effective.

If everyone did this, the botnets would be useless.

With apologies to Billy Joel

Green Cards, Spamford, Snake Oil, these guys,
Michael Lindsay, Nigeria, Get Rich Quick Today.

CHORUS
We didn't start the fire...

But what about all the other ways that IP addresses are used and stored?

• Will I need to register under the Data Protection Act in the UK because a default Debian install logs the IP address of failed ssh attempts?
• Will this shut down Spamhaus and other DNS block lists?
• Will IP based Geolocation services have to shut down?

While there is no guilty verdict yet, I am reading this on a Friday.

I will celebrate this fine event ; with I'm sure the fine folks who have been tracking this guy at SpamHaus.

Let's all drink to this ! I hope the same for all the rest of these idiots --> http://www.spamhaus.org/rokso/index.lasso

Ciao,

Marcello M.

Surprisingly well actually. I list Leo Kuvayev's former company "2K Services" as a credit card processing company (the job I was hired for). When they ask why I left I tell them he changed his business model to something I couldn't participate in and still have a conscience. If they ask for details I tell them everything and I reap the scored sympathy points for having the worst job experience imaginable.

For the record I spent several weeks trying to change his mind then turned down a raise and left the company several months before his new business model forced a national carrier to change their policy on spam and cut his fibre optic connection which was exactly what I warned him they would do when I gave him my contractually required two weeks notice.

Ralsky's been documented spamming for a long time. It's about time someone did something about him.

(That link has a pic.)

Since there are over 20 replies to my message, I'll reply to my own message rather than replying to the individual replies.

First, I'll point out that a large amount of spam comes from a small number of spamming operations. Check out SpamHaus and read their listings of the top spammers. You'll find that if you could stop just the top handful, you would have a huge impact on the total amount of spam. And I'm not going to suggest hunting them down with cops and guns, either.

If you look further into the work of these spammers (I'll call it work, you can call it whatever you like), you'll find that one commonality is that the top spammers have registered lots of domains themselves that they spamvertise. If you dig deeper into these domains, you'll find that the spammers use only a small number of registrars and ISPs for their spamvertised domains. And if you bother to do a WHOIS on said domains, you'll find that many of the spammers don't even bother to make up new registration data for the domains, they just stick to a couple of repeated aliases each.

Therefore, the registrars that sell the domains could chose to deny the sale of the domains based on the identity of the people buying them. For example, "Leo Kuvayev" is currently ranked number one at spamhaus. His list of aliases for registration is quite short. But yet the registrars chose to do business with him, even knowing that he is linked to criminal activity.

I therefore say that the fault for much of the spam lies in the hands of registrars and ISPs that willingly keep criminals as customers.

Which of course leads to the question of why these companies would do such a thing, which has a simple answer - money. These companies are making money off of these criminals who they do business with.

Therefore, I propose that the solution lies in better regulation of the registrars and ISPs. In particular, if ICANN actually enforced some codes of decency on the registrars, by way of hitting bad registrars with hefty fines, the registrars would be forced to pass on the higher costs of business to their customers. If domains become expensive, then we will succeed in increasing the cost of business for the spammers.

Since there are over 20 replies to my message, I'll reply to my own message rather than replying to the individual replies.

First, I'll point out that a large amount of spam comes from a small number of spamming operations. Check out SpamHaus and read their listings of the top spammers. You'll find that if you could stop just the top handful, you would have a huge impact on the total amount of spam. And I'm not going to suggest hunting them down with cops and guns, either.

If you look further into the work of these spammers (I'll call it work, you can call it whatever you like), you'll find that one commonality is that the top spammers have registered lots of domains themselves that they spamvertise. If you dig deeper into these domains, you'll find that the spammers use only a small number of registrars and ISPs for their spamvertised domains. And if you bother to do a WHOIS on said domains, you'll find that many of the spammers don't even bother to make up new registration data for the domains, they just stick to a couple of repeated aliases each.

Therefore, the registrars that sell the domains could chose to deny the sale of the domains based on the identity of the people buying them. For example, "Leo Kuvayev" is currently ranked number one at spamhaus. His list of aliases for registration is quite short. But yet the registrars chose to do business with him, even knowing that he is linked to criminal activity.

I therefore say that the fault for much of the spam lies in the hands of registrars and ISPs that willingly keep criminals as customers.

Which of course leads to the question of why these companies would do such a thing, which has a simple answer - money. These companies are making money off of these criminals who they do business with.

Therefore, I propose that the solution lies in better regulation of the registrars and ISPs. In particular, if ICANN actually enforced some codes of decency on the registrars, by way of hitting bad registrars with hefty fines, the registrars would be forced to pass on the higher costs of business to their customers. If domains become expensive, then we will succeed in increasing the cost of business for the spammers.

I literally get 0 spam in my inbox. The only spam I ever get is from businesses that I have a "relationship" for (ie., created an account on their site, said no thanks to junk, but got it anyway). Easy enough to block them since each site gets their own alias.jan-1-2007@mydomain.com that I can filter later on and never bother to "unsubscribe."

I use sendmail with greylisting as my frontline defense, then dul.dnsbl.sorbs.net, `sbl-xbl.spamhaus.org, list.dsbl.org, and lastly bl.spamcop.net. Thunderbird is great at picking up all the stupid "business relationship" junk based on the servers spamassassin's markings (but I don't have spamassassin dropping anything, just marking it up), but mostly just gets in the way of me permanently rejecting their mail (just a few a month ever come in).

I found many of the sendmail configuration lines from http://www.sdsc.edu/~jeff/spam/Sendmail.html if you'd like to give it a try.

4 days worth of spam filtering shows the following were blocked (this is just for my little list of personal domains, mind you):
# grep -c sorbs /var/log/maillog
16048
# grep -c spamhaus /var/log/maillog
13246
# grep -c dsbl.org /var/log/maillog
230
# grep -c spamcop.net /var/log/maillog
897

Combined spam blocked (each file is 7 days worth of spam count, except the top one which is only 4 days):
# grep -cF $'sorbs\nspamhaus\ndsbl.org\nspamcop.net' /var/log/maillog*

/var/log/maillog:30486

/var/log/maillog.1:43508

/var/log/maillog.2:41687

/var/log/maillog.3:36868

/var/log/maillog.4:35687

it is: http://www.spamhaus.org/statistics/countries.lasso

Although the list contains more than just RBN-related netblocks, the Spamhaus DROP List is your friend.

blocking all traffic sourcing anywhere except North America reduces the spam load by 98%