Slashdot Mirror

What about spyware coming from non-US systems

lol, next you will be telling us that 90% of spammers are based outside the US....oh wait

The Spam Tour site would be a nice match with this one.

The US Federal Trade Commission says that over 80% of spam involves some violation of Federal law. Not just the CAN-SPAM act, but mail fraud, false advertising, money laundering, computer crime, drug counterfeiting, and racketeering. There should be no problem filing charges.

If we had an FBI director who made this a priority, most spam could be eliminated in a year. Just divert some of the FBI Baltimore people who do child pornography, who are already experienced at tracking people on the Internet, off that job and onto tracking down the major spam operators.

In a sense, CAN-SPAM has been effective. Spamming by even vaguely legitimate companies is down. Almost all spamming now involves felony criminal activity of one kind or another.

They use zombie machines, and host their spam sites on chinese and brazilian bullet-proof ISPs, like CNCGROUP-HI (CNC Group Hainan province network), or Connect BR NET, reported there many hundreds of times. But guess what - they ignore all spam reports, and some brazilian admins are so clueless that they can't even shut their own network down right (or they just protect the spammer for all those bullet-proof money):
http://groups-beta.google.com/group/news.admin.net -abuse.blocklisting/browse_thread/thread/1b8c61ebd de805eb

More about these spammers is on the Spamhaus website:
http://www.spamhaus.org/rokso/evidence.lasso?rokso _id=ROK4932

If I recall correctly, Comcast's primary method of blacklist prevention is that they don't allow outbound port 25 access from end-user machines, everyone has to go through their SMTP server; Comcast doesn't get blacklisted because machines on their network can't spam.

Interesting to note, that many spam mails can be traced back to .cn domains

That's actually a myth. Most spam comes from the US. Just because spammers forge 'From: ' headers doesn't mean they are sending spam from chinese networks.

In a recent survey, more than 72% of the spam came from the ARIN netblock (the US being the biggest part of it), 16% from RIPE and the puny remaining rest from APNIC (where most .hk and .cn domains belong).

MAPS stopped being a reputable service ever since they joined MFN/Abovenet. I say this as someone who previously supported MAPS and even donated to their legal defense fund.

It was quite sad to see them fall to the dark side. It's even sadder to see that MAPS is still in active use by anyone outside of MFN.

shame he works for the #1 spam support company in the world.

his company adds new spammers on an almost daily basis, just check the dates on the various sbl records.

This blocks 99% of foreign spam. Sue Mosher wrote about other effective methods for killing spam in Outlook.

Thought so to, but reading about .mail made me change my mind. It's "outside the box" when it comes to the TLD concept (in a good way! :)

The only one that looks useful is .mail and it's not really like the current TLDs.

So the short answer is probably "no"!

And Alan Ralsky is still spamming and is the number #1 spammer according to Spamhuas. even with the stupid Verizon lawsuit.

When are the fucking ISP's going to be forced to shut these assholes down.

I forgot , they make money off them.

The Internet consortium needs to start shutting down ISP's if they don't act.

Isn't this like telephony fraud ?

I agree fully. We only use Spamhaus which has proved itself to be highly effective, plus to date no clients have noticed legitimate email being blocked. Spamhaus have a very clear policy and procedure, significantly reducing the chance of legitimate mail being impacted. Their Register of Known Spamming Organisations (ROKSO) is also brilliant.

If you are a co-location customer, and your IP address gets black-listed, I think it's your responsibility to put pressure on the co-lo facility to resolve the problem. All of the people on these black-listings must not care if they've let it go this long.

Also, just because you're listed on these pages doesn't necessarily mean you are the one causing the problem. A non-profit for whom I do server administration got listed on a bunch of these lists. The cause was some spammer stealing content from their site, and including the URL to this non-profit in the email. SpamHaus just finds all domains listed in the email, looks up information on everything it finds, and blacklists ensue. When this happened, I had to fight with both Peer 1 and SpamHaus to convince them we had nothing to do with the spam, which we didn't. (Peer 1 acted too quickly if you ask me, as they blocked one of our IP's listed in the report almost immediately.) What should have happened and what didn't is that SpamHaus should only be looking at the servers through which the spam travels. Had they done that, the non-profit with whom I'm involved would have never been included in the blacklist. Instead, only the originating mail server and any open-relays would have been affected.

If you are a co-location customer, and your IP address gets black-listed, I think it's your responsibility to put pressure on the co-lo facility to resolve the problem. All of the people on these black-listings must not care if they've let it go this long.

Also, just because you're listed on these pages doesn't necessarily mean you are the one causing the problem. A non-profit for whom I do server administration got listed on a bunch of these lists. The cause was some spammer stealing content from their site, and including the URL to this non-profit in the email. SpamHaus just finds all domains listed in the email, looks up information on everything it finds, and blacklists ensue. When this happened, I had to fight with both Peer 1 and SpamHaus to convince them we had nothing to do with the spam, which we didn't. (Peer 1 acted too quickly if you ask me, as they blocked one of our IP's listed in the report almost immediately.) What should have happened and what didn't is that SpamHaus should only be looking at the servers through which the spam travels. Had they done that, the non-profit with whom I'm involved would have never been included in the blacklist. Instead, only the originating mail server and any open-relays would have been affected.

It depends on how populated that block is. If it's 120,000 used addresses with only about 50 of them being problematic, then it IS a big number. If it's only got a few hundred used IPs, then it's not quite as bad as it sounds.

If you have 50 problematic IP's in your customer base, you rank #9 on Spamhaus' top 10 offender ISP list.

You're one step below level3.net and one step above Verizon. You don't want to be there.

He didn't say that he did relay the spam.

I run quite a few servers for hosting companys and whenever the datacenter gets blocked by some one like spamcop or maps that is the reason they give you for being on the list. they rarely investigate the spam they just block the datacenters.

http://www.spamhaus.org/ is the only one I have never had a problem with, I just told them who it was (well they told me the domain name) and deleted the account spamhaus removed us within minutes.

Some are well maintained, and even automatically maintained. spamhaus and spamcop come to mind. One of the less desirable ones that comes to mind is SORBS, where if they list you in one category you've got to donate $50 to charity, per message, to be delisted. You're an ISP providing smtp to your customers, and you're listed again? Tough.

Speech ranges from "I have a dream" to spam.

(cough) Sorry to get offtopic, but no, it really doesn't. Spam has everything to do with volume and unsolicitedness and nothing with content; therefore, it has nothing to do with speech.

Phishers, on the other hand, can operate from anywhere; they're popularly blamed on Russian Mafia, but I haven't seen any real statistics. But until banks start running SPF or similar protocols that make it easy to filter out forgeries, phishing won't go away that fast. Banks and credit card companies also need to start running stings on phishers - things like setting up dummy accounts that instantly flag anyone who accesses them, sending this information to the phisher's traps, and then nailing them when they try to get them money.

Filters and Lawsuits hit different ends of the spammer market. Lawsuits aren't very useful against the little spammers - it's a whack-a-mole game, where any spammer you bankrupt has two or three more following in his footsteps. They're much more effective against the big spammers - Spamhaus estimates that 200 spammers put out 80% of the spam, and putting any of them out of business can make a big dent - and most of them are based in the US, where you can sue them, even if their infrastructure is mostly in China or Zombieland. The nice thing about whack-a-mole lawsuits is that they're usually easy to win - you don't make any money off of it, because most of them aren't making much money compared to the amount they're costing the Internet as a whole, but if you've got a collection of 200 heads nailed up on your office's front gate, it starts to get their attention.

Exchange, Outlook, and Outlook Express do get spam filter technology added to them - it makes the users happy, and if it implements spam-reporting capabilities well, it can help the ISP side of MS improve their filters. But the main filtering happens at the ISP level, because that's what most customers want.

seeing as USA is the number 1 spammers choice its not hard to connect the dots, those who have most to lose always shout the loudest, anon/name proxy domains always are american, coincidence ?

While US spammers can reasonably be expected to evolve over time to collaborate with their host society, foreign spammers don't ...exist!

Please stop this strawman already. There are virtually no non-US spammers. Look at the ROKSO list - of the top 200 spammers, over 150 are in the US. Another 20 or so are in Canada, UK or Australia. Only about 10% are in any difficult-to-reach legislations, and most of them are further down the list, not at the top.

The USA is, by a wide margin, the #1 source of the spam problem.

Given a commonly cited response rate of about .00001%[0] (as opposed to 10% in the article) used by People with more credibility ,in my opinion, than some faceless marketing firm, you're wrong. I'm still looking for something to
cite at the moment, as I don't expect someone who's never dealt with them to take Steve's(Spamhaus), Rich's(Spamblocked), or Bill's(theclub...) word for it.

The entire game of advertising has become one of infintesimal returns, in no small part because advertisers,like spammers, seem to think that forcing someone to view thier spew, will them or nil them, will make them more positively disposed towards the product/service/company being advertised.

[0] +/- an order of magnitude. I'm bad at remembering the exact number of zeros.

...So what is the big deal?

The CNN article says "IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail." The WSJ article posted by someone above says "based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them." This sounds exactly like the DNSBL FAQ at www.spamhaus.org which reads "Doing a DNSBL lookup on a message at SMTP connect time is cheap in hardware cycles and system time. Your DNS server may even have it cached from the last time the spammer tried. If your MTA already knows the incoming message is spam it can deny a spam message before having to pass it to mail-scanner (medium cost), through the virus scanner (medium to expensive), bayesian filtering (medium), spamassassin network tests: blacklists, DCC, pyzor, razor, etc. (medium - high). Mail rejected by a DNSBL does not disappear into the bit bucket. A DNSBL realtime rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, therebye allowing troubleshooting on the sender's end. Realtime rejection avoids the "backscatter" problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam. Of course, as we all know, most spam and all viruses have forged sender addresses, and so the "bounce" goes back to an innocent third party (if it is deliverable at all). Using the SBL-XBL lists together (recommended) rejects a very large amount of spam and virus mail with very low "false positive" rejections of legitimate mail. And remember, all those rejected legitimate mails are instantly reported to the sender with a DSN. "

The IBM page says "FairUCE (which stands for "Fair use of Unsolicited Commercial Email") is a spam filter that stops spam by verifying sender identity instead of filtering content." "Technically, FairUCE tries to find a relationship between the envelope sender's domain and the IP address of the client delivering the mail." This suggests that the receiving mail server does a DNS lookup "at SMTP connect time" verifying that the from address is related to the owner of the IP address the mail is coming from i.e. email from joe@yahoo.com originating from www.msn.com "bad" email from me@myisp.net originating from www.myisp.net "good" or something like this. If the cash is of WHOIS lookups so what? IP addresses do not change hands very often (do they?), I may have a different IP every time I log on to the internet, but that IP is always comes up on a WHOIS as being assigned to my ISP. :( And onone is going to read this...

It is called a blacklist. There are many blacklists out there from the free like http://cbl.abuseat.org/ to the non-free http://www.spamhaus.org/. Wonder how much time IBM wasted on figuring out how to send a 500 error message based on IP.

However, we're also going to need some software tools. A lot of sites, my own workplace included, are rolling out VoIP systems. Some of these are COTS systems of various levels of quality. Others (like us) are using open systems like Asterisk PBX and SIP Express Router (SER). Currently, as far as I have seen neither the proprietary nor the open tools have what it takes regarding abuse rejection:

• Dictionary attack rejection. Any caller who makes a vast number of wrong numbers in a day is just trying to guess numbers, and should be rejected.
• Call rate limiting. A single caller IP address should not be able to make a vast number of simultaneous or near-simultaneous inbound calls.
• Site-local blocklisting. One good way of telling if an IP address is going to spam me is if it has spammed the guy the next office over. The VoIP PBX is a good place to aggregate abuse information. Asterisk has the beginnings of a blocklist system, but it's not quite there yet.
• Distributed blocklisting. DNSBLs have worked very well in the email world, where a single highly reliable list such as Spamhaus SBL-XBL can deflect over 50% of spam. We will need this ability in VoIP.
• Abuse reporting. If I'm getting VoIP abuse from your site, I need a way to report it to you or your ISP. Likewise, VoIP sites that want to be reputable should offer call recipients a way of reporting harassment, spamming, and other sorts of abuse.

I hope that Verizon decides to start kicking the spammers off their network, because I shudder to think what one of them could do with that sort of bandwidth. That's not the only problem, either. I can only imagine the fun kiddies will have with armies of cracked computers on Fios connections. Verizon certainly doesn't care. Perhaps the damaged caused by drone armies on higher speed connections will result in enough backlash to make Verizon become part of the solution for a change...

Most spammers are not in U.S.

This is false. The SpamHaus list shows the USA hosts more spammers than the other countries put together.

the FBI who has bigger fish to fry

This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.

That's mainly due to lack of willpower and expertise rather than funding, however. A competent "Spam Czar" armed with the authority to seize spammer's personal assets could easily achieve self-funded operation within a year.

because it sure looks like it, and people wonder why the Americans get such a bad reputation, perhaps spamassasin should use the dollar sign as a "+5 US currency mentioned"

Ronnie Scelson comes to mind.

verizon is quite spammy as well, just not as bad as mci/worldfraud is

sbl listings for verizon

sbl listings for level 3, which verizon owns

verizon is quite spammy as well, just not as bad as mci/worldfraud is

sbl listings for verizon

sbl listings for level 3, which verizon owns

and the same MCI that is the number 1 spammer according to the Spamhaus charts. Spamhaus also put out this article charging that MCI profits from spam. Verizon's getting all that.

and the same MCI that is the number 1 spammer according to the Spamhaus charts. Spamhaus also put out this article charging that MCI profits from spam. Verizon's getting all that.

Over 70% of current spam comes from proxies (PCs infected with viruses/trojans). Since the release of Sobig, the first commercial spam virus designed by spammers to infect PCs turning them into networks of proxies through which spammers then send millions of spams anonymously, spammers have released countless virus variants, mostly variations of the original Sobig code, and have been infecting an estimated 80,000-100,000 new PCs every week.

So what I want to know is when is MS going to get off their butt and make their desktops more secure and resistant to these _simple_ types of attacks? There really should be no reason for a simple email or web browser exploit to be able to take over a users _entire_ system and exploit it like this. Hell, at least Linux and Mac OS X run normal users as NON ADMIN USERS and prompt for a password for admin activity. Why can't MS do this? And No the runas command doesn't even come close to the ease of use of having a dialog just pop up and ask for a root password when needed. Heck, Linux is Open Source, MS can look at how the major Linux distros do it if MS is not certain about how to go about it.

A few simple changes on the part of MS and the majority (70%+) of spam can be stopped.

I know that a ton of MS Windows applications die if they are not run from a user with Admin rights. However, all MS needs to do is implement a system like Linux or Mac has done and make _every_ user a non-admin user by default instead of making _every_ user in the Administrator group out-of-the-box. Then you will be running an MS Windows desktop as a non-privileged user. Now if you run one of those MS Windows applications that need Administrator access, MS Windows just prompts you for the Admin password. How hard could that be? This small change will allow all those "we need admin" programs to still run, however, it should prevent most of these email/web browser types of attacks from taking over a users system without their knowledge. For example, with this new system, an MS user using an exploited IE goes to a site, the next thing the user knows is that a site prompts for the admin password, the user clicks cancel and no-harm done. It is much easier to teach Joe User to _never_ put in his admin password for any web site than it is to teach Joe User to go out and spen money on an Anti-Virus program and _true_ two-way firewall program (MS's firewall is only one-way) and install them both and keep them updated.

Unauthorized computer access was made a felony in the late 90s. Unauthorized computer access was also labeled 'terrorism' by the so-called Patriot Act. But these unauthorized accesses are defacto protected by the current federal govt. because they are commercial(tm) and are not prosecuted like a lone pimply cracker defacing a commercial(tm) website would be.

It is said that the creators of the Sobe and workalike viruses also created this commercial(tm) and openly available bulk-email package which anyone can use to send their commercial(tm) spam through infected, cracked computers. Send-safe.com sells their spamware via unregulated, greedy Visa and MasterCard networks, and is hosted openly in uunet/MCI/Worldcom netspace.

A large bank of PCs running send-safe for a non-commercial(tm) (terrorist) purpose could bring the internet to its knees.

Details... Well, they're floating around a fractional percent to nearly 6% of spam, by month. I label mail by ASN as I report it to news.admin.net-abuse.sightings, so you can search for ASNs 1221 and 4763 there. Bounces around a lot. July was about the worst, since it's been about 0.1-0.2% of spam (2-87 messages).

If you have anything else in mind, drop me a line (email works). Note that Telstra's pretty much in the same boat as most mainstream ISPs. Given Oz is a moderately-sized, but advanced, economy, and Telstra's got a monopoly on network services, it's not entirely surprising that the share is up there.

Again, Spamhaus provides per-ISP stats, and might be a good place to start your research. I see one current ROKSO listing. And there's a current news item, Follow Australia describing progress in killing AU spam. Though other initiatives with Savvis and China have produced few tangible results.

Details... Well, they're floating around a fractional percent to nearly 6% of spam, by month. I label mail by ASN as I report it to news.admin.net-abuse.sightings, so you can search for ASNs 1221 and 4763 there. Bounces around a lot. July was about the worst, since it's been about 0.1-0.2% of spam (2-87 messages).

If you have anything else in mind, drop me a line (email works). Note that Telstra's pretty much in the same boat as most mainstream ISPs. Given Oz is a moderately-sized, but advanced, economy, and Telstra's got a monopoly on network services, it's not entirely surprising that the share is up there.

Again, Spamhaus provides per-ISP stats, and might be a good place to start your research. I see one current ROKSO listing. And there's a current news item, Follow Australia describing progress in killing AU spam. Though other initiatives with Savvis and China have produced few tangible results.

Spam received by ASN. Not entirely current ATM, but recent.

For the past year, about 15% of all spam I see comes out of AS4766 - KORnet. The of the top 4-5 rest bounce around Chinese IISPs, Telstra, SBC, Tiscali, AT&T Worldnet, and account for 25% of all spam received. The problem is highly concentrated.

You can also check postings to NANAS (news.admin.net-abuse.sightings). Or just check at Spamhaus for ROKSO spammers and their ISPs.

Unfortunately, for some people (and the ISPs they run), there is no shame.

Looks like not only do they have multiple Spamhaus SBL listings including a few repeat offenders, they're under a SPEWS Level 2 (monitor, don't block) advisory.

Well, according to the article and other sources ALTRIKS is doing some illegal things... such as harvesting email records from whois queries and installing malware on people's computers without their express permission. If the president authorized these actions, that would indeed make him a criminal.

Now and if this is all wrong and all of the sources (including Spamhaus and ALTRIKS OWN WEBSITE) that list ALTRIKS illegal operations is just part of a massive campaign by the defendant to defame ALTRIKS, then I'm fine with the defendant being penalized. Then he would also be able to get busted for hacking into ALTRIKS own web site.

The company making the charges is listed on ROKSO and SPEWS and sparked similar controversy with a Slashdot article last year. The defendant, Jay Stuler calls it a "frivolous lawsuit designed to harass and intimidate" and is asking for PayPal donations to help him fight it. More at Spamfo and DSL reports

Ergh, "SpamHaus tidbits" should read: SpamHaus has a few interesting tidbits about this guy.

Episode V

The Spammer Strikes Back

It is a dark time for the Internet. Although Spamford Wallace has been shut down, Atriks spammers have driven the irate users from their inboxes and pursued them into court.

Evading the dreaded Distributed Mail Corporation, a group of freedom fighters led by Jay Stuler has established a new secret base on the remote ice world of Ohio.

The evil lord Darth Haberstroh, obsessed with harassing young Stuler, has dispatched thousands of spambots into the far reaches of the Internet...

I was considering blocking the entire IP range for the US, since I never get anything other than spam from there.

Not surprising, since they account for more than 50% of all spam, according to spamhaus.

D3CR.E4SE Y0.UR SP4M BY 0V3R 5O%!
ASK US HOW!

Whatever are you on about? InteNAP isn't even in the top 10 spam hosting ISP's. They don't tolerate spammers on their network as a general rule.

On the other hand they aren't going to boot a customer just because some crank complains about getting a commercial email from that customer. It does happen too. I've seen people sign up for a product newsletter. Confirm the subscription and then complain that the newsletter was spam to every single place they could possibly think of reporting it.

For contrast compare them to MCI, XO, or Above.net. All of those providers are far more spam friendly.

sounds like all the fucking spammers they host overtaxed spammer-nap's power resources and brought it all down.

Seriously though, spammer-nap is a massive spam haus, see for yourself

And before the usual trolls roll in to claim that most of the spam is from China and whatever:

Top 10 Spammer Countries

If you're too lazy to look, the US is 1st with over 3 times the score of the 2nd place, which is indeed China.

Culprits?

http://www.spamhaus.org/rokso/

We have unique WHOIS addresses and a lot of the spam comes from here but also from website scraping.

You can also see the source of SPAM migrate around the world, as new lists are produced and the old ones sold on. Our oldest unique addresses now receive almost all their SPAM from Asia in non English Languages.