Domain: spews.org
Stories and comments across the archive that link to spews.org.
Comments · 169
-
Baby/bathwater ratio
And how would anybody find out how much of the baby is being thrown out with the bathwater?
Easy - go through your mail log and collect a representative sample of IP addresses that connect to it, then write a perl script to check these against the list. Net::DNS::Resolver is your friend.
This is exactly what we did when we were deciding which DNSBLs to use. In the end we went with ORBZ inputs and SPEWS. There were some discrepancies in the relays.osirusoft.com zone, however, which prompted us not to use it.
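The measurement this comment describes, as an added example (not the commenter's script, and in Python rather than the Perl it mentions): pull connecting IPs from a mail log, query each against a DNSBL zone, and count how many known-legitimate senders the list would reject. The log lines, the zone `dnsbl.example.org`, the `known_good` set and `demo_resolver` are constructed placeholders.

```python
import ipaddress
import re
import socket

# sendmail-style logs record the connecting host as "relay=name [a.b.c.d]".
RELAY_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 sources never appear in a public DNSBL; skip them.
SKIP = [ipaddress.ip_network(n) for n in
        ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_client_ips(log_lines):
    """Unique routable IPv4 addresses from the log, in first-seen order."""
    seen = {}
    for line in log_lines:
        for text in RELAY_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:  # not a valid address, e.g. [999.1.1.1]
                continue
            if not any(ip in net for net in SKIP):
                seen[str(ip)] = None
    return list(seen)

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if listed, False if not, None if the lookup itself failed."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as err:
        return None if err.errno == socket.EAI_AGAIN else False
    # Listings answer in 127.0.0.0/8; other answers (wildcarded zone) are not hits.
    return ipaddress.ip_address(answer) in SKIP[0]

def collateral_report(log_lines, zones, known_good, resolve=socket.gethostbyname):
    """Per zone: sample size, hits, and hits on known-legitimate senders."""
    ips = extract_client_ips(log_lines)
    report = {}
    for zone in zones:
        hits = [ip for ip in ips if is_listed(ip, zone, resolve)]
        report[zone] = {"checked": len(ips), "listed": len(hits),
                        "good_listed": sorted(set(hits) & set(known_good))}
    return report

ZONE = "dnsbl.example.org"  # placeholder zone; all data below is constructed
SAMPLE_LOG = [
    "Sep 29 10:01:02 mx sendmail[411]: from=<a@example.net>, relay=h1.example.net [203.0.113.7]",
    "Sep 29 10:01:09 mx sendmail[412]: from=<b@example.com>, relay=mail.example.com [198.51.100.20]",
    "Sep 29 10:02:30 mx sendmail[413]: from=<c@example.org>, relay=mx.example.org [192.0.2.55]",
    "Sep 29 10:02:41 mx sendmail[414]: from=<d@example.lan>, relay=pc10.example.lan [192.168.1.10]",
    "Sep 29 10:03:12 mx sendmail[416]: from=<f@example.net>, relay=h9.example.net [192.0.2.99]",
]
FAKE_ZONE = {  # stands in for DNS so the example runs offline
    "7.113.0.203." + ZONE: "127.0.0.2",
    "20.100.51.198." + ZONE: "127.0.0.2",
    "99.2.0.192." + ZONE: "203.0.113.1",  # bogus non-127 answer
}

def demo_resolver(name):
    if name not in FAKE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")
    return FAKE_ZONE[name]
```

Calling `collateral_report(SAMPLE_LOG, [ZONE], {"198.51.100.20"}, demo_resolver)` reports four addresses checked, two listed, one of them the known-good sender; omit the `resolve` argument to query real DNS instead of the stub.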
-
It sure did for us
I consult with a small ISP in Kansas. We started using MAPS' DUL and RSS quite a while back (zone transfers). Then I added the ORSS (zone transfers) which also gave me SPEWS, Spamhaus Block List (SBL), and SpamSites.org. When MAPS went commercial, we bought zone transfer rights to the RSS and DUL. About that same time I also added RSL, Summit Blocking List (SBL), and FlowGoAway who doesn't have a website. On top of all that I also reject mail from domains that don't resolve and I maintain an extensive Sendmail access list full of Alan Ralsky's domains, spam supporting providers like Broadwing, spamware vendors, and domains and IPs of every spamming outfit I come across. In total I'm up to 4682 entries. Oh, and I also filter message bodies on certain content that identify unique pieces of spam like all those "Enter your email address on this website to be unsubscribed" things. Works great. This time last year I was filtering maybe 10,000 pieces of spam per week. I'm over 100,000 pieces of spam per week now. Considering we only have 2500 users, that's a lot of filtered spam. Roughly 40 per person per week.
What all of this rambling means is that you can filter out a great deal of spam with the right DNS blacklists. I only use DNSbl's that allow zone transfers because I don't want network latency to slow down mail delivery. It really is a worthwhile thing to do.
Finally the best thing that you can do for your users is educate them. Give them very clear examples of how doing simple things like giving your personal email to a credit card company, entering it in a guestbook, using it in USENET, using it on any public discussion board, and many more can increase their spam intake many fold. Explain that to them. Show them the proof. It's not hard to generate spam. Hell create a dummy account and make a few posts in the newsgroups. Never give the address to anyone else and don't use it yourself. Give it a week. Then show the results to your users as proof of USENET address harvesting.
Finally, don't be part of the problem (this is to the parent of the article). Be proactive in fighting spam. Sitting back and bitching about it doesn't help anyone. If you put up a server that's an open relay then you fucked up. It's your responsibility as an administrator to make sure you do your job right. Putting up an open relay isn't doing your job right (are you listening all of you damned Exchange admins?! 90% of the open relays I find and report are running Exchange!!!). When you get spam, report it (called LARTing). Drop a copy to uce@ftc.gov. Report stock spam to the SEC. Report bogus drug scams (lose 100lbs tonight while you sleep!) to the FDA. Report Nigerian money scams to the Secret Service. Report the spamvertised sites to their providers and ask that they investigate (don't accuse in case it's a Joe Job). Parse through the headers and learn to identify relayed spam, BS headers, and other tricks of the trade. Submit open relays for listing in all the open relay blacklists. Report it to the owner of the IP as well. DO YOUR PART! If you're not going to do your part to fight spam or ensure that your servers are properly configured, THEN GET YOUR SERVERS AND YOUR ASS OFF THE 'NET BECAUSE YOU DON'T BELONG IN THIS COMMUNITY!! Don't be part of the problem.
-
No, Spam is the problem! (Re:SPEWS is the problem)
Here is the real bad thing about this. Spews blackholed a /18 when in fact this ISP only had a /19. I contacted a maintainer of one of the RBL's that utilizes SPEWS and gave him a heads up that not only is this listing in error but Spews has blocked an additional 32 class C's that belong to another ISP.
WARNING - BS METER: 75%
As a usenet spam newsgroup reader and a Spam-l list member, I think their listing of a /18 or /19 that contained thousands of legit, not spamming users would have been and still would be big news. I haven't seen anything.
I informed him of a possible liability for such a mistake. He did not want to hear it and pointed me back to the news groups.
WARNING - BS METER: 85%
Why yes, he probably decided that taking legal advice from you about "liability" and whose email packets he was required to carry was total foolishness.
Seems that he was nice enough to contact the guys at spews as the /18 changed to a /19 but my client remains blacklisted to this day.
WARNING - BS METER: 95%
Everyone knows there is no way to contact spews. Known for months in the newsgroups, posted on their site.
In reality it has not been a huge problem for them as I think even the hard core anti-spam advocates have distanced themselves from spews.
WARNING - BS METER: 100% }}} TROLL ALERT!!!!!!!!!
Hah, hello troll. The hard core anti-spam advocates who make up Spam-l, the "news.admin.net-abuse.email" newsgroup, etc., have come to love spews and the effectiveness of these lists in general.
Methinks this troll could also be a spammer.
-
Info on SPEWS
SPEWS
And his FAQ
And no, I'm not in for the karma, it's just that I wanted a link, maybe others too.
-
Ooh, a slashdot story on spam
Let me summarise:
Spam is Free Speaaech (A Troll)
No it isn't (Baittaker543)
No more government regulation (aynrand666) All problems have a technical solution. Just hit delete.
Yes it is (Anonymous Spammer) 30 post thread snipped
My webserver got RBL'd (warfire) So I've come here to cry instead of ditching my low-file ISP. Your technical solutions are no good.
I know more than you do (karmawhore23) I am cleverer than you.
-
Re:*sigh*
> One would think that spam should be traceable back to the source. Email server keeping track of the IP and time, server giving out the IP keeping track of who used the IP at the time. Then it would be likely that people could complain and get the IP to block said person.
In many cases, it's easy to trace the spam back to the ISP from which it was sent, or to the ISP that's hosting the spamvertized website.
The problem comes when the spammer's ISP is unresponsive, either because they don't give a fsck about the problem, or because they're being paid well enough by the spammer.
SPEWS presents an interesting solution to the problem. In a nutshell, networks that harbor spammers get listed, and you can configure your mail server to use that list to refuse traffic from spam-harboring network providers.
The more people that use services such as SPEWS, the more likely it is that large, unresponsive ISPs (you know who you are) who also happen to have legitimate customers will receive mail from those customers saying "Hey! Clean up your act so people stop rejecting all mail from your customers! You've got real customers to service, not just spammers, you know!" and will be forced by market necessity to take their network abuse problem seriously.
If you're a user of one of these networks, and don't like the fact that some of your mail now bounces, look at it this way. You're living in a crackhouse, and your landlord is doing nothing to solve the problem. We're tired of dealing with your neighbors' rusty needles and used condoms. If your landlord won't clean up the building because he'd rather have a crack dealer's protection money than your rent, maybe it's time you moved somewhere civilized.
-
Re:Somethi-N-g most forget
"Have a place to submit spam incidents, such as a web form. Then process them to look for patterns."
Have you ever tried to run more than a handful of LARTS through a web form? It's a nightmare. I have 1200 pieces of Broadwing.net spam that I need to LART tonight. I don't know how I'd LART all of them via a web form.
Patterns aren't something that the average Joe would pick up on anyhow. Few people noticed that recently more and more spam uses a spoofed From: in the form of BSUser@yourowndomain.tld. If they do want to look for patterns, they could easily view thousands of spam reports in news.admin.net-abuse.sightings. Numerous people post their spam to it.
"Provide separate zones for blocking sources of spam, and blocking web sites and ISPs where spammers might be hosting a web page. Not everyone wants to block the latter; I only want to block the source of spam."
Many DNS blacklist authors do just this. MAPS is a good example. You have the DUL which lists dial-up IPs only. The RSS which lists known && abused open relays. The RBL contains ISPs that are known to harbor spammers or at least be neutral to their abuse and ignore abuse complaints. The RBL+ is a combination of those 3. All 4 of those are their own zones. SPEWS lists /24's from which spam originates. Occasionally they'll even list a whole provider that harbors spammers or spamware sites, repeatedly lies to people that mail abuse@, or are known to bit bucket abuse complaints. relays.osirusoft.com hosts many lists. Individual queries can be made for any of the lists it hosts or you can transfer them all at once in a big zone file. relays.visi.com is the home of the RSL. It only lists open relays that have been abused, like the RSS and relays.osirusoft.com's base DNSbl. blackholes.2mbit.com is the home of the SBL (Summit Block List), not to be confused with the SBL (Spamhaus Block List) which is hosted by osirusoft. The Summit Block List contains abused open relays and hosts that have been directly involved in spamming. The Spamhaus Block List contains "known spammers, spam gangs, or spam support services" and is "by the same team that maintains the ROKSO database", a list of those spammers.
"Some anti-spammers are on a crusade to maximize collateral damage. I am not. I won't block a whole ISP because of a spammer unless that ISP is making it difficult to isolate and focus on the spammer."
In a small way I agree. I used to feel like you do now. I was very leery about blocking an entire ISP just because of the possibility of losing legit mail. I quickly came to realize that blocking just a small piece of that ISP that's known to spam wasn't solving the problem. They'd just move elsewhere within that ISP.
"If they corner the spammer operation to a specific static subnet, I'll gladly block that, and I'd want to use a DNS blacklist that is equally focused."
This doesn't accomplish anything in the long term and little in the short term. Sure you block some spam from a spammer for a couple of weeks but they'll quickly figure that out and move to another block. If the ISP facilitates their move then they are supporting spammers. It's an all or nothing deal. You can't have your cake and eat it too.
Personally I block entire ISPs myself, in my personal access lists that are independent of group maintained DNS blacklists, that are known to harbor spammers and ignore complaints. A perfect example of this is Broadwing.net. I have blacklisted every IP they have registered to them. That includes 3 /14's, a /24, and a /28. That's a lot of IPs. I have never seen anything but spam come directly from them. They harbor Alan Ralsky and many other well known spammers. They ignore spam complaints. They simply don't care. Whenever I LART their spam, I also LART their upstreams because I believe someone there will eventually notice. I know that no one at Broadwing will.
"Some of the anti-spammers are on the wrong crusade and not very many people will follow them."
This I have to strongly disagree with. I've been involved in protecting my resources from spam for some time now and have implemented many steps to prevent as much spam from entering my system as possible. I reject just under 1400 known spamming domains. I also reject all mail from a number of providers that harbor spammers as well. I utilize all the lists hosted by Osirusoft, relays.visi.com, blackholes.2mbit.com, and I'm in the process of resubscribing to the RSS and DUL. I even do some filtering on message content which has been incredibly successful. Last week I rejected almost 96,000 pieces of spam on one of my servers. That's pretty darn good. Of the 2400 users on this particular server, I've only had complaints from 3. 3 of them couldn't receive mail from a particular person on the 'Net that was being filtered by me. 1 was on an osirusoft list. 1 was attempting to send mail through their mailing list that's run by cybercon.com (a known spam supporter) and mail to subscribers on our end was bouncing. The other was a customer of a customer of Broadwing's. After explaining to them that we couldn't selectively allow mail to just them from the affected host and that we'd have to allow all mail to them unfiltered, they decided to suffer from more spam than miss out on their friend's email. One has changed his mind though. The rest seem to love it. The best advice I can say to you is to keep an open mind about these lists and what they do for us. Not every list is meant for all situations. I personally don't want to use the RBL. In the beginning I was leery about SPEWS. The rest I like. Join news.admin.net-abuse.email and keep up with some of the conversations of the anti-spammers that reside there. A plethora of information and insight can be had with them (I'm there too). Good luck!
-
Re:Best way to fight back.
here's an idea... would this work? set up a service somewhere so people could submit e-mail addys and ip addresses from spammers. then we could all block those individuals. perhaps this is already done... and perhaps it won't work.
Already done. Check out MAPS and SPEWS.
These systems are primarily designed to be used at a server or router level. However with a bit of work, you can integrate them into procmail.
-
Re:what about joker
Myself and many other anti-spammers have found joker.com to be completely unresponsive to spam complaints regarding domains they register. It would be irresponsible to support spamming services. It would be irresponsible to see someone drop their wallet and not tell that person. It would be irresponsible to witness a crime and not report it. It's not irresponsible to choose to not do business with a registrar that may not directly support a spamming service but doesn't do jack to stop it after it's been reported. It's a choice. You're the type of person to be against SPEWS that lists pro-spam ISPs in a DNS blacklist. You're probably the type of person to not support *any* blacklist. You're probably like a few of my users that want 80 extra pieces of spam in their inbox every week and ask me for unfiltered email. All I can say is happy pressing the D button.
-
Re:SPEWS is not any better than MAPS
I just wish I had the resources to build a better system. I know what to do to make it; I just don't have the cash to put it together.
Damn, you're one poor bastard ain't you? Looks like their site is a few webpages and an IP lookup that finds spamming ones. Yep, must have cost them millions.
You may be a bit schizo too... just a few weeks ago you were asking how to USE that system! Or is there some other Phil Howard at "linuxlamepage.com?"
Sorry to be rough on you, but I just detest the people who post here saying, "oh, I could do a much better job if I had the s/time|money|resources/brains." Ever heard of put-up-or-shut-up?
Reading the SPEWS site it seems they have different levels that generate differing amounts of "collateral damage," this is already a better idea than the MAPS one-size-fits-all system. I for one would have liked to have Media3 (*spit*) blocked but have kept Peacefire out...
-
Re:(Note: Assumption being made)
Probably the subnet. Although MAPS seems to have unlisted it, SPEWS is still listing it. See the file here.
-
"And there is nothing new under the sun..."
I think it's worth noting that this is just another opt-out bill, giving each spambag his one bite at the apple.
Well, you let enough people take their bite, and you don't have any apple left for yourself. All the bill requires is contact information and some sort of remove link.
Just about every spam has some sort of contact, although that contact is the spam's payload. It's the toll-free phone number that you call to order the toner cartridges. It's the website that you visit to order the herbal viagra. It's the Post Office box that you use to piss money away on useless "credit repair" scams. Or it's the drop-box address on Yahoo/Hotmail/Netaddress/whatever to request more information on the laundry balls.
And the people who trust remove lists are either naive or not very bright. Spammers are well-known for using them merely to harvest more addresses to sell. Why would anybody trust them? You might want to look into Rodney Joffe's SafeEPS system. It was intended to be a remove list developed by a known and trusted anti-spammer, and the DMA pretended to be interested. Joffe offered to sell it to the US Direct Marketing Association for one dollar-and the DMA refused. They make their money by forcing their spew on people. Taking away their ability to market to people who don't want it takes away their reason-to-be. SafeEPS, of course, died after that. No spammer is going to use it.
If the gentleman from Texas wants a legitimate spam bill, he needs to think more in terms of opt-in. Opt-in means no marketing email unless you actually REQUEST marketing email. In other words, the whole thing goes only with the permission of ALL of the people involved. Considering that the recipient has to pay to receive the crap, it seems only fair that he should decide just what gets sent to him.
Or we could do something even more sensible and leave Congress out of it. MAPS had something going with their RBL. They're dying now, under the weight of frivolous but expensive lawsuits and a very questionable settlement with Exactis/Experian. However, SPEWS seems to be taking their place. Those two organizations, SPEWS in particular, are doing more to fight spam than even the best new law could hope for.
But the bills referenced in the article above? Somewhere between useless and worse-than-useless.
-
Re:simple solution..
Already done. And you know what is funny? Because of the sue happy nature of the common or garden-variety spammer, the people compiling the blocklist are anonymous and will remain so. The only way out is to stop spamming.
Granted, it smacks of vigilante justice to some, but it works. See this for an example.
Mart
-
Re:Big debate
Hmmm, the way I read the RFCs, Abuse@ and postmaster@ should accept mail if the system has users who use mail. Reading the spews.org site, it seems they don't communicate via email at all.
Ponder: If no one is sending, must anyone be listening?
-
Re:Overblow, over-hyped.
Does anyone know a major site that actually _uses_ spews? I couldn't find one.
I couldn't find any statements (definitive or otherwise) from any big players saying that they are using SPEWS. However, by looking at the reports in news.admin.net-abuse.email and the bounce messages that I asked to be forwarded to me I think the two largest users of SPEWS are:
Pacific Bell - a large telecom on the US west coast.
Outblaze - a mailbox outsource company which handles mail for such sites as Mail.Com (a free mailbox provider).
-
Seems to be fixed already
From http://spews.org/news.html :
[29/Sep/01] OptusNet listing removed
Optusnet.com.au, reports they have shut down the dynamic-DNS spam service run by the Dean Westbury gang on their network. In response, the SPEWS listed network addresses were removed from the list.
-
Re:Does anybody recognise this ?
Why yes, yes I do.
Blocked from mailing by anti-spam lists
Someone adopted the spammer as a "personal pet"
Now what'cha going to do!? I have ideas, but they all may be illegal.
;-)
-
Re:Oh, great...
Maybe in this case the slashdot effect will do some good for the world....
One can hope. Until then, use the SBL to block them:
http://spamhaus.org/sbl
I've been dreaming about setting up an anti-spam program and service (free, I hope) that would use real-time reporting like MAPS/ORBS and user feedback like spamcop. The idea would be to keep a near-real-time updated list of regexes which match all the recent spams but are highly unlikely to match any normal emails.
I wonder if anyone else is doing this sort of real-time-regex list?
This seems to be close:
http://spews.org
BTW, ORBS is dead and MAPS now charges larger users. There are many free ORBS-like replacements.
/.!