Walling off Asian E-mail to Prevent Spam

SomeoneYouDontKnow writes: "Seems there's been lots of spam news lately. This piece from Wired describes how frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world. As anyone who's ever reported spam to Asian ISPs can attest, getting a response of any kind is almost impossible, so some ISPs are simply giving up on receiving any mail from them. Setting up barriers like this is regrettable, but when the originating ISPs refuse to take responsibility for the actions of their users or close their open mail servers, there would seem to be no other choice. Has anyone ever had any kind of constructive conversation with one of these ISPs to see why they are unable or unwilling to do anything?"

Ban Asia???

[Markvs]

Sure, why not. Heck, I blocked France on principle!

I can't disagree more

[MicroBerto]

As the Ex-AbuseDesk admin at a local ISP, I must say that I wanted to do that VERY badly, but wasn't allowed to. There's simply no way to get a response from them. I have absolutely no qualms about cutting communication off from them. It's just so frustrating for EVERYONE.

On the other end, if many of those domains are in the Orbz or other blacklists, maybe just using those would be better.

Re:I can't disagree more

[Rogerborg]

• On the other end, if many of those domains are in the Orbz [orbz.org] or other blacklists, maybe just using those would be better

Do the reading. Despite the shrieking tone of the article, what we are talking about here is Spamhaus blacklisting China Telecom, not "all Asian ISP's". That's the entire story. And Spamhaus themselves suggest that their list should be used in conjunction with an open relay list.

Sadly, this is the only way to go

[InterruptDescriptorT]

I feel bad for the legitimate Asian users of e-mail trying to communicate with their comrades in the West, but it has been proven that this is the only way that ISPs will finally own up to the task of stopping spammers abusing the networks. Look what just the mere threat of the Usenet Death Penalty did to @Home--they have cleaned up their act significantly.

Strange as it is to say, this 'denial of service' is one that I think may actually have some future positive effect. The way the world seems to work is that no one will bother to do anything unless you threaten them with the loss of their service, and then they take action. Sad, but true.

Re:Sadly, this is the only way to go

[#if+0]

It may be necessary to eventually threaten those ISPs with being blocked, but still there are a lot of *constructive* steps that could be used to help the situation.

**Like actually bothering to translate your contact messages into various non-English languages. After all, when was the last time You, as a sysadmin, responded to an informative message to postmaster@your.org that was written in an Asian language?? I didn't think so...

Re:Sadly, this is the only way to go

[jedrek]

Like actually bothering to translate your contact messages into various non-English languages. After all, when was the last time You, as a sysadmin, responded to an informative message to postmaster@your.org that was written in an Asian language??

The international language of snail mail is French. That's why air mail is par avion. It's like that all around the world and no one really complains. If the admin knows enough to postmaster@ he knows it should be in english. English is *the* offical language of email. Just look at the headers, I don't see a 'Od: instead of 'From:' or 'Temat:' instead of 'Subject:'.

Admins speak english, you can't really be a good admin if you can't communicate with your computer and 90% of software - even software created in non english speaking nations - is in english.

jedrek

Filtering email

[johnburton]

Well blocking whole areas is a start, but not an ideal solution. I'm going to start filtering my email so that unless it meets one of the following conditions it gets rejected and sent back to the sender :- 1. The mail claims to be From someone I have pre-approved. 2. It's from a mailing list I've registered with. 3. It's sent To: a special purpose address within a couple of days of creating that address. (So I can post to newsgroups with addresses like jb10202 which will be valid for a couple of days for replies only) 4. The email contains a special approval code to bypass the checking. The purpose of 4) is that when I get an email that is rejected it will send it back to the sender with an apology and a 4 digit random code which is valid only for a single mail from that address and only for 48 hours. They can simply forward the mail back to me and it will contain the code and get through. I get *so* much spam, and 99% of my real email is from the same few address that I need to block the junk, and I think this scheme will annoy relativly few people, and not too much but should cut ALL the spam. I've not implemented this yet, but it shouldn't be too hard to write.

An interesting counter point...

[Amarok.Org]

I run a small mail server, mostly providing mailing lists to the automotive community. While my lists weren't affected (I have reasonable anti-spam rules in place), a server in Taiwan was spamming every address it could find in my domain with dozens of unique spam per day.

The usual ip tracing ensued and I tracked it back to a small ISP. Hoping that I would reach someone who spoke (or wrote) English, I sent a copy of my logs and an explanation to "postmaster@", "abuse@", "webmaster@", and any other address I could think of. Amazingly enough, after about 12 hours, I received a reply (in somewhat broken English) asking for more logs, and a confirmation of the time zone I was using in my logs (UTC, for what it's worth). After I replied, I received an appology that one of their "clients" had bothered me and assured me it would be taken care of.

To this date, I have not received another piece of spam that I have attributed to that ISP. I realize that this is the exception and not the rule, but I thought it was worth noting that there really are reasonable sysadmins "over there".

Re:An interesting counter point...

[CodeMonky]

what you don't know is that the client was hunted down and shot.

Remember UUNet's "Death Sentence"

[biomech]

The first parallel that came to mind was the "death sentence" proposed against UUNet a few years ago for their fostering spamming activity.

The action represented the response of a group of responsible internet members that had finally tired of both the activity and the lack of response from a greedy company who seemed to have no respect for bandwidth and privacy issues.

It seemed to work then and maybe it's just what's needed now.

It's about time that some of these ISP's discover what happens when the fecal matter hits the oscillator.

Constructive dialogs

[buss_error]

I turned in a complaint to hinet.cn, I think it was, about a system with Code Red banging away at one of my web servers. I included a snip of the web server log, along with a note that my servers are NTP sync'ed.

The response was "without full e-mail headers, we can't do anything."

Hmmm. It's not e-mail.
I am discussing with my employer the option of blocking all 202/8 203/8 210/8 211/8, all of Road Runner but the MX'es, *.cn, *.tw, *.ru, *.pl, and *.mx domains too. I don't know the ip range assigned to the domains, so if you do, post a follow up! (I have Road Runner netblocks, there are just too many to put them here.)

Screw Asia... I blocked Hotmail

[ellem]

in fact for a few months I blocked:

Hotmail
Yahoo
MSN
USA.net

When those folks learn how to close their relays and strip a virus then we can deal with the Asians....

I like this quote:

[mESSDan]

While some spam being transmitted by Asian servers appears to be sent by the locals, Western spammers are exploiting Asian mail servers and using them to relay mail.Many Asian systems often run old software or software that hasn't been configured securely or patched properly, experts say.

Well, if people can exploit the problem and get a response from the sysadmins saying "I can't do anything about it", maybe instead of us blocking their servers (quite easy to do), someone should put on a blackhat and go patch some of those holes. (This came up and was heavily discussed during the Code Red and Nimda attacks.)

I dunno, but I think a moral hacker would find it quite rewarding to screw up a spam creaters cash cow.

I have done my bit for mankind!

[doctor_oktagon]

In November 2000 I spent 1 month in Hong Kong sorting out the Spam problems one of the largest ISPs was having, in my job as security consultant.

The situation was dreadfull, with no abuse department and no way of detecting/stopping abusing customers, or even stopping customers being abused.

I killed 99% of the Spam by warning all customers we were testing for open relays, and offering to actually help them if they didn't know.

I then spent 2 weeks trying to configure about 30 different mail servers I had never even heard of, and one which didn't even return 1 result on Google!!

We got there in the end, especially once we firewalled port 25 for those customers who didn't want to listed.

The next step was to write belt-and-braces Terms of Service for the client and ensure the abuse@isp address was checked and actioned on a daily basis by a full-time member of staff. If abuse went unchecked, then we pulled the plug on the customer and banned them from coming back, or we'd prosecute (sometimes tricky in HK)

I *always* check who sends me spam, and I'm pleased to say none has originated from that ISP since I did my work there.

We tried to re-sell the solution to all other ISPs in the region, but they didn't bite due to a) expensive consultant fees, and b) not really caring.

I pointed out they were large ISPs who fully deserved their .net addresses, but were rapidly losing face amongst their peers for continuing to ignore the problems. *sigh*

okay, fine - so we block

[hrieke]

But what else can be done to solve this problem with China and other Asian countries?
I agree that the 'no response' from many of these places is frustrating, but has anyone offered to train[1] some of these people in setup and configuration of their servers?
Has anyone who is bilingual offered to translate the user manuals into Japanese, Chinese, or Korean?
Has anyone taken the time to explain to them that by lax secuitry / improper setup on the EMail server usually points to more problems with in their network?
Education is the answer to this problem, and we need to take the lead.

[1] Okay, it might be impractial to fly halfway around the world to train someone in server configurations just to stop spam, (although a cost /benfit analysis might prove otherwise if the volumn is extream!) but has anyone offered to train someone from Asia on this side of the globe?

Watch out with that scheme

[phr2]

I've been doing something like that for a while (periodically changing addresses for news posts). The trouble is that every address you use gets on spam lists and gets spammed forever. By having 100's of addresses, you get 100's of times more spam than you otherwise would. Even if you can filter it on arrival so you don't have to see it, it's still clogging your bandwidth and you can always filter a legitimate email.

I don't generate unique reply addresses per news post, but change addresses a few times a year. I have a bunch of old addresses that mostly get spam, so my filters dump incoming mail to them into a mailbox file that I look in every now and then. That's much less annoying than seeing the spam as it arrives, but still, it's better to keep the volume down.

I think I'll completely stop putting replyable email addresses on news posts. I'll just have a URL for my web site where people can leave me messages through a CGI. That lets me make another political statement too, since my web site runs SSL so any incoming messages I get from the CGI will be encrypted while in transit. We tell people to use ssh instead of telnet--we should also try to avoid sending email in the clear without a reason.

Re:Watch out with that scheme

[mjh]

I think you might be interested in using self destructing email addresses. I've just started using TMDA. You can set it up so that all outgoing email to someone that you don't know will generate a "dated" address. This address will be valid (by default) for 5 days. After 5 days, TMDA will automatically reject any email directed to it.

Other things you can do with TMDA include:

• Requring anyone unknown to you to send a confirmation
• Automatically adding all valid confirmations to your "known" list
• Generating sender email addresses, that will allow a specific sender (such as a mailing list) to send you email. No one other than that specific sender will be able to use a sender address
• Generating keyword email addresses. This is similar to what you're talking about already. Where you generate unique addresses, each of which will be allowed to get to your mailbox. But will also allow you to track who is giving out your email address.

TMDA takes a little bit of work to be able to understand what's going on, but once you get it set up, it's pretty effective.

Good luck.

Re:Setback for the net?

[Skirwan]

What about getting laws that say that unsolicitated mail is illegal?

That's brilliant! Then, we can make a law that outlaws terrorism! And then fascism! And rudeness, and poor driving, and taking the last donut! Hell, we could just make a law that outlaws 'being mean' in general!

And while we're at it, we should make it illegal to respond sarcastically to extremely simplistic solutions to complex problems! Yeah!

--
Damn the Emperor!

my ISP just did this

[option8]

the place where i colo is just now doing this after tracing the bulk of the spam coming into their own network from chinese ISPs and most especially china.com

rather than refusing email from the offending ISPs, they are going to the rather extreme measure of refusing connections entirely (at the router, i guess, though i'm not certain how the network is set up...) from the entire IP ranges of a number of the offenders.

so, now all my domains (and all those colo'd at my ISP) will basically be inaccessible to anyone in china. big deal. all the traffic i get from china is either spam or nimda requests. woo friggin hoo.

it has yet to go into effect, but i expect it will make a big difference in my monthly bills, as i pay for bandwidth, even if it's spam sent to people on my mail server.

as some folks are bound to say, it's more than a bit presumptuous to basically say "play by my rules or get off the field" where "my rules" are typically those of the mostly american, english speaking internet population, but in this case it's more a case of "play nice or go home"

Chinese ISPs need to think globally

[mblase]

The article says:

Some Chinese and Korean systems administrators said documentation for the software they use is often available only in English, which complicates securing their systems.

This is an honest problem, because it's not the the ISP's fault that they can't get native-language documentation for the software. But if they're running the software at all, it becomes their problem. Why would any responsible system administrator install software when he can't read the documentation? Educated English speakers aren't such a minority in the far East. It's the ISP's responsibility to hire them, or else get software documented in their own language.

Cultural issues also contribute to the problem. Many spammers in Asia say they do not understand why spam is a problem. "It's a sign of respect that someone sends you an electric business card. It means he wants you as a customer."

This is just willful naivete on their part. If they think that sending an electronic business card is a "sign of respect", that's fine. But they need to understand that in the West, unsolicited advertising is an overwhelming inconvenience and is not welcome by the vast majority. Cultural relativism swings both ways.

Piracy is free and open and common in the far East, which irritates Western corporations and makes poor Western college students and hackers giggle with glee. It's rampant and unpoliced because the notion of information ownership and copyright just don't exist over there. But here's the flip side to that coin: unrestricted dataflow from the West into the East also means unrestricted dataflow from the East to the West. As music, movies and software comes in, spam goes out. Like it or not, they're both travelling through the same door.

If the Chinese ISPs want to provide their people a gateway to the free world, then it's their responsibility to cooperate with how the free world works and act responsibly within that setting. If they don't, then they get blacklisted like this and lose their right to be a gateway.

SHOCK! HORROR! journalism

[Rogerborg]

• • frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world [says Slashdot]
  Anti-spam activists confirm that a growing number of beleaguered systems administrators are now blocking all e-mail originating from Asia from their systems [says the article]

Bollocks, says anyone reading it with a critical eye. There are no references or sources for this sweeping "all Asian email" statement. The single reference is to Spamhaus which implements selective listing of domains that persistently generate or carry spam and decline to respond to spam reports. Most of their listed ISP's are currently US based. There is specific mention of two Chinese ISP's, and none from any other Asian nation.

To make a story out of this, you have to cite metrics. The fact that Spamhaus are currently blacklisting China Telecomm no more proves that "the west" is blocking "the east" than a story about anyone temporarily blacklisting AOL (again) proves that there is some mass move to block "the west".

Without giving metrics, you're just providing anecdotes. Persuasive anecdotes, sure, that probably appeal to our personal experiences, but those are the most dangerous kind, because they stop you looking for the real story and asking the real questions.

The real question here isn't "Why do Spamhaus currently blacklist China Telecomm?" but "Why don't Spamhaus currently blacklist Roadrunner?" or any of another half dozen ignorant ISP's that deny that they are injecting spam even in the face of unequivocable header evidence. Perhaps we in the "west" (sweeping-generalisations-r-us) could go about cleaning up our own house before we go gunning for those coming late to the party.

Dealing with Chinese spam ;-)

[Ryu2]

As most /.ers should know by now, the Chinese government just ordered all ISPs in China to start monitoring
email for subversive phrases and the like, so just reply to
Chinese spam with little replies of the form at the end of this spam.
Might be a useful tactic on companies who think that unsolicited
email is "just regular advertising".

Bill

"Jack(export manager)" wrote:
>
> Dear Sir
> How are you .
>
> We are a lighting factory in China ,It is glad
> to introduce ourselves to you:
>
> I am XUBIN (Jack) , XUBIN is my chinese name , you can just
> call me Jack !! , I am export manager of [deleted] ,
> China, our group have four factory
[snipped]
>
> Here is our company profile :
>

[Rest of sales talk snipped]

(And now, the reply)

Thank you for your coded order. The weapons and ammunition
will ship by way of the usual route in ten days, and you
already know our secret Swiss bank account number to
wire the payment to.

It is a pleasure doing business with you for so long,
and I hope your cause will prevail. I am new to this
particular computer, so I hope the encryption is
working and the monitoring authorities cannot read
what I am sending you.

Long live the Falun Gong! Free Tibet!

Best regards,
Your arms supplier

When I contact a French ISP...

[lww]

they usually surrender right away ;)