Slashdot Mirror


Spam Slows AT&T Email

jonerik writes: "MSNBC has this article about AT&T's frustration with the increasing quantity and sophistication of spam traffic. As has been noted here already, much of it these days is originating from Asia and, according to the article, 'now represents 20 percent of all e-mail floating around the Internet.'"

12 of 272 comments

  1. duh, challenge response! by tomstdenis · · Score: 2, Informative

    Steps in curing email spam

    1. Close all open relays. That way the route of email is from your ISP to their ISP. [well at least as far as SMTP is concerned]

    2. Use a HashCash like system.

    3. Actively deny connection from IPs that try to connect more than N times in L seconds.

    Duh...

    --
    Someday, I'll have a real sig.
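
A sketch of the "HashCash like system" from step 2 of the comment above, as an added example that is not part of the original post or of the hashcash tool. It assumes a version-1-style stamp layout (`1:bits:date:resource:ext:salt:counter`) with a hex counter, a fixed salt so the run is repeatable, and constructed addresses and dates.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp_work(stamp: str) -> int:
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())

def mint(resource: str, bits: int, date: str, salt: str = "constructedsalt") -> str:
    """Sender side: brute-force a counter until the hash has `bits` leading zero bits."""
    prefix = f"1:{bits}:{date}:{resource}::{salt}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if stamp_work(stamp) >= bits:
            return stamp

class StampChecker:
    """Receiver side: one SHA-1 per message, plus a set of already-spent stamps."""
    def __init__(self, address: str, min_bits: int, valid_dates: set):
        self.address, self.min_bits, self.valid_dates = address, min_bits, valid_dates
        self.spent = set()

    def check(self, stamp: str) -> str:
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
            return "malformed"
        claimed, date, resource = int(fields[1]), fields[2], fields[3]
        if claimed < self.min_bits:
            return "too cheap"
        if resource != self.address:
            return "wrong recipient"   # stamp was minted for a different mailbox
        if date not in self.valid_dates:
            return "expired"
        if stamp_work(stamp) < claimed:
            return "invalid work"      # claims more zero bits than the hash has
        if stamp in self.spent:
            return "replayed"          # one stamp pays for one message only
        self.spent.add(stamp)
        return "ok"

if __name__ == "__main__":
    s = mint("alice@example.org", 16, "020101")   # constructed recipient and date
    print(s, StampChecker("alice@example.org", 16, {"020101"}).check(s))
```

Minting costs the sender about 2^bits hashes per recipient, while the receiver spends one hash per message; that asymmetry is what prices bulk sending.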
  2. Spam Assassin, netblock ORBS by Cally · · Score: 5, Informative
    The most recent Need To Know has a good piece on Spam Assassin which uses a clever points-weighted rulebase and apparently has an excellent accuracy rate. What's more it comes with an ISP-friendly daemon mode. Presumably AOL would have some scalability issues, but I'm sure this is a fixable problem.

    The other possibility is a net-block equivalent of ORBS. Some on the Sec-Focus Incidents list (and other fora, over the years) have bounced around the idea of blocking netblocks whose POCs don't work, or who don't have or respond to mail to the RFC-mandated abuse@, security@, hostmaster@,.. standard mail accounts. I'm all in favour. Automate probes, the way ORBS did for anonymous relays. I think this would be a Good Thing. People do have a legitimate need to communicate between Asia, America and Europe: simply dropping everything from .kr is evil and wrong, IMHO.

    Finally - y'all know that anonymous HTTP proxies are just as bad, if not worse, than traditional open mail relays? Just testing ;)

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  3. Re:Any open relay honey traps? by digitalsushi · · Score: 3, Informative
    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  4. Re:Spam from Asia? by Teun · · Score: 3, Informative
    I'm afraid I have to agree, it might have been sent from / through Asian servers but the products advertised are near exclusively American. And for the largest part useless and/or unobtainable here in Europe.

    What the rest of the world needs is legislation (not only!) in the US against those trying to sell via this irritating system.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  5. spam from asia, content from usa by steadph · · Score: 2, Informative

    The reason for the spam is because of the prepaid internet access common in Asia! You buy those prepaid cards, in malls, and you are totally anonymous if you buy in cash. As discussed here, the spam therefore comes from Asia, but the content of the spam is from the US.

  6. AT&T, other ISPs should take advantage of this by Silas · · Score: 5, Informative
    I hope that AT&T tells their customers exactly what happened: "your mail was delayed because of spam". This is just the kind of incident that would help educate the masses that spam is a very real problem that needs immediate attention.

    I agree with the other posters who note that the economics of Spamming need to be reversed in order to stop it, but I think that, even before that, public opinion needs to be swayed such that it is perceived as a significant problem worth addressing all over the place, not just at one ISP or for one open relay. A lot of people have just gotten used to ignoring/deleting 5, 20, 100 spam messages per day. "It's just part of using the Internet, right?" This needs to change. When things like the AT&T congestion happen, they should be used to get the public a little more outraged.

  7. Re:Not a problem by Anonymous Coward · · Score: 1, Informative
    Set my wife up with an email address with our dsl provider swbell.net. Sent one message from her account to my work account. Spam started flowing immediately. We didn't do anything idiotic, except maybe use swbell.net

    The address wasn't sniffed at the work end -- a tier-one ISP definitely not involved in address harvesting. Entirely unlikely it was sniffed on the backbone itself. That leaves swbell.net as a prime suspect in selling email addresses of their subscribers. At best, their infrastructure allows others to harvest the traffic, and that's hardly excusable, either.

  8. Korean Spam is the Worst by Nova+Express · · Score: 3, Informative
    I think, if anything, the article understates the Asian Spam Problem. Over half of the Spam I get is from Korea, and 90% of that is Korean language spam. I have complained literally hundreds of times to the various Korean Spam domains involved (kornet.net is the worst, but hananet.net, thrunet.com, and dreamx.net aren't far behind), to every "official" e-mail address I could find or think of (see below), all to no avail. In fact, the amount of spam actually increased. If any Slashdot readers actually speak Korean, you might send e-mail to the following addresses and let them know that their spam problem is so bad that the rest of the Internet is in the process of blocking all e-mail from all of Korea in response to their sins.

    Kornet.net (the biggest offender)


    Itnsoft.com (the #1 spamvertised Korean domain)


    DreamX.net (Korean porn spam, mostly)


    Thrunet.com


    hananet.net


    KIDC.NET


    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  9. Re:Not a problem by erroneus · · Score: 3, Informative

    I beg to differ with you on many points:

    FIRST! Filtering at the receiving end is not the answer... at least not the whole answer and doesn't address all the other problems. The filter does not prevent the use of bandwidth!! It merely prevents the packets from being processed beyond initial reception and inspection. So the bandwidth is still being eaten.

    SECOND! As another reader/writer has commented, in order to own an internet domain, a valid email address MUST be supplied. This is completely unavoidable. And simply being 'vulnerable' is not an excuse or justification for someone else to unfairly exploit your resources!!!

    I also use ATTBI but I don't use the email service they provide. I guess it means I don't get the updates, bulletins and other information but aside from having essential connectivity, I get my services from elsewhere. I'm very happy with that arrangement.

  10. Nevermind Open Relays Old Version of Formmail by doon · · Score: 2, Informative

    Got hit with this a couple days ago. Hmm, Why am I (postmaster) getting 400 bounce messages from one of our webservers? (we are an isp).

    Start digging through the logs and find an automated tool is using an old version of formmail that one of our users had installed. Seems like a spider found that it was a formmail cgi and tested it and found it to be vulnerable, so it sent e-mail to an aol box. 4 hours later what appears to be a Windoze program using the Microsoft URL Control is sending tons of messages through this formmail cgi, bypassing any rules we have set up in the mail server for dynamic blackholing of people that send too many messages or messages with too many invalid to's in the header, 'cause it came from a trusted host.

    Besides the fact that I was pissed, I was intrigued. That was pretty slick, once you start closing down one way for them to spam they keep coming up with more.

    On a side note we have found that if you simply strictly follow the RFCs you cut back a lot of mail you accept, and also doing a reverse DNS lookup, just to make sure their IP resolves to something, helps a lot. By turning on reverse DNS lookups and not accepting mail from IPs that don't resolve, we drop about 68K messages a day.

    --
    To E-mail me, replace the first period in my domain with an @
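
The comment above describes mail-server rate rules being bypassed because the abused formmail CGI runs on a trusted web host, so the burst has to be caught in the web server's own logs. This is an added detection example, not code from the original post: the log lines are constructed (documentation IP ranges, invented date), and the `/cgi-bin/formmail.pl` path, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: ip, timestamp, request line, status, size, referer, agent.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
FORMMAIL = re.compile(r'/formmail(\.pl|\.cgi)?(\?|$)', re.I)

def find_formmail_bursts(lines, limit=5, window=timedelta(seconds=60)):
    """Return {client_ip: user_agent} for clients exceeding `limit` formmail hits per `window`."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not FORMMAIL.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits that have aged out of the window
            hits.popleft()
        if len(hits) > limit:
            flagged.setdefault(m["ip"], m["ua"])
    return flagged

def _line(ip, hms, method, ua):
    """Build one constructed combined-format log line (not real traffic)."""
    return (f'{ip} - - [20/May/2002:{hms} +0000] "{method} /cgi-bin/formmail.pl HTTP/1.0" '
            f'200 512 "-" "{ua}"')

# Constructed sample: one spider probe, one legitimate form post, then a scripted burst.
SAMPLE_LOG = [
    _line("198.51.100.7", "10:00:00", "GET", "spider"),
    _line("192.0.2.10", "11:30:00", "POST", "Mozilla/4.0"),
] + [_line("203.0.113.5", f"14:00:{s:02d}", "POST", "Microsoft URL Control") for s in range(8)]

if __name__ == "__main__":
    for ip, ua in find_formmail_bursts(SAMPLE_LOG).items():
        print(f"formmail burst from {ip} (agent: {ua})")
```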
  11. Spam email - denial of service by Anonymous Coward · · Score: 1, Informative

    The article notes that AT&T uses Brightmail spam filtering, and the Brightmail systems were overwhelmed by the quantity of spam mail. I've had a similar experience.

    I have a Verizon DSL account and they recently added Brightmail spam filtering. All spam that Brightmail detects goes into a special "folder" - inaccessible to POP3 clients but available via their webmail interface. Nice feature, eh? You would think so. But:

    The spam builds up in this folder until it grows larger than your 6MB email quota, at which time all mail to your account is returned to sender with a "server quota exceeded" error. You, as the user, never get notified. You simply stop receiving email. For those of us who never use the web mail interface, it is a confusing and frustrating problem.

    My spam folder fills up once every 2-3 days, requiring me to access the webmail interface and clean it out. And no, there is no way to turn this feature off. Thank god for cron jobs and wget, or I'd be forever tied to my computer... I have a cron job that hits the web site, logs in and deletes the mail for me every evening.

    I've written to the Office of the President at Verizon to tell them what a stupid feature this is. Either allow us to turn off Brightmail filtering, or don't count the spam mail against our quota. One month later, no response at all from Verizon.

  12. Re:Blocking port 25 by CrimsonDeath · · Score: 2, Informative
    That's not completely true. Most ISPs that block outgoing port 25 allow you to relay mail from any domain through their mail server.

    At least that's what my ISP does. I have to set up my sendmail to smarthost through my ISP's mail server, and it works fine.