Slashdot Mirror


The Measured Effectiveness of Blocking Asian Spam

fadden writes: "I recently started blocking IP addresses in China and Korea that were sending me spam. Instead of a blanket ban, I only blocked the subnets from which spam was being sent. After my first week of scanning and banning, I wrote up a report on the effectiveness of the blocks." In related news, SSKennel adds that: "The U.S. Federal Trade Commission has discovered (prepare to be amazed!) that revealing your email address in chat rooms can get you spammed. It claims to have taken action against spammers who harvest email addresses and use them to send fraudulent spam." Shocker!

23 of 378 comments

  1. Blocking subnets? Use SPEWS. by smnolde · · Score: 5, Informative

    Subject says it all. I block so much spam by using spews.

  2. How I block Korean spam by Jim+the+Bad · · Score: 5, Informative
    I just have KMail redirect all HTML formatted mail into the spam bucket. I check it once a day for the odd false positive - this is easy, as message titles in English stand out among all the Hangul ones. Only takes me a few seconds.

    On the other hand, 15 or so spams a day (in a language I don't even understand) every day is a major waste of bandwidth, and as irritating as hell.

    What can we do about this nuisance?

    --
    -- And when Justice is gone, there is always... Force. --Laurie Anderson, "Oh Superman"
    1. Re:How I block Korean spam by Anonymous Coward · · Score: 4, Informative

      The most effective way I've seen is to have your own domain and have all email sent to any alias under that domain to a single mailbox. Then, whenever you need to have something emailed to you, just use a different alias (preferably a descriptive one; for example, if you order something from amazon.com, you can use you-amazon@yourdomain.com). That way you can not only see where your email address was picked up, but also block all email coming to that particular alias. You'll also know who to bitch out.

    2. Re:How I block Korean spam by Iguanaphobic · · Score: 4, Informative

      You'll also know who to bitch out.

      I use addresses like amazon_spam@yourdomain.com

      That way I can tell for SURE where it came from. Plus I filter based on _spam in the To: field.

      --
      Fascism should more properly be called corporatism, since it is the merger of state and corporate power.
    3. Re:How I block Korean spam by Binestar · · Score: 5, Informative

      While it is true that just dropping HTML can cause issues, you can still capture a lot of spam by filtering on HTML e-mail without a CHARSET.

      # text/html with no charset anywhere in the headers, unless it came via hotmail.
      # f = filter, h = hand only the header to formail, w = wait for it to finish.
      # Assumes FORMAIL is set earlier in .procmailrc, e.g. FORMAIL=/usr/bin/formail
      :0 fhw
      * ^Content-type: text/html
      * ! html; charset=
      * ! from hotmail
      | ${FORMAIL} -A"X-Spammers: text/html only message"

      The above has *NEVER* given me a false positive in over 9 months of use.

      Also, I use 3 rules that block fake Netscape/Hotmail/Yahoo e-mails. Basically, if the e-mail has a from address from one of those but isn't really from their servers they get tossed as well.

      # hotmail-specific: genuine Hotmail carries these headers, and the Message-ID
      # starts with the same host tag (captured into MATCH by \/...) as the
      # originating host in the Received line
      :0
      * ^(From|Return-Path):.+@hotmail\.com
      {
        :0
        * ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
        * ^X-OriginalArrivalTime:
        * ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
        * ^Received: from hotmail.com \(\/...
        * $ ^Message-ID: <${MATCH}.+@hotmail\.com>
        { }

        # E = else: only reached when the genuine-Hotmail recipe above did not match
        :0 Efhw
        | formail -A "X-Spammers: fake hotmail"
      }

      # yahoo-specific: the host named in the Message-ID must also be the relay
      # named in a Received line
      :0
      * ^(From|Return-Path):.+@yahoo\.[a-z]+
      {
        :0
        * ^Message-ID: <([0-9.]+\.qmail|[0-9]+\.[0-9A-Z]+)@\/[a-z0-9-]+\.yahoo\.[a-z.]+
        * $ ^Received: from .+by $MATCH
        { }

        :0 Efhw
        | formail -A "X-Spammers: fake yahoo"
      }

      # netscape-specific: expects the Atlas X-Mailer, the netscape/aol relay chain,
      # and the Return-Path address (MATCH) repeated in From: and Received:
      :0
      * ^(From|Return-Path):.+@netscape\.
      {
        :0
        * ^X-Mailer: Atlas
        * ^Received: from +netscape.*MAILIN
        * ^Return-Path: <\/[a-z0-9_.-]+@netscape\.[a-z.]+
        * $ ^From:.*$MATCH
        * $ ^Received: from $MATCH.*by [a-z0-9.-]+\.aol\.com
        * ^Message-ID: <[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+@netscape\.[a-z.]+
        { }

        :0 Efhw
        | formail -A "X-Spammers: fake netscape"
      }

      Those 4 rules save me a big headache.

      --
      Do you Gentoo!?
    4. Re:How I block Korean spam by mangu · · Score: 2, Informative
      HTML email isn't evil by itself


      Hmmm, beg to differ. Does your company enforce Lotus Notes 4.6 client?

    5. Re:How I block Korean spam by Ilgaz · · Score: 3, Informative

      You don't need to block HTML mail. After I figured out that Yahoo will do _nothing_ about the enormous spam from hananet.net and kornet.net, I made a filter like this (can't give all of it, too long):
      If From contains "hanmail.net" (case sensitive)
      then deliver to Trash
      If From contains ".co.kr"
      then deliver to Trash

      (here comes the trick)

      If Body contains "charset=KS_C_5601-1987"
      then deliver to Trash
      If Body contains "charset="ISO-2022-KR""
      then deliver to Trash

      (most funny is)

      If Subject contains "!!!!"
      then deliver to Trash

      Yes, guess what? Those 4 exclamation marks save me from many spams! Not a joke, they love 4 exclamation marks.

      Let me tell you the amazing part: it's a webmail filter, I can't do more. To block IP subnets I'd need to root Yahoo :)) There are... 33 UNREAD mails in my Trashcan and I emptied it just a day ago!

      I sent feedback to Yahoo and asked if they get any financial etc. goods from those 2 well known damn companies... No reply. I kinda know them now. They are 2 huge ISPs, they know about the problem but they don't do anything about it.

      If we lived in a good, ethical world, Yahoo pros knowing this thing would mail them, and those a$$holes wouldn't dare to ignore a giant like Yahoo the way they ignore us end users. Like: "Close your port 25 for individuals _now_ or we will block all the mails sent to our customers/users, effective 1 week from now." If I paid $25 for my mailbox, I'd still get that crap, can you believe it?

      Go to http://www.spamcop.net and check "top spammers", hanmail and kornet, always there!..
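The rules Binestar and Ilgaz describe above, as an added Python example that is not code from this thread: it re-implements Binestar's text/html-without-charset and fake-Hotmail tests and Ilgaz's Korean-charset and "!!!!" rules over constructed sample messages, so the logic can be run and checked outside procmail or Yahoo's webmail. The Hotmail header shape it checks (a three-character host tag shared by the Received line and the Message-ID) is taken from Binestar's recipe; the sample messages, hosts and addresses are made up for the example.

```python
"""Header heuristics from this thread, as runnable Python.

Added example, not code posted in the thread. It mirrors Binestar's procmail
tests (text/html with no charset; a claimed Hotmail sender whose Received,
X-Originating-IP and Message-ID headers do not agree) and Ilgaz's webmail rules
(a Korean charset in any MIME part, four exclamation marks in the Subject).
"""
import email
import re

HOTMAIL_RECEIVED = re.compile(r"^from hotmail\.com \((\w{3})", re.I)
HOTMAIL_MSGID = re.compile(r"^<(\w{3})\S*@hotmail\.com>$", re.I)
ORIGINATING_IP = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")
KOREAN_CHARSETS = {"ks_c_5601-1987", "iso-2022-kr"}


def html_without_charset(msg):
    """Binestar's first recipe: a text/html message that declares no charset."""
    return msg.get_content_type() == "text/html" and msg.get_content_charset() is None


def fake_hotmail(msg):
    """Binestar's hotmail recipe: claims @hotmail.com but lacks Hotmail's fingerprint.

    Genuine Hotmail of the period wrote "Received: from hotmail.com (f85.law12...)"
    and a Message-ID beginning with the same three-character host tag, "F85...".
    """
    claims = any("@hotmail.com" in msg.get(h, "").lower() for h in ("From", "Return-Path"))
    if not claims:
        return False
    if not ORIGINATING_IP.match(msg.get("X-Originating-IP", "").strip()):
        return True
    if not msg.get("X-OriginalArrivalTime"):
        return True
    tags = set()
    for received in msg.get_all("Received", []):
        m = HOTMAIL_RECEIVED.match(received.strip())
        if m:
            tags.add(m.group(1).lower())
    mid = HOTMAIL_MSGID.match(msg.get("Message-ID", "").strip())
    return not (mid and mid.group(1).lower() in tags)


def korean_charset(msg):
    """Ilgaz's trick: the first Korean charset declared by any MIME part, else ''."""
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset in KOREAN_CHARSETS:
            return charset
    return ""


def reasons(raw):
    """Rules the message trips, in a fixed order; an empty list means deliver it."""
    msg = email.message_from_string(raw)
    hits = []
    if html_without_charset(msg):
        hits.append("html without charset")
    if fake_hotmail(msg):
        hits.append("fake hotmail")
    charset = korean_charset(msg)
    if charset:
        hits.append("korean charset " + charset)
    if "!!!!" in msg.get("Subject", ""):   # raw header; decode RFC 2047 first in real use
        hits.append("!!!! in subject")
    return hits


# Constructed sample messages (documentation addresses, made-up hosts).
SPAM_NO_CHARSET = """\
From: deals@example.net
Subject: Special offer!!!!
Content-Type: text/html

<html><body>buy now</body></html>
"""

FAKE_HOTMAIL = """\
Received: from mail.example.net (unknown [203.0.113.5]) by mx.example.org
From: "A Friend" <afriend@hotmail.com>
Message-ID: <20030209120000.1234@mail.example.net>
Content-Type: text/plain; charset=iso-8859-1
"""

REAL_HOTMAIL = """\
Received: from hotmail.com (f85.law12.hotmail.com [192.0.2.10]) by mx.example.org
X-Originating-IP: [198.51.100.7]
X-OriginalArrivalTime: 09 Feb 2003 12:00:00.0000 (UTC)
From: "A Friend" <afriend@hotmail.com>
Message-ID: <F85AbCdEfGhIjKlMnOp@hotmail.com>
Content-Type: text/plain; charset=iso-8859-1
"""

KOREAN_SPAM = """\
From: someone@example.net
Subject: (info)
Content-Type: text/html; charset=ks_c_5601-1987
"""

if __name__ == "__main__":
    for raw in (SPAM_NO_CHARSET, FAKE_HOTMAIL, REAL_HOTMAIL, KOREAN_SPAM):
        print(reasons(raw) or "deliver")
```

The one caveat worth keeping in mind: like the procmail and webmail rules, this looks at raw header values, so a Subject encoded with RFC 2047 (common for Korean mail) would hide its "!!!!" until decoded, and the Hotmail fingerprint is only as stable as Hotmail's header layout was at the time.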

    6. Re:How I block Korean spam by Qrlx · · Score: 5, Informative

      If you're in a corporate setting, then you should be installing Office from an Administrative Installation Point and have configured your install to override Outlook's default to send HTML, and changed it to Rich Text or Plain Text.

      They can always go up to the menu bar and change it if they suddenly decide they need to send HTML emails.

      By the way, I really, seriously, very strongly doubt that HTML mail format is necessary for your marketing group or whatever. I find it exceptionally unlikely that they are WRITING EMAIL IN HTML and that this is a core competency of your sales dogma. Most likely they are attaching files to email, which works fine with plain text.

      HTML email actually IS evil. There's completely no point to it. And in fact it's part of the spam problem: Let's say an HTML email contains a ref to some JPG somewhere. You read the (spam) HTML email, your 'puter downloads the JPG. Congratulations, now the spammer can check his web logs and determine how many people got the message! If s/he's really crafty, you could even tell which recipients got it by cross-indexing the HTTP GET request with the virtual file name you've set up, like 01010012001012712.jpg -> sucker1001@hotmail.com. Now you put that name on your "known good accounts" list and sell it.

    7. Re:How I block Korean spam by Anonymous Coward · · Score: 1, Informative
      what the fuck are we supposed to do with this crap?

      man procmailrc

  3. Asian Pacific network by TheFlu · · Score: 5, Informative

    I started blocking off all Asian Pacific networks about 6 months ago. I wrote a quick Sendmail tutorial about it right here.

    How well does this work? Extremely well. I've gone from receiving 20 pieces of SPAM a day to only 1 or 2 (which SpamAssassin typically catches). I realize that this method won't work for everyone, but it has worked out quite well for me.

  4. Cloudmark - Outlook 2k/XP users by exhilaration · · Score: 5, Informative

    If you're running Outlook 2000 or XP - Cloudmark is a nearly PERFECT solution to Spam - and IT'S FREE (for now, at least).

    1. Re:Cloudmark - Outlook 2k/XP users by spongman · · Score: 5, Informative

      I have noticed that many spammers are adding random crap to the end of their messages. This tactic is specifically designed to circumvent products like cloudmark. If you're running Outlook, try spambayes, it uses some pretty complicated statistics to determine whether or not an incoming message is spam, and it works surprisingly well. It requires a certain amount of technical knowledge to set up, though.

  5. Re:blocking ip's isn't enough by jensend · · Score: 5, Informative
    Where is the onslaught of OSS Bayesian filters?
    At Sourceforge. (Where else would you expect it to be?) That includes Bogofilter, POPFile, and a whole bunch of less-active programs. Searching for 'bayes spam' (Sourceforge uses OR searching by default) ought to get you more projects than you really want to look at. Mozilla is also looking at getting a similar filter- see bug 163188 at bugzilla.mozilla.org.
  6. Re:Fraudulent Spam? by doomdog · · Score: 5, Informative

    Yes, there is a difference between regular spam and the fraudulent variety. Normal spam is sent by well known "bulk mailers" (as they call themselves, in a pitiful attempt to legitimize their business) on a contract-for-hire basis.

    They send email directly from their own systems to your mailbox. They do not fake their headers, use open relays, hijacked proxies or root'ed boxes of other people to send out their messages. They generally have contracts with their ISPs to not cancel their connectivity as long as they have some type of proof, no matter how vague, that the mail *might* be considered opt-in (and as long as the complaints aren't too frequent). These people do listwash their own lists, if only to stop spamming people who actually complain about it, and also to show to their ISPs that they have an effective opt-out system. Their spam is annoying, but currently legal.

    Fraudulent spam, on the other hand, is completely different. These are the people that hijack other people's machines to do the dirty work, rape open relays and consume all of their bandwidth during spam runs, actively probe for open relays and proxies, forge everything they can in the headers, study SpamAssassin and other filters in an attempt to craft messages that don't "look" like spam. These are the people that use their opt-out lists as a source of revenue (by selling the names to other spammers), and will frequently joe-job spam activists and others who complain too loudly and to the wrong people...

    The first type of spammer sends out insurance offers, cell phones ads, inkjet ads and such. The second type sends out virus/trojan laden messages, porno by the bucketload, ads for illegal drugs, etc.

    Both types of spam are annoying, but the "fraudulent" type is much more so because of its immoral content (and anyone who thinks that sending pornographic images to children isn't immoral should quietly remove themselves from the gene pool) and also because of the theft of services (bandwidth, hard drive space, etc.) from the relays and proxies that they abuse.

  7. Re:blocking ip's isn't enough by spongman · · Score: 4, Informative
    Spambayes is simply the best spam filter I've ever seen. It's not a 'release' quality product but its filtering is the best I've seen. There's an excellent plugin for Outlook which monitors your inbox and places spam in a 'spam' folder or an 'unsure' folder depending on your settings and its classification of incoming messages. It also notices when you move messages into/out of these folders and re-trains its database accordingly.

    I believe they also have a POP3 proxy and an SMTP proxy is on its way. The automation for these is not quite so refined, however.
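What a spambayes-style filter is doing underneath, as an added example (not spambayes, bogofilter or POPFile code): per-class token counts, Paul Graham-style scoring from the most telling tokens, a ham/unsure/spam verdict from two cutoffs like the Outlook plugin's folders, and an untrain step so that moving a message out of a folder corrects the database, as spongman describes. The training corpus is constructed and tiny; it is there to show the mechanics, not to be accurate.

```python
"""Toy Bayesian mail filter; added example, not any listed project's code.

Token counts per class, Graham-style scoring (the 15 most telling tokens
combined in log space), ham / unsure / spam from two cutoffs, and untrain()
so that a message moved between folders corrects the database.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]{2,}|!{2,}")   # "now!!!!" -> "now", "!!!!"


class BayesFilter:
    def __init__(self, ham_cutoff=0.2, spam_cutoff=0.9):
        self.spam, self.ham = Counter(), Counter()  # messages per class containing token
        self.nspam = self.nham = 0
        self.ham_cutoff, self.spam_cutoff = ham_cutoff, spam_cutoff

    @staticmethod
    def tokens(text):
        return set(TOKEN.findall(text.lower()))

    def train(self, text, is_spam):
        table = self.spam if is_spam else self.ham
        for tok in self.tokens(text):
            table[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def untrain(self, text, is_spam):
        """Reverse train(): the user moved a message out of the spam or ham folder."""
        table = self.spam if is_spam else self.ham
        for tok in self.tokens(text):
            table[tok] = max(0, table[tok] - 1)
        if is_spam:
            self.nspam = max(0, self.nspam - 1)
        else:
            self.nham = max(0, self.nham - 1)

    def token_prob(self, tok):
        """P(spam | token) from the fraction of spam vs. ham messages containing it."""
        s = self.spam[tok] / self.nspam if self.nspam else 0.0
        h = self.ham[tok] / self.nham if self.nham else 0.0
        if s + h == 0:
            return 0.4                       # never seen: slightly hammy, per Graham
        return min(0.99, max(0.01, s / (s + h)))

    def score(self, text):
        probs = sorted((self.token_prob(t) for t in self.tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        if not probs:
            return 0.5
        log_p = sum(math.log(p) for p in probs)
        log_q = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_q - log_p))   # prod p / (prod p + prod (1-p))

    def classify(self, text):
        s = self.score(text)
        if s >= self.spam_cutoff:
            return "spam"
        if s <= self.ham_cutoff:
            return "ham"
        return "unsure"


# Constructed corpus, modelled on the spam described in this thread.
SPAM_CORPUS = [
    "buy cheap inkjet cartridges now!!!! free shipping",
    "herbal viagra alternative free trial click here now",
    "university diploma no classes required call now",
    "win a free 3 carat diamond send $2000 to our foundation!!!!",
    "cheap mortgage rates click here to apply free",
]
HAM_CORPUS = [
    "the meeting moved to thursday bring the quarterly report",
    "can you review my patch to the mail filter before friday",
    "the procmail recipe you sent works thanks",
    "lunch on thursday at the usual place",
    "here is the report you asked for and the updated patch",
]


def trained_filter():
    f = BayesFilter()
    for is_spam, corpus in ((True, SPAM_CORPUS), (False, HAM_CORPUS)):
        for text in corpus:
            f.train(text, is_spam)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for text in ("free herbal viagra cheap click now", "the quarterly report is ready", "hello world"):
        print(f"{f.score(text):.3f} {f.classify(text):7s} {text}")
```

Two things the toy makes visible: a message built only of tokens the filter has never seen lands in "unsure" rather than either folder, which is why the Outlook plugin has a third folder at all, and the random junk spongman mentions at the end of messages only adds unseen tokens, which the top-15 selection mostly ignores once a few strongly spammy tokens are present.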

  8. Re:Blocking subnets? Use SPEWS. by Anonymous Coward · · Score: 5, Informative

    I hate spews. spews is everything that is wrong with anti-spam work.

    There is no way to get off of the SPEWS blacklist, and if they blacklist your entire NSP for one of the NSP's customers... tough luck for you. You can post to a usenet group and beg, and they won't do anything other than tell you to break your legal contract and go elsewhere. 20 people will harass you, and you can't even know which one to listen to.

    SPEWS can rot in hell. A properly configured SpamAssassin will block 98% of spam and have 0.01% false positives (I haven't gotten one false positive in a year, but I will someday).

    SPEWS is NOT how one prevents spam. SPEWS is how one pisses off the people trying to mail them.

    I can't stress enough how much I hate SPEWS and how much it should die.

    Please, please don't support SPEWS. I beg you.

  9. misread title by Anonymous Coward · · Score: 0, Informative

    i usually hate this type of comment, but i swear i really thought it said 'blocking asian sperm'

  10. Obligatory OS X mail reminder by djupedal · · Score: 3, Informative

    'Mail' in OS X has a built-in junk mail filter mechanism that learns first, then goes on automatic. Might want to consider it next time you're thinking of changing to a new OS :)

  11. Re:Spammers in Korea are required by law to by dokebi · · Score: 2, Informative

    To include "ADV" in the e-mail headings.
    In Korean, it translates into 광고, which you can just filter for. From the bottom of the article, the subject lines #40, 51, 34 all have those.

    Too bad US doesn't have similar laws

    --
    In Soviet Russia, articles before post read *you*!
  12. A cure for HTML spam... by aquarian · · Score: 4, Informative

    A lot of spammers *do* use these HTML mail tricks. However, a lot of plain users send HTML mail, often without knowing it, because Microsoft mail programs send HTML by default. So if you want to read HTML mail safely, do this: block your network connection while opening it. You can unplug the cable, take the mail program "offline", hit the "stop" button on ZoneAlarm, whatever. This won't cause problems with legit HTML mail, because the HTML is usually just for fonts and stuff. But it keeps the spam messages from "phoning home" successfully to get their graphics.
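The web bug Qrlx describes and the offline reading aquarian suggests, as an added example that is not code from either comment: the sender side builds a per-recipient image URL and cross-indexes its web log against the mapping, and the reader side lists the remote fetches an HTML message would trigger, which is exactly what unplugging the network prevents. The recipients, HTML, log line and the host tracker.example are constructed for the example.

```python
"""Web bug in HTML mail, both halves. Added example, not from the thread."""
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_URL = re.compile(r"^(?:https?:)?//", re.I)
LOG_REQUEST = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


class RemoteRefs(HTMLParser):
    """Collect the URLs a rendering mail client would fetch without being asked."""
    FETCHED = {("img", "src"), ("iframe", "src"), ("link", "href"),
               ("input", "src"), ("body", "background"), ("table", "background")}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.FETCHED and value and REMOTE_URL.match(value.strip()):
                self.refs.append(value.strip())


def remote_refs(html):
    """Reader side: every remote resource this message would phone home for."""
    parser = RemoteRefs()
    parser.feed(html)
    return parser.refs


def make_beacon_map(recipients, base="http://tracker.example/i/"):
    """Spammer side: an unguessable image name per recipient, as Qrlx describes."""
    return {base + secrets.token_hex(8) + ".jpg": addr for addr in recipients}


def build_message(beacon_url, text):
    """Spammer side: the 1x1 image is the only reason this mail is HTML at all."""
    return (f"<html><body><p>{text}</p>"
            f'<img src="{beacon_url}" width="1" height="1"></body></html>')


def sample_log_line(url, client_ip):
    """Constructed Apache-style access-log entry for one fetch of url."""
    return (f'{client_ip} - - [09/Feb/2003:12:00:00 +0000] '
            f'"GET {urlsplit(url).path} HTTP/1.1" 200 43')


def confirmed_recipients(log_lines, beacon_map):
    """Spammer side: which addresses opened the mail, read off the web log alone."""
    by_path = {urlsplit(url).path: addr for url, addr in beacon_map.items()}
    live = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if m and m.group(1) in by_path:
            live.append(by_path[m.group(1)])
    return live


def demo():
    """Alice reads online and is confirmed live; Bob reads offline and stays unknown."""
    beacons = make_beacon_map(["alice@example.org", "bob@example.org"])
    alice_url = next(url for url, addr in beacons.items() if addr == "alice@example.org")
    fetched = remote_refs(build_message(alice_url, "Special offer"))
    log = [sample_log_line(url, "198.51.100.7") for url in fetched]
    return fetched, confirmed_recipients(log, beacons)


if __name__ == "__main__":
    refs, live = demo()
    print("client would fetch:", refs)
    print("spammer learns live:", live)
```

remote_refs() is the check a "don't load remote images" setting has to make: anything with an http, https or protocol-relative URL in a fetched attribute is a beacon candidate, while cid: references and inline styling (the "fonts and stuff" aquarian mentions) are not. CSS url() references and scripts are deliberately out of scope here.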

  13. This works well for me by laing · · Score: 5, Informative

    A few months ago my spam level reached the point that made me do something about it. After looking carefully at all the headers, I concluded that about 80% of the junk (mostly from Asia) came from IP addresses with no reverse DNS database entry. (The IP did not resolve back into a hostname.) Just about all reputable mail exchangers have a reverse DNS entry. (The ones who don't are run by the clueless.)

    I decided to use this to my advantage. You can too.

    If your sendmail daemon uses the tcpwrappers library, you can create a /etc/hosts.deny
    file with "sendmail: ALL" and a /etc/hosts.allow file with "sendmail: KNOWN". (Make sure "sendmail" equates to 25 in your /etc/services file.)

    Doing the above will cause your mail exchanger to refuse incoming mail connections from any host with an unresolvable IP address. It will cut up to 80% of your spam.

    For the clueless ISPs, you can add exceptions to your /etc/hosts.allow file. (e.g. "sendmail:66.187.232." will allow mail from RedHat.)

    I wish more people would do this.
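laing's tcp_wrappers gate, as an added Python example that is not from the comment: hosts.allow "sendmail: KNOWN" admits a client only when its address has a PTR record and that name resolves back to the same address, hosts.deny "sendmail: ALL" refuses everyone else, and the extra hosts.allow line for Red Hat punches a hole for an ISP with no reverse DNS. The DNS table is constructed so the check runs offline; system_resolvers() (my name, not from the thread) shows the same two lookups against the real resolver.

```python
"""Forward-confirmed reverse DNS gate. Added example, not from the thread."""
import socket

# Constructed records (RFC 5737 documentation addresses), not real DNS.
PTR_RECORDS = {
    "192.0.2.25": "mx1.example.net",           # proper mail exchanger
    "198.51.100.9": "dsl-9.pool.example.net",  # PTR exists but forward lookup disagrees
    # 203.0.113.77 has no PTR at all
}
A_RECORDS = {
    "mx1.example.net": ["192.0.2.25"],
    "dsl-9.pool.example.net": ["198.51.100.200"],
}


def table_resolvers():
    """(ptr, forward) lookups against the constructed table."""
    return (lambda ip: PTR_RECORDS.get(ip),
            lambda name: A_RECORDS.get(name, []))


def system_resolvers():
    """The same two lookups against the real resolver (not used by the demo)."""
    def ptr(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []
    return ptr, forward


def is_known(ip, resolvers):
    """tcp_wrappers KNOWN: a name exists for ip and that name maps back to ip."""
    ptr, forward = resolvers
    name = ptr(ip)
    return name is not None and ip in forward(name)


def accept_smtp(ip, resolvers, allow_patterns=("66.187.232.",)):
    """hosts.allow is consulted first; hosts.deny (sendmail: ALL) catches the rest."""
    for pattern in allow_patterns:          # "66.187.232." style prefix, as in hosts.allow
        if pattern.endswith(".") and ip.startswith(pattern):
            return True, "hosts.allow exception " + pattern
    if is_known(ip, resolvers):
        return True, "hosts.allow KNOWN"
    return False, "hosts.deny ALL (no forward-confirmed reverse DNS)"


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.9", "203.0.113.77", "66.187.232.50"):
        ok, why = accept_smtp(client, table_resolvers())
        print(f"{client:15s} {'accept' if ok else 'refuse'}  {why}")
```

Note that KNOWN is stricter than "has a PTR": the second client above has one, but the name points elsewhere, so tcp_wrappers treats it as unknown. That strictness is what keeps the rule from being satisfied by a spammer's arbitrary PTR, and it is also why the exception list needs watching, since a legitimate but sloppily configured sender fails the same test.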

  14. Annoying Forwards by leabre · · Score: 3, Informative

    I've had an email address for about a year that was not once used for any reason at all. Never received, never sent. One day, I sent an email to a relative who had just got their email account and was excited to be on the web.

    A month later, I got forwarded one of those "send this to x people and Bill Gates will send you $3,014 for each 3rd person... no really, it's true, just the other day I received my $10 million dollar check from ..."

    I replied and told her never to do that again or she will be blocked and I'll never email her. I explained to her why she shouldn't do that. It's because someone somewhere along the line will get the 30 times forwarded message and will glean the 100's of emails that are a part of the message body from all the forwards and put you on a list.

    Now, every day I get 1 or 2 University Diplomas emails, they just don't stop sending them. Every day Janna wants to know what I was doing last night, King Kong keeps wanting me to buy some Herbal Viagra alternatives, FBI snooper detection prevention software, and a chance to win a free 3 carat diamond after I send $2,000 to sponsor some foundation... yeah... uh huh...

    I'll tell you, those funnies you send and receive every day are a really good way.

    The other way is to reply to a spam to be removed from a mailing list. In the same mail account, I replied to a few to be removed from the list and shortly after the volume of messages received almost doubled. Now it's a useless email account that receives over 600 emails per week. It's sad because I've only sent and received less than 10 legitimate messages from that account in the past 5 years and this is what I get in return for it.

    Bottom line:

    * Warn your friends and family not to send you forwarded email. Explain to them that most of those messages are hoaxes, anyway. Companies don't pay you to blast the Internet with messages.

    * Second, don't reply to spams when you do receive them or it will just confirm an active account. I used to spoof returned mail notices but those don't help any, they also make it worse.

    * Third, if you do receive a mass-forward, you're already at odds.

    * Each time you sign up to a new web-site, read the privacy statement. Usually, your info will be shared with a partner. Check that partner's privacy policy, because usually that partner will share your info with a partner and so on.

    Your email address is usually not kept secret anymore. They make too much money by selling to people. If they are European based, then it might be more secure because of privacy laws.

    * Opt-out of those "important updates from the company and their partners". This will just generate more unwanted messages than you'll care about. I've opted-in to some in the past that were supposed to be monthly tech news updates on important issues. Well, one day it became daily. They changed their policy without notifying me.

    * Most sites reserve the right to change their privacy policies at-will and with no obligation to notify you. They expect you to keep up on this yourself. The best advice is to do so. I've cancelled membership to some sites because of this. My data is not theirs to profit from while I profit nothing from it.

    * Obvious names, such as "kitty@domain.com, bmwlover@domain.com, studmuff@domain.com, etc" are likely culprits. Sometimes they perform dictionary based attacks on many domains and it may just be your lucky number. What's worse is that they CC so all emails are there and other spammers gather those emails and then you are placed on another list.

    * Anything else not mentioned. Keep in mind, these are only spam "reduction" techniques. I think it's very difficult and next to impossible to not be spammed. Being aware of certain actions that will trigger a result and preventing those actions will help greatly.

    * If they leave a return address, sometimes you can complain and have their account revoked. This won't stop them, they'll open another account and continue.

    * Push for a law that allows the sponsor of the spam to be sued for damages and inconveniences rather than the sender. For example, I've received over 200 university diplomas messages which all have the same phone number, but each message is from a different sender. If we can sue the owner of the phone number, then that would go a great distance because it would make people afraid to market in that manner.

    Well, hope this helps,
    Leabre

  15. Re:Blocking subnets? Use SPEWS. by thrig · · Score: 4, Informative

    If you run SpamAssassin after the MTA, sure, the cows are out. Better to run SpamAssassin integrated with your MTA if possible, which can be done with Exim, Sendmail, and possibly others. Doing spam checks at the MTA level also lets you look at the mail envelope data and similar that SA cannot check on.

    Granted, you tend to have to run your own mail server to do this, but hey...