Slashdot Mirror


The Measured Effectiveness of Blocking Asian Spam

fadden writes: "I recently started blocking IP addresses in China and Korea that were sending me spam. Instead of a blanket ban, I only blocked the subnets from which spam was being sent. After my first week of scanning and banning, I wrote up a report on the effectiveness of the blocks." In related news, SSKennel adds that: "The U.S. Federal Trade Commission has discovered (prepare to be amazed!) that revealing your email address in chat rooms can get you spammed. It claims to have taken action against spammers who harvest email addresses and use them to send fraudulent spam." Shocker!

22 of 378 comments

  1. blocking ip's isn't enough by martums · · Score: 4, Interesting

    We've had to block a number of Korean & China-based IP's in recent months (especially during the Summer). In addition to blocking a number of temporary (PPPOE and such) IP's by domestic service providers, (read: Comcast), the foreign IP's seem to be more static, but also offer a higher quantity of spam. (Are a number of these just open relays?) Though, in our case, it's usually short-lived. Except for Klez, which is the devil.

    Good point about the pig singing. While Comcast is extremely unhelpful (bordering on incompetent), foreign ISP's don't face any accountability. There's no decent legal recourse. So blocking the IP is the simplest route.

    Has anyone else seen a significant amount of spam from Brazil? Where is the onslaught of OSS Bayesian filters?

    --
    Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety
  2. Argentinian Spam by Macka · · Score: 3, Interesting


    I get about 10 spams a week now from Argentina. Normal spam is bad enough, but I can't even understand what it is they are supposed to be selling. How silly is that. For the life of me, I can't work out where they could have got my address from. I've never had anything at all to do with Argentina.

    Bemused!

  3. Speaking of exposed email... by Anonymous Coward · · Score: 5, Interesting

    "The U.S. Federal Trade Commission has discovered (prepare to be amazed!) that revealing your email address in chat rooms can get you spammed. It claims to have taken action against spammers who harvest email addresses and use them to send fraudulent spam." Shocker!

    Revealing your email address on Slashdot can get you spammed. You may have noticed my sig says "Sig: I'm performing an experiment on the origination of SPAM, don't email me.". What I did was I set up a junkmail box and pointed my Slashdot email address at it. The only place this address has ever been made available is in my user address that is displayed whenever I comment. When this address is e-mailed, it automatically responds with "thanks for the unsolicited mail!" I don't read the messages unless somebody responds to it.

    What prompted me to do this was the 'armor plate your email address' feature in my user settings here on Slashdot. It made me curious if having my e-mail address viewable in the comments I make would mean I'd receive lots of Spam. My curiosity is satisfied: You can get a good deal of SPAM if you don't use the 'armor plating'.

    You know what? They don't just look for e-mail addresses to send mail to. They also use the e-mail addresses as reply-to addresses. I found this out when I got an email from a guy who was puzzled by my auto-responder emailing him. It turns out that somebody sent a message to me and used his address as a reply-to address. Weird, isn't it? Fortunately he was very nice and we got that all settled, but it is a little disconcerting that the addresses are used in ways like that.

    When I first started this experiment, I responded to the messages I got. I accused one guy of harvesting my address without really reading what the message said. Turns out, the guy ran a mailing list for local (to him) volunteer firefighters announcing a meeting. This wasn't the type of event that somebody would 'direct market'. Heh. Evidently, somebody volunteered my user address only displayed on Slashdot to his list. How weird is that?

    I am extremely curious if anybody has any insight into the motivations of people who'd use email addresses in these ways. I can understand somebody using my email addie as a reply to address, but I have no explanation for why somebody'd volunteer me for a volunteer firefighter's list.

  4. Suing SPAM companies? by bertok · · Score: 5, Interesting

    I've invested significant money some years back in a domain name so that I could give my clients and friends an easy to remember, unique email address. I consider it a significant investment, because it looks good on a CV, business card, or letterhead, is easy to remember, and it cost me time and money to establish it.

    However, a number of spam companies have picked up on my email addresses at that domain, and have distributed it on a number of those umpteen-million address CDs sold to other spammers. I receive over 100 unsolicited emails a day. Now, I try to filter them with software filters, but due to the hit-and-miss nature of heuristic filters, legitimate mail is deleted on occasion.

    The way I see it, my unique and expensive email address has been devalued by these spam companies, because the whole point of buying that domain name was so that I could use it publicly. If I have to keep it a secret to avoid spammers, it is worthless! I can't even use it as an example while writing this article, because it would be picked up by yet more spammers.

    I wonder why nobody has tried suing along these grounds. Think about it: If some company had invested time, money, and effort into setting up a toll-free hotline for their customers and/or clients, but had the service ruined by telemarketers jamming the system with 100x more junk calls than the real calls the company receives, the next outgoing call would be to a lawyer!

  5. Re:I'd say something by mudder · · Score: 4, Interesting

    Using Hotmail alone doesn't get you spammed. I've had a hotmail account for over a year now and haven't received more than 20 pieces of "unrequested" spam in total. I'm moderately careful with my email address, but it does get out there every so often. Also my email address isn't terribly hard to guess (matt_allen_g....), and I don't have the Hotmail spam filter turned on. Maybe I'm lucky, but my experience does disprove the hypothesis that ALL hotmail accounts get spammed, simply due to the fact that they are hotmail accounts.

  6. How can I block American spam? by error0x100 · · Score: 5, Interesting

    The /. crowd always seems to be talking about how huge the Asian spam problem is. So as an experiment, I've been keeping my spam in a separate folder for a few months, and less than 3% of it is Asian in origin (counted by relay server used AND the spammer itself). Over 70% of it originates in the USA, and are mostly USA cons/scams/pseudo-products etc (diplomas, anti-spam software, spam software, porn sites, "hot stock investment advice newsletters", "work at home", MLM etc, "lose weight", search engine 'promote your website' offers etc).

    Why the discrepancy, am I just an outlier, or are slashdotters exaggerating the non-US-originating spam problem in relation to the US-originating spam problem?

    1. Re:How can I block American spam? by error0x100 · · Score: 2, Interesting

      Perhaps it has a lot to do with where you 'leave' your email address. Much of my spam is addressed to email addresses that were almost certainly harvested off websites I maintained or have maintained (a company website and a personal website, both .com domains), or off websites (such as forums) which my email address ended up on. With some of it it's obvious it's been sold by a company that has my email address (I also tend to sometimes create very specific email addresses that I use only for registering at individual companies .. most of the companies, fortunately, seem to be well behaved). Chatrooms, I don't use.

    2. Re:How can I block American spam? by error0x100 · · Score: 3, Interesting

      I count it as "Asian in origin" if ANYTHING on it is Asian (China, Korea, Taiwan etc) in any way, e.g. if it went through an Asian relay server, or if the company spamming me is Asian, or the source email address looks Asian (e.g. chinese or korean suffix) etc, or the referred to website looks Asian. The small bit of Asian spam I have gotten was very obviously from China, they were openly Chinese companies selling openly Chinese products.

      Much of my spam is very clearly from the US, and almost all of it is decidedly non-Asian. For most of it, all servers listed in the headers are in the USA, the products or pseudo-products they are selling are being sold out of the USA, the websites being advertised are in the USA, and run by Americans. If it's a "hot stock investment advice newsletter" it's for a company in the USA. Usually any phone numbers listed are USA phone numbers. Prices are in US$, and in the case of cons like MLM and "work from home" it's also usually in US$ (yes I know that doesn't mean anything by itself, but it's usually accompanied by other indicators, such as addresses/phone numbers). The text of the email also often indicates that whatever they are marketing, they are marketing at Americans *only* (e.g. they mention/offer things that are only valid in the USA, e.g. things that relate to the American tax system or voting system or American politics, or various other elements of American social infrastructure, or places in the US).

      I suppose I shouldn't spend so much time analyzing my spam, but it bugs me that the country that seems to be pointing the most fingers is also (at least in MY mailbox) by far the biggest culprit. Just wanted to know if other people's experiences are similar.

  7. Re:Epiphany by Psx29 · · Score: 5, Interesting

    You should have seen what happened when I put a throw-away email address in my away message on irc. Suddenly I was getting 1000 messages a day...scary

  8. Re:Just a note by djupedal · · Score: 4, Interesting

    I live, work and travel in Asia. I speak Japanese, Korean and Chinese (I'm a native English speaker, from Calif). I don't send mail...I talk to them in person. My situation is unique, I agree. And it's not viable for everyone that may consider helping.

    I'm trying for a pragmatic approach, and I would never suggest that simply sending an email or making a phone call would be helpful. The admins I talk to want to fix things, but until a focused effort is made to help them (docs in their languages, etc.), things won't change, I agree. Certainly complaining isn't going to help...and ignoring it isn't going to make it go away.

    I'm working on it the best I can...one admin at a time :)

  9. Ultimate Anti-SPAM plan by infiniti99 · · Score: 5, Interesting

    Since a few people are posting about anti-spam methods, I thought I'd go over my idea to counter spam. Currently I am not actually using this procedure, I have just been pondering it for awhile.

    First off, the core of this system relies on whitelist-confirmation. This means that first time senders are given an auto-response email which must be "confirmed" in order for their message to deliver. Once they have done this, they are whitelisted, and all email from them passes through. TMDA is what I use for this job. I leave my email address "unarmored", because no spam can get through. When I check my mail in KMail, there is no spam.

    However, all is not perfect. After many many months of using TMDA, I still find myself sifting through the "pending" folder on my mail server, which keeps hold of all the mails from unconfirmed senders. I generally do this every couple of weeks, and there are often at least one or two legitimate emails that were never confirmed. There are many possible reasons: 1) they thought the confirmation request was spam, so they deleted it (either manually or through an anti-spam filter). 2) they don't like the idea of having to do a stupid confirm (although no one has actually brought this up to me yet). 3) Maybe they use a reply-to or something weird that trips up TMDA (perhaps fixable or not..)

    Anyway, the point is that legit emails aren't 100% getting through. The next consideration then, is to use a word-filter (and who knows, maybe TMDA does this too), to see if legit mails can be detected by their content. Maybe this could be done using a bayesian (sp?) filter, as recently discussed here, or perhaps SpamAssassin. Emails detected as legit would be delivered directly, and the sender would be auto-whitelisted. Ambiguous emails would go through the usual whitelist-confirmation procedure. This way, the word-filter never actually throws email away. It gives the sender a second chance, by sending it through the whitelist system.

    This, I think, would solve the problem completely for me, as all of the legit mails that wind up unconfirmed would very much pass the legitimacy test (they mention a software project of mine, or something else very obvious). If this were in place, I could send my pending bin to /dev/null. Ahh, a life of no spam!
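    The pipeline described in this comment (content pre-pass that auto-whitelists obviously legitimate mail, whitelist-confirmation for everything else, nothing thrown away) is easy to get subtly wrong, so here is a small added example of it in Python. It is not TMDA's code and not the commenter's; the legitimacy markers, the secret and the sample addresses are all constructed. The confirmation token is an HMAC bound to the sender and message, and the confirmation is validated by token rather than by the replying From: address, which is one way to avoid the Reply-To problem the comment lists as case 3.

```python
import hashlib
import hmac

# Constructed: per-installation secret used to sign confirmation tokens.
SECRET = b"replace-with-a-long-random-secret"

# Constructed: phrases that mark a message as obviously legitimate, standing
# in for the comment's "they mention a software project of mine". In a real
# deployment this verdict would come from a Bayesian filter or SpamAssassin.
LEGIT_MARKERS = ("my-project", "bug report", "patch attached")


class ConfirmationGate:
    """Whitelist-confirmation with a content pre-pass.

    deliver   : sender already whitelisted, or content looks legitimate
                (sender is auto-whitelisted)
    challenge : everything else is held in 'pending' and the sender is
                asked to confirm; the filter itself never discards mail.
    """

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.whitelist = set()
        self.pending = {}  # token -> (sender, body)

    def token_for(self, sender, message_id):
        # Bind the token to sender and message so a confirmation for one
        # message cannot be replayed to whitelist a different sender.
        msg = f"{sender}|{message_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]

    @staticmethod
    def looks_legit(body):
        text = body.lower()
        return any(marker in text for marker in LEGIT_MARKERS)

    def handle(self, sender, message_id, body):
        """Returns ('deliver', None) or ('challenge', token)."""
        sender = sender.lower()
        if sender in self.whitelist:
            return ("deliver", None)
        if self.looks_legit(body):
            self.whitelist.add(sender)
            return ("deliver", None)
        token = self.token_for(sender, message_id)
        self.pending[token] = (sender, body)
        return ("challenge", token)

    def confirm(self, token):
        """Validate a confirmation by token alone, not by the From: address,
        so a correspondent replying via a Reply-To or alias still gets
        through. Returns ('deliver', sender) or ('reject', None)."""
        for stored in list(self.pending):
            if hmac.compare_digest(stored, token):
                sender, _body = self.pending.pop(stored)
                self.whitelist.add(sender)
                return ("deliver", sender)
        return ("reject", None)


if __name__ == "__main__":
    gate = ConfirmationGate()
    print(gate.handle("alice@example.org", "<1@example.org>", "Question about my-project"))
    verdict, token = gate.handle("bob@example.net", "<2@example.net>", "Are you free Friday?")
    print(verdict, token)
    print(gate.confirm(token))
```

    The pending store still needs the periodic sweep the comment describes, since an unconfirmed legitimate sender sits there until either a confirmation arrives or someone reads the folder; the content pre-pass only shrinks that folder, it does not empty it.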

  10. Still no one has an answer, what do we do about it by Mustang Matt · · Score: 3, Interesting

    I have yet to see someone suggest a good approach to spam. I don't want to filter it, I want to block it. I want 100% accuracy too because the one odd ball that accidentally gets blocked could be a big job for my company. Cause.org doesn't even list a suggested solution.

    So far to combat it, I've removed email addresses from all my sites and replaced them with a contact form and when I do absolutely have to show an email I obfuscate it pretty well using a combination of character encoding and javascript's document.write. (Browsers still work fine.)

    I also have a catchall so anytime I order something or fill out any other online form I use "the domain I'm browsing"@mydomain.com, that way if they give it out I can tell.

    The thing that sucks is that the innocent average internet user doesn't realize that if THEY give my address out, companies will collect and sell MY information, thus I was opted in to their list without my knowledge or consent.

    That stupid crushlink site and the smiley t-shirt were the worst. I quickly blocked them at my server in hopes that they would think I didn't exist.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
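    The catch-all scheme in this comment (one tagged address per site, so a leak can be attributed) is worth showing end to end, so here is an added Python example; it is not the commenter's setup. The domain, the registration table and the envelope log are constructed, and the example goes slightly beyond the comment by also accepting the `user+tag@domain` form and by emitting reject rules in Postfix access(5) table format for burned tags.

```python
from collections import Counter

DOMAIN = "mydomain.com"  # assumed: the catch-all domain from the comment

# Constructed: which tagged address was handed to which site, recorded at
# sign-up time. A tag that turns up in the log but not here was guessed.
REGISTRATIONS = {
    "shop-example": "shop.example (order form, constructed)",
    "forum-example": "forum.example (account sign-up, constructed)",
    "smiley-tshirt": "t-shirt vendor (constructed)",
}

# Constructed envelope log: "<recipient> <client-ip>" per accepted message.
LOG = """\
smiley-tshirt@mydomain.com 198.51.100.7
smiley-tshirt@mydomain.com 203.0.113.9
smiley-tshirt@mydomain.com 198.51.100.7
shop-example@mydomain.com 192.0.2.44
me+forum-example@mydomain.com 192.0.2.5
unknown-tag@mydomain.com 203.0.113.22
"""


def tag_of(address):
    """Return the tag carried by a catch-all address, or None for other
    domains. Accepts 'tag@domain' (the comment's scheme) and
    'user+tag@domain'."""
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN or not local:
        return None
    if "+" in local:
        return local.split("+", 1)[1]
    return local


def attribute(log, threshold=2):
    """Count spam per tag and report tags at or above threshold as
    {tag: (who was given this address, message count)}."""
    counts = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        rcpt, _client_ip = line.split()
        tag = tag_of(rcpt)
        if tag:
            counts[tag] += 1
    leaks = {}
    for tag, n in counts.items():
        if n >= threshold:
            origin = REGISTRATIONS.get(tag, "never handed out: guessed or dictionary")
            leaks[tag] = (origin, n)
    return leaks


def reject_rules(leaks):
    """Postfix access(5) table lines rejecting burned tags at SMTP time."""
    return [f"{tag}@{DOMAIN} REJECT address leaked" for tag in sorted(leaks)]


if __name__ == "__main__":
    found = attribute(LOG)
    for tag, (origin, n) in found.items():
        print(f"{tag}: {n} messages, address was given to {origin}")
    print("\n".join(reject_rules(found)))
```

    Running with `threshold=1` also surfaces tags that were never handed out, which is the signal that the local part is being guessed rather than leaked and that the catch-all itself, not one vendor, is being worked.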
  11. Re:Asian Pacific network by Anonymous Coward · · Score: 1, Interesting

    Pipe down. He's right. Plus, I get regular Grim's ping scans from korea, china, and france. It's the only port (21) I open and it's a constant flood. EVERY SINGLE email complaint has gone unchecked... while nearly every email to American ISP's and universities has resulted in a quick response.... do the math, junior.

  12. Re:USA SPAM by duffbeer703 · · Score: 3, Interesting

    I am not the original poster, but I'd like to respond to your rant.

    At one time I worked as a DBA at a small company where I also got to administer the email system. (Don't ask.)

    Our customer service addresses would be bombarded with nearly 5,000 spams a day from various sources. In general, US, European, and Australian ISPs did an excellent job in shutting down spam sites. This stemmed the flow to about 2,500 spams per day.

    Of these roughly 2/3 originated from Korean, Chinese or Romanian servers, whose admins never on any occasion took any action against the spammers.

    So I spoke to the network people and computer systems director and decided to filter most of the subnets where the spam originated from (probably about 7,000 address ranges).

    It was a decision I was reluctant to make, but it needed to be done. Our company provided services to customers in the US, Canada, Mexico and Chile. We weren't going to lose any Asian business.

    Until the ISPs in these nations decide to be good net citizens, the rest of the internet community should blacklist them.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  13. TMDA is a quick route to the roundfile for many by Anonymous Coward · · Score: 1, Interesting

    While I can appreciate that spam is a problem (I'm currently getting ~30-40 at home, another ~50 at work), TMDA is annoying. Particularly when sending mail to a list, with multiple TMDA users. No, I'm not going to auth all my listmail for you and your kith.

    I also use a whitelist/blacklist system, but maintain this on my own workstation. It's almost entirely transparent to my correspondents (occasionally I'll miss a mail and may take a day or two to get back to someone). The tools I use (mutt, procmail, shell scripts) make it trivial to add an address to a whitelist or blacklist (!wl-add, !bl-add in mutt -- these being shell scripts I put together). The entire scheme is based on Lars Wirzenius's procmail filters. In combination with spamassassin, the little spam that isn't captured by SA lands in my 'greylist' box. Repeat offenders (few, but extant) get blacklisted.

    Works for me and no hassle for anyone I deal with.

  14. Re:Blocking subnets? Use SPEWS. by walt-sjc · · Score: 3, Interesting

    While there are problems with SPEWS, spamassassin (which I also use) is locking the door after the cows got out. Spews (and other IP based blacklist) is about preventing spam from even getting to your server.

    By sending spammers a "500" level error, some will actually remove you from their list. By accepting the mail (spamassassin) you basically confirm that the mail address is deliverable.

    I don't personally use any spews like service, just my own private blacklist which helps reduce the amount of crap that spamassassin has to go through.

    I have found spamassassin to only be about 90% effective. If I crank up the settings, I start getting false positives on a regular basis.

  15. How to get down to 0.0014%... by Anonymous Coward · · Score: 4, Interesting

    ...even if you've naively left your e-mail address listed as the owner contact for your domain for years like I did. A three-pronged approach:

    1) IP-level blackholing of certain large subnets, as I like many others virtually never get any legitimate email from China or Korea, and many of the craftiest fake headers ride on brand new Chinese and Korean open relays. In case of emergency, people there can always use Yahoo or the likes - and I suspect many Chinese and Koreans who communicate with people abroad are already used to doing just that, as blackholing is becoming more and more widespread.

    2) RBL's. I personally use bl.spamcop.net and relays.osirusoft.com. These catch 99.2% of "quasi-legitimate" spam, and about 65% of the open-relay spam not caught above.

    3) Heuristic tagging via Spam Assassin/procmail/filters/etc as a last line of defense. I personally use a filter file that I edit pretty much every time a POS (piece of spam ;-) manages to sneak through.

    This is obviously more aggressive than many people can afford to be, but it's a viable solution for someone with a low signal-to-noise ratio and a high irritability ratio.
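    Comments 14 and 15 together describe an SMTP-time policy: reject from a local subnet blocklist first, then consult DNSBLs, and answer with a permanent 5xx so the message is never accepted and the address is never confirmed as deliverable. The following added Python example implements that decision; it is not the commenters' configuration. The subnets are documentation ranges, the DNS answers come from a constructed lookup table so it runs offline (a real deployment would resolve the name with `socket.gethostbyname`), and the example adds two checks a practitioner would want: a 451 temporary reject when the lookup fails, and acceptance of only 127/8 answers so a zone that goes dark or is hijacked cannot start rejecting everything.

```python
import ipaddress

# Constructed local blocklist (the comments' "IP-level blackholing" of
# subnets that only ever send spam). Addresses are documentation ranges.
LOCAL_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
    "198.51.100.128/25",
)]

# DNSBL zones named in comment 15. A listed address answers with an A
# record in 127.0.0.0/8 under <reversed-octets>.<zone>.
DNSBL_ZONES = ("bl.spamcop.net", "relays.osirusoft.com")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def in_local_blocklist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_BLOCKLIST)


# Constructed resolver table standing in for real DNS so the example runs
# offline; a real deployment would call socket.gethostbyname(name).
FAKE_DNS = {
    "9.2.0.192.bl.spamcop.net": "127.0.0.2",
}


def fake_resolve(name):
    """Return the A record for name, or None when not listed."""
    return FAKE_DNS.get(name)


def rcpt_policy(client_ip, resolve=fake_resolve):
    """Decide the reply to RCPT TO for a connection from client_ip.

    Returns (code, text): 250 accept; 550 permanent reject at SMTP time,
    so the mail is never taken in and the mailbox is never confirmed as
    deliverable; 451 temporary reject when a DNSBL cannot be consulted.
    """
    if in_local_blocklist(client_ip):
        return (550, f"5.7.1 {client_ip} is in the local blocklist")
    for zone in DNSBL_ZONES:
        try:
            answer = resolve(dnsbl_query_name(client_ip, zone))
        except OSError:
            return (451, "4.7.1 blocklist lookup failed, try again later")
        # Accept only answers in 127/8: a zone that has gone dark or been
        # hijacked can return other addresses, which must not reject mail.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            return (550, f"5.7.1 {client_ip} listed in {zone} ({answer})")
    return (250, "2.1.5 Recipient OK")


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.9", "192.0.2.10"):
        print(ip, rcpt_policy(ip))
```

    The order matters for cost as well as correctness: the local list is a memory lookup and drops the bulk before any DNS round trip, while the DNSBL stage is where a stale or defunct zone becomes a self-inflicted outage, which is why the answer range is checked rather than trusted.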

  16. Re:Blocking subnets? Use SPEWS. by Dimensio · · Score: 3, Interesting

    The philosophy of SPEWS is that if an ISP is willing to tolerate spammers, then it's probably best if that ISP is punished, and not just the spammers. If an ISP's 'legit' customers suffer the ill effects of a blacklist, then they should petition their ISP to get rid of their spammers. If that doesn't work, they should move, and deprive the ISP of any legit customers. I don't have a problem with that. The CEOs of ISPs that openly tolerate spam (Qwest) should be shot, but until that is legal, there is SPEWS. An ISP harboring criminals deserves to go under.

  17. Koreans - they're so darned courteous by K-Man · · Score: 3, Interesting
    If you look at the guy's subject header list, and change the encoding to EUC-KR, you can see that the subject of each Korean message identifies itself as spam. Look for this string (this page also in EUC-KR):


    ±í [ÎÆÍ±] an advertisement; ad; an advert; [¾Ë] a notice; an announcement; [¼±Àü] advertising; publicity.


    --
    ---- "If we have to go on with these damned quantum jumps, then I'm sorry that I ever got involved" - Erwin Schrodinger
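    The observation above, that the Korean subjects label themselves once read as EUC-KR, turns into a filter only if the subject is decoded correctly, so here is an added Python example of that step; it is not the commenter's code. It assumes the marker is the word 광고 (advertisement), taken here to be the headword of the dictionary entry the comment quotes, and it handles both the raw 8-bit subject the comment describes and the RFC 2047 encoded-word form a standards-following sender would use. The sample subjects are constructed.

```python
import base64
from email.header import decode_header, make_header

# Assumed marker: the Korean word for "advertisement", taken here to be the
# headword of the dictionary entry quoted in the comment.
AD_MARKER = "광고"


def decode_subject(raw, fallback_charset="euc-kr"):
    """Decode a Subject value that is either RFC 2047 encoded-words (ASCII)
    or raw 8-bit bytes in a legacy charset, the case the comment describes."""
    if isinstance(raw, bytes):
        try:
            raw = raw.decode("ascii")
        except UnicodeDecodeError:
            # Raw 8-bit header: interpret it with the fallback charset.
            return raw.decode(fallback_charset, errors="replace")
    return str(make_header(decode_header(raw)))


def mojibake_view(euc_kr_bytes):
    """What a client that assumes Latin-1 displays for EUC-KR bytes; this
    is the kind of string the comment reproduces."""
    return euc_kr_bytes.decode("latin-1")


def is_korean_ad(raw):
    """True when the decoded subject carries the advertisement marker."""
    return AD_MARKER in decode_subject(raw)


# Constructed sample subjects (not taken from any real message).
RAW_8BIT = "[광고] 무료 안내".encode("euc-kr")
ENCODED_WORD = ("=?EUC-KR?B?"
                + base64.b64encode("[광고] 안내".encode("euc-kr")).decode("ascii")
                + "?=")
PLAIN = "Re: meeting notes"


if __name__ == "__main__":
    for subject in (RAW_8BIT, ENCODED_WORD, PLAIN):
        print(repr(decode_subject(subject)), "ad" if is_korean_ad(subject) else "not ad")
    print(mojibake_view("광고".encode("euc-kr")))
```

    Matching on the decoded text rather than on the raw bytes is what makes the rule hold across both header forms; a byte-pattern rule written against one encoding silently misses the other.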
  18. Re:Epiphany by Moonshadow · · Score: 5, Interesting

    Perhaps deep down they know this, but they aren't consciously aware of it like geeks are. The mentality they approach a chatroom with is "I type, and once it scrolls off the screen, it's gone forever" whereas with a webform, they KNOW it's going into some database somewhere. The perceived threat is much lower in a chatroom, although the actual threat may be as high or higher than a webform.

    Also, people tend to be a lot more paranoid about protecting their SSN, mailing address, etc than they are about their email. An email is a fairly disposable thing, and there is little threat perceived with it being public knowledge. A SSN or brick-and-mortar address is quite another thing.

  19. Re:Epiphany by jonadab · · Score: 2, Interesting

    > Now, you may say that giving out SSN is more dangerous than giving
    > out e-mail

    *I* wouldn't say so. I give out my email address (everywhere: on
    slashdot, on usenet, on my own website, ... everywhere), but I know
    the fire I'm playing with and am prepared to deal with the deluge.
    (I use Gnus, so filtering can be arbitrarily elaborate. Some day,
    I'll set up my own mail server and do the filtering server-side with
    SMTP rejects, as this guy has done... but for now the client-side
    filtering is getting me by. Only about 80 messages got past my
    filters so far since last night... and of course they all landed in
    my inbox, where almost none of my legitimate mail ever goes, because
    it gets sorted into various folders by subject and sender and by To:
    field (mailing lists) and so on. Legitimate mail is much easier to
    filter than spam. I get _way_ more legit mail than spam, and way
    less of it lands in my inbox for manual sorting.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  20. Re:Blocking subnets? Use SPEWS. by Dimensio · · Score: 3, Interesting

    If you contracted a pipe that has been blocked by a great number of sources because of your ISP's tolerance of spammers, then you could make an argument that they knowingly have hampered your services through their inaction.

    Your ISP sold you connectivity with a reasonable expectation of functionality. If half of the internet is blocking that connectivity and it can be demonstrated that the blocking is being done because of your ISP's tolerance of criminals, blame your ISP. Complain to them, tell them that you won't pay for service that is less than adequate as a result of their actions.