The Spam Problem: Moving Beyond RBLs
whirlycott writes "I just published a paper called The Spam Problem: Moving Beyond RBLs on my site. I comprehensively describe RBLs and list eight specific problems with them. I also get into ideas that next generation antispam system creators should read. I hope that this will be useful to anybody who is attending the Spam Conference at MIT on Jan 17th."
(referring to the intro in the article)
I mean, you can compare it to having your entire town roped off because one person was a fraud... completely destroying said town, but you still live in it.
Wasting an entire netblock by blacklisting it is not good....
--- Æther SPOON!
Tell EVERYONE you know never to click on any spam links, or buy spamvertised products. People spam because it WORKS. The only real way to stop it is to STOP BUYING SPAMMED PRODUCTS.
on getting his site /.'d into a little ball of slag?
Seriously, I'll try and review the paper...
It's Christmas everyday with BitTorrent.
...some small country in the middle east.
Okay, bad joke.
I fail to see how active denial will ever work. The world is full of lazy people who keep relays open and don't bother. The solution has to be something passive, like RBL. You check it, it's a spammer, don't accept. The spammer relays can keep their configuration, only their mails won't reach anywhere!
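The passive check described in that comment is a DNSBL lookup: the receiving MTA reverses the client's octets, queries a name under the list's zone, and treats any A record in 127.0.0.0/8 as a listing. The spammer's relay needs no cooperation. The example below is added here and is not code from the paper or from any list operator; the zone names, the meaning of the 127.0.0.x answer codes and the DNS answers are all constructed, and the resolver is injected so it runs offline. The sanity check uses the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not be), which is the caveat every practitioner hits eventually: a zone that has gone dark and answers for everything will reject all your mail unless you test for it.

```python
import ipaddress
from typing import Callable, Dict, List, Sequence

# Meaning of the 127.0.0.x answers. This table is an assumption for the
# example: every real zone publishes its own codes and they differ.
LISTING_REASONS: Dict[str, str] = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.3": "listed: open relay",
    "127.0.0.4": "listed: open proxy",
}

# A resolver returns the A records for a name, or [] when the name does not
# exist. Injected so the example runs without network access.
Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """192.0.2.10 under bl.example becomes 10.2.0.192.bl.example."""
    addr = ipaddress.IPv4Address(ip)              # rejects garbage and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    A zone failing either is dead or misconfigured; using it anyway means a
    defunct list silently rejects everything (or nothing)."""
    return (bool(resolve(dnsbl_name("127.0.0.2", zone)))
            and not resolve(dnsbl_name("127.0.0.1", zone)))


def check_client(ip: str, zones: Sequence[str], resolve: Resolver,
                 skip_nets: Sequence[str] = ()) -> Dict[str, str]:
    """Verdict for a connecting client. Networks in skip_nets are never
    looked up; that is where local overrides for known parties belong."""
    addr = ipaddress.IPv4Address(ip)
    for net in skip_nets:
        if addr in ipaddress.ip_network(net):
            return {"verdict": "accept", "reason": f"{ip} is in local skip list {net}"}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue                                  # fail open on a broken zone
        answers = resolve(dnsbl_name(ip, zone))
        if answers:
            code = answers[0]
            return {"verdict": "reject", "zone": zone, "code": code,
                    "reason": LISTING_REASONS.get(code, "listed: unknown code")}
    return {"verdict": "accept", "reason": "not listed in any usable zone"}


# Constructed DNS answers standing in for real lookups. "bl.example" is a
# healthy zone with one listing; "dead.example" answers for every name,
# including the 127.0.0.1 test point, so it must be ignored.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.bl.example": ["127.0.0.2"],
    "10.2.0.192.bl.example": ["127.0.0.3"],
}


def fake_resolve(name: str) -> List[str]:
    if name.endswith(".dead.example"):
        return ["127.0.0.2"]
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.5"):
        print(client, check_client(client, ["dead.example", "bl.example"], fake_resolve))
```

In a real MTA the resolver is the system stub and `check_client` runs at connect or RCPT time; the skip list is where the "we know these people" override goes, and it is keyed on the client network rather than the sender address because the latter is trivially forged.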
You'll notice that he listed and then did not address the "Common Arguments and Justifications" for running and/or using a RBL. Just couldn't come up with a reason why privately owned servers have to accept mail from any particular person or group if they don't want to.
1. Don't let a spammer verify your email address
2. Don't post your email address on the internet
3. Secure your email client
4. Avoid common email traps
5. Fight back
Let me know if these can be improved.
Read my sig if you like, but I'll never see yours, thanks to Discussions, Viewing, Disable sigs...
The PriceJester Vol. II Issue 365
YOUR_EMAIL_ADDRESS_HERE
Get 4 DVDs for 49 each!
Shipping & Processing ONLY $1.99 per DVD.
Click Here:
http://www.optilc.com/linkc/tue_a/go.php3?
The Columbia House DVD Club is the Best Way to Build Your DVD Collection.
Check Out Today's Best Sellers like Training Day, Sherk, Gladiator
and many more! Join Now and You Can...
More Details:
http://www.optilc.com/linkc/tue_a/go.ph
Cancel your subscription here:
http://sbase30.com/central/unsub.php?uni=Y
-----------
How do you like reading this spam? If you were using the RBL, this would have been blocked.
My spamassassin-tagged mail usually scores between 1 and 1.5 (a 5 is needed for a **SPAM** tag) - which in the grand scheme of things seems to be enough of a weight for the value of an RBL. Don't absolutely trust its value, but don't ignore it completely either.
I don't really see why anyone would use RBLs just by themselves. Personally, I have spamassassin catching the "big spams", you know the ones with webbugs, html-only, forged headers, etc. etc. I occasionally tag those as junk in my Mozilla Mail, while tagging my normal mail as not-junk. The Bayesian filter takes care of the occasionally sneaky spam. Once trained it's an awesome combination.
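The trained junk/not-junk filter that comment relies on is a naive Bayes classifier: each word's frequency in the user's own spam versus ham is turned into a probability and the message's words are combined. Mozilla's filter follows Paul Graham's "A Plan for Spam" formulation; the example below, added here and not taken from Mozilla, SpamAssassin or the paper, uses the plainer multinomial naive Bayes with add-one smoothing instead. The training corpus is constructed and tiny; the point is the mechanics, including why a high decision threshold is used (a false positive costs far more than a missed spam).

```python
import math
import re
from collections import Counter
from typing import List, Tuple

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> List[str]:
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self) -> None:
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text: str, is_spam: bool) -> None:
        label = "spam" if is_spam else "ham"
        self.tokens[label].update(tokenize(text))
        self.messages[label] += 1

    def _log_score(self, tokens: List[str], label: str) -> float:
        # log P(label) + sum log P(token | label); add-one smoothing keeps a
        # never-seen token from zeroing out the whole product
        vocab = len(set(self.tokens["spam"]) | set(self.tokens["ham"]))
        total = sum(self.tokens[label].values())
        prior = math.log(self.messages[label] / sum(self.messages.values()))
        return prior + sum(
            math.log((self.tokens[label][t] + 1) / (total + vocab)) for t in tokens)

    def spam_probability(self, text: str) -> float:
        if not all(self.messages.values()):
            raise ValueError("train on at least one spam and one ham message first")
        tokens = tokenize(text)
        ls, lh = self._log_score(tokens, "spam"), self._log_score(tokens, "ham")
        # P(spam | text) = e^ls / (e^ls + e^lh), computed without overflow
        diff = max(-700.0, min(700.0, lh - ls))
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text: str, threshold: float = 0.9) -> str:
        # a high threshold trades a little missed spam for fewer false positives
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (not real mail). A real filter is trained on
# the user's own junk/not-junk decisions, which is what makes it personal.
TRAINING: List[Tuple[str, bool]] = [
    ("Click here to buy cheap viagra now", True),
    ("Cheap meds, click here for free shipping", True),
    ("Buy now: cheap pills and free DVDs online", True),
    ("Free offer! Click here now", True),
    ("Meeting tomorrow at ten in the small room", False),
    ("Patch for the mail server is attached", False),
    ("Notes from the server meeting attached", False),
    ("Lunch tomorrow? The usual place", False),
]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for text, is_spam in TRAINING:
        f.train(text, is_spam)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for text in ("cheap viagra click here now", "meeting notes attached"):
        print(f"{f.spam_probability(text):.3f}  {f.classify(text)}  {text}")
```

Because the scores are per-user, a sender cannot tune a message against everyone's filter at once, which is the property that makes the trained filter catch the "occasionally sneaky spam" a fixed rule set misses.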
I do really hope something can be done about the most persistent of spammers - how many penis extensions have I been offered now? The stuff that comes through the letter box annoys me much less, but it's essentially the same thing. Maybe public floggings by all those affected by Spam should be inflicted on those who send this stuff out. God I hate this stuff.
Quite a bit, actually. This reads like a topical treatment by someone who really doesn't know the subject. For example, he mentions whitelisting in the solutions section but completely ignores the fact that there are already solutions, both commercial and open source, that use whitelisting, blacklisting, and greylisting. In fact, I wrote one about 6 months ago for a client, and they are quite happy with it; it affords them complete spam protection.
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
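Greylisting, the third technique named in that comment, is worth spelling out because it needs neither a list nor content analysis: the first delivery attempt for an unknown (client network, envelope sender, recipient) triple is refused with a temporary error, and only a retry after a delay is accepted. Real MTAs queue and retry; most spam cannons do not. The example below is added here and is not the commenter's product or any shipping implementation; the 300 s delay, 4 h retry window, 36 day memory and the 451 reply text are the conventional values used by common greylisters and are assumed, not prescribed. Keying on the /24 rather than the exact address is the usual concession to large senders that retry from a sibling host.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

Triple = Tuple[str, str, str]


class Greylister:
    """Greylisting as a RCPT TO policy: defer the first attempt for a new
    triple, accept a patient retry, remember the triple afterwards."""

    def __init__(self, min_delay: int = 300, retry_window: int = 4 * 3600,
                 keep_known: int = 36 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.min_delay, self.retry_window, self.keep_known = min_delay, retry_window, keep_known
        self.clock = clock
        self.pending: Dict[Triple, float] = {}   # triple -> time first seen
        self.known: Dict[Triple, float] = {}     # triple -> time last accepted

    @staticmethod
    def triple(client_ip: str, sender: str, rcpt: str) -> Triple:
        # Key on the /24: a sending farm retries from a sibling host, and a
        # strict per-IP key would greylist each one afresh.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip: str, sender: str, rcpt: str) -> Tuple[str, str]:
        """Return ('accept', reply) or ('defer', reply)."""
        now = self.clock()
        key = self.triple(client_ip, sender, rcpt)
        defer = ("defer", "451 4.7.1 Greylisted, please try again later")
        last = self.known.get(key)
        if last is not None and now - last <= self.keep_known:
            self.known[key] = now                 # refresh: still a real correspondent
            return ("accept", "250 2.1.5 Ok")
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now               # new, or the old attempt expired: start over
            return defer
        if now - first < self.min_delay:
            return defer                          # retried too fast, still deferred
        del self.pending[key]                     # a patient retry: promote to known
        self.known[key] = now
        return ("accept", "250 2.1.5 Ok")


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    g = Greylister(clock=clock)
    args = ("192.0.2.10", "alice@example.org", "bob@example.com")
    print(g.check(*args))            # deferred on first sight
    clock.advance(400)
    print(g.check(*args))            # accepted on the patient retry
```

The cost is the delay on first contact from a new correspondent, and the known failure mode is a legitimate sender whose retry comes from a different network each time; that is the case the /24 key and a manual whitelist exist for.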
Is this "published" just because he put it up on his website and told people about it, or will it actually be published in a journal somewhere?
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
My company was collateral damage on SPEWS last month and I kicked the *^&^#$* out of our ISP for hosting Global Travel on our netblock. They got booted and we got cleaned off the list. Bada-bing bada boom.
RBL's are like a fever. They tell you when something it wrong and only a dork blames the fever when the problem is the disease. Get your ISP to whack the spammer or change ISP's.
http://groups.google.com/groups?threadm=Fc6K9.262
My God! It's full of Voids!
There was this woman who spammed and made a living out of selling anti-spam services. A bit like the mob, really.
She doesn't really rely on people clicking through - all she needs is to drive up the irritation factor.
Stupid job ads, weird spam, occasional insight at
It's funny. First it was the spammer networks complaining about getting blocked. Now it's the customers on those networks complaining.
Here's an immediate answer to the problem. Change to an ISP that can control their network better. There are more ISPs out there than you can shake a stick at. Find one that actually cares. Now every ISP will have a spammer on it, but all it takes is a staff who cares to get the problem solved.
However good article. I personally don't agree with bouncing email - tagging it is far better like with using SpamAssassin.
RBLs however are a necessary evil since some networks are willing to allow spamming (or aren't capable of fixing the problem). There has to be some way to identify those networks who aren't playing nice.
The section on open relays I find rather odd. An 'open' relay is a relay that accepts mail from anyone to anyone, something which is an extremely bad habit. This guy starts arguing it's necessary to have open relays to deliver mail for some unspecified reason. It's not. You relay mail to legitimate addresses behind your mail relay, and you relay mail from legitimate addresses behind your mail relay, and you don't relay to anyone else. Then you don't have an open relay. There is no way there's any technical reason to relay from anyone on the outside to anyone else on the outside, ever.
Has he completely missed that point?
Oh, well. If I'm to replace RBL type filtering with another anti-spam mechanism, there's only one I'd consider. That one is going complete pre-mail opt-in, in which case he's far more screwed than he is today. Live with the trouble of RBL's and get your ISP to do the right thing, or get a far, far more draconian solution.
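The relay rule in that post, as a decision an MTA makes at RCPT TO time. The example below is added here and is not the paper's or any MTA's code; the local domains and internal network are assumed values. One practitioner's caveat is built in: the outbound half of the rule is decided on the client's network or a successful SMTP AUTH, never on whether MAIL FROM looks local, because the envelope sender costs nothing to forge. The second function shows exactly that mistake, which is what an open-relay test exploits.

```python
import ipaddress
from typing import Tuple

LOCAL_DOMAINS = {"example.com", "mail.example.com"}         # assumed
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # assumed


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def relay_decision(client_ip: str, authenticated: bool, mail_from: str, rcpt_to: str,
                   local_domains=LOCAL_DOMAINS, internal_nets=INTERNAL_NETS) -> Tuple[bool, str]:
    """Decided once per RCPT TO.
    Inbound mail for our own domains is always accepted, which also covers
    postmaster@ and bounces from the empty sender (MAIL FROM:<>).
    Relaying anywhere else is allowed only for clients on our own networks
    or that passed SMTP AUTH. mail_from is deliberately never consulted."""
    if _domain(rcpt_to) in local_domains:
        return True, "250 2.1.5 Ok (local delivery)"
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in internal_nets):
        return True, "250 2.1.5 Ok (relay for own client)"
    return False, "554 5.7.1 Relay access denied"


def sender_only_decision(client_ip: str, authenticated: bool, mail_from: str,
                         rcpt_to: str) -> Tuple[bool, str]:
    """The classic mistake: treating a local-looking MAIL FROM as proof that
    the client is ours. Anyone who knows one of your domain names can relay
    through this, so it is an open relay with extra steps."""
    if _domain(rcpt_to) in LOCAL_DOMAINS or _domain(mail_from) in LOCAL_DOMAINS:
        return True, "250 2.1.5 Ok"
    return False, "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    probe = ("203.0.113.7", False, "alice@example.com", "victim@example.org")
    print("correct:", relay_decision(*probe))          # denied
    print("sender-only:", sender_only_decision(*probe))  # accepted: relays for the outsider
```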
There is a simple web-based front-end that allows users to add and modify rules for accepting or rejecting mail based on a variety of factors, all saved in the database. Checking the subject, to, from, or the body of an incoming email for the presence (or absence) of certain strings is a simple example.
All of this is done in Perl using Mail::Audit, of course. I know there's SpamAssassin, but this was a little more fun (and customizable) for us.
The final check is the Realtime Blackhole List. When we first implemented this solution, we noticed in the logs that almost everything was on the RBL (even mail from yahoo.com). In fact, our own server was on the RBL. We'd never sent spam before, but I'm sure our relay was open at one time or another.
Since the system is configured to look for "accept mail" rules first, the solution came down to adding "accept" rules for pretty much everyone we knew, so that mail from known parties would be accepted even if on the RBL.
So now I get no spam at all - ever. I get very little mail at all in fact. It's really analogous to having an unlisted phone number. It's not the perfect solution by any means, but I'll take it any day over slogging through literally hundreds of spam mails every day ...
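The ordering that post describes, accept rules first, then reject rules, then the RBL as the final check, is a small policy engine. The example below is an added illustration in Python rather than the poster's Perl/Mail::Audit code; the rule shape, the header fields and the sample messages are constructed, and the DNSBL result is passed in as a boolean because the lookup itself is a separate step. The caveat a practitioner would add: an accept rule keyed on the From address is the first thing a spammer who knows your correspondents will forge, so in practice that override belongs on the sending host's network or an authenticated session, not on a header.

```python
import re
from typing import Dict, List, Tuple

# Rule shape assumed for the example: (action, header, test, value).
# Tests: "contains", "lacks" (the "lack of" case), "regex".
Rule = Tuple[str, str, str, str]


def rule_matches(rule: Rule, msg: Dict[str, str]) -> bool:
    _, header, test, value = rule
    text = msg.get(header, "")          # a missing header behaves as empty
    if test == "contains":
        return value.lower() in text.lower()
    if test == "lacks":
        return value.lower() not in text.lower()
    if test == "regex":
        return re.search(value, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown test {test!r}")


def decide(msg: Dict[str, str], rules: List[Rule], dnsbl_listed: bool) -> Tuple[str, str]:
    """Accept rules run first so a known party wins even if listed; then the
    reject rules; the DNSBL verdict is only consulted when nothing matched."""
    ordered = [r for r in rules if r[0] == "accept"] + [r for r in rules if r[0] == "reject"]
    for rule in ordered:
        if rule_matches(rule, msg):
            return rule[0], "matched " + repr(rule)
    if dnsbl_listed:
        return "reject", "client listed on DNSBL"
    return "accept", "no rule matched and client not listed"


# Constructed rule set: order in the list does not matter, action does.
RULES: List[Rule] = [
    ("reject", "subject", "regex", r"\bviagra\b"),
    ("reject", "message-id", "lacks", "@"),      # no (or malformed) Message-ID
    ("accept", "from", "contains", "@friend.example"),
]

# Constructed messages
FROM_FRIEND = {"from": "pal@friend.example", "subject": "viagra joke",
               "message-id": "<1@friend.example>"}
FROM_STRANGER = {"from": "x@other.example", "subject": "hi",
                 "message-id": "<2@other.example>"}
NO_MESSAGE_ID = {"from": "x@other.example", "subject": "hi"}

if __name__ == "__main__":
    print(decide(FROM_FRIEND, RULES, dnsbl_listed=True))
    print(decide(FROM_STRANGER, RULES, dnsbl_listed=True))
    print(decide(NO_MESSAGE_ID, RULES, dnsbl_listed=False))
```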
Tim had just set up an RBL replacement filter, since the RBL had quit wasting netblocks.
One week later, he checked to see how his spam filter (for windows) was doing. An animated trash can popped up in his face and said "Look at all the spam I collected - 500 messages!"
"Wow. That's a lot", Tom said to himself.
"Well, yes," the trash can said. Then waving its arm toward the Outlook inbox, it added, "But look at all the stuff I'm leaving behind! You must be really popular"
"But most of those are spam", Tom added after looking through it. "I'm Microsoft Spam Catcher, I set the STANDARD for what is spam and what is not, now that there is no RBL I have a MONOPOLY."
I used to receive 60 or so per day. This was on my old dial-up account. And spam is getting bigger and bigger! There was one idiot who kept sending me files of 350K. To make matters even worse, my ISP had set up an alternative email address which also get spammed as bad as the regular one (despite the fact I never used it), effectively giving me a double copy of every spam that came in. Of course the ISP refused to even acknowledge the fact that they delivered mail from two addresses into my mailbox, let alone do something about it.
Some days I spent 20 minutes downloading other peoples' garbage. Yes, I can kill that in a matter of seconds. Just wait for the killer-phonebill at the end of the month (I'm in Europe, so local calls are paid by the second).
All this is in the past. My new provider offers excellent anti-spam services and ADSL.
OK. I do not have enough patience to read through the entire article. but here are some thoughts. SPAM is a form of intrusion of privacy. It would be best to apply all laws and regulations to prevent/deter SPAM as you would to prevent intrusion of privacy.
1. If SPAM wasn't so bad or annoying, or system resource draining the USE of RBL's would not only decline it would likely stop.
_NOTE_ IOHE RBLs on a single mail server rejected over 70% of all incoming requests. It took more than 90 days before we had our first complaint from using that RBL. Think of all the mail that didn't get delivered and the saved disk space, system resources et al.
2. Any RBL used is the choice of **insert org here** and not on the people sending mail.
_NOTE_
Very often the people charged with running **insert org here**'s mail server have been told "you must reduce the amount of spam I receive". For many, RBLs are an effective way of doing just that.
3. If the authors point about the legality of relay testing can in fact be upheld in a court, then ALL SPAM is illegal. Since this has not been found to be the case in US courts, then relay testing must be legal. (i.e. 18 USC Sec. 1030 (a) 2 (c))
4. If the Sherman anti-trust act can be applied here then it would also apply for spammers. SPAM is more in violation of the anti-trust act than RBL lists. (Why? because it prevents the delivery of legitimate e-mail, thus purposely causing delays and interfering with commerce)
Other solutions mentioned are worth merit, but it should be pointed out that these solutions are most often used and are most effective when used in conjunction with RBLs. A better solution would be to fundamentally change the way e-mail delivery works. DJB (http://cr.yp.to) had an idea some time ago where the cost of e-mail sent is borne by the sender, not the receiver. That system may be the best bet. The ability to then block senders becomes a lot easier and your ISP doesn't have to do very much "heavy lifting". The spammers get to do it. I like that idea better.
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Having briefly looked at the paper, it seems like the usual complaining about RBLs as being too broad you see all the time in NANAE (news:news.admin.net-abuse.email).
Summary: someone tries to send email and finds that they're listed on SPEWS. They complain because "we're not an open relay", without figuring out just why they're on that list. Almost invariably, they're on the list because their ISP persistently ignores spam complaints and prefers spammer money to honest customer money. I think there's been about two or three actual mistakes in the SPEWS listings in the year or so I've been following NANAE. Otherwise, it's all been a legitimate extension of the block because the ISP knowingly ignores complaints and supports spammers.
Spam is theft. Theft of Bandwidth, theft of service and theft of time. It's that simple. Spammers are thieves. ISPs which support spammers are thieves. Soon, they'll be blocked from the public internet for anti-social behaviour. After all, if your local bargain supermarket ignored the thieves stealing 20% from every transaction you make with them, will you go back?
Many South American and Asian ISPs are blacklisted because they were quite happy to spam everyone when they could steal bandwidth and service from other ISPs. Now that they're blacklisted, they're whinging and moaning about 'freadom of speach', interference with interstate commerce, and other such bullshit.
It's about none of these things. Blacklists are about protecting your network from a Denial of Service attack by spammers.
People who complain about RBLs (or DNSBLs, to be more accurate) are missing the point. They should be complaining about spammers who think it's acceptable to steal my bandwidth and your bandwidth to advertise their product..
dave "the only good spammer is a rotting corpse, dangling from the noose"
Since you don't really know who might be sending you mail from that area, you may as well just have an opt in list.
Then you can have all the people you want to send you mail, mail you to be put on your opt in list.
He did address it, if you'd care to read. He just didn't itemize the arguments, since they don't need to be. The arguments and justifications for are simple, and are addressed in batch right after the list you mentioned.
No, you don't have to accept mail from me, but when you ignore my entire network, you don't know who else you are ignoring. And, if you just subscribe to a list, you have no idea who you are blackholing, or why. And since you are posting on slashdot, I know you don't have the free time to actually investigate these lists.
and
Scalable (resources)
Aren't mutually exclusive?
The author seems to be upset that innocent third-parties are being inconvenienced by black-hole lists. Tough shit. If it takes a thousand back-hoes cutting every Internet link to South Korea, China, Russia and other spam havens, to suppress spam, I will chip in for the diesel fuel. These ISPs don't care about spam and I don't care if they get BGP'd off the face of the Earth, along with any legitimate users they might serve.
Mea navis aericumbens anguillis abundat
I have an interesting program i use to check my mail with before my client downloads it.
... Obviously, friends' e-mails are left alone, even if they are tagged as spam (it also has an internal friends list).
:ppp
It's called MailWasher (probably locatable on tucows or something).
It downloads a list of messages and, depending on your configuration (now comes an example of mine), the program has its own blacklist (flags those mails as blacklisted), uses the SpamCop blacklist (to flag them as Blacklisted by SpamCop) and has some rules flagging messages as spam and possible spam. Then, depending on your config again, those messages are either tagged as Bounce, Delete or Friend.
This works very well. It only tagged 1 friend of mine once as Listed by SpamCop, and that probably was justified
Linux hosting for $2.50/mo
I run a server that was an open relay for 2 weeks by accident. Over 120,000 emails went through and the server was added to the lists of spam servers out there. How do you get off the spam lists now that it's locked down???
Clever message on the open relay. How about this one?
220-mail.XXXXX.com: By connecting to this host
220-you agree to be open relay tested by
220-njabl.org. You also agree
220-to only send traffic that complies with our
220 AUP and our provider's AUP. ESMTP
Seeing that your server must connect to mine first, I wonder which contract will be upheld in court?
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I suggest you read the mail. Go to the site. Use the resubmit-for-testing function and, hopefully, if you're secure, you will be off it in a few days.
1. RBLs are a good penalty for the world as a whole because no one wants to create good legislation(everyone is at fault for this).
2. If you hate spam, only accept encrypted messages. After all if you only hand out your public key to 'trusted' individuals, then you know when your mail is good.
3. This is yet another reason why everyone using the Internet should be required to be licensed. If you've been busted spamming, you should lose your license.
I don't get spam. At all. Despite my email address being posted to usenet groups regularly and being available on web sites.
If you're still getting spam, and whining about it, you really need to start thinking about how competent you are with respect to information technology and perhaps, maybe, it isn't the right profession for you.
There are many anti-spam technologies available and you know what? Some of them even work.
Government of the people, by corporate executives, for corporate profits.
Well, I have mod points but I have to reply.
So, this guy has a problem: his mail server is blacklisted because it is part of the same netblock as a spammer.
So, rather than switching to a responsible ISP that doesn't allow spammers on its network, he writes a long winded whine about how to solve the "problem" of RBLs (although, mind you, he doesn't give a solution, just what he thinks should be part of the solution).
What he doesn't seem to understand is that the blacklisting of entire netblocks is only done as a last resort when ISPs refuse to get rid of spammers on their networks. It is a punitive measure to try to force the ISP to act.
While I applaud this guy for doing his research, I think he is misguided and even narrow minded. If you are part of the 'collateral damage' because your ISP allows spammers on its network, do the right thing and take your business elsewhere.
I did not read the article in whole (I am at work right now) but it is a big deception to see that the author, in the section about other anti-spam measures, wrote only a single paragraph on user education. It's a big deception because this is the root of the problem. Sysadmins can fiddle all their time with SpamAssassin and Vipul's Razor, but as long as some moron will buy penis enlargement cream from a spammer, spam will continue to be profitable.
The only way to reliably and permanently stop spam is to make it unprofitable. Since spamming has near-zero cost, anti-spam measures must attack the revenue stream of spammers. The revenue stream is people buying into spam. Thus having fewer people buy into spam is the only effective anti-spam prevention measure. All the rest is just a Band-Aid in a losing battle.
BTW, this is the same thing with tele-marketing, junk fax, etc.
:wq
(1) You (and I) get too much spam.
(2) Your e-mail system administrator (and mine) need to keep beefing up the servers because the sheer volume of e-mail is growing so quickly.
To a first approximation, filters solve (1) but not (2), and black hole lists solve (2).
whirlycott summarizes the problem with (2) in two words: "collateral damage." How much of the e-mail network do we need to destroy in order to save it?
We need to move past first approximations. We need systems that work at the server level, but that somehow address the problems of collateral damage and false positives.
This is only the tip of the iceberg. Any network messaging medium is vulnerable to abuse by spammers. The problem started with Netnews, it continued with e-mail, and it's happening now with instant messaging. We need at least a high-level solution that helps solve the problem regardless of protocol.
I wish I had one.
Stupid job ads, weird spam, occasional insight at
Grab a copy of AI Roboform, install it, create accounts for each and every Senator and Representative you have. Sign the bums up for as much SPAM as you can. They may get the point. It will remain a problem as long as legislators are not personally affected by it. Drive the point home! Post their email addresses in newsgroups.
-----IGNORE this part-----
This way, perhaps, we can get Ralsky in jail, and stripped of his money from the SPAM. Make SPAM not pay, make it illegal to spam. Nuke foreign countries who allow SPAM, it would just take one nuke, and you just know SPAM comes from North Korea.
The problem, as I've said here before, is SMTP itself.
The RFC pretty much states that to be compliant, you have to accept the mail as it is presented. Can't achieve accurate or trusted reverse name lookup information on the sending system? Well, that's tough, take the mail (read this for yourself).
This problem stems from when systems on the Internet were inherently trusted. That's not the case any longer, and it's time for a new mail transmission standard.
For starters, it should allow system administrators the ability to give priority to systems that can present some form of credentials. SSL or keyed encryption, whatever the standard is, it will permit systems to give totally trusted access to systems that meet the specific security and trust guidelines of the receiving system, not the RFC (times have changed, tough).
Those systems that do not meet minimum trust levels will either have to clean up their act or take the time to contact the remote system to figure out the issue.
It won't stop spam, but it will go a long way to slowing it down and possibly providing some secure method of mail transport in the process.
It's important to realize the point of RBL blocking. It isn't to make end-users happy, it's designed to lower traffic on the mail servers. So a proposed solution needs to be something that the ISP can execute without having to analyze the email. RBLs monitor a single variable, IP, to determine whether it should be accepted or not. If someone could come up with an idea that processed emails based on another single variable, then we'd have ourselves a good spam filter.
One proviso: if anyone complains, I will look at it.
RFCs require that one accepts mail for postmaster@domain.com and from the empty envelope sender. Since I do this, I believe I am fully RFC compliant.
So stop whining about DNSBL. The problem is wider than that, and will not be solved by getting rid of DNSBL. The system isn't perfect, but that is not the issue.
Conversion Rate Optimisation French / English consultant
So where is the commercial version? Oh, I see you just unplugged the computer! Brilliant, but I point to prior art...
What is your e-mail address like? Do you get spam, but won't see it (filtering) or do you not just get it at all. I was thinking that maybe there's some blacklisting of spammer addresses and yours fits the pattern. So, what's the address like?
One idea that I've not seen discussed very much is that of mass false positive attacks on spammers.
The business models of most spammers depend on a very small percentage of respondents wanting to buy their crap. So if the internet community decided to swamp these true positives with as many false positives as possible, e.g. people asking for more info, saying they want to buy something but repeatedly forgetting credit card info, generally getting into purchasing correspondence with the spammers but never buying anything... then the business model of many spammers dies!
Of course, this depends on many people willing to dedicate time and effort to engaging spammers, but think of the satisfaction...
good idea / bad idea?
I have been a very loud protestor about collateral damage in news.admin.net-abuse.email. I well understand the problem but I think you over-estimate it. SPEWS deliberately lists non-spam-source IPs - that's collateral damage, that's wrong and avoidable. Take that away and the remaining collateral damage is unfortunate but not severe.
Many have changed how they use RBLs - instead of simply rejecting they send a reply asking for confirmation the sender is a real human. If that confirmation is made the original message is delivered. That seems to be simple, straightforward, and capable of reducing collateral damage to a very low level. It even has intelligence behind it.
I advocate relay spam honeypots (and open proxy honeypots - move with the times, keep up with the spammers). The white paper doesn't even mention these. The WP has the section asking if open relays are necessary. Well, no, they probably aren't. Is there a point? For how many years has there been an effort to secure open relays? Has it succeeded? The fact is that they are there - asking if they are necessary may inform you but it doesn't change the situation in any useful way.
For all these years the spammers have been given free access to the relay level - there's a self-satisfying division into the secure systems run by the wise and the open relays run by inept administrators. That division allows the operator of a secure system to condemn the operator of an open relay with confidence - he can strut. Yippee. As a spam-fighting tool it's close to a complete bust. Well, yeah, lots of open relays have been secured. BFD - there's still enough for the spammers, and RFC 2505 said it would be this way. Yo: RTFM (in this case RTFRFC.)
You want to hurt the spammers? OK, hurt them. It's not like you have to go out of your way - accept and deliver one of their relay tests and the chances are excellent they'll send you spam that you can discard. That's still a secure system, but it has teeth instead of gums.
There's all these people falling over themselves devising elaborate filters. If you simply open up a relay enough to accept the spam but not deliver it there's no filter needed - a non-mail-server system that receives relay email receives close to pure spam - you will never get a filter as selective as that. Accept and deliver the relay tests and you have screwed the spammer. I won't even enumerate all the ways he is or can be screwed but there's a bunch.
If 5% of the Windows systems with network connections ran Jackpot then spam would be dealt a mortal blow:
http://jackpot.uk.net/
It isn't hard, and it does tremendous good. Check it out.
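What that post calls a relay honeypot is an SMTP responder that answers like an open relay (250 to any MAIL and RCPT, "queued" after DATA) and forwards nothing. The example below is an added illustration and is not Jackpot or any other honeypot's code; it only captures, and does not implement the selective delivery of the scanner's test message that the post recommends, so a real deployment needs more than this. The local domain, the banner and the relay-probe session are constructed; the session runner prints both sides of the exchange the way it would appear in the honeypot's log.

```python
from dataclasses import dataclass
from typing import List, Optional

LOCAL_DOMAINS = {"honeypot.example"}   # assumed; any other recipient domain is a relay attempt


@dataclass
class Captured:
    helo: str
    mail_from: str
    rcpt_to: List[str]
    body: str
    relay_attempt: bool


def _addr(arg: str) -> str:
    """'FROM:<User@Host>' or 'TO:<user@host>' -> 'user@host' ('' for MAIL FROM:<>)."""
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


class RelayHoneypot:
    """Talks like an open relay but never forwards: every message is captured."""

    def __init__(self, local_domains=LOCAL_DOMAINS) -> None:
        self.local_domains = local_domains
        self.captured: List[Captured] = []
        self.helo = ""
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.body_lines: List[str] = []

    def greeting(self) -> str:
        return "220 mx.honeypot.example ESMTP"

    def feed(self, line: str) -> str:
        """Handle one client line; return the reply, or '' while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._capture()
                return "250 2.0.0 Ok: queued"          # the lie the probe is waiting for
            # undo dot-stuffing (RFC 5321 section 4.5.2)
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return "250 mx.honeypot.example"
        if verb == "MAIL":
            self.mail_from, self.rcpts = _addr(arg), []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            self.rcpts.append(_addr(arg))           # never "relaying denied"
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            self.in_data, self.body_lines = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.mail_from, self.rcpts = None, []
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _capture(self) -> None:
        relay = any(r.rsplit("@", 1)[-1] not in self.local_domains for r in self.rcpts)
        self.captured.append(Captured(self.helo, self.mail_from or "", list(self.rcpts),
                                      "\n".join(self.body_lines), relay))
        self.mail_from, self.rcpts = None, []


def run_session(hp: RelayHoneypot, client_lines: List[str]) -> List[str]:
    """Transcript of one session, both sides, as it would be logged."""
    transcript = ["S: " + hp.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = hp.feed(line)
        if reply:
            transcript.append("S: " + reply)
    return transcript


# Constructed relay probe in the shape a scanner sends: sender and recipient
# both off-site, a tag in the body to recognise the message if it comes back.
RELAY_PROBE = [
    "EHLO scanner.example.org",
    "MAIL FROM:<probe@example.org>",
    "RCPT TO:<probe@example.org>",
    "DATA",
    "Subject: relay test 1234",
    "",
    "..dot-stuffed line",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    hp = RelayHoneypot()
    print("\n".join(run_session(hp, RELAY_PROBE)))
    print(hp.captured)
```

A capture whose recipients are all off-site and whose body carries a tag is the relay test; everything that follows from the same client after a "queued" reply is the spam run the post describes, received in near-pure form without any filter.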
You (ISPs) just need to modify your IP allocation policies such that you put all known spammers in the "ghetto" address range. Said range gets blocked by RBL, none of your more legitimate users notice. The spammers can't complain because they are breaking your AUP (you have a well-defined AUP, don't you?).
People spam because it's dirt-cheap. If spammers had to pay 10 an email, you'd better believe they'd be a heck of a lot more cautious about who they send to.
And a "Stop Buying Spam Products" is doomed to fail, anyway, because it's a numbers game. If 1 person out of every 100 people spammed buys something, then it's probably an outrageously successful campaign.
The fact is, you may be throwing out 50 spam emails a day, but if you see a subject line that speaks to an immediate need, you're probably going to stop, read it, and consider a purchase.
So what you are saying is that we can get Ralsky put in jail, which will become his new company H.Q.
However, if he makes enough money spamming, we could use the money to make bigger jails so that we can imprison the other spammers
HallmarkOrnaments.Com
... see http://cr.yp.to/im2000.html
Isn't this how a blacklist is supposed to work? I thought the idea was precisely to annoy the honest users, such that they complain to the ISP. If the users know that they are blacklisted because of a spammer, they are likely to either leave the ISP or pressure it to turn the spammer off. It's not nice, but the intent is to get results.
I assert ownership of all trademarks and copyrights on this page.
See? More jails and the only food served would be...yep, Spam. all day all night Spam and water.
Actually I favor prisons being just that. Small rooms that are cold in the winter and hot in the summer. Hard, matressless stainless steel sleeping quarters. No TV, no nothing. No exercise! Just Spam for breakfast, lunch and dinner.
if you're not familiar yet with the good gnus, you may want to first acquire a browser that doesn't: begin to eXPloit you, &/or, "redirect" you, to the FraUDuleNT pourtolls of the stock markup hostage ransom scam liesense peddlers.
no phony DOWts any more?
ucann go over to father william's "free" hostdead session, if you knead this FraUDuleNT /.charade to .continue. you KNOW what to do, robbIE? @40?
Instead of running your mail server on a PC running Linux or a low - mid range Sun/IBM/HP/whatever box you have to run it on a Beowulf cluster of E10,000/s390/V-Class/Indian Supercomputers. Perfectly scalable, it's just that your hardware and support costs have gone up by several orders of magnitude.
Stephen
"Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall
Quirks mode instead of standards compliance mode! For shame!
A huge amount of spam is being sent through unsecured relays in Asia and South America. Consequently, an overwhelmingly large percentage of the hosts listed on RBLs are in fact based in these countries (see Wired article: Not All Asian E-Mail Is Spam). This amounts to nothing less than discrimination and isolationism that is being used to slowly cut off countries that have a critical importance in global matters
Obviously, if a huge amount of spam is coming from a huge amount of servers in a country, a huge amount of servers in that country are going to get blocked.
How about we drop the sensationalism here?
It's not some conspiracy to block all mail from Asia.
Look, maybe some people need to get mail from Asia, but I don't have any reason to. I'm not obligated to let anyone on the internet contact me at will. I can pick and choose who to block/accept at will. If people don't want their servers to get blocked, maybe they should deal with their spam problem. I don't have time to fix it for them.
Look at it this way:
The internet is this huge shared network. It has a finite amount of bandwidth and it works because everyone carries data to its destination.
The question here should not be if any nodes should ever get blocked. The question should be: How much junk traffic should a single node on the network have to generate before it happens?
At some point you have to start blocking people. If I start DOSing an email server (almost what spam is), I can expect to have my traffic blocked at some point. Maybe I have to send a million junk messages, maybe a billion, but at some point it's costing too much to carry and process my traffic. Yes, bandwidth costs money. That's just the way a system like the internet has to work. There have to be mechanisms in place to handle the case where a node starts misbehaving. One of those mechanisms has to be dropping traffic from that node.
Carrying junk traffic costs money. Filtering costs money. At some amount of traffic, the cost becomes too high, and you have to block the traffic. Think of it as a signal to noise ratio. There always needs to be some number, at which you pull the plug, because the data isn't worth dealing with anymore.(And filtering it is too expensive)
Any time you share something you're going to need the ability to do this. If I start driving in the middle of a two lane highway, I can expect to get pulled over and have my license revoked (eventually). It should be. I'm messing up things for everyone else and the sensible way to fix it is to remove me.
Life is too short to proofread.
Flood them with responses. A volunteer organization which floods them with answers. Not the answers they want, but answers they nevertheless have to take time to deal with. The trick is not to make spam impossible, but to make it unprofitable.
and a potential solution. Recently, I read an interview with a spammer. She said that she could make a profit with a response rate of .001 percent. That's right, .001 PERCENT. Our anti-spam measures actually help her target the gullible. But what if she had a response rate of 1 percent? She sends out millions of spams per day. Say she got 10,000 replies (or her customers did.) Not buying their dreck, but instead asking for more info or some such. Would they be able to find the legitimate responses in the deluge?
I work in tech support at a major ISP. At least twice a day I get a call from a customer who either has a friend whose e-mail was blocked, or is getting their e-mail blocked. I spent a week hearing from the same customer every day about their travails with our abuse department. Their friend lived in a small town in Canada with limited ISPs. Their friend spent six months ISP-hopping, having to notify everyone about their new e-mail address, etc. and then waiting for the local spammer to find that ISP and having to repeat the process. Some sort of more advanced filtering process is desperately needed. Blacklisting entire netblocks isn't going to stop spammers, as they can always find a new way to spam (see the new trend in Windows Messaging system spam). It's the legitimate users who get hurt. Better filtering technology will help, but I'm still in favor of charging users for e-mail. Once the profit margin is reduced far enough, spam will cease.
-merlyn
point taken. now we're up to -40.
It occurs to me that one way to avoid the spam is to keep a record of all outgoing emails on the backup servers, for (say) 1 week. Also, don't take accounts without a real, physical address, phone number, and either a real name or a corporate identity.
Finally, part of the user agreement should be that "if you send spam through us that gets us put on an RBL, you agree to pay damages of $1 per spam sent, $10 per spam if the number of spam emails was over 5000". Do that, and you can collect after a while.
As for me, I've found that I can set my Mozilla to block emails that contain the words "opt-in". Usually it works, but sometimes Mozilla misses it. I'm not sure why.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
This sounds so noble, but there isn't any system out there that won't have ANY false positives. Some false positives are just more obvious than others.
For example, the common technique of not letting your email address out in the public means that email from people you would like to receive email from (and vice versa) will often never happen because you don't know how to contact each other. Sure, this doesn't generate a bounce, or an error message, but it still means that this "solution" to the spam problem has interfered with legitimate email.
If you switch email addresses when old email addresses get too spammy, you will lose email from people who don't know about your new email address.
Obscuring your email address to try to prevent bots from collecting it will also prevent some people from figuring out how to email you. The same goes for email responders that require the sender to prove they are human before the email gets through.
Blacklists are judging everything based off an IP address and that can't possibly have no false positives.
Filters will trigger on keywords when the keywords aren't used in a spammy way.
I propose a different goal: People should be allowed to deal with spam any (legal) way they want. They can choose the method(s) that create an acceptable level of false positives for them. If you can't send email to them because they have made a choice, DON'T WHINE ABOUT IT.
I personally use spamassassin with modified DNSBL checks and RAZOR enabled. I have used DNSBLs before to block all email, but decided that created too many false positives for me, but I respect the choices of other people.
SPF support for most open source mail servers can be found at libspf2.
It couldn't have been easier.
While the article was very interesting, it seems that this Property of a Real Solution is not fully cooked. Nations, States, and Unions are defined by their laws and by the territorial boundaries over which those laws are operative. Removing the jurisdictional considerations from the law removes the basic tenet that one must have notice that any particular activity is criminal.
There is the saying that "Ignorance of the law is no excuse." This proposed legal solution requires not just knowledge of the law of your State of residence, but of every other jurisdiction in the world as well. That is indeed an untenable proposition, as there is unlikely any person alive that knows the laws, rules, and regulations of every jurisdiction.
While UCE is annoying, it is nothing special from a legal perspective. A *solution* to UCE (or any other annoyance) is not worth the consequences of a legal theory that subjects every person on the planet to every law on the planet.
The easiest solution to this is to use a mail client that supports PLAIN TEXT as an option to view all mail. I'm currently switching over to Mozilla Mail for this very reason. It's easy to do the following: View->Message Body As->Plain Text.
Voilà, problem solved. Try that in Outlook, Hotmail, or Yahoo?
In addition my mail provider (pair.com) uses SquirrelMail for their web interface which has a handy feature: "Display Attached Images with Message" -> Set it to NO. SquirrelMail also allows you to choose plain text or HTML as the default view for mail.
The best way to protect yourself is to find mail clients that work with you, not against you. Evil Outlook Preview is a great example!
SMTP already has a good way of authenticating who you are receiving email from. It is called the IP address of the machine that is contacting you and the IP sequence numbers of the packets that have to travel between you. All you need is a list of the IP addresses of the people who you want to receive email from and a list of ones you don't.
But, of course, this is what the current blacklists do!
Any email authentication system is going to run into most, if not all, of the same problems that DNSBLs run into. They are also going to have the problem of trying to get the entire world to change.
SPF support for most open source mail servers can be found at libspf2.
They tell you what the fuck RBLs actually are before moving beyond them.
--well, wish I knew what I was talking about here, but I'll try anyway, perhaps someone will recognize what I'm trying for. It might even exist for all I know.
I see spam as being an email protocol problem as much as anything else. Too easy, too easy for bots to get addresses now or guess them. The spammers are like drunk drivers on their 15th DUI, lost their license long ago, but are still on the roads. the deal is, we don't really have any road control, there's no traffic cops (and don't want them thankew). So, we need "new roads" that people can use to send "electronic mail" to each other that ISN'T something in common use yet. It needs to be setup so that only people that are trusted by anyone "you" can use. It's this name@someplace.com. See that @ symbol? How about a replacement, and some sort of new way to start "electronic mail" from scratch and build trusted private networks for correspondence, and something that didn't use that @ symbol?
Yes I know this is probably naive, don't know how to describe this better though. Is there such a critter in existence? If I was living in a floodplain, and had to constantly add to the sandbag piles to keep the water out, and it still leaked all the time, well, I'd just move someplace better. I see the email problem now to be just that, never ending war with spam, anti spam, anti anti spam, anti anti anti spam, etc. I'd rather scrap the whole email thing as it stands and start over with something "better", move OUT of the floodplain. So, I'm asking, where's the "high ground" to move to?
May I be rejecting legitimate e-mail if I block China.com? Absolutely. As a matter of fact I hope I do, I hope I block a whole bunch of them. Further, I'll tell them why.
"The network you're using sends an unacceptable amount of SPAM, there is a plethora of open relays and nothing is being done about it."
China.com admins may not give a rat's ass if I bitch and complain. But if their customer base goes ballistic because their service is unusable for this reason, then something may happen. The best solution? No, the best solution is to drag out and kill:
- Spammers
- Every idiot who's purchased herbal penis enlargement and HGH
IMHO
Computer Science is Applied Philosophy
1. Don't let a spammer verify your email address
2. Don't post your email address on the internet
3. Secure your email client
4. Avoid common email traps
5. Fight back
-Lunar One (91127)
Ralsky. He says, in a Detroit Free Press interview, that he has 50 spam servers in Dallas.
http://www.freep.com/money/tech/mwend22_20021122.htm
Just try to get the ISPs in Dallas to act with integrity, seek out the spam servers (they should leap out in any traffic analysis) and shut them down. The DNSBLs are close to useless here, it seems. Ralsky spams from Dallas using asymmetric IP routing: he spoofs the IPs of dialup systems from the servers. If anything gets nuked it's the dialup account, not the high-speed-linked system that actually sends the spam (the dialups only receive the return packets from the systems that receive the spam.)
(Maybe Ralsky spams from Dallas differently - earlier this year he surely was using the asymmetric IP approach. Ralsky did lose throwaway accounts on three different ISPs because of the actions of one honeypot operator: Michael Tokarev in Moscow. Unfortunately Michael shut the honeypot down in July:
http://www.corpit.ru/cgi-bin/h0n5yp0t )
Getting Ralsky in jail would be nice, and he deserves it. Before that it would be effective to so disrupt his spam operation that he experiences a negative cash flow. Honeypots are the way:
http://jackpot.uk.net/
Setting up the honeypots is the first step. Once enough are intercepting Ralsky spam notify the spam advertisers that huge amounts (don't tell them the actual amount) of their spam is being intercepted. Get them in billing disputes with Ralsky. If they also see sales going down (as they should) they may have a flash of intuition that tells them spam doesn't work any longer, and the interceptions are the reason.
But don't stop doing what works for you, of course - add in the honeypot for its effect on the spammers beyond your own system.
numbnuts.
Kinda like the one you're on for employment.
'SPEWS is bad, so DNSBLs are bad!'
Wrong. I use DNSBLs to block 10,000+ spams/week aimed at my users. I was using static relay REJECTs via the sendmail access file, but could not keep up with the torrent and increasing user complaints.
Aside from the obvious potential waste of time and bandwidth those 10,000 spams represent, much of it is obscene and sent by criminals.
I also track rejected mail and whitelist relays when necessary. This system works very well.
I chose not to use SPEWS due to collateral damage concerns. It's my call. If you are a postmaster, it's your call as well. One size does not fit all. DNSBLs are an invaluable tool.
I am admin/postmaster for a small college. Several months ago a new hack was developed that got through my version of sendmail. This was kind of ok because the spammers didn't know I was vulnerable.
Along comes one of the RBLs and tests my site. So far so good. But instead of sending an email to postmaster@the-blocked-site they post my IP and a sample of how to use my system to forward spam.
Several days later, on a weekend of course, the spammers started using me. The spammers aren't stupid either. They use the RBLs to find new relays.
I have fixed the problem. However, one small email notification would have prevented several hundred thousand spams. I wonder how many sites have been used this way?
Email is protected speech
That may well be so, but my choice not to listen to that speech is also protected.
If I want to block any and all email coming in to my server I will do so. If I choose to let another entity (like a blackhole list) tell me which email to block I will do so. This is my choice.
For an organisation with such high ideals, the EFF is really clueless with regard to this simple point.
So I go and kick them in the head, tell them how stupid they are.
No you don't. People around you are probably not as "savvy" as you and don't feel the same way about spam (i.e. care enough to be meticulous), so they're not as anal about hiding your address (or anyone else's).
Sure, you get bitter when you get that first bit o spam, but it would be pathetic to call these people stupid. And I doubt that anyone who posts to /. has ever come close to kicking someone in the head. Getting kicked in the head, probably......
The whole of his argument is "there might be collateral damage". Well duh! Choose a DNSBL (Note: RBL is the name of a specific DNS Blocking List) that has a policy against collateral damage. Some do, some don't. He's complaining that collateral damage hurts innocent parties. Well, he's just done the same thing he's complaining about by damaging the reputation of DNSBLs that don't do collateral damage.
-russ
Don't piss off The Angry Economist
My ass
Once your ISP allows people to test then maybe you'll get off the list of IPs that block open relay testing.
RBL results : 127.0.0.4, Test blockers: Null routed all access
So, exactly why are you, or your ISP, afraid to be tested? Oh I see, your stance may be that relay testing may well be illegal. Well tough. If someone turns up at your door and asks for entry you would ask for identification. Your ISP's stance in banning relay check connections is equivalent to not producing identification, but demanding entry anyway.
Until you can prove that you're not a spammer then don't expect your RBL status to change, and for those people that block on that status, you won't get through.
I forgot what it means to receive spam a long time ago. I just started generating unique aliases to my real email address for everyone who wants my email, i.e. instead of giving Bill Gates the realname@mydomain.com address I'm just giving him billgates@mydomain.com. If I start receiving spam sent to billgates@mydomain.com, I would know who leaked my address to the spammers and I can easily remove the alias. This is also very good for sites that don't have unsubscribe quite working - just delete the alias and you don't get more mails from these guys. You can do the same thing with a subdomain, i.e. me@billgates.mydomain.com
I wish all software supported this kind of addressing and made email address aliasing easy for everybody.
I can sympathize with paying the bill and the slow connection, there are solutions though. Building blacklists and the vigilantism that goes with them is nothing more than digital road rage.
In short, nobody would slow down the spammers and our inboxes would be flooded by spam, even if the filters were 99% effective.
The only way to reduce the amount of spam you receive is by reducing the amount of spam being sent.
Personally I use the SBL and DSBL lists to block mail from known spammers, their supporters and open relays and open proxies.
Spammers have a right to free speech, but they have no right to free speech on my property. If they want to advertise, let them set up a website I can view when I want to. Free speech is about speech in public areas and is not relevant when it comes to private property. Free speech does not trump private property rights. If you think free speech does apply to private property, send me your address and I'll organise an industrial and hardrock concert in your garden.
Having said that, I think it would be good if every user could choose for him/herself the filters used on his/her mailbox. If only because the users are likely to choose much more aggressive filtering than ISPs could ever set up by default.
Yes, the article does appear very one-sided.
;-) I wish I could afford a T-1 to my basement just like you!
However, the point being made is legitimate: RBLs find it simpler to tar an entire block as spam than to surgically excise the cancer. They've lost the pinpoint accuracy of years ago.
Simply defining a spammer as a sender with a dialup IP who relays email through a third-party smtp server is not valid.
I spend a couple thousand dollars a year on DSL, hosting, and network charges. I've owned and maintained several domains for a number of years. I don't send spam, none of my users send spam. So, why am I a "designated spammer?" Just because I have a dial-up IP? Damn. Isn't that kinda harsh?
Whining? Unfounded complaining? No. I guess I'm just one of the poor unfortunates who can't afford a T-1 to the noc where their servers live
In my region, the fast access choices are Verizon DSL or cable modem. Verizon (through its monopolistic business practices) has made it extremely hard for other companies to get 1.5MB DSL lines into most COs. That gives them a lock on fast DSL service. Unfortunately, Verizon does not give fixed IP addresses.
Mr. Simpleanswer says, "Well, just request one."
Simply requesting a fixed IP won't get you one. The mythical "fixed-IP" tests are almost always in the VA area or _very_ small service areas in NY. Verizon uses DHCP and only leases the IP address for 24-36 hours.
Comcast Cable still sucks. They have longer dhcp leases, but they are a suck-assed ISP listed as dial-up in many lists. And they have transfer limits on USENET. (WTF! What's up with that? What a dime-store operation!)
Changing ISPs to get a fixed-IP isn't an option. I need a fast line.
Mr. Simpleanswer says, "Well, why don't you just send email through your ISP's email servers?"
Well, that would look very professional and business-like, wouldn't it?
_My_ users expect _my_ emails to originate from _my_ domain. Does your sysadmin frequently send you email from a YaHoo address? From a Juno.com address? From a Verizon address?
Personally, if someone who represented themselves as a SysAdmin from Verizon sent _me_ an email from a different domain, it'd go into the trash. And anyone who says they'd pay heed to any such email is probably also one of those people you read about who do odd sexual things for unknown phone callers. You know the ones, like the lady who gave herself a breast self-exam for a "doctor" conducting a phone survey....
Anyway, to summarize, RBLs have lost the keen, effective edge they once held. Instead, they use the "Kill everyone and let god sort 'em out" approach to spam control. This is not a good thing.
Changing ISP or using an ISP's smtp server is not always practical.
Check out my spam-killing procmail script. It kills effectively 100% of all spam. You can find it here. I don't know why anyone would mess around with less effective spam filters. It's tiny, it's free, and NO MORE SPAM!
POPFile is a GREAT Bayesian based email categorization program. I've been using it for a couple of weeks. After minimal (~10 messages) training it has since been over 97% effective.
It only blocks LEGITIMATE e-mail from servers that may, at some time in the future possibly, be used by spammers as a relay. It does block from machines that have sent spam, but also those that have never done it, just the potential is there. It does not, however, block spam! At least, not effectively.
And, that's where the problems lie. Administrators are putting these things in, assuming they'll stop spam, and then getting pissy when you tell them legitimate mail isn't getting through.
I used to be the e-mail admin for my company. We somehow ended up on the worst of these lists, osirusoft. This, despite the fact that we used SMTP AUTH; YOU COULDN'T SEND MAIL WITHOUT A PASSWORD! And, once you get on one of the lists, you're on them all.
So, I spent the better part of a couple of days going through them all and having to prove I wasn't an open relay. They all but one removed us within a week, but that was a week we couldn't send mail to a few customers.
And, the one that didn't remove us in a week...osirusoft...they took over a month. Every day I went to their site and ran the "autotest". Every day I watched it say, "Relaying Denied, deleting from list". Every day, I watched another "proof" of our spamminess posted onto their list.
And, the idiot admins of the ISPs? "Well, you're obviously an open relay. I see dozens of spams being sent from your site on the osirusoft list!"
BTW, the osirusoft rbl is run by some loser in his basement. Great plan, basing your company's e-mail on some unemployed idiot with a chip on his shoulder.
Look at your spam, where does the majority come from? That's right, AOL & Hotmail. But, your company would NEVER allow you to block from them, they'd lose too many customers. Install an active filter, you'll see better results and less spam.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
I run a spam filtering service which uses DNSBLs along with other measures to reduce the spam that my customers receive. The customers who sign up for this service typically are completely swamped by unwanted email, in fact - one customer has a hit rate of over 60%. Yes, 60%. They had reached the point where their email was becoming useless, so they had to do something about it.
DNSBLs are a valuable tool when combined with other technologies and have a very low 'collateral damage' rate. For example, the customer mentioned above has never called to complain that valid email was blocked even though I remove over half of their mail before they get it.
As for someone's right to run an open relay, I guess they do have the right to run their server however they choose, but that right ends at my door. My server, my T1, my customers asking for help. I explain the risk of collateral damage to potential new customers, and explain they must trust me to make decisions on what is blocked and what is not. I try very hard not to be overzealous and it has served me well because no customer has ever left the service once they signed up.
I'm very sorry if the author of this article was inconvenienced by being blacklisted. But the needs of the many outweigh the needs of the few... or the one. (TM)
You seem to be upset that some groups have demanded that the smaller ISPs and less technological countries do the main work in solving the Spam problem. THEY ARE THE ONES RESPONSIBLE FOR IT IN THE FIRST PLACE. Yes, they may not personally be the people doing it, but they are part of a group that IS doing it. I think Blocking is TOTALLY appropriate punishment to the Asian Countries for their failure to police their ISPs and fight the evil of Spam. Note, I personally have had my email to a friend blocked because of the RBLs. He gave me a new email address, (at another small ISP) and the problem was solved. If you have that problem, SOLVE it by moving AWAY from the SPAMMERS, instead of supporting them by your laziness.
excitingthingstodo.blogspot.com
The same basic solutions to letting your customers know what public key(s) you use can be used to let your customers know what IP addresses you use.
While most DNS based systems are blacklists, there are DNS based whitelists such as Bonded Sender. The current version of spamassassin recognizes them.
The IP address is an identity and the IP sequence numbers prevent the identity from being spoofed/forged. Authentication based on the IP address is not the ultimate solution, but it has the advantage that it is already in use.
SPF support for most open source mail servers can be found at libspf2.
It performs a very similar function to Razor, but is a lot more open. You can run your own servers and participate in the global database, or run your own database independently.
http://www.rhyolite.com/anti-spam/dcc
Summary: someone tries to send email and finds that they're listed on SPEWS. They complain because "we're not an open relay", without figuring out just why they're on that list. Almost invariably, they're on the list because their ISP persistently ignores spam complaints and prefers spammer money to honest customer money. I think there's been about two or three actual mistakes in the SPEWS listings in the year or so I've been following NANAE. Otherwise, it's all been a legitimate extension of the block because the ISP knowingly ignores complaints and supports spammers.
Wait wait wait, let me quote that again. "it's a legitimate extension of the block because the ISP knowingly blah blah blah." My SMTP server is sitting on an IP block that is being "punished" by SPEWS. My ISP is not UUNet, but another ISP which is a customer of UUNet. SPEWS intention of punishing UUNet by blocking MY IP block is not "legitimate" by any definition of the word. I am not a spammer, and my ISP is not tolerant of spammers. But our upstream provider is. So screw us, we're paying the price for the spam jihad.
Open Relay RBLs, hell yes. That is fair and legitimate. But when you take the power given to you through the trust of those who use your service, and use it to beat down on the innocent in order to further your cause, that is unacceptable. I could spend weeks on the phone with UUNet. Do you think I could somehow convince them to stop supporting spammers? Give me a break. You think I can just switch ISPs? My company does telecommunications with voice lines over a DS3 with a contract with our provider for voice and data service. There is no chance of going to another ISP. So, if in the end I am forced to subscribe to ANOTHER T1, from a different provider, just so that our small company can do business, what purpose does that serve? How does that advance the cause? I am willing to make sacrifices for the anti-spam movement, but I don't see exactly what purpose blocking completely secured SMTP-AUTH non-spamming servers does. I followed the rules. I set up my servers responsibly. I still got fucked over. You tell me that's "legitimate."
Now listen to me very carefully. I HATE spam. I employ several spam filtering systems. I even use open relay black hole lists. I have even gone as far as to write my OWN anti-spam content filter system. I use SpamAssassin, but of course I had to comment out the rule for Osirusoft because Osirusoft uses SPEWS, and otherwise SPAM ASSASSIN ENDS UP BLOCKING MY OWN FRICKIN EMAIL. Here I stand, a supporter of the anti-spam cause, blocked with no recourse by people who refuse to talk to me about why I'm being punished. Whose ideas of legitimate include punishing so many of the innocent that the outcry is supposedly supposed to affect the guilty. (Read that sentence again, Mr. Bollocks) Blackhole lists are fair and legitimate as long as you aren't punishing one man for the action of another, and as long as you provide a method for clear and easy removal once terms have been complied with.
Miles "the only good anti-spammer, is the one who will take you off his damned list when you jump through the hoops"
The following is a list of the innocent businesses around my IP range which are punished for the actions of that worthless bastard Eric Reinertsen.
This is why I like spamassassin. It lets you look up DNSBLs, and include those in a mail's score. It combines these and distributed spam reporting services like razor (which could be abused, too, but only on a per-message basis, not whole sites or netblocks) with its own content-based checks and an automated whitelist facility.
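The DNSBL lookup that spamassassin folds into a mail's score (and that the "RBL results : 127.0.0.4" reply above is reading off), as an added example that is not SpamAssassin's code: it builds the reversed-address query name, reads the 127.0.0.x listing code, weights several lists instead of hard-rejecting on one, honours a relay whitelist, and runs the RFC 5782 self-test that catches a shut-down list answering for every address. The zone names, weights, return codes and the fake resolver are constructed for illustration; the resolver is injected so nothing touches the network.

```python
"""DNSBL lookup and weighted scoring, offline.

Added example, not SpamAssassin's code.  The resolver is injected so the
module runs without network access; the zone names, weights and
return-code meanings below are constructed (real zones publish their own).
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a DNS name to the A records it resolves to (empty list
# on NXDOMAIN).  Production code would wrap a real DNS library; here it
# is a plain callable so the scoring logic can be exercised offline.
Resolver = Callable[[str], List[str]]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed address labels under the zone.

    IPv4: 192.0.2.10 under dnsbl.example -> 10.2.0.192.dnsbl.example
    IPv6: every hex nibble of the expanded address becomes a label, reversed.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x code if `ip` is listed in `zone`, else None.

    Answers outside 127.0.0.0/8 are ignored: a listing is always a loopback
    code, anything else means a broken resolver or a hijacked zone.  Lookup
    errors count as 'not listed' so a DNS outage fails open instead of
    rejecting all inbound mail.
    """
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return None
    for a in answers:
        if ipaddress.ip_address(a) in LOOPBACK:
            return a
    return None


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A zone that lists 127.0.0.1 is answering for everything (typically a
    retired list wildcarded to make people stop querying it) and has to be
    disabled, or it silently blocks all mail.
    """
    return (dnsbl_listing("127.0.0.2", zone, resolve) is not None
            and dnsbl_listing("127.0.0.1", zone, resolve) is None)


def score_relay(ip: str, zones: Dict[str, float], whitelist: List[str],
                resolve: Resolver) -> Tuple[float, List[str]]:
    """Weighted DNSBL score for the connecting relay, scoring-style.

    Each zone adds a weight rather than forcing a reject, so one list's
    collateral listing cannot block mail by itself.  Whitelisted networks
    (the 'whitelist relays when necessary' practice) are never scored.
    """
    addr = ipaddress.ip_address(ip)
    for net in whitelist:
        if addr in ipaddress.ip_network(net, strict=False):
            return 0.0, [f"whitelisted by {net}"]
    total, reasons = 0.0, []
    for zone, weight in zones.items():
        if not zone_is_sane(zone, resolve):
            reasons.append(f"{zone}: failed RFC 5782 self-test, skipped")
            continue
        code = dnsbl_listing(ip, zone, resolve)
        if code is not None:
            total += weight
            reasons.append(f"{zone}: listed ({code}) +{weight}")
    return total, reasons


# Constructed fake DNS data: two healthy zones plus one dead, wildcarded zone.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.relays.dnsbl.example": ["127.0.0.2"],    # RFC 5782 test entry
    "2.0.0.127.sources.dnsbl.example": ["127.0.0.2"],   # RFC 5782 test entry
    "10.2.0.192.relays.dnsbl.example": ["127.0.0.4"],   # listed as open relay
    "10.2.0.192.sources.dnsbl.example": ["127.0.0.2"],  # listed as spam source
    "20.2.0.192.sources.dnsbl.example": ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS; dead.dnsbl.example answers for every name."""
    if name.endswith(".dead.dnsbl.example"):
        return ["127.0.0.2"]
    return FAKE_DNS.get(name, [])


ZONES = {"relays.dnsbl.example": 3.0,    # open-relay list
         "sources.dnsbl.example": 2.5,   # known spam-source list
         "dead.dnsbl.example": 4.0}      # retired list that would block everything
REJECT_THRESHOLD = 5.0

if __name__ == "__main__":
    for relay in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        s, why = score_relay(relay, ZONES, ["198.51.100.0/24"], fake_resolver)
        verdict = "reject" if s >= REJECT_THRESHOLD else "accept"
        print(f"{relay}: score {s:.1f} -> {verdict}; " + "; ".join(why))
```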
The author of the article is yet another person who misunderstands the problem. The problem is not how to prevent the delivery of spam; that has already been solved. The problem is how to get the ISPs hosting the spammers that continue to eat up our bandwidth to disconnect them from the network. Decent ISPs will just do that upon the discovery they have spammers. And it is acceptable to slap their hand once or even twice, but three spams and you're out. The problem is many ISPs are not decent at all, and will only act upon a financial incentive. Blocking the whole ISP is what is required. DNSBLs such as SPEWS are doing that incrementally with the intent to minimize the number of others affected for long enough to show to the ISP that they had better get rid of the spammers. At this point most ISPs will realize they will lose customers in the future, and will get rid of the spammers. A few will be stubborn, and will eventually have their entire address space listed. Not only do we not want mail from spammers, we don't want mail from anyone who supports spammers. And if you are paying money to an ISP who in turn is providing services to a spammer, then you are indirectly supporting spammers through financial benefits, such as the ISP offering the spammers lower rates through economy of scale. And do not forget that if you are doing this, that you and your ISP are benefiting off the costs incurred by others. All this article is, is a reflection of frustration by an individual who just doesn't get it, that he needs to either turn his ISP around to be a decent member of the internet community, or he needs to switch to another ISP. It looks like a lot of work went into it, but the premise being all wrong, the article is worthless and offers no solutions.
now we need to go OSS in diesel cars
I suggest you grow up.
DNSBLs function to block spam, not to punish.
As to who is responsible, an intelligent analysis would reveal that those who herd-like joined the "secure all open relays" crusade without even bothering to read the RFC (2505) that said that was a failed approach are more to blame - they pissed away years that could have been spent in an effective battle against spam (which would have been long gone if that had been done.) Now the herds follow SPEWS - more years of ineffectuality are being risked.
It is smaller ISPs and less technological countries that are to blame? Let me just mention a few entities that stand in stark contradiction to your claim: the United States, Worldcomm (uu.net), Broadwing, Sprint, Verio, Starnet, Rackspace. You gonna tell me that the 50 spam servers Ralsky uses in Dallas are on a smaller ISP? OK, name it - let's start telling them to act. I don't care if it's big or small - name it. I'd like to know.
Still, I agree that the case made against DNSBLs by the web page is weak - too weak to heed. I loudly oppose collateral damage but I see no evidence that it is rampant.
What I do is rather simple. I filter all mail through my address book. If you are not on the list, I don't care about your mail.
This way, I only get mail from 'known sources' into my INBOX, the rest goes to a SPAM folder. Every few days I'll quickly scan the headers of the SPAM folder to see if I have some mail from somebody who should be on the whitelist.
How was SpamCop missed in the "research" ?
By the stated definition (Technology, 1) there is only the act of theft but no such a thing as a thief ?
For the writing to be taken seriously it somehow needs to add some value to an intelligent discussion. Just stating that RBLs are not perfect is like stating that operations and amputations have drawbacks.
I have been using DNSRBLs for a while now. I can say for a fact that in the past 5 months our mail server (75 users) has had 0 legit emails blocked. There were 2 emails blocked by two of our corporate customers because they were running open relays. I count those as legit because clue sticks were applied very fast.
Let's assume that those 2 emails were totally legit. That leaves me with 2 emails that were blocked out of approx 15,000 emails that have gone through this server.
I'm sorry if this guy is dealing with users who are using ISPs/working for companies where the mail admin's obvious job qualification was "I have a computer at home", but I am not going to subject my users to crap email any more than I have to, nor am I going to waste my bandwidth processing messages from con artists.
If this guy does not like it, tough. It is my mail server. I am in charge of it. My users all appreciate not walking in the office Monday morning and having to sort through 300 emails trying to sell them fake viagra.
Oh-oh. "Double opt-in" is usually spammer-speak.
One line blog. I hear that they're called Twitters now.
Thinking about this (and having visited your website), I'd be really interested in seeing you spell out your logic. You say that you permanently block people who threaten to sue. Presumably those are people who are spamming? In that case, I can believe that you are within your rights not to receive their mail. For that matter, I can believe you within your rights not to receive anyone's mail.
If I was going to sue anyone (which looks unlikely, since we have only had one very short-lived SPEWS-related problem in over a year), it would not be for refusing to receive my mail, it would be for sending rejection notices that tell people that I am a spammer, which I am not. Exactly what is your problem with that? Has any innocent party ever tried litigation on that basis? If companies can be sued for the content of their websites, I really can't see how spreading damaging lies by automated email can be an acceptable activity.
Of course in this case, you are blocking my domain because I dared to express a point of view (which the moderators don't seem to dislike too much) in a discussion forum, despite the fact that our company has never sent a single spam, and I have never actually threatened you or any other company with any form of litigation. Have you seen Minority Report? If so, you appear to have been cheering for the wrong guys :-) This is the sort of orwellian behaviour that would normally result in a shock-horror article for YRO...
Virtually serving coffee
Spammers also scan mailservers for addresses. They try common last names with a letter or two prepended or appended, sometimes truncated to eight characters. They try common handles and nicknames. They try account names from other systems, etc.
Where I work, about every three months, our mailservers get massively attacked. It slows down incoming and outgoing mail and clogs our network. The only way we have thought to stop it is to modify sendmail to throttle the number of connections by IP, but that's a lot of work to stop a stupid spammer.
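The per-IP throttle the post above says it would take modifying sendmail to get, as an added example that is not part of the thread: a small RCPT TO guard that keeps answering 550 for unknown users as usual, but once one client IP has burned through a handful of them in a sliding window answers 421 to everything from that IP. A real MTA backs off and retries; the dictionary attack loses the yes/no answers it was harvesting. The user list, window and probe sequence are constructed.

```python
import time
from collections import defaultdict

VALID_USERS = {"alice", "bob"}          # constructed local user list
WINDOW_SECONDS = 600                     # sliding window per client IP
MAX_UNKNOWN_RCPT = 5                     # unknown recipients allowed per window

class HarvestGuard:
    """Per-IP throttle for RCPT TO.  Unknown recipients are answered 550 as
    usual, but once an IP burns through MAX_UNKNOWN_RCPT of them in the
    window it gets 421 for everything, which tells a real MTA to come back
    later and starves a dictionary attack of its answers."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.unknown = defaultdict(list)   # ip -> timestamps of 550s issued

    def rcpt_to(self, ip: str, local_part: str) -> str:
        now = self.clock()
        recent = [t for t in self.unknown[ip] if now - t < WINDOW_SECONDS]
        self.unknown[ip] = recent
        if len(recent) >= MAX_UNKNOWN_RCPT:
            return "421 4.7.0 Too many unknown recipients, try again later"
        if local_part.lower() in VALID_USERS:
            return "250 2.1.5 Ok"
        recent.append(now)
        return "550 5.1.1 User unknown"

# Constructed probe sequence of the kind the post describes: common surnames
# with a letter prepended or appended, with the real accounts at the end.
PROBES = ["smith", "jsmith", "smithj", "jones", "rjones", "alice", "bob"]

def simulate(clock_values):
    """Drive one attacker IP through PROBES, then let a second IP mail alice.
    clock_values supplies one timestamp per RCPT TO, in order.  Returns
    (attacker responses, bystander response)."""
    ticks = iter(clock_values)
    guard = HarvestGuard(clock=lambda: next(ticks))
    attacker = [guard.rcpt_to("192.0.2.99", p) for p in PROBES]
    bystander = guard.rcpt_to("192.0.2.7", "alice")
    return attacker, bystander

if __name__ == "__main__":
    for line in simulate(range(8))[0]:
        print(line)
```

The throttle is keyed on the client IP, not on the recipient, so a legitimate server on another address is unaffected even while the attack is running, and the window expiring lets a throttled address back in without operator action.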
If using hotmail or yahoo on your browser, turn off images and javascript in email.
How? I can't find those options in the Yahoo Mail Options. Now I could disable images and javascript entirely on my browser, but that's like putting a tourniquet around one's neck to stop the bleeding from a bloody nose.
Mail providers need to make it easy and painless for users to protect themselves.
We need a new protocol that makes the sender more accountable and traceable maybe. I would not think of knocking on your door to convince you that your disk is too small. But maybe via spam. Perhaps a protocol that demands a certain accountability from the sender ...
Another alternative is to use disposable email addresses for untrusted applications - qv spamgourmet.com (open source, with a free-to-use implementation).
The SMTP structure we have is a remarkable piece of engineering - it does a fantastic job of delivering each and every piece of mail, notifying the sender of failure, and trying for days to get through to intermittent servers. These principles are great for a network of people who are trustworthy -- we don't have that anymore. Spammers don't deserve this kind of reliability. Prolific use of disposable addresses that don't report back, and delete by default, would tend to lessen the value of the spammer's efforts.
who's moderating the meta-moderators?
Please use the lowercase version. Hormel has nicely let everyone use it even though it is similar to the name of their product. They only reserve the uppercase version.
Blackhole lists right now focus on the open relays. Why not focus on the original spammers themselves? Because the SMTP protocol doesn't allow for it. The fact is, you can put whatever addresses you want into the From: and Reply To: fields. There is no accountability to assure that the return addresses are owned by the person who sent the message, or even that such addresses even exist. If mail servers were required to "stand behind" the messages that they sent, the receiving server could call back the sending server, basically to ask "Did you really send that?" If the server denies sending the message, or the server doesn't exist in the first place, the message gets canceled and is never delivered to the named user. This would end the cloak of invisibility for the spammers. They'd have to either use a traceable user account at their ISP, or spam only from their own domain. No traceroute required, an authenticated username and domain show up in the From: line. This would cut down the collateral damage, because instead of blocking by IP address or netblock, the block would be by username and/or domain. What's more, really reputable ISPs could kill most of the spam in the time delay between the sending and the reading, as they would simply be able to refuse to authenticate the messages after being told they were spam. If the ISP doesn't, a retroactive black hole can lock out offending user accounts without having to lock out whole domains, unless it is determined that the domain belongs not to a multi-user ISP but a single-user spammer.
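The callback scheme proposed above, as an added example that is not part of the thread and not any deployed protocol: an origin server records the IDs it really sent, the receiving server asks it "did you send this, to this recipient?" before delivering, and the origin can later disown a message after a spam report, so blocking happens per account rather than per netblock. Everything here (the servers, the directory that stands in for an MX lookup, the message IDs) is hypothetical and constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Message:
    msg_id: str          # globally unique, minted by the origin server
    sender_domain: str
    sender_user: str
    recipient: str
    body: str

class OriginServer:
    """Hypothetical outbound server that must 'stand behind' what it sends."""
    def __init__(self, domain: str):
        self.domain = domain
        self.sent = {}          # msg_id -> (user, recipient)
        self.revoked = set()    # IDs disowned after a spam report

    def submit(self, user: str, recipient: str, body: str) -> Message:
        msg_id = f"{secrets.token_hex(8)}@{self.domain}"
        self.sent[msg_id] = (user, recipient)
        return Message(msg_id, self.domain, user, recipient, body)

    def did_you_send(self, msg_id: str, recipient: str) -> str:
        """Callback answer.  Binding the answer to the recipient stops a spammer
        who has seen one genuine ID from replaying it to everyone."""
        if msg_id in self.revoked:
            return "REVOKED"
        entry = self.sent.get(msg_id)
        if entry is None or entry[1] != recipient:
            return "NO"
        return "YES"

    def revoke(self, msg_id: str):
        self.revoked.add(msg_id)

class ReceivingServer:
    def __init__(self, directory: dict):
        self.directory = directory      # domain -> OriginServer; stands in for an MX lookup
        self.blocked_accounts = set()   # (domain, user): per-account, not per-netblock

    def accept(self, msg: Message) -> str:
        origin = self.directory.get(msg.sender_domain)
        if origin is None:
            return "reject: no server answers for " + msg.sender_domain
        answer = origin.did_you_send(msg.msg_id, msg.recipient)
        if answer != "YES":
            return "reject: origin says " + answer
        if (msg.sender_domain, msg.sender_user) in self.blocked_accounts:
            return "reject: account blacklisted"
        return "deliver"

def demo():
    """Constructed exchange: a genuine message, a forged one, a replay, a revocation."""
    isp = OriginServer("isp.example")
    rx = ReceivingServer({"isp.example": isp})
    real = isp.submit("carol", "dave@rx.example", "hello")
    forged = Message("deadbeef@isp.example", "isp.example", "carol", "dave@rx.example", "buy now")
    replay = Message(real.msg_id, "isp.example", "carol", "erin@rx.example", "buy now")
    results = {"real": rx.accept(real), "forged": rx.accept(forged), "replay": rx.accept(replay)}
    isp.revoke(real.msg_id)                     # after a spam report
    results["after_revoke"] = rx.accept(real)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The weak spot a practitioner would flag is the callback itself: unless the receiving server can authenticate that it is really talking to the domain's server (the thread's later suggestion of TLS certificates for SMTP servers is one way), a spammer who controls DNS or the path can answer "YES" on the origin's behalf, and the directory lookup here simply assumes that problem away.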
In both cases they attack only a symptom, they barely reduce at all the actual problem, they produce far greater damage than they solve, they are carried out by largely unaccountable fascists, their advocates show not the slightest hint of understanding in their response to complaints, and they continue down a single path forever with total disregard of cause and effect. Sentience not required, pure inertia will do.
I don't know why whirlycott and the IETF folk even bother to present such comprehensive arguments, it's a complete waste of time --- the RBL crowd response here was totally predictable, and very much a la "War on Drugs".
There is only one way to leave RBL behind, and that is to create a really good and totally ubiquitous mail control system that allows ISPs to accept or block items on a per-message basis under the control of rules which are configurable by their end users, with defaults for simplicity. The whole RBL thing will then become obsolete, and we might at long last focus again on getting mail delivered rather than not delivered.
Neither IP based whitelists nor PGP/SMime are workable until enough servers recognize them. If everyone could agree on a system, we'd be all over it. Plus global whitelists are susceptible to the same whims that blacklists are, both are a reflection of the group that maintains them. Some IPs are on blacklists for political or personal reasons. I'll bet that some whitelist will refuse to list us because we send e-mail for a Muslim newspaper, ignoring the fact that we do the same for a Jewish paper also.
I have a serious spam problem on my server. I have a couple of users who are amazingly profligate with how and where they share their e-mail address, and it has turned my server into an interesting anti-spam lab.
I tried the RBLs, but in my experience, they only work if you are reasonably careful with your address. Once you get on enough opt-in lists, you get so much spam from legitimate servers that RBLs don't work anymore.
The final answer has been to use a Bayesian filter which tags messages for filtering on the client. I'm using bogofilter, trained with a message corpus of about 10,000. This has been the only thing which has really worked, and the client side filter provides a safety valve against false positives. (Although, to date, I've had no false positives).
Well it's good to know where you stand on this.
However, you're being inefficient. Once you've identified a spammer's country, or at least their city, why not just nuke them? This will be really effective, as it takes out the spammer's infrastructure at the same time.
You really must try harder, or you'll get thrown out of the BOFH fascist guild for being a namby pamby moderate. I mean for crying out loud, you haven't even mentioned torture once. Sheesh.
What about all the porn spam??????
I am personally going to kill the bitch with her webcam, I AM SICK OF THE SPAM FOR PORN!!!
If that is true, then how do those work?
Religion is the opium of the people. Evolution is the opium of scientists.
Even if only implemented at a server level (verification of host/sender) this could remove a good deal of spam - and could do that on a per host basis.
For the most part it's not hard to do either.
It will be hard to get done. At an individual level everyone needs to get the right software and keys. This won't be easy. Nor will it be easy to get governments - filled with politicians who are more likely to label any cryptographic services as helping terrorism or anti-government activities (and who may well have sold their souls to the spammers) to agree. And I can easily see the spammers suing people to try to prevent them from using this (more a problem at the server level - the idea of spammers filing a million or so suits against individuals just makes me grin - Spam Lawsuits).
Then too, if cryptographic services are available many people might just encrypt their email - and the folks in power would like that even less.
Key distribution is also a problem in the case that you might want to add someone to your accept list - you need to verify their identity somehow.
So it's a great solution. It would probably work. And it's unlikely to occur.
...but I couldn't stand being labeled as the author's enemy and begged to keep reading.
They are many and varied. Some are completely automated and have no way to include "collateral damage". Some specifically say they will block entire netblocks if the ISP is unresponsive.
I have no problem with DNS black lists as long as they do what they say they are doing.
When they deviate, yes, that's a problem for both their users and, potentially, for owners of the IPs in the list.
So exactly which lists are you complaining about? MAPS? I believe they have been dropped by most users.
Since I blocked Asia (except Japan) in my firewall I get exactly 0 spam messages a day :)
ekrout (xmas edition)
Yes, DCC looks very promising. My university uses it and I have never seen it mark a message as spam when it wasn't (this is very good).
It often misses spams, but as more people run DCC servers the detection will improve. Detection also improves as spammers target more recipients at once - in a way, they're announcing their presence to the system.
Keep an eye on this one! See the dcc FAQ.
With luck he'd be in one of those jails where he might find himself on the receiving end of (um, sorry about this) UCE (Unsolicited Cock Explorations) of his private space.
And a stop-gap solution is what is needed.
... damn, just think of all the boxes, all the software, that would have to be rewritten to use the new protocol. And filters are increasingly ineffective, basically because the spammers are aware of them and design the spam accordingly.
Legal solutions will take years, if they are ever effective. Fixing the SMTP protocol will take even longer. The process of writing the RFC is bound to be long and drawn out, and implementing it
We need a solution now, not years from now. Today, a portion of what I pay my ISP goes to cover the costs of receiving spam. Today, I have more than one email address that's become unusable due to the sheer volume of spam. Today, while I'll let my kid surf the net without worrying about it, I won't let her have an email address due to the fact that eventually she'll start getting explicit sexual photos in her mail.
Some have said that the spam situation should be fixed without breaking email. I agree. However, the spam situation is on the verge of breaking email all on its own.
No, your email isn't blocked. Were it blocked, it'd never leave your mail client. Here's what REALLY happens. Your email leaves your mail client, and goes to your ISPs mailserver. You have a contract with them, so they accept it. Then THEY try to send it to us. Now, at this point you're dealing ENTIRELY on OUR hardware, OUR bandwidth, and OUR good graces. Those of us who are SICK AND FUCKING TIRED of having 100x more spam then real mail have quit accepting mail from well-known spammers.
As long as you DIRECTLY support spammers by continuing to use a spam-friendly ISP, your mail will be blocked. Period. You subsidize the rape and pillage of my mailserver and the mindless wasting of my time. And you really have no choice but to move. Wah. Because the alternative is for EVERYONE ELSE ON THE FUCKING INTERNET TO CHANGE THEIR EMAIL ADDRESS EVERY MONTH SO IT'S NOT ON THE SPAMMERS LISTS. DO YOU UNDERSTAND THE COST SHIFTING INVOLVED HERE? IS THIS LOUD ENOUGH TO GET THROUGH?
YOU are DIRECTLY responsible for sending me "Young horny teens get f**ked by a horse with a 31 inch c**k!" (Yes, really *'d out in the message)
Spamassassin is useless. Spammers tune their spams to be under the 3.0... you can't really filter harsher than that without blocking legit mail. The fact that it's open source only makes about a 1 week difference anyway. (Closed filters like hotmail/AOL/earthlink get bypassed in about that long)
The 'bayesian' solution is cute, but doesn't really work beyond an individual level, which means that everyone gets to spend hours sorting through spam (and it still slips through). It also fails because it's looking at single words. If a friend sends me a mail that includes just 15 poorly chosen words, it gets blocked. If someone implements a two-word version, it may work better.
Add to the fact that a single legit email blocked means you have to read through EVERY spam-marked message looking for more.
So far, the only solution that's made my email workable is whitelisting. And THAT is a lot fucking worse than the RBL. If you're not on my whitelist, you don't talk to me. Period. No Chinese. No Koreans. No Brazilians. No Dutch. No AOL users. Nobody from a small ISP. You're ALL off the net as far as I'm concerned. Nothing that's not a reply to an email I sent. My email is useless for you, but it works for me.
(That's actually an overstatement. I do read the discard folder. Once a week. With the 'd' key. So if you don't invite me to see your webcam, I may read your email.)
Hunt down spammers and IMPALE THEM!!!
While I like seeing reasonable balanced presentations of the pros and cons (having to operate spam filters for a very large corporation), his paper is not only riddled with factual errors, it's clear he doesn't understand the subject matter at all. The most egregious mistake:
1) He talks about RBLs (in his terms, "open relays"). The minority of DNSBLs are open relay lists. By his terms, several of his sample RBLs (i.e. Spamhaus) are _not_ RBLs. His paper should have been about DNSBLs in general, not RBLs specifically, and indicated DNSBLs have different listing criteria. I.e. spam sources (i.e. SPEWS, Spamhaus), open relays (his "RBL": i.e. RSL, OSIRUS inputs, ORDB, ORBL, etc), open http/socks proxies (BOPM, MONKEYS, OSIRUS socks and proxy), DHCP pools (e.g. PDL). Given the above _extreme_ defect, the paper is essentially useless. Here are defects in his coverage of RBLs:
2) He talks as if RBL listings for open relays should be "appealable". An open relay is either open and abusable or it isn't. Most RBLs mechanically test servers for open relay - there is no subjective judgement here.
3) Claims that getting delisted by RBLs is difficult and rare - a little research will show that most RBLs retest (either on demand or by time schedule). ORDB and OSIRUS inputs are _particularly_ good at delisting relays that now test closed within a very short period of time.
4) He implies that open relays are desirable. There is no legitimate reason of _any_ kind for an unrestricted open relay. By policy, we will simply not accept email from an open relay/http/socks proxy, because virtually all of it is spam.
5) Unaccountable? If they were, we wouldn't use them. Undocumented? Ditto. DNSBLs have to have predictable behaviour before they're safe to use. Several of the ones he lists are very professionally run and quite trustworthy. Some of them are the opposite. Whether they're good or not is a defect in the implementation, not the concept of DNSBLs.
6) His research on alternate techniques is quite deficient - no mention of DCC, CloudMark, Postini etc. My favourite remark in the paper: RBL mechanisms frequently cause a lot of trouble for legitimate Internet users who are trying to send non-spam email in addition to their intended goal. This implies that the intended goal is to send spam. Oops.
With all due respect, you're an idiot.
"Well, why don't you just send email through your ISP's email servers?"
Well, that would look very professional and business-like, wouldn't it?
If you actually knew how to configure an email client, it sure would.
_My_ users expect _my_ emails to originate from _my_ domain.
You're saying that your users check the Received: headers, to make sure that the email you send comes from your server? If so, I call bullshit on you.
Does your sysadmin frequently send you email from a YaHoo address? From a Juno.com address? From a Verizon address?
Well, I am a sysadmin. And the "From:" line in my email comes from (gasp) my domain, even when I dial in from home, because (unlike you) I know how to configure an email client.
If you really are an admin, I have great pity for your users. I hope they find out how incompetent you really are, so they can find someone who actually knows what they're doing.
People who email me for the first time will get a "please confirm" message to get their email address into the whitelist. This request is sent automatically and the response is processed automatically, so it requires none of my time.
The bandwidth cost is the biggest thing. Every spam I get creates an outgoing "subscription request" message, and usually a "no such user" bounce because spammers almost always use bogus From and Reply-to addresses. The impact is pretty trivial for me on my DSL-hosted SMTP server. I'm not sure how it would scale for an ISP. But, if it cost a dollar per user per month... it works well enough that I'd pay that if I had to. Heck, it's half the reason I'm paying an extra $20/month for static IP address.
A PKI-based authentication with support at the transport level would be even better. In the meantime, this approach works for me, and it works really, really well. I get about a hundred messages a day, and about one spam per week.
Build stuff. Stuff that walks, stuff that rolls, whatever.
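The automated challenge-response whitelist the post above runs, as an added example that is not the poster's own code: the "please confirm" address carries an HMAC over the sender address and issue time, so a confirmation only whitelists the sender if it came from someone who actually received mail at that address and replied within the validity window. It also refuses to challenge the null sender, which is the one change that removes most of the bounce traffic the poster complains about. The secret, domain and TTL are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-per-server-secret"   # assumption: one secret per mail server
CHALLENGE_DOMAIN = "example.net"             # hypothetical domain the challenges come from
TOKEN_TTL = 7 * 86400                        # a confirmation is good for a week
WHITELIST = set()

def _mac(sender: str, issued: int) -> str:
    msg = f"{sender.lower()}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]

def make_challenge_address(sender: str, now: int) -> str:
    """Reply address embedded in the 'please confirm' message.  The token is
    an HMAC over the sender and issue time, so it is only useful to someone
    who actually received mail at that sender address."""
    return f"confirm+{now}.{_mac(sender, now)}@{CHALLENGE_DOMAIN}"

def process_confirmation(reply_to: str, sender: str, now: int) -> bool:
    """Called when mail arrives at a confirm+... address.  Whitelists the
    sender only if the token is genuine, unexpired and issued for that sender."""
    local, _, domain = reply_to.rpartition("@")
    if domain.lower() != CHALLENGE_DOMAIN or not local.startswith("confirm+"):
        return False
    try:
        issued_s, mac = local[len("confirm+"):].split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if now - issued > TOKEN_TTL:
        return False
    if not hmac.compare_digest(mac, _mac(sender, issued)):
        return False
    WHITELIST.add(sender.lower())
    return True

def handle_incoming(sender: str, now: int = None) -> str:
    """Decision for an ordinary inbound message: deliver, or send a challenge."""
    now = int(time.time()) if now is None else now
    if sender == "":
        return "hold"        # null sender (a bounce): never challenge, or you generate backscatter
    if sender.lower() in WHITELIST:
        return "deliver"
    return "challenge:" + make_challenge_address(sender, now)
```

Mail that is "held" rather than challenged (bounces, and anything that fails the token check) goes to the folder the poster already reads by hand, so nothing is silently lost; the scheme only guarantees that the whitelist cannot be populated by anyone who never saw the challenge.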
This puts undue pressure on a potentially responsible ISP
Potentially responsible? Isn't that like me claiming I was "potentially an 8'5" Swedish woman"?
Either the ISP is responsible or they aren't. If they are, then they won't be on the DNSBL.
he spoofs the IPs of dialup systems from the servers.
Bzzzt! Thanks for playing, but you cannot send SPAM (or any other kind of email) using a spoofed IP address. SMTP rides over TCP, which requires a handshake prior to establishment of a session. And this requires a real IP address, because the initiator must reply to the reply, before any higher layer data can be sent. Nice try, though.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Some experienced sysadmins do not endorse SPEWS' wholesale blacklisting of entire netblock neighborhoods. Those admins choose not to use SPEWS RBL, but may choose to use RBLs that cause less collateral damage. Some experienced sysadmins use SPEWS RBL because they do endorse SPEWS' clearly documented process which bears many similarities to economic extortion.
Many inexperienced sysadmins use osirusoft (e.g via SpamAssassin) without knowing the difference between SPEWS and other RBLs aggregated by osirusoft. Without knowing that difference, these inexperienced sysadmins unknowingly endorse SPEWS' clearly documented process which bears many similarities to economic extortion.
One answer is a SPEWS whitelist + reciprocal blacklisting. Create a whitelist of SPEWS-blacklisted-but-collateral-damage IPs which have *never* been accused by SPEWS (or other RBL) of spamming. When an ISP causes collateral damage by enforcing the SPEWS RBL against a presumed-guilty-but-never-accused IP that exists in the SPEWS whitelist, ask the individual sysadmin to use the SPEWS-collateral-damage whitelist.
If an individual sysadmin uses the SPEWS RBL but chooses not to use the SPEWS-collateral-damage whitelist, they would be endorsing SPEWS clearly documented process which bears many similarities to economic extortion. Such explicit endorsement will earn such individual sysadmins membership in an IP blacklist of "sysadmins who support SPEWS' clearly documented process which bears many similarities to economic extortion". This blacklist would then be enforced by sysadmins whose IPs are SPEWS-blacklisted-without-spam-accusation .
This unbundling mechanism provides a technical means for individual sysadmins to endorse SPEWS valuable spam-fighting contributions without endorsing SPEWS' clearly documented process which bears many similarities to economic extortion.
Long-term, the solution is pseudonymous, non-profit TLS certificates for SMTP servers with social (not economic or calendar) seniority (c.f. Apache Incubator). The economic variety exists at bondedsender.org, along with whitelist patches for popular open-source MTAs.
Instead of a single global list, would you rather your upstream's IP holdings be placed in the filters of thousands of individual ISPs? That way, when your upstream cleans up its act rather than being delisted from a single source, they'll have to be delisted from thousands of different sources (many of whom won't bother to fix their lists).
STOP MISUSING APOSTROPHES, YOU MORONS!!!
The problem is not you making a personal decision to create false positives for yourself. The problem is other people making decisions for you which block mail which is not spam without your knowledge.
The problem is some ISP between you and your friends/family/coworkers deciding that your friends'/family's/coworkers' mail is spam without you having any say in it.
The idea is that YOU should decide what false positives to deal with, not a government or an unaccountable entity like an ISP.
The fact is that RBLs in general, and SPEWS in particular, do *not* choose the brutal method first. But if the ISP insists on being irresponsible, then he has no right to a second warning.
Yo - I **saw** it. Read what I said: he spoofs the IP of a dialup from a system with a fast connection and receives the handshake packets on the dialup IP. These he communicates back to the sending system - the loop is complete. That way he can do port 25 traffic on dialups (e.g. those of uu.net) which don't allow OUTGOING port 25 traffic. The outgoing traffic is on the fast side and spoofs the dialup IP. If a successful spam complaint is made then all he loses is the account used to do the dialup - it's a throwaway account anyway. For a while the complaints would be ignored, if the claim was made that the spam came from the dialup. Abuse at the ISP KNOWS that outgoing port 25 is disabled - it can't be a spam source. But it is, as far as the IPs indicate. The ISP DOESN'T and CAN'T block outgoing spam with its systems' IPs when that spam goes out from another ISP.
It took a while to convince uu.net (one of the dialup ISPs.) Once they were convinced they moved right smartly.
But Ralsky never anticipated getting throwaway accounts thrown away one after the other, in just minutes. By sending the URL of the Moscow web page (the last contents can still be seen at http://www.corpit.ru/cgi-bin/h0n5yp0t) to abuse at the ISP of the dialup you give the abuse desk a tool they can use to watch for new IP addresses in their space. They only need to hit reload on their browser to see if a new IP in their space appears. Once it does they verify how it is being used (to receive return packets for spam) and nuke.
Ralsky lost three ISPs in one weekend that way - he burned all his throwaway accounts on three different ISPs. He never saw anything like that before.
Next weekend he was back - he didn't figure out how he was being hit (right about then Shiksaa, who is known to communicate with Ralsky, said in NANAE "a spammer" was begging her to get off SPEWS - it was killing him. Would *I* tell him what was really causing him the grief? I can't be sure it was Ralsky, but that's what I'd bet.)
As far as I can tell the sending system need not ever have an IP. Even if it does it need never use it or respond to it. (This is immaterial to the scam - just observations.)
You may not see one of the morals: The spammer can be tres clever but a simple, dumb honeypot can still overthrow him. Not that Michael's honeypot was dumb - he added the brilliant idea of a web page that had a real-time log of incoming relay spam.
(More recently Michael's very simple open proxy honeypot that he wrote at about the same time fooled another spammer - it was idle for months, then a spammer hit it. Too beautiful for words, almost.)
If you can't deliver mail to me because my provider bounces it, then find a different way to contact me. Don't tell him that I want him to whitelist you, because I don't. Had I wanted him to, I would have asked him to. If he stops blocking known spam sources, then I will move to a provider that is willing to block.
The Anti-Spam Nazis block YOU!
Charging for e-mail would kill the legitimate mailing lists. What we need is legislation comparable to the junk fax provisions of the TCPA and to the failed H.R. 1748 from Rep Smith.
The legitimate part of the email list industry responded with "double opt-in" to indicate that the listbot sends the recipient a message saying "you or somebody pretending to be you asked to subscribe you to the list, click here or reply if you really want to be on the list" and doesn't add the user to the list if they don't confirm. Most legitimate mailing lists bots do that, though some don't bother. Spammers occasionally claim to be double opt-in, but that's just because they're liars.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There are a lot of ISPs that only allow their own email addresses to pass. I think OP is hinting at this.
The Internet community used to do what you describe. It was ineffective, which is why the current tactics were adopted.
If you're an individual user, a computation-intensive spamassassin approach can do a really good job of blocking most spam and blocking very little non-spam. But if you're an ISP or Mail Service Provider, having a conservative RBL can save you a lot of resources, including bandwidth and computation, by throwing away the high-volume relay-abuse spams with as little work as possible, saving the more complex work for mail that's less likely to be spam. (By conservative, I mean "trying to only block actual relays and other known spammer systems", as opposed to "broad-spectrum insecticides and lists that do collateral damage to pressure ISPs or harass their competition.") That might be a 25-50% reduction in total email that the ISP needs to handle, but from an instantaneous-resources standpoint, it's probably higher than that, because spam tends to come in high-volume blasts, while real email is mostly Poisson arrivals. And if an ISP's failure responses are the "Temporarily inaccessible, try again later" type as opposed to permanent rejections, real email systems are much more likely to try again later than spammers are (though of course open relays may still try again later, because they're just mal-administered, not necessarily broken.)
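The ordering the post above argues for, as an added example that is not part of the thread: a conservative relay list gets a permanent 5xx with no further work spent, while everything else first gets a temporary 4xx on its first attempt and is only passed on to the expensive content filter once the same (client IP, sender, recipient) triple comes back after a delay, which real MTAs do and spam blasts mostly do not. The block list, delays and delivery schedule are constructed.

```python
RELAY_BLOCKLIST = {"192.0.2.77"}   # constructed: addresses a conservative relay list has tested open
GREYLIST_DELAY = 300               # seconds a new triple must wait before it is let through
GREYLIST_EXPIRE = 4 * 3600         # forget triples that never retry within this window

class InboundPolicy:
    """Cheap checks first, expensive content filtering last."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}      # (ip, sender, rcpt) -> time first seen
        self.known_good = set()

    def check(self, ip: str, sender: str, rcpt: str) -> str:
        now = self.clock()
        if ip in RELAY_BLOCKLIST:
            # Permanent failure: nothing further is spent on this connection.
            return "550 5.7.1 Open relay, mail refused"
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.known_good:
            return "250 2.1.5 Ok, passing to content filter"
        first = self.pending.get(key)
        if first is None or now - first > GREYLIST_EXPIRE:
            # First sight (or a stale record): ask the sender to retry.
            self.pending[key] = now
            return "451 4.7.1 Try again later"
        if now - first < GREYLIST_DELAY:
            # Came back too fast: spamware hammering, not an MTA queue run.
            return "451 4.7.1 Try again later"
        del self.pending[key]
        self.known_good.add(key)
        return "250 2.1.5 Ok, passing to content filter"

def simulate(schedule):
    """schedule: list of (t, ip, sender, rcpt), constructed.  Returns the SMTP
    status code issued for each attempt, in order."""
    ticks = iter(t for t, *_ in schedule)
    policy = InboundPolicy(clock=lambda: next(ticks))
    return [policy.check(ip, s, r).split()[0] for _, ip, s, r in schedule]

if __name__ == "__main__":
    demo = [
        (0, "192.0.2.77", "x@spam.example", "me@example.net"),
        (0, "192.0.2.10", "friend@example.org", "me@example.net"),
        (60, "192.0.2.10", "friend@example.org", "me@example.net"),
        (900, "192.0.2.10", "friend@example.org", "me@example.net"),
        (5, "192.0.2.20", "blast@spam.example", "me@example.net"),
    ]
    print(simulate(demo))
```

The caveat the post itself raises applies: an open relay is a real MTA with a real queue, so it will retry and pass the 4xx stage, which is why the relay list is consulted first rather than relying on the delay alone.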
I don't know quite how many people use AOL, but it's about 30 million, plus or minus 50-200%. That's about 200 times as large as XS4ALL. Most of the other big US ISPs have somewhere between 1 and 10 million dialup users. I don't know how many people Hotmail and Yahoo provide email for, but most of those accounts are disposable and low-use. On the other hand, the ISP I use for my email and web page has somewhere around 1000 users, maybe a bit more, so XS4ALL is about 100 times as big :-)
A number of the Unix email systems let you get a similar effect by tagging addresses - myusername+tag1@example.net, myusername+tag2@example.net, etc., though sometimes the separator is a "-" or a "+" or something else, and sometimes web forms choke on the separators, and mail forwarding systems don't explicitly support them, and too many humans aren't good at copying them correctly (which has been the real limitation, unfortunately.) You have to discard the abused addresses in your mail client or procmail instead of rejecting it from sendmail or pointing the mailbox to /dev/null, but it otherwise works the same way as the domain solution. Also, if anybody sends mail to myusername@example.net, without the tag, you'll probably get it, and spammers can figure that one out.
Fastmail.fm has a nice intermediate solution, using third-level domains. If your account is username@fastmail.fm, you can use username+tag@fastmail.fm, or you can also use tag@username.fastmail.fm, which works well in web forms and people seem to be able to copy accurately. (They also seem to be much more generally clueful than most webmail systems I've seen.) Their system runs on some kind of Unix system - I think *BSD rather than Linux, but it's at least a flexible and stable enough environment for them to build mail handling tools.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
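Added example (not from the post above or from Fastmail's code): a small client-side filter for the two tagging schemes described, user+tag@domain (or user-tag@domain) and tag@user.domain. The base mailbox, domain, separator set and the set of "burned" tags are constructed assumptions; the point is that abused tags are discarded on the client side, as the post notes, while the untagged base address still gets through.

```python
import re
from typing import Optional, Tuple

# Assumed configuration (constructed for this example): the user's base mailbox,
# the domain it lives at, and tags that were handed out and later abused.
BASE_USER = "myusername"
DOMAIN = "example.net"
BURNED_TAGS = {"shop1", "forum2"}   # tags that started receiving spam
SEPARATORS = "+-"                   # some systems use '-' instead of '+'


def parse_tagged(address: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (mailbox, tag) for one of our tagged addresses, or None if the
    address is not ours at all.

    Handles both user+tag@domain (and user-tag@domain) and the third-level
    form tag@user.domain that the post describes for Fastmail."""
    addr = address.strip().lower()
    local, sep, host = addr.rpartition("@")
    if not sep:
        return None
    # Form 1: tag@user.domain (the local part is the tag itself)
    if host == f"{BASE_USER}.{DOMAIN}":
        return (BASE_USER, local or None)
    if host != DOMAIN:
        return None
    # Form 2: user+tag@domain or user-tag@domain; untagged base address allowed
    pattern = rf"({re.escape(BASE_USER)})(?:[{re.escape(SEPARATORS)}](.+))?"
    m = re.fullmatch(pattern, local)
    if not m:
        return None
    return (m.group(1), m.group(2))


def disposition(address: str) -> str:
    """What a procmail-style rule in the client would do with mail for this
    recipient: 'deliver', 'discard' or 'not-ours'."""
    parsed = parse_tagged(address)
    if parsed is None:
        return "not-ours"
    _, tag = parsed
    if tag in BURNED_TAGS:
        return "discard"       # abused tag: dropped in the client, not at the MTA
    # Untagged mail lands in the base mailbox; the post points out spammers can
    # guess this form, so it is delivered but could be scored more strictly.
    return "deliver"
```

Because the discard happens after acceptance, the MTA still pays for the bandwidth of the abused tag's mail; only the domain-per-tag scheme lets the server refuse at SMTP time.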
an unaccountable entity like an ISP.
I can leave my ISP at any time if I don't like what they're doing. Sound pretty accountable to me.
If I had a wideband option that advertised that they used SPEWS, I'd swap TO them in an instant.
There is no legitimate reason to have an open relay.
Repeat 10x.
Just to clear this up... why do spammers need an "open relay server"? Why can't they just send from their machines directly with something like sendmail?
Read the above post more carefully. The spammer was successful in spoofing the IP address of a TCP session, because he controlled both the dialup account and the high-speed account.
SYN from the dialup account.
SYN+ACK from the helpless email server back to the dialup account. Dialup account now has observed both sequence numbers.
ACK from the dialup account, and the SMTP transaction begins.
As sending mail consists mostly of uploading, upload packets to the server are forged from the high-speed account to the server. The dialup account only needs to receive the ACK for the sent data, and the SMTP responses from the server. The spammer uses both the dialup and the high-speed accounts in tandem to keep the connection alive, in effect intentionally hijacking his own TCP connection.
Very clever! The spammer must have had some help in setting up a scheme like this. I don't think he'd be smart enough to write the software on his own.
Dr. Demento On The 'Net!
popfile it!
Large print giveth, and the small print taketh away
There are a lot of ISPs that only allow their own email addresses to pass. I think OP is hinting at this.
If there are a lot, then you won't mind listing some of them, right?
Links, please.
If there were any decent ways to block spam without resorting to the netblock method, we would gladly use it.
Cut off their income by billing people who respond to spam. Last time I suggested this, everyone said it couldn't be done, so please forgive the detail. All you need to do is build a database of spam messages (which already exist), extract the 'click here' addresses (about 3 lines of perl), scan the http log of the gateway your customers use (another 3 lines of perl), pick up the dynamic IP address of the machine requesting that page, find out which user it was and bill them.
I would start with three warnings followed by a bill of $5 a spam reply. For paying accounts, you debit their card. For free accounts, you close them after 3 violations. The point is that 99% of people will get the message after one warning, and certainly after one bill. Spam revenue plummets, game over.
Of course ISPs might not want to do this in case it upset their customers. It's much better upsetting my customers. But, as you appear to have conceded, this isn't about Joe Internet user, it's about reducing bandwidth for ISPs.
BTW, if RBLs are such a staggeringly great idea, you would expect ISPs that use them to be 2 to 3 times cheaper than those that don't, because their overheads are so much lower. Is this the case?
Virtually serving coffee
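Added example, not the poster's own scripts: the "extract the click-here addresses, then scan the gateway's HTTP log" steps from the post above, in Python rather than Perl. The two spam bodies and the Squid-style access log lines are constructed sample data using reserved example hostnames; mapping the resulting client IPs back to a dynamic-IP user (RADIUS or DHCP lease records) is left as the post leaves it.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample data: two spam bodies from a hypothetical spam corpus and
# four Squid native-format proxy log lines. All hostnames are reserved examples.
SPAM_CORPUS = [
    "Get 4 DVDs for $49 each! Click here: http://dvds.example.com/offer?id=77",
    "Lose weight now <a href='http://pills.example.net/buy'>click</a>",
]
ACCESS_LOG = """\
1042000001.123   512 10.0.0.5 TCP_MISS/200 2048 GET http://dvds.example.com/offer?id=77 - DIRECT/192.0.2.10 text/html
1042000002.456   300 10.0.0.9 TCP_MISS/200 1024 GET http://www.example.org/news - DIRECT/192.0.2.11 text/html
1042000003.789   480 10.0.0.5 TCP_MISS/200 3000 GET http://pills.example.net/buy - DIRECT/192.0.2.12 text/html
1042000004.000   200 10.0.0.7 TCP_MISS/200 900 GET http://pills.example.net/buy - DIRECT/192.0.2.12 text/html
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def spamvertised_hosts(messages: Iterable[str]) -> Set[str]:
    """The 'three lines of perl' step: pull every URL out of the spam corpus
    and keep only the hostname, since paths and tracking ids differ per copy."""
    hosts: Set[str] = set()
    for body in messages:
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def parse_squid_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, url) from a Squid native-format log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[6]


def clients_hitting_spam_sites(log: str, hosts: Set[str]) -> Dict[str, int]:
    """Count, per client IP, the requests whose host is in the spamvertised set.
    Matching on host rather than full URL catches the same site even when the
    spam run used per-recipient tracking ids in the path."""
    hits: Counter = Counter()
    for line in log.splitlines():
        parsed = parse_squid_line(line)
        if not parsed:
            continue
        client, url = parsed
        host = urlsplit(url).hostname
        if host and host.lower() in hosts:
            hits[client] += 1
    return dict(hits)
```

The same host-match over proxy logs is what an abuse desk already uses to find which subscribers followed a spam or phishing link, so the detection half of the proposal needs nothing the ISP does not log today.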
Ok, this guy seems to be a particularly motivated victim of collateral damage. His paper was pretty much accurate though.
RBLs are primarily a reactionary measure. Sure spammers would keep sending spam from the same server if it were allowed, but they keep getting many accounts all over the world to send from. RBLs are like killing fleas with a hammer. You can't hit them fast enough to keep up, and what about the dog?
Users should not have to deal with being collateral damage, or having their mail arbitrarily filtered before it ever gets to them. Rural internet users may only have one ISP to choose from that's not long distance.
The only real solution to the spam problem is going to be in SMTP itself.
I've used it for about 4 months now, and it has cut my spam from the 100 or so a day I was getting to about 3 a month...
The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
/me whacks Philip Jacobe with a clue-by-four:
1)DNSBLs aren't perfect, therefore we should abandon them? Democracy isn't perfect, therefore we should abandon it? Come up with a better idea, then let's talk.
2)users of well-designed DNSBL-based systems can bounce mail that they suspect is spam, that include information (or a link thereto) about getting out of the DNSBL, AS WELL AS GETTING WHITELISTED/USING A WHITELIST KEYWORD to get mail through despite being blacklisted. This eliminates the false positive problem for email from people for whom it's important that the email get through, provided that they can follow the instructions (put a whitelist phrase in the email subject), and if they can't then I don't want to hear from them anyway.
3)DNSBL operators define an RBL as "A list of servers which send out spam or are known to be open relays"??? This is blatantly false; libelous even.
Make 'em pay! http://Payola.org #include "stddisclaimer
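Added example, written for this thread rather than taken from any DNSBL or MTA: it ties together Bill Stewart's point earlier about conservative lists and "try again later" responses with point 2 above about a whitelist keyword that lets a listed sender through. The DNSBL zone name, its answer table and the whitelist phrase are constructed; a real server would resolve the query name over DNS instead of consulting the embedded table.

```python
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for DNSBL answers: maps the query name a resolver would
# ask for to the A record a listing returns. Embedded here so the example runs
# offline; a real MTA resolves these names over DNS.
DNSBL_ZONE = "dnsbl.example"                 # hypothetical zone name
LISTED: Dict[str, str] = {
    "4.3.2.1." + DNSBL_ZONE: "127.0.0.2",    # 1.2.3.4 listed as an open relay
    "8.7.6.5." + DNSBL_ZONE: "127.0.0.3",    # 5.6.7.8 listed as a spam source
}
WHITELIST_PHRASE = "trustme-2003"   # constructed subject keyword for the bypass
TEMPFAIL_CODES = {"127.0.0.2"}      # listing types we defer rather than reject


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str) -> Optional[str]:
    """Listing result for ip, or None when not listed (NXDOMAIN in real DNS)."""
    return LISTED.get(dnsbl_query_name(ip))


def smtp_policy(client_ip: str, subject: str) -> str:
    """SMTP response for a message from client_ip, decided at end of DATA
    (the subject is not known at connect time, so the whitelist check has to
    wait until the headers have been received).

    Order: whitelist phrase in Subject -> not listed -> tempfail for relay
    listings -> permanent reject with pointers to delisting and whitelisting."""
    if WHITELIST_PHRASE.lower() in subject.lower():
        return "250 OK"
    result = lookup(client_ip)
    if result is None:
        return "250 OK"
    if result in TEMPFAIL_CODES:
        # 4xx: well-run MTAs queue and retry; most spam engines move on
        return (f"451 4.7.1 Temporarily deferred, see "
                f"http://{DNSBL_ZONE}/lookup?ip={client_ip}")
    return (f"550 5.7.1 {client_ip} is listed in {DNSBL_ZONE}; see "
            f"http://{DNSBL_ZONE}/lookup?ip={client_ip} for delisting, or put "
            f"'{WHITELIST_PHRASE}' in the Subject if this is not spam")
```

A keyword that is printed in every bounce is an obstacle for automated senders, not a secret; it works only as long as spam engines do not parse rejections, which is the same bet the tempfail trick makes.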
Given then the AGIS netblocks are effectively black holes now, which ISP do I avoid in order to not get assigned one of these cured IPs?
I know for sure that European cable ISP Chello does.
Yeah, I missed that little detail in the parenthetical.
Has anyone ever killed a spammer and claimed self-defense or justifiable homicide? Sure would be nice if Ralsky and other swine like him moved on to the next plane of existence.
I'm planning on putting up TMDA and some DNSRBL support on my server at home.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Ah, well yes. A SysAdmin. I see. Well, I call "newbie," so sit back down and do that homework so teacher isn't cross with you.
You'd better review the bat book and a simple dns/bind book (Sorry, O'Reilly, yours isn't) and see how things really work before you get huffy with your betters.
So, know how to use reply-to. La-di-da.
How are you spoofing the $client_* macros on server side? Schon, stick to playing with _User side_ software (snicker) and leave the server side to others, okay?
The client macros expand to provide the IP address and hostname for a header on the recipient's server. Some mere users (with more knowledge than you) filter on from, IP, and hostname to provide an additional level of filtering beyond what the sendmail provides.
Stick to Outlook Express and imapd and stop butting in.
See subject. That's a lot of the objection to spam - the recipient has to pay for it even though the recipient doesn't want it.
(This is old information, of course. I just couldn't resist the opportunity to turn the subject around.)
There's a lot more, but it's all along the same lines: factually inaccurate, loaded language and one sided. It does not reflect the case law and it does not reflect the difference between public and private actions. It does not accede to the right of an individual to control his own assets, property and time, as opposed to the desire of others to intrude on and seize them. And it presumes that the users agree with him. Well, I'm a user, and I dropped my previous provider because he wasn't blocking.
I know for sure that European cable ISP Chello does.
No link? (I went to www.chello.se, but I'm english-only.)
How do you know? Do you have a chello.se account?
So (at best) that's one unconfirmed.
Last time I checked, "lots" generally meant more than (at least) one.
When my company used UUnet/Worldcom for Internet services, we were plagued by the constant blacklisting of nearly all UUnet IP address blocks. I have sympathy for people who are in this situation. Last week, I tried a different approach from the typical RBL use. I tried using SpamAssassin, Razor in conjunction with Mailscanner. It worked amazingly well. Razor works in a way that legitimate e-mail will not be blacklisted and unsolicited email will be flagged. It is as simple as that. From what I understand, Razor takes the checksum of the incoming mail and compares it to a database of blacklisted mail. Spamassassin, although not flawless, does a pretty good job on determining what is spam. The only RBL I insist you use now is ORDB.
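Added example, not Razor's code: the checksum-against-a-database idea from the post above, with one refinement that shows why a plain checksum is not enough. Razor's real signatures are fuzzy hashes; the normalisation below is a simplified stand-in so the example runs offline, and the "reported" corpus is a single constructed message.

```python
import hashlib
import re
from typing import Set


def normalise(body: str) -> str:
    """Collapse the per-copy variation spammers add: case, whitespace, digits
    (order ids, prices) and punctuation. This is a simplified stand-in for
    Razor's fuzzy signatures, not Razor's actual algorithm."""
    text = body.lower()
    text = re.sub(r"\d+", "#", text)        # tracking numbers and prices
    text = re.sub(r"[^\w#]+", " ", text)    # punctuation and HTML noise
    return " ".join(text.split())


def signature(body: str) -> str:
    """Hash of the normalised body; this is what would be shared with the
    collaborative database instead of the message itself."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()


def raw_checksum(body: str) -> str:
    """Plain checksum of the exact bytes, for comparison."""
    return hashlib.sha256(body.encode()).hexdigest()


# Constructed corpus of reported spam; a real service stores signatures only.
REPORTED: Set[str] = {
    signature("Get 4 DVDs for $49 each! Order id 100234 - click now!!!"),
}


def is_known_spam(body: str, db: Set[str] = REPORTED) -> bool:
    return signature(body) in db
```

Two copies of the same run that differ only in an order number, capitalisation or spacing get different raw checksums but the same signature, which is the property that makes a shared database useful against bulk mail while leaving ordinary one-off mail unmatched.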
I'm an ex-Chello helldesker.
Therefore I have no link, but maybe one can find one on their main site in a faq section, but probably not in English.
You'll have to find sb with a chello account (and IP, because they check the range too) to verify.
Since the mailservers are mostly unified over the countries (in Austria IIRC), that will be the same over most of the European countries (don't know about Israel). At least for the larger countries (subscriber-wise) like Belgium and the Netherlands.
>Isn't this how a blacklist is supposed to work? I thought the idea was precisely to annoy the honest users, such that they complain to the ISP. If the users know that they are blacklisted because of a spammer, they are likely to either leave the ISP or pressure it to turn the spammer off. It's not nice, but the intent is to get results.
Isn't this how terrorism is supposed to work? I thought the idea was precisely to intimidate the innocent civilians, such that they pressure their government. If the civilians know that they are attacked because of the actions of their government, they are likely to either emigrate or pressure their government to change its policy. It's not nice, but the intent is to get results.