Fighting the Hydra -- A Spam Warrior's Tale
Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"
A Spam Warrior's Tale..
When is the sequel out? A Spammers Tale? I can't wait!
Note to self: get smarter troll to guard door.
Could this be the start of a grass roots organization similar to the WTO, UN, EU and other multi-national groups that are supposed to help with global issues? Can't you see it now the "United Spam Busters" USB!
Just one question... what if the spammer doesn't connect to your SMTP server to send billions of messages from it? What if the spammer (with half a brain, and some scripting ability), only sends a few emails through your SMTP server? Most SMTP servers are wide open still, and simply sending 10 emails on one server and moving on to another open server would be so low that statistical usage wouldn't show anything on the radar screen... or did I not understand what you are trying to do?
I don't get any feeling of "moral superiority" from seeing anyone hurt. I just want all spammers shot on sight or in a nice big line-up with a chaingun. Anyone asinine enough to send spam does not need to be contributing to the gene pool.
Burning Karma makes me feel all prickly inside though...
I cried when Slashdot told me that I was alone in the world...
I think this article does bring up a good point that people do tar Asia with the same brush in that you can just block them and have no problems. It's nice to see someone doing a decent job. For more fun on fighting spam see NANA
rus
Cheap UK and US VPS
No matter what he does, he can't please everyone. According to Tiffiany Mork, senior abuse engineer at Allegiance Internet, a very thick skin is a requirement for an abuse-desk worker. Her typical day includes verbal harassment, screaming, threats, and "all manner of nasty things."
Like that is different from working in any other kind of helpdesk!
... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
Yes, it's like the horde of trolls striking while other people are trying to discuss the subject at hand.
I'll RTFA when pigs land on the moon.
Sturmbahnfuehrer... if it's offensive I apologize. The fish says "Storm course leader" and that just doesn't seem right
This whole spammers versus spamblockers has proven to be a destructive arms race.
Many legitimate machines and users - even whole ISPs - unfairly end up on blacklists, while the spammers just find another way through.
The spamblocker tools and their heuristics get smarter, but don't forget that spammers keep up with these tools and constantly find new ways around them.
I was using Razor and SpamAssassin for months. Formidable combination - networked blocklists plus pattern matching. Gave me a bit of peace. Very few false negatives. But in the last month, I've seen a whole new generation of spam coming through that the filters don't even touch.
Peace has finally come from a package called Active Spam Killer, a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.
There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up.
Result?
Spams to my mailbox have gone from 40 a day to zero.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
Ya, I can't even pronounce it very well. Hell, why couldn't have been "supercalifragilisticexpialidocious" instead? >:-P
From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.
A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Translated with google: "This first station is dedicated to Napoleon 1st!"
post-translated with brain: "This first post is dedicated to Napoleon the 1:st"
Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
I don't know if this is a "Lord of the Rings" reference or a "War on Saddam" reference.
wee! wee! ala runny ass eggs (I want em in me)
Every day, 80 percent of all incoming mail to Outblaze is rejected as spam and filtered out before Ramasubramanian and his team have to deal with it. Out of the remaining 15 million messages per day that do pass through Outblaze servers
So if 15 million messages is 20% of what they get, they receive 75 million individual messages a day? That seems a little high...
Because he probably isn't gay, like yourself. Will you request that he skips whilst saying it? I fear the answer.
Maybe so, but you/they would be left in the cultural dark-ages!! Face it you love the USA while hating the USA!
Think about it...the dictionary spammers have not gotten as far as sramasubramanian@hotmail.com
And you know why spam doesn't bother me? Cause I don't waste my time running a crappy homepage that features my email address on every page. I don't give out my email to every Tim, Dink, and Henry that come around. I don't subscribe to mailing lists or other pointless subscription services that can't be trusted. And I certainly don't put it on a god damned site teeming with trolls even if it IS protected by the highest security methods..... writing it backwards.
Time for all responsible ISPs to assign their own anti spam reps, reach out, get a list of ALL isps, contact their anti spam reps and take action.
:]
Get organized and form a plan but first, get organized on a global level.
Then kick some ass and pool for legal action against the thieves.
- Zav - Imagine a Beowulf cluster of insensitive clods...
Just the thought of this makes me sick.. Almost as sick as those who make spamming profitable.
Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe there are pills that increase life span? Who the hell are these people?
Guaranteed Results: Hot Indian Men with 12" names
That is an emotional argument that has absolutely no place in international realpolitik.
Given a choice between causing a total breakdown of the international collaboration and diplomacy by embarking on unilateral war of aggression and letting a tin-pot dictator oppress his people, I would always choose the latter. It is simply the lesser of two evils.
As heartless as it sounds, an unstable world where nation states are allowed to take unilateral, pre-emptive military action to pursue their own narrow minded nationalistic interests will cause more evil and suffering than a piss-ant dictator in a third world country could ever achieve.
Sure thing. Whatever you want. Just get off the box, please, you are crushing it with almighty force! The soap! Unggggghhhhhhh...
...decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
Oh so I get it, fighting spam is like saving the Galaxy!
I had no idea it was THAT important. I'm on the edge of my seat now!
USA has no culture. What have you given the world...
*McDonalds... (gross)
*Crappy TV shows (Dumb comedy - Adam Sandler springs to mind)
That's it, culture wise.
Keep in mind I *don't* hate american people - just america's unprovoked invasion of Iraq.
Disconnect the mail server.
Sturmbahnfuehrer is pretty meaningless (which shows us that spammers don't even get their insults right). The correct word would have been "Sturmbannfuehrer" which was a title used by the German SS in the bad times of the so called "Third Reich". It's just a title for a leader of a small group (I'm not a military man nor a fan of NS history so I don't know the size of the group, so "small" could be plain wrong). More information is probably available at Google.
HTH
Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".
But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.
There are two parts of this that bug me:
"There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up."
And how do you feel about making all innocent senders of mail do extra work, while spammers simply ignore it and move on?
I simply cannot justify that, based on the redistribution of workload and increased aggravation - you send me a bounce message, I consider your email address invalid whether that bounce is "500 address unrouteable" (a valid, understandable error) *or* "500 I Don't Like You" - which I consider frankly offensive.
Go back to SpamAssassin, get 2.50 or better, which includes Bayesian analysis as well as all the above. Or just shove a Bayesian filter in the way after SA; here, I have outright regexp-based rejection and SA in exiscan, followed by bogofilter in procmail - very few spams get past the first hurdle (From: headers snarfed from Usenet) and those that do are caught either by SA and/or bogofilter.
This way happiness lies.
~Tim
--
Rushing on down to the circle of the turn
Yeah, these people blocking all mail from Chinese and korean subdomains are idiots. How are they supposed to work with anti-spammers there if they can't even talk to them?
I mean, I guess it'll help cut down on the spams they get, but it won't help stop the problem.
Anyway, the true way to stop spam is challenge-response for the first message from a new person. Easy to implement, and it doesn't require any software for the sender.
autopr0n is like, down and stuff.
1) you would have their real email address and
2) you could use a 'what number is this a picture of' type questions. The problem is figuring out how to make it multilingual.
But really it doesn't need to be standardized at all, since these things are going to have to be handled by real people, rather than computers.
autopr0n is like, down and stuff.
If 50% of all mail in the US is spam, then the other 50% must be the bounces for all that undeliverable mail!
I run a mail gateway for a medium sized company, and although not on the scale of a large ISP, I see many of the same problems. Dealing with spam on a gateway level is quite different from dealing with a single personal mailbox. And spam flooding has gotten much worse in the last few months. Getting over a 1000 messages in under a minute can really start to tax your infrastructure. Actually from my own observations, I'd say that at least 75% of all mail is spam, and 80% of that is undeliverable.
Of course one of the big problems as Ramasubramanian points out is that spammers are getting very sophisticated at impersonating other entities. This results in a large number of bounces being directed back to the wrong guy. So not only are you getting spammed, but you are also indirectly spamming the poor guy who is being impersonated with your flood of bounces. And the bounces also cause other problems because it tends to fill up your outbound mail spools, as well as making the required postmaster account near useless sometimes.
One thing I've learned is that a mail administrator must be very careful about constructing blacklists and filters. I use sendmail and make heavy use of its milter programmatic filter interface. It's amazing how being able to analyze the mail at the protocol level (such as the HELO command) helps identify impersonated mail that can't just be done by only looking at mail headers or the message body. It is also possible to help correlate large volumes of nearly identical inbound mail from a large number of different servers, as well as correlate them with large number of undeliverable outbounds. I'm also very careful to check whois and other registrar databases before adding blacklist entries, to help prevent blacklisting the wrong guy. But I do admit that for a few of the most audacious flood attacks, I actually have to resort to iptables firewall blocks to stop it even before sendmail sees it. I really dislike having to disobey the SMTP standards, but spam floods are IMHO just as destructive as worms and viruses!
The thing I fear most as a mail administrator is not the inbound spam, but that some spammer may start impersonating my company! We'd start getting placed on blacklists and blocked, plus we'd start getting flooded with all those bounce messages (probably an order of magnitude more than direct spam). How can one possibly protect against that?
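The two protocol-level checks this comment describes, as an added Python sketch (not the commenter's milter code): a sanity check on the HELO argument and a correlation of near-identical bodies arriving from many different servers. The domain, gateway address, threshold and sample messages are constructed assumptions.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

OUR_DOMAINS = {"example.com"}   # assumed local domain
OUR_IPS = {"192.0.2.25"}        # assumed address of our own gateway
MIN_DISTINCT_SENDERS = 3        # assumed threshold for calling it a flood


def helo_findings(helo, client_ip):
    """Return the reasons a HELO/EHLO argument looks impersonated."""
    findings = []
    name = helo.strip().lower().rstrip(".")
    # RFC 5321 address literals are written in brackets: [192.0.2.1]
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    try:
        claimed_ip = str(ipaddress.ip_address(literal))
    except ValueError:
        claimed_ip = None
    if claimed_ip is not None:
        if claimed_ip in OUR_IPS and client_ip not in OUR_IPS:
            findings.append("claims our IP address")
        elif claimed_ip != client_ip:
            findings.append("address literal does not match client")
    else:
        ours = any(name == d or name.endswith("." + d) for d in OUR_DOMAINS)
        if ours and client_ip not in OUR_IPS:
            findings.append("claims our domain")
        if "." not in name:
            findings.append("not a fully qualified name")
    return findings


def fingerprint(body):
    """Hash a body after removing the parts bulk mailers vary per recipient."""
    text = body.lower()
    text = re.sub(r"\d+", "#", text)           # counters, ids, tracking numbers
    text = re.sub(r"\s+", " ", text).strip()   # line wrapping and padding
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def correlate(messages):
    """messages: iterable of (client_ip, body).

    Returns {fingerprint: sorted client IPs} for every body seen from at
    least MIN_DISTINCT_SENDERS different servers.
    """
    seen = defaultdict(set)
    for client_ip, body in messages:
        seen[fingerprint(body)].add(client_ip)
    return {fp: sorted(ips) for fp, ips in seen.items()
            if len(ips) >= MIN_DISTINCT_SENDERS}


# Constructed sample traffic: three relays carrying the same pitch, one normal mail.
SAMPLE = [
    ("198.51.100.1", "Hello 12345, special offer\n\nclick now"),
    ("198.51.100.2", "hello 99, special  offer click now"),
    ("198.51.100.3", "HELLO 7, Special offer\nclick now"),
    ("203.0.113.9", "Minutes of the 3 March meeting attached"),
]

if __name__ == "__main__":
    print(helo_findings("example.com", "198.51.100.7"))
    print(correlate(SAMPLE))
```

A HELO finding is evidence to weigh rather than proof, since misconfigured legitimate servers also send unqualified names.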
Taken from a larger context, spam is just another facet in life from which emerges attempts to control our behavior.
A glaring example brought forward by the war in Iraq is the ceaseless barrage of sloganeering one faces these days. Some of it in favor of the war, some against. Some more coordinated than others.
How much remains when the content added to bend our will is removed? How much from the war news, from life in general?
I'm sick of it. Life is complex enough without having to move about in a cloud of misleading information.
No wonder everyone is half nuts these days. GIGO.
Well, if at least it were Forrest Gump, this'd be cool as he's supposed to be a nice pacific fellow.
Let's hope so. Then I'd just accept all mail slowly and spam would go away!
Seriously there are flaws in this kind of defense. First, I'm already seeing several spammers who already send mail slowly, probably to avoid setting off statistical trappers and to make it harder to scan through log files. Also don't forget that the spammers usually have much more bandwidth than the recipient; you can never win by trying to fight the battle of resources!
BTW, this is NOT very tricky programming to do if you use the Milter programming interface to sendmail...in fact it is quite easy to do. But like I mentioned, you're sort of self defeating, because you burn your own resources by being slow.
<link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />
(yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.
The other thing you mention, I think that is what is meant by a Teergrube. Marc Merlin has some good stuff on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.
Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
How many spams do you get per day?
How many times per day do you email someone you've never emailed before?
If the second number is higher, then you're probably a spammer and even if you're not an email from you wouldn't be very special. If the first number is higher, you would have far less annoyance in your life if everyone adopted this system.
I'd rather have a few people's computers think I was guilty of spamming until proven otherwise than have to deal with deleting Spam, and for me, it's a choice I'll make for everyone who wants to communicate with me.
autopr0n is like, down and stuff.
Thanks for not providing the link to Google, jackass. Now I have to look "Google" up in a search engine.
Southpark's cartman screaming "Cripple fight!!" comes to mind
I knew Suresh Ramasubramanian personally a long time ago when he worked for Intel. Wow, I had no idea he was into spam-warring now.
Caution to all would-be spammers: Suresh is a guns and rifles enthusiast and has a very nice collection of assorted weapons and ammunition. Who knows what he might do to a spammer as a last resort...
I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
Suresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.
Check his postings from the Google Groups archive.
/me shudders
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
How do people feel about scripts to fill website logs with crap? Here's mine, quick and dirty, written in about 30 seconds because I was pissed off:
#!/bin/bash
COUNT=0
while [ $COUNT -lt 10000 ]; do
lynx -dump http://www.resumeagencies.com/recruiterspage.asp?
sleep 1
let COUNT=COUNT+1
echo $COUNT
done
Note the fact that I'm calling what I hope is a dynamic page, so with luck, I'm wasting their server's processor time. The script is otherwise, as you can see, completely unrefined.
Legality, anyone? Other problems (despite the obvious fact that I have to waste my bandwidth to fuck with spammers)? Obviously, it's a DoS attack of sorts, but then again, so is an unsolicited e-mail. If they want to challenge me legally on that point, then I will do the same to them. My website very clearly points to the policies which apply to all e-mails sent to my domain.
Fire and Meat. Yummy.
Actually, it's a very close skirting of Godwin's Law, in a modernized form where "terrorists" replaces "Nazis". And it was almost invoked before the discussion even began! :-)
Freedom: "I won't!"
Suresh Ramasubramaniam must be a very comm... Right. As you were.
Government of the people, by corporate executives, for corporate profits.
> Maybe so, but you/they would be left in the cultural dark-ages!!
You think your culture is innately superior to other cultures, and therefore you must spread it all over the world? Sounds... fanatic. No culture is "better" than any other, just different.
> Face it you love the USA while hating the USA!
I do neither. But I'm disgusted at their current militarism, love for war and disregard for international law and agreements.
Sebastian
Personally, I don't mind replying to a verification challenge. In fact, it makes me feel good about the other person, since I know this person will be more attentive to the emails s/he does receive.
I have to say here that I've only had my whitelist-based filter running for a few hours, but already the effect is astounding. As I go about my work, and periodically check my spam-free mailbox, it feels a lot like I've been carrying this menacingly huge chronic debt, and suddenly won the lottery and paid it all off in one fell swoop.
Would be a worthy subject of a psychological study - find an office, send 50 spam messages a day to one group, and manually filter all the spam of the other group, and compare parameters like stress levels, job satisfaction etc. My bet is that you'd find a major difference.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
There was something about the article that bothered me - perhaps it was just unclear reporting, or perhaps it wasn't.
According to the article, this guy is having to block off a flood of mail from spammers to his system. The way I read the article, this flood is not for Outblaze users, but just for relaying. Why the bleep does his mail server even accept this mail? Any modern sensible set up mail server should follow a ruleset like:
if (sender is one of my users)
    accept
else if (recipient is one of my users)
    accept
else
    bugger off spammer
endif
Ideally, the mail server would log systems that were trying to send mail that didn't pass that test and tell the router to drop packets from them for a few hours.
Bam! 90% of problem solved.
Having received spams relayed by Outblaze servers, I don't think that's what is happening. I think they are running open mail servers, and trying to keep the spammers from using them.
I could be wrong, but that's how I read the article.
www.eFax.com are spammers
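The ruleset from the comment above, including the "log it and drop them for a few hours" step, written out as an added Python example (not code from the thread or from any particular mail server). The domain, trusted network, denial threshold and block duration are assumptions, and the router block is modelled as an in-memory table.

```python
import ipaddress
import time
from dataclasses import dataclass, field

# Assumed values for illustration; none of them come from the thread.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_DENIALS = 3            # relay attempts tolerated before a temporary block
BLOCK_SECONDS = 3 * 3600   # "a few hours"


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


@dataclass
class RelayPolicy:
    denials: dict = field(default_factory=dict)        # client ip -> count
    blocked_until: dict = field(default_factory=dict)  # client ip -> epoch seconds

    def is_my_user(self, client_ip, authenticated):
        # MAIL FROM is trivially forged, so "sender is one of my users" is
        # decided by how the client connected, not by the address it claims.
        ip = ipaddress.ip_address(client_ip)
        return authenticated or any(ip in net for net in TRUSTED_NETS)

    def check_rcpt(self, client_ip, rcpt_to, authenticated=False, now=None):
        """Return an SMTP-style (code, text) reply for one RCPT TO."""
        now = time.time() if now is None else now
        if self.blocked_until.get(client_ip, 0) > now:
            return (554, "blocked")
        if self.is_my_user(client_ip, authenticated):
            return (250, "ok: submission from local user")
        if domain_of(rcpt_to) in LOCAL_DOMAINS:
            return (250, "ok: local delivery")
        # Neither end of the transaction is ours: a third-party relay attempt.
        count = self.denials.get(client_ip, 0) + 1
        self.denials[client_ip] = count
        if count >= MAX_DENIALS:
            # Stand-in for telling the router to drop this client's packets.
            self.blocked_until[client_ip] = now + BLOCK_SECONDS
            self.denials[client_ip] = 0
        return (550, "relaying denied")


if __name__ == "__main__":
    policy = RelayPolicy()
    for attempt in range(4):
        print(policy.check_rcpt("203.0.113.5", "victim@elsewhere.test", now=attempt))
```

Clients that send repeated relay probes keep hitting the 550 branch until they are cut off, while mail for local recipients from the same address is accepted again once the block expires.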
What I don't understand is why people can commit these seemingly hateful acts and call it "business". How can you call abusing another company's network business? A little restraint would still get the job done!
Gamingmuseum.com: Give your 3D accelerator a rest.
"The challenge we face is the same challenge little Hans Brinker faced when he stuck his finger into that dam," Ramasubramanian said. "We know that as soon as we let our collective fingers slip out of the thousands of tiny holes we are plugging we will drown in a massive sea of spam."
Maybe that's exactly what we need to get the attention of the Governments of the world to get serious about spam. Let the dam break for a couple days all over the world. Don't block anything. When people get thousands of spam in their inbox a day and servers around the world slow to a creeping halt perhaps the powers that be will finally get serious to stop spammers.
Dirk
Hey thanks for supercalifragilisticexpialidocious. I tried it in IBM's speech thingy and it almost pronounced it correctly. I am impressed.
Then I thought, hey we can't pronounce Ramasubramanian so I thought I would give IBM a go. And it did a good job.
Here is what I entered:
----
Ramasubramanian
Yeah, I know. I suck.
[ Reply to This ]
----
Heh. It even says, left bracket and right bracket.
Not a bad start, but you show your colour as a newbie troll. Sure you hooked a few, but you and I know that you can do so much more. The world (/. that is) is your oyster. Refine and practice your innate talent, and great things will come your way.
I rate this attempt at trolling a B.
everyone who said "Whitelisting is the answer" ran a business that used the web to obtain new clients. Because if they did, they'd realize straight off that it's NOT the answer. Ask a potential customer to do more than is necessary and they'll go elsewhere. I know I do.
Which, of course, raises the possibility of dropping "bunker busters" on the offices of spammers. ;-)
I fully support this idea.
--- Ban humanity.
First, try to convince the server to give you a listing of
Then, turn it into a big list of URLs for pages and images, say "url_file_you_made". Finally, write a shell script to use that for nefarious purposes, like this: That one really can suck down some bandwidth, especially if you tweak the usleep. In this case, each download is forked off and lasts for at most 1 second, so with usleep at
Also if the form is POST, you can use good ol' curl again like this to poison it: note it isn't URL encoded. That's multipart. You can do URL encoded POST with
Fuck Beta. Fuck Dice
When I worked the PC support desk back in the late 90's, I never had a user give me lip. I think assuming that kind of behavior is normal or acceptable is half the problem.
The other half is that people tend to hire tech support based on technical knowledge without considering communication skills. During my relatively short tech support stint (5 years with different companies) I went to half a dozen communication classes. Validate, empathize, assert. Solves most problems and defuses even the worst attitude.
I'm gonna give a big FU for the veiled attempt to paint anti-spammers as terrorists. Nice going Selanit.
Proletariat of the world, unite to kill spammers
In Soviet Russia, I ruled you
The work required to send an email should be exactly that; you type it and push Send, that's quite enough.
You bring up an interesting point. But I would like to point out that since the inception of email the quality of communication has decreased significantly. One talk radio host even shut down her email and limited non-phone correspondence to faxes. Immediately the quality of correspondence with her fans increased dramatically.
You really do have an offensive view of the world, don't you know?
That's his right as well as anyone else's.
Without thought for people's modes of operation or needs, you tar everyone a baddie until they take the trouble to prove otherwise.
I don't have to have email. I don't have to provide any forum for anyone to communicate with me and if I want to hamstring easy entry to my email to make people reconsider sending me jokes every day or information on enlarging my genitals then I darn well will.
You *are* going to get some false-positives this way.
No I will not.
BASE Conflict for Quake 3
Good to know it's not just me. I get at least a once per day attempt from there checking my mailserver for an open relay. Attention stupid spammers: It wasn't an open relay last year, it wasn't one last month, it wasn't one yesterday, and it's NOT GOING TO BE ONE TOMORROW. Grrrr....
It is 'Sturmbannfuehrer', not 'bahn'.
'Bann' == Banner == standard (flag)
But who would think spammers can spell...
But if I would give a spam score to mails based in content, I would mark as spam all that in the text have mails or websites whose IPs are located inside China.
Spam warrior needs to get laid'n'loaded a lot more,
and stop worrying about what ignorant people think.
Worm and virus writers get thrown in jail for their efforts, that in some cases is less harmful than some spammer sending out a million+ spams. Perhaps we should ratchet up the punishment for spamming, or to be fair, ratchet down the punishment for worms and virus.
Actually, for some reason that description made me think of Crouching Tiger, Hidden Dragon. LOTR would perhaps be a better fit...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In a word, YES. And still the world turns and each passing day we grow stronger. Soon, United Nations Under America Under God!! Kinda gives ya a lump in your throat doesn't it? I mean this country has worked so very hard to get this far. Soon the world's population won't be considered foreigners anymore.. You will be under our mighty wing. And that's almost as good as being an original US citizen.
I know Suresh from the newsgroups. He's a great guy and quite knowledgeable. Search comp.mail.sendmail and news.admin.net-abuse.* for Suresh and you'll see for yourself. I just wanted to throw that out there in case some suspected a conspiracy in the ranks.
It also helps to say 'no' when you're asked to help with an obviously-spam-related project. I've had several prospective clients in the past year ask me to help them harvest email addresses from (I suspect purloined) databases/contact manager files/etc. When I politely refused to help, several got very huffy and demanded an explanation. To which I responded: I don't help people generate SPAM! That seemed to shut them up pretty well.
Because I am mean and because she deserves the scorn of the slashdot community. :)
Worth every penny. I get no spam now. Not one.
Nope. I think you can, on balance, evaluate a culture, and make relative choices between them. United States culture is the worst on Earth... except for all the others.
I like living in a place with no female genital mutilation (and where even male circumcision rates are on the decline), where women have a better-than-average-for-the-world shot at parity in rights and income with men, where (despite hysterical news hype) the odds of terrorist attack and other violence is actually quite low (violent crime is way down from the highs in the early 90's), etc.
Our stupid Department of Justice seems hell-bent on cutting out our freedom of speech, but I still can (and do) criticize the U.S. government on a regular basis (like this stupid, unnecessary war that we have idiotically committed ourselves to) and haven't been disappeared. There's racism and such, but no rigid caste system in place.
I wish we had a more European attitude toward sex and violence (i.e. less violence in the media, and less puritanism) and there's other room for improvement but overall there's no place I'd rather live.
PHEM - party like it's 1997-2003!
If all you get from China is spam, why not block the entire country?
Most of the businesses outside of China have no need to get Email from China at all. There is no bias here, just a practical anti-spamming technique that works MUCH better than any boneheaded challenge-response system.
The problem with challenge-response systems is that it is yet another anti-spam measure that causes the innocents to spend more time fighting spam.
Spamming is not a technical problem, but a sociological problem. All technical solutions I've seen impose a burden on the victims, some more so than others. Spamming will cease to be a problem when ISPs start taking the problem seriously, when victims can sue spammers directly and when sanctions against spammers become strong enough to deter the sociopaths. It will take jail sentences or VERY stiff monetary penalties to do so. The new anti-spam bill in California is a step into the right direction (the only problem with that is that it still would allow "labeled" spam).
Proletariat of the world, unite to kill spammers. Remember, knees first so that they can't run away while you slowly torture them to death
In Soviet Russia, I ruled you
Sure, it may solve your problem, but there are plenty of people out there who cannot use whitelisting. No business can afford to annoy or obstruct potential customers. Otherwise, they'll never turn into actual customers. Even free software developers are going to be pretty reluctant to put obstacles between themselves and their users - as a Debian developer, I've considered trying whitelists, but I get too many mails from newbies who need help, and I'm not willing to put barriers in the way of those who are most likely to be unable to get past those barriers.
Heh...I run sendmail on a 486DX/33. I accept everything very slowly. :-)
But in all seriousness - I expect that some day, somebody will find a security hole which I've overlooked. However, when that day comes, my little 486 certainly won't be much of an asset. If a spammer finds a way to exploit sendmail, and tries to relay 5 bazillion e-mails, my box would certainly crash. I consider it a boon to the internet if I make myself very difficult to exploit, and sticking a just-barely-does-the-job server up there is a step in that direction. I'd rather have my home server fall on its sword than help fight a battle for the spammers.
A honeypot is for attracting crackers, making them think it's running a bunch of vulnerable software but in reality it's just a dummy machine with nothing interesting on it.
What you're talking about is a tarpit.
Bush compared to Napoleon I, now that's an interesting simile *g*
-uso.
Dreams, dreams, don't doubt dreams, dreaming children's dreaming dreams. Sailor Moon SS
5 Insightful
-uso.
Dreams, dreams, don't doubt dreams, dreaming children's dreaming dreams. Sailor Moon SS
I'm one of those businesses who can't afford to obstruct contact -- deleting spam is cheaper than losing customers. (Most of mine have enough trouble finding the mailto link ONCE.)
:(
I've also run into the situation where when I try to contact someone who runs a whitelist, I jump thru all the hoops, sometimes more than once, and the autoresponder still tells me that I need to do whatever again... I concluded that some whitelists filter against subjects like "Bug report".
You also have to wonder about the mentality of people who are so set on insulating themselves against any annoyance or timewasters. Spam is both, but so are lots of other ordinary human contacts.
~REZ~ #43301. Who'd fake being me anyway?
My business relies on average people emailing me.
Then you can forget about my patronage, because I do not expose my email address in this manner.
(My slashdot-published email is a blackhole, so don't bother.)
And you can also forget about asking me to use my email address as a userID.
"Everybody who asks for my email address is a spammer until proven otherwise."
Yes, I have no problem isolating myself from the rest of the outside world, especially spammers, telemarketers, and other advertisers of all types: "If you're one of my friends, relatives, or acquaintances, leave a message, preferably including your number, and I'll get back to you. If you're trying to _sell_me_something_, I either don't want it, can't afford it, or I've already got one."
It's MY email box, dammit. I'll accept or reject anything I please, from whomever _I_ choose!
Email, as it stands today, is useless as a business contact medium. A hundred spams a day forces one to dig a moat and lower the drawbridge only for known friends. Sorry if this interferes with your "business model". Tell it to the spammers who've ruined email.
Exceeding the recommended torque is not recommended.
You know this is trivial to defeat right?
Detect and run from, sure, but not _defeat_. (for a value of "defeat" == "get yer spam through")
Excessively slow server detection will be a standard feature of all next generation spam software.
Oh it is now. Has been, for at least a year. My buddy, who runs his own mail server, teergrubes anything he can detect as spam. The spammers flee, then remove him from their lists. He cares not whether this is automatic or requires manual effort on the part of the spammer. They go away.
I'd make it even simpler: teergrube _everything_, for about fifteen seconds a line. Legit mail has to tolerate these kinds of delays (and much worse, in fact) in order to get through to servers which are stuffed with spam traffic. A spammer can't afford to fool around for even one minute to send a message - he has to send a million a day in order to make money. Of course this probably wouldn't work for Mr. Ramasubramanian, but it will for my friend, and for me if I ever put up a mail server. You'd probably be pleasantly surprised at how many of those 32767+ connections will be dropped _immediately_ at the first continuation reply, no matter how short its delay.
I still think you can never win the resource battle
Sure we can. A thousand spammers facing 1,000,000 tarpits haven't a chance.
Exceeding the recommended torque is not recommended.
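The delayed continuation replies described in the comments above, as an added sketch that is not code from the thread or from any mail server named in it: the server drips a multi-line SMTP greeting with a pause before each later line, and two clients with different patience connect to it. The host name `tarpit.example`, the reply texts and the short delay are constructed for the demonstration, and the command loop only answers QUIT.

```python
import asyncio

def continuation_reply(code, lines):
    """Build an SMTP multi-line reply: 'NNN-text' for every line except the
    last, which is 'NNN text' and tells the client the reply is complete."""
    last = len(lines) - 1
    return [f"{code}{' ' if i == last else '-'}{t}\r\n".encode("ascii")
            for i, t in enumerate(lines)]

async def drip(writer, code, lines, delay):
    """Send a reply one line at a time, stalling before each line after the first."""
    for i, chunk in enumerate(continuation_reply(code, lines)):
        if i:
            await asyncio.sleep(delay)
        writer.write(chunk)
        await writer.drain()

async def tarpit_session(reader, writer, delay):
    try:
        await drip(writer, 220, ["tarpit.example ESMTP", "one moment", "ready"], delay)
        while (line := await reader.readline()):
            if line.strip().upper()[:4] == b"QUIT":
                await drip(writer, 221, ["closing"], delay)
                break
            # Sketch only: a real deployment would hand the session to the MTA.
            await drip(writer, 502, ["not implemented", "in this sketch"], delay)
    except ConnectionError:
        pass  # the client hung up mid-reply, which is the outcome a tarpit wants
    finally:
        writer.close()

async def read_greeting(port, timeout):
    """Client side: wait up to `timeout` seconds for the final '220 ' line."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)

    async def until_final():
        while True:
            line = await reader.readline()
            if not line or line.startswith(b"220 "):
                return line.startswith(b"220 ")

    try:
        return await asyncio.wait_for(until_final(), timeout)
    except asyncio.TimeoutError:
        return False
    finally:
        writer.close()

async def _demo(delay):
    server = await asyncio.start_server(
        lambda r, w: tarpit_session(r, w, delay), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        patient = await read_greeting(port, timeout=delay * 20)
        impatient = await read_greeting(port, timeout=delay / 2)
    return patient, impatient

def demo(delay=0.2):
    """Return (patient_client_got_greeting, impatient_client_got_greeting)."""
    return asyncio.run(_demo(delay))

if __name__ == "__main__":
    print(demo())
```

The delay is a fraction of a second here so the demonstration finishes quickly; the comment above proposes about fifteen seconds a line.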
Why can't I have a cool name like Suresh Ramasubramanian?
Stupid boring anglo-saxon name, bah.
That is an Indian Name and most probably the IBM machine thingie was also made by one.
Hence, the ability to pronounce it
Oops, sorry. I forgot to translate into symbolic redneck. Here ya go:
You got some apples, a nascar die cast model, two pencils, two cartons of milk. You put an apple on top of the nascar and drive it around the track several times.
Open each carton of milk and put one pencil in each. Take the pencils and shake the milk clinging to them over the little nascar track. Put the other apple in the middle of the nascar track.
Now do you get it?
yea, sounds like the anti-scientology movement....
supposedly working for the same thing, but continuously accusing the other of being OSA ("secret" agents of scientology) and provocateurs and... well... basically trolls. it's a shame they can't get their sh*t together.
OK, after reading up on Active Spam Killer, an interesting point comes to mind.
:)
Say you install Active Spam Killer locally. Some buddy of yours, who also has Active Spam Killer installed on his machine, sends you an e-mail. His e-mail ends up in the ASK queue, as his e-mail address is not in your local whitelist yet. So Active Spam Killer sends off a confirmation e-mail to your buddy. But, your e-mail address isn't in his whitelist either!
So... you don't get the original e-mail, and neither of you get the confirmation e-mail. DUH! That just defeated the whole purpose of sending e-mail in the first place!
So... ASK developers, or the programming community in general gets together to formulate a standard, so the confirmation e-mails can get through to your inbox without being stopped in the authentication layer. This brings up an additional problem: the second you set up this type of standard, then spammers can take advantage of it, and somehow (depending on how the confirmation standard is implemented) get their spam to bypass your authenticating layer, and go straight to your inbox.
Hmmm... that didn't work out so well, now did it.
The idea behind ASK is quite interesting, but also naive in the extreme. I think the programming community needs to gather together and develop a somewhat more robust method for active spam blocking.
--
Alex
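The mutual-challenge deadlock described in the comment above can be reproduced with a small model, added here as an example; it is not ASK's code and makes no claim about how ASK behaves. The `CRMailbox` class, the addresses and the message fields are hypothetical. It runs the exchange twice: once with both filters holding everything from unknown senders, and once with each filter also trusting addresses its own user has written to, which needs no special "challenge" format that a stranger could imitate.

```python
import secrets
from collections import deque

CHALLENGE = "confirm by replying"

class CRMailbox:
    """Hypothetical challenge-response filter for one address."""
    def __init__(self, addr, whitelist_outgoing):
        self.addr = addr
        self.whitelist_outgoing = whitelist_outgoing
        self.whitelist = set()
        self.inbox = []   # messages the user actually sees
        self.held = {}    # sender -> (token, [messages held for confirmation])

    def compose(self, to, body, token=None):
        """Mail written by the user; optionally remember the recipient as trusted."""
        if self.whitelist_outgoing:
            self.whitelist.add(to)
        return {"from": self.addr, "to": to, "body": body, "token": token}

    def receive(self, msg):
        """Filter one message; return the automatic replies it triggers."""
        sender = msg["from"]
        token, queue = self.held.get(sender, (None, None))
        if token is not None and msg["token"] == token:
            # Valid confirmation: trust the sender and release the held mail.
            self.whitelist.add(sender)
            self.inbox.extend(self.held.pop(sender)[1])
            return []
        if sender in self.whitelist:
            self.inbox.append(msg)
            return []
        if token is None:  # first contact: hold the mail and challenge once
            token = secrets.token_hex(8)
            self.held[sender] = (token, [msg])
            return [{"from": self.addr, "to": sender,
                     "body": CHALLENGE, "token": token}]
        queue.append(msg)  # already challenged: keep holding, send nothing
        return []

def simulate(whitelist_outgoing):
    """A writes to B. Returns (bodies in B's inbox, senders still held anywhere)."""
    a = CRMailbox("a@example.org", whitelist_outgoing)
    b = CRMailbox("b@example.org", whitelist_outgoing)
    boxes = {a.addr: a, b.addr: b}
    wire = deque([a.compose(b.addr, "lunch on friday?")])
    while wire:
        msg = wire.popleft()
        box = boxes[msg["to"]]
        seen = len(box.inbox)
        wire.extend(box.receive(msg))
        # The human answers any challenge that actually reaches the inbox.
        for m in box.inbox[seen:]:
            if m["body"] == CHALLENGE and m["token"]:
                wire.append(box.compose(m["from"], "confirmed", token=m["token"]))
    return [m["body"] for m in b.inbox], len(a.held) + len(b.held)

def forged_challenge_reaches_inbox():
    """A stranger sends something shaped like a challenge; is it delivered?"""
    a = CRMailbox("a@example.org", whitelist_outgoing=True)
    a.receive({"from": "bulk@spam.example", "to": a.addr,
               "body": CHALLENGE, "token": "guess"})
    return bool(a.inbox)

if __name__ == "__main__":
    print(simulate(False), simulate(True), forged_challenge_reaches_inbox())
```

The model trusts the sender address as given, so it says nothing about mail that forges the address of someone the user has already written to.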
does this mean that spam is a form of terrorism ?
This useless space for sale, inquire at front desk.
Think about the get-rich-quick-with-no-money-down real estate infomercials. Do you think the suckers buying these plans get rich? No, if they do succeed in actually closing a deal, the IRS has a big "profit on sale of depreciated property" surprise waiting for them. The bozo selling the books, tapes, and classes is the one raking in the dough. Same thing for the spam industry: the suppliers make the money (and stay out of the legal spotlight) while most of their victim-customers lose every cent they put into the SpamPlan(tm), and possibly much more if they are sued or prosecuted for wire fraud, obscenity, failure to pay sales taxes, etc.
The UN is totally irrelevant. They sit there and endlessly argue about resolutions and appeasement while the US has to go in and actually deal with brutal dictators who have demonstrated a willingness to use weapons of mass destruction. The UN would sit there and argue forever if we let them, until New York was vaporized by an Iraqi nuke.
I don't know how the hell you interpreted my post, but *I* am quite definitely NOT a spammer, and I DON'T randomly mail people out of the blue. People find my website via search engines and reference sites, come to look, and email me from there -- they have to actively inquire about my product. But they're 99% "regular joes" who don't know squat about email -- "if I click this link, I can send mail" is as far as they get before they're in over their heads. Dealing with a whitelist system would make most of them give up and go away.
BTW I don't normally flame back, but next time try reading what people wrote before going off the deep end.
~REZ~ #43301. Who'd fake being me anyway?
It's Deepak Ramachandran.
I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
Thank you for turning me on to curl
I'm not quite clear on these last bits. I man'ed curl (of course), and I've tried messing about with a "worthy candidate site", but haven't quite got it right. Would you be willing to show me an example for the type of form on the site of these scumbags? Many thanks
You, and several others, overlooked something about my post.
Notice that I didn't specify how the mail server would determine "if (sender is one of my users)" - ideally this would be a combination of SMTPAUTH, source address checks, possibly even an SSH style public/private keypair system.
www.eFax.com are spammers
Auto industry:
I know that in 1999 automotive plant floor workers might share one computer. Hundreds of them using a single email account which contained the latest news. I believe the foreman would just print and post the news on the bulletin board (the corkboard type, no modems involved.)
There are still top executives in automotive and even information technology companies who have their secretaries print all their email.
One IT executive in the auto industry returned his laptop (which docked at the office to be his desk computer) for an upgrade after 10 months without turning it on. He did take it home every day. I was there when IT booted it to the script that runs only the first time. IT was wondering if they would be better off if they gave him an empty case: less weight for the executive to carry, cheaper for the company, but decided against it because he was a VP of IT, and there was always a chance that a vendor might ask to demo software on his laptop.
---
Since 10 years ago was 1993: Yes, the computer using world has changed dramatically.
Before 1995, computers were definitely in the work place, but few outside IT used computers at home, not counting game machines. Commodore and Apple sold productivity software, but almost all of the uptime was used to play games. (Off-topic: I do not remember one crash from those days.)
The Internet changed that. Between 1995 and 1997, most people were buying their first computer. The PC sales crash was because everybody had one that did everything they wanted, so nobody was buying more. US PC sales are in maintenance mode. The only way to increase sales in the US is to send surges along the power lines. Watch out if Intel or HP start buying power companies.
1996 marked the change in my family from "Oh no, he's talking about computers" to "Windows is slow. Can you fix it?" That's how you decide when computers were everywhere.
I spend my life entertaining my brain.
nah, they didn't overlook anything. You posted your allegation that Outblaze is running 'open mail servers' without any proof to back it and you provided a set of rules that was used by sendmail and which allows spammers to abuse it and you call it 'modern'. If anything, the posters put things in the clear with proper actions attached too.
Let me address your points in order:
You posted your allegation that Outblaze is running 'open mail servers...
Actually, if you read my post you will see that I was questioning the way the article was written - I was saying that the article implied Outblaze was running open servers.
you provided a set of rules that was used by sendmail and which allows spammers to abuse it...
No, because were my rules implemented the only ways a spammer could use the system would be to either spam the users of that system only, or to be a user of that system. Unfortunately, no ruleset will stop a spammer from abusing an SMTP server in that fashion.
www.eFax.com are spammers
No. You did not give that impression at all. You posted: Having received spams relayed by Outblaze servers, I don't think that's what is happening. I think they are running open mail servers, and trying to keep the spammers from using them.
After your 'modern' rules for a non-relaying setup, you make the above comment. You are nowhere saying the article implied that Outblaze was running open servers. First of all, you give your own interpretation of the article that you think that the article is saying (which it is not) that Outblaze servers are RELAYING spam and not being flooded by spam destined to accounts within Outblaze. You yourself say that the article reports that the guy had to block off a flood of mail from spammers to his system and then you add your interpretation that the mail is not destined for his system but was going through his system and you give the spurious reason that the mail was for relaying because he shouldn't be accepting them in the first place but since he is; it must be for relaying. Then you give your out-dated rules that supposedly tells spammers to go away and then state without proof that you have received spam relayed by Outblaze servers and finally conclude your interpretation that Outblaze is running 'open mail servers' which can only be if they were relaying spam.
Let's see proof of spam being RELAYED by Outblaze servers which you say you have received.
were my rules implemented the only ways a spammer could use the system would be to either spam the users of that system only, or to be a user of that system. Unfortunately, no ruleset will stop a spammer from abusing an SMTP server in that fashion.
Sorry, your rules match one a sendmail box could implement and that would also be abusable. Coincidentally, Outblaze uses sendmail but not with your kind of rules AFAICT. The portion about if sender is one of my users could be implemented in sendmail as: if sender address domain is one of mine (eg: mail.com RELAY in access table) then accept and relay the mail. Any sendmail box using this configuration can be abused by forging the domain in the sender address and this is quite common among sendmail installations that are abusable. Sendmail is the only MTA that does this too.
Oh, Outblaze only provides smtp-auth relay service for paying users and they go through different servers than the ones used to accept mail for its users. I'm sure spammers are ready to lose money paying for an account to send their spam.
Nah, you were not questioning the way the article was written. You were giving your own interpretation of what was reported in the article. Then some Anonymous Coward came along and now you are defending yourself and blaming the article. Nice try.
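The two readings of "if (sender is one of my users)" argued over in the comments above, as an added comparison that is not taken from the thread or from any sendmail configuration: one rule trusts the client-supplied envelope sender's domain, the other trusts only SMTP AUTH or the connecting address. The domain `mail.example`, the networks and the sample sessions are constructed.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"mail.example"}                       # constructed
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed office range

@dataclass
class Session:
    client_ip: str
    authenticated: bool  # SMTP AUTH succeeded on this connection
    mail_from: str       # envelope sender: whatever the client chose to type
    rcpt_to: str

def domain(addr):
    return addr.rpartition("@")[2].lower()

def is_local_delivery(s):
    """Mail for one of our own mailboxes is accepted from anyone."""
    return domain(s.rcpt_to) in LOCAL_DOMAINS

def accept_by_sender_domain(s):
    """Weak rule: 'one of my users' is judged from MAIL FROM alone."""
    return is_local_delivery(s) or domain(s.mail_from) in LOCAL_DOMAINS

def accept_by_session(s):
    """Stronger rule: relay only for authenticated or trusted-network clients."""
    ip = ipaddress.ip_address(s.client_ip)
    trusted = s.authenticated or any(ip in net for net in TRUSTED_NETS)
    return is_local_delivery(s) or trusted

# Constructed sessions covering the cases raised in the thread.
SESSIONS = {
    "inbound_to_user": Session("198.51.100.7", False,
                               "stranger@other.example", "user@mail.example"),
    "roaming_user_auth": Session("203.0.113.9", True,
                                 "user@mail.example", "friend@other.example"),
    "office_client": Session("192.0.2.15", False,
                             "user@mail.example", "friend@other.example"),
    "forged_sender_relay": Session("198.51.100.7", False,
                                   "anyone@mail.example", "third@other.example"),
    "plain_relay_attempt": Session("198.51.100.7", False,
                                   "x@other.example", "y@third.example"),
}

def compare():
    """Map each session to (weak rule verdict, stronger rule verdict)."""
    return {name: (accept_by_sender_domain(s), accept_by_session(s))
            for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} sender-domain={verdicts[0]!s:5} session={verdicts[1]}")
```

The only row where the rules disagree is `forged_sender_relay`, which the sender-domain rule relays and the session rule refuses.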
Oh I read what you wrote, as well as your discussions with several others. I'm not accusing you personally of spamming, you appear completely ethical. You have my sympathy, for trying to use email to contact those too clueless to know how to use it. You have my sympathy for trying to _teach_ email to those too clueless to understand how to use it, for that matter.
Indeed, whitelisting is probably unworkable for your sales contact/response application. This IN NO WAY MAKES IT UNETHICAL.
I refuse to accept that, for the purposes of general email (NOT sales contact, where a higher level of convenience is required), the laity is SO stupid that they cannot deal with a politely worded and conveniently responded-to whitelist reply request. "Regular" people deal with double-opt-in lists all the time. In general, if you're too stupid to use email I don't really want to correspond with you anyway. "You must be at least this tall to ride". I fully realize that as a businessman you don't have the option of refusing stupid people's money.
My point was that my real, personal email address has become a very private data item which I disclose as reluctantly as my SSN. If that's the only mechanism you have in place to attract contacts, well, you'll not be hearing from me that way.
Good luck.
Exceeding the recommended torque is not recommended.
[blink] Oh, I seem to have somehow got attached to the subject line, which I posted under (having no real reason to change it nor any better ideas as to what it shoulda been) but didn't invent.
:(
:)
To clarify, *I* don't think whitelisting is "unethical" per se, but I *do* think it's broadly impractical, and only of use in specialised cases, such as people who don't use email except for a very limited set of contacts.
If you fall into that category, great, fine with me if you want to use it... so long as you're honest in your use thereof! I've personally seen the whitelist process used to spurn bug reports some coder didn't want to see, and in that case, it was indeed "unethical" (pretending to be unable to hear user complaints).
Yeah, you should see some of the hoops I myself jump thru trying to get people to use email correctly without feeling any strain that would turn them off becoming a customer. Frex, I have an automated mailing list signup -- which even has an instruction page (you can't sign up without going there first) and a cartoon character you can't miss if you try, visually yelling "STOP! this is only for subscribing, it is not for inquiries, yadda yadda" -- yet I still get people who try to send correspondence to the mailing list (to which only I can post). If the list didn't go thru our BBS, where the sysop catches these morons' mail and forwards it to me, they'd be left out in the cold. But there is only so much you can do -- when people run a stopsign, wrecks will happen. *sigh*
I also do SOHO support, and it's amazing how many times average users will do exactly what you told them not to (can't always prevent that with tech tricks), then wonder why stuff stopped working.
Geeks tend to forget that 99% of users are non-geeks.
~REZ~ #43301. Who'd fake being me anyway?
[blink] Oh, I seem to have somehow got attached to the subject line...
I probably had you confused with the guy who changed the title.
You also made a remark before about a software developer refusing emailed bug reports.
Was this FREE/GPL software, or commercial software?
If the former, the developer is under little obligation to listen if he does not wish to.
If this was commercial software, we all know that customer "support" and bug fixing represent after-sale co$t$ that commercial developers prefer to avoid.
Yeah, even though it _is_ "unethical".
The actual mechanism employed in the avoidance has little to do with it.
I *do* think it's broadly impractical, and only of use in specialised cases, such as people who don't use email except for a very limited set of contacts.
Whoa! This describes most induhvidual users of personal email. Most have a fairly short (under 100) list of family and friends with whom they exchange email. They want email only from people whom they already know, no spam please. Addresses are distributed via personal contact: "Oh, yeah, the first time you send anything to me you won't get through the spam barrier - you'll just get a reply from my whitelist manager. All you'll have to do to that is hit "Reply" and send it back."
Of course you'll hear: "What's a 'whitelist'?"
"Well, it's a spam elimination technique which...."
And I think you'd have the interest of any email user.
Also, when you exchange email addresses with a contact, you _could_ go ahead and put the new address into your whitelist and save even the trouble of that initial reply. That's how I'd handle my Mum.
Whitelists are no problem on a personal scale. Yes, the level of expertise required is a barrier to many. A good (l)user application might be some easy-to-configure (and easy-to-share with yer friends) scripts to handle this automagically.
No, they're not for everybody (particularly your website), and I don't represent them to be, even if the parent thread was titled "Whitelists are the Answer".
Exceeding the recommended torque is not recommended.
Well, it's not like confusion doesn't reign supreme on Slashdot :)
The whitelist that was apparently used as a "bug filter" was for some GPL project.. but I don't consider that a good excuse, especially since whatever it was (by now I've forgotten) had a web page that solicited comments.
"GPL = Not obligated to be responsive to users" is a great deal of why I've lost most of my initial enthusiasm for opensource. Yeah, maybe it's *literally* the case, but in my observation "not obligated" is mostly used as a cop-out. If someone really, truly wants no obligation to the users, then they should go public domain or at least BSD lic. If you keep the authority of copyright, you should also retain the responsibility of at least making an effort for the program's users. Too many of these people want authority without responsibility.
Back to the nominal topic.. whitelists may be no problem "on a personal scale" for you and people you're willing to help out, but 90% of average users wouldn't know what to do with them even if they loved the idea of zeroing out spam. That's why mailing list reply-to-confirms have progressed to where all it looks for is the user-ID hash in the subject line; they now mostly *assume* the user will screw up the message body.
My observation is that for most people, yeah, there's that 100 or so *personal* contacts, but there are also tons of machine-generated mails these same users NEED to see that WILL get bounced by a whitelist system, because they'll also stop perfectly legit but MACHINE-generated messages. Frex, ebay bid confirms and autoconfirms from mailing lists, which often don't come from a predictable address. (There was a long article re such problems with whitelists in today's Tourbus newsletter.)
~REZ~ #43301. Who'd fake being me anyway?