Slashdot Mirror
Fighting the Hydra -- A Spam Warrior's Tale
Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"
I think this article does bring up a good point that people do tar Asia with the same brush in that you can just block them and have no problems. Its nice to see someone doing a decent job. For more fun on fighting spam see NANA
rus
Cheap UK and US VPS
No matter what he does, he can't please everyone. According to Tiffiany Mork, senior abuse engineer at Allegiance Internet, a very thick skin is a requirement for an abuse-desk worker. Her typical day includes verbal harassment, screaming, threats, and "all manner of nasty things."
Like that is different from working in any other kind of helpdesk!
... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
Yes, it's like the horde of trolls striking while other people are trying to discuss the subject at hand.
This whole spammers versus spamblockers has proven to be a destructive arms race.
Many legitimate machines and users - even whole ISPs - unfairly end up on blacklists, while the spammers just find another way through.
The spamblocker tools and their heuristics get smarter, but don't forget that spammers keep up with these tools and constantly find new ways around them.
I was using Razor and SpamAssassin for months. Formidable combination - networked blocklists plus pattern matching. Gave me a bit of peace. Very few false negatives. But in the last month, I've seen a whole new generation of spam coming through that the filters don't even touch.
Peace has finally come from a package called Active Spam Killer, a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.
There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up.
Result?
Spams to my mailbox have gone from 40 a day to zero.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.
A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Every day, 80 percent of all incoming mail to Outblaze is rejected as spam and filtered out before Ramasubramanian and his team have to deal with it. Out of the remaining 15 million messages per day that do pass through Outblaze servers
So if 15 million messages is 20% of what they get, they receive 75 million individual messages a day? That seems a little high...
Time for all responsible ISPs to assign their own anti spam reps, reach out, get a list of ALL isps, contact their anti spam reps and take action.
:]
Get organized and form a plan but first, get organized on a global level.
Then kick some ass and pool for legal action against the thieves.
- Zav - Imagine a Beowulf cluster of insensitive clods...
Just the thought of this makes me sick.. Almost as sick as those who make spamming profitable.
Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?
Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".
But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.
There are two parts of this that bug me:
"There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up."
And how do you feel about making all innocent senders of mail do extra work, while spammers simply ignore it and move on?
I simply cannot justify that, based on the redistribution of workload and increased aggravation - you send me a bounce message, I consider your email address invalid whether that bounce is "500 address unrouteable" (a valid, understandable error) *or* "500 I Don't Like You" - which I consider frankly offensive.
Go back to SpamAssassin, get 2.50 or better, which includes Bayesian analysis as well as all the above. Or just shove a Bayesian filter in the way after SA; here, I have outright regexp-based rejection and SA in exiscan, followed by bogofilter in procmail - very few spams get past the first hurdle (From: headers snarfed from Usenet) and those that do are caught either by SA and/or bogofilter.
This way happiness lies.
~Tim
--
Rushing on down to the circle of the turn
If 50% of all mail in the US is spam, then the other 50% must be the bounces for all that undeliverable mail!
I run a mail gateway for a medium sized company, and although not on the scale of a large ISP, I see many of the same problems. Dealing with spam on a gateway level is quite different from dealing with a single personal mailbox. And spam flooding has gotten much worse in the last few months. Getting over a 1000 messages in under a minute can really start to tax your infrastructure. Actually from my own observations, I'd say that at least 75% of all mail is spam, and 80% of that is undeliverable.
Of course one of the big problems as Ramasubramanian points out is that spammers are getting very sophisticated at impersonating other entities. This results in a large number of bounces being directed back to the wrong guy. So not only are you getting spammed, but you are also indirectly spamming the poor guy who is being impersonated with your flood of bounces. And the bounces also cause other problems because it tends to fill up your outbound mail spools, as well as making the required postmaster account near useless sometimes.
One thing I've learned is that a mail administrator must be very careful about constructing blacklists and filters. I use sendmail and make heavy use of it's milter programatic filter interface. It's amazing how being able to analyze the mail at the protocol level (such as the HELO command) helps identify impersonated mail that can't just be done by only looking at mail headers or the message body. It is also possible to help correlate large volumes of nearly identical inbound mail from a large number of different servers, as well as correlate them with large number of undeliverable outbounds. I'm also very careful to check whois an other registrar databases before adding blacklist entries, to help prevent blacklisting the wrong guy. But I do admit that for a few of the most audacious flood attacks, I actually have to resort to iptables firewall blocks to stop it even before sendmail sees it. I really dislike having to disobey the SMTP standards, but spam floods are IMHO just as destructive as worms and viruses!
The thing I fear most as a mail administrator is not the inbound spam, but that some spammer may start impersonating my company! We'd start getting placed on blacklists and blocked, plus we'd start getting flooded with all those bounce messages (probably an order of magnitude more than direct spam). How can one possibly protect against that?
<link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />
(yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.
The other thing you mention, I think that is what is meant by a Teergrube. Marc Merlin has some good stuff on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.
Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being.
First.
Get off the USA bashing kick, all countries look after their own economic needs. (aka, sweat shops are illegal in the USA, but the WTO says that in 3rd world countries as its the only work available, they are legal...)
Second.
The USA (aka Federal Government) has nothing to do with Spam guidelines unless its a Federal Law. (Which could be considered a violation of Interstate Commerce, thats part of the reason no laws are passed at the Federal level... btw, IANAL...) This is also why we are trying to pass State level laws for Spam.
But, if ISPs who want to deal with SPAM can join blacklists, whitelists, coalition, etc. Nothing is stopping them. But on the Other side, there is money to be made in Spam, and companies willing to make a buck will do it. (All around the world, not just the USA or Hong Kong.)
Shuresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.
Check his postings from the Google Groups archive.
/me shudders
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
How do people feel about scripts to fill website logs with crap? Here's mine, quick and dirty, written in about 30 seconds because I was pissed off:
#!/bin/bashCOUNT=0
while [ $COUNT -lt 10000 ]; do
lynx -dump http://www.resumeagencies.com/recruiterspage.asp?
sleep 1
let COUNT=COUNT+1
echo $COUNT
done
Note the fact that I'm calling what I hope is a dynamic page, so with luck, I'm wasting their server's processor time. The script is otherwise, as you can see, completely unrefined.
Legality, anyone? Other problems (despite the obvious fact that I have to waste my bandwidth to fuck with spammers)? Obviously, it's a DoS attack of sorts, but then again, so is an unsolicited e-mail. If they want to challenge me legally on that point, then I will do the same to them. My website very clearly points to the policies which apply to all e-mails sent to my domain.
Fire and Meat. Yummy.
>According to the article, this guy is having to >block off a flood of mail from spammers to his >system. The way I read the article, this flood >is not for Outblaze users, but just for >relaying. Why the bleep does his mail server >even accept this mail? Any modern sensible set >up mail server should follow a ruleset like:
Don't put words in Suresh's mouth. He said he was trying to deal with a flood of BOUNCES to his system because the spammers FORGED addresses serviced by Outblaze.
>
>if (sender is one of my users)
> accept
>else if (recepient is one of my users)
> accept
>else
> bugger off spammer
>endif
Twit. Anybody who runs his server like this is bound to be abused by spammers because ANYBODY can FORGE the sender. Any modern sensible setup will NEVER use rules like this. All modern sensible setups use these rules:
1) for ISPs who have dialup/broadband users:
if email is from ISP network ips = RELAY
if connection authenticates via POP-B4-SMTP or SMTP-Auth = RELAY
if not, if recipient is ours = ACCEPT
else DENY
2) ISPs who do not have a bunch of ips to relay for:
if connection authenticates via POP-B4-SMTP or SMTP-Auth = RELAY
if recipient is ours ACCEPT
else DENY
>Having received spams relayed by Outblaze >servers, I don't think that's what is happening. >I think they are running open mail servers, and >trying to keep the spammers from using them.
I think you are lying and not very good at it. 1) Post headers with proof that they are 'open mail servers'. 2) There are plenty of spammers out there who would love to make use of the delivery capacity of a system that can deliver 15 million emails daily and there are more who are anti-spammers who would immediately recommend Outblaze servers be listed on SPEWS, ORB, SPAMCOP and other RBLs but for some reason they haven't.
>I could be wrong, but that's how I read the >article.
Looks like you need to go back to school and take comprehension tests and I doubt that will help since the post you made shows an obvious attempt to badmouth Outblaze. Not much a school can do when the problem is not in the mind.
Which, of course, raises the possibility of dropping "bunker busters" on the offices of spammers. ;-)
I fully support this idea.
--- Ban humanity.