Osirusoft Blacklists The World
NSXDavid writes "Earlier today our site mysteriously ended up on Joe Jared's Osirusoft SPAM blacklist which is used by lots of antispam software (like SpamAssassin and sendmail). Since he is currently under a serious DDoS attack, there was no way to appeal this decision. We contacted Mr. Jared by phone who informed us that 'everyone needs to stop using Osirusoft and that he's going to be shutting the service down.' Then he says he's going to blacklist 'the world' (aka, ban *.*.*.*) to get his point across. Later on this evening, he apparently went ahead and did just that. Succumbing to lawsuits and DDoS, a once great blacklist is dead. SpamAssassin is removing it from their config in the next release (rc3) and email admins around the globe are reconfiguring their mail servers."
For mail admins around the world try these alternatives.
bl.spamcop.net
one of the best blacklists, it catches a huge % of incoming spam, and virtually no collateral damage.
blackholes.easynet.nl
almost as good as spamcop, and seems to nail a lot of the spam hauses
dynablock.easynet.nl
nukes a lot of the dsl and dialup spammers
argentina.blackholes.us
south american country, what more needs be said ? : )
brazil.blackholes.us
ditto
cn-kr.blackholes.us
china and korea, what more need be said ? : )
turkey.blackholes.us
whole lotta spammers here
sbl.spamhaus.org
a bit too conservative for my tastes, but gets a lot of spam gangs, and has very low collateral damage
bl.reynolds.net.au
if you want to use the spews list, this provides a feed for it
malaysia.blackholes.us
another spammy asian country
wanadoo-fr.blackholes.us
one of the worst european isps
hongkong.blackholes.us
another spammy asian country
Lawyers, MBA's, RIAA? A jedi fears not these things!
This could turn into the same sort of gang-induced protection rackets as in meatspace. What would a company or individual do if a cracker group sent them an email saying, in effect, "Do $this or you're off the net."
It's hard to see a good technical solution for this. It's a tort -- and possibly assault -- like any other physical intimidation tactic, and will probably only stop if legal means are brought to bear.
Unfortunately, tort suits are hard to press across continents.
In your prefs file:
score X_OSIRU_OPEN_RELAY 0
score RCVD_IN_OSIRUSOFT_COM 0
score X_OSIRU_DUL 0
score X_OSIRU_SPAM_SRC 0
score X_OSIRU_SPAMWARE_SITE 0
score X_OSIRU_DUL_FH 0
Everything's gonna be all right.
I have been fighting problems with spews for months with the last 3 Class C IP blocks that we have received. It was the worst attempt that I have ever seen at a blacklist. Seems like they should have whitelisted everyone instead of blacklisting them. Going to be a lot of pissed off people tomorrow I'm sure.
You should /not/ use the spamcop DNSBl for blocking, as Spamcop themselves state. See:
http://spamcop.net/bl.shtml
Spamcop lists on a statistical basis, based on headers of spam reports they receive. This means they also blacklist the upstreams of regular spamcop users (because if all of spamcop user X's mail comes to him via ISP Foo, then ISP Foo's mail server will be in all of user X's spamcop reports).
Do not use the spamcop DNSBl for blacklisting - use it for tagging or scoring.
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
I think you also need to add this line:
score RCVD_IN_OSIRUSOFT_COM 0 0 0 0
because all those X_OSIRU_* rules add on to the score of this base rule.
No, SPEWS exists so that the people who are violently against spam can pass the burden of fighting it onto the people who are responsible for causing it, i.e. spam-friendly ISPs.
The fact that "innocents" are caught up in the block is unfortunate, but unavoidable from a practical standpoint. SPEWS doesn't list netblocks because they have a spammer or two present. SPEWS lists netblocks because the ISP knowingly and willfully hosts spammers even after they have been notified about them. Once the spammers go, the listing goes. Usually quite rapidly.
Blocking entire IP blocks is nothing short of techie-terrorism. In other words, you can't convince the real wrong doers to stop, so you harm the innocent bystanders to try to get them to revolt.
In some cases blocking whole IP blocks was justified. I prefer spamhaus as a whole because it makes my life easier when making a value judgement whether or not to block a whole block.
Spews does not seem to acknowledge the fact that they practice a form of censorship by encouraging others to censor out specific sites. What I find worse are their users who don't seem to understand that they are censoring sites. I use spamhaus myself and I freely admit I'm the final censor who is engaging in the censorship of unsolicited marketing materials.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
I for one receive NO spam whatsoever. I run my own email server with NO spam filter either. I just never post my email address... ANYWHERE. It is easy to avoid receiving it: don't post it anywhere, and don't sign up for those "win one million dollars by shooting the moving monkey" ads. Now to be honest this IS excluding the occasional spam from inktomi trying to get me to sign up to get my site listed on their search engine, but compared to others who receive hundreds or more pieces of spam mail a day, this is nothing.
I've seen a LOT of people here who are glad that osirusoft is down because they've got listed along with the spammers in the past. I think they are missing the point on why they got listed and I will attempt to explain the philosophy of the more militant blacklists like Spews, Osirusoft, etc.
Many mail admins (including myself) consider spam to be network abuse and liken it to a criminal offense. Simply blocking the IP of the spammer itself has been shown to not work very well or for long, as the spammer jumps to a different IP addy, often in a different /24 than he was originally in.
In response to ISPs shuffling the spammer around, more aggressive blacklisting was done by the above mentioned blacklists. This instantly got a lot of the ISPs to pay attention and clean out their spammers. It also pissed off a lot of "innocent" users as well.
I say "innocent" because technically they are not pure white innocent, but more of a gray color innocent, because directly or indirectly, they ARE supporting spam. How so? Imagine the following.
Your next door neighbor is an islamic terrorist (spammer). Definitely a criminal. And his landlord (isp) (who is also your landlord) knows he is a terrorist and continues to willingly provide housing for him. In response, the FBI (the blacklists) blocks off your entire street (/24) (which the landlord owns all the housing on) and conducts house to house searches looking for terrorists. You complain when your house is searched. "But I am not a terrorist (spammer)". After finding out your landlord is housing terrorists, you continue to live there and pay rent to him, even though he is harboring terrorists and refuses to remove them from his property. As a result of you continuing to support your landlord financially, your house keeps getting searched every so often (you stay on the blacklists with the spammer).
Now what do you do? Do you keep paying the landlord and supporting terrorism indirectly? Or do you move out and get a better landlord ?
That's why you guys are on blacklists. It's not that you've done anything directly wrong, but you're supporting spammy isps. The quickest way to find out if your isp is a spam haus is to go here.
http://www.spamhaus.org/sbl/isp.lasso
public key encryption is a good model
must... stay... awake...
http://www.somethingawful.com/articles.php?a=160 5
SPEWS does not list until after an ISP refuses to take action after being notified of AUP violations. That your IP range was listed in SPEWS means that your ISP refused to act for quite some time -- as initial SPEWS listings only cover the spammer's IPs and they do not expand to other IPs until after the ISP takes no action and lets the criminal stay up and running.
Once again, the wrong target is attacked. Your ISP was negligent, that is why they were listed in SPEWS. Had they booted the spammer when it was first reported, there would have been no problem. Contrary to the lies of anti-SPEWS whiners, SPEWS does not list an entire ISP's IP range the nanosecond after a single spam run.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Alternatives are confirming the email (respond with this specially crafted string as subject) or running some computationally expensive operation.
Unfortunately, spammers already cracked this one, too. Any information used to get past filters will ultimately be presented in the header (otherwise is illegal). Get a sample, run some numbers and bam: you have an algorithm.
I need not go further into the explanation for most to know how they did it. Probably don't need much more proof either, for many receive spam with keys in their subject or headers.
Someone before mentioned: "...We need to get rid of SMTP..."
He was right as day.
Of all the Universal Constants, here's one I know: Nice guys finish last
No. It's like people boycotting all of the stores at a mall because the mall allows one of the stores to sell drugs -- and moves the drug dealer to different stores at random to avoid police raids (leaving an innocent shop owner to be the target of the raid).
Did it ever occur to you that ISPs do not get blocklisted in their entirety for signing up newbie spammers?
Did it ever occur to you that most career spammers that WOULD cause the ISP to get blocklisted to hell and back are all known and the reason why ISP's still sign them up is because they either do NO background checking or get greedy by the extra money the spamming scum is handing to them?
In Soviet Russia, I ruled you
Just one zero is needed, as it will disable the test for all modes.
By default, the OSIRU tests are enabled only when running in network mode, so if you haven't customized your configuration and changed that, then you are in the clear - but it's a good idea to disable these tests nonetheless.
Can't send an e-mail to my server because I blocked your domain? Too f-in bad. Contact your "customer" with a letter or by phone.
But if YOU are my ISP, and I'm a paying customer with an inbox, I expect that I will receive mail that is sent to me. If this is not the case, you need to specify that to me so I can decide whether I want to use your service.
By blocking mail to my inbox, which I've paid for, you could possibly even be considered in breach of contract.
Of course, if you're just running your own server, you're free to do what you want with it.
He does tell us. There is a new TXT record that has been inserted by the owner of the DNS site, and it carries his message in plain English:
$ host -t TXT IP.relays.osirusoft.com
IP.relays.osirusoft.com text "Please stop using relays.osirusoft.com"
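The lookup shown above is the same mechanism every DNSBL-aware mail server uses: reverse the octets of the connecting IP, prepend them to the zone, and treat an answer in 127.0.0.0/8 as "listed". What follows is an added example (not code from the post or from Osirusoft) of that query plus the sanity check a server should run before trusting a zone, so that a list which starts answering for every address, as described in this thread, is skipped instead of bouncing all mail. The zone name bl.example, the stub resolver and the listed addresses are constructed for illustration; the sanity test (127.0.0.2 must be listed, 127.0.0.1 must not) is the convention later codified in RFC 5782.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# resolve(name) -> list of A records as strings, or [] for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects:
    203.0.113.5 checked against bl.example -> 5.113.0.203.bl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the IP
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A listing is signalled by an A record inside 127.0.0.0/8.
    Any other answer (or no answer) is treated as 'not listed'."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")
               for a in answers)


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """Health check before using a zone for blocking: 127.0.0.2 must be
    listed (the zone is alive) and 127.0.0.1 must not (the zone is not
    answering for the whole world)."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


def decide(ip: str, zone: str, resolve: Resolver) -> str:
    """Per-connection policy: skip a zone that fails the sanity check,
    otherwise reject listed clients and accept the rest."""
    if not zone_is_sane(zone, resolve):
        return "skip-zone"
    return "reject" if is_listed(ip, zone, resolve) else "accept"


def make_fake_resolver(table: Dict[str, List[str]],
                       wildcard: Optional[List[str]] = None) -> Resolver:
    """Constructed stand-in for DNS: exact names from `table`, and an
    optional wildcard answer for everything else (a 'list the world' zone)."""
    def resolve(name: str) -> List[str]:
        if name in table:
            return list(table[name])
        return list(wildcard) if wildcard is not None else []
    return resolve


# Three constructed zone behaviours (sample data, not real listings):
HEALTHY = make_fake_resolver({
    "2.0.0.127.bl.example": ["127.0.0.2"],     # RFC 5782 test entry
    "5.113.0.203.bl.example": ["127.0.0.2"],   # one listed client
})
WILDCARDED = make_fake_resolver({}, wildcard=["127.0.0.2"])  # lists everything
DEAD = make_fake_resolver({})                                 # lists nothing

if __name__ == "__main__":
    for name, resolver in (("healthy", HEALTHY), ("wildcarded", WILDCARDED), ("dead", DEAD)):
        print(name, decide("203.0.113.5", "bl.example", resolver),
              decide("192.0.2.1", "bl.example", resolver))
```

Running the sanity check once per zone at startup (and again periodically) is what turns a list that has "blacklisted the world" into a no-op rather than a mail outage; the same check also catches a zone that has simply stopped resolving.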
First, this is more like because there's a terrorist in a town 30 miles from you, the military parks a tank in your living room until that terrorist moves out of state.
Second, were you aware that by consuming fossil fuels, you are funneling money to the middle east, which produces almost all terrorist threats to the United States? That's supporting terrorism. I don't see you volunteering to stop buying fossil fuels until the OPEC countries clean up their terrorist problem.
Third, the idea behind spam prevention is to make email MORE USEFUL for legitimate users. SPEWs does not meet that criteria, because it causes more problems for legitimate users than gain. Moreover, it hides the true cost because few people are fully aware of what spews is doing and why. Even most email admins using spews are NOT AWARE of how it operates. They should publish their philosophy everywhere related to it. If every SPEWS doc had said, "We block enormous blocks of legitimate users, trying to use collateral damage to force ISPs to take action against their tiny fraction of spamming users", SPEWs would be irrelevant today.
Finally, spews is horribly non-responsive and error prone. I still have a colocated server blocked because some ISP on a block that's not even in the same /10 as my ISP happens to have a similar name to my ISP. (The spammer was once a customer of my ISP; they spammed, they were removed. They moved across town to ISP #2, and continued to spam. But the customer name and my ISP name are highly similar. Spews concludes they are the same company, despite NO evidence but the name. Result: my ISP is permanently blacklisted on spews because of a spammer that is NOT on their network.) Both sets of IPs -- my ISP's and the spammer's new ISP's -- are in the same evidence file, and my ISP continues to look 'fresh' as a spammer because of activity on the other net.
put the following line in your local.cf:
score RCVD_IN_OSIRUSOFT_COM 0
The online checker repeatedly told me that my server would be scheduled for more tests, and would then be removed from the blacklist.
But this never happened. No further checks were made. My server was never removed from the blacklist. And what's more, Osirusoft refused to reply to any of my e-mails. They refused to even explain why they were blacklisting, despite the fact that on several occasions I politely requested either removal from the blacklist, or an explanation as to why I was on it. Ultimately I had to get a different IP address for the machine in question, which was extremely inconvenient.
I'm strongly opposed to spam. However, any company that offers services to block spam has to accept that they will sometimes accidentally cause problems for legitimate users, and they have to have mechanisms in place for such users to sort the situation out. Ignoring people who have legitimate complaints against you is not the way to do it.
You got it wrong: by signing with your public key, you and only you can verify that it was intended for you. That is not what you want; what you want is email signed with their private key, so you can use their public key to verify who sent it. If I sign all my email with my private key, everyone in the world knows that it is me who sent it, and I cannot deny it. If I sign outgoing email with your public key (because I can't know your private key) then only you can verify it, and then all you know is I intended for you to read it. To a spammer that may cost enough CPU that it isn't worth it, but it does nothing to help you track down who sent it. (Since much spam is for illegal things, tracking down who sent it would be very useful.)
Time again to discuss greylisting?
Looks to me to be an elegant, viable alternative to traditional black/white -listing, both of which require lists be maintained -- and well maintained. Sometimes very large, very centralized lists, which have ugly consequences when they fail.
From the Greylisting Web site (with bolding from me):
The Greylisting method is very simple. It only looks at three pieces of information (which we will refer to as a "triplet" from now on) about any particular mail delivery attempt:
From this, we now have a unique triplet for identifying a mail "relationship". With this data, we simply follow a basic rule, which is:
If we have never seen this triplet before, then refuse this delivery and any others that may come within a certain period of time with a temporary failure.
Anybody know where we are as far as a working implementation of this idea goes?
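The triplet rule quoted above, worked through as an added example that is not code from the Greylisting site or from the poster. The triplet is the one the Greylisting method defines: the connecting client's IP, the envelope sender and the envelope recipient. The retry delay, the expiry of unanswered triplets and the sample traffic are constructed assumptions; the point of the simulation is that a real MTA, which retries after a temporary failure, gets through, while a fire-and-forget or immediately-retrying spam engine does not.

```python
import time
from typing import Dict, List, Optional, Tuple

# A "triplet" as defined by the Greylisting method:
# (connecting client IP, envelope sender, envelope recipient).
Triplet = Tuple[str, str, str]

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylister:
    """Decision engine for the basic greylisting rule.

    delay: seconds a sender must wait before a retry is accepted.
    ttl:   seconds after which a triplet that never retried is forgotten,
           so the next attempt is treated as brand new.
    Both defaults are assumptions for this example, not from the post.
    """

    def __init__(self, delay: int = 300, ttl: int = 4 * 3600) -> None:
        self.delay = delay
        self.ttl = ttl
        # triplet -> (first_seen timestamp, passed flag)
        self.seen: Dict[Triplet, Tuple[float, bool]] = {}

    def check(self, client_ip: str, sender: str, rcpt: str,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key: Triplet = (client_ip, sender.lower(), rcpt.lower())
        entry = self.seen.get(key)

        # Never seen, or an old entry that never completed and has expired:
        # record it and issue a temporary failure.
        if entry is None or (not entry[1] and now - entry[0] > self.ttl):
            self.seen[key] = (now, False)
            return TEMPFAIL

        first_seen, passed = entry
        if passed:
            return ACCEPT  # relationship already established, deliver at once

        # Retry came too fast: spam engines that retry at all tend to do so immediately.
        if now - first_seen < self.delay:
            return TEMPFAIL

        # A well-behaved MTA retried after the delay: accept and remember it.
        self.seen[key] = (first_seen, True)
        return ACCEPT


def simulate() -> Dict[str, List[str]]:
    """Constructed sample traffic (not real data): one legitimate MTA that
    retries after 15 minutes, one spam engine that tries exactly once, and
    one that hammers the server every ten seconds."""
    g = Greylister(delay=300)
    legit = ("192.0.2.10", "alice@example.com", "bob@example.org")
    fire_once = ("203.0.113.5", "promo@example.net", "bob@example.org")
    hammer = ("198.51.100.7", "deal@example.net", "bob@example.org")
    t0 = 1_000_000.0
    return {
        "legit": [g.check(*legit, now=t0), g.check(*legit, now=t0 + 900)],
        "fire_once": [g.check(*fire_once, now=t0)],
        "hammer": [g.check(*hammer, now=t0 + i * 10) for i in range(4)],
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

A production greylister also needs a persistent store for the seen table, a whitelist for large senders that retry from a pool of different IPs (which would otherwise never match the same triplet), and an eviction policy so the table cannot be filled by a flood of unique sender addresses.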
i registered a new domain through ukreg.com and am getting spam to it already. mail at that account has never been used and the only online presence it has is a holding page at that domain's web page without an email address on it.
They already do. ISTR that a couple of recent viruses drop open proxies, even more evil than open relays (because of the other uses they have: bombing USENET, DDoSing, attacking websites and blaming it on someone else...)
Also, a certain popular provider of faux-"internet connection sharing" proxy software not only leaves it fully open in its default configuration, but it doesn't log either. You can guess the result.
In another recent thread, a suggested enhancement is for DNS to publish "allowed sender IP" addresses. The structure for this information is already there.
What is needed is for more people to opt in, in protecting their domains in this way, and for people to unilaterally start using that information. If any one of yahoo, aol or netscape opted into this approach I could well imagine it would cascade to comprehensive success overnight, forcing spammers to more obscure domains (such as my own - currently victim to a 12 month "Joe Job").
Because this is distributed information, it is not easily modifiable by spammers. Ultimately this sort of approach is the only one that can work.
Ultimately, I would be able to set spamassassin to add +5 for any e-mail coming from a domain that didn't publish this information, or -5 for any one that did.
And I would not be receiving 1000's of bounce messages for messages from spammers using my domain name.
Yes please. I want it.
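The scoring policy described in the thread above (+5 when the sender's domain publishes no allowed-sender data, -5 when it does and the connecting IP is in the published range), as an added example that is not code from the poster or from any mail filter. The lookup table stands in for the DNS data the comment says the structure already exists for; the domains and networks in it are constructed, and the separate, larger score for a sender that falls outside a published range (the forgery case behind the "Joe Job" bounces the poster mentions) is an assumption that goes one step beyond the comment. The example also accepts IPv6 client addresses, which the comment does not discuss.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# lookup(domain) -> list of allowed network strings, or None when the domain
# publishes nothing at all.
PolicyLookup = Callable[[str], Optional[List[str]]]

NO_POLICY = 5.0    # from the comment: +5 when the domain does not publish
MATCH = -5.0       # from the comment: -5 when it publishes and the IP matches
MISMATCH = 8.0     # assumption: published list exists but the IP is not in it

# Constructed stand-in for the published DNS data (sample values, not real).
PUBLISHED: Dict[str, List[str]] = {
    "example.com": ["192.0.2.0/24", "2001:db8::/32"],
    "example.org": ["198.51.100.25/32"],
}


def policy_lookup(domain: str) -> Optional[List[str]]:
    """Hypothetical resolver: returns the domain's allowed networks or None."""
    return PUBLISHED.get(domain)


def sender_domain(envelope_from: str) -> str:
    """Domain part of the envelope sender, normalised to lower case."""
    local, sep, domain = envelope_from.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"malformed envelope sender: {envelope_from!r}")
    return domain.lower()


def score_sender(envelope_from: str, client_ip: str,
                 lookup: PolicyLookup = policy_lookup) -> Tuple[float, str]:
    """Return (score adjustment, reason) for one message."""
    nets = lookup(sender_domain(envelope_from))
    if nets is None:
        return NO_POLICY, "no_policy"
    addr = ipaddress.ip_address(client_ip)
    for net in nets:
        # A v4 address is never inside a v6 network and vice versa; the
        # `in` test handles that by returning False.
        if addr in ipaddress.ip_network(net, strict=False):
            return MATCH, "match"
    return MISMATCH, "mismatch"


def score_batch(messages: List[Tuple[str, str]],
                lookup: PolicyLookup = policy_lookup) -> List[Tuple[float, str]]:
    """Score a list of (envelope sender, client IP) pairs."""
    return [score_sender(sender, ip, lookup) for sender, ip in messages]


if __name__ == "__main__":
    # Constructed sample connections (not real traffic).
    sample = [
        ("alice@example.com", "192.0.2.7"),      # legitimate, published range
        ("alice@example.com", "2001:db8::1"),    # legitimate over IPv6
        ("alice@example.com", "203.0.113.9"),    # forged use of example.com
        ("news@example.net", "203.0.113.9"),     # domain publishes nothing
    ]
    for (sender, ip), (score, reason) in zip(sample, score_batch(sample)):
        print(f"{sender:22} {ip:14} {score:+.1f} {reason}")
```

With the mismatch score in place, a domain owner who publishes their sending ranges gets the benefit the poster asks for: mail forged in their name scores high at receivers that check, so fewer of those messages are accepted and bounced back at them.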
Bah, no need to use blacklists. Just do what I did. I blocked all of APNIC from being able to connect to port 25 of my mail servers. Maybe a little drastic, but it has cut down spam by more than 70%.
It's better to burn out than to fade away
I'm sure that Dwork, Goldberg, and Naor are really happy to know this. Their scheme requires interaction (as do all of them I've seen) and has a quite reasonable complexity assumption.
As far as I know, NO ONE has implemented any of the reasonable schemes that I've seen float around the crypto community. You can, however, find the paper and slides from talks on google:
http://www.google.com/search?q=On+Memory-Bound+Functions+for+Fighting+Spam&ie=UTF-8&oe=UTF-8
If you actually do have a way of breaking any of these family of schemes, I'd be very interested to know how. But "get a sample, run some numbers and bam: you have an algorithm" isn't very descriptive. The point that those numbers have special relationships which are believed to be difficult to compute without knowing a special piece of information (called the trapdoor information) may be slipping by you. If you send a response to a query which wasn't given out recently by the server, it's not going to be accepted. If you give out a wrong response, it's not going to be accepted. The probability that one of a reasonable (polynomial) number of queries was given recently is quite small (negligible).
In any case, I'm very interested if you can break any of these schemes, since most of them reduce to useful complexity assumptions, which I'd prefer to avoid if they were false.
Lea
SPEWS sucks.
---rhad
Slashdot needs to interview Natalie Portman.
Moral of this story: Don't post your email in machine-readable format on the web. Period.
This morning SpamAssassin tagged the daily cron email as spam.
"He did, several weeks ago." Can you cite something public to support that? I can't find a post from Joe in any of the public fora focused on spam for months. I suppose one could consider the increasingly poor availability of DNS under osirusoft.com a message of some sort, but it surely wasn't a very clear one. (Note that I do not use Joe's DNSBL and have not and would argue that Joe Jared has been making DNSBL's look bad for a long time. )
man, that's a damn shame. oh well, at least we can all say for a little while that "TEH INTARWEB WAS FREE OFS TEH SPAMMERS!!" thanks to the wanton chickenhawks at Spews.org and all of the whiney asshats on n.a.n.a.e. who have nothing better to do with their lives than refresh their nntp browser, looking for the next person requesting removal they can jump in and flame (read: GET A LIFE).
Let me paint you a picture:
Some bottom feeding marketing contractor rents a crappy, darkly-lit, 1-room office in some crappy part of town, orders a cable line, 3 or 4 dsl connections and maybe a fractional t1 to boot. He buys a list of a few million email addresses and begins spamming like mad over one of the lines. After x amount of warnings, gets shut down, moves operation to another line, reorders service on the one that got shut down under a different name, and keeps going. This is a very typical scenario of a spam gang. I've seen/dealt with it many times. So taking cause/effect into account: what protection against spammers does a blacklist offer in this capacity? Nothing. At all. Spamming is a completely mobile enterprise. Only the isp gets hurt. Spammers aren't the least bit concerned about spews.org, or any other blacklist for that matter.
They don't sweat getting shutdown by the isps because they have other connection mediums waiting in the wing, and actually budget the service costs into their overhead without thinking twice, because the money they make is incredible.
I don't work for, nor have any association with brightmail, but they have a great product (if only my ISP would cough up the scratch and buy it...), but I think the mentality of spews could be summed up in their product review of brightmail (paraphrasing here, as the site is down and I can't get an actual quote):
"only stops spam in real time, does nothing
punitive against the spammer".
HELLO???!?!! Missing the point a little?? If you're not getting the spam, who gives a crap about the spammer?
It's pretty clear that these people and their associated usenet scene whores are just looking to skewer people, anybody really, over alleged spam. In this method of blacklisting, you're only hurting the ISPs. Nearly all (not all unfortunately) isps in the US will shut down a spammer if enough people complain. Killing email for (in some cases) up to 65536 other non-related ips doesn't help. If it did, spews (or any blacklist for that matter) would have been more successful. In the last year, we've had more active blacklists to utilize than at any other point in the history of the internet and spam has only gotten worse, not better. Spews & Osirusoft are a shameful failure.
Solutions: Whitelisting is an excellent option on an individual email account level. On a grander scale, make your representatives pass laws, put your money where your mouth is, and sue the spammers. They're in it for profit; when it becomes a greater liability, they might find a more worthy means of revenue.
The difference is that if SPEWS lists my IP, they're effectively declaring that I am spamming. This is libellous; I never spam.
Incorrect assumption. In fact, SPEWS is very careful to declare no such thing.
That you infer this meaning on it means nothing and does not make it libel.