Slashdot Mirror
Osirusoft Blacklists The World
NSXDavid writes "Earlier today our site mysteriously ended up on Joe Jared's Osirusoft SPAM blacklist which is used by lots of antispam software (like SpamAssassin and sendmail). Since he is currently under a serious DDoS attack, there was no way to appeal this decision. We contacted Mr. Jared by phone who informed us that 'everyone needs to stop using Osirusoft and that he's going to be shutting the service down.' Then he says he's going to blacklist 'the world' (aka, ban *.*.*.*) to get his point across. Later on this evening, he apparently went ahead and did just that. Succumbing to lawsuits and DDoS, a once great blacklist is dead. SpamAssassin is removing it from their config in the next release (rc3) and email admins around the globe are reconfiguring their mail servers."
My co-located server has been blacklisted by SPEWS for months now. And it's only because of a spammer elsewhere on my two-providers-up-the-chain regional ISP. And the spammer is on a different C-class entirely, yet my IP range was still included as punishment to the ISP. The fact that I suffer as a result doesn't matter to these people. Changing providers is not an option for me at this point (long story) so I've just had to live with it. I can't email several friends, and regularly field complaints from people who host on my server.
I believe in fighting spam, and I think that blacklists are a good idea to a certain degree, but I've always felt that SPEWS was too draconian, and had no option for recourse for those of us who were (as they put it) "collateral damage".
I posted to the referred newsgroup a few times, and got nothing but venom from the locals.
I'm not sad to see them go.
-- b0rk.
One idea I've had (or maybe I've heard it somewhere else, I can't remember) is authorization. Change the protocol, or maybe just implement at server, so that before anyone can send you an email they have to request permission. In that request they would identify themselves, and before they start emailing you stuff you would have to send them back permission. Anyone that is in your contact list would automatically be given permission. If it turns out to be spam you could revoke permission. Also analyze the email header and do reverse lookup to see if the domain names resolve properly. If a domain is spoofed, deny it automatically.
Perhaps this has been done before, and I'm sure there are flaws, but I am tierd of hearing about how big a problem this is, without hearing any good ideas about fixing it. Any other thoughts?
Sigs are out of style, so I'm not going to use one...oh wait..
I can't completely describe my satisfaction with Bayesian filtering. I've been using SpamBayes for a few weeks w/ Outlook (please don't smite me), and it hasn't let me down. I have received absolutely no spam in my inbox these last couple of weeks. Granted, I built up a collection of >500 unwanted e-mails, but it only took a couple of days :)
Robert Bindler
A Computer Science student's views on technology.
As someone who was blocked by both osirusoft and spews as part of their policy of blocking entire IP blocks, I feel no pity for them or for those who use them. In fact, I hope that at least some of them are learning their lessons.
The IP address of my server happened to fall a few dozen numbers away from that of a spammer. As a result, it cost me thousands of dollars in lost time and expenses to track down the issue, contact my isp and have them contact whoever it is on Mt. Self-Righteousness that takes you back off the list. Getting on the lists takes day(s), while getting off the lists takes weeks.
Blocking entire IP blocks is nothing short of techie-terrorism. In other words, you can't convince the real wrong doers to stop, so you harm the innocent bystanders to try to get them to revolt.
SPEWS and those that support them point the finger at the ISP while purposely hurting innocent small businesses like mine. It's time they take responsibility for the tools they provide, and in this way, they are no different than Microsoft.
I run a Postfix setup which uses Osirusoft as one of its blacklists, and going through my maillogs I see that the RBL was unresponsive early on the 24th, and then started answering again later in the day. It was down the 25th and most of the 26th, until it briefly came on and started answering only some of the requests with "blocked using relays.osirusoft.com, reason: Please stop using relays.osirusoft.com". But it wasn't rejecting everything as the 2nd article says - just a subset of our mail. The rejects might even have been legitimate blacklisted IPs - perhaps they just changed the rejection message so admins would see it in their logs?
Additionally Postfix is a smart enough MTA so that during the RBL downtime it didn't reject any mail - the default behavior is to deliver if the RBL can't be contacted.
Having been myself unfairly blacklisted (not by Spews, but by another list) because of the actions of my ISP, I really have come to have serious issues about the blacklisting process. I understand the principle - get innocent bystanders pissed off at their ISPs, then have them complain to their ISPs, or switch ISPs, and then ISPs change their behavior.
The problem is that many people, for a variety of reasons (geography being one) can't change ISPs, and many ISPs (mine included) did nothing in response to my complaints (because they knew I wasn't going to move). So what does this do? It certainly doesn't help anyone!
I hate spam as much as the next gal, and I think that the SpamAssassin approach (which is to label mail as spam depending upon certain criteria) is a much, much better approach than blacklisting.
> What happens when the spammers start using worms and viruses to create open relays on people you trust?
They already get through whitelists... a few months ago a person I provided free webspace for got a nasty porn spam with my address in the *from*. She was rather concerned. When she contacted me, I found that I had in fact recieved the same spam "from her." What's more, her address was a special purpose address that was only listed on the website I provided for her. A few lines lower on the site was a "Thanks to Scott Walde for providing this webspace for free" with a link to my email address. The only reason I can see for using email addresses found near each other this way is to get through whitelists. (software or human... I often scan the "from" to decide which emails to read.)
--srw
typically, there is a way for the sender to get onto the whitelist, without the recipient needing to take special action.
Alternatives are confiriming the email (respond with this specially crafted string as subject) or running some computationally expensive operation For example, postmasters of well adminstered machines may run a number factoring service: to prove that a non-whitelisted message isn't spam, they are willing to spend their computational resources to factor a largish number for you.
The idea for both of these is that the main difference between spam and legit mail is that a legit sender will have just a few recipients but many messages, and thus can afford a one-time-per-recipient hassle to get on a whitelist, while a spammer cannot.
Neither address distributed compromised senders, which is effectively a way for spammers to make others pay to get on whitelists. If whitelists become wide-spread, a worm-based mass-compromise is the only option left to spammers.
I don't see the problem. Well, personally at least. I mentioned to the wife, in March I believe, that I sensed something and nailed it on the head (spammers hi-jacking Windows PC's for relaying).
.01 of nothing that I'd want to show any REAL programmer at least. :) It's dirty, ugly, yet very effective...
:)I started peppering the Internet with email address' on USENET, and then web pages, etc.
:) -- and I frankly don't personally see it anymore. Literally. NONE. I read about it in the logs, of course. :)
/24 subnet. I arbitrarily see X number of subnets and I block the /16 subnet.
/8 ball after that and those are pretty much final. 210, 211, or 212 ring a bell to anyone?
... I'll take care of it...
/24 subnets [255]) :)
I have got to say. I sure do like the Unix's. Linux, BSD, OS X -- doesn't matter. A little thinking, some *shell* scripts, and even a few hack job "vi" scripts. Version
I've tried spamassassin, this filter, that filter. For me, my way seems to be working _very_ nicely. I use it at home (Linux), at work (Linux & BSD) and for a few architect friends/clients (OS X). Years ago now (right after the lawyer's emailed me
Those are my harvesting address'. Nobody should EVER email them, realistically. Oh the spammers like to try dictionary type attempts/attacks. Thanks -- I added those to the alias database as well for future attempts.
A couple of hacked up scripts (I'm working on it in C for even FASTER speed and some learning
Can it scale? Sure -- I'm figuring between 3-500 messages a _second_ isn't a problem. More will simply get queued and then I may notice a "lag" on my server. Bring it on. 1 IP and I whack the entire
It's the
Sure -- sometimes somebody will in inadvertently get blocked. The bounced message directs them to a web page explaining what to do next. BEST solution is to call me. You know me right? Heck, you probably have my 800 number... Oh, you DON'T? Piss off then.
Heck, I even spell out a completely external email address (@Mac.com) that you can forward the blocked message to
Ever wonder what those MAILER-DAEMON messages are all about? The Windows user's machine _starts_ the transmit of the message and disconnect. Your mail server sits there waiting for data from them to a local user -- which becomes un-deliverable and drops a note to whatever you use for the postmaster (can't publish THAT anymore, can we?).
Re-routed now. Thanks, got ANOTHER IP subnet to black ball.
I've racked up a large chunk of the Internet already -- and the stat's only seem to be increasing. Of course I've "white-listed" specific IP's of ISP's mail servers as needed. 3 so far I think. Most ISP's will put their mail server on a different subnet than their assigned IP's. Thanks. 1 white-listing was for a dedicated single IP user who's neighbor turned out to be a spammer. He had words with his ISP -- the spammer was kicked after that turned into conference call.
Sure -- some loser ISP will see more money from the spammer and side with them. We all know those ISP's -- and I've seen the same IP ranges in their listings as mine. I doubt the legit customer will remain there for long as I know I'm not the only one blocking them. Ultimately $$$ talks and the spammers are going to run dry eventually. They're now resorting to theft of services since they can't find legit connections anymore...
REJECT(S) TODAY: 482
Subnets Blocked: 434210 (110289340 total hosts in the
Percentage: 2.834% (3906250000 Internet addresses' [~3.9 BILLION] Served
Subnets TODAY? 142 (36068 total IP's)
Harvested: 49 messages
URL Lookups: 0
That's 49 messages today to some dummy account. No hits for the right web page (from a blocked message) in the logs... 142 IP's (now complete subnets
if one country bombards me with spam, and i get no legit traffic from that country, then that country gets introduced to my firewall. The mail and network admins in brazil DO NOT respond to abuse complaints. I do not do business in Brazil. Ergo, its a simple solution to plonk 200.0.0.0/8 port 25 into my firewall and be done with it.
Dont like it?
Then be part of the solution and start fighting network abuse in your country. Or you can whine like the rest of the plonked spammers and watch a boatload of mail admins nuke south america. There was an informal poll held in NANAE (network.admin.net-abuse.email) on how mail server admins block all of 200.0.0.0/8. And dozens if not hundreds of people replied they do block all of it. How long before it becomes thousands of networks block your country for spam abuse?
Lawyers, MBA's, RIAA? A jedi fears not these things!
That only works if I require them to sign mail they send to me, with my public key.
Possibly having a key system of public keys and private keys. You put your own private key out there, saying you'll accept mail with anything that signs their mail with the public key. You add any mailing lists you want public key, they sign all outgoing messages with their private key. Thus you'll accep their mail.
You can white list on anybody else you're willing, using a Web of Trust from PGP if they are considered "trusted" enough. However, that will lead to problems.
However, public and private keys will suddenly become tokens of value to spammers. Suddenly people will start creating worms, and scripted attacks to pull peoples keys. They will start trying to break into machines. It'll create a black market for trusted keys the world over. They'll just be new attacks, and new problems. Creating a large scale web of trust, won't work. A worm can easily go steal the tokens of trust, and then start using them to spam with. It'll just be another arms race.
Now letting forcing people to sign with your key is probably the most doable, but it also means that running mailing list software is a real, real CPU intensive application. I'm not particularly thrilled with that.
The only way to stop spam is to make it stop being cost effective, that involves causing e-mail to be an expensive operation if it involves untrusted e-mail servers.
Kirby
This is exactly why I think that SoBig is the perfect spamming mechanism. AFAICT, it essentially gets around nearly every non-content-based spam filter (ie Bayesian and SpamAssassin et al).
By sending spam from an amazing depth and breadth of compromised networks, it forces blacklist operators to go into "block everything" mode, which is so draconian that users of the blacklists will disable them.
As I posted in another story, if ISPs start blocking outbound port 25, the next iteration of the worm simply uses the Outlook SMTP settings to relay through the official MXs of the ISP. Given the flood of abuse reports, many ISPs (especially larger ones) are simply going to /dev/null abuse reports; they can be reasonably sure that their servers aren't going to end up in blacklists used by a lot of people (because heads will start to roll among the admins who use the blacklists).
By pretending to come from an address that has at most two degrees of separation from the recipient, they will get around a fair amount of whitelisting (this is exploiting the greatest flaw in TMDA and the like: trust of the From: address).
Spam is starting to hurt me a lot worse than I would have ever imagined. It's not the volume of spam I get, which is obscene, but rather the shotgun anti-spam efforts that we somehow get caught in.
:(
About a month ago Earthlink decided we were sending out spam and cut us off. So, despite the fact that we have no relationship at all to spam, we were unable to communicate with any of our customers who use Earthlink. After appealing, they realized the mistake and removed the block. How did it happen? Seems that if an Earthlink customer just accuses you fo spam you can end up on the list. Thankfully cooler heads prevailed at Earthlink and the matter was resolved quickly.
We were blocked by AOL once too. How ironic since we use to be their #1 3rd party content provider back-in-da-day (remember hourly?). They should have know about us. (grin) Fortunately that was resolved too.
Then, of course, today we got hit by SPEWS and that lead to our phone call to Mr. Jared. The poor guy was frazzled, and rightly so. But we had a legit beef...
Our business is entirely web based. We have to deal with a heavy volume of customer feedback, all of which want fast responses. Any hickup and we can get really far behind. But when we get blocked, we're almost helpless. We get an email "Hey, my character got killed by a ravenous bugblaster beast from trall!" And we write back, "Oh my, let me restore your character!" only to have it be filtered out by some shotgun blacklist. They get no response and start flaming us for "not responding". A day or more of this and things get really messy.
You start to feel like you are at the mercy of some so-called "authority" that could not care less about your guilt or innocence. If he or she wants to, they can just take you out. We've participated in opensource, contributed back, done the good netizen thing... yet this real-time blacklist thing hangs over us. We never know when something else like this is going to bite us. And maybe next time there won't be any appeal.
David Whatley
It's going to be functionally impossible to fix the problem of spammers opening an account and pumping email through it until it gets closed, but the transmission of email could be hardened by changing the SMTP protocol from 'call-up' to 'call-back'.
The SMTP protocol is set up to allow a host to contact another host and dump mail to it; there's no validation that the originating host is who it claims to be in the SMTP transaction. If you change the setup for the mail transfer connection to use the following mechanism:
This would establish a traceable chain of resolved hosts from the point at which the email entered the SMTP routing to its destination. Putting an email message into a mail transfer agent would still be vulnerable to the use of hacked or temporary accounts, but the upload would still require a trackable username and password for an account on the MTA. From that point, getting an MTA to accept an SMTP connection from a bogus host would require hacking the DNS server chain so that, when the receiving MTA host received the request, the IP address the passed hostname resolved to pointed back at the spammer's machine -- otherwise, you'd get a mail transaction sequence that looked like this:
Not a panacea, but it would make the mail hop path trustable until you start seeing hacked mail daemons that would mangle the mail hop path of any mail going through it -- but that would still leave the host with the hacked daemon having to identify itself, from which it could be blocked.