Slashdot Mirror


DoS Assaults Underway Against Spam Blocklists

Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.

40 of 797 comments

  1. Blacklists' downfall by Nonac · · Score: 2, Interesting

    I'm not condoning this DDoS, but the perpetrator is probably just some sysadmin running a legitimate, secure server that found its way onto some blacklists and got frustrated by all the red tape getting off the lists. This may be his last hope to get off their list.

    I wonder how many people really rely on blacklists anymore. I've tried using them before only to find out that over half of my legitimate email was being filtered and a significant amount of spam was still getting through.

    Bayesian is the only effective method I've seen for significant spam reduction.

  2. Might not be spammers by G-funk · · Score: 4, Interesting

    Of course it probably is spammers, but it wouldn't surprise me if some people who've had themselves blacklisted unfairly would like to ddos some blacklist servers into the beyond.

    Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.

    ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.

    --
    Send lawyers, guns, and money!
  3. SoBig by ifreakshow · · Score: 5, Interesting

    Earlier this week when people talked about the writer of SoBig leasing his virus network for spamming many people said spammers wouldn't want to be involved with virii/attacks. I think the DOSing of black list sites pretty much shows that the people sending spam have little moral problem with invading your computer to break the law.

  4. who says it's spammers? by tongue · · Score: 5, Interesting

    what makes you think it's spammers? there are plenty of legitimate email users with a beef against these fascists--me, for one. i had a domain on a subnet that's entirely blocked despite the fact that i don't have open relays nor have i ever done any kind of spamming. several of my clients within larger corporate structures couldn't receive email from me because some PHB read in DildoCTO Quarterly that these lists can stop spam--never mind the fact that they can stop any kind of legitimate email use as well. There were a LOT of times i'd wished i had had the wherewithal to undertake something like this; spammers or not, i applaud the culprits.

  5. distributed? by TheSHAD0W · · Score: 2, Interesting

    Might need to move these block lists onto a distributed network. If lists were sent out via a Gnutella- or BitTorrent-like system, using digital signatures to verify authenticity, it'd be impossible to DoS.

  6. Client-side blocking by jtoker · · Score: 5, Interesting

    I'm not too disappointed to hear of these new attacks. Conspiracy theories and the like aside, I'd rather have the responsibility for SPAM-blocking placed on the client side.

    Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.

    Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonomous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.

    Peas,
    j

  7. Re:It's illegal by Popsikle · · Score: 2, Interesting

    See the thing about DoS attacks is that they are normally (at least now-a-days) DDoS. Distributed Denial of Service.
    Attempting to find who is launching these attacks (it's not right that the media assumes it's the spammers) is VERY VERY unlikely.
    The only thing you can really do is filter the attack. You can't really block 1000's of different legitimate, even if they are compromised, from your services.

    Unless you can find the IRC Bot, which 99.9% of these attacks are controlled from, you can't determine who started the DDoS. Even if you find an IRC hostname, chances are it's BNC'd anyway, and what good would that do you.

    Yes it might be illegal, but the internet is still very much like the wild wild west, sheriffs have no control and there are too many wide open spaces to hide.

  8. Blacklists ARE useful by Gothmolly · · Score: 5, Interesting

    Because you can reject mail at the SMTP level. I typically get about 70 emails a day to my own server. About 40-50 get denied by a DNS based filter on qmail (rblsmtpd). Which means on average, only 25 get through to Spamassassin, where another 15-20 are deleted due to high spam thresholds. Then I get about 5-8 real emails, and maybe 1 or 2 spams that make it through (which Mozilla mail promptly eats as spam).
    If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
    DNS based BL is useful because it doesn't even let it in the door.

    --
    I want to delete my account but Slashdot doesn't allow it.
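
The SMTP-time DNS blocklist check described in comment 8, as an added example that is not part of the original thread and is not rblsmtpd's code. The zone names, the sample DNS data and the `fake_resolve` helper are constructed for illustration. Because the thread is about blocklists being knocked offline, the check skips a zone that does not answer instead of rejecting mail on a timeout.

```python
import ipaddress

# Constructed zone names for illustration; these are not real blocklists.
ZONES = ["bl.example.org", "dead.example.net"]

# Constructed DNS data: query name -> A records. Absent names are NXDOMAIN.
FAKE_RECORDS = {
    "99.2.0.192.bl.example.org": ["127.0.0.2"],      # a listed client
    "5.100.51.198.bl.example.org": ["203.0.113.1"],  # answer outside 127/8
}

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def fake_resolve(name):
    """Hypothetical resolver: returns A records, [] for NXDOMAIN, and raises
    TimeoutError for a zone whose name servers are not answering."""
    if name.endswith(".dead.example.net"):
        raise TimeoutError("no response for " + name)
    return FAKE_RECORDS.get(name, [])


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone:
    192.0.2.99 -> 99.2.0.192.<zone>."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listing(answer):
    """Only an A record inside 127.0.0.0/8 means 'listed'. Anything else
    (for example a wildcard answer from a parked domain) is ignored."""
    try:
        return ipaddress.ip_address(answer) in LOOPBACK_NET
    except ValueError:
        return False


def smtp_decision(client_ip, zones=ZONES, resolve=fake_resolve):
    """Return (code, text) for the connecting client before any message
    data is accepted."""
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        try:
            answers = resolve(name)
        except OSError:
            # Zone unreachable (TimeoutError is an OSError): fail open so
            # that an outage at the list does not stop all inbound mail.
            continue
        if any(is_listing(a) for a in answers):
            text = "5.7.1 Client host [%s] blocked using %s" % (client_ip, zone)
            return (554, text)
    return (250, "2.0.0 Ok")


if __name__ == "__main__":
    for ip in ("192.0.2.99", "203.0.113.7", "198.51.100.5"):
        print(ip, smtp_decision(ip))
```
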
  9. This is crazy by Anonymous Coward · · Score: 1, Interesting

    The FBI ought to make this a priority. Instead they're probably busy investigating some company's claims to have lost $100k to an intrusion. That kind of damage figure is a gross overestimation 99% of the time... e.g. the IT people weren't going to be overly productive doing something else (rather than investigate the attack) anyways. Instead, here you have tens of thousands of people losing real value. The economic definition of value lost to a nuisance is the maximum amount of money you'd be willing to pay to get rid of the nuisance. I'd personally be willing to pay up to $500 a year to get rid of spam permanently (to anyone but the spammer of course.) Assuming that the average RBL user's a little less sensitive than I am, say, at $100 a year, that's still $1 million for just 10,000 RBL users, and I'm sure there are at least that many mail server operators that use the lists, let alone spam-sensitive users on those servers.

  10. SoBig.F zombies attack!!! by hey · · Score: 4, Interesting

    Maybe this is the SoBig.F zombies at work. They have awakened from their "sleeper cells". There was a rumor that they were going to be used by spammers -- but not in this way.

  11. Go ahead and let them die by RevJim · · Score: 4, Interesting

    I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.

    If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.

  12. Yet another legitimate p2p use... by otis+wildflower · · Score: 2, Interesting

    .. cryptographically sign or hash the blacklist databases, and let mail admins p2p/rsync them..

    Still, the only workable solution is cryptographically-secure signatures, probably with a SSL/TLS set of root certs.

    Hell, sounds like a job for the post office! Keep it relevant in the age of email..

  13. Re:justice by Graelin · · Score: 2, Interesting

    the best solutions we currently have.

    Blacklists by their very design have a HIGH false-positive ratio. How is that a "best solution"? I don't even think it's a "so-so solution." I'd call it a "horrible solution." On top of that, they are easily avoided.

    Content filters are the next level of spam protection. It doesn't matter where the email came from, if you're trying to sell me a 12" dong I won't accept it. This is the only thing that will save us from a large P2P spam network.

  14. Re:Why does he think it's spammers? by paitre · · Score: 3, Interesting

    You, sir, are a know-nothing dumbass.

    Have you -ever- worked in network security?

    Have you -ever- worked an abuse desk?

    Having cleaned up one hosting providers network (and reputation) I take great umbrage with this statement:

    They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

    These blocklists are very effective in stopping the entry of spam into a user's network. While I also think the guys running SPEWS could use some lessons in public relations, and have an easier way of getting IPs removed, that does -not- mean that they're evil and ineffective.

    I also do not believe it is the large ISPs that are behind this. That's almost as laughable as Julian's statement that it's organized crime behind it. It's likely the larger spam groups that are behind it, like Ralsky and his ilk. And I -know- he has no moral compunction to not break the law.

    And just a reminder:

    Spamming is ILLEGAL in a not insignificant number of states, and several of them explicitly allow for blocking of offending IPs if the ISPs involved are unresponsive.

  15. Who replies to spam? by smcavoy · · Score: 4, Interesting

    Has there ever been studies on who responds to spam, and why?

  16. Evolution of a blacklist architecture. by emil · · Score: 5, Interesting
    • Centralization of the blacklist is bad. Therefore, the lists should be p2p.
    • Each blacklist should be signed by the maintainer's private key. The public keys should be kept in several well-known locations.
    • An application, running on a mailserver, should have options to:
      1. Download blacklists from specified upstream sources, preferably by rsync protocol, although even gzip would be an improvement over what we've had.
      2. Apply some or all of the blacklists to inbound messages.
      3. Offer the blacklists for further download.
      4. Automatically announce new blacklists, the recall of canceled blacklists, or newer/faster/replacement upstream blacklist servers.
    • The blacklist application should work with all major MTAs, including sendmail and exchange. It should be platform-neutral, and we should do what is necessary to get MS to package it on the CD.

    I can easily see web content filtering going the same way eventually.

  17. Re:Why does he think it's spammers? by Anonymous Coward · · Score: 1, Interesting
    words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down.
    So what words describe how you feel given that SPEWS wasn't shut down? Since you seem to have forgotten, I'll remind you that SPEWS works by DNS queries and is still completely functional.
  18. Blame the backbone ISPs by mabu · · Score: 4, Interesting

    People need to understand two reasons why they get spam and DDOS attacks:

    1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.

    It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implementing measures to shut down networks that have rogue systems consuming illegitimate bandwidth.

    2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.

    No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.

    We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.

    Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.

  19. Re:It's illegal by mabu · · Score: 5, Interesting

    A friend of mine who runs an ISP filed a case with the FBI. He had all the evidence, he had $100,000+ worth of damage he could prove. The case was meticulously documented. The FBI felt it was a rock solid case. They presented it to the DAs in multiple jurisdictions and they refused to prosecute or pursue the case. He even had the perp's home address and telephone number and enough evidence to link him to credit card fraud, attacks on major corporations and much more, and the authorities blew the case off and didn't take action.

  20. It may be blacklisted sites wanting delisting by Chatmag · · Score: 2, Interesting

    As the blocklist lists more sites/providers, then it stands to reason those sites will follow the trail back to the blocklist, such as Osirusoft or SPEWS, in order to get information regarding their inclusion in that list, and how to get delisted. (Reference: The "Slashdot Effect").
    I noticed that Joe Jared mentions his other site as a collateral casualty of the DDoS. Now where did I hear the term "collateral damage" before? As a provider of SPEWS blocklists, that would in effect make him as accountable as SPEWS, to use their own twisted logic of "a customer of an ISP is as guilty of spamming as the spammer themselves".
    We do not condone any DDoS attack, nor do we condone the actions of SPEWS. The demise of Osirusoft demonstrates that unaccountable "vigilantism" does nothing to stem the tide of unwanted commercial emails and as stated in previous posts regarding spam, more rational discussion should be forthcoming, with real solutions, rather than the tactics used by the blocklists that would hack down the forest to fell one tree.

    --
    Pete Carr Owner Chatmag.com
  21. Re:Why does he think it's spammers? by _bug_ · · Score: 2, Interesting

    How is it "evil" to publish a list of IP addresses that match a listing criteria?

    The devil is in the details. It's not a list of single IP addresses, that's far too large and complex to maintain. What's happening is large blocks (we're talking B class IP blocks here) are getting blacklisted because of the actions of a few individuals.

    This does more harm than good especially with colocation services. What happens is one person starts spamming off a machine at a colocation company and SPEWS and other lists will blacklist the whole block that colocation company is on.

    That kills mail services to the hundreds of other legitimate companies who are unfortunately on the same block as the one spammer.

    Anyone familiar with Something Awful's battle with SPEWS knows this is a very real situation.

    So what's a blacklister to do? Maintain a large list of several hundred thousand (at minimum) IP addresses or block B (and even A) class address blocks to bring that list down to a far more easily maintained list?

    That's why it's "evil". It's lazy, inefficient, ineffective, and does more harm than good. ...with very little collateral damage.

    Wait until someone who has a server within the same B class you're on to start spamming and you get put into the blacklist. Then we'll see if you're still singing the praises of blacklists.

  22. Perhaps it's not the spammers ... by dougmc · · Score: 3, Interesting
    Perhaps it's not the spammers ...

    Perhaps it's Something Awful that's doing it?

    Fark seems to think so.

    (Ever feel like you're writing for memepool or Everything2? I sure do!)

  23. Re:Why does he think it's spammers? by hypovex · · Score: 4, Interesting

    What makes you think they don't? Most U.S. based ISPs don't require anything more than enough complaints with reasonable evidence to shut spammers down. It's really unnecessary to block an entire /24 or /16 if you think that's what is necessary to get attention. Spamcop, ordb, dsbl, & maps are just great and actually are bold enough to let the world know who they are and what they are doing. Spews takes it WAY too far, are completely irresponsible, are the worst chickenhawks on the net, and completely ineffective. Just for argument's sake, a couple years back, I used osirusoft for about a month with not even a dent in the amount of crap I received in my inbox. But did lose a lot of email from people that should have never been associated with their listings. This cost me time and money. I don't blame the isp who got themselves blacklisted because they never received any complaints directly. This was because the only relation between them to the said spammer, was a freaking email address hosted by one of their customers, which was used as the administrative contact record, for a domain they had nothing to do with. N.A.N.A.E, Osirusoft, s.p.e.w.s. : Chug one. I'm happy to see you getting what you've had coming for a long time.

  24. Re:Why does he think it's spammers? by fucksl4shd0t · · Score: 1, Interesting

    Oh...I just noticed, the poster is a proud Republican...that explains it. Anyone who feels the need to brag about their conservatism generally has a soft spot for Joe McCarthy.

    Anyone who needs to point out someone else's political leanings in order to denigrate them generally has a soft spot for Chairman Mao.

    There's not any fundamental difference between Joe McCarthy and Chairman Mao.

    --
    Like what I said? You might like my music
  25. Re:ever tried to get off SPEWS? by randyest · · Score: 4, Interesting

    So, write down in your day planner, right there on the date that your current contract is due to expire, this simple action item: negotiate next contract duration to be dependent on the provider not being blacklisted.

    Maybe this time it's a decent excuse, but next time you know. And any provider not willing to include a clause that lets you out if they get blacklisted is probably knowingly hiding spammers.

    As to whether the provider is really "fine otherwise", to me that's like saying "my new dog keeps chewing the neighborhood kids' finger off, but otherwise he's fine . . . "

    I'm really sorry that SPEWS has been a hassle for you and others, but it's worth it to me, and I wish more providers used SPEWS or similar (well, if it ever comes back). And, now that you know, you can plan for this sort of eventuality in the future, because it's only going to get more and more common as spam continues to grow.

    --
    everything in moderation
  26. Think globally, act locally by dcavanaugh · · Score: 4, Interesting

    We use Spam Assassin on Sendmail. We have Sendmail configured so that when a message is positively identified as spam, we automatically update our local access file to blacklist the entire class C of the relay host.

    I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.

  27. Partial Reliance on Blacklists by SpyderFan · · Score: 2, Interesting
    We use Spam Sleuth Enterprise from Blue Squirrel which only partially relies on IP blacklists. It allows you to assign points for a blacklisted IP, but more importantly, it also lets you assign points for a bayesian analysis (good or bad), an invalid SMTP server, an invalid MX record, profanity, bad words, good words, blacklisted e-mail addresses, regular expression power filters, etc.

    A malfunctioning IP blacklist will give a message more points, but only a fraction necessary to send the message to dev/null.

    Thought of in another way is that the decision of whether the message is spam or not is distributed among lots of "decision makers". The weight of those decision makers is determined by the number of points they are allowed to assign to a given message.

    We also use Spam Sleuth Enterprise to protect our server from SoBig.F. We just look for the text "X-MailScanner: Found to be clean" and set it to enough points to delete the message. It takes the load off of our internal servers.

    Hope this helps somebody.

  28. Yet Another Plan for Spam by zaad · · Score: 3, Interesting


    I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).

    The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintaining a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.

    Pros:

    1. No external testing/probing is required. All blacklisted IP's have been known to be an originator/relay point of spam.
    2. A copy of the spam message can be retained in case of any dispute.
    3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
    4. A false positive does not impact systems not directly under your control.
    5. Corrections to the dnsbl can be made as urgently as your time would allow.
    6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.

    Cons:
    1. Bayesian filter requires training and maintenance.
    2. Personal dnsbl also means personal attention. More time and resources required to manage.
    3. Not immune to false positives (actually amplifies the effect).

    I'm sure I've missed some points on both the pros and cons, but it's a start.

    Additional details of the plan had included a web interface for the blacklisted IP's delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per a configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party to purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.

    My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could care less if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not in theory of being capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).

    Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.

    Any volunteers?
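
The personal blocklist with token-based delisting proposed in comment 28, as an added example that is not part of the original thread and not the commenter's implementation. The class and method names, the quota of two tokens per 30-day period and the sample IP and message ids are assumptions; the Bayesian classifier and the payment step are outside the example, which only records their outcomes.

```python
import ipaddress
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class Entry:
    listed: bool = False
    evidence: list = field(default_factory=list)  # retained spam ids (pro 2)
    tokens: int = 0
    period_start: float = 0.0


class PersonalBlocklist:
    """Lists the connecting IP of mail already classified as spam and lets
    the listed party delist itself while it still has tokens."""

    def __init__(self, tokens_per_period=2, period=30 * DAY):
        self.tokens_per_period = tokens_per_period  # assumed quota
        self.period = period                        # assumed period
        self.entries = {}

    def _entry(self, ip, now):
        key = str(ipaddress.ip_address(ip))  # validates and normalises
        entry = self.entries.get(key)
        if entry is None:
            entry = Entry(tokens=self.tokens_per_period, period_start=now)
            self.entries[key] = entry
        elif now - entry.period_start >= self.period:
            # New period: top up to the free quota. Purchased tokens above
            # the quota are kept (an assumption of this example).
            entry.tokens = max(entry.tokens, self.tokens_per_period)
            entry.period_start = now
        return entry

    def report_spam(self, connecting_ip, message_id, now):
        """Called after the filter has tagged a message as spam."""
        entry = self._entry(connecting_ip, now)
        entry.listed = True
        entry.evidence.append(message_id)

    def is_listed(self, connecting_ip, now):
        return self._entry(connecting_ip, now).listed

    def request_delist(self, ip, now):
        """The 'click a button' step: costs one token per delisting."""
        entry = self._entry(ip, now)
        if not entry.listed:
            return "not-listed"
        if entry.tokens == 0:
            return "purchase-required"  # stays listed until tokens are added
        entry.tokens -= 1
        entry.listed = False
        return "delisted"

    def add_purchased_tokens(self, ip, count, now):
        if count <= 0:
            raise ValueError("count must be positive")
        self._entry(ip, now).tokens += count


def run_scenario():
    """Constructed timeline for one relay that keeps sending spam."""
    bl = PersonalBlocklist(tokens_per_period=2, period=30 * DAY)
    ip, outcomes = "192.0.2.10", []
    for day, msg in ((0, "msg-1"), (3, "msg-2"), (6, "msg-3")):
        bl.report_spam(ip, msg, day * DAY)
        outcomes.append(bl.request_delist(ip, day * DAY + 3600))
    outcomes.append(bl.request_delist(ip, 31 * DAY))  # quota refreshed
    return bl, outcomes


if __name__ == "__main__":
    print(run_scenario()[1])
```
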

  29. SoBig not a culprit????? by brainchill · · Score: 2, Interesting

    I run a mail system for a regional isp and in the last week or so I have seen my average mail load rise exponentially. Right now I am processing more mail in a 24 hour period than I had previously been in over a month. There are a lot of people that are using these blocklists that didn't have the good sense to set up their own and mirror that data. So if every incoming message represents a query to the dns serving the data and the mail load on a typical isp server has increased literally by 10,000% it stands to reason that sobiga-f certainly did create most of this problem.

  30. Re:Why does he think it's spammers? by randyest · · Score: 2, Interesting

    YAAASP - Yet Another Anecdotal Anti-SPEWS Post.

    This is getting tiresome . . .

    My own email provider (Fastmail.fm) is very proactive about eliminating spammers and has a very strict anti-spam policy; however, it has been erroneously listed on Spamcop on at least one occasion causing problems for all of its legitimate users.

    How do you know, other than by the facade they present to you, how pro-active or strict their antispam policy is? How do you know the listing was erroneous? Bottom line: you don't.

    I read the blow-by-blow you posted, and it includes a blatant admission of guilt which completely contradicts the claims you made above. The page you cited doesn't include denial of spamming. On the contrary, the guy admits that spammers were (and are!) using his service. He even goes to great lengths to prove that the ratio of "good" email to spam from his service is very large, like 100k to 1 or something, and then argues that he shouldn't be listed because the spam originating from his company is so small in relation to the real mail.

    Like so many posters here angry with SPEWS, this totally misses the point! SPEWS isn't a gentle suggestion to reduce your ISP spam output, or to make sure your real mail/spam ratio is high. It is hardcore non-negotiable insistence that your ISP have ZERO spam tolerance. That's hard for some ISP's that are used to even the occasional pink contract for a little extra income. But it's the only way to avoid the list (except I guess DDoS now, yay).

    --
    everything in moderation
  31. Better solution than black-listing - gray listing by kellman · · Score: 1, Interesting

    Read about a project here [puremagic.com] to implement a grey list at the MTA level.

    It basically involves inspecting the sending ip, sender envelope, and recipient envelope. If the receiving MTA has never seen this particular combination of the three before, it does not accept delivery of the mail piece with a temporary failure message. The vast majority of spam would then be ultimately rejected because it is often sent through open MXs and not a valid MTA with valid sender and recipient envelope information.

    It is designed to be a complement to other anti-spam measures without being as inflexible and cumbersome as black/white lists.

    Along those same lines, you could also do a quick reverse check to verify reply-to addresses at the MTA level.

    The battle against spam is not totally lost, and we shouldn't cut off our nose to spite our face the way blacklists do.

    --
    I don't want to sell anything, buy anything, or process anything. I don't want to sell anything bought or processed...
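
The greylisting decision described in comment 31, as an added example that is not part of the original thread and is not the linked project's code. The minimum retry delay, the retry window and the sample addresses are assumptions of this example; the comment itself only specifies the triplet and the temporary failure on first sight.

```python
class Greylist:
    """Temp-fails the first delivery attempt for an unseen
    (sending IP, envelope sender, envelope recipient) triplet and accepts
    the same triplet once the sender has retried like a real MTA."""

    def __init__(self, min_delay=300, retry_window=4 * 3600):
        self.min_delay = min_delay        # assumed: earliest accepted retry
        self.retry_window = retry_window  # assumed: latest accepted retry
        self.triplets = {}                # key -> [first_seen, confirmed]

    @staticmethod
    def _key(ip, mail_from, rcpt_to):
        # Addresses are lower-cased so that retries match regardless of case.
        return (ip, mail_from.strip().lower(), rcpt_to.strip().lower())

    def check(self, ip, mail_from, rcpt_to, now):
        """Return (code, text) to send in reply to RCPT TO."""
        key = self._key(ip, mail_from, rcpt_to)
        record = self.triplets.get(key)

        if record is not None and record[1]:
            return (250, "2.1.5 Ok")  # triplet already proved it retries

        expired = (record is not None
                   and now - record[0] > self.retry_window)
        if record is None or expired:
            # Never seen, or the sender waited too long: start over.
            self.triplets[key] = [now, False]
            return (451, "4.7.1 Greylisted, please try again later")

        if now - record[0] < self.min_delay:
            # Immediate re-send, typical of fire-and-forget spam software.
            return (451, "4.7.1 Greylisted, please try again later")

        record[1] = True
        return (250, "2.1.5 Ok")


def run_scenario():
    """Constructed timeline: a queueing MTA and a one-shot sender."""
    gl = Greylist(min_delay=300, retry_window=4 * 3600)
    mta = ("192.0.2.25", "alice@example.org", "bob@example.net")
    bot = ("203.0.113.80", "offer@example.com", "bob@example.net")
    return [
        gl.check(*mta, now=0)[0],      # first contact: temp-fail
        gl.check(*bot, now=5)[0],      # first contact: temp-fail
        gl.check(*bot, now=6)[0],      # instant re-send: still temp-fail
        gl.check(*mta, now=900)[0],    # queued retry after 15 min: accept
        gl.check(*mta, now=5000)[0],   # later mail, same triplet: accept
        gl.check(*bot, now=6 * 3600)[0],  # outside the window: starts over
    ]


if __name__ == "__main__":
    print(run_scenario())
```
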
  32. Re:Why does he think it's spammers? by packetgeek · · Score: 2, Interesting

    That sounds an awful lot like a terrorist who threatens to kill a hostage unless their terms are met. Cause undue pain and suffering to an innocent bystander until you are conceded to.

    Does the end really justify the means?

    --

    Please be patient, I'm a work in progress! --Alan Jackson
  33. Re:Nonsense. by CrowScape · · Score: 3, Interesting

    So yes, let's block the entire nation of Brazil. Those people in Brazil who want websites will just have to use another ISP... you know, the one that doesn't exist. Hell, if they don't want to support the spammers they should all move to another country! Plus, it's not like ISPs have vastly different capabilities. It should be incredibly easy for sites that upload terabytes of information to find another ISP that blocks spammers the nano-second they are informed. Also, those same sites obviously have no long term contracts with their ISP, so there shouldn't be any severe monetary, let alone logistical or legal, penalties for them to switch.

    It seems to me that, in fact, it is YOU who just doesn't get it. Not to put this on the same level or anything, but the exact same attitude was used to justify 9/11.

    --
    common sense: noun
    What those who are ignorant of the subject matter think; usually wrong.
  34. Sorry, In Your Righteous Anger You Missed the Point by DonnarsHmr · · Score: 3, Interesting

    As usual (for a pro-SPEWS poster), you've twisted the parent post to fit your fascist world view. If you read carefully and without bias, you will find out that Fastmail.fm actually is extremely aggressive in killing spammers, often within seconds. Does some spam get through? Yes, up to 100 spams per account. Why? Because Spammers don't set the Evil Bit when they sign up for an account. So the spammers have to do something that identifies themselves as spammers. As soon as that happens, bammo! This is what I would call a zero-tolerance for spam. The statistics about valid:spam emails aren't to justify the spam that does get through. As you should have seen, Fastmail.fm kicks spam in the ass. The statistic is supposed to show the harm that the reactionary blocking lists are causing.

  35. Blocking Brazil by Cheech+Wizard · · Score: 2, Interesting

    If I don't know anyone in Brazil and don't expect to, why should I not block Brazil when all I get from Brazil is spam?

  36. Re:ever tried to get off SPEWS? by mrex · · Score: 2, Interesting

    The problem isn't the ISP blocking "their" traffic - it is the ISP blocking other people's traffic. Usually without informing their customers that said blocking is occurring.

    No it isn't. If I run an ISP mail server, it is my traffic -- if it weren't it wouldn't be going over my wire to my server.

    There is no effort to hide the fact that blocklists are in use at my ISP, as in a typical installation we explain verbosely why we are rejecting a message. We also provide a web contact form which anyone may use to mail us regardless of their IP, and postmaster is always delivered. This is the method recommended in just about every FAQ on the subject I've seen so I presume it isn't unusual.

    In fact we go further than that, most of our blocklists simply add points to the final 'score' of the message. The decision is left to the customer regarding what to do with messages that score as spam, in addition to giving them the ability to add whitelists and change the score that determines a message's spam status.

    At last check, not a single user had disabled spam filtering. Evidently, this major concern over the right to filter doesn't really exist. We have our share of out-right tin foil hat wearing customers, and not one of them has been uncomfortable with our spam filtering.

    I know of no ISP that makes an effort to hide the fact that they filter spam.

    This results in their customers not receiving email. The decision that the sender of that email wasn't legitimate has been removed from the user and the sender and placed in the hands of some anonymous third party.

    The ISP of the customer is not an anonymous third party by any means. They are the ones who own the traffic that's going over their wire.

    If you were talking about random backbones filtering port 25 traffic going through their networks, I would agree with you. I know of no effort to do this, however.

    In general, the ISP answer to blocking complaints is they simply use the list and do not control the content of it. The blocking list provider - if contactable - claims they just make up the list and the use of it is outside of their control. This means nobody is accountable for blocking.

    The choice to use a blocklist operated by someone else is no less a choice than operating one yourself. Which would you rather ISPs use: coordinated, open blocklists or private, confidential, and individually assembled and maintained blocklists?

    Whitelisting specific IPs within the SPEWS blocklist would defeat the point, to establish lists of bad neighborhoods in order to clear them out.

    The problem with this sort of censorship - and it is indeed censorship

    It's censorship? Then so is painting over the graffiti that someone sprays on your house under cover of darkness.

    is the user never hears about it.

    Again, I know of no service which does not inform the user that they block spam. My service even offers users a page you can go to and inspect each spam that's been caught.

    When a business is blocked they quickly discover that blocking has made email unreliable for communications with customers. They can either abandon email for important stuff or they can try to convince the blockers that their commercial use of email is valid.

    Or, they can change providers to one which does not support spam. Or, they can implement a technical solution such as smarthosting.

    This is extremely difficult. Why? Spammers use email - if you use email commercially, then you might be a spammer.

    If you "cold call" a non-personal communication over e-mail, you are a spammer in my opinion.

    If you get blocked and claim you were blocked in error, you might be lying. Spammers lie, so anything you say can be considered to be a lie. Why should anyone unblock a spammer?

    If SPEWS made a habit of whitelisting "legitimate" IPs, it would be no better than any other blocklist. SPEWS is not a
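
The scoring arrangement described in comment 36 (blocklist hits add points, the customer sets the threshold and whitelist, postmaster is always delivered), as an added example that is not part of the original post or that ISP's code. The zone names, weights, preference keys and the `LISTED` set standing in for DNS are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical blocklist zones and the points each adds (assumed values).
BLOCKLIST_WEIGHTS = {
    "open-relays.bl.example": 3.0,
    "bad-neighborhoods.bl.example": 2.0,
}

# Constructed stand-in for DNS: query names that would resolve, i.e. are listed.
LISTED = {
    "25.2.0.192.open-relays.bl.example",
    "25.2.0.192.bad-neighborhoods.bl.example",
    "7.100.51.198.bad-neighborhoods.bl.example",
}

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, prepended to the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def blocklist_score(ip, is_listed=LISTED.__contains__):
    """Add up the points of every blocklist that lists the connecting IP."""
    return sum(points for zone, points in BLOCKLIST_WEIGHTS.items()
               if is_listed(dnsbl_query_name(ip, zone)))

def disposition(msg, prefs):
    """Return (action, score) for one message under one customer's settings."""
    if msg["rcpt"].split("@")[0].lower() == "postmaster":
        return "deliver", 0.0                      # postmaster is never filtered
    if not prefs.get("filtering", True):
        return "deliver", 0.0                      # customer turned filtering off
    if msg["sender"].lower() in prefs.get("whitelist", ()):
        return "deliver", 0.0                      # customer's own whitelist wins
    score = msg.get("content_score", 0.0) + blocklist_score(msg["client_ip"])
    if score >= prefs.get("threshold", 5.0):
        # What happens to spam is the customer's choice; default is a spam folder.
        return prefs.get("spam_action", "quarantine"), score
    return "deliver", score
```
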

  37. SPEWS effectiveness by crucini · · Score: 2, Interesting

    While SPEWS's tactics may appear "doomed to failure" in your eyes, they are having a noticeable effect on spam-friendly ISPs. If you read nanae you regularly see ISPs that have ignored all spam complaints for months or years finally start dumping their spammers in response to a SPEWS listing.

  38. Re:Desparation by ComputerSlicer23 · · Score: 2, Interesting

    Hmmm, curious. I always thought the most effective way of stopping spam was to make it a money losing proposition....

    Blocking mail might do that, but there are any number of ways to stop spam, every last one of them involves making the price of spam a price no one is willing to pay.

    Using Bayesian filtering to build a set of IPs which have a threshold (say 90% of e-mail) is spam, then it gets added to your black list (Mailserver or router blacklist).

    Kirby
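
One way to turn per-message classifier verdicts into a local IP blocklist at the 90% threshold mentioned in comment 38, as an added example that is not part of the original post. The function name, its parameters, the minimum-volume guard, the exemption list and the sample data are assumptions; the spam probabilities are taken as the output of a content classifier that is not shown.

```python
from collections import defaultdict
import ipaddress

def build_local_blocklist(verdicts, spam_cutoff=0.5, ratio_threshold=0.9,
                          min_messages=20, never_list=()):
    """verdicts: iterable of (client_ip, spam_probability) pairs.
    Returns {ip: spam_ratio} for IPs whose share of spam meets the threshold."""
    exempt = [ipaddress.ip_network(net) for net in never_list]
    totals = defaultdict(lambda: [0, 0])        # ip -> [messages seen, judged spam]
    for ip, p_spam in verdicts:
        addr = ipaddress.ip_address(ip)         # normalises and validates the address
        totals[addr][0] += 1
        totals[addr][1] += p_spam >= spam_cutoff
    listed = {}
    for addr, (seen, spam) in totals.items():
        if seen < min_messages:
            continue                            # too little mail to judge this sender
        if any(addr in net for net in exempt):
            continue                            # e.g. your own relays or partners
        ratio = spam / seen
        if ratio >= ratio_threshold:
            listed[str(addr)] = ratio
    return listed

# Constructed sample: (connecting IP, classifier's spam probability).
SAMPLE_VERDICTS = (
    [("203.0.113.9", 0.99)] * 19 + [("203.0.113.9", 0.10)]      # 95% spam, 20 msgs
    + [("198.51.100.4", 0.97)] * 3                              # all spam, only 3 msgs
    + [("192.0.2.10", 0.95)] * 17 + [("192.0.2.10", 0.05)] * 3  # 85% spam
    + [("192.0.2.200", 0.99)] * 25                              # exempted below
)

if __name__ == "__main__":
    print(build_local_blocklist(SAMPLE_VERDICTS, never_list=["192.0.2.200/32"]))
```

The minimum-volume guard keeps an address that sent only a handful of messages from being listed on the strength of one or two verdicts.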

  39. Re:Nonsense. by Pete · · Score: 2, Interesting

    So yes, let's block the entire nation of Brazil. Those people in Brazil who want websites will just have to use another ISP... you know, the one that doesn't exist.

    First of all, it's sending email that is the problem for people on an email blocklist/blacklist. Not receiving email. And certainly not hosting websites.

    And there's nothing difficult about paying someone to provide an email "smarthost" for you somewhere else, in unlisted netspace. Though you should of course bitch incessantly at your network provider for forcing you to take that option.

    And of course, you should always remember while you're feeling sorry for yourself about being on an email blacklist, that there are a large number of people in the world with problems much worse than yours.

    (I'm going to have to find out one day exactly why it is that Brazil apparently only has one ISP. It seems quite bizarre.)

    Pete.

  40. Use of blacklists in a non-destructive way by owlstead · · Score: 2, Interesting

    I generally do like blacklists, but I do not trust them to get everything right.

    My ISP has multiple POP boxes for each customer though. Currently all the spam gets into one box and the (presumed) legit mail gets into my normal mail box.

    Now and then some legit mail gets into the spam pop account. Now and then I check this account for messages that are non-spam. Until now, only some mailing lists have been incorrectly identified as spam (ironically, mostly from IT security companies).

    There is still an amount of spam in my inbox too, but some rules take most of that out as well.

    I would not want my ISP to throw away all the mail they think is spam; they should never do that without my consent. But blacklists do not have to be a 0 or 1 (or black or white :) for mail.

    Warper

    0 - evil bit