Slashdot Mirror
DoS Assaults Underway Against Spam Blocklists
Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
Of course it probably is spammers, but it wouldn't suprise me if some people who've had themselves blacklisted unfairly would like to ddos some blacklist servers into the beyond.
Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.
ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.
Send lawyers, guns, and money!
Earlier this week when people talked about the writer of SoBig leasing his virus network for spamming many people said spammers wouldn't want to be involved with virii/attacks. I think the DOSing of black list sites pretty much shows that the people sending spam have little moral problem with invading your computer to break the law.
what makes you think its spammers? there a plenty of legitimate email users with a beef against these fascists--me, for one. i had a domain on a subnet that's entirely blocked despite the fact that i don't have open relays nor have i ever done any kind of spamming. several of my clients within larger corporate structures couldn't receive email from me because some PHB read in DildoCTO Quarterly that these lists can stop spam--never mind the fact that they can stop any kind of legitimate email use as well. There were a LOT of times i'd wished i had had the wherewithal to undertake something like this; spammers or not, i applaud the culprits.
I'm not too disappointed to hear of these new attacks. Conspiracy theories and the like aside, I'd rather have the responsibility for SPAM-blocking placed on the client side.
Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.
Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonymous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.
Peas,
j
Because you can reject mail at the SMTP level. I typically get about 70 emails a day to my own server. About 40-50 get denied by a DNS based filter on qmail (rblsmtpd). Which means on average, only 25 get through to Spamassassin, where another 15-20 are deleted due to high spam thresholds. Then I get about 5-8 real emails, and maybe 1 or 2 spams that make it through (which Mozilla mail promptly eats as spam).
If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
DNS based BL is useful because it doesn't even let it in the door.
I want to delete my account but Slashdot doesn't allow it.
Maybe this is the SoBig.F zombies at work. They have awakened from their "sleeper cells". There was a rummor that they were going to be used by spammers -- but not in this way.
I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.
If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.
You, sir, are a know-nothing dumbass .
Have you -ever- worked in network security?
Have you -ever- worked an abuse desk?
Having cleaned up one hosting providers network (and reputation) I take great umbrage with this statement:
They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.
These blocklists are very effective in stopping the entry of spam into a user's network. While I also think the guys running SPEWS could use some lessons in public relations, and have an easier way of getting IPs removed, that does -not- mean that they're evil and inneffective.
I also do not believe it is the large ISPs that are behind this. That's almost as laughable as Julian's statement that it's organized crim behind it. It's likely the larger spam groups that are behind it, like Ralsky and his ilk. And I -know- he has no moral compunction to not break the law.
And just a reminder:
Spamming is ILLEGAL in a not insignificant number of states, and several of them explicitly allow for blocking of offending IPs if the ISPs involved are unresponsive.
Has there ever been studies on who responds to spam, and why?
I can easily see web content filtering going the same way eventually.
People need to understand two reasons why they get spam and DDOS attacks:
1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.
It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implmenting measures to shut down networks that have rogue systems consuming illegitimate bandwidth.
2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.
No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.
We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.
Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.
A friend of mine who runs an ISP filed a case with the FBI. He had all the evidence, he had $100,000+ worth of damage he could prove. The case was meticulously documented. The FBI felt it was a rock solid case. They presented it to the DAs in multiple juridictions and they refused to prosecute or pursue the case. He even had the perps home address and telephone number and enough evidence to link him to credit card fraud, attacks on major corporations and much more, and the authorities blew the case off and didn't take action.
Perhaps it's Something Awful that's doing it?
Fark seems to think so.
(Ever feel like you're writing for memepool or Everything2? I sure do!)
What makes you think they don't? Most U.S. based ISPs don't require anything more than enough complaints with reasonable evidence to shut spammers down. It's really unnecessary to block an entire /24 or /16 if you think that's what is necessary to get attention. Spamcop, ordb, dsbl, & maps are just great and actually are bold enough to let the world know who they are and what they are doing. Spews takes it WAY too far, are completely irresponsible, are the worst chickenhawks on the net, and completely ineffective. Just for argument's sake, a couple years back, I used osirusoft for about a month with not even a dent in the amount of crap I received in my inbox. But did lose a lot of email from people that should have never been associated with their listings. This cost me time and money. I don't blame the isp who got themself blacklisted because they never received any complaints directly. This was because the only relation between them to the said spammer, was a freaking email address hosted by one of their customers, which was used as a the administrative contact record, for a domain they had nothing to do with.
N.A.N.A.E, Osirusoft, s.p.e.w.s. : Chug one.
I'm happy to see you getting what you've had coming for a long time.
So, write down in your day planner, right there on the date that your current contract is due to expire, this simple action item: negotiate next contract duration to be dependent on the provider not being blacklisted.
Maybe this time it's a decent excuse, but next time you know. And any provider not willing to include a clause that lets you out if they get blacklisted is probably knowingly hiding spammers.
As to whether the provider is really "fine otherwise", to me that's like saying "my new dog keeps chewing the neighborhood kids' finger off, but otherwise he's fine . . . "
I'm really sorry that SPEWS has been a hassle for you and others, but it's worth it to me, and I wish more providers used SPEWS or similar (well, if it ever comes back). And, now that you know, you can plan for this sort of eventuality in the future, because it's only going to get more and more common as spam continues to grow.
everything in moderation
We use Spam Assasin on Sendmail. We have Sendmail configured so that when a message is positively identified as spam, we automatically update our local access file to blacklist the entire class C of the relay host.
I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.
I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).
The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintaining a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.
Pros:
1. No external testing/probing is required. All blacklisted IP's have been known to be an originator/relay point of spam.
2. A copy of the spam message can be retained in case of any dispute.
3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
4. A false positive does not impact systems not directly under your control.
5. Corrections to the dnsbl can be made as urgently as your time would allow.
6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.
Cons:
1. Bayesian filter requires training and maintenance.
2. Personal dnsbl also means personal attention. More time and resources required to manage.
3. Not immune to false positives (actually amplifies the effect).
I'm sure I've missed some points on both the pros and cons, but it's a start.
Additional details of the plan had included a web interface for the blacklisted IP's delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per a configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party to purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.
My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could careless if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not in theory of being capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).
Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.
Any volunteers?
So yes, let's block the entire nation of Brazil. Those people in Brazil who want websites will just have to use another ISP... you know, the one that doesn't exist. Hell, if they don't want to support the spammers they should all move to another country! Plus, it's not like ISPs have vastly different capabilities. It should be increadibly easy for sites that upload terabytes of information to find another ISP that blocks spammers the nano-second they are informed. Also, those same sites obviously have no long term contracts with their ISP, so their shouldn't be any severe monetary, let alone logistical or legal, penalties for them to switch.
It seems to me that, in fact, it is YOU who just doesn't get it. Not to put this on the same level or anything, but the exact same attitude was used to justify 9/11.
common sense: noun
What those who are ignorant of the subject matter think; usually wrong.
As usual (for a pro-SPEWS poster), you've twisted the parent post to fit your facist world view. If you read carefully and without bias, you will find out that Fastmail.fm actually is extremely aggressive in killing spammers, often within seconds. Does some spam get through? Yes, up to 100 spams per account. Why? Becasue Spammers don't set the Evil Bit when they sign up for an account. So the spammers have to do something that identifies themselves as spammers. As soon as that happens, bammo! This is what I would call a zero-tolerance for spam. The statistics about valid:spam emails aren't to justify the spam that does get through. As you should have seen, Fastmail.fm kicks spam in the ass. They statistic is supposed to show the harm that the reactionary blocking lists are causing.