Slashdot Mirror
DoS Assaults Underway Against Spam Blocklists
Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
Apparently spammers aren't going to sit by...
Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down. They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.
All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks. This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!
I'm not condoning this DDoS, but the perpetrator is probably just some sysadmin running a legitimate, secure server that found its way onto some blacklists and got frustrated by all the red tape getting off the lists. This may be his last hope to get off their list.
I wonder how many people really rely on blacklists anymore. I've tried using them before only to find out that over half of my legitimate email was being filtered and a significant amount of spam was still getting through.
Bayesian is the only affective method I've seen for significant spam reduction.
So when do we get to launch our DDoS against the spammers again?
ELOI, ELOI, LAMA SABACHTHANI!?
Would someone please remind the federal government that DOS attacks are illegal? Anyone want to encourage them to take action against these people? Can they stop playing golf long enough to do their job?
Althought he presents a valid arguement, WE DONT WANT TO HEAR THAT!
Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.Too bad my users and I are behind a trained spamassassin, then, eh?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Of course it probably is spammers, but it wouldn't suprise me if some people who've had themselves blacklisted unfairly would like to ddos some blacklist servers into the beyond.
Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.
ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.
Send lawyers, guns, and money!
Earlier this week when people talked about the writer of SoBig leasing his virus network for spamming many people said spammers wouldn't want to be involved with virii/attacks. I think the DOSing of black list sites pretty much shows that the people sending spam have little moral problem with invading your computer to break the law.
Why don't we just offer all the main spammers a free seminar on some small island in the south pacific or somewhere where no one will care, then when they all get there..
:)
NUKE IT!!!
Problem solved
K Man
what makes you think its spammers? there a plenty of legitimate email users with a beef against these fascists--me, for one. i had a domain on a subnet that's entirely blocked despite the fact that i don't have open relays nor have i ever done any kind of spamming. several of my clients within larger corporate structures couldn't receive email from me because some PHB read in DildoCTO Quarterly that these lists can stop spam--never mind the fact that they can stop any kind of legitimate email use as well. There were a LOT of times i'd wished i had had the wherewithal to undertake something like this; spammers or not, i applaud the culprits.
Bad for them. The main reason for creating centralized blocklists was so people who reformed, or who kicked spammers off their blocks, could have their IPs relisted without having to worry that random admins had hardcoded filters into their routers. One central source for listing, one central source for delisting.
If they succeed in negating the value of centralized blocklists, guess what - admins will go back to blacklisting blocks manually. Those IP blocks will become useless once enough people add them to their blocklists, and there won't be any easy way of redeeming them.
Anyone who wants to get internet access better get a clause in their contract guaranteeing that the IPs they get weren't abused by someone in the past, or else they might be getting a useless connection.
This is an act of desparation on the part of spammers that proves the anti-spammers are winning the battle. Fortunately, the next phase of the "war" is moving away from blacklists and focusing on technologies that are user-based and user-specific, such as Bayesian filtering. There is no level of DDoS attack that can stop that battle.
Impressive.
Hopefully there isn't a slashdot story linking to them any time soon!
Why are there only 19 people folding@home for slashdot?
Spammers HAVE to have a weaknes. .
I find most people, when a hammer is liberally applied to the head, find their weakness to be blunt objects.
They tend to dislike them.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Might need to move these block lists onto a distributed network. If lists were sent out via a Gnutella- or BitTorrent-like system, using digital signatures to verify authenticity, it'd be impossible to DoS.
Everyone appears to want to direct mod power today, so why not?
I'm not too disappointed to hear of these new attacks. Conspiracy theories and the like aside, I'd rather have the responsibility for SPAM-blocking placed on the client side.
Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.
Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonymous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.
Peas,
j
Because you can reject mail at the SMTP level. I typically get about 70 emails a day to my own server. About 40-50 get denied by a DNS based filter on qmail (rblsmtpd). Which means on average, only 25 get through to Spamassassin, where another 15-20 are deleted due to high spam thresholds. Then I get about 5-8 real emails, and maybe 1 or 2 spams that make it through (which Mozilla mail promptly eats as spam).
If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
DNS based BL is useful because it doesn't even let it in the door.
I want to delete my account but Slashdot doesn't allow it.
From the article: In a technique called a "distributed denial of service attack," vandals exploit security flaws to plant programs, called "Trojan arses," on thousands of Internet-connected computers. They then order the Trojan arse programs to spew useless data at a targeted machine.
The mental image of a bunch of Greek soldiers pouring from the sphincter of a huge, wooden butt is just too funny for words.
~Philly
Good riddance, I say. I sure won't miss them.
Go to nana-e, and they'll tell you that robots from space run SPEWS, and there's no way to get a hold of them. They start with Class C's, then progress to banning class A's. Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists. SPEWS had information too on DNS blackholing (i.e. preventing your users from going to internet sites) and on HTTP blocking. If it was anyone else (the government) who was advocating this, people would be outraged.
the internet has become self-aware.. these aren't trojans and virii that we see.. (well, they are, but) we're seeing the Internot wake up. It's practicing by attacking blacklists.. since they prevent full unfettered emailing. Network Packets have become the flowing nuerons of it's killer Internett brain.. all these random SoBigs and Slammer.Dongs are multiplying to the point where sentient behaviour must emerge!!!!
HAAHAHAHAHAHAHAHAAHAHAHA@@@@#!!  ; you beloNG TO THE INTERRRNOTT@@!!
Maybe this is the SoBig.F zombies at work. They have awakened from their "sleeper cells". There was a rummor that they were going to be used by spammers -- but not in this way.
Even if you happen to like the blocklists and agree with their methods, it's clearly irresponsible to assume they're being attacked by spammers -- there are a lot of non-spammers who would love to take them out.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.
If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.
This is the silliest thing I ever expected to read in a spam story...
pamcop's Haight theorizes that the increasingly sophisticated attacks suggest a link with organized crime, but admits he hasn't a shred of evidence.
Anyone else have a wilder guess?
Yes. It's Aliens launching a denial of service attack in advance of their assimilation of the human race. This is clear and obvious to the most casual observer, although I don't have a shred of evidence to support this notion.
The Future of Human Evolution: Autonomy
.. cryptographically sign or hash the blacklist databases, and let mail admins p2p/rsync them..
Still, the only workable solution is cryptographically-secure signatures, probably with a SSL/TLS set of root certs.
Hell, sounds like a job for the post office! Keep it relevant in the age of email..
No way, it's so obviously Jonny Lee Miller and Angelina Jolie.
And depending on just Bayesian filtering is putting all of your eggs in one basket, IMHO (though it is a pretty darn good basket). There are many spammers out there trying to poison Bayes databases by adding random dictonary words to their HTML based emails.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
the best solutions we currently have.
Blacklists by their very design have a HIGH false-positive ratio. How is that a "best solution"? I don't even think it's a "so-so solution." I'd call it a "horrible solution." On top of that, they are easily avoided.
Content filters are the next level of spam protection. It doesn't matter where the email came from, if you're trying to sell me a 12" dong I won't accept it. This is the only thing that will save us from a large P2P spam network.
Has there ever been studies on who responds to spam, and why?
I can easily see web content filtering going the same way eventually.
If people would only take a few minutes out of their day to READ spam rather than just trying to block it en mass, spammers wouldn't have to resort to this!
1) Your analysis is based on bad assumptions so your result is way off. 2) You're a sick bastard for fucking a horse.
People need to understand two reasons why they get spam and DDOS attacks:
1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.
It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implmenting measures to shut down networks that have rogue systems consuming illegitimate bandwidth.
2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.
No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.
We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.
Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.
There's no connection proven yet between the ddos and spammers. That's like the fact that no WMDs being found proves they're there and hidden.
Where did you learn to draw conclusions, from the president?;)
Bill
Upon seeing the box was too small, Schrodinger's Elephant breathed a sigh of relief.
As the anti spam officer in a Major ISP in India, I have no problems with blocklists as such. But the people who maintain the blacklists also has a responsibility to correct their mistakes immediatly. They must listen to people who maintain networks and if a machine is wrongly listed they must remove it. The procedure for taking out a machine from blacklists must be documented and verifiable.
We have a large cable network, and there are 3 4 trouble making customers. We do allow people to run their own mail servers. But that also means that some customers misuse it to send spam. It takes us a day or 2 to shut down the spammer, and by then the C bloc will be listed in some black holes.
Now de listing it becomes a major pain if the black holes are not responsive. If the procedures are well documented life of ISPs become much easir.
and no we have not considered denying the freedom of our customers to run their own outgoing mail servers. one or two random spammers cannot force us to deny that freedom to majority of legitimate users in our network.
raj
Sarovar.org Hosting for open source projects in Indi
The farther you let junk travel into the system, the worst your problem is. Bayesian is hard to apply at the network level, you must leave it to the individual users, causing a twofold problem: you keep letting the scum of Earth parasite your network (if you are an ISP) and you expand the processing needs of the end user (ever saw Mozilla Mail "think" for a couple of minutes after you mark one or two email as junk?). This is undesirable.
Lists work pretty well. They ocasionally piss people off, but the cost-benefit ratio is still largely on their side.
I'm getting a bit tired of people applauding DOS attacks on blocklists. Many of us run small mail servers for ourselves and/or small companies where EVERYONE who recieves email is in agreement that blocking spam is the right thing to do. When everyone chooses to do this, it's not censorship. Seriously -- the volume of spam is overwhelming, and in a small business there is no one delegate managing email to, and it's consuming precious bandwidth. Spam is the problem, not block lists. No spam, no blocklists, simple as that.
My server has seen as many as 500 spams a day directed at it -- for just two email accounts releated to my business. I had little choice but to elect to use drastic measures and escalate them until the spam became manageable -- and the best defense due to bandwidth issues (we run on just 128K because that's all that's available to us) is blocklists. The problem has been so bad that I maintain an internal block list that uses iptables to simply not route packets from IP blocks (/24) for any email that gets through the first layer of blocklists that sendmail checks.
Osirusoft in particular was very, very useful to me, because they maintained a number of DNS mirrors of other blocklists, so you could pick and choose how drastic you wished your blocking to be. I will miss their service greatly -- and can already notice it as my spam has doubled since it was removed from my sendmail config.
Without blocklists, email for my small business at least would be useless. I know that I've lost business using them, but I'd lose more business/time/money without -- there's no friggin' way I'm going to search through (and accept the bandwidth hit from) five hundred messages to find the few legitimate ones and still have time to get real work done.
Blocklists are vigilante defense, if not vigilante justice. Vigilante justice is justice meted out by self-appointed individuals or groups. Blocklists aren't, for the most part, trying to punish/mete out justice to spammers. They're just trying to block the flow of spam.
But they are self-appointed and work according to a set of informal rules that they adhere to voluntarily. That sounds like vigilante to me.
I'm not saying this as criticism, but simply as a description of what is going on. I maintain a procmail-based spam filter with a fair number of users, and it supports various blocklists. I'm not anti-blocklist, to put it mildly.
At the same time, I think most anti-spammers would like to see a less chaotic means of fighting back against spam. Most of us are just trying to hang on until various governments wake up and realize what spam is doing to the Internet, and start taking it seriously as a conversion of resources that the spammers do not own. Theft, in other words. :/
Catherine
As the blocklist lists more sites/providers, then it stands to reason those sites will follow the trail back to the blocklist, such as Osirusoft or SPEWS, in order to get information regarding their inclusion in that list, and how to get delisted. (Reference: The "Slashdot Effect).
I noticed that Joe Jared mentions his other site as a collateral casualty of the DDoS. Now where did I hear the term "collateral damage" before? As a provider of SPEWS blocklists, that would in effect make him as accountable as SPEWS, to use their own twisted logic of "a customer of an ISP is as guilty of spamming as the spammer themselves".
We do not condone any DDoS attack, nor do we condone the actions of SPEWS. The demise of Osirusoft demonstrates that unaccountable "vigilantism" does nothing to stem the tide of unwanted commercial emails and as stated in previous posts regarding spam, more rational discussion should be forthcoming, with real solutions, rather than the tactics used by the blocklists that would hack down the forest to fell one tree.
Pete Carr Owner Chatmag.com
Whitelist: allow everything in from anyone on that list
IFF doesn't meet above criteria, filter it.
So, it doesn't prevent anyone from contacting you the first time, unleass their email says something like "bigger penis breast enlarger xxx sex goatse.cx tubgirl"
This is WAR. Spammers will stoop to any level to get their crap into people's mailboxes, and now the blacklists are giving into their guerilla tactics - I say keep fighting, eventually they will figure out where the attack is coming from, and shut the damn thing down. We must never give up fighting spam, at any cost.
I personally HAVE been blacklisted (by ordb.org) and once I cleared up the problem (some ability to relay) I was let out. This took 2 hours total, so I feel comfortable USING ordb.org myself, now that I am responsible for protecting a large network from spam. I also use spamassassin, quarantining and a number of other methods to prevent false positives, and we do notify once you get past spamassassin.
If I did not use SOME rbl though, I would be sending out 6000 spam blocking notification messages a day mostly to people who aren't there or are not the real sender. Since I block things prior to getting through postfix, I am able to send them back a clear informative message on the blockage, DURING the transmission.
In any case, I have heard of lots of bad stuff about SPEWS and all but my experience with spamhaus and ordb are that both help block alot of mail, and are responsible with their efforts.
In any case, it is my business (and my company's business of course) how we handle our incoming stream. If we choose to use a blacklist that is our right. As it waspointed out, we could always create our own (It is pretty easy to create a dnsbased one even to share with a few friends or whatnot)...
No one is going to be able to stop ALL blacklists, but by attacking the large centralized ones, it does not IMPROVE the ability to get taken off an RBL. It just makes it harder really.
This morning around 6:30AM MST, the spam levels on our work server dropped from ~800 spam/hr to ~35/hr. They'd been hovering at the 800 level for more than a week (most are not actualy spam, but "bounces" from SoBig.F faking our domain as the From address). It's staying right around 35 still about 7 hours later..
Not complaining, but very strange nonetheless!
Perhaps it's Something Awful that's doing it?
Fark seems to think so.
(Ever feel like you're writing for memepool or Everything2? I sure do!)
on that.
http://www.baarbd.org - bay area adventure racing
I took over an SMTP server that was an open relay. Spam had been relayed, so the server was blacklisted. I secured the server, contacted the various blacklists, and the server was removed from the blacklists. I had no problem with any of the blacklists, and had no problem getting the server removed. Of course I was polite, and I went through the appropriate channels...
The volume of spam is sufficient without removing the blacklists.
You got me into this! You were the ideologue! I'm only a poor assassin! - Twenty evocations, Bruce Sterling
We use Spam Assasin on Sendmail. We have Sendmail configured so that when a message is positively identified as spam, we automatically update our local access file to blacklist the entire class C of the relay host.
I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.
A malfunctioning IP blacklist will give a message more points, but only a fraction necessary to send the message to dev/null
Thought of in another way is that the decision of whether the message is spam or not is distributed among lots of "decision makers" The weight of those decision makers is determined by the number of points they are allowed to assign to a given message.
We also use Spam Sleuth Enterprise to protect our server from SoBig.F. We just look for the text "X-MailScanner: Found to be clean" and set it to enough points to delete the message. It takes the load off of our internal servers.
Hope this helps somebody.
Unfortunately, spammers are like bad apples - when they find a spam-friendly ISP, they tend to conglomerate. Second, you don't think that individual SysAdmins will do worse? At least with centralized blocklists, you can be removed. Try that with a ton of individual admins.
-Looking for a job as a materials chemist or multivariat
Yes, many have the entirety of Brazil blocked. And for good reason, too. Doing so cuts out a huge chunk of spam and reduces the costs on the receiving mail servers and networks noticeably. It works.
The problem is that most of Brazil is served by one big telco monopoly that is operated entirely incompetently. That doesn't necessarily mean each person in that company is incompetent, but those that are not are surely aware of their inability to do the right thing and stop the spam.
Some people even blocked all of 200/8.
Now I don't actually agree with the actions those people did. What I did was scan those networks for patterns and figured out specific domains to block. I'm getting most of the effectiveness without the false positives. I do have almost all the cable modem and dynamic DSL lines blocked as best as I can.
But the real goal is to get spammers disconnected so they can't even send a SYN packet, much less make an SMTP connection. You have a better idea that meets those goals that what is being done now? If so, post it.
now we need to go OSS in diesel cars
Spam really brings out the worst in everyone - both those who recieve it, those who fight it, and those who send it.
/. belong to this group, but I would include myself.
But there are some mature Internet users who do not believe the way to solving things is running a DDoS against a party or blocking subnets carelessly. I do not know how many are on
There is no panacea for spam. Sorry.
It is very unresponsible of any maintainer of a blacklist to target large IP blocks. There is no possible way to maintain such a list accurately without targeting innocent parties. Collateral damage is understandable, but it should also be looked down upon and avoided at great cost, not accepted. Imagine IPv6 blacklists.
Admins need to take the responsibility to make use of blacklists which are strict in the conservative sense (i.e. very specific). We can all understand this is not as effective as blacklisting the entire Internet.
This is really ridiculous and childish, except with adult repercussions. On the one hand, we have virtual fascism with blacklists. On the other, we have DDoS attacks to end them. And what does this do for the users? Nothing. More bandwidth wasted, more time diverted from the real issue, and disruptive communications.
The Internet is not a playground anymore. Some people actually use it for business, important communication, etc. We need to get serious, not extreme.
I think this is cool. An epic battle between good and evil rages on the Internet. It's sort of like a Lord of the Rings for geeks. Oh wait, Lord of the Rings is for geeks.
I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).
The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintaining a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.
Pros:
1. No external testing/probing is required. All blacklisted IP's have been known to be an originator/relay point of spam.
2. A copy of the spam message can be retained in case of any dispute.
3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
4. A false positive does not impact systems not directly under your control.
5. Corrections to the dnsbl can be made as urgently as your time would allow.
6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.
Cons:
1. Bayesian filter requires training and maintenance.
2. Personal dnsbl also means personal attention. More time and resources required to manage.
3. Not immune to false positives (actually amplifies the effect).
I'm sure I've missed some points on both the pros and cons, but it's a start.
Additional details of the plan had included a web interface for the blacklisted IP's delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per a configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party to purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.
My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could careless if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not in theory of being capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).
Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.
Any volunteers?
I run a mail system for a regional isp and in the last week or so I have seen my average mail load rais exponentially. Right now I am processing more mail in a 24 hour period than I had previously been in over a month. There are alot of people that are using these blocklists that didn't have the good sense to set up their own and mirror that data. So if every incoming message represents a query to the dns serving the data and the mail load on a typical isp server has increased literally by 10,000% it stands to reason that sobiga-f certainly did create most of this problem.
So yes, let's block the entire nation of Brazil. Those people in Brazil who want websites will just have to use another ISP... you know, the one that doesn't exist. Hell, if they don't want to support the spammers they should all move to another country! Plus, it's not like ISPs have vastly different capabilities. It should be increadibly easy for sites that upload terabytes of information to find another ISP that blocks spammers the nano-second they are informed. Also, those same sites obviously have no long term contracts with their ISP, so their shouldn't be any severe monetary, let alone logistical or legal, penalties for them to switch.
It seems to me that, in fact, it is YOU who just doesn't get it. Not to put this on the same level or anything, but the exact same attitude was used to justify 9/11.
common sense: noun
What those who are ignorant of the subject matter think; usually wrong.
Maybe this is NOT even a DDoS attack at all. The SoBig.F virus includes its own SMTP engine, and so, is bypassing the smart host mail server at each of the various ISPs the infected machines are served by. It is now making SMTP connections to various MX hosts all over the network directly from that access IP address which probably never was used that way in the past by most people. DNSBLs are, or were, scalable because the queries done by the receiving MX servers to verify each sending IP address would be cached by the DNS server there for usually at least a day or two. That caching is effective when the number of connecting SMTP clients (the sending role) is small. What SoBig.F did was greatly increase the number of different IP addresses being SMTP clients. This could be immensely greater, many times the number originally seen. That would mean the resolving DNS server at the MX server site would be missing its cache much more often, both due to the more diverse queries being done, as well as the increased volume of mail. My theory is that this alone, if the increase factor is high enough, could overwhelm the authoritative DNS servers for the DNSBL zones and appear like a DDoS attack.
DNSBLs might have also be configured in more servers as a result of the SoBig.F virus going around, too, to help block it.
How to verify this would be to examine the range of source addresses hitting the authoritative servers. If the range is about the same as before, or generally represents the resolving DNS servers those MX servers are using, then I could be right. Still, it is possible for a real DDoS attack to fake exactly that so as to look like this theory holds.
If the attack has source addresses that are not functioning as resolving DNS servers, then the theory would be wrong. But resolving servers, when run separate from authoritative servers, are usually blocked from outside usage. So simple testing would be inadequate to show that they are not real DNS servers.
now we need to go OSS in diesel cars
As usual (for a pro-SPEWS poster), you've twisted the parent post to fit your facist world view. If you read carefully and without bias, you will find out that Fastmail.fm actually is extremely aggressive in killing spammers, often within seconds. Does some spam get through? Yes, up to 100 spams per account. Why? Becasue Spammers don't set the Evil Bit when they sign up for an account. So the spammers have to do something that identifies themselves as spammers. As soon as that happens, bammo! This is what I would call a zero-tolerance for spam. The statistics about valid:spam emails aren't to justify the spam that does get through. As you should have seen, Fastmail.fm kicks spam in the ass. They statistic is supposed to show the harm that the reactionary blocking lists are causing.
If I don't know anyone in Brazil and don't expect to, why should I not block Brazil when all I get from Brazil is spam?
considering that we might as well get a laugh out of their demise, nuking an island full of spammers is a perfectly fine idea
Plus, we'd get to see that really cool looking mushroom cloud.
There are only 10 kinds of people in this world... those who understand binary and those who don't
Since the latest virii do DDoS attacks against the MS update sites and anti-spam sites, the really good virus writers would DDoS the anti-virus companies sites so that people couldn't get new definition files. Just imagine... if all the anti-spam sites were DDoS'd off the net and the next virus did the same to the update sites for MS and Symantic, McAfee, AVG, Skywalker, etc... the only choice would be to just turn off all the infected machines. Who knows how long it would take to get updates.
I don't have a problem with people keeping a list of IP-ranges that has spammers. What I don't like is having my e-mail filtered for me by my ISP
While SPEWS's tactics may appear "doomed to failure" in your eyes, they are having a noticeable effect on spam-friendly ISPs. If you read nanae you regularly see ISPs that have ignored all spam complaints for months or years finally start dumping their spammers in response to a SPEWS listing.
Ok we have all this wonderful file sharing technology avalible, why not put it to good use. Why not build a distributed black list. One that is shared over an automated file sharing network similar to Napster or Kazaa. DDOS only works with a target, with 100 or more geographically diverse machines sharing it I wish them luck. Make being able to access the list depend on your willingness to share it out too. Of course someone would have to figure out the infrastructure but this would rock.
Sick of stupidity? http://www.patentlystupid.com
First of all, it's sending email that is the problem for people on an email blocklist/blacklist. Not receiving email. And certainly not hosting websites.
And there's nothing difficult about paying someone to provide an email "smarthost" for you somewhere else, in unlisted netspace. Though you should of course bitch incessantly at your network provider for forcing you to take that option.
And of course, you should always remember while you're feeling sorry for yourself about being on an email blacklist, that there are a large number of people in the world with problems much worse than yours.
(I'm going to have to find out one day exactly why it is that Brazil apparently only has one ISP. It seems quite bizarre.)
Pete.I generally do like blacklists, but I do not trust them to get everything right.
:) for mail.
My ISP has multiple POP boxes for each customer though. Currently all the spam gets into one box and the (presumed) legit mail gets into my normal mail box.
Now and then some legit mail gets into the spam pop account. Now and then I check this account for messages that are non-spam. Until now, only some mailinglists have been incorrectly identified as spam (ironically, mostly from IT security companies).
There is still an amount of spam in my inbox too, but some rules take most of that out as well.
I would not want my ISP to throw away all the mail they think as spam; they should never do that without my consent. But blacklistst do not have to be a 0 or 1 (or black or white
Warper
0 - evil bit
The real problem is large ISPs/backbones like UUNet/MCI, Cogent, Comcast, Level3, China Netcom, AT&T, Brasil Telecom, and Above.net (among others) who flat-out refuse to do anything about the spammers to whom they provide connectivity.
Complaints sent to any of them are promptly auto-acked and then /dev/nulled (if they don't bounce) and so the spammers keep on spamming, most likely due to ephemeral pink contracts and the crooked marketing/sales departments that agree to them, who then put pressure on abuse personel and network admins to ignore complaints about the contracted spammers.
Because of this, those large ISPs and backbones end up on blacklists, DNS blocklists, and a wide variety of other filters. For them, the money they make off the spammers seems to be of greater concern than the money they make off legitimate customers, i.e. those who end up with their netblocks on every blacklist because of who their providers are.
If it weren't for rogue ISPs and backbones, there would be little use for blacklists or blocklists. However, those reprehensible companies do exist. And because of their policies on spam, they continue to be blocked. Money gained from spammers guarantees the blacklists' continued existence.
It's all just cause and effect. As much as it sounds like a conspiracy theory, I truly believe that it isn't, after fighting spam, one email at a time, since 1997.