DoS Assaults Underway Against Spam Blocklists

Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.

Why does he think it's spammers?

[seanadams.com]

Apparently spammers aren't going to sit by...

Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down. They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks. This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!

Re:Why does he think it's spammers?

[fmaxwell]

I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down.

I will be equally happy when someone uses a DoS to keep you from posting comments with which I disagree. As you point out, a DoS is a valid way to suppress free speech.

They are pure evil in their methods,

How is it "evil" to publish a list of IP addresses that match a listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).

and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

Absolutely untrue. I use several of the blacklists for my domain and the quantity of spam blocked is tremendous with very little collateral damage. Without those blacklists, I would be seeing far more spam than legitimate e-mail every day.

They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks.

Yeah, the same large ISPs who, in many cases, were writing "pink contracts" for spammers and making money from spam. Those are the large ISPs that really hate the blacklists. And if it wasn't for the blacklists, more and more ISPs would be writing pink contracts.

Re:Why does he think it's spammers?

[nearlygod]

The problem is that they are not checked and updated (at least in my experience). My companyies IP (actually my ISP's entire C-block is blacklisted by one list and dispite trying for 6 months, I have had no luck getting removed. I have gotten zero responce from the blacklist dispite many attempts and following their removal instruction to the letter. No other blacklist has us listed and we have never had an open rlay or sent spam. So to me, this particular blacklist is evil and since they are the only one that I have had to deal with, I wouldn't be suprised if others have had the same experience.

Re:Why does he think it's spammers?

[P!Alexander]

My own email provider (Fastmail.fm) is very proactive about eliminating spammers and has a very strict anti-spam policy; however, it has been erroneously listed on Spamcop on at least one occasion causing problems for all of its legitamite users.

Here's a great blow by blow report of one such incident by Jeremy Howard, one of the directors of the company, as well as some reasons the list doesn't work.

Re:Why does he think it's spammers?

[TillmanJ]

Oh...I just noticed, the poster is a proud Republican...that explains it. Anyone who feels the need to brag about their conservatism generally has a soft spot for Joe McCarthy.

Anyone who needs to point out someone elses political leanings in order to denigrate them generally has a soft spot for Chairman Mao.

Re:Why does he think it's spammers?

[ahodgson]

The US government essentially said spam wasn't their problem, and that the industry should self-regulate. Blocklists are self-regulation in action.

Re:Why does he think it's spammers?

[hawkfish]

Anyone who needs to point out someone elses political leanings in order to denigrate them generally has a soft spot for Chairman Mao.

Amusingly enough, this can be applied to Rush Limbaugh and most of the other right wing fruitcakes in the US. As it is written, "Choose your enemies wisely, for you will end up resembling them."

Best defense is a good offense

[Lead+Butthead]

So when do we get to launch our DDoS against the spammers again?

MOD PARENT DOWN.

Althought he presents a valid arguement, WE DONT WANT TO HEAR THAT!

SoBig

[ifreakshow]

Earlier this week when people talked about the writer of SoBig leasing his virus network for spamming many people said spammers wouldn't want to be involved with virii/attacks. I think the DOSing of black list sites pretty much shows that the people sending spam have little moral problem with invading your computer to break the law.

who says its spammers?

[tongue]

what makes you think its spammers? there a plenty of legitimate email users with a beef against these fascists--me, for one. i had a domain on a subnet that's entirely blocked despite the fact that i don't have open relays nor have i ever done any kind of spamming. several of my clients within larger corporate structures couldn't receive email from me because some PHB read in DildoCTO Quarterly that these lists can stop spam--never mind the fact that they can stop any kind of legitimate email use as well. There were a LOT of times i'd wished i had had the wherewithal to undertake something like this; spammers or not, i applaud the culprits.

Distributed blocklists

[silentbozo]

Bad for them. The main reason for creating centralized blocklists was so people who reformed, or who kicked spammers off their blocks, could have their IPs relisted without having to worry that random admins had hardcoded filters into their routers. One central source for listing, one central source for delisting.

If they succeed in negating the value of centralized blocklists, guess what - admins will go back to blacklisting blocks manually. Those IP blocks will become useless once enough people add them to their blocklists, and there won't be any easy way of redeeming them.

Anyone who wants to get internet access better get a clause in their contract guaranteeing that the IPs they get weren't abused by someone in the past, or else they might be getting a useless connection.

MOD PARENT SIDEWAYS

Everyone appears to want to direct mod power today, so why not?

Client-side blocking

[jtoker]

I'm not too disappointed to hear of these new attacks. Conspiracy theories and the like aside, I'd rather have the responsibility for SPAM-blocking placed on the client side.

Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.

Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonymous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.

Peas,
j

Blacklists ARE useful

[Gothmolly]

Because you can reject mail at the SMTP level. I typically get about 70 emails a day to my own server. About 40-50 get denied by a DNS based filter on qmail (rblsmtpd). Which means on average, only 25 get through to Spamassassin, where another 15-20 are deleted due to high spam thresholds. Then I get about 5-8 real emails, and maybe 1 or 2 spams that make it through (which Mozilla mail promptly eats as spam).
If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
DNS based BL is useful because it doesn't even let it in the door.

"Trojan arses"???

[phillymjs]

From the article: In a technique called a "distributed denial of service attack," vandals exploit security flaws to plant programs, called "Trojan arses," on thousands of Internet-connected computers. They then order the Trojan arse programs to spew useless data at a targeted machine.

The mental image of a bunch of Greek soldiers pouring from the sphincter of a huge, wooden butt is just too funny for words.

~Philly

indeed

[Trepidity]

Even if you happen to like the blocklists and agree with their methods, it's clearly irresponsible to assume they're being attacked by spammers -- there are a lot of non-spammers who would love to take them out.

These attacks must be stopped!

[teamhasnoi]

Otherwise, we are going to be a nation of skinny, refinanced, gargantuan penises that want to show you something on our webcams!

Evolution of a blacklist architecture.

[emil]

• Centralization of the blacklist is bad. Therefore, the lists should be p2p.
• Each blacklist should be signed by the maintainer's private key. The public keys should be kept in several well-known locations.
• An application, running on a mailserver, should have options to:
  1. Download blacklists from specified upstream sources, preferably by rsync protocol, although even gzip would be an improvement over what we've had.
  2. Apply some or all of the blacklists to inbound messages.
  3. Offer the blacklists for further download.
  4. Automatically announce new blacklists, the recall of canceled blacklists, or newer/faster/replacement upstream blacklist servers.
• The blacklist application should work with all major MTAs, including sendmail and exchange. It should be platform-neutral, and we should do what is necessary to get MS to package it on the CD.

I can easily see web content filtering going the same way eventually.

Re:It's illegal

[mabu]

A friend of mine who runs an ISP filed a case with the FBI. He had all the evidence, he had $100,000+ worth of damage he could prove. The case was meticulously documented. The FBI felt it was a rock solid case. They presented it to the DAs in multiple juridictions and they refused to prosecute or pursue the case. He even had the perps home address and telephone number and enough evidence to link him to credit card fraud, attacks on major corporations and much more, and the authorities blew the case off and didn't take action.

Re:ever tried to get off SPEWS?

[mrex]

Go to nana-e, and they'll tell you that robots from space run SPEWS

Spammers with unbalanced ethics:lawyers ratios have already attempted to make life hell in court for blocklist owners that they could track down. I know of no instances where the spammers won, but the costs and hassles associated with defending yourself from a lawsuit exist whether one wins or loses.

Who can blame SPEWS for planning ahead for this? Answer: spammers who are really pissed off.

, and there's no way to get a hold of them. They start with Class C's, then progress to banning class A's.

That's the whole goal of SPEWS. SPEWS is not a list of spammers, its a Spam Prevention Early Warning System. Listing individual spammers addresses has not been entirely effective, as spammers simply find providers who are willing to lie for them, thus SPEWS was created to punish ISPs who are unresponsive to legitimate abuse reports. SPEWS exists to counterbalance the profit those ISPs may make from spammers with loss of profits from those who want to use the internet for a legitimate purpose.

Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists.

I add a very very large score via SpamAssassin to any mail that comes from Brazil, Mexico, China, Taiwan, Korea, and several other nations who appear to be becoming spam havens. What's your point? I have, in many years on the net, never received an e-mail I wanted from those countries.

SPEWS had information too on DNS blackholing (i.e. preventing your users from going to internet sites) and on HTTP blocking.

Uhhhh...yes...and? Is there something immoral about administering the ISP you are responsible for in the manner you see fit? It's my business, I can do as I damn please. If I want to filter out every website except my own, that is my right. My customers vote with their business, they do not get a direct say in how I run my outfit. Every business owner understands this concept when it is put into their terms, yet spammers seem to be very against this right when it comes to ISP owners. Gee, wonder why.

If it was anyone else (the government) who was advocating this, people would be outraged.

So? Very often it is acceptable for an individual to do something that a government cannot. For instance, if the government tried to convince me to go to XYZ Church, I would be outraged. For an individual to do so is nothing short of normal.

A Defensive tool, not censorware

[mercuryresearch]

I'm getting a bit tired of people applauding DOS attacks on blocklists. Many of us run small mail servers for ourselves and/or small companies where EVERYONE who recieves email is in agreement that blocking spam is the right thing to do. When everyone chooses to do this, it's not censorship. Seriously -- the volume of spam is overwhelming, and in a small business there is no one delegate managing email to, and it's consuming precious bandwidth. Spam is the problem, not block lists. No spam, no blocklists, simple as that.

My server has seen as many as 500 spams a day directed at it -- for just two email accounts releated to my business. I had little choice but to elect to use drastic measures and escalate them until the spam became manageable -- and the best defense due to bandwidth issues (we run on just 128K because that's all that's available to us) is blocklists. The problem has been so bad that I maintain an internal block list that uses iptables to simply not route packets from IP blocks (/24) for any email that gets through the first layer of blocklists that sendmail checks.

Osirusoft in particular was very, very useful to me, because they maintained a number of DNS mirrors of other blocklists, so you could pick and choose how drastic you wished your blocking to be. I will miss their service greatly -- and can already notice it as my spam has doubled since it was removed from my sendmail config.

Without blocklists, email for my small business at least would be useless. I know that I've lost business using them, but I'd lose more business/time/money without -- there's no friggin' way I'm going to search through (and accept the bandwidth hit from) five hundred messages to find the few legitimate ones and still have time to get real work done.

Am I the only one who did not have this problem?

[junkgoof]

I took over an SMTP server that was an open relay. Spam had been relayed, so the server was blacklisted. I secured the server, contacted the various blacklists, and the server was removed from the blacklists. I had no problem with any of the blacklists, and had no problem getting the server removed. Of course I was polite, and I went through the appropriate channels...

The volume of spam is sufficient without removing the blacklists.