Sobig Worm Attacking RBL Lists?
Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
We don't come here for have grammar
Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.
Maybe they were creating a network of DDoS zombies.
Why did you have to put a link to spamhaus into this story? Readers might expect something new, special on their page, click on it and help use up spamhaus' valuable bandwidth.
No point in providing useless links.
If they 'win', people will stop using SMTP email as it would be useless. So even if they 'win', they 'lose' in the end anyway.
are the spammers actually winning the battle by using viruses?"
I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here. What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal. Blacklists however make it nearly impossible for me to communicate with quite a few people (my ISP has found itself on one blacklist, and no matter what they're doing, they can't get off).
And of course, if the spammers are indeed using viruses, afterwards when the blacklists are gone, we can nail them for having used those viruses, and we'll be rid of two pests, with an internet that's once more in nearly pristine condition.
Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.
OTOH, I have no friggin' idea what I'm talking about...
Look at it - virii tend to clog up systems, waste resources, and are bandwidth hogs. They are unwanted, and often involve mass mail outs from email addresses harvested without consent. They can cause the collapse of recipient mail systems by sheer volume.
Now replace the word 'virii' with 'spam'. See?
Nothing - well, that's something.
In the short term, the mailing viruses are winning. I think it's too early to say that the spammers are going to benefit from this in the long run. True -- anti-spam services (especially those that are poorly funded or inadequately scalable) have been shutting down recently. They've been taxed, incredibly taxed, by the last two months' virus activity -- like the rest of the mail infrastructure. Add in some highly publicized ddos attacks, and, hell, many services would buckle under that kind of pressure. I think the real lesson is that many centralized spam services are inflexible and not hardened enough to meet the task (and the resistance). Maybe, generally speaking, that's the wrong idea. Maybe. In an even longer term, I think things are even less clear. Technologically, right now, it's spam/viruses 1, civilian e-mail 0. But the troubles have been so well publicized, and so generally annoying, that already institutions are finally starting to implement basic hygiene measures, in some cases overcoming substantial status-quo / administrative pressure.
With the efficiency of spam filters and widespread use of blacklists and such, how can the spammers actually make any money? It's logical that they (the spammers) should try to bring attrition to the defenses of mail servers.
Btw, I have a novel idea for bringing spammers out of business. OK, here goes: spammers want to sell you penis enlargement programs, viagra, and pr0n right? Well, what if someone sets up a company solely dedicated to selling these things at the lowest price possible? People could just go to AllMyPerverseNeeds.com and get their fix cheaply and securely. Obviously we can't compete with Nigeria type spams, but it would bring down a lot of spam I think. So, anyone in favor of starting a non-profit Viagra depot?
Look what I got yesterday (with forged headers):
---- quote --------------
Dear Internet user.
We are an organization dedicated to stopping spam. Please help us as we are
funded solely by private donations.
visit www.spamcop.net for full details. Or you can send your donations to:
Julian Haight
PO Box 25732
Seattle, WA
98125-1232
As you can see by this message unsolicited e-mail is an invasion of your
privacy. As you can also see it can be sent anonymously
We will continue our efforts until all spam is eliminated.
To join please visit www.spamcop.net or contact
jkdom@mail.julianhaight.com
We will continue to send out this message until we convince all ISP's to
stop all spammers.
!!!Stop low-lifes from invading your inbox with their junk!!!
---- end quote ------------
If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game? Almost all these Windows viruses, if you hexdump them, have smtp capability. It's quite thinkable that a fair amount of them are really experiments rather than 'bad things done to innocent users because the virus writer likes doing that'.
There must be a lot of money involved in the art of spamming still. I wouldn't be surprised if spamhauses are partially means of laundering money as well (think about it). Either way, these people *are* criminals and one should consider them as such.
are the spammers actually winning the battle by using viruses?
...
Just look at the godawful appearance of the meat, and smell the nasty stench from the can : how can you *not know* there are viruses in spam?
Yuk
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
If the sobig worm were attacking RBLs, wouldn't someone have done a "netstat" on an infected machine and found it? I've netstatted a couple of infected machines; seen nothing even close. Maybe it's just the mail _servers_ killing the RBLs, checking all those thousands of spam mails (sometimes 4 or 5 per server PER SECOND).
Dependable, Reliable Furnishings
All 3 located in 3 different countries, but all involved in anti-spam activities in SE Asia. This is not a joke; the only funny part is the low and dumb DDOS, as I'm now able to just block IP by IP, and the general hit rate is as low as 1 per 20 sec. (Thank god for the bad routing setup in most of Asia.)
Install p0f on your firewall and block all SMTP access from windows machines. How hard was that?
I know it sounds like an impossible task, but does anyone think we'll ever be able to move away from SMTP based email? If so, won't spammers find a way to spam no matter what email system/protocol we use...or maybe with a new protocol at least we'd have a better more reliable way to block spam.
Next question... who's going to build this new protocol, and who would trust it and prompt a widespread switch to it? It would, it seems, have to be backward compatible with SMTP for some time.
Look at it this way: if they use a Virus it covers their tracks as to who is sending the spam. They can claim they didn't send it, that the infected system sent it, which they don't own. The same for DDoS attacks; they can claim other systems did it.
Spammers use Viruses to not only send out Spam, but also to launch DDoS attacks on Anti-Spam sites. I imagine they control them remotely by IRC or some other way to contact the Zombie to do their bidding.
You see by Spamming they already are breaking the law and doing something unethical. Why stop there? Why not create viruses that act as zombies that can send Spam and also launch DDoS attacks at will?
I hope that someone catches these Spammers in the act of spreading viruses and shuts them down.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
"the blacklist owners claim that spam costs people money, but what about the money people lose due to inaccurate or overzealous blacklisting?"
This from the country which bombed three whole countries because of the actions of a handful of people?
Thus, the US would feel free to invade Spamodia to free the oppressed Spamodians from the evil Spammer overlords. During the invasion, though, the major Spammers would escape, allowing them to continue their spam attacks against the anti-spam coalition forces. And other pro-spam zealots would flock to Spamodia to aid the effort.
I don't know if spammers are responsible for the SoBig virus, I would guess that they aren't but I can seriously believe that they are in control of a number of zombies and are capable of "defending" themselves using DoS attacks.
But this can be fixed through cooperation. All we need is a few hundred, or perhaps a couple of thousand blocklist hosts and a method of coordinating them.
This is easier than it seems. The method already exists. It is called Newsgroups. The only problem that needs to be solved is a method of proving authenticity. Those solutions are also already available.
List updates could be delivered quickly via IRC too. May as well use the enemy's weapons against him.
I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.
Woohoo, you said postal in a reference to spam. Get it... e-mail... postal...
Damn, I'm lame today.
Is an "Aattack" an Attack, or is it like Ddos ????
Finally this is our chance to make Congress liken spammers to cyber-terrorists, and for a reason politicians fear and know well enough to do something about it: "Now some of the spammers are even building a network of worm-ridden computers, possibly at the fingertips of a madman who is willing to do anything for money, and may only be waiting to turn them into Weapons of Mass Disruption, wreaking havoc to the Nation, the Internet, and e-mail as we know it..." (spooky, huh? ;-))
Outlaw spammers, put an end to spam. Sometimes it's as simple as that. (And it works: Haven't seen much fax spam for years...)
Just be "Mr. Concerned Citizen" for once and send articles like this to your congresscritter now. Let them know what spammers have already done "to your kids" (rather omit the "to your p...s" part even if you've ordered their pills and pumps) "and to your computers".
I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here.
Publishing spam blacklists is a form of free speech and what you're advocating is the use of illegal means (DDoS) to suppress free speech. You suck.
What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal.
Grandma isn't going to be able to install and use bayesian filtering or generate unique e-mail addresses, so your solution sucks. Any "solution" which doesn't keep the spammers from getting their messages to the vast majority of people is just some geek doing mental masturbation. The spammers will continue to spam, using up bandwidth and storage, while costing ISPs, their subscribers, and businesses huge sums of money. And you'll sit there at home patting yourself on the back (or elsewhere) even though the spammers used your bandwidth, your ISP's bandwidth, your ISP's storage, and your storage. Not seeing the spam means that you can't complain about it, so that means that the spammer has less chance of being shut down.
You're just a spam ostrich. You have your head buried in the sand so that you don't see the spam -- even though it's still there.
A secure network needs to be created whereby ISPs create a special network which only allows emails to be sent to and from each other. Any email coming from relays not on the list of "acceptable" senders is instantly deleted.
It is unfortunate, however, that the majority of the spam I am receiving is from low lives who run a virus and now I get 143K size attachments being rammed to me.
If they are going to do something there has to be a concerted effort by ISPs to work together to kill off open relays and people who spam rather than getting a real job; 8 to 6, crappy holidays and unreasonable pay. If 95% of people out there can live their lives like normal adults, I think that these spammers can too.
"The difference between pornography and erotica is the lighting" - Woody Allen
Blacklists are the equivalent of the guilty until proven innocent paradigm in the justice system. While they might stop spam by quickly blocking computers that have been hacked into by spammers, they cause problems for the poor people who got hacked.
Yes, but people just don't know what to do anymore. I know bosses who go really mad at admins when spam gets into their mailboxes. It happened to me too. Of course it's not the right solution, but we need some solution, and we need it now. It's sad, but what can we do?
Also, think about people/small businesses who have a bandwidth cap, or those who pay for the connected minute. No matter what filter they use (including Bayesian), they'll be paying for spam. Blocklists will certainly help them.
Bayesian filtering has been very successful
Yes, but it depends on the filter being trained periodically. And it works better for individuals than for groups (because the ham stats are very different for different people).
>> Its true. Blacklists only hurt innocent people who have nothing to do with spam.
Not only do they do so, this is their entire fucking *PURPOSE* - pissing off enough people that they'll complain to the ISP which will then take action. But after that the ISP still isn't removed from the blacklist.
Y'know what I call that? Fucking terrorism!
Most Spammers are Criminals, Scam Artists and possibly Terrorists anyways. So if they are caught they go to jail. So why not make a virus to stop the spam blocking sites? What is the worst that can happen? They get caught and go to jail. That is the problem of dealing with criminals: when their back is to the wall they will do whatever. What they should do is a full media blitz explaining the dangers of Spam and also putting a lot of real pressure on people who keep their relays open, force them to fix it, or shell out cash for a qualified consultant to fix it. Spammers need to be in a situation where there is too much risk and work to be profitable.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
While grammar may be an issue, the title has a misspelled Attacking as Aattacking (or perhaps it is a Dutch spelling, since they are generous with vowels, at least we know it isn't Welsh, since if it were Welsh there wouldn't be any vowels :-)).
English ?
And if such a site is under attack, why on earth are you linking it on slashdot's front page ?
Sunny Dubey
Moderation - where cowards who can't reply hide behind.
Blatant censorship
Bayesian filtering has been very successful and has none of the negative effects of the aggressive blacklisting.
Except for the bandwidth costs, which are a big part of the spam problem.
As for the rest of your comment, it's so outstandingly stupid that I won't even bother to comment. And now that I think of it, this is the second anonymous comment that I've seen in this thread slandering RBLs for no reason. What, do spammers read Slashdot too?
How cool would it be if there was evidence that the Direct Marketing Association was behind the SoBig worm? We could sic the RIAA on them, and maybe tell SCO that the DMA was using Linux to develop it. With any luck, they could all come together and ignite like a small star, ridding the world of the lot of them!
Only in my dreams...
He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
>Only skydivers know why birds sing, only birds know why skydivers smile.
It's too bad that the birds don't know why birds sing and that the skydivers don't know why skydivers smile.
What happened to monkeys.com anyway? Last Thursday I started bouncing messages because I was using their RBL and didn't notice it until I started to see an absence of messages from mailing lists. What is it with these fucking RBLs just starting to reject everything? Just shut it off and let it timeout.
I haven't used a news reader since the groups got bloated with spam and porn.
My main corporate email account is bloated with spam and with moron viruses sent to "all Microsoft Customers," of which I am not. It has got so bad that I just let the account bump against its mail box limit and bounce messages off.
Unfortunately, I have to use email for the auditability otherwise...
If it wasn't for spam, I'd have no traffic at all most days.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Change e-mail clients if this is a problem. Get one that can receive header information only. Delete the ones with 143K attachments on the server instead of downloading. My policy is even simpler: delete all executables and HTML. Losing a pretty style sheet doesn't make the message hard to read. Most of the time it makes it easier.
The truth shall set you free!
:-)
:-)
If you look at the statement in a truly logical way, yes, you are correct.
I think the solution here is to respond with the same kind, but more forceful, DDoS attack on the systems that are trying to shut the anti-spam sites down. I should think we as good network admins, code hackers, et al. can do a much better job than these spammers, who are obviously losing the battle since they are resorting to this kind of tactic. Find the IPs of the sites, and flame back!
-- DuckWing
at least read it- it IS funny :-)
Buttsex.
Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.
Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.
With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.
Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.
This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.
One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existent administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.
Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.
What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).
now we need to go OSS in diesel cars
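The cache-miss argument in the post above, worked through as an added example (my code, not the poster's): a toy model of a receiving mail server's local DNS cache is fed two constructed workloads of 1000 inbound SMTP connections each, one from a small pool of regular correspondents and one where every connection comes from a different infected host. The `bl.example` zone, the 10.0.0.0/8 sample addresses and the 24-hour TTL (the post's "about a day") are assumptions; the reversed-octet query name is the standard DNSBL lookup form.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// DNSBLQueryName builds the name a mail server looks up in a DNS blacklist:
// the client's IPv4 octets reversed, under the list's zone (192.0.2.10 in
// bl.example becomes 10.2.0.192.bl.example).
func DNSBLQueryName(ip, zone string) (string, error) {
	v4 := net.ParseIP(ip).To4()
	if v4 == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.%s", v4[3], v4[2], v4[1], v4[0], zone), nil
}

// CachingResolver models the receiving mail server's local DNS cache. Only a
// cache miss turns into a query at the blacklist's authoritative servers.
type CachingResolver struct {
	TTL      time.Duration
	expires  map[string]time.Time
	Upstream int // queries that reached the authoritative DNSBL servers
}

func NewCachingResolver(ttl time.Duration) *CachingResolver {
	return &CachingResolver{TTL: ttl, expires: map[string]time.Time{}}
}

// Lookup returns true on a cache hit. A miss counts one upstream query and
// caches the answer until the TTL expires.
func (c *CachingResolver) Lookup(name string, now time.Time) bool {
	if exp, ok := c.expires[name]; ok && now.Before(exp) {
		return true
	}
	c.Upstream++
	c.expires[name] = now.Add(c.TTL)
	return false
}

// Connection is one inbound SMTP connection the mail server has to check.
type Connection struct {
	At       time.Time
	SenderIP string
}

// ipFromIndex yields a distinct constructed address per index (10.0.0.0/8,
// used here purely as sample data).
func ipFromIndex(i int) string {
	return fmt.Sprintf("10.%d.%d.%d", (i>>16)&255, (i>>8)&255, i&255)
}

// SteadyDay is normal traffic: a small pool of regular correspondents, each
// connecting many times, spread evenly over 24 hours.
func SteadyDay(senders, connsEach int, start time.Time) []Connection {
	total := senders * connsEach
	spacing := 24 * time.Hour / time.Duration(total)
	conns := make([]Connection, 0, total)
	for k := 0; k < total; k++ {
		conns = append(conns, Connection{At: start.Add(spacing * time.Duration(k)), SenderIP: ipFromIndex(k % senders)})
	}
	return conns
}

// WormDay is worm traffic: every connection comes from a different infected
// host, so the cache never gets a second chance to serve an answer.
func WormDay(hosts int, start time.Time) []Connection {
	spacing := 24 * time.Hour / time.Duration(hosts)
	conns := make([]Connection, 0, hosts)
	for k := 0; k < hosts; k++ {
		conns = append(conns, Connection{At: start.Add(spacing * time.Duration(k)), SenderIP: ipFromIndex(k)})
	}
	return conns
}

// UpstreamQueries replays the connections through a resolver with the given
// TTL and reports how many lookups reached the blacklist's servers.
func UpstreamQueries(conns []Connection, zone string, ttl time.Duration) (int, error) {
	r := NewCachingResolver(ttl)
	for _, c := range conns {
		name, err := DNSBLQueryName(c.SenderIP, zone)
		if err != nil {
			return 0, err
		}
		r.Lookup(name, c.At)
	}
	return r.Upstream, nil
}

func main() {
	start := time.Date(2003, 8, 25, 0, 0, 0, 0, time.UTC)
	ttl := 24 * time.Hour
	steady, _ := UpstreamQueries(SteadyDay(50, 20, start), "bl.example", ttl)
	worm, _ := UpstreamQueries(WormDay(1000, start), "bl.example", ttl)
	fmt.Printf("1000 connections from 50 regular senders: %d upstream DNSBL queries\n", steady)
	fmt.Printf("1000 connections from 1000 infected hosts: %d upstream DNSBL queries\n", worm)
}
```

The two workloads carry the same number of connections; only the diversity of source addresses differs, and that alone multiplies the load on the list's authoritative servers by the pool size. Shortening the TTL (as a list operator might do to make delistings take effect faster) raises the steady-state load too, which is the trade-off the post describes between quick removal and resilience.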
The main problem here is that we have millions of hosts connected to the Internet that just aren't robust or secure enough to be connected to a public network (I'm mostly talking about Windows machines here, if you hadn't guessed).
There was a discussion last week on slashdot about ISPs doing egress filtering on home users' connections and I'm all in favour of that.
Unless you're hell-bent on running a mailserver on your DSL line, there's no reason for you to go out on port 25. Even if you do run a mailserver, you should have your box forward all outbound mail to your ISP's mail relay. AOL and some other large ISPs won't accept mail from you if you don't anyway.
IMHO ISPs have a responsibility to protect the backbones from their lame-ass customers with compromised machines.
Reply rather than mod if you think I'm talking out of my outbound relay.
Unfortunately I have tried to set it up with Mail (MacOS X), Lotus Notes 6 and Entourage; however, each of them downloads the message first, then strips off the attachments. I've changed email addresses now; however, it is rather annoying that such a large number of people send attachments, HTML messages and run attachments, thus I end up getting 134K *.exe files crammed in my inbox.
There is at least one gaping hole in your argument, namely that blacklists are also suppressing free speech. You Suck.
That's an idiotic statement. Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.
Suppose your ISP started blocking all e-mail from ISP X after reading a New York Times article that ISP X hosts spammers. Would you accuse the New York Times of suppressing free speech? If not, then why would you accuse a blacklist provider of suppressing free speech? Because it's easier to search their database than to search the NY Times archives?
You need to take a class in Constitutional law.
I don't see why a spammer, even a big one, should make an effort to take out anti-spam sites. Spammers, so common opinion holds, are just there to make money - not to engage in any sort of crusade against anti-UCE groups. So what does one individual spammer have to gain? If, after a great deal of effort, a spam blacklist is taken down, all spammers share in the benefits. It doesn't seem that one individual would make enough extra profit - possible profit at some time in the future - to justify getting into such games now.
More likely that crackers want to target Spamhaus and the like because it's a big target, just as Slashdot attracts trolls.
What is the motivation for one individual spammer to start launching attacks? Or is there some spammers' guild where they band together?
-- Ed Avis ed@membled.com
If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game. Almost all these Windows viruses, if you hexdump them, have smtp capability.
Then it is suitably ironic that SpamCop does not allow reporting of virus-originated spam. If there is some connection between Sobig (and other Windows virus email) and spam fighting sites being attacked, then I would also think that SpamCop isn't that much farther down on the list of attacks, too. I never understood why these block lists were so against regular spam but allowed messages containing much more damaging exploits to flow freely in exponentially increasing amounts. Looks like that policy is biting them all in the ass now; time to change your battle plan, guys, and shithammer all abusive email.
Oh it's you again. You're still pissed off because your ISP harbors spammers and you think that you're not somehow supporting that by helping your ISP stay in business.
As to your statement about Bayesian filtering ... there are many negative effects. First, it works on the basis of content. What makes mail be spam is not what the content is; it's that the senders are using bulk methods to send to people who didn't want it. I do get some mailings that I have opted in to, which if they were sent to people that don't want them, would be spam to them. Bayesian filtering doesn't work on the basis of what spam really is. Secondly, to even use Bayesian filtering, it becomes necessary to let the spam arrive, using up network and server resources as it comes in. Then the Bayesian filtering has to be run which uses up even more server resources. And finally, if it is considered spam and rejected, then a bounce message has to be queued (taking up disk space), and delivery of it has to be attempted (which for most because it is from real spammers, cannot be delivered, and takes space and delivery attempts for several days). So I will never use Bayesian filtering because it is simply all wrong.
I hate to put it like this, but you people are idiots. Just because no one who's being attacked is talking publicly doesn't mean that nothing is being done or we don't know what's going on.
Evidence has been gathered, and more is known about the source of the attacks than is made public.
Brielle
Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.
You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.
The series of windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (swen) have very efficient SMTP engines built-in; these are not amateur projects.
Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.
Expect an all-out spam war to break out in 2004.
You have a good point. However, the original post has a good point as well. It just depends on what your needs are.
If you are John Q. Internetuser, who wants to reduce the amount of spam that he/she sees in the inbox, then Bayesian filtering is perfect.
However, it is not feasible for use by an ISP trying to reduce bandwidth consumption. Bayesian's content-based nature is wrong for this application--not to mention too intensive.
You also cannot ignore that blacklisting has huge problems. Any time a whole group of people gets blocked because one person in their IP range voluntarily or involuntarily spammed, there is a problem.
The unfortunate thing is that these seem to be some of the best solutions that are available right now.
Sobig Worm Aattacking on RBL Lists?
the virii have chosen a new target:
spellcheck.slashdot.org
The spammers are actually doing everyone else a favor by taking these sites down.
Well, they're sure not doing themselves or their ISPs a favor. Because some of my favorite blacklists are no longer available, I'm aggressively adding entries to the local blocklists here, as are thousands of other small-ISP admins. The spammers will likely never get out of the local blocklists.
Ok, it's off-the-wall, out-of-the-box anti-spam tactic time (I generally get criticised for attempting to solve this problem).
SPAM is successful because of a simple formula:
(Number of messages sent + cost of sending) / time = $$
Why not simply slightly revise the SMTP standard to only permit a fixed number of messages per sender over a period of time? For example only allow say 20 recipients per message per day? If you need more than that, then perhaps have some form of payment system? Isn't it a bit ridiculous to permit an unlimited number of messages? Obviously the SMTP standard was written without abuse in mind.
Coupled with other methods (such as verifying that the originating domain exists (thanks a LOT, verisign morons)), then if the core ISPs implemented something like this it could seriously put a dent in the spammers' ability to function.
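The per-sender cap proposed above, as an added example (my code, not the poster's): a rolling-window recipient quota of the kind a submission server could enforce. The limit of 20 recipients per 24 hours follows the post; the sender names, the decision to refuse an over-limit message as a whole rather than deliver to the first few recipients, and the in-memory bookkeeping are my assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// RecipientQuota caps how many recipients one sender may address within a
// rolling window, the policy the post proposes for a revised SMTP.
type RecipientQuota struct {
	Limit  int
	Window time.Duration
	used   map[string][]time.Time // one timestamp per recipient already accepted
}

func NewRecipientQuota(limit int, window time.Duration) *RecipientQuota {
	return &RecipientQuota{Limit: limit, Window: window, used: map[string][]time.Time{}}
}

// Remaining returns how many recipients the sender may still address at now,
// after dropping entries that have aged out of the window.
func (q *RecipientQuota) Remaining(sender string, now time.Time) int {
	live := q.used[sender][:0] // in-place filter; safe because writes never pass reads
	for _, t := range q.used[sender] {
		if now.Sub(t) < q.Window {
			live = append(live, t)
		}
	}
	q.used[sender] = live
	return q.Limit - len(live)
}

// Submit decides whether a message with the given recipient count may be
// sent. The message is accepted or refused as a whole: delivering to "the
// first few" recipients would silently drop mail the sender believes went out.
func (q *RecipientQuota) Submit(sender string, recipients int, now time.Time) bool {
	if recipients > q.Remaining(sender, now) {
		return false
	}
	for i := 0; i < recipients; i++ {
		q.used[sender] = append(q.used[sender], now)
	}
	return true
}

func main() {
	q := NewRecipientQuota(20, 24*time.Hour)
	t0 := time.Date(2003, 8, 25, 9, 0, 0, 0, time.UTC) // constructed timeline
	fmt.Println("15 recipients at 09:00:   ", q.Submit("alice@example.org", 15, t0))
	fmt.Println("10 more at 10:00:         ", q.Submit("alice@example.org", 10, t0.Add(time.Hour)))
	fmt.Println("5 more at 10:00:          ", q.Submit("alice@example.org", 5, t0.Add(time.Hour)))
	fmt.Println("20 at 11:00 the next day: ", q.Submit("alice@example.org", 20, t0.Add(26*time.Hour)))
	fmt.Println("bulk sender, 500 rcpts:   ", q.Submit("bulk@example.net", 500, t0))
}
```

The quota has to be keyed on something the submitting server can actually authenticate (an SMTP AUTH user, not the envelope sender), otherwise the worm-infected hosts and forged headers discussed elsewhere in this thread make the counter meaningless.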
Well.. take a look at the average slashdot user.
Now take a look at the average spammer.
In both cases we see people that happen to know how to use a computer, don't like to actually be productive, have inflated opinions of themselves and their own ideas, and are socially inept.
Hell, to be honest, I'm more surprised that non-spammers read slashdot.
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.
The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.
Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only they are going to be affected by an eventual DDOS, but not other users of the DRBL.
The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.
The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.
Authentication against spoofing and flood attempts is provided by the PGP signature.
The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
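The plumbing the post describes, as an added example that is not the poster's code: a verified update is turned into BIND records for the private zone, and a lookup answers the question an MTA asks a DNSBL. The PGP step is a caller-supplied function (a real check needs a keyring, so the placeholder here verifies nothing), and the zone name and update format are my assumptions.

```python
"""Zone generation and lookup for the private DNS-based RBL sketched above.
Added example, not code from the thread.  Signature checking is a caller-
supplied function (real PGP needs a keyring); 'drbl.example' is a placeholder."""
import ipaddress

ZONE = "drbl.example"
LISTED = "127.0.0.2"   # conventional "listed" answer for a DNSBL query
# Constructed sample of one posted update: '+ip reason' lists, '-ip' delists.
SAMPLE_UPDATE = "# batch 1\n+192.0.2.10 open relay\n+192.0.2.11\n-198.51.100.5\n"

def unsigned_verify(text):
    # Placeholder for the PGP check: swap in real verification before trust.
    return text

def reverse_ip(ip):
    """1.2.3.4 -> 4.3.2.1, the label order an MTA uses to query a DNSBL."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def parse_update(text, verify):
    """Return (adds: ip -> reason, removes: set of ip) from a verified update."""
    adds, removes = {}, set()
    for line in verify(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        op, rest = line[0], line[1:].split(None, 1)
        if op not in "+-" or not rest:
            raise ValueError("bad update line: %r" % line)
        ip = str(ipaddress.IPv4Address(rest[0]))   # reject garbage early
        if op == "+":
            adds[ip] = rest[1] if len(rest) > 1 else ""
        else:
            removes.add(ip)
    return adds, removes

def apply_update(listing, adds, removes):
    for ip in removes:
        listing.pop(ip, None)
    listing.update(adds)
    return listing

def zone_records(listing):
    """Render the listing as BIND resource records for the private zone."""
    lines = []
    for ip in sorted(listing, key=ipaddress.IPv4Address):
        name = "%s.%s." % (reverse_ip(ip), ZONE)
        lines.append("%s IN A %s" % (name, LISTED))
        lines.append('%s IN TXT "%s"' % (name, listing[ip].replace('"', "'")))
    return "\n".join(lines)

def load_zone(zone_text):
    # Index A records by owner name: a tiny stand-in for the BIND server.
    table = {}
    for line in zone_text.splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype == "A":
            table[owner] = rdata
    return table

def lookup(zone_table, client_ip):
    """What the MTA asks per connection: is <reversed-ip>.<zone> listed?"""
    return zone_table.get("%s.%s." % (reverse_ip(client_ip), ZONE))
```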
In the private sector (the internet is a network of PRIVATELY-OWNED NETWORKS), there is no place for a "justice system". Those network operators are perfectly allowed to BLOCK TRAFFIC THEY DON'T WANT FROM THEIR NETWORKS.
What part of MY NETWORK, MY RULES don't you get?
Google for "Joe Job".
As soon as the spammers are "booted" from the ISP the blocks magically disappear? While some may do this, it would really be stupid on the blacklist's part to not teach the ISP a lesson or to not wait to see if the ISP is lying. The time is there to penalize the ISP and to discourage them from claiming to have killed the spammer only to bring the spammer back the second the blocklist takes them off.
The DDoS attacks began in earnest about the time there was a shouting match between NANAE, the Usenet Group used by SPEWS, and another web site a few months ago.
I don't believe that the SoBig and MSBlaster and subsequent DDoS attacks were orchestrated by spammers, but I'll hold final judgement. It may still be true; however, I think that a few misguided morons connected to another web site decided to DDoS the blacklists, and that is what we're seeing now. Logically, I can't see spammers bringing more heat down upon themselves than they already have. DDoSing is not going to solve anything, just make the situation worse by shutting down ISPs and sites not involved in the controversy. Just a few days ago in Slashdot there was a story about a spammer from South Florida, including his home address, etc.
As I stated in my report naming the administrator/owner of SPEWS, "Spews No Longer Anonymous", I firmly believe that there are people capable of doing real physical harm to persons on the opposite side, and it is time for this to cease. I'm sure that the authorities are actively seeking the authors of SoBig and MSBlaster, I see one has been apprehended the other day, and once apprehended, their systems would be confiscated for evidence. Should any of those systems hold any DDoS software, that leaves the authorities no alternative but to pursue charges for obstruction of communications, in addition to the charges of authoring a malicious program.
I'm not as much interested in the fate of the blacklists as I am the spillover into the general Internet, and the safety of all concerned, regardless of position. In the long run, I want to see those that are causing the DDoSing to be brought to justice, and that there will be some real dialogue between the factions, rather than the comments I've seen so far from both sides, which in some extreme cases border on terroristic threats.
From "Spews No Longer Anonymous"
The primary reason I devoted my time to tracking down the Administrator of SPEWS was that I saw that if left unchecked, SPEWS would go further out of control. In recent months, SPEWS has managed to anger a good number of persons with the ability to mount a DDoS attack against both SPEWS and Osirusoft, a provider of the SPEWS blacklist. I saw this as an escalation that had an impact beyond the simple email blocks, and believe that in my bringing SPEWS into the light, SPEWS will cease publication of their blacklist, or face what is sure to be a large number of lawsuits by affected companies and individuals. It is well known that SPEWS kept their identity secret in order to avoid lawsuits, and with this revelation, they have no choice but to either act responsibly, or cease operations.
In going through the Usenet NANAE archives, I found many instances of thinly veiled threats by SPEWS supporters against alleged spammers and the "collateral damage" casualties, including one remark that "you're lucky no one has firebombed your NOC". I could see that if left as-is, there would most likely be real physical harm done to either an alleged spammer or SPEWS supporter, and this also motivated me to act to track down the owner of SPEWS.
Pete Carr Owner Chatmag.com
Do RBL's really get scanned per every client email received? I was under the impression that the RBL list was generated in realtime, but updated on client machines at specified intervals instead of realtime?
:-)
Of course, I could be wrong, so I'll look forward to being corrected (flamed) soon
Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here. What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal.
You're kidding, right? Bayesian filtering is far from perfect. I've used Mozilla's built-in bayesian filtering as well as Spambayes' far-more-effective filtering system. There are still many spam messages let through in both instances. And there are still occasionally false-positives as well.
The big problem with ANY filtering solution (including Bayesian) is that false-positives are lost email. Unless you filter to a folder and then look through EVERY message (which kind of defeats the purpose) you will outright lose any false-positive message... and neither you nor the sender will know about it.
A well-run blacklist stops the message from even being delivered to your server AND the sending server is made aware of this at message send time. Thus, the sender receives a bounce message, and will know that their mail didn't get through. Unlike with filtering, where the message just disappears.
I kind of hope they are sending viruses. While some people (and some politicians) can be convinced that spam is OK, there's pretty much universal agreement that viruses are unacceptable and illegal. It may also get increased cooperation from spam-nests such as China in shutting spammers down.
if the government has to get more deeply involved in fighting spam:
1) the government could take control of RBL administration (with set procedures for getting oneself off the list) and subsidize the use of commercial content delivery networks to distribute the RBL. Akamai, C&W Footprint, Speedera, Mirror Image or some combination of these or other CDN vendors would all be very viable. Can't imagine anyone being able to DDoS Akamai.
2) start charging to send email. The first, let's say 50 or 100 emails daily per individual would be free. Registered corporations would be higher. Emails after that would be a penny each? Email coming in from overseas ISPs would also be subject to charges at the border or be dropped. Alright, I admit, technologically this would be a nightmare to implement. But I still think some form of sender pays will have to be implemented so as to drive up the cost of business.
You are exactly right. Any ISP can do what they want and consequently, affect how likely they are to get customers. That's the great thing about a free market. It is still in everyone's best interest to promote fair blacklisting as that will promote higher connectivity in the internet. We didn't get to where we are today by blocking people from the network for no reason.
The internet IS no place for a justice system. But that doesn't mean that we can't use it as an evaluation metric to gauge the usefulness/desirability of our system.
You realize in the first line of his post he put "(with forged headers)" right?
Why not fork?
Threats like that are the reason why anonymous blacklists/blocklists should not exist.
Pete Carr Owner Chatmag.com
"My actions are not vengeance. No, not vengeance... Punishment."
Thus, the US would feel free to invade Spamodia to free the oppressed Spamodians from the evil Spammer overlords
I, for one, welcome our new Spammer overlords...
That was exactly my point. And yeah it was funny the postal pun, I didn't see that when I "posted" it. ;o)
But yeah, the spam problem ain't just the poor user with the MTA and an inbox with 90+ spam a day; when an ISP gets on a blacklist, say ORBS, then that's a 7 day slap. There is no decent explanation on how to fix open relays that goes in depth. And from what I learned in the last couple of days, even if they close the relay, there's still a possibility that spam can be sent out. Just telnet to bigfoot.com 25 and you can send mail anywhere you freaking want, yet THEY are not in ORBS, are they?
ORBS needs to help sysadmins plug the holes; that crap about "we don't say squat about how we test, set up a new server and submit it" is all a freaking bunch of crap.
And another thing.
There needs to be some SERIOUS how-to's for making sense out of headers. It's a fscking black art! Having to post it to USENET is a load of crap.
SMTP sucks.
We need something to replace it.
Or eventually there will be violence.
lateron
Jesus, who's the idiot with the +1, informative for this?
One, the link is broken.
Two, it just leads to a domain squatter.
"Oh look, it contains a link! +1!" Cretins...
This virus proves, one more time (for the millionth time), that spammers are an evil, unrepentant bunch of psychopaths - they will shirk from nothing in order to shove spam down our throats, and attack anything and anyone that could stop them.
So, in the face of this spammers' blatant endeavour, what is the level of interest of /. readers? Less than 180 comments. And very few moderations (which means, few reads). So if even the /. crowd is uninterested, how can we hope to awaken the masses from their slumber and meekness?
Sigged!
But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want? Sure, it gives them the power to shut down spam. But it also gives them the power to control what web sites their users can access. Or what their users can put on their own web sites. Now, if hardware is owned by a private company and all its users are employees who are supposed to be using the internet to do their jobs, I suppose you have to grant that company a large measure of control. But if we're talking about public ISPs, then we're talking about something very scary. These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.
A few years ago, there was a site called blackdeath.org that offended certain parties with its anti-Christian rants. Who demanded that their ISP pull the plug. When the ISP declined, they went to the ISP's backbone provider. Which happened to be owned by a major media company. Now, media companies are not fans of censorship, but they like offending people even less -- they might complain to the FCC, or worse, stop watching TV. So the backbone provider told the ISP to pull the plug on blackdeath.org, or else they'd lose their own internet service, and be forced out of business. Naturally they complied. Blackdeath.org went dark, briefly came back with a low-bandwidth provider, then finally disappeared forever.
This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine. And I'd look for solutions to the spam problem that emphasize individual, not central, control over network traffic.
I like to run sendmail on my cable modem. Don't give my ISP any ideas about blocking this port. They have screwed with me enough already (i.e. AT&T @Home blocking port 80).
I run OpenBSD, and I'd really rather not be punished for some Win32 idiot that opens every EXE in Outlook.
You do realize that Microsoft Office's file formats have not changed since Office 97 right? Six years, zero changes.
Not a problem at all. The people that I am thinking of post replies such as this one.
I won't even dignify that post with a reply. Obviously he didn't read my full post, explaining why I tracked down the admin/owner of SPEWS.
Pete Carr Owner Chatmag.com
My POP account comes with a WEB interface also. I pull up a browser, check all the junk (not downloaded) and delete them off the server. Then I open an e-mail client and send/receive the rest. I don't waste the bandwidth retrieving the junk. I only see the headers and attachment names. It's easy to keep a mailbox with a 10 Meg limit cleaned out.
Spam, delete before reading.
The truth shall set you free!
Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows
Spamhaus is definitely gonna be slashdotted.
Could a P2P defence be organised to block DDoS?
The anti-spam links could be spread across a P2P network ensuring no effective DDoS could be mounted?
I'll agree that when a whole group of people get blocked because one person in their IP range spammed, there is a problem. But the responsibility for there being a problem that escalates to more of the network being blacklisted belongs to that network administration for not having corrected the original spam problem that persists. Despite being blocked, spamming takes up resources. By being blocked it is a little less, but it is not zero. The goal is to get that spammer off the network. When the other users of that network refuse to pressure the network operator to fix the problem (often due to FUD and blame from the network operator, and ignorance by most users), they are just making things worse, not better. There is an intent behind expanded blocking and in many cases, the goals (get the ISP to clean up its act) have been accomplished.
I'm a lowly script-kiddie. I'm going to get {YourCompany} in trouble by spamming out "Buy {YourProduct} from {YourCompany} cheap!"
You get in trouble, even though you had nothing to do with it.
Wouldn't an anti-spam tactic be to hit them where it counts? What would it take to set up a distributed program that started hitting the sites the spammers are trying to promote and using up hordes of bandwidth? Eventually, if it cost them more than they made, wouldn't they stop?
"my ISP has found itself on one blacklist, and no matter what they're doing, they can't get off"- well, if they either didn't lease lines off RFC-ignorant companies, or behave as RFC-ignorant companies themselves, they wouldn't be in the hole they have dug for themselves and tipped their paying customers into after them.
They're a business: it's their job not to do business in a dumb way. You have an excuse: you're an ignorant customer. They don't.
You name the (person you believe is the) leader of Spews, but you won't even name the website they had a shouting match with?
You quote a "Spews supporter", but the words you quote aren't there in Google Groups. And then you go for the Spews leaders instead of the person making what you perceive to be a threat (not a threat against you!)
You name people who want to remain anonymous, which enables DDOS and other attacks on these people and claim that the attacks are Spews' fault for being so provocative.
If you don't like Spews then don't use their blacklist. Is that so hard to understand? It's an opt-in list. If you can't send mail to someone because of Spews then you can reflect that they would rather do without your mail than accept a lot of spam. Perhaps your mail just isn't that valuable. Perhaps it's spam? Perhaps your ISP is soft on spam and you need a new ISP with better access to the net.
If Spews had actually done anything illegal then they could be sued regardless of their anonymity. It worked fine for Earthlink when suing the (initially anonymous) Buffalo Spammer. Your outing has enabled illegal attacks, not legal ones.
Spam-supporting ISP, don't you understand? If you were really against spam you would call up your ISP Burst.net to complain about its spam support until they fix it, or you would leave and charge the cost to Burst.net for selling you a defective service.
Here is a short history lesson, the MAPS system did not operate in secret, and guess where they are now? They died due to the lawsuits made by spammers. Thus the runners of SPEWS want to be anonymous.
I say they are acting responsibly; if they operated the way you wanted, the ISP would just rotate their spammers and have no incentive to clean up their act. SPEWS is one system for those who don't feel like playing the whack-a-mole game.
...that's the beauty of the blocklist approach. it's fair, it's simple, the good prosper and the bad go under.
It won't work. The spammer can always have lower prices than you, because he lies about what he's selling.
For instance, everyone gets spams for "generic Viagra," but there isn't any such thing. Pfizer is the only company that manufactures the medication, and they don't make a cheap generic version. At best the spammers are buying the real thing, grinding it, and mixing it with filler, to stretch one pill into dozens or hundreds. At worst, they're just selling sugar pills. Either way it's illegal, and ineffective to boot.
Your company would either work honestly and lose out to the spammers on price, or duplicate their tactics and get shut down for fraud. (The spammers don't worry about getting closed, even if someone tracks them down, since they can open a "new" company just by changing the email address and PO Box.)