Spammer DDoS-By-Virus On spamhaus.org
McDutchie writes "Steve Linford of Spamhaus announced in a press release that the latest Wintel virus, W32/Mimail-E, was created by spammers for the specific purpose of DDoS'ing Spamhaus, Spamcop, and SPEWS. It's becoming more and more clear that the spambags are the ones behind the recent mess with the Windows viruses. They must really be getting desperate."
Hate to rain on your parade here, but SpamAssassin does use blocklists by default (as described in the FAQ). It is the existence of such blocklists that has forced certain major ISPs to stop writing "pink contracts" to known spammers and they are the only anti-spam measure that reduces the cost that ISPs have to bear in terms of mail-server storage and excess bandwidth that spam causes. Rest assured that the spam epidemic would be far worse without DNSBLs and the cost of Internet access far higher.
Whitelists may work for some people, but others may need to keep their inboxes open (e.g. vendor support).
Oh, puhhlleeeze:
Read the virus analysis before making untrue claims:
The worm sends a large amount of data to remote servers (port 80 and ICMP). The worm verifies that a connection is active by contacting www.google.com. If successful, an attack is initiated on the following domains:
* spews.org
* spamhaus.org
* spamcop.net
* www.spews.org
* www.spamhaus.org
* www.spamcop.net
signatures pending - ansa@kos.to - (dont mail there)
I've had a lot of luck spam killing with Popfile from http://popfile.sourceforge.net/ Works very well once the initial training is done and is handy for basic mail classification as well.
Seriously, if you want to reject stuff at SMTP time rather than accepting it then processing it, try using sa-exim (a freshmeat search will turn it up) - it fits into exim and rejects as soon as it's worked out it's spam - mid-DATA if need be.
Smegma.
These cyber-crimes should be addressed in the same way as any other (international crime). Your national law enforcement officers should track down the country of residence of the culprit and/or send out an international search warrant. Contrary to popular belief, 'overseas' isn't some backwards region whose citizens have barely discovered the abacus. In many countries, writing or distributing virii is a crime, as is executing DDOS attacks. Which is good, because it means law enforcement in those countries will generally assist in bringing these criminals to justice.
If you want to complain about nothing happening, complain to your local cybercops.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
If you use blocklists to block mail rather than score mail you have no idea if you are getting false positives (they aren't even accepted).
Of course this means that your users won't be able to complain about false positives.
What they don't see can't hurt you. Right?!
You should be very careful about using blocklists which you don't control to block mail.
Spamassassin has Bayesian filtering, in addition to the extensive ruleset it uses.
It can also optionally "autolearn", where decisions about what is spam based on existing knowledge can be used to provide automatic learning input for the Bayesian system for future emails.
May we never see th
While it is true that some DNSBLs block entire netblocks, those lists are used by the fewest people. There are a great many DNSBLs one can use to block mail, some are maintained better than others and most have different criteria for inclusion and removal. Use the ones that match your philosophical opinion of spam, don't use the ones that you feel are too extreme.
It's all about freedom of choice!
So don't use the extremist ones like SPEWS. There are plenty of other DNSBLs to choose from.
In a sane world, your response would be correct. Everyone could choose their own degree of filtering.
Unfortunately, that just isn't the case. I can't control the degree of filtering that happens at the company where I work, as I'm not a member of IT. Furthermore, I cannot control the degree of filtering that happens to other people that I need to send mail to from *their* IT departments.
ISPs aren't so bad on this front. Business IT departments are *awful*. CEOs get pissy about spam and frequently don't deal directly with other companies via email (voice messages are more personal and don't get archived, plus they may have secretaries do contacts for them). IT feels pressure to block spam, so they promptly take a heavy-handed approach. Blam, false positives.
IMO, in a business environment, a 2% false positive rate is unacceptable. You frequently cannot afford to have emails not go through. However, that is also when emails are frequently filtered the most harshly.
Anomy mailtools does this one better, stripping out malicious HTML like spam web bugs and such. I'm currently implementing it on my employer's mail servers: http://mailtools.anomy.net/.
It's not attacking several financial sites, just Fethard Finance.
.biz TLD has been regularly used by spammers, who use the zombie networks to host their websites and even DNS servers. I bet fethard.biz is run by someone who is sick and tired of getting the .biz domain thoroughly plonked by blocklists and complained either directly to the criminal spammers or the admins of the .biz TLD, and the spammers got word of that.
The
Proletariat of the world, unite to kill spammers.
The more painfully and slowly, the better.
In Soviet Russia, I ruled you
you are required to pay a small escrow fee as part of your ISP service fee, AND
if someone receives an e-mail from you and deems it as spam, then he clicks the appropriate button, AND
your escrow fee is charged *once per e-mail* and his is increased by the same amount.
The balance of the escrow fee would be refundable at any time, but accounts with a balance of 0 would be unable to send e-mails.
As I think through this, I can see several virtues:
1. The senders of spam would have to pay per offensive e-mail and would thus have strong incentive to stop.
2. Senders of legit e-mail would continue to have free or mostly free e-mail.
3. Those affected by spam would have immediate recourse and receive compensation for their time.
4. The spirit of the plan seems right: if you are going to waste my time with your spam, then you pay me for it. But if you are a friend, you get my time for free.
Does anyone see drawbacks to this plan? Perhaps increase in net traffic per e-mail sent, but that would presumably be offset by a substantial decrease in spam.
Human being (n.): A genetically human, genetically distinct, functioning organism.
1) SA uses blacklists, not blocklists.
Uhhh...same thing.
The behavior I find objectionable is the blocking of email based on IP. Providing notification to the user that the ISP thinks that email may be spam is not bad -- I can't see how it would be anything but good. SA does not (by default) *eat* email. It may mark it up.
Of course, each score contributes to the mail being rejected. You'd really rather have all the mail actually blocked by blacklist fail silently instead of giving you a 550 when you try to send?
2) I don't use said features of SA.
Hey, good for you. Mind if I ask why?
3) As I've posted elsewhere in the thread, there are better technical fixes (limiting amplification is a good, simple one) to attempting to keep network costs from being unacceptable. Conflating the problem of dealing with network costs on the server and the problem of avoiding wasted human time on the client is the major reason antispam folks have caused others so much pain.
Say...what? I can't even parse that. Are you trying to say in a roundabout way that "antispammers" have wasted end-users time? Given the amount of complaining end users do about spam, I don't think that argument holds up. Although the tactics we've had to use have matured and become more effective as time went on, the root cause is and always was spammers.
4) Vendor support shouldn't be automatically dropping questionable email *anyway*. All email originating from dialup IPs is decidedly not spam. It'd be pretty awful if someone sends out a question and then just doesn't get a response.
Most e-mail originating from dial-up IPs is spam. I don't know where you're running your mailserver or for whom but your experience seems to exactly contradict mine.
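The two points argued above (the earlier comment that blocklists should *score* mail rather than block on a single hit, and the reply that a hard rejection at SMTP time at least gives the sender a 550 instead of silently eating the mail) can be seen together in code. The following is an added example, not code from the thread or from any of the lists named in it: a DNSBL lookup with weighted scoring, a sanity check on each list before it is trusted, and a decision that either rejects in the SMTP session or accepts and tags. The per-list weights and thresholds are assumptions; the stub resolver and its answers are constructed so the example runs offline (real lists publish their own return codes and usage terms).

```python
"""DNSBL lookup with score-vs-block policy (added example, constructed data)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Assumed per-list weights; a site tunes these to its own false-positive tolerance.
# The first two zones are real lists named in the thread; the others are hypothetical.
DNSBL_WEIGHTS: Dict[str, float] = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 2.0,
    "dul.example.invalid": 1.0,      # hypothetical dial-up / dynamic-IP list
    "parked.example.invalid": 4.0,   # hypothetical dead list whose domain now wildcards
}

# Constructed stub DNS data (query name -> A records). Missing key == NXDOMAIN.
_STUB: Dict[str, List[str]] = {
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.2"],
    "4.3.2.1.bl.spamcop.net": ["127.0.0.2"],
    "8.7.6.5.dul.example.invalid": ["127.0.0.10"],
}
for _zone in DNSBL_WEIGHTS:
    # RFC 5782 test point: every DNSBL must list 127.0.0.2 and must not list 127.0.0.1.
    _STUB["2.0.0.127." + _zone] = ["127.0.0.2"]


def stub_resolve(name: str) -> List[str]:
    """Stand-in for a DNS A lookup; returns [] when the name does not exist."""
    if name.endswith(".parked.example.invalid"):
        return ["198.51.100.7"]  # wildcard answer for *every* name: a dead list
    return list(_STUB.get(name, []))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def list_is_sane(zone: str, resolve: Resolver) -> bool:
    """Refuse to trust a list that fails the RFC 5782 test points.

    A parked or wildcarded zone answers for 127.0.0.1 too, and would otherwise
    make every client look listed.
    """
    if resolve(dnsbl_query_name("127.0.0.1", zone)):
        return False
    answers = resolve(dnsbl_query_name("127.0.0.2", zone))
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)


def listed_codes(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the 127.0.0.x codes a list gives for ip, or [] if not listed."""
    if not list_is_sane(zone, resolve):
        return []
    answers = resolve(dnsbl_query_name(ip, zone))
    # Only loopback-range answers are real listings; anything else is ignored.
    return [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]


def score_sender(ip: str, resolve: Resolver = stub_resolve) -> Tuple[float, Dict[str, List[str]]]:
    """Sum the weights of every sane list that has the client IP listed."""
    score, hits = 0.0, {}
    for zone, weight in DNSBL_WEIGHTS.items():
        codes = listed_codes(ip, zone, resolve)
        if codes:
            hits[zone] = codes
            score += weight
    return score, hits


REJECT_AT = 5.0  # assumed: hard 550 in the SMTP session
TAG_AT = 2.0     # assumed: accept, but add a header the user can filter on


def smtp_decision(ip: str, resolve: Resolver = stub_resolve) -> Tuple[str, str]:
    """Decide what the MTA says to the connecting client for this IP."""
    score, hits = score_sender(ip, resolve)
    lists = ", ".join(sorted(hits))
    if score >= REJECT_AT:
        # Rejecting here means the sending MTA bounces: a false positive is visible.
        return "550", "5.7.1 Service unavailable; client %s listed in %s" % (ip, lists)
    if score >= TAG_AT:
        return "250", "X-DNSBL-Score: %.1f (%s)" % (score, lists)
    return "250", ""


if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(client, smtp_decision(client))
```

With the constructed data, 1.2.3.4 is on two lists and crosses the reject threshold, so it gets a 550 rather than being accepted and discarded; 5.6.7.8 is only on the low-weight dial-up list and is delivered untagged, which is the single-list false-positive case the scoring approach is meant to avoid. The parked zone carries a large weight but contributes nothing, because it fails the 127.0.0.1 test point and its non-loopback answers are not counted.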
Since the site is currently being slashdotted, here is a copy of the press release:
A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.Spamhaus.org. The W32.Mimail.D virus is the latest in a string of viruses, each one released by spammers for the purpose of creating a vast worldwide network of spam-sending machines and building an attack network consisting of hundreds of thousands of virus-infected zombie machines with which the spammers then attack anti-spam organizations.
W32.Mimail.D is designed to infect computers worldwide causing them to each begin making overwhelming amounts of bogus requests to Spamhaus.org's web server, www.spamhaus.org, and also attacks the web servers of www.spamcop.net and www.spews.org.
Spamhaus began coming under massive distributed Denial of Service (dDoS) attacks in July 2003, soon after the release of the SoBig.E virus and the Fizzer virus (W32.HLLW.Fizzer). In June Spamhaus stated that spammers had now moved from simple spamming through open proxies to actually manufacturing and sending out viruses to create a network of spam proxies, infecting hundreds of thousands of mainly home-user machines on broadband (ADSL) lines.
Fizzer (W32.Fizzer-A) in particular is a very wide-spread worm which spreads by emailing itself to contacts in Microsoft Outlook and Windows address books. The purpose of Fizzer is to install a miniature web server on which spammers then host typically "pills & porn" sites, an IRC backdoor, and a DoS attack tool specifically for attacking anti-spam organizations. In August and September 4 anti-spam systems were forced into closure under overwhelming dDoS attacks that hit them for weeks at a time.
Spamhaus itself was subjected to the same intense dDoS attacks for 3 months but survived thanks to its large distributed network capable of absorbing the attacks. Still, expecting more attacks, in mid September we moved the Spamhaus web site behind an anti-dDoS device known as iSecure supplied by Melior CyberWarefare Defence (www.ddos.com) and can therefore now withstand the waves of dDoS attacks.
From: http://www.spamhaus.org/news.lasso?article=13
My parents have an SBC DSL account and now I can't send them email from my server (admittedly hosted on a roadrunner cable modem) because they're blocking everything from 'dialups'.
Then relay your mail through your ISP's SMTP server and move on with life. Suddenly, everything works, and you still have control over your own mail server. This also offloads SMTP re-sends, etc, onto the ISP mail server, rather than your own, which is rather nice.
Quoting from the MAPS RBL website, with some emphasis added:
I don't see how a p2p network will work.
PJRC: Electronic Projects, 8051 Microcontroller Tools