Slashdot Mirror


UUNet Is The Number 1 Spam Host

An anonymous reader submits "Statistics for February have UUnet leading the Spamhaus top 10 worst Spam ISPs chart. The Register point out that ISPs like UUnet and Abovenet continue to host spammers despite advertising anti-spam AUPs." And the competition is probably wishing they had as much luck.

26 of 346 comments

  1. Re:Largest ISP? by Anonymous Coward · · Score: 5, Informative

    UU carries 50% of the US's total Internet traffic and 90% of its e-mail. It makes an easy target.

  2. Clue by Cranx · · Score: 5, Informative

    Spammers can sneak into even the most STRINGENT anti-spam ISP network. A stolen credit card that works only once gets a spammer an account that can deliver many thousands of letters before they're shut down. UUnet isn't spam-friendly any more than Rackspace is spam-friendly. Spam is going nowhere until good authentication techniques are implemented internet-wide.

    1. Re:Clue by eaolson · · Score: 4, Informative
      "Spammers can sneak into even the most STRINGENT anti-spam ISP network. A stolen credit card that works only once gets a spammer an account that can deliver many thousands of letters before they're shut down."
      The question isn't whether or not spammers get on the network. Any system that allows people to sign up automatically with a credit card is vulnerable to that. The question is whether or not UUnet is willing to do anything about a spammer once he's brought to their attention. Although some of the SBL records for UUnet appear to be out of date, some spammers dating back at least to April 2003 are still present on their network.
      "UUnet isn't spam-friendly any more than Rackspace is spam-friendly."
      It's amusing that you mention Rackspace. I understand they appear to be cleaning up recently, but previously, they were more than happy to host spammers, so long as they paid their bills.
      "Spam is going nowhere until good authentication techniques are implemented internet-wide."
      You'll excuse me if I don't hold my breath. IMHO, so long as there is a China, there will be spam. Until then, I'm going to keep using Spamcop and SPEWS.
    2. Re:Clue by Monkelectric · · Score: 4, Informative
      The problem with that statement is it's unqualified; when you see statements that say "more than ..." someone is trying to manipulate you.

      Here's why -- UUNET is a *HUGE* ISP; they have more spammers than anyone else because they're bigger than anyone else. What you need to know is if they have a higher spammer/customer or spammer/site ratio than usual.

      You always hear this same stuff about crime statistics. I just heard on the news that crime in California is down 50% and they were crediting the 3 strikes law. Of course it means nothing, because if you look at population statistics you'll find out that there's a dramatic drop in population of young people who statistically are most likely to commit crimes. So crime is occurring LESS (total number), but the crime rate is more or less the same.

      --

      Religion is a gateway psychosis. -- Dave Foley

    3. Re:Clue by LostCluster · · Score: 2, Informative

      The only thing that can truly take care of spam is a protocol for the provider upstream of a user to be able to revoke an e-mail that passed through them. It means moving to an e-mail system that doesn't trust home e-mail servers that don't pass through a trusted company anymore.

      Right now, any IP address holding computer has the ability to become a mail server, so any IP address holding computer has the ability to spew spam.

  3. UUNET is largely innocent by Dezsr5 · · Score: 4, Informative

    The reason UUNET is known as a facilitator of the largest amount of spam is that they are the largest ISP. And many of their customers have what is called an open relay. Since most UUNET customers send their outbound mail through mail.uu.net (UUNET's mail relay), spammers that find an open relay send email that looks as if it is coming from a UUNET customer (and UUNET's mail relay). This is a problem that UUNET tries to remedy, but educating an I-D-10-T customer (not to mention 10,000 customers) about his/their own mail server's open relaying capabilities is difficult to say the least. If a spammer tries to use UUNET's mail relays directly, it does not last long and eventually he is told to take his business elsewhere. The people that think that UUNET is using spammers to make more money are just plain ignorant.

  4. Re:Largest ISP? by ackthpt · · Score: 5, Informative
    "MCI was never WorldCom."

    Check again. When WorldCom filed for bankruptcy they changed the name back to MCI.

    --

    A feeling of having made the same mistake before: Deja Foobar
  5. Re:grasping for customers by clymere · · Score: 3, Informative

    I thought that UUnet was just a backbone? I know that my ISP is a small local cable company, and that in turn they get their connection from UUnet. I'm not sure that a regular home user can get an account there. And yes, it is by far the nation's largest ISP, this probably has something to do with the problem in more ways than one. It's the MS syndrome: if you are big enough, you're going to be the most-targeted for lots of malicious things. At the same time, being the biggest means not worrying as much about taking care of your customers: where else are they going to go?

    --
    once you go slack, you never go back
  6. Re:grasping for customers by Dezsr5 · · Score: 2, Informative

    This is just untrue. UUNET sets limits on the amount of email a customer sends out. If they want to send over that limit, they have to document why and confirm that the emails are actually wanted. If it is determined that someone is spamming they are warned once. Then their service is cut off and they are told to take their business elsewhere. The problem is open relays as I explained in my post lower down in the thread.

  7. I'm not seeing it... by chriskenrick · · Score: 4, Informative

    I run a report daily that tells me where my Bayesian-identified spam came from (IP address and host name via reverse lookup).

    Out of the approximately 16 daily reports in my inbox, only two addresses are uu.net. I'm seeing comcast.net (37 occurrences) and adelphia.net (29 occurrences) a lot more, by comparison.

  8. Re:Largest ISP? by JeremyALogan · · Score: 4, Informative
    "Could this probably be because UUNet in my understanding is one of the largest ISPs?"
    You are correct... they are North America's largest ISP. The problem lies in that, whether you realize it or not, you are probably one of their customers. Back in the day it was common for a company to buy one of their T1s (or T3s, or OC3s, or OC12s, or OC48s, or whatever), a couple phone lines/modems and WHOLLA... instant dial-up ISP. I'm not sure, but I wouldn't be surprised if this doesn't still go on (not everyone uses AOL and Earthlink, ya know). At my last job we had one of their T1 lines and, so far as I can tell, they didn't really care what we did with it. The only time we ever heard from them was when they couldn't ping our router and then it was just to make sure everything was okay.

    And yeah... why do they still use that name? They've been owned by MCI/Worldcom for years now... even says so on their front page.
  9. Re:Um, are these results weighted? by Jayjay75 · · Score: 4, Informative

    Did we RTFA?

    "UUNet hosts more spammers than any other ISP. It has 151 listings on the Spammers Block List (SBL), including 34 known spam gangs with ROKSO records, according to the anti-spam organisation Spamhaus' records for February 2004."

    They host 34 known professional hard-core spam-gangs. Size has nothing to do with it.

  10. I just block domains by KalvinB · · Score: 5, Informative

    Nearly all spams contain a link to somewhere. I just filter out the domains those links go to since no legitimate e-mail will contain a link to those domains. You also can't hide the destination of a link if you don't leave the harvesting solely up to an automated system.

    Takes care of most of the spam. And it costs spammers money every time they get a new domain so I can deal with what little spam gets through before the filter is updated. I've put hundreds of domains in my Mercury Mail filter which equals thousands of dollars worth of domains that are now useless for sending spam through my mail server. And it doesn't matter how distorted the header or body is. The domain can't be distorted or it won't work as a link.

    Ben
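
A sketch of the link-domain filtering described in the comment above, as an added example (not the poster's Mercury Mail filter). The blocklist entry, sample messages and function names are constructed for illustration; the spam sample hides its link behind quoted-printable soft line breaks, a decoy `user@` prefix and mixed case, and the filter still recovers the host the link resolves to.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def link_hosts(raw_message):
    """Return the set of hostnames that links in the message point to."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname    # drops user@ and port, lowercases
            except ValueError:                   # malformed URL: nothing to match
                continue
            if host:
                hosts.add(host.rstrip("."))
    return hosts


def is_blocked(host, blocklist):
    """True if host is a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def blocked_links(raw_message, blocklist):
    return sorted(h for h in link_hosts(raw_message) if is_blocked(h, blocklist))


# Constructed data: a one-entry blocklist and two sample messages.
BLOCKLIST = {"spam-shop.example"}

SPAM = (
    "From: offers@example.com\n"
    "Subject: special offer\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<p>Spe=\ncial offer</p>\n"
    "<a href=3D\"http://WWW.Example.COM@Offers.Spam-Shop.exam=\nple/buy\">here</a>\n"
)

HAM = (
    "From: list@example.org\n"
    "Subject: digest\n"
    "\n"
    "Archive: https://lists.example.org/archive/\n"
    "See also http://notspam-shop.example/\n"
)

if __name__ == "__main__":
    print(blocked_links(SPAM, BLOCKLIST))
    print(blocked_links(HAM, BLOCKLIST))
```

Matching on a dot-anchored suffix keeps `notspam-shop.example` from being caught by the `spam-shop.example` entry.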

  11. Re:This is a problem with all top-tier providers by legomad · · Score: 2, Informative

    Sounds like you have a shared T1/T3. I suggest getting a dedicated one.

  12. I've used grey listing.. by msimm · · Score: 4, Informative
    Although I'm not sure it's the project you've described: Tagged Message Delivery Agent (TMDA), from their site:
    TMDA is an open source software application designed to significantly reduce the amount of spam (Internet junk-mail) you receive. TMDA strives to be more effective, yet less time-consuming than traditional spam filters. TMDA can also be used as a general purpose local mail delivery agent to filter, sort, deliver and dispose of incoming mail.

    The technical countermeasures used by TMDA to thwart spam include:

    * whitelists: accept mail from known, trusted senders.

    * blacklists: refuse mail from undesired senders.

    * challenge/response: allows unknown senders which aren't on the whitelist or blacklist the chance to confirm that their message is legitimate (non-spam).

    * tagged addresses: special-purpose e-mail addresses such as time-dependent addresses, or addresses which only accept certain kinds of communication. These increase the transparency of TMDA for unknown senders by allowing them to safely circumvent the challenge/response system.
    I currently use bluebottle.com who just recently re-emerged after shutting their service down (citing DDOS attacks by spammers). Their service is basically what the TMDA site describes with a nice setup and a few extra features. It's a free service so if you're thinking about trying something like this out, this is the one. I personally am not a fan of filter and to date this is my favorite option. Stuff that I need gets in.
    --
    Quack, quack.
  13. Re:how about blacklisting until they clean up by jonesvery · · Score: 2, Informative
    "[...] it holds an email and doesn't tell the sender's server if it was successful or not [timeout] then waits for the sender's server to try again and since most spammers use a mass-mailing program that uses a "take it or leave it" tactic, it catches most spam."

    Link to more information here, just to make sure that people don't get the wrong idea: a greylisting server will respond to all attempted deliveries from unknown sources with an RFC-compliant deferral, which should cause the sending MTA to queue the message for later delivery. The theory here is that most spam (as well as viruses) is sent by crap software which doesn't understand how to attempt a true "retry." No retry on a deferred message, no delivery for messages from the sending server.

    I don't recall having seen any data on effectiveness -- would be interested in hearing from anyone actually using this approach in the wild.

    --

    * * *
    It is a dada story -- it has no moral.
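
The deferral-and-retry behaviour described in the comment above, as an added example (not code from the thread or from any greylisting project). It assumes sources are tracked by the (client IP, envelope sender, envelope recipient) triplet and uses made-up timing values; the senders are constructed.

```python
from dataclasses import dataclass, field

# Assumed policy values for this sketch; real deployments tune them.
MIN_DELAY = 300             # a retry sooner than this is still deferred
RETRY_WINDOW = 4 * 3600     # a first retry later than this starts over
PASS_LIFETIME = 30 * 86400  # how long a source that retried stays known

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    # (ip, sender, recipient) -> (first_seen, last_accepted or None)
    seen: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        entry = self.seen.get(key)
        if entry is not None:
            first_seen, accepted = entry
            if accepted is not None and now - accepted <= PASS_LIFETIME:
                self.seen[key] = (first_seen, now)   # known source: refresh
                return ACCEPT
            if accepted is None and now - first_seen <= RETRY_WINDOW:
                if now - first_seen < MIN_DELAY:
                    return DEFER                     # retried too quickly
                self.seen[key] = (first_seen, now)   # a genuine queued retry
                return ACCEPT
        # Unknown source, or an old entry that expired: start the clock.
        self.seen[key] = (now, None)
        return DEFER


def deliver(greylist, source, attempts):
    """Try delivery at each time in `attempts`; return the time it was
    accepted, or None if the sender ran out of attempts."""
    for now in attempts:
        if greylist.check(*source, now=now) == ACCEPT:
            return now
    return None


# Constructed senders (documentation addresses, not real traffic).
QUEUEING_MTA = ("192.0.2.10", "alice@example.org", "bob@example.net")
BULK_MAILER = ("198.51.100.7", "offers@example.com", "bob@example.net")

if __name__ == "__main__":
    gl = Greylist()
    print(deliver(gl, QUEUEING_MTA, [0, 60, 900, 3600]))  # retries from its queue
    print(deliver(gl, BULK_MAILER, [0]))                  # one shot, no retry
    print(deliver(gl, QUEUEING_MTA, [5000]))              # already known source
```

The cost to legitimate mail is the delay on the first message from a new source; later messages from the same triplet are accepted at once.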

  14. Re:Spam doesn't matter to me by cuban321 · · Score: 2, Informative

    My experience is that Thunderbird's spam filter is unfinished (as it is an alpha product). Spambayes catches 99% of all spam for me. It's proven better than even spamassassin. It will even work with Thunderbird.

    Daniel

  15. Re:Your sig by ceejayoz · · Score: 2, Informative

    In the couple weeks I've had this sig, I have yet to receive a single troll mod.

    So, no, not going to change my sig, as it quite nicely explains my feelings for both Bush and Kerry.

  16. Re:grasping for customers by slash-tard · · Score: 2, Informative

    Just FYI, UUnet is now owned by MCI. UUnet/MCI also have a large amount of dial-up (modem) POPs, which is resold through other companies and used by end users. They also offer DSL in some markets.

    All of this is in addition to them being the largest backbone.

  17. Re:Largest ISP? by slash-tard · · Score: 5, Informative

    The MCI / UUnet thing is mostly internal politics but also a little bit business related. You can get 2 internet circuits or 2 frame relay connections from the company and have it go over 2 different networks for diversity. One would run on the MCI network, the other would run on the UUnet network. This gear is supposed to be completely separate.

    Also they don't monitor your traffic, can you imagine the logs that would create? They only contact you about spam (or whatever else) if someone complains to them about something coming from your IPs.

  18. It's worth noting... by signe · · Score: 4, Informative


    I know they're not anyone's favorite company, but it's worth noting that AOL is not anywhere on the top 10 list. Not so many years ago (less than 5), they used to top that list most of the time, and the rest of the time they were in the top 3 (not necc. Spamhaus's list, but Spamcop's definitely, back when they meant something).

    Having been involved in the work, I can tell you that AOL was one of the first, if not the first, large ISP to implement tagging of outbound email with the true email address of the sender, regardless of whether or not they put it in there (the X-Apparently-From header that AOL inserted). Also close to the first, or the first, to implement outbound filtering of email for spam. When the second one was put into place, I watched the ranking and saw AOL drop from #1 to nowhere on the top 10.

    -Todd

    --
    "The details of my life are quite inconsequential..."
  19. Re:Slashdotting spam domains ... by Jerf · · Score: 4, Informative

    Your post advocates a

    (X) technical ( ) legislative ( ) market-based (X) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    (X) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    (X) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    (X) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (X) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (X) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    (X) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (X) Dishonesty on the part of spammers themselves
    (X) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    (X) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!


    (Yes, it's pulled from here. The meta-point is, if we're going to progress in the war on spam we need to move past the solutions that have been proposed a million times with obvious holes in them. Either that, or face the possibility that the system we have now is already optimal.

    Primary justification of the above snarky copy&paste job is that this patently obvious scheme has a patently obvious DDoS scheme built into it, left as an exercise for the reader.)

  20. Re:Spam doesn't matter to me by Czmyt · · Score: 2, Informative

    Yes, true, but I think it's possible to throw away the stuff that is most definitely spam (SpamAssassin score of 10+), leaving just the very likely spam messages (SpamAssassin score from 5 to 10) for you to check occasionally in your Spam folder. Personally, I throw away anything that's 6+ and move the 4-6 stuff into a Spam folder for end-of-the-day review.

  21. Re:Do they use stolen credit cards regularly? by elemental23 · · Score: 3, Informative

    You'd be surprised. I work in the abuse department of a large ISP and we see spammers setting up throw-away accounts with unique stolen credit card numbers daily. Spammers are no longer just sending bulk e-mail; now they also frequently traffic in stolen CC numbers and create viruses that install proxy servers on home users' Windows machines for the purpose of covering their tracks.

    I guess they figure the reward is worth the risk. Plus they're stupid.

    --
    I like my women like my coffee... pale and bitter.
  22. Re:How to stop spam. by laymil · · Score: 2, Informative

    That is essentially what I was trying to say. A lot of connections via UUNET are made without an ISP relationship - so even though they own the block of IPs, etc - it's not their responsibility.

  23. Already happening by TekGoNos · · Score: 2, Informative

    My ISP is blocking all outgoing port 25 connections.

    More and more ISPs force this onto their home users and render the Internet less usable.
    Granted, it gives them a little more control over the email traffic - it has to go through *their* mail-server, so they can set more precise rules (limit the number of emails per minute or so) - but it also limits my freedom to do with my connection what I want.

    And this only because some idiots catch some Windows malware and turn into zombies.

    Why am I pissed off? Sounds like a good idea?
    Yeah, except that their SysAdmins, that don't trust me, aren't good enough to keep their own mailserver running. And if I have to wait 1 hour to get my mail sent, just because they prevent me from delivering it myself, I'm pissed.
    And I really liked to read my error logs to find out instantly if there are problems with an email instead of waiting 2 days till my ISP sends me a "I've tried several times and still wasn't able to deliver it" message.

    Finally, I don't like the whole "let's protect our stupid lusers from themselves" strategy.
    Educate them, instead of putting them in a cotton wool cage.

    --
    I have discovered a truly remarkable proof for my post which this sig is too small to contain.