Giving Your Greytrapping a Helping Hand

← Back to Stories (view on slashdot.org)

Giving Your Greytrapping a Helping Hand

Posted by timothy on Sunday March 22, 2009 @08:36AM from the longing-for-more-actual-violence dept.

Peter N. M. Hansteen writes "Some spam houses have invested in real mail servers now, meaning that they are able to get past greylisting and even content filtering. Recently Peter Hansteen found himself resorting to active greytrapping to put some spammers in their place. The article also contains a list of spam houses' snail mail addresses in case you want to tour their sites."

109 comments

Min score:

Reason:

Sort:

Couldn't you just blacklist those servers? by interstellar_donkey · 2009-03-22 08:45 · Score: 3, Insightful

It just seems like it'd be easier now to find out the spam mail servers and block everything that comes from them.

--
The Internet is generally stupid
1. Re:Couldn't you just blacklist those servers? by Anonymous Coward · 2009-03-22 08:54 · Score: 0, Insightful
  
  Or everyone could just abandon email and move to using facebook to communicate.
  Oh, that already happened.
2. Re:Couldn't you just blacklist those servers? by Jurily · 2009-03-22 08:56 · Score: 1, Insightful
  
  Your post advocates a
  You know what, fill it out yourself.
3. Re:Couldn't you just blacklist those servers? by Nursie · 2009-03-22 09:01 · Score: 1
  
  Yeah, you would have thought that it would get into spamhaus pretty quickly and then RBL blocked like anything else.
4. Re:Couldn't you just blacklist those servers? by JoshuaZ · 2009-03-22 09:07 · Score: 1
  
  They are likely not keeping these servers indefinitely but renting them temporarily which makes this not a viable long-term solution.
5. Re:Couldn't you just blacklist those servers? by noidentity · 2009-03-22 09:08 · Score: 2, Informative
  
  Your post involves a knee-jerk response. The original poster wasn't proposing a spam solution, merely asking whether dedicated spam servers would make it easier to simply blacklist them.
6. Re:Couldn't you just blacklist those servers? by gmuslera · 2009-03-22 09:11 · Score: 2, Insightful
  
  They are likely not keeping these servers indefinitely but renting them temporarily which makes this not a viable long-term solution.
  For the ones renting them servers.
7. Re:Couldn't you just blacklist those servers? by KiloByte · 2009-03-22 09:28 · Score: 3, Funny
  
  Sure, if you run a spam server, please mail me at aaron@angband.pl (or, if you sort it the other way, zeke@angband.pl). Don't use these addresses otherwise. Thanks.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
8. Re:Couldn't you just blacklist those servers? by FooAtWFU · 2009-03-22 09:39 · Score: 4, Insightful
  
  This is the point where we send you Gmail invites and suddenly you've blocked Gmail.
  
  --
  The World Wide Web is dying. Soon, we shall have only the Internet.
9. Re:Couldn't you just blacklist those servers? by KiloByte · 2009-03-22 10:01 · Score: 3, Interesting
  
  Unlike the guy in TFA (who blocks the sender for 24 hours), I only assign some points in SpamAssassin.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
10. Re:Couldn't you just blacklist those servers? by Antique+Geekmeister · 2009-03-22 10:26 · Score: 1
  
  The knee-jerk is justified. The issues of botnetes used to send spam have been addressed here, repeatedly. And the issues of "legitimate" spam companies using forged SMTP information and co-located serves, worldwide, date back to the first commercial spam enterprises such as Canter&Siegel.
11. Re:Couldn't you just blacklist those servers? by JoshuaZ · 2009-03-22 11:23 · Score: 2, Insightful
  
  And are we not to expect that anyone renting servers has to check in advance that the people aren't spammers and if they mess up at all then they lose their entire business? How is that either just or practical?
12. Re:Couldn't you just blacklist those servers? by russotto · 2009-03-22 12:15 · Score: 1
  
  It just seems like it'd be easier now to find out the spam mail servers and block everything that comes from them.
  That's what he did. He just did it in an automated way by feeding the spammers addresses which, when used, would cause the automatic blacklisting of the host which used them.
13. Re:Couldn't you just blacklist those servers? by dgatwood · 2009-03-22 12:20 · Score: 1
  
  If the companies are not complicit, they will yank the server offline the moment they get a couple of spam complaints from the recipient. That usually translates to about 3-5 minutes after their client sends me spam. It takes about that long for me to do the whois lookup of their ISP and compose an appropriately worded email message.... Thus, it is unlikely that spammers will pay for real servers unless the hosting providers are well aware of what is going on and merely do not care.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
14. Re:Couldn't you just blacklist those servers? by Nursie · 2009-03-22 13:41 · Score: 3, Informative
  
  If you rent servers to people that spam me, then you lose the ability to email me until I here you've sorted your act out.
  It's that simple. And it has to be.
15. Re:Couldn't you just blacklist those servers? by Anonymous Coward · 2009-03-23 01:58 · Score: 0
  
  You would think so, but it seems like Spamhaus isn't always keeping pace with the spammers. Take, for example, this SBL entry: SBL74156
  It was added on March 23rd. However, looking through my mail logs, they started spamming us all the way back on March 11th. So unless I set the greylisting period to 12 days, greylisting+Spamhaus is insufficient.
  I do appreciate what Spamhaus does, and the XBL especially cuts out a lot of the spam I receive, but there's a lot that falls through the cracks.
16. Re:Couldn't you just blacklist those servers? by sgt+scrub · 2009-03-23 02:49 · Score: 1
  
  I think multiple MX domains on a single relay is the issue. If your site is hosted, run (unix/linux) host -t MX yourdomain.com. This will show you what your mail servers are. Now do that for someone else using the same hosting site. Every hosted site using that company will, typically, have the same response. Some ISPs create an alias so the MX request returns your domain but not many. Even the ones that do cheap out and use one ip address.
  
  --
  Having to work for a living is the root of all evil.
17. Re:Couldn't you just blacklist those servers? by Asic+Eng · 2009-03-23 03:23 · Score: 1
  
  Well the only long-term solution I've heard about is this: http://www.deekoo.net/peeves/spam/spammers/premiere/index2.htm Mind you, that's not a legal solution. However if you ever get too much spam, I recommend looking at that site - it sure helps you to relax.
18. Re:Couldn't you just blacklist those servers? by Lord+of+Hyphens · 2009-03-23 04:28 · Score: 1
  
  And you haven't pre-assembled 4-5 form letters and a couple scripts that parse the whois and send a complaint letter?
  
  --
  "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
19. Re:Couldn't you just blacklist those servers? by Lord+of+Hyphens · 2009-03-23 04:31 · Score: 2, Informative
  
  A quick note, turn off page styles if you're going to read that -- the background+text color combination is atrocious.
  
  --
  "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
20. Re:Couldn't you just blacklist those servers? by dgatwood · 2009-03-23 04:49 · Score: 1
  
  Obviously the company should confirm that the complaints are legitimate, but that usually doesn't take long.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
21. Re:Couldn't you just blacklist those servers? by Onymous+Coward · 2009-03-23 21:10 · Score: 1
  
  The SBL is a slow-to-add list, and well it should be -- it's manual. They get to do some sleuthing that digs up more than automated systems typically do.
  And it's only one of three Spamhaus lists. You make no mention of whether the IP showed up on the XBL or the PBL.
  Anyway, it's pretty widely understood that you need more than a DNSBL or two with greylisting to catch "everything". Together they do indeed catch a lot. But I can't imagine why you might try to use just XBL+greylisting as a complete anti-spam solution.
  For a week:
  4281 total connects: 90.79% rejected (or dropped), 9.20% delivered. (Unknown quantity nolisted.)
  Of 394 delivered: 1.77% spam.
  For the rejects: 41% bad HELO name, 35% XBL, 12% greylisting, 10% bad destination address, 1% spamcop DNSBL.
  Together Spamhaus and greylisting account for half my blocks. That's worth keeping.
22. Re:Couldn't you just blacklist those servers? by jonadab · 2009-03-24 02:41 · Score: 1
  
  > It just seems like it'd be easier now to find out the spam mail servers and block everything that comes from them.
  They migrate from IP address to IP address too often for that. Apparently some ISPs will just hand you a different Class A block every couple of weeks, no questions asked, as long as you're paying your bill. This has been common in APNIC space at least since the late nineties.
  And then there are the botnets.
  
  --
  Cut that out, or I will ship you to Norilsk in a box.
Um, by Darkness404 · 2009-03-22 08:55 · Score: 2, Interesting

Um, how much spam does the average /.er even get per day? I have gotten exactly one spam message that has made it past Gmail's spam filtering this year (2009) and it was quick and easy to delete. I don't give my e-mail address out to everyone, but I do sign up to many things with it yet still it is very rare for spam to make it to even my spam filter. So is spam really that large of problem in 2009?

--
Taxation is legalized theft, no more, no less.
1. Re:Um, by tepples · 2009-03-22 08:58 · Score: 4, Insightful
  
  So is spam really that large of problem in 2009?
  It's Gmail's problem. The cost of filtering spam means Google has to put more ads on your messages and, if Gmail becomes unprofitable, possibly even terminate free Gmail.
2. Re:Um, by neiltrodden · 2009-03-22 08:59 · Score: 1
  
  They aren't targeting these emails at your average /.er though.
3. Re:Um, by corsec67 · 2009-03-22 08:59 · Score: 2, Informative
  
  Just because you don't see doesn't mean that Google doesn't have to invest a large amount of resources to process spam, in terms of storage, network transfer, and CPU overhead.
  
  --
  If I have nothing to hide, don't search me
4. Re:Um, by Anonymous Coward · 2009-03-22 09:04 · Score: 2, Informative
  
  I wouldn't say that spam is a problem for the savy and those behind a properly configured server. But as a system admin for several area businesses, they would find themselves swimming in spam without proper filtering. Thankfully Spamassassin coupled with Vipul's Razor gives results comparable to Gmail's spam filter.
5. Re:Um, by dirvine · 2009-03-22 09:05 · Score: 1
  
  Is this spam sending not illegal in the USA? I see many of these addresses as located there, surely a quick federal related visit is warranted.
  Surely these illegal activities can escalate or be backed by some pretty unscrupulous folks, seems like a good start to go get them now.
6. Re:Um, by TheOtherChimeraTwin · 2009-03-22 09:07 · Score: 5, Funny
  
  how much spam does the average /.er even get per day? I have gotten exactly one spam message that has made it past Gmail's spam filtering
  Wow. I remember when the average /.er was running their own mail server. Let me tell you kids, those where the days! The world economy was strong, and I didn't have to have cat food for dinner.
7. Re:Um, by chimpo13 · 2009-03-22 09:09 · Score: 3, Interesting
  
  I've seen an increase in spam that has made it past my gmail spambox in the last week, but I get several thousand spams a day so it's not a big deal.
  I used to allow any email that shows up to the domains that I have, and I'd get way more spam. It's weird that 3,000 spams a day is slow since it's not like I go out signing up for stuff but I also don't hide my email.
  I still get actual email that gets filtered as spam which sucks, but I put up with it since gmail works about 99.5% of the time. I wonder how many legit emails I've had that people think I ignored since I didn't respond.
  
  --
  riding round the world on an old motorcycle
8. Re:Um, by Idiomatick · 2009-03-22 09:10 · Score: 2, Interesting
  
  Talking about costs. Spamming isn't free if you are running your own servers. And it is high risk. But as GP said spam never gets through gmail. One would think that the scrupulous spammer would not bother spamming gmail anyways. There is no benefit to doing so unless you just hate google and are using a lame form of ddos.
9. Re:Um, by noidentity · 2009-03-22 09:13 · Score: 4, Insightful
  
  I have gotten exactly one spam message that has made it past Gmail's spam filtering this year (2009) and it was quick and easy to delete. I don't give my e-mail address out to everyone, but I do sign up to many things with it yet still it is very rare for spam to make it to even my spam filter. So is spam really that large of problem in 2009?
  I have seen exactly one malware on my machine that my virus scanner picked up and it was quick and easy to delete. I don't leave all my machine's ports open, but I do leave several vulnerable ones open yet it is still very rare for any of the malware's operation to be noticeable to me. So is malware really that large of a problem in 2009?
10. Re:Um, by Runaway1956 · 2009-03-22 09:38 · Score: 1
  
  I never count my spam. I've gotten a huge increase in spam, recently. At least 6 pieces since January 1st, maybe 10 pieces. I dunno if I carelessly filled in the wrong form somewhere, or what, but man, it's killing me. ;) Like yourself, I just marked them as spam on my gmail account, and I haven't seen any of them again. :-)
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
11. Re:Um, by Anonymous Coward · 2009-03-22 09:57 · Score: 3, Funny
  
  "The world economy was strong, and I didn't have to have cat food for dinner."
  I miss mom's cooking too.
12. Re:Um, by dberstein · 2009-03-22 10:04 · Score: 2, Informative
  I run my own mail server(s) and actually the number of spams I get is quite low with a daily average of 0.75 spams per day. That's down from ~20 spams a day before I enabled gray listing, RBL on my MTA and HELO restrictions.
  There 0.75 spam/day emails are detected by my MUA's spam filter, meaning I tend to never have a spam email in my inbox!
  You can find good/reliable VPS'es from $10/mo. that'll allow you to:
  
  Run your own DNS servers.
  
  Run your own SMTP/IMAP/POP servers (Postfix/Dovecote make a great combo).
  
  Run your own web server.
  
  Practice/learn sysadmin skills.
  
  No lock-in to any vendor.
  
  I rather pay for my own VPS than pay Google for a freaking email account and/or their App Engine.
13. Re:Um, by cibyr · 2009-03-22 10:37 · Score: 3, Informative
  
  I rather pay for my own VPS than pay Google for a freaking email account and/or their App Engine.
  Except google apps "Standard edition" is free. And it's pretty much all you'd need unless you're a largish business. Pretty much the only difference is you get a mere 5GB (of which I'm using something like 200MB) instead of 25GB per mailbox, a limit of something like 50 users, and you don't get their mobile access and migration tools. You get SMTP/IMAP/POP and the best webmail interface there is :)
  
  --
  It's not exactly rocket surgery.
14. Re:Um, by Anonymous Coward · 2009-03-22 10:59 · Score: 0
  
  yeah, I'd suggest moving more towards deer food. Cat food can get you in trouble when your neighbors start noticing the disapearnce of their pets.
15. Re:Um, by dberstein · 2009-03-22 11:54 · Score: 2, Interesting
  
  Webmail as your primary MUA?! Are you kidding me?
  I guess that's like saying skateboarding should be your primary transportation vehicle. Some people do it I suppose, but is it the best idea?
  Get your own infrastructure and access your emails as you wish, like for example mutt on a remote terminal, or webmail (squirrelmail), or in any mobile IMAP client (my iPhone works great).
  What about backups? What if tomorrow they change the policy of old/archived message?
  I do have a couple of gmail accounts, but those are mostly for redundancy and seldom used by me.
16. Re:Um, by johnjones · 2009-03-22 12:12 · Score: 1
  
  they (google) are not so wonderful for bussiness stuff for personal stuff I like them but they seem to put a lot of bussiness email in the bucket...
  oh well try explaining that to the CEO "well google trains the software not us"
  exit stage left
17. Re:Um, by Nursie · 2009-03-22 13:44 · Score: 1
  
  "Wow. I remember when the average /.er was running their own mail server."
  Hi there. I'm still here!
  I also have a friend who runs a couple. Gmail is for suckers that don't mind giving away their data and don't have the balls to do it themselves.
  I get minimal spam (about 1 a day maybe?) after setting up postfix to check headers, check spf and ask spamhaus.
18. Re:Um, by maxume · 2009-03-22 14:44 · Score: 1
  
  Gmail does imap. It supports iphone. You can backup using imap.
  There are still plenty of reasons for someone to run their own server, but "I need imap" isn't a strong one.
  
  --
  Nerd rage is the funniest rage.
19. Re:Um, by wvmarle · 2009-03-22 15:29 · Score: 1
  
  You mean you left the basement already and for good?
20. Re:Um, by Anonymous Coward · 2009-03-22 23:58 · Score: 0
  
  You mean you left the basement already and for good?
  No, my mother's dead, you insensitive clod!
  I'm renting out the upstairs to cover costs.
21. Re:Um, by geminidomino · 2009-03-23 00:08 · Score: 2, Funny
  
  One would think that the scrupulous spammer would not bother spamming gmail anyways.
  This message brought to you by Microsoft Works(TM).
22. Re:Um, by sgt+scrub · 2009-03-23 03:08 · Score: 1
  
  So you don't give out your email address unless it is to sign up for stuff? I would say you are a good reason why google's spam filter is so well tuned :-p
  
  --
  Having to work for a living is the root of all evil.
23. Re:Um, by Anonymous Coward · 2009-03-23 03:21 · Score: 0
  
  I'm convinced that spammers are just not that bright. Fortunately for them there are plenty of dumber people with small penises out there to support them.
24. Re:Um, by cptdondo · 2009-03-23 03:24 · Score: 1
  
  I've had the same email address since 1994. I get about a thousand a day; some days it peaks at several hundred an hour.
  Spam shows no signs of going away.
  With Greylisting, SA, and dspam I get about 99% rejection rate. Still, about 10-20 get through a day.
25. Re:Um, by Anonymous Coward · 2009-03-23 04:37 · Score: 0
  
  http://www.symantec.com/business/security_response/landing/spam/index.jsp
26. Re:Um, by Deagol · 2009-03-23 04:38 · Score: 1
  
  $10/month? Please, *please* name names.
  The only one I know of is prgmr.com -- but they don't do FreeBSD, which is what I'd prefer.
  
  --
  Method of processing duck feet
27. Re:Um, by dberstein · 2009-03-23 05:26 · Score: 1
  
  I've been happy with http://cheapvps.co.uk/ (Xen).
  FreeBSD VPS I don't know, I've always used Linux ones (Debian in particular).
28. Re:Um, by GMFTatsujin · 2009-03-23 05:45 · Score: 1
  
  Gmail's not so bad. It's even useful for professional purposes. For me, a Gmail account is good just to give to the outside world during job interviews.
  It seemed more respectable, if not just easier, to say "me at gmail dot com." My other email address, which I actually use a lot, has a weird domain name that raised too many eyebrows, despite how personal and clever I think it is.
  My infrastructure was set up when I had other professional goals in mind. I didn't want to have to rejigger it all for marketing purposes. Not when there was a simple, reputable, free alternative.
  My job interview hits went up when I had an easy email account to give out. Gmail was a handy service to have when I wanted to remove obstacles to communication.
29. Re:Um, by zero1101 · 2009-03-23 07:15 · Score: 1
  
  I can't speak for anyone else, but I stopped running my own mail server when free webmail services got as fast, convenient, and effective at blocking spam. There's no real benefit to running my own server that outweighs the administration effort at this point.
30. Re:Um, by Mike+Van+Pelt · 2009-03-23 11:50 · Score: 1
  
  Spam rarely gets through gmail. A little does.
  Unfortunately, good mail gets caught in gmail's spam trap. Its false positive rate would be utterly unacceptable, except addresses on your contact list get through, and you can set "if it matches this pattern, never spam trap" filters, which help with some mailing lists I'm on that often trip Gmail's spam filter, but still, just today there were two legit emails in the trap that I'd really hate to have missed.
  Why they were trapped, I have no idea; they did not look at all 'spammy'.
  So I still have to look at the contents of the spam trap regularly looking for legit email that was improperly blocked, which means the spam continues to be a horrible nuisance.
  I much prefer the trap at a small ISP I use. Spam in the trap is sorted by spam score, so I don't have to look at all the spam, just the lower-scored stuff. The reason Gmail can't do this is obvious, alas. (Well, they could, but it would be providing way too much information to the enemy.)
Dynamic Dolphin?? by azav · 2009-03-22 08:59 · Score: 2, Interesting

I seem to remember reading about a convicted spammer who created Dynamic Dolphin in Broomfield, Colorado. Does anyone else remember who this asshole was? I would not be surprised if he started the whole thing.

--
- Zav - Imagine a Beowulf cluster of insensitive clods...
1. Re:Dynamic Dolphin?? by wmbetts · 2009-03-22 09:09 · Score: 3, Informative
  
  His name is Scott Richter.
  
  --
  "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
2. Re:Dynamic Dolphin?? by azav · 2009-03-22 13:41 · Score: 1
  
  Ahhh yes, Snotty Scotty. Why is this man still alive?
  
  --
  - Zav - Imagine a Beowulf cluster of insensitive clods...
3. Re:Dynamic Dolphin?? by geminidomino · 2009-03-23 00:11 · Score: 1
  
  Because it's illegal to kill him. Only reason.
More self-promotion on Slashdot... thanks! by macraig · 2009-03-22 09:16 · Score: 1

Not that there was ever really anything more than a facade of impartiality at Slashdot, but thanks a bunch for tossing even that facade in the dumpster.
This twit even writes about himself in the third person in an attempt to disguise his self-promotion; disgusting.
Wow! by Anonymous Coward · 2009-03-22 09:17 · Score: 1, Funny

From TFA:

Dynamic Dolphin Privacy Protect
5023 W 120th Ave #233
Broomfield
null,80020
Hey, I used to live in null! Had to leave though, there was nothing to do.
Grey-trapping by goombah99 · 2009-03-22 09:18 · Score: 4, Informative

I was not clear on the definition of grey-trapping. It is the process of providing decoy e-mail addresses that are discoverable by harvesters but not by ordinary humans. When mail arrives at the destination of a decoy, the sender IP address is then added to the spam filter of the receiver.
Basically sort of a honey pot approach.
So you might ask why can't ISPS do this at the ISP level rather than the user level? Make it opt-in, white-listable, etc..
The problem is what happens when some reputable sender get's on the list.
FOr example, Joe Spammer takes his address list and does a sing-up operation to Yahoo for all the addresses. Now the Yahoo registration server then does not automatically enroll them but still it sends an e-mail to every one of the e-mail addresses. some of which are the decoys.
so Yahoo gets grey-listed by the ISP.
I would think this attack would also foul up every grey-list in existance as well. So I don't actually understand how grey-listing works.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Grey-trapping by Anonymous Coward · 2009-03-22 09:35 · Score: 3, Interesting
  
  The problem is what happens when some reputable sender get's on the list.
  I mentioned this to Mr. Hansteen a while back on usenet, warning him about putting his greytraps (and spamtraps) in public view on his webpages. All it takes for a legitimate sender to be listed with him, is one single newsletter signup with one of his traps.
  Even though the trap will never respond, the sender will nevertheless have to send a message to the trap to attempt to verify the signup. Apparently, his list protects quite a lot of accounts, and he cannot whitelist everything ...
  I never got a decent reply. I'm not sure what Mr. Hansteen's goal is, other than researching for its own sake and performing some good old sub-optimization of questionable value in the process.
2. Re:Grey-trapping by Erwin-42 · 2009-03-22 19:49 · Score: 1
  
  The ISPs are using this approach, it's called a "spamtrap". If you look at the spamcop reports for an IP or SNDS data from Microsoft you can see the number of spamtrap hits. This does not blacklist the sender right away, but it does increase their spamscore.
  I think your Yahoo situation is unlikely -- I'm sure Yahoo has some rate limiting/captcha/etc. in place to prevent someone to sign up thousands of accounts programmatically.
Sounds familiar. by khasim · 2009-03-22 10:16 · Score: 2, Interesting

I was using something similar. The trick is to identify the ISP mail servers. Usually by some naming convention of the ISP ... but in some cases you have to just wait for a complaint to come when they get blacklisted. I solved part of that by sending the rejection list to the recipients at times so they could check it.
Meanwhile, greylisting is completely different.
Greylisting means that any new "triplet" (recipient name + sender's name + sending IP address) is TEMPORARILY rejected for X minutes. This is because many spammers were using zombie machines that would not try to resend the message OR would keep trying with different sender's names. Legitimate senders and email servers would (MOST OF THE TIME) be able to handle the delay and the message would get through. All future messages with that "triplet" would be received without delay.
1. Re:Sounds familiar. by wvmarle · 2009-03-22 15:27 · Score: 1
  
  I have the feeling that this grey-trapping is in combination with grey-listing. The honey pot e-mail server presumably uses greylisting by itself: it is as I understand meant to be the same server as that handles your regular mail.
  So only mails that pass the greylisting will be trapped, so that are mails, presumably spam, that pass the greylisting and are sent from a real mailserver.
  Those servers you want to trap and blacklist.
  Now the problem arises indeed when junk is being sent through legitimate servers, in my case that is a very real problem as many Chinese webmail services are used by spammers, and by customers of mine as well. So I don't want to blacklist them.
  The handful of mails that makes it through greylisting and spamassassin I can deal with manually. I used to get about 300 spam a day, greylisting takes care of the first 280, then spamassassin takes care of another 16 or so, and the last four well I can handle. I do have the strong feeling though that spamassassin is less accurate at detecting spam coming through real mail servers, probably because there are no/less obviously faked headers as well.
Yawn. Antispam is a commodity purchase now. by CFD339 · 2009-03-22 10:32 · Score: 4, Informative

At one time I invested a few weeks time into building a heuristic antispam filter. One of the principles I used was very similar to this (there were many others).
I came to the conclusion pretty quickly that in the game of anti-spam, the larger the email pool you have, the more efficient your heuristic tools can be. Once I proved that to myself, I went looking for who was doing the best job using the techniques I decided worked best, and routed my mail through them.
Its cheap, effective, and gets the spam off my network bandwidth. Even if you do a perfect job yourself, you're still paying for the traffic. That's a waste by itself.
If you're so worried about privacy, get yourself an appliance that uses the same principles as the services (like postini, etc.). Either way, antispam is no longer a business for the individual.

--
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Content filtering? by martin-boundary · 2009-03-22 11:27 · Score: 3, Interesting

How does "investing in real servers" let the mail through content filtering? Last time I checked, a content filter reads the *contents* of the mail (ie not the envelope or the header, hence the name). The spammers can buy servers until they're blue in the face, that won't make a blind bit of difference to the outcome in that case.
I want to trap a Grey by Oktober+Sunset · 2009-03-22 11:39 · Score: 1

Damn, I thought this was going to be about ways to construct a better snare for catching the aliens.

So far my pit trap has only caught a few squirrels, but I'll get one of those little alien bastards one day. And then we'll see how he likes being anally probed. SQUEAL PIGGY!! YEEHAW!!

--
What if Tetris was invented by Nazis?
1. Re:I want to trap a Grey by PopeRatzo · 2009-03-22 13:01 · Score: 1
  
  They're not "aliens" so much as home invaders.
  
  --
  You are welcome on my lawn.
Re:Yawn. Antispam is a commodity purchase now. by Gerald · 2009-03-22 11:43 · Score: 3, Informative

Seconded. My email addresses tend to be old, public, and static. This means they get a ton of spam. It's not worth the time and effort of handling anti-spam in-house when Postini can do an equivalent or better job at a reasonable price.
Switching to Postini also freed up a ton of RAM and CPU on our hosted servers.
Re:Content filtering ? exactly and add DKIM... by johnjones · 2009-03-22 12:17 · Score: 1

exactly combine this with DKIM and a external reputation system....
(looking at ones navel is fascinating but knowing what other people this is spam is a good idea)
regards
John Jones
www.johnjones.me.uk
Re:Give your COCK-AND-BALLS a "hand" by PopeRatzo · 2009-03-22 12:58 · Score: 3, Interesting

I did my best to resist the impulse to stop browsing these comments at -1 because I had too often found interesting comments that had been modded down for the wrong reasons.
I guess I won't be able to do that any more, because I get too sad when I see how much energy some people expend in hatred of gays and blacks. Say, maybe we could filter comments by more than just the number? I wouldn't mind being able to see "-1 Flamebait" because often you find insightful comments that have been modded down by committed astroturfers, but "-1 Offtopic" (which my own comment here is, by the way) could get filtered out. Or how about a "-1 Racist/Sexist Asshole" moderation choice?
Where's the suggestion box here at Slashdot, anyway?

--
You are welcome on my lawn.
Final Solution by PopeRatzo · 2009-03-22 13:00 · Score: 4, Interesting

The article also contains a list of spam houses' snail mail addresses in case you want to tour their sites.
Can we "tour" those sites with molotov cocktails and pipe bombs?

--
You are welcome on my lawn.
1. Re:Final Solution by anonymous+cowshed · 2009-03-22 21:17 · Score: 1
  
  Someone should tour them with a lawyer and sue the parasites. How much time & money is spent on spam blocking, they should repay it. It's shameful that they are all in the US too.
2. Re:Final Solution by Hillgiant · 2009-03-23 05:24 · Score: 1
  
  Dust off and nuke the site from orbit. It's the only way to be sure.
  
  --
  -
Re:Give your COCK-AND-BALLS a "hand" by Miseph · 2009-03-22 14:45 · Score: 3, Informative

You are able to do all sorts of wacky things with moderation effects. Just make all moderation other than off-topic have no effect on rating, and browse at 0. Presto chango, "-1, off-topic" goes away and everything else gets to stay.

--
Try not to take me more seriously than I take myself.
Stats by coryking · 2009-03-22 18:05 · Score: 3, Informative

For every single message you are getting, google is probably filtering out at least a hundred.
My own mail servers, tiny in comparison, get about a connection every second. 98% of those connections are rejected out of hand (bad HELO, fucked reverse DNS, residential IP address, bullshit brute-forced email address, etc) and of that remaining 2%, half is legitimate email. Which means for every hundred connections, one is legitimate. So 1% of all our mail traffic as legitimate. 1%.
In other words, you have no clue at all how fucking bad spam is. It is bad. Really bad.
1. Re:Stats by leromarinvit · 2009-03-23 09:05 · Score: 1
  
  I must be doing something wrong then. I run my own mail server too, and I get maybe 3-5 attempts at relaying a mail to somewhere else per day, and maybe one or two spam attempts per day. Some of which are filtered by SPF or reverse DNS checks, the rest is up to dspam to catch.
  
  --
  Proud member of the Ferengi Socialist Party.
The problem with that is by coryking · 2009-03-22 18:12 · Score: 0, Troll

You'll turn into SPEWs, or SORBS, or whoever those assholes are.
Start blacklisting ISP's who rent them servers, and soon enough You'll have blacklisted pretty much half the internet. Most of them are innocent too.
Vengeance blacklisting is for assholes. I once had a netblock land in SPEW's snare and rather than try to get de-listed, I just emailed the managers and sales people of the company who refused our email. I figured if I went over the power-tripping asshole running the mail server and went to somebody who understood how much legit email they probably losing, maybe the asshole mail dude would get fired.
Hope he did get fired too. You can blacklist whoever you want in your basement computer, but it is a whole different story when the company you work for starts rejecting corporate mail based on spite-lists like SPEWs or whatever you are suggesting.
1. Re:The problem with that is by N1AK · 2009-03-22 22:11 · Score: 1
  
  Your points not that informative, and simply referring to mail admins who are trying to minimise spam mail to there users as assholes a dozen times won't change that.
  
  Firstly, who says these people were talking about a corporate environment anyway? Secondly, when they blacklist emails there are other options than simply destroying all mail that reaches your domain. I have seen a number of setups which simply respond to 'spam' email with an email explaining the reason for the rejection and a phone number to contact to get your domain cleared.
2. Re:The problem with that is by sgt+scrub · 2009-03-23 03:03 · Score: 1
  
  Most of us "assholes" use metrics to make those kinds of decisions. From there it is easy to show the dumber ups how much spam is originating from specific sources and get them to agree on the +2 to spam score. Road Runner comes to mind (99.3% Jan08-Mar09). So does fdcservers (100% Jan08-Dec08). If you find anything other than open relays, proxy sites, or malware on fdcservers your doing good.
  
  --
  Having to work for a living is the root of all evil.
3. Re:The problem with that is by coryking · 2009-03-23 03:15 · Score: 1, Troll
  
  Okay. Fair enough. There are exceptions.
  I'm bitter because the now defunct SWEWs were overzealous assholes who cast a giant net. Our tiny /26 got caught when our upstreams /16 got blocked for whatever reason. We only had a couple clients get their shit rejected--and in those cases our client knew the recipients personally, I just had them call the recipient to inform them they had an idiot running their mail server.
  The people using things like SPEWs to block mail traffic were not thinking like you are. They are either hoping for a quick fix or are on some kind of vigilante mission. The former can be educated by letting them know how much legit shit they've blocked. The latter are hopeless and as I said a few times, it is easier to let the higher-ups know what the deal is.
  If you've got the stats to back it up, that is a whole different ball of wax. If I was in your list, I probably has doing some serious shit. I do the same thing only with comment spammers that have IPs of open proxies. As long as you have the metrics to back things up in the off-chance you do block a little legit traffic, life is cool. But you gotta have the metrics, which means you gotta thing. People who use spite-lists aren't thinking, and that is the problem.
Thats fine with me by coryking · 2009-03-22 18:18 · Score: 0, Troll

Cause I'll just email your manager and the sales guy who didn't get my customers email and hopefully you'll be fired.
Playing email games like that with your own personal mail server is fine. Doing it on a corporate network isn't. And nothing makes me more happy then sicking pissed off sales guys and managers in your company after you. It is far easier to get your manager or sales staff to force you to remove that blacklist then it is to deal with with the assholes like you or the guys running the RBL. The only legit RBL's are places like Spamhaus who have automated ways to remove yourself from their automated list. I have no problems with those lists because botnets will not remove themselves from the list, but legit people just follow the link in the bounce and are removed immediately. Anything else, I try to get assholes who use the list fired from their company.
1. Re:Thats fine with me by Nursie · 2009-03-23 00:09 · Score: 3, Informative
  
  "Cause I'll just email your manager and the sales guy who didn't get my customers email and hopefully you'll be fired."
  I'll be fired because I blocked email from an IP address in your range that's set up to fire spam at people?
  No, I don't think so, in fact I can advise the sales guys and management that anything coming from that IP address is likely to be fraudulent anyway. Check who you rent servers to, and check their activity, or lose the ability for that IP address to mail my servers until I'm happy you've got your act together. The end.
2. Re:Thats fine with me by coryking · 2009-03-23 02:59 · Score: 0, Troll
  
  Except you'd be wrong because we aren't spammers and dont have any on our network. "You" are just an overzealous sysadmin who blocked legit email that was meant for your sales staff.
3. Re:Thats fine with me by Nursie · 2009-03-23 04:00 · Score: 2
  
  "Except you'd be wrong because we aren't spammers and dont have any on our network. "You" are just an overzealous sysadmin who blocked legit email that was meant for your sales staff."
  Why have I blocked you in response to spam then?
  What the hell are you even fucking well talking about at this point?
  I propose to block a host I receive spam from until I receive some sort of assurance that it's not spamming any more. Why are you so angry about this?
4. Re:Thats fine with me by Anonymous Coward · 2009-03-23 10:38 · Score: 0
  
  Well, I don't know what he's talking about, but here's what I've seen happen, a lot.
  User "Ftard" in China starts spamming with a spoofed return IP, and a bogus return address which matches the mail server at the spoofed IP.
  Spammed server "Monkey" begins to backscatter to the spoofed IP "bystander", which simply drops the backscatter.
  Admin "Rtard" who runs "Monkey" proceeds to blacklist "bystander". "bystander" server admin calls you and you tell him to stop spamming. Since he's not spamming, he can't stop.
  
  I propose to block a host I receive spam from until I receive some sort of assurance that it's not spamming any more.
  That is understandable, and reasonable. However, I would add that upon request, you also be willing to prove both the origin AND content of the messages to be spam. I can't count how many times I've had to tell people "Look, just because you don't want email from your credit card or bank doesn't make it spam. You signed an agreement that they could email you."
  In addition, think about someone running a hosting company. They might have 20 different customers all sourcing from the same IP but different domains. By blacklisting just the IP, you're actually shutting down multiple other email providers who haven't been spamming you.
5. Re:Thats fine with me by Nursie · 2009-03-23 23:25 · Score: 1
  
  "User "Ftard" in China starts spamming with a spoofed return IP, and a bogus return address which matches the mail server at the spoofed IP."
  Well unless Ftard is using an open proxy, which I'm quite happy to block too (this is sadly not 1990 any more), then his TCP/IP session has to come from somewhere and that's going to be more reliable an indicator of where it came from than the return address. Never bother looking at the return address on spam.
  "However, I would add that upon request, you also be willing to prove both the origin AND content of the messages to be spam."
  Ch34p V1@gr4 !! Ph4rm4cy 4 U!
  I think that's usually proof enough.
  "In addition, think about someone running a hosting company. They might have 20 different customers all sourcing from the same IP but different domains. By blacklisting just the IP, you're actually shutting down multiple other email providers who haven't been spamming you."
  Sure, but in this case it's either allowing spam to get through and try to filter it by content, or a little collateral damage.
  I prefer the latter because it has consequences. spamUall.com rents space on one of these and starts to get the IP blacklisted. Other customers start having problems and contact El Cheapo ISP to do something about it. Spammer gets kicked, El Cheapo might be more careful who they rent to next time. If they aren't more careful then the other customers find another provider because El Cheapo keep getting blocked.
Except it sucks by coryking · 2009-03-22 18:26 · Score: 2, Interesting

IMAP is flaky and slow. It is a hack to map googles lack of folders onto IMAP's idea of folders.
It is a bitch for an administrator. There is no good way for an admin to setup email forwarding accounts--yeah, the user can do it, but you have to create an account for them and they have to do it, you cannot!. Their concept of distribution lists suck. You cannot change somebodies email address without creating a new account. I could go on but I wont.
Basically, for a business, using Google apps sucks. The only thing it has for it is the webmail interface. But integrating "real" mail programs with it sucks.
Bottom line is Google apps is 100% lock-in. It does thing in its own unique way and does not integrate with anything else worth a damn.
Pretty much my experiance as well by coryking · 2009-03-22 18:32 · Score: 3, Interesting

Just switched a client to google mail for business (really, what is it called? Google Apps? Google Mail? huh) and have heard nothing but complaints. The "gmail" thing gets email that never shows up in their imap folder, their imap folder gets stuff that disappears from their gmail thing.
Attachments work funny.
If you delete message from a "thread" in gmail, it will delete every "send" and "reply" message in the whole damn thread and thus nukes all of it in Outlook. If you nuke a single message in IMAP, it fucks up how gmail handles the thread.
All kinds of things. Their thole thing is great, but the minute you want to use a "real" mail program on top of it (like most businesses I know), trouble brews and shit just doesn't work the way you'd expect. There was a reason Google took so long to add IMAP support--their whole damn system works like no other email program. I bet they had to basically hack the whole damn thing to work like a "real" mail system IMAP was designed for. Basically, using them is a horrible form of lock-in.
Now I have to move them back to a "real" mail system this coming week so their life can work as it always did.
1. Re:Pretty much my experiance as well by KGBear · 2009-03-23 06:13 · Score: 1
  
  Sorry, but Gmail is not the problem here. Outlook is. I find it hilarious that you think Outlook is a "real" mail program. Outlook is a MS Exchange client and very good at that. But it is a lousy client for anything else. We have all sorts of users here (state university) and the Outlook users are constantly whining about IMAP, so much so that now they just don't even try it anymore. They just have decided "IMAP sucks" and they all just POP. Meanwhile the people using Thunderbird, Apple Mail, Eudora, Netscape Mail (yes, there are some of those. No, really.), heck, even Pine use IMAP with no problem at all. If you want to know about "real" mail programs, try something other than Outlook and take the time to learn -- say, Thunderbird -- properly. You'll be amazed.
2. Re:Pretty much my experiance as well by Mr.+Slippery · 2009-03-24 06:34 · Score: 1
  
  They just have decided "IMAP sucks" and they all just POP.
  
  Well, IMAP does suck. Silly idea. Why do I want my old mail hanging around on the server, where I can't grep it, and a bored admin can poke around in it? POP your mail off the server and store it locally.
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
3. Re:Pretty much my experiance as well by KGBear · 2009-03-24 06:45 · Score: 1
  
  Be that as it may, it doesn't change the fact that there are many MUAs that have no problems with IMAP while Outlook constantly chokes on it.
  There are many reasons why you'd leave messages on the server. You may want to get to them from different computers in different parts of the world and you wan to use your MUA of choice; or you want to ride with the server backups; or your server, sitting behind a locked door, is more secure than your laptop, which could be stolen taking all your e-mail history with it... I'll stop here but there are many others.
4. Re:Pretty much my experiance as well by Mr.+Slippery · 2009-03-24 07:25 · Score: 1
  
  Be that as it may, it doesn't change the fact that there are many MUAs that have no problems with IMAP while Outlook constantly chokes on it.
  Sure. IMAP is mild suckage and I generally recommend against it for tech-savvy users, but Outlook is Pure Concentrated Evil that must be cleansed from the face of the earth with atomic fire...
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
Easy by coryking · 2009-03-22 18:41 · Score: 3, Insightful

Because it is cheaper in terms of bandwidth and CPU to first reject email based on things other than content. For example, you can quickly weed out about 85% of all spam traffic by just rejecting assholes who use mail-formed HELO's or don't have proper DNS. Filtering based on simple things like that dont eat your CPU and are very effective*. You can also weed out a bunch of trash by simply blocking residentail IP addresses using Spamhaus**. Greylisting will nuke about 10% of the rest, leaving you with 5% for content filtering.
If spammers buy "real servers" it means they aren't sending you bullshit headers with funky smelling DNS. It means they will eat into your CPU budget because you now have to fall back on content filtering. You dont want to do content filtering. You want to have spammers strike out because they aren't acting like real mail servers. 85% of spam comes from shit that acts nothing like a legit mail server.
* If you your EHLO doesn't match your reverse DNS record, say HELO to a disconnect. If AOL and Yahoo are doing it, I'll do it too. Cause if you don't have it configured the way the big-boys like it, you have worse problems then me rejecting your email...
** whose list of residential IP's are provided by the carriers themselves, not a bunch of spiteful assholes like SPEW's. And if you insist on running some SMTP server at home, you can de-block yourself automatically by visiting their website. Plus I'm pretty sure the bigboys use this list as well, so again, if I block your email, AOL and Yahoo are blocking it too.
1. Re:Easy by chrysrobyn · 2009-03-23 02:36 · Score: 1
  
  list of residential IP's are provided by the carriers themselves
  Where do I get this list?
2. Re:Easy by coryking · 2009-03-23 03:33 · Score: 1
  
  PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.
  Spamhaus PBL
  That list will block a good hunk of botnet spam before it ever gets past HELO.
RBN by mgcarley · 2009-03-22 22:24 · Score: 1

Ethics aside, has anyone thought of hiring the RBN to SPAM/DDoS these people? (Just to annoy them)
Fight fire with... Vodka... In Soviet Russia, fire fights you! (Sorry, had to be said).

--
Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
what's greytrapping? by Uzik2 · 2009-03-23 00:24 · Score: 1

and why is it different than greylisting? Why did these guys feel the need to make up a new name for the something they're copying from someone else?

--
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
this is an idiotic by nimbius · 2009-03-23 00:31 · Score: 2, Interesting

and unsustainable practice. just because jacksauce saw some AOL ips spam him with subscription notices doesnt mean the return addresses actually map to real people, or the intended effort was prankish in nature. it could simply have been designed to manually harvest emails, all part of a botnetted script.

this guys out of touch. real people, the ones you hope for revenge, dont exist anymore in the spam world. if the problem becomes pronounced enough your spam filters should be able to generate a report of the offending subnets and allow you to blacklist them. problem solved.

--
Good people go to bed earlier.
Gmail is a goldmine by coryking · 2009-03-23 03:18 · Score: 1

I'm sure it is well worth a spammers time to at least try their luck spamming google. After all, the hard part isn't getting a list of addresses--you just spam a-zzzzzzzzzzz@gmail.com. The hard part is getting past their filter and if you can be the only spammer to gets it right, you win at being a spammer.
But yeah, something tells me spamming google from a real server would result in getting blocked pretty quickly.
Stupid spammers.
A proposal: Solicited Bulk Realtime List (SBRL) by Khopesh · 2009-03-23 05:32 · Score: 2, Interesting

I've actually proposed something very similar to this before, called a Solicited Bulk Realtime List, which would be an elaborate DNSBL-style spamtrap whose purpose is determining which lists play fair (no-unsubscribe vs opt-out vs opt-in vs confirmed-opt-in) regardless of solicitations. Such an index would enable users to safely unsubscribe, and perhaps more importantly, its widespread adoption would force all "list" emailers, be they spammers or not, to better implement subscription management.
SBRL would also enable the ability for a filter to set a threshold for new list mail. Let's say I completely block any "list" mail that the SBRL can't confirm unsusbscribe works, and then I count a day's incoming confirmed-opt-in emails plus twice the number of the remaining emails (opt-in/opt-out). Anything over my threshold gets digested just like a mailman list with the digest feature (a collection of all of them that came in over the day) rather than direct delivery.
An IT-grade implementation could have new addresses start at a high threshold (e.g. 10) and then lessen by one per business day until it hits the default threshold, e.g. 3.

--
Use my userscript to add story images to Slashdot. There's no going back.
Re:Yawn. Antispam is a commodity purchase now. by Mike+Van+Pelt · 2009-03-23 12:00 · Score: 1

How is Postini doing with false positives these days?
We had them at a medium-sized company I used to work for a few years ago, and it was a huge help, but some of the marketing people had a terrible time getting email from some sources they wanted that Postini was deciding was "blatant spam", and dropping without putting it in the quarantine.
Yeah, none of that email was anything that I would want, or probably you either, but the marketroids thought it was pretty important.
Some of the other providers have better efficacy these days. I'd name names, but plugging the company I work for now would probably be considered spamming.
Re:Yawn. Antispam is a commodity purchase now. by CFD339 · 2009-03-25 07:16 · Score: 1

Postini provides 3 levels of detection:
Believed to be valid mail - This gets delivered. Of the hundreds of spams I get daily, a few fairly innocuous ones do get through. I am not diligent about forwarding these to postini to report them.
High Probability Spam - This is the nasty, obvious spam that's fairly easy to detect. Its the vast majority of spam. I've got postini set to not even both showing these to me in my daily block list.
Probably-Spam - Postini holds these, and sends me an email every day at a specified time with a list and links. I get between 10 and 20 of these in a day. The overwhelming majority are spam and can be ignore. One or two in a day are not spam, but most of these are from sites that send out bulk mail -- vendors with reciepts, social sites with notifications, stuff like that. Almost never is a personal note or one to one business email caught in that trap. With two clicks I get those delivered.
Overall, I'm extremely happy with the service.
Yes, I know it has privacy issues. I've decided that with my mail (at least these accounts) this is acceptable to me.

--
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln