Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fighting "Snowshoe" Spam

Posted by Soulskill on from the involves-neither-scissors-nor-hungry-wolves dept.

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."

65 of 85 comments (clear)

  1. Snowshoe? by Brian+Gordon · · Score: 2, Insightful

    Whoever keeps naming things with these slightly-plausible analogies, please stop.

    1. Re:Snowshoe? by rhook · · Score: 1

      More like renaming, spammers have been using infected machines as proxies for years.

    2. Re:Snowshoe? by djupedal · · Score: 3, Funny

      Would you prefer: u e d a m IP a d i o t a t v b f

      unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters.

      Snowshoe: spam not ordinarily wanted sent hourly occupying email

    3. Re:Snowshoe? by Korbeau · · Score: 1

      Do you prefer yellow-snow spam? :)

    4. Re:Snowshoe? by martin-boundary · · Score: 3, Insightful

      wish all the PCs that have bots running on them would just blowup.. or like the good ole day viruses; just wipe out the drives.. .eeh..

      Blame Evolution. A virus that messes too much with the host PC has a low survival rate. The most successful viruses don't do too much damage, as that keeps them a low priority with AV software, and don't cripple the infection vectors, as that helps them spread, and aren't too OS specific, as that allows them to tolerate service packs and software upgrades.

    5. Re:Snowshoe? by darkpixel2k · · Score: 1

      A virus that messes too much with the host PC has a low survival rate.

      You're making me want to read The Andromeda Strain again. (Read the book, the movie is meh!)

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    6. Re:Snowshoe? by religious+freak · · Score: 2, Insightful

      I like to complain about stupid Internet names as much as the next person, but I actually like the name. It's descriptive without being cutesy and isn't nearly as stupid as something like "twitpocalypse" or even "cookie"

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    7. Re:Snowshoe? by MichaelSmith · · Score: 1

      A virus that messes too much with the host PC has a low survival rate.

      You're making me want to read The Andromeda Strain again. (Read the book, the movie is meh!)

      The other night at my wife's mothers place there was this crummy telemovie on. I nearly had a fit. It was a remake of The Andromeda Strain. You know, that original movie isn't so bad....

      (this line left intentionally blank).

      --
      http://michaelsmith.id.au
    8. Re:Snowshoe? by ozmanjusri · · Score: 4, Funny
      Blame Evolution.

      Evolution?

      More likely Outlook and the colander-like OS it runs on.

      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:Snowshoe? by Hurricane78 · · Score: 1

      So viruses are evolutionary winning against most of humanity. It was clear to me, that some day we would create life that would take over the world, but that it would happen this way...

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    10. Re:Snowshoe? by Dragonslicer · · Score: 1

      Blame Evolution.

      You mean Intelligent Design!

      </joke>

    11. Re:Snowshoe? by darkpixel2k · · Score: 1

      The other night at my wife's mothers place there was this crummy telemovie on. I nearly had a fit. It was a remake of The Andromeda Strain. You know, that original movie isn't so bad....

      (this line left intentionally blank).

      Yeah--I should have clarified. The book is awesome. The old 1970ish movie is great, the current movie was remade so the entire point was environmentalist garbage.

      If I want to get preached at, I'll go to church--not a movie theater.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    12. Re:Snowshoe? by jonadab · · Score: 3, Informative

      > unsolicited email distributed across many IPs and domains
      > in order to avoid triggering volume-based filters.

      I hereby propose we just call it "spam" and have done.

      I mean, seriously, is anybody really still worried about the old-fashioned kind of spam that was sent back in the early nineties, going out from one mail server with one IP for months on end, using an actual valid return email address from an actual valid domain owned by the senders? Have you *received* any of that lately?

      I haven't. Near as I can tell, *all* modern spam is sent by a collection of nodes distributed across many IPs on many subnets and randomly generates a new forged sender address for each message. We don't need a special name specifically for spam that's sent like that. If you just say "spam", that communicates the whole idea. Everybody who has been paying attention knows that it's sent in the described fashion these days.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  2. I represent that! by Anonymous Coward · · Score: 5, Informative

    As a Canadian I figured I'd better look that up.

    http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233

    Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming uses many frequently-changing IP addresses, domains and aliases to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Snowshoers use many fictitious business names (DBAs), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build their brand reputation based on a real business address, a known domain and a small permanent range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

    Some showshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.

    1. Re:I represent that! by Anonymous Coward · · Score: 1, Insightful

      This isn't going to be popular, but its true...

      The thing is, what exactly is a 'legitimate mailer'? Defined by US law, its somebody who honors the provisions of CAN SPAM. As the US Appeals court so eloquently stated, "As should be apparent here, âthe lawâ(TM) that Gordon purportedly enforces relates more to his subjective view of what the law ought to be, and differs substantially from the law itself.". You seem to be losing sight of the fact that you are not law enforcement officers. You are vigilantes making up the law as you go along. Right or wrong, there is no law in the US requiring anything other than honoring opt-outs, proving a physical address in emails, and not falsifying headers. And the fact is in your efforts to "stamp out" spam are just making the problem worse because emailers just send out more spam to compensate for your efforts. Here is reality: email marketers aren't going anywhere. Organizations such as Spamhaus have failed to eliminate spam industry as any efforts to shut down a mailer are temporary at best. Gordon lost everything. With this kind of a victory on their side, its just a matter of time before emailers start standing up and suing the anti-spam crowd into oblivion for restraint of trade.

  3. Greylisting! by erroneus · · Score: 3, Insightful

    Okay okay! I heard you all the last time I brought it up. But the results are simply awesome. And greylisting is perfect against these snowshoe distribution methods. The downside might be the database filling up.

    1. Re:Greylisting! by grahamsaa · · Score: 2, Interesting

      Ummm, unfortunately . . . no.

      Greylisting just doesn't work in a business environment. When an e-mail is rejected with a "please try again later" response, it makes the recipient's company look bad at an organizational level. What's worse, senders may ignore these "try again" messages, or never see them at all. Greylisting doesn't work well in high volume business environments.

      --
      Facts have a liberal bias.
    2. Re:Greylisting! by Anonymous Coward · · Score: 1, Insightful

      Dude, do you actually know how greylisting works?

    3. Re:Greylisting! by aztracker1 · · Score: 3, Insightful

      Then the senders' mail servers are broken, and don't deserve to have their mail read. Greylisting is perfectly acceptable, however it is slightly less than effective as more and more bots will actually retry.

      --
      Michael J. Ryan - tracker1.info
    4. Re:Greylisting! by XanC · · Score: 2, Informative

      The "try again" message goes to the sender's mail server. Greylisting is performed between servers. The only perceptible result of greylisting for people is that the first time they email somebody, it might take longer than normal for the recipient to get it.

    5. Re:Greylisting! by jackbird · · Score: 3, Informative

      it is important to note that "longer than normal" can mean 24 or more hours for a surprisingly large number of mail servers. Forum registrations and the like are particularly frustrating.

    6. Re:Greylisting! by XanC · · Score: 1

      True, and I haven't found greylisting to be worthwhile enough yet to use myself. But it should also be noted that the problem you describe is a problem for the greylister, not the greylistee. It's problems for the greylistee that would cause most of the "we could lose business" issues, like the one to which I replied.

    7. Re:Greylisting! by corbettw · · Score: 1

      If the email in question is about a multi-million dollar business deal, then I guarantee you they have a right to have their email read. Suggesting otherwise is a good way to torpedo your company's future.

      --
      God invented whiskey so the Irish would not rule the world.
    8. Re:Greylisting! by agnosticnixie · · Score: 1

      There's not difference between email and phone in terms of "on the cheap" except in the eyes of moronic luddites.

    9. Re:Greylisting! by Hurricane78 · · Score: 1

      I agree. 90-99% of the usual spam does never pass greylisting. Sure you can create a nice whitelisting like SPF tried (but in my eyes failed) to do. But in the real world, greylisting is a simple way for big time real results. And to me, that is the ultimate scale I measure success by.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    10. Re:Greylisting! by Dragonslicer · · Score: 2, Insightful

      If the email in question is about a multi-million dollar business deal, then I guarantee you they have a right to have their email read. Suggesting otherwise is a good way to torpedo your company's future.

      Assuming that both sides are legitimate businesses (e.g. not selling millions of dollars worth of cocaine), I'm pretty sure they would both spend the extra few dollars on a reliable email provider or a competent IT person to run an SMTP server. Email delivery can fail on the first attempt for many different reasons, so giving up after one failure is never reasonable.

    11. Re:Greylisting! by erroneus · · Score: 1

      If they are negotiating a multi-million dollar deal, chances are really good that there is a lot of email correspondence going on in which case, they get right through the greylisting with no delays. Do you even know how it works? Only the first email is delayed.

    12. Re:Greylisting! by TheRaven64 · · Score: 2, Informative

      SPF is not a form of whitelisting, it is a way of validating whitelists. It lets you whitelist domains, rather than IPs. If example.com sends you emails and you use greylisting then the first email will be delayed. If they have multiple outgoing mail servers (not unusual in a large organisation, especially one with lots of different sites) then the next email from example.com may also be delayed by greylisting if it came from a different outgoing mail server. SPF lets your greylisting software automatically whitelist all of example.com's outgoing mail servers if one of them passes greylisting. The only reason SPF 'failed' is that people started assuming that 'has valid SPF record' and 'is not a spammer' meant the same thing, which is clearly nonsense.

      --
      I am TheRaven on Soylent News
    13. Re:Greylisting! by sjames · · Score: 1

      No person but a mail admin ever sees the try again messages at all. Any vaguely compliant mail server will try again after a back-off time without any user intervention at all.

    14. Re:Greylisting! by jonadab · · Score: 2, Informative

      > When an e-mail is rejected with a "please try again later"
      > response, it makes the recipient's company look bad at an
      > organizational level.

      Only if the delay gets noticed.

      > What's worse, senders may ignore these "try again" messages,
      > or never see them at all.

      Under anything vaguely resembling normal conditions, the sending user never sees the "try again" message and never knows that there's greylisting involved. The mail server takes care of all that. All the major MTAs since the beginning of time have supported queue-and-resend, because when the internet was young mail got delayed all the time due to unreliable infrastructure.

      The problem with greylisting isn't that mail would ever completely fail to get through, but rather than mail from new senders would be *delayed*, at least for several minutes, possibly for several *hours*. Given the way email was originally designed to work, this should theoretically be no big deal, but in practice a lot of organizations won't tolerate that kind of delay in incoming mail.

      For personal email, though, it can be an attractive option. Bear in mind, recognized whitelisted senders get through right away; only mail from unknown senders gets delayed.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    15. Re:Greylisting! by hardwarefreak · · Score: 1

      You're obviously not a mail system op. Snowshoe is the _one_ form of spam that greylisting has little effect on. Most snowshoers are using real MTAs (i.e. qmail) on cheap VPS servers to send the spam. qmail, just like any real MTA, will retry upon temp failure (450). greylisting only stops bot spam and misconfigured/borken MTAs.

    16. Re:Greylisting! by hardwarefreak · · Score: 1

      And you're wrong too (mostly, see below). Jeez people. End users never see the 450 errors. The 450s are received and processed by the sending MTA. After the timeout period specified in the 450 message, the sending MTA sends again, and this time the mail is accepted at the greylisting destination MTA returning a 250. On extremely high volume servers greylisting does not scale mainly due to resource consumption.

      When you talk about "bad reputation" I'm guessing you're actually referring to challenge/response. C/R is itself a spam generator.

    17. Re:Greylisting! by hardwarefreak · · Score: 1

      it is important to note that "longer than normal" can mean 24 or more hours for a surprisingly large number of mail servers. Forum registrations and the like are particularly frustrating.

      This is what throw away freemail accounts are for.

    18. Re:Greylisting! by hardwarefreak · · Score: 1

      True, and I haven't found greylisting to be worthwhile enough yet to use myself. But it should also be noted that the problem you describe is a problem for the greylister, not the greylistee. It's problems for the greylistee that would cause most of the "we could lose business" issues, like the one to which I replied.

      A good greylisting implementation creates at most a 3-5 minute delay, assuming the MTA on the sending end isn't broken (which is why you don't put MS Exchange on the network edge sending direct email to MX'en).

    19. Re:Greylisting! by mvdwege · · Score: 1

      Or a compliant mailserver will immediately retry on the backup MX. Just hope that the greylister is clueful enough to handle that case.

      Unfortunately, not all are, as I found out this week. A 430 on the primary MX, and the backup accepts and drops silently, and the idiots on the other side are trying to blame a non-existent Exchange server. Yeah right.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    20. Re:Greylisting! by sjames · · Score: 1

      There is that. If it's set up wrong there will be trouble. Of course if their secondary was going to /dev/null, they had some really serious flaws in their setup anyway.

  4. How is this different by gmuslera · · Score: 1

    from the typical spambot? Any big enough botnet dedicated to send spam could have millons of nodes.

    Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There are blacklists for that since a lot ago. That combined with greylisting (some spambots can handle greylistings, some not), and content filtering could reduce a lot the impact of that kind of spam.

    1. Re:How is this different by Anonymous Coward · · Score: 5, Informative

      from the typical spambot? Any big enough botnet dedicated to send spam could have millons of nodes.

      Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There are blacklists for that since a lot ago. That combined with greylisting (some spambots can handle greylistings, some not), and content filtering could reduce a lot the impact of that kind of spam.

      It's completely different. Snowshoe spam does not come from infected PCs (proxies or bots), it comes from *static* IP addresses *bought* by the spammers from ISPs. The spammers have been buying IP ranges, class Cs, directly from ISPs and filling these ranges with 'nonsense' domains, each one sending 'a bit' of spam is order to spread the load across the whole class C to lessen complaints.

    2. Re:How is this different by coryking · · Score: 2, Interesting

      In other words we've come full circle and are back to the days when spammers were actually hosted somewhere. Only this time in a bit more of a distributed fashion.

    3. Re:How is this different by deananderson · · Score: 1

      How does that practice lessen complaints? More IPs, more domains will still gets the same number of complaints if they send out the same amount of spam.

      As was pointed out, botnets have been doing this for years. They did it so that they didn't trigger automatic volume based filters run by the ISPs with the infected hosts. The purpose of those filters was to detect a virus-host. But using volume based filtering on //receiving// email has been useless since forever because of the virus detection tactics. So, Spamhaus' whole premise just falls apart.

  5. Snowshoe spam by Anonymous Coward · · Score: 2, Funny

    That's going to be annoying. I will never in a million years find myself in the market for snowshoes.

  6. Re:I have a fine idea by rhook · · Score: 2, Insightful

    Sounds like a good idea until one of your systems gets compromised and you receive the bill for the millions of emails that were sent through it. Perhaps you should go to prison if someone uses your car without permission and kills someone too?

  7. This is not new! by mcrbids · · Score: 2, Interesting

    Why is this being presented as if it were something new?

    As early back is 2001, as an admin for an ISP, I would see what I called a "spam attack" - a large number of emails sent over a 24 hour period or so, adding up to (typically) around a million attempted emails to random addresses at the domain name(s) for which I administered.

    We used greylisting to stop these attacks, but it was *very* taxing - in a typical attack, I logged well over 10,000 source IP addresses.

    These so-called "snow-shoe" spam attacks are pretty much exactly what I saw some 8 years ago.

    Everything old is new again...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:This is not new! by deananderson · · Score: 1

      Spot on. I rather doubt that ISPs are selling this. Spamhaus offers no evidence of that. Furthermore, it would take a ton of IP resources, which would turn into big costs for the ISP. The big money to ISPs is in genuine commercial bulk emailers, not the scammers who already use botnets. There is never going to be big money in scam sites (those that change names every day). Such scam or no-reputation sites are just modern grifters using the internet. This just another media hack from the Spamhaus/SORBS/MAPS crew. Its very similar to the Dan Kaminsky thing, where they also took old news and "sold" it as new. See pages on spamhaus et al at www.iadl.org,

  8. This is the next escalation in the spam war by Dutchmang · · Score: 2, Insightful

    IP reputation and RBL will always be vulnerable because the attackers just hide within the population, like guerrillas or terrorists. If you block legitimate ranges or addresses because you saw a spam come from there, it's like bombing a village because someone shot at you from one of the houses. You may kill the bad guy but you make the population REALLY mad. This is consistent with recent findings that >50% of spam actually originates from "trusted domains."

    --
    I'm looking over the wall, and they're looking at me!
    1. Re:This is the next escalation in the spam war by awpoopy · · Score: 1

      Most RBLs block single IP addresses. Not easy to hide with one IP.
      Once the sender is blocked because their outsourced email provider is letting the zombies through, they need to be informed and get pissed at their provider - not the one who blocked it. The dimwit CEO just needs to be informed of his ignorant decision to use smartemailforeveryoneontheplanet.com for $2.99 a month. Problem solved!

      --
      I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
    2. Re:This is the next escalation in the spam war by timmarhy · · Score: 1
      fail. CEO's and the like aren't interested in technical details - they don't have time to.

      i see 2 sides to this debate. one side that has a clue and recognises the potential DISASTER of blocking legit emails, and the other side who don't have anything important being emailed to them so can't see the fuss.

      --
      If you mod me down, I will become more powerful than you can imagine....
    3. Re:This is the next escalation in the spam war by TheRaven64 · · Score: 1

      CEOs don't need to understand the technical details. Any CEO that doesn't understand the value of reputation isn't going to stay a CEO for very long.

      --
      I am TheRaven on Soylent News
    4. Re:This is the next escalation in the spam war by dodobh · · Score: 1

      The problem is that the scorched earth approach is the only one that truly works. You don't block by domain, you block by client IP. You whitelist regular correspondents, and large mail farms like Hotmail, or Yahoo!.

      You end up with very few false positives and large bandwidth savings, especially from an ISP perspective where Bayesian filtering doesn't scale.

      --
      I can throw myself at the ground, and miss.
  9. Re:I have a fine idea by X0563511 · · Score: 4, Interesting

    I think a better idea...

    Stop filtering spam at all. For a whole week.

    Let the spammers break the system.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. No, greylisting won't help by Anonymous Coward · · Score: 2, Informative

    Greylisting won't help against any competent snowshoe spam operation.

    Greylisting is useful against ad-hoc connections from botnet hosts that are unlikely to try to resend a message within in an appropriate interval. Managing resending in the botnet environment is challenging.

    Snowshoe spamming is, in some small part, probably a response to the decreasing likelihood that random, compromised, home machines will be able to deliver much spam -- a decrease that is probably partially attributable to greylisting. The snowshoe approach is very different from the malware/botnet approach. The spammer buys bulk hosting from a colo facility and set up real honest-to-god email servers on dozens to hundreds of IP addresses. Then the spammer dribbles messages in relatively low volume from these large number of IP addresses. If one of the spam servers encounters a host with greylisting, it requeues the messages to retry later just like a normal email server will because it's a normal email server. The spammer merely maintains and manages a large number of these servers on commercially hosted connections, and distributes his spam payload across them. Distributing the spam load across these many servers reduces the likelihood that any particular server will be quickly blacklisted, and if it if is blacklisted it may go dormant until automatically delisted, then start spamming again.

    Many of the bulk "bandwidth providers" don't seem to give a fuck if this kind of thing is taking place on their networks, although in the end it will pollute and devalue or render useless large swaths of IP space at these providers. I'd name names, but am not in any mood to get sued.

    Greylisting is useless for most snowshoe spam. Take it from someone who has been watching these tactics for the last couple months.

    1. Re:No, greylisting won't help by stevey · · Score: 2, Interesting

      Then the spammer dribbles messages in relatively low volume from these large number of IP addresses. If one of the spam servers encounters a host with greylisting, it requeues the messages to retry later just like a normal email server will because it's a normal email server.

      I agree with everything that you say, however greylisting does have value in this situation.

      The delay imposed by greylisting means there is more chance that the sending host's messages have been flagged as spam by razor, pyzor, or dns blacklists.

      That is the value of greylisting these days, rather than the fact that it drops mail from badly written spambots.

  11. Keyword is STATIC IP sources. by WoTG · · Score: 1

    I actually browsed the article... it refers to static IP's in ranges that have no "history" on the Internet. I.e. it's not zombie'd home PC's on ADSL or Cable from dynamic IP address ranges.

    I'm not sure I understand it, though, wouldn't those be easy to track down to real people?

    1. Re:Keyword is STATIC IP sources. by mcrbids · · Score: 1

      Wha?

      You think I didn't block home PCs and dynamic IP address ranges via DNS RBL? I'm talking about what got *past* those obvious filters...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  12. The way to stop it... by Killer+Eye · · Score: 1

    As expected, spammers keep becoming smarter.

    The way to stop spam is to eliminate its value, not its source. Spammers send this crap to make money. So who pays them?

    If it's a business, then that business is doing a pretty poor job of analyzing its marketing success rates. Just because you can "reach" the whole world, doesn't mean it's worth the money: everyone will delete your "flyer" and make a mental note to hate your brand for eternity (and tell their friends). So, one step is to convince businesses that spam not only won't win any customers, but it will most definitely lose some.

    The other likely payer is the receiver, when receiving scam spam. Scammers aren't paying anyone to send spam, they're expecting a payoff when some idiot gives them what they "legitimately" asked for. Again, the solution is education, but a different kind: people need to be informed about how to recognize E-mail scams (apparently some people really can't). Even if one guy in a million sends his life savings, it justifies the effort of spammers.

    Maybe novice computer users need a license to drive their mail client, as if it were a car, and I'm only half kidding. They can harm at least themselves if they don't know what they're doing. This education would solve other problems as well.

    --
    "Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
    1. Re:The way to stop it... by u38cg · · Score: 1
      You don't need a brand to run a business model, in certain segments. Lonely, desperate men with no self esteem are sitting ducks for an anonymous promise of cheap, easy, self-medicated improvement.

      Your other point is well made - at the moment, law enforcement can't legally respond to a spam email, pay for the product, and then follow the money trail. There are sound legal reasons for this but I reckon there is a good case for narrow legislation to deal with this specific problem. The answer isn't educating users: at the end of the day, you need a certain IQ level to recognise a given example of spam, and for any given IQ level, there will be a certain percentage of the population below that, no matter what you do to try and raise their awareness.

      --
      [FUCK BETA]
  13. Buyer beware = fraud and crime by mcrbids · · Score: 2, Interesting

    I don't think you realize just how protected you are from fraud and similar crimes by the fact that they are crimes. You can knock our justice system for being imperfect, but you can't knock it for being ineffective. ('cepting the "war on drugs", of course)

    The truth is that we have a first-rate police force and criminal investigation system that is quite effective at enforcing laws of commerce - protections that provide you with a refund if the item purchased didn't work out, etc - that you use so casually, you hardly know they are there.

    And that leaves a population terribly unprepared for the wild wooly Internet, where those protections so painstakingly put into place mean almost nothing. You can talk all you want about education and eliminating the source of the problem, but it's never worked before and all of social commerce is set up to work the other way.

    So, good luck with that.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  14. balkanization by reiisi · · Score: 1

    The spammers are in cahoots with those who want to balkanize the internet.

    We have to come up with new e-mail standards that avoid balkanization before they can push their next attempt.

    One thing is to refrain from requiring all e-mail traffic to use whatever tech we invent to ID the sender effectively.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  15. Hacked accounts too by weave · · Score: 1

    I've seen a huge increase of phishing emails to my users to get their credentials, then use those credentials to send out spam through our email server.

    It's a real pain, and we send out repeated notices to our 50,000 users that we'll never ask them for their password, but inevitably there's always a few that respond anyway.

    And since our system can handle 400 errors just fine, it gets past greylisting -- but sites that greylist actually help us out because I can look at the outgoing mail queue and catch many stuck waiting and then work backwards to figure out the compromised account and whack it.

  16. We catch a lot of this via greytrapping by badger.foo · · Score: 2, Informative

    The Spamhaus article really describes one of the most frequently encountered behaviors we see by looking at our spamd logs. Each machine does not necessarily send a large number of messages (although some do, hanging on for weeks on end in extreme cases), but once a machine has tried to deliver mail to one of our published trap addresses (see the list at http://www.bsdly.net/~peter/traplist.shtml ), we keep them occupied and publicly shamed (see http://www.bsdly.net/~peter/nameandshame.html as well as the exported blacklist) for 24 hours, or longer if they keep coming. I wrote about these things in some blog posts earlier that were /.ed, and of course the generated lists are free to use, see the URLs and the blog posts.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  17. What's the problem by labnet · · Score: 1

    Hmm something seemed to change a few years ago. Spam used to be overwhelming.
    Since we use the free Msf spam plug in for exchange, and I can't even rememember the last time I got genuine spam.
    Same with my gmail account.

    Are the filters just that effective, or are the spammers giving up?

    --
    46137
    1. Re:What's the problem by ErikZ · · Score: 2, Informative

      I'm getting 1000+ spam messages a day going to my Gmail spam folder.

      Spammers are not giving up.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  18. spread spectrum spam by cats-paw · · Score: 1

    Here is a rehash of my subject to beat the lameness filter.

    --
    Absolute statements are never true
  19. Yeah, but most of my spam is coming from Yahoo... by jafo · · Score: 1

    The vast majority of the spam that makes it into my normal mailboxes is not this snowshoe spam. In fact, it's been quite a long time since I saw spam from one of those xhkjauts.com domains (which I believe is one of the examples of this snowshoe spam).

    My biggest problem, by probably close to 10x, is the Nigerian scams, usually coming from Yahoo, Hotmail, and gmail, in order of descending frequency.

    I've been thinking of forcing addresses from these domains which are not in our whitelist to bounce with a "release" URL in it. I already have the bounce+release URL implemented, so I guess I just need to turn it on for these domains, with an appropriate message. The biggest problem I've run into is that I bounce at SMTP time, not after receipt, and most users don't seem to read any part of those messages. I think that the less technical senders see it as just being computer-generated BS, and don't even try. Because I bounce at SMTP time, my message is usually buried under a lot of boilerplate generated by the remote system.

    Sean

  20. Re:I have a fine idea by toddestan · · Score: 1

    What exactly will this accomplish? It will certainly piss off Joe Internet User, but to whom will he be able to direct his anger, and how?