Slashdot Mirror


Suspect Arrested In Spamhaus DDoS Attack

New submitter apenzott writes "According to the BBC, a Dutch citizen has been arrested by Spanish police who suspect he was behind the recent Spamhaus DDOS attack, one of the biggest such attacks ever. 'The man arrested is believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker that has been implicated in the attack.' According to a press release from the Dutch Public Prosecutor (Google translation of Dutch original), the 35-year-old man's computers and other devices have been seized as evidence. The man will be transferred from Spain to the Netherlands shortly. 'Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and the way they have worked with us,' said a Spamhaus spokesman."

95 comments

  1. considering by Anonymous Coward · · Score: 1, Insightful

    there was no copyright infringement, I'm surprised anything happened with this.

  2. It Took Them Long Enough by Anonymous Coward · · Score: 0

    Wasn't he boasting that they were trying to get into his bunker, but couldn't, about a month ago?

    Well it took them long enough, but they got him. Hopefully the SpamHaus DDoS is over.

    1. Re:It Took Them Long Enough by Anonymous Coward · · Score: 1

      He couldn't keep his mouth shut so they came to get him. He was very vocal about requesting Anonymous to help attack Spamhaus for deciding what should and shouldn't be on the internet.

      I bet he shuts his trap now.

    2. Re:It Took Them Long Enough by sabri · · Score: 1

      for deciding what should and shouldn't be on the internet.

      Spamhaus does not decide what should and what should not be on the internet. Spamhaus merely maintains an advisory list which network administrators choose to implement. If you don't like what your network administrator chooses to filter, you are free to host your own mailserver and accept whatever spam you wish.

      I don't necessarily agree with Spamhaus and their policies, and I operate my own mailservers. However, your statement is simply not true.

      --
      I'm not a complete idiot... Some parts are missing.
    3. Re:It Took Them Long Enough by Dan541 · · Score: 1

      Let's not forget the blatant hypocrisy of launching a DDoS in response to perceived censorship.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    4. Re:It Took Them Long Enough by Anonymous Coward · · Score: 0

      Apparently this spam king decided that they were damaging his business and that spam filters shouldn't be on the internet. Luckily this isn't how it works.

  3. Hangin's too good for him by soundguy · · Score: 3, Insightful

    I hope they hang this piece of shit up to dry and his scummy, criminal "hosting company" fades into history.

    --
    Nothing worthwhile ever happens before noon
    1. Re:Hangin's too good for him by BasilBrush · · Score: 4, Interesting

      I wonder just how much of the world's spam went through this scumbag. I'm hoping for a downturn in spam volume as this outfit is closed down.

    2. Re:Hangin's too good for him by Anonymous Coward · · Score: 1

      I think mother nature already gave him justice, google for his photo

    3. Re:Hangin's too good for him by DougOtto · · Score: 1

      Holy mother of god.

      --
      Solving Unix problems since 1989...
    4. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      Holy crap, it's like his forehead has a beard!

    5. Re:Hangin's too good for him by Anonymous Coward · · Score: 1

      I think mother nature already gave him justice, google for his photo

      Oy my ... that's one hell of a unibrow. Doesn't he send out spam that specifically addresses that issue? He should click on some of them.

    6. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      It takes a bunker to contain those brows.

    7. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      LOL. Spot the difference.

    8. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      I think mother nature already gave him justice, google for his photo

      LOL http://preview.tinyurl.com/cq3n546 it's the pirate flag that makes it work, should go over well in court as well :}

    9. Re:Hangin's too good for him by gandhi_2 · · Score: 1

      An infected machine in my network got our company on the XBL the morning the DDOS started.

      But all I knew was I was blacklisted by spamhaus. Didn't know why.

      And couldn't find out for 3 days during the attack. Couldn't apply for de-listing either.

      And to top it all off, /. was too busy talking about sxsw to mention the ddos until it was over.

      Amazing times we live in, gentlemen!

    10. Re:Hangin's too good for him by Seumas · · Score: 1

      You said "hosting company", where I think you meant to say "spamhaus".

      In this case, everyone's a dick.

    11. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      Heh.... not with providers like Dimenoc, Volumdrive, and friends up...

    12. Re:Hangin's too good for him by Ossifer · · Score: 4, Interesting

      I've already had a big downturn--the news item elicited me to investigate my settings, and I found I wasn't using spamhaus properly... Now I am... Kind of an analogue to the Streisand effect...

    13. Re:Hangin's too good for him by 1s44c · · Score: 1

      Fuck you.

      The Internet needs organizations like CyberBunker.

      ...Like it needs another hole in the head.

    14. Re:Hangin's too good for him by 1s44c · · Score: 1

      Improve your setup. The only machines on my network that can send anything out to port 25 on the internet are dedicated mailers.

    15. Re:Hangin's too good for him by Trolan · · Score: 1

      Uhm... http://www.spamhaus.org/lookup/ If you're in the XBL, it'll tell you which list comprising the XBL you're in. Usually that means the CBL, which has a fairly instant delist process for listings, unless the problem keeps coming back.

    16. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      WHY DID YOU DO THAT??? Posting a link to that ... madness do you hate your fellow slashdotters that much or should we bow to the King of the Trolls?

    17. Re:Hangin's too good for him by Curunir_wolf · · Score: 1

      I hope they hang this piece of shit up to dry and his scummy, criminal "hosting company" fades into history.

      Are you talking about the guy running the hosting service that helped host Wikileaks, or the guy running the SpamWhores protection racket?

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    18. Re:Hangin's too good for him by Curunir_wolf · · Score: 1

      You forgot to pay your protection money to the organization that allows you to send emails.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    19. Re:Hangin's too good for him by hazah · · Score: 1

      And why is that, exactly?

    20. Re:Hangin's too good for him by dissy · · Score: 3, Informative

      An infected machine in my network got our company on the XBL the morning the DDOS started.

      Please stop being lazy and inconsiderate, add the two firewall rules to your router to stop attacking the internet.

      Allow outbound dest port 25 from your mail servers IP.
      DENY outbound dest port 25 (from everything else)

      You wouldn't have that problem, that infection wouldn't be attacking all of our systems, and you wouldn't be making such stupid comments about a blacklist that rightfully listed you.

    21. Re:Hangin's too good for him by gandhi_2 · · Score: 2

      Unless their whole domain is under DDOS.

      In which case you can't check the website or use the delist process!

    22. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      I've already had a big downturn--the news item elicited me to investigate my settings, and I found I wasn't using spamhaus properly... Now I am... Kind of an analogue to the Streisand effect...

      Can you elucidate? What were you doing incorrectly and how did you fix it? I'm doing this in my sendmail config.mc:
      FEATURE(dnsbl,`sbl-xbl.spamhaus.org', `"Blocked by mydomain.com due to spamhaus listing"')dnl
      Am I using spamhaus properly?

    23. Re:Hangin's too good for him by Inf0phreak · · Score: 1

      Sometimes I wish we lived in the Schlock Mercenary universe where people could be executed for grand spamming.

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^
    24. Re:Hangin's too good for him by gandhi_2 · · Score: 2

      An infected machine being seen talking to a botnet is enough to get you on the XBL.

      We were blocked for THAT. Not for any spamming. We DO block all port 25 except from the SMTP servers.

      Maybe instead of being an insulting douche, know what the fuck you are talking about.

      http://www.spamhaus.org/faq/section/Spamhaus%20XBL#37

      It turned out to be an infected machine on a WIFI AP. I learned to send the WIFI traffic out a separate WAN interface so its problems didn't affect my smtp outbound ip.

    25. Re:Hangin's too good for him by sgt+scrub · · Score: 1

      zen.spamhaus.org replaces sbl-xbl.spamhaus.org in most configurations. If you are currently using sbl-xbl.spamhaus.org you should replace sbl-xbl.spamhaus.org with zen.spamhaus.org.

      http://www.spamhaus.org/zen/

      --
      Having to work for a living is the root of all evil.
    26. Re:Hangin's too good for him by sgt+scrub · · Score: 1

      It needs another shithead that thinks the net should be unregulated except for free services that block unwanted content?

      --
      Having to work for a living is the root of all evil.
    27. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      An infected machine in my network got our company on the XBL the morning the DDOS started.

      But all I knew was I was blacklisted by spamhaus. Didn't know why.

      And couldn't find out for 3 days during the attack. Couldn't apply for de-listing either.

      And to top it all off, /. was too busy talking about sxsw to mention the ddos until it was over.

      Amazing times we live in, gentlemen!

      It sounds like Spamhaus did its job by protecting people from spam that was originating from a machine on your network. Why are you blaming Spamhaus and Slashdot? Have you fixed the core problem by ensuring that infected machines on your network can't do outbound SMTP and do you now have some monitoring in place so that you can see for yourself why you're on a Spamhaus blacklist without having to wait for them to tell you?

      If I ever find my IP range on a distributed blocklist, the very first thing I will think is that the hundreds of thousands of people that rely on the list are glad that I've been dropped into it. The second thing I will think is that something happened that got me on the list, and I will use the type of list to tell me where to start looking for something to fix. The very last thing I would think is that the list itself is at fault, or even that the list has any obligation whatsoever to helping me find a problem with my own network.
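The two-rule port 25 egress policy and the monitoring question raised in the comments above, as an added example that is not part of any comment in this thread: it reads the log of the deny rule and reports which internal hosts tried to send SMTP directly. The log prefix, the mail server address, the threshold and the abbreviated iptables-style log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the thread):
MAIL_SERVERS = {"10.0.0.25"}          # the only host allowed out on tcp/25
LOG_PREFIX = "SMTP-EGRESS-DENY"       # hypothetical prefix set on the deny rule

# Constructed sample log, abbreviated iptables LOG format.
SAMPLE_LOG = """\
Apr 26 09:14:02 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=51514 DPT=25 SYN
Apr 26 09:14:02 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.14 PROTO=TCP SPT=51515 DPT=25 SYN
Apr 26 09:14:03 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.77 PROTO=TCP SPT=51516 DPT=25 SYN
Apr 26 09:14:05 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=51517 DPT=25 SYN
Apr 26 09:20:41 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=192.0.2.40 PROTO=TCP SPT=40022 DPT=25 SYN
Apr 26 09:21:10 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.0.9.9 DST=192.0.2.80 PROTO=TCP SPT=40100 DPT=443 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def blocked_smtp_sources(lines, mail_servers=MAIL_SERVERS, min_destinations=3):
    """Summarise denied tcp/25 attempts per internal source address.

    A host that tries many distinct destinations looks like a spam bot;
    a host that retries one destination is more likely a misconfigured
    application that should be pointed at the mail server instead.
    """
    seen = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in lines:
        if LOG_PREFIX not in line:
            continue                      # not written by the deny rule
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src = fields.get("SRC")
        if src is None or src in mail_servers:
            continue
        seen[src]["attempts"] += 1
        seen[src]["destinations"].add(fields.get("DST"))

    return {
        src: {
            "attempts": stats["attempts"],
            "destinations": len(stats["destinations"]),
            "suspect": len(stats["destinations"]) >= min_destinations,
        }
        for src, stats in seen.items()
    }


if __name__ == "__main__":
    for host, stats in sorted(blocked_smtp_sources(SAMPLE_LOG.splitlines()).items()):
        print(host, stats)
```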

    28. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      You said "hosting company", where I think you meant to say "spamhaus".

      In this case, everyone's a dick.

      No, he was definitely referring to cyberbunker. Spamhaus is awesome. I subscribe to Spamhaus because they do an excellent job of listing and delisting spammers and people who are too stupid to run networks. Don't blame Spamhaus because a lot of people voluntarily use them to filter their inbound email. Blame the people using Spamhaus. Blame me for being one of so many that have granted Spamhaus the power that they wield by using them. I'll tell you where to shove it.

    29. Re:Hangin's too good for him by soundguy · · Score: 1

      Sell your computer immediately. You are too stupid to be on the internet without adult supervision.

      --
      Nothing worthwhile ever happens before noon
    30. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      I honestly think you don't know what you're talking about.

    31. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      Haha, I can smell the bullshit in your post from here. You obviously have zero clue.

    32. Re:Hangin's too good for him by dissy · · Score: 1

      I certainly do know what I am talking about. As for being insulting, short of a complete and utter mistake on the part of spamhaus for incorrectly listing you (I'm not going to pretend any automated system is perfect), most would agree I said nothing that wasn't deserved.

      Proper filtering would have prevented that unfortunate problem. It's not like I blamed you personally for the infection or made some stupid comment about windows or something.
      Just having an infection reaching out to a C&C server isn't enough to get listed, the botnet has to be seen getting commands and/or controls from you in order to get listed.

      I'm sorry you couldn't get yourself delisted quickly, but attacking spamhaus just makes you sound like the douche.
      Neither the DDoS against them nor the infection on your network were their fault!

      Regarding being listed, their spam and C&C lists are kept quite separate, and use different technologies as well - mail servers rarely if ever speak BGP to see if an IP is on the C&C-BL.

      My mail server uses the CBL DNS list as one weighted metric to block incoming email from IPs listed for sending spam.
      My edge routers use the C&C BGP list to null route IPs listed as hosting C&C servers.

      To get listed for C&C activity, a trojan would need to be able to connect with you to something hosting a C&C server.

      This either happens by having an infected webserver that trojans are connecting on to get commands from, or from being a supernode of a botnet P2P network.
      These both result from lack of proper filtering, just allowing inbound connections instead of outbound to port 25

      Other than the DDoS preventing you from telling them you got rid of the infected machine, everything still worked as intended.

      You need to understand that attacking spamhaus only makes it sound like you either don't understand the reason they list IPs, or that you have some grudge against them because the rest of us choose to protect our networks against exactly this type of thing.

    33. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      You just have no idea?

      I'm guessing you're not running a mail server; however, anybody who has, has been flagged by these white list gangsters who will help you not be flagged for a price. I think that's as close to mafia as you're able to get: if you want to send out emails yourself you have to PAY.

      Barracuda, Spamhaus, they're the same, not any more a non-profit open source org as was 10 years ago....

    34. Re:Hangin's too good for him by CBravo · · Score: 1

      Robtex says that Dimenoc contains part of an anti-spam outfit too.

      --
      nosig today
    35. Re:Hangin's too good for him by heypete · · Score: 1

      That doesn't make any sense: Spamhaus only charges money to services that subscribe to their lists (that is, actual customers). They don't charge anything for de-listing.

    36. Re:Hangin's too good for him by gandhi_2 · · Score: 1

      Oh for fucks sake.

      I wasn't attacking Spamhaus. I think they are great.

      I was bemoaning the perfect storm that got me blocked for 3 days because of the block and DDOS.

      http://www.spamhaus.org/zen/

      We were blocked for XBL. Not SBL or CSS. It REALLY was because a machine was observed talking to a botnet C&C server.

      But it took me days to find out it was XBL and not because of spamming. I spent those days thinking it was because of spamming, wasting time chasing smtp ports and poring over capture traffic for clues of spamming.

      Is it not a little scary that under DDOS the functions that get you blocked work fine, but the functions that tell you why do not? Like a car whose failure mode is full throttle.
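The SBL/CSS/XBL/PBL distinction discussed in the comments above is also carried in the DNS answer that zen.spamhaus.org returns, so it can be read without the lookup web page. The following is an added example, not part of any comment in this thread: it builds the DNSBL query name and decodes the answer using Spamhaus's published return codes, including the 127.255.255.x error codes that must not be treated as a listing. The addresses and the canned answers are constructed, and the function names are this example's own.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Spamhaus's published return codes for the combined ZEN zone.
LISTING_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Answers in 127.255.255.0/24 report a problem with the query, not a listing.
ERROR_CODES = {
    "127.255.255.252": "query refused: typing error in the DNSBL name",
    "127.255.255.254": "query refused: sent via a public/open resolver",
    "127.255.255.255": "query refused: excessive number of queries",
}


def query_name(ip, zone=ZEN_ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer      # e.g. 99.2.0.192.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone


def classify(answers):
    """Turn the A records of a DNSBL answer into the sub-lists that fired."""
    lists, errors, unknown = set(), [], []
    for answer in answers:
        if answer in LISTING_CODES:
            lists.add(LISTING_CODES[answer])
        elif answer in ERROR_CODES:
            errors.append(ERROR_CODES[answer])
        else:
            unknown.append(answer)          # never guess at an undocumented code
    return {"listed": bool(lists), "lists": sorted(lists),
            "errors": errors, "unknown": unknown}


def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist (not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        if exc.errno in not_found:
            return []
        raise                               # timeouts etc. are not "clean" results
    return sorted({info[4][0] for info in infos})


def check(ip, resolver=system_resolver, zone=ZEN_ZONE):
    return classify(resolver(query_name(ip, zone)))


# Constructed answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.11"],
    "8.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}


def fake_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for addr in ("192.0.2.99", "192.0.2.7", "192.0.2.8", "192.0.2.1"):
        print(addr, check(addr, resolver=fake_resolver))
```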

    37. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      You should also replace sendmail with postfix. I used sendmail back when I had to edit it myself because early implementations were weird. And it was good for that. Now it's just an exercise in masochism. I've always imagined that's what the M in m4 stands for.

      Bwahah, captcha: impotent

    38. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      Even better: b.barracudacentral.org. I use barracudacentral as my primary rbl and zen.spamhaus as the secondary/backup. Barracudacentral bears the brunt of my spam rejecting (a few thousand rejects per week), and only 100 or so per week by spamhaus. They are both fine rbls with low false positive rates, but I find barracudacentral is a bit better. bl.spamcop is also a good option, it used to be my secondary/fallback before I started using barracuda. Between the three tiers of barracuda/spamhaus/spamcop rbls, very few spams ever reach spamassassin. I don't think I've had a false positive in a very, _very_ long time.

      This is a small domain with only a few active accounts, historically no more than 3 or 4 at any given time. The oldest still valid email address is my own and it's about 12 years old, and is plastered across the internet on dozens of mailing list archives and whatnot. Google reports this: "About 5,100 results (0.35 seconds)", most of them from botched lkml archives. I'd say well over 90% of the spam I get on that domain is directed towards my account.

    39. Re:Hangin's too good for him by Anonymous Coward · · Score: 0

      But all I knew was I was blacklisted by spamhaus. Didn't know why.

      Sucks, I can relate.

      But Spamhaus is not for your comfort and protection, but for that of e-mail users world-wide. You had an infected machine. It did its job.

    40. Re:Hangin's too good for him by Curunir_wolf · · Score: 1

      PBL

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    41. Re:Hangin's too good for him by radarskiy · · Score: 1

      "most would agree I said nothing that wasn't deserved"

      You referred to his organization as "lazy and inconsiderate" for not doing things which they actually did do. That's pretty undeserved.

    42. Re:Hangin's too good for him by dissy · · Score: 1

      If he actually did any of those things, he wouldn't have ended up on the black list.
      I've repeatedly explained the lists do not work in the manner he has claimed.
      He even posted URLs that confirm everything I said.

      It's not my job to convince anyone otherwise, so I'm finished with that conversation.

    43. Re:Hangin's too good for him by arth1 · · Score: 1

      You should also replace sendmail with postfix. I used sendmail back when I had to edit it myself because early implementations were weird. And it was good for that. Now it's just an exercise in masochism. I've always imagined that's what the M in m4 stands for.

      Any sysadmin with experience wouldn't touch the .m4 (or the newer .mc) files with a ten foot patch cable. Instead, one would put in place a known good .cf file and adjust it to fit the host.

  4. Looks like the answer was yes. by Anonymous Coward · · Score: 0

    http://tech.slashdot.org/story/13/03/30/0251236/is-eccentric-sven-olaf-kamphius-to-blame-for-spamhaus-ddos

  5. Is the Netherlands going to pay for his trial? by Anonymous Coward · · Score: 0, Redundant

    Or are they gonna go Dutch?
    yeeeeeeaaaaaaaaaaaaaaahhhhhhhhhh

    Captcha: halved

    1. Re:Is the Netherlands going to pay for his trial? by K.+S.+Kyosuke · · Score: 1

      Or are they gonna go Dutch?

      The sentence will be stoning to death.

      --
      Ezekiel 23:20
    2. Re:Is the Netherlands going to pay for his trial? by DuranDuran · · Score: 1

      Or are they gonna go Dutch?

      The sentence will be stoning to death.

      It's always good to see law enforcement working together in a joint investigation.

      --
      "You can justify anything by putting it in quotes, adding a famous name and making it a sig" - Albert Einstein
    3. Re:Is the Netherlands going to pay for his trial? by Impy+the+Impiuos+Imp · · Score: 1

      Or are they gonna go Dutch?

      The sentence will be stoning to death.

      It's always good to see law enforcement working together in a joint investigation.

      I hear they just tracked his Twitter hash tag.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    4. Re:Is the Netherlands going to pay for his trial? by 1s44c · · Score: 1

      Or are they gonna go Dutch?

      The sentence will be stoning to death.

      Actually the Dutch criminal justice system is known to hand out very light sentences. Hopefully they will make an exception here.

      Yeah I know you were trying to pun on 'stoned'.

  6. shocker by WGFCrafty · · Score: 1

    You mean the guy who ran stophaus and posted diatribes about the evil of blacklisting spam providers is behind it? I'm speechless.

    1. Re:shocker by bfandreas · · Score: 2

      Please let me join your absolute shock and amazement that the guy who gloated the most about this has been identified as the prime suspect.
      Also why was he nabbed in sunny Spain instead of being holed up in his SWAT-repellent yet slightly less sunny anti-everything bunker? Fighting the good fight against evil Spamhaus at the side of every Legitimate Businessman probably was a bit of a hassle? He must have brought a note from his mother as the dark dampness disrupted the punctuality of his often broadcasted latest bowel movement.

      Let me be your complete lack of surprise situated just north of your favourite kidney.

      --
      20 minutes into the future
    2. Re:shocker by 1s44c · · Score: 3, Informative

      That bunker and the name 'cyberbunker' are just marketing. He doesn't actually have any presence in that bunker and hasn't for years.

      The guy is a lying con-man as well as a DDOS scumbag.

    3. Re:shocker by bfandreas · · Score: 1

      Did he get evicted from a bunker? Don't you need grenades, flamethrowers and lots of cannonfodder for this?
      The anecdote of him ignoring a stern knock at the door by the police is true even if the photo on the webpage is fake.

      --
      20 minutes into the future
    4. Re:shocker by Anonymous Coward · · Score: 0

      Cyberbunker was based in that bunker but moved out after a fire in 2002. More info on the bunker and the company that has been based there since 2010: http://www.bunkerinfra.com/press/PERSBERICHT_Cyberbunker_niet_in_Kloetingse_bunker_29maart2013.pdf (in Dutch).

  7. Hang him! by mendax · · Score: 1

    Ah, but not by the neck but by his gonads. More painful and less permanent.

    But on a more serious note, no one has the right to do a DDoS attack regardless of whether a good guy or a bad guy is being attacked (and spam and the phishing that comes with it is bad). This kind of private cyber warfare is only counterproductive in the long term. The Internet is only successful because of cooperation between parties. When there is distrust it stops working. Maybe the governments will figure *that* out one of these days.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    1. Re:Hang him! by Anonymous Coward · · Score: 0

      Yeah and who's to say that Spamhaus has the right to dictate what ISPs should or should not be blacklisted based on their customers' behavior? They're not just content blocking spam, they're on a vigilante mission to force entire internet service providers offline that won't terminate accounts.

      The double-standard here is that Spamhaus doesn't even attempt to block Yahoo, Google, etc., even though that's where most spam comes from. I work at a very large social network. We found out that they're secretly working with Yahoo & Gmail behind the scenes and sharing blacklists. Frankly, I'd say they should be sued for anti-trust. Spamhaus is leveraging a monopoly to force people into those services and kill the small-email shops.

      Spamhaus is promoting cyber-warfare, so they got and will get what they ask for.

      Ultimately, if things don't change, email will just die out as a standard and we'll all switch to Facebook messages.

    2. Re:Hang him! by Curunir_wolf · · Score: 1

      Color me shocked. Money and power attracts money and power. This whole sordid episode is an exercise in trying to determine which scumbag is the least scumbaggy.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    3. Re:Hang him! by Anonymous Coward · · Score: 0

      Yeah and who's to say that Spamhaus has the right to dictate what ISPs should or should not be blacklisted based on their customers' behavior?

      They have the right to dictate what ISP's should be on their blacklist and everyone has the choice of whether to use that information or not.

      The double-standard here is that Spamhaus doesn't even attempt to block Yahoo, Google, etc., even though that's where most spam comes from.

      Citation needed. Not according to my logs.

      I work at a very large social network.

      You are a dumbshit.

      email will just die out as a standard and we'll all switch to Facebook messages.

      Keep telling yourself that so you think you have job security.

    4. Re:Hang him! by CBravo · · Score: 1

      He does have a point (besides the other BS he is making). It is getting harder and harder to deliver email from valid sources to valid receivers with valid content. Example: We have a web application and it generates reports with a notification to our users. The emails just started to get dropped this December at Hotmail (no bounce, nothing). Until we send the emails from our production IP addresses (which sends high volume mail). Then the mail is accepted and delivered. We solved the issue by 'optimizing' the html.

      We see more and more people coming to us (ESP) for application mail delivery. I kid you not.

      --
      nosig today
  8. Re:even as an armchair Linux enthusiast by QuasiSteve · · Score: 0
  9. Re:even as an armchair Linux enthusiast by Anonymous Coward · · Score: 0

    wrong thread maybe? What's this have to do with arresting a spammer?

  10. Re:even as an armchair Linux enthusiast by Anonymous Coward · · Score: 0

    --destdir? Did I just find a fellow Slackware fanboy? :-)

  11. Dibs... by Anonymous Coward · · Score: 0

    I call dibs on the bunker!!

  12. Free speach by Dynamoo · · Score: 1

    Cyberbunker are trying to paint themselves as proponents of free speach (sic) and through some magic PR they've got Anon worked up into a frenzy. But I don't really equate being able to blast out pharma spam and hosting malware as a freedom that I cherish. Blocking traffic to and from 84.22.96.0/19 is pretty effective IMO.

    --
    Never email donotemail@WeAreSpammers.com
  13. Hehe, happened to me years ago by SmallFurryCreature · · Score: 1

    I was talking to some smalltime hosters and they were bitching about how much spamhaus was hurting them by blocking ip's they had rented out to these high paying east europeans... basically it was one long sales pitch FOR spamhaus because as a non-spammer and hosting with reputable companies, spamhaus is for me a savior and provides zero hassle.

    It is basically like listening as a non-smoker to smokers bitch about how all the anti-smoking laws are making their lives miserable. Wheee! So the laws do work after all! Yahoo! Come on smoker, make my day, tell me how you have to stand outside in the bitter cold and rain, give me a reason to smile. Because I remember the days when every office had gray-blue air.

    And I remember the days when your mailbox was overflowing with spam and it still continues, try to find a forum or such where there aren't constant attempts with "I made money working from home". Spamhaus wrecked your hosting business? Cry me a fucking river smokey. Outside in the rain with you.

    REMEMBER THIS when you see someone bitch that Spamhaus blacklisted their ip (range). It has ZERO effect on non-spammers. Spamhaus's blocklists are ONLY used for email. If I go with a hosting party that was blocked and put a web server on a blacklisted IP. IT HAS NO EFFECT. My webserver will be fully accessible to anyone!

    NOBODY but mass mailers are affected by spamhaus lists. Want to host with a disreputable hosting company AND send a small amount of emails to users? Send your "legit" emails as most reputable parties do, through 3rd party mail services. The ONLY reason to send mail from server hosted at a disreputable hosting party is because you are a filthy spammer or a very cheap ass bastard.

    And no doubt some asswipe will come with his needs to force everyone to waste their bandwidth on HIS essential marketing message and I say to him, OUTSIDE IN THE RAIN YOU CANCER STICK BURNER.

    By the way, where are all the kiddies who claimed the bunker hosting meant the guy was untouchable because he could live for years inside it? Wake up kiddies, people like that do not want to spend all their life holed up in a bunker. Spammer 0, The world 1

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Hehe, happened to me years ago by Anonymous Coward · · Score: 0

      REMEMBER THIS when you see someone bitch that Spamhaus blacklisted their ip (range). It has ZERO effect on non-spammers. Spamhaus's blocklists are ONLY used for email. If I go with a hosting party that was blocked and put a web server on a blacklisted IP. IT HAS NO EFFECT. My webserver will be fully accessible to anyone!

      Understand this, Spamhaus has NO oversight, and yet everybody trusts them. If you think this is totally awesome and acceptable collateral damage to reduce spam, then let me give you a real example: an ISP whom I have a range with once sold an adjacent block to a spammer, who got it listed on Spamhaus. Spamhaus blocked the /27, which included the top end of my range on the subnet boundary. If you read the complaint it is quite apparent that the spammer IP addresses in question have a completely different PTR from mine.

      Does Spamhaus care after I contacted them? Nope.

      Does everybody now believe that I've done something wrong because Spamhaus says so? Yup.

    2. Re:Hehe, happened to me years ago by HJED · · Score: 1

      That's actually incorrect if you are using shared hosting you tend to get hurt every now and then by spamhaus and other such lists as they block IP address not domain names. It is very easy for one user (who is then usually removed by the hosting company) to get a large number of domains blocked.
      I have domains hosted with Jumba an Australian hosting provider and whilst they seem to be constantly improving their security to stop this (to the point where it is extremely annoying) it still keeps happening and means that I am unable to send emails from my domain to people using services such as hotmail.

      --
      null
    3. Re: Hehe, happened to me years ago by Anonymous Coward · · Score: 0

      Understand this, Spamhaus has NO oversight, and yet everybody trusts them.

      > Spamhaus is overseen by all of the people that use it. What do you think happens to block lists that cause too many false positive issues for their users?

      If you think this is totally awesome and acceptable collateral damage to reduce spam, then let me give you a real example: an ISP whom I have a range with once sold an adjacent block to a spammer, who got it listed on Spamhaus. Spamhaus blocked the /27, which included the top end of my range on the subnet boundary. If you read the complaint it is quite apparent that the spammer IP addresses in question have a completely different PTR from mine.
      Does Spamhaus care after I contacted them? Nope.
      Does everybody now believe that I've done something wrong because Spamhaus says so? Yup.

      > Unfortunately they don't believe that you have done anything wrong (except fail to do due diligence when choosing your ISP). Maybe the ISP keeps moving their spammers around to avoid blocks, maybe the previous occupants of that range were spamming? Who knows? If I buy a house in a REALLY bad estate I can't moan if they won't deliver pizza.

    4. Re:Hehe, happened to me years ago by BasilBrush · · Score: 1

      Find yourself a better provider. Most people have never been blocked, and you've been collaterally damaged multiple times? Why would you stick with those cowboys?

    5. Re: Hehe, happened to me years ago by Ash-Fox · · Score: 1

      Cool story, spammer.

      --
      Change is certain; progress is not obligatory.
    6. Re:Hehe, happened to me years ago by nukenerd · · Score: 1
      AC @ 6:40 wrote :-

      an ISP whom I have a range with once sold an adjacent block to a spammer, who got it listed on Spamhaus. Spamhaus blocked the /27, which included the top end of my range

      Change your ISP

    7. Re: Hehe, happened to me years ago by Dan541 · · Score: 1

      So what you're saying is.... Spamhaus works!

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    8. Re:Hehe, happened to me years ago by Karl+Cocknozzle · · Score: 1

      AC @ 6:40 wrote :-

      an ISP whom I have a range with once sold an adjacent block to a spammer, who got it listed on Spamhaus. Spamhaus blocked the /27, which included the top end of my range

      Change your ISP

      That's not a practical option for a great many locations... If you're in a data center your choices are whatever telcos they have available, or you can pay out of pocket to "build-in" somebody else, but that's usually cost prohibitive.

      The problem I have with Spamhaus is that they do shit like this all the time. All. The. Time. We took on a client who switched to a well-known, Tier 1 ISP from their "cruddy" local service because their "low-life" ISP couldn't give them enough IP space. They got assigned a /24. As luck would have it, their /24 was part of a /28 that was listed by Spamhaus. When they switched to the Tier-1 ISP from the local "scummy" operator they started off having a very high rate of acceptance at destination servers. After the switch? They started getting about 50% rejects. When we investigated we found that Spamhaus was blocking a fucking /28, seemingly to "punish" the Tier 1 ISP for having any spam coming from any of their IPs.

      Getting a single IP unlisted as "false-positive" is nearly impossible: Getting a /28 delisted from their blocklist? Good fucking luck. The client ended up demanding (and receiving) a /24 assignment from another part of the provider's inventory to get out of it, but it cost them plenty: The delay ballooned their bill from our original estimate to a significantly higher amount, and all because some jack-ass in Denmark is so obsessed with junk mail (does he not have SpamAssassin or Barracuda running?) that he has declared a multi-decade jihad against spam, and indicates he gives not shit zero what collateral damage he causes.

      That's my beef: His motives are admirable, but his methods are fucking fascist.

      --
      Who did what now?
    9. Re:Hehe, happened to me years ago by Karl+Cocknozzle · · Score: 1

      Find yourself a better provider. Most people have never been blocked, and you've been collaterally damaged multiple times? Why would you stick with those cowboys?

      This advice is condescending and stupid. The problem isn't the provider: They're using shared IPs for hosted accounts, just like everybody else on earth. Where is he going to find a provider that doesn't use shared IPs? Please don't say "IPv6"--there are a host of other problems that go along with that "solution" to make it a non-starter.

      How about, instead, Spamhaus takes a little care and due diligence when it lists addresses? Maybe put in a system so that providers who are policing their environments can easily get their IPs and ranges delisted? THAT ALONE would make dealing with them less brutal for the honest sys admins who have clients using shared hosting to send legitimate email. If you think "it only happens at bad ISPs" you obviously haven't been around the block enough times to know how ignorant that statement paints you to be.

      --
      Who did what now?
    10. Re:Hehe, happened to me years ago by BasilBrush · · Score: 1

      This advice is condescending and stupid. The problem isn't the provider: They're using shared IPs for hosted accounts, just like everybody else on earth.

      Then why, in the last 15 years of having a domain, have I never been blocked, hmm? When he's been blocked multiple times. Don't have an answer for that, do you? Idiot.

    11. Re:Hehe, happened to me years ago by Karl+Cocknozzle · · Score: 1

      This advice is condescending and stupid. The problem isn't the provider: They're using shared IPs for hosted accounts, just like everybody else on earth.

      Then why, in the last 15 years of having a domain, have I never been blocked, hmm? When he's been blocked multiple times. Don't have an answer for that, do you? Idiot.

      Stupid people usually have the least creative insults. Certainly, I doubt I'll be able to craft a response as pithy and intelligent as yours was childish and asinine, and I could certainly never hope to reach the level of condescension you seem to exist at.

      But I might suggest you've simply been lucky. In truth, you have zero control over what other people choose to do with their hosting accounts on the shared server where yours is. And, in fact, contrary to your asinine, childish attitude, that somehow, it is impossible for a "good" ISP to open an account for somebody intent on doing wrong, I'd say "You're naïve."

      A good ISP is monitoring what you do, and watching for spikes in traffic on certain ports (among other things) but even with that monitoring in place, and even with an engine in place to automate shutting down accounts that appear to be spamming without human intervention, somebody has to actually break the TOS (or at least, appear to break it) for the ISP to figure out they're doing it. That means that at least some spam would have to be actually sent somewhere prior to the ISP being able to do anything about it. ...And if that recipient happened to be a Spamhaus honeypot mailbox, or somebody who reflexively reports all spam because they're, you know, pathetic and obsessed, then yes, Virginia, it is completely possible for somebody hosting at a "good ISP" to get painted with the same brush because somebody on the same server did something inappropriate.

      But hey, man, whatever: Keep believing you're immune to their arbitrary hammer just because it has never hit you. Keep believing there's magic that allows a "good ISP" to see into the future and know who is going to violate TOS before they do it. Most of all, keep thinking that "trust-us-we-know-best!" model of zero-oversight spam prevention is best--it will make the day when Spamhaus does screw you over (or one of your customers) that much sweeter for those of us living in the real world.

      --
      Who did what now?
    12. Re:Hehe, happened to me years ago by BasilBrush · · Score: 1

      This advice is condescending and stupid....
      Stupid people usually have the least creative insults.

      Hoist on your own petard. Idiot.

      I haven't been "lucky". I have a reputable ISP. I've had the service I can reasonably expect. Now of course it is possible to be unlucky, and get blocklisted. But not to be unlucky and get blocklisted as a regular occurrence, as the original poster had.

      If you've also been as "unlucky" as him, then you also have a shit ISP. And it may be making you cranky. Or perhaps considering this: "or somebody who reflexively reports all spam because they're, you know, pathetic and obsessed" you are a spammer yourself, and that's why you're being a jerk.

    13. Re:Hehe, happened to me years ago by Karl+Cocknozzle · · Score: 1

      Or perhaps considering this: "or somebody who reflexively reports all spam because they're, you know, pathetic and obsessed" you are a spammer yourself, and that's why you're being a jerk.

      LMFAO! "She's a witch!" If it makes me a jerk to expose your opinionated nonsense for the tripe it is, then so be it.

      No, dipshit: I manage a very-large email hosting environment comprising >15,000 domains and >150,000 mailboxes. My public MXs accept roughly 2 million messages per weekday, and reject about 10 times that amount. I completely understand the problem of spam, to a depth that would leave you in tears if I could reveal it all to you in one breath.

      My point here is this: Spam sucks, but a certain amount of it is also a fact of life. People who obsess over it, get pissed off about it, or who start personal jihads to "destroy spam" or "destroy spammers" are delusional. Yes, we'd all love to shove it up their arse just once, but that's an unproductive path to pursue due to the relative unlikelihood of it ever happening. Just like the pathetic conspiracy theorists, just like the Alex Jones acolytes, just like the "Moon landing was a hoax" wackadoos, they're delusional, pathetic individuals seeking personal validation in a quixotic "battle" that, in many cases, can't be won because it exists only in their mind, or just can't be won because the way they're fighting is fucking stupid.

      Spam will NEVER be solved with individual humans reporting individual messages. For that matter, even if we somehow achieve an environment where 100% of all email is either personally addressed by a human or from a 100% opt-in (triple-safety) sender, there will always be "junk" mail--from that web-site you bought a gift for your mom on three years ago with the sticky mailing list (triple opt-out too!) to the Facebook profile you haven't visited in six months.

      What users receive in their mailboxes is usually a function of their own stupidity--to protect customers from themselves involves striking a balance: If we used Spamhaus and their ridiculous, indiscriminate, quasi-fascist block-lists we'd lose half our customers overnight--they're mostly small businesses communicating with individuals and small businesses, and many of their customers either 1) Use shared web-hosting email 2) Use Yahoo/Hotmail/Gmail or 3) Use a Windows Small-business-server on a cable modem. If we don't accept messages from them, our customers lose access to their customers, and we quickly lose access to them. True, we could attempt to sell services to companies we block, but that seems 1) Exceptionally self-serving--to the point where customers would be turned off. We know, this was tried once or twice by predecessors of mine... It did not go well. and 2) Exceptionally pointless. Companies either are comfortable with email hosting in the cloud or they aren't. And the ones who aren't won't generally accept being arm-twisted into the cloud so they can communicate with a vendor--they'll just find another vendor, and the original vendor (my customer) will find another email provider.

      You need software analysis of content if you plan to get anything useful done. I'll say it again: Spamhaus is a guy with a good intention who has become obsessed with branding IPs as "spammers" indefinitely, even when the problem is demonstrably temporary because the ISP has terminated the person sending spam's account.

      It is ultimately about methodology and mindset: Wouldn't you rather proactively recognize spam and drop it rather than reactively waiting for somebody to "report" individual IPs or IP blocks to the blacklist you trust totally blindly? That's a cat-and-mouse game that will last for-ev-er. If that's your bag? Run with it and make it your own: But you can have it. I only use DNS blacklists based on factual information, and use IP blocking sparingly (with a few notable exceptions, but even most of those aren't being done by our spam solution, but by our router...)

      I'll stick to content-analysis, thanks, and leave the arbitrary, ham-fisted blocking to the hacks. If you're running some private mail server for 25 people you might be able to justify such a choice, but there is no way in hell that I can.

      --
      Who did what now?
    14. Re:Hehe, happened to me years ago by Karl+Cocknozzle · · Score: 1

      I have a reputable ISP.

      Here's another meme from the "Your ISP sucks" asswipes: That somehow John Q. Air Conditioner Repairman Company has any idea how to tell if his ISP is "reputable" or not. They know nothing about email: They're buying a service and expect it to work, they have no frame of reference to even guess at the issues we're discussing here. ...And I'm an idiot? Puh-lease.

      Run along now, junior: Your 25-user Exchange 2003 box is calling. I think your backup failed.

      --
      Who did what now?
    15. Re:Hehe, happened to me years ago by BasilBrush · · Score: 1

      I manage a very-large email hosting environment comprising >15,000 domains and >150,000 mailboxes.

      So I guessed right. You are a spammer.

    16. Re:Hehe, happened to me years ago by BasilBrush · · Score: 1

      As a developer, I'm quite amused at a spam hosting admin trying to be patronising. Maybe if you'd done better at school...

  14. Will somebody think of the rabbits? by Anonymous Coward · · Score: 0

    Who will feed them now that Evil Bert is in jail?