

Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses?

An anonymous reader writes: I have, for a while now, been collecting IP addresses from which email spam has been sent to, or attempted to be relayed through, my email server. I was wondering if I should publish them, so that others can adopt whatever steps are necessary to protect their email servers from that vermin. However, I am facing ethical issues here. What if the addresses are simply spoofed, and therefore branding them as spamming addresses might cause harm to innocent parties? What if, after having been co-opted by spammers, they are now used legitimately? I wonder if there's a market for all the thousands of webmail addresses that send Slashdot nothing but spam.

106 comments

  1. No by Anonymous Coward · · Score: 2, Informative

    I think you answered your own question. The only situation might be to share it privately with others, but publicly, no!

    1. Re:No by Anonymous Coward · · Score: 0

      You've got the right to do so if you want to.

    2. Re:No by Anonymous Coward · · Score: 1

      Why not? Though personally I think it would be useless. Companies like Cisco maintain a senderbase registry for exactly this purpose, addressing many of your concerns, and even it has limited effectiveness at stopping new infected hosts.

  2. What sort of a question is this? by ma++i+ude · · Score: 5, Insightful

    As is, nobody cares about your list. Use an adaptive blacklist and join Project Honey Pot.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:What sort of a question is this? by Spazmania · · Score: 2

      Exactly, he's about 20 years too late to the IP address blacklisting game.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  3. Publish your own, or join in by Anonymous Coward · · Score: 5, Insightful

    There are hundreds of blacklists out there: https://mxtoolbox.com/problem/blacklist/

  4. Go talk to Spamhaus by Penguinisto · · Score: 4, Insightful

    No, really, go talk to them... they've been doing just that as a community for a lot longer, and probably have nearly all the stuff on your list and then some.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Go talk to Spamhaus by Stan92057 · · Score: 3, Interesting

      Ya know I've been reporting spam to the FTC for years and nothing, and I mean nothing, happens. I don't see any spammers getting arrested, fined by the FTC. I also sent an email asking a congressman just what the FTC is doing with all the reported spam, and all he did was send me a personal info form to sign and release, which I laughed at since ya have to give the very same info when ya send an email to them.

      --
      Jack of all trades, master of none
    2. Re:Go talk to Spamhaus by rubycodez · · Score: 2

      Hey, it's not all clouds and doom, remember that corpse of the Russian spam king who was found beaten to death with hammers? That was pretty cool.

    3. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 1, Interesting

      I trust Spamhaus one hell of a lot less since they effectively blackmailed the company I worked for.

      Basically they blacklisted tens of thousands of domains (with no advance warning or contact) and refused to remove the listing until we stopped hosting a domain they unilaterally decided they didn't approve of. The domain wasn't spamming, it didn't even have any email accounts set up.

      There was no reasoning with the guy at Spamhaus I spoke with, who came across like some kind of rabidly insane cult member. Hardly a glowing endorsement of their business.

      I've been inclined to trust blacklists a lot less ever since, and have started taking the stock "they would say that, they're a dirty spammer" response to complaints with a metric tonne of salt. As far as I see it, both extremes are as bad as each other.

    4. Re:Go talk to Spamhaus by TheCarp · · Score: 2

      If it's any consolation, I was once involved in keeping a mail server under heavy spam load working and shutting down the incoming spew.... which did actually result in someone being taken away by the police, and the last words the network engineer heard as they walked away were "you are lucky you are not in handcuffs".

      Admittedly it has nothing to do with the FTC and actually involved someone at the University who was intentionally misusing resources to spam in the most bone headed way (from his own desktop in his own assigned office!)....but....it still makes me smile.

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 2, Informative

      tens of thousands of domains

      Nobody blacklists "domains", every spam comes from a fake email address. No, they blacklist IP blocks.

      it didn't even have any email accounts set up.

      And? If you didn't block outbound SMTP it's trivial to write an SMTP client in just about any language. PHP even has mail functions built in to send mail. It's trivial to write up a PHP script that you upload a CSV file to and have it email everyone on it without an "email account".

    6. Re:Go talk to Spamhaus by Stan92057 · · Score: 1

      That's a great story, nice to hear the bad guy getting his due for once.

      --
      Jack of all trades, master of none
    7. Re:Go talk to Spamhaus by Stan92057 · · Score: 1

      Well I must have missed that story but I'm not that extreme. Public shame, jail, prison, fines, sure. Killing them is a bit much to me.

      --
      Jack of all trades, master of none
    8. Re:Go talk to Spamhaus by mwvdlee · · Score: 2

      What actionable material have you been sending them?
      IP's are next to useless (mostly zombie hardware and outside whatever jurisdiction you report it to).
      Email addresses are nearly 100% fake, so useless. Same for sender domain names.
      Domain names and hosting is recycled within minutes (literally!) and paid for with stolen credit cards.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:Go talk to Spamhaus by chispito · · Score: 1

      The domain wasn't spamming, it didn't even have any email accounts set up.

      You might want to check outbound traffic anyway. There's this stuff called malware...

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    10. Re:Go talk to Spamhaus by Stan92057 · · Score: 1

      I've been sending my spam to spamcop for almost 10 years. The full headers, body of email to collect the link address, but the thing is, like I said, these are big name companies paying big time money to their ISP, host, email providers. I've been doing this for a very long time.

      --
      Jack of all trades, master of none
    11. Re:Go talk to Spamhaus by TheCarp · · Score: 1

      Well you know, it's nice when they actually sign their name to it. No really.... the fantastically brilliant marketing campaign for his personal consulting business was to use the school network to email a joke to a massive list of his closest friends, with his ad as the email signature.

      Oh totally fooled me, you must really just have a million friends that you never emailed before this day....right..... I am sure they all opted in too.

      --
      "I opened my eyes, and everything went dark again"
    12. Re:Go talk to Spamhaus by sims+2 · · Score: 1

      I got a canned letter back from them once informing me I had the right to sue. They did not however tell me which report they were talking about.

      --
      Minimum threshold fixed. Thanks!
    13. Re:Go talk to Spamhaus by mr_mischief · · Score: 1

      The specific host that sent it to your mail server is the only one in the email headers that can really be trusted to be real, and that's because of your own mail server logging that it received the connection from there. Let them defend themselves to Spamhaus, SpamCop, or whoever else. There are methods established for them to do that. They then provide logs showing how it got through their servers and explain what they are doing to minimize that sort of traffic.
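To make the point above concrete, here is an added example (mine, not mr_mischief's) of picking out the one Received header your own MTA stamped and ignoring the hops beneath it; the hostname mx.example.net, the sample message and the non-routable ranges are assumptions for the demonstration:

```python
import ipaddress
import re
from email import message_from_string

# Hostname our own MTA writes into the Received header it prepends (assumed value).
OUR_MTA_HOSTNAME = "mx.example.net"

# Constructed sample: the topmost Received line was added by our MTA when it accepted
# the connection; the two below arrived inside the message and may be fabricated.
SAMPLE_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <user@example.net>; Tue, 12 Jan 2016 09:15:02 +0000
Received: from relay.forged.example (relay.forged.example [198.51.100.7])
\tby mail.sender.example with ESMTP; Tue, 12 Jan 2016 09:14:59 +0000
Received: from localhost (localhost [127.0.0.1])
\tby relay.forged.example; Tue, 12 Jan 2016 09:14:58 +0000
From: "Offers" <offers@forged.example>
To: user@example.net
Subject: test

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Ranges that can never be the real remote peer of a public-internet connection.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16")
]


def _received_headers(raw_message):
    """Return the Received headers top-down, with folding whitespace collapsed."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in (msg.get_all("Received") or [])]


def claimed_ips(raw_message):
    """Every IP mentioned in any Received header. Only the first one is verified by us."""
    ips = []
    for header in _received_headers(raw_message):
        m = IP_RE.search(header)
        if m:
            ips.append(m.group(1))
    return ips


def connecting_ip(raw_message, our_hostname=OUR_MTA_HOSTNAME):
    """IP that actually connected to our MTA, or None when it cannot be established.

    Only the header stamped 'by <our hostname>' at the very top is ours; everything
    beneath it was supplied by the sender and is worthless as evidence.
    """
    headers = _received_headers(raw_message)
    if not headers:
        return None
    m = RECEIVED_RE.search(headers[0])
    if not m or m.group("by").lower() != our_hostname.lower():
        return None  # top header was not written by our server: do not trust it
    ip_match = IP_RE.search(m.group("paren") or "")
    if not ip_match:
        return None
    ip = ipaddress.ip_address(ip_match.group(1))
    if ip.is_multicast or any(ip in net for net in NON_ROUTABLE):
        return None  # loopback/private peer: a local relay, not a listable source
    return str(ip)


if __name__ == "__main__":
    print("trusted connecting IP:", connecting_ip(SAMPLE_MESSAGE))
    print("all claimed IPs:      ", claimed_ips(SAMPLE_MESSAGE))
```

Only the value `connecting_ip` returns is worth recording; the other two addresses in the sample are exactly the kind of forged hop that would land an innocent party on a published list.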

    14. Re:Go talk to Spamhaus by mr_mischief · · Score: 1

      Anti-spam blacklists do blacklist the domain and the IPs that host the web sites within that domain when a domain is advertised in spam messages. It's known in the industry as "spamvertising". It can get a domain kicked off of hosting if the email is clearly spam and advertises the domain even if the spam was sent through another company.

    15. Re:Go talk to Spamhaus by msauve · · Score: 1

      Your congresscritter accepts email? None of mine do - it's all web forms which they incorrectly call "email." But, that doesn't stop them from requiring my email address, and then sending me spam.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    16. Re:Go talk to Spamhaus by rubycodez · · Score: 2

      It was goons who killed him, not any legal venue, so no worries.

      http://archive.wired.com/wired...

    17. Re:Go talk to Spamhaus by Stan92057 · · Score: 1

      Well the form was at his web site ya know for the initial question, but I had to give full name, address, zip code, email address and phone number so I'm like WTF, just get a stinkin' answer. But nope, have to mail in a written form with the same info so I said F it. He lost my vote.

      --
      Jack of all trades, master of none
    18. Re:Go talk to Spamhaus by Stan92057 · · Score: 1

      Why should we have to sue when it's a law they are breaking? Just saying.

      --
      Jack of all trades, master of none
    19. Re:Go talk to Spamhaus by Cramer · · Score: 1

      I've worked with Spamhaus many times over the eons. I have NEVER seen them escalate a listing without cause, and without any attempt to contact the operator. I guess you have no one watching your abuse@ or postmaster@ mailboxes, or blocked the messages as "spam", etc.

      A former employer was a host for a rather large (and stupid spam operation -- spamming hostmaster@ your new ISP, literally seconds after the link was turned up) and we were never listed at all. Of course, *I* told spamhaus of their contract when it crossed my desk -- they were blacklisted before they even knew their address block. The address block we requested for them (because ARIN knows better) was listed before it appeared in whois.

    20. Re:Go talk to Spamhaus by Coren22 · · Score: 1

      When I was working IT for a small company, we ended up being blacklisted because a workstation had a virus. The fact that the workstation had 0 chance of actually spamming didn't matter to them, they required the workstation to be rebuilt. Proper network design is to not allow outgoing email connections from anywhere but the email server, but that just isn't good enough for the rabid anti spam groups.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    21. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      Sending emails to FTC and congressmen ... how cute ... Maybe add Santa to the list. You have a higher probability of hearing back from Santa.

    22. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      I call bs on this. They do not scan for viruses and black list the results. They get a spam report and check the header which will reference the work station ip. Or in other words, there is no way they would know about the infection if the machine had 0 chance.

      I had a system become infected and all I had to do was report the problem fixed. About 4 hours later, the domain was off the list. It was a pain to track it all down and do it but it wasn't hard outside of the time involved.

    23. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      There is a massive problem with this. No evidence and no accountability.

      This is a sure-fire method to destroy any domain you don't like. Perhaps you're a competitor, perhaps you're a disgruntled user or ex-employee. Find a spammer to spam out the domain enough to get it listed, then just wait for a popular RBL to blackmail the hosting company for you, job done.

    24. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      And? If you didn't block outbound SMTP it's trivial to write an SMTP client in just about any language.

      Really? You don't say! No email was sent out. But hey, don't let it worry your two-bit dumb ass "I have linux install somewhere so suddenly I'm an expert" vibe.

    25. Re:Go talk to Spamhaus by Coren22 · · Score: 1

      They had taken over the DNS record for the command and control servers. So they saw the computer going out and checking for the next set of addresses to spam, but the computer could not actually send mail.

      You can call bullshit, but that doesn't make what you say right.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    26. Re:Go talk to Spamhaus by mr_mischief · · Score: 1

      RBLs generally aren't used to outright block mail. A responsible mail host will assign a score (using something like SpamAssassin) to different traits. Presence on a particular blacklist is worth a certain number of points on that score. Other things like what's in the subject line, whether the server connecting to your server is following the RFCs strictly, the Bayesian analysis of the message vs. spam received in the past, and stuff like that feeds into the score.

      This will mostly make messages from your domain or about your domain score higher in these spam filters.

      The decision to actually kick a domain off of hosting is a final and drastic step taken by actual people. It will involve the hosting company notifying the domain's owner a number of times about the spamvertising if the spam isn't coming directly from them. The hosting company will check the WHOIS for where the spam is coming from to see if it's something obvious like the same company or the same physical postal address as the site being advertised. They'll contact the admin of the IP range sending the spam and get the IP range added to IP RBLs along the way, too, so just spamming from one place won't keep the site being spamvertised.

      If there's a pattern of this happening and it's not the site owner doing it, then there's a strong paper trail about who is doing it. Getting to the point of kicking someone off is pretty rare, but it is an option in the end for the hosting company if it keeps happening. The hosting company can't afford to get all of its IPs blacklisted, after all, because of a few problem users. Usually this does turn out to be the site owner's own doing, but if it isn't and they still get kicked, it sucks but there are always other hosting companies.
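An added example (not the poster's code) of the scoring approach described above: DNSBL hits weighted by how much each list is trusted, combined with a non-RBL trait, so that a single aggressive list cannot block on its own. Zone names, weights, thresholds, the whitelist and the stand-in resolver are all assumed for the demonstration:

```python
import ipaddress

# Assumed scoring policy for this example. Zone names are placeholders, not real
# DNSBLs; the weights express how much a listing on each is trusted on its own.
RBL_WEIGHTS = {
    "dnsbl-a.example": 3.0,   # conservative, well-maintained list: strong signal
    "dnsbl-b.example": 1.5,
    "dnsbl-c.example": 0.5,   # aggressive list with false positives: weak signal
}
TAG_THRESHOLD = 3.0          # at or above: deliver, but mark as suspected spam
REJECT_THRESHOLD = 5.0       # at or above: refuse at SMTP time
WHITELIST = {"192.0.2.200"}  # local override for known-good partners (assumed)


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the address octets reversed, then the zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS: a listed address resolves to an A record in 127/8.
# A real deployment would query the resolver and treat NXDOMAIN as "not listed".
FAKE_DNS = {
    "45.113.0.203.dnsbl-a.example": "127.0.0.2",
    "45.113.0.203.dnsbl-c.example": "127.0.0.2",
    "7.100.51.198.dnsbl-c.example": "127.0.0.2",
    "9.2.0.192.dnsbl-a.example": "127.0.0.2",
    "9.2.0.192.dnsbl-b.example": "127.0.0.2",
    "200.2.0.192.dnsbl-a.example": "127.0.0.2",
}


def is_listed(ip, zone, resolver=FAKE_DNS):
    return dnsbl_query_name(ip, zone) in resolver


def score_connection(ip, helo, resolver=FAKE_DNS):
    """Combine DNSBL hits with other traits into one score, SpamAssassin-style."""
    if ip in WHITELIST:
        return 0.0, ["whitelisted locally"]
    score, reasons = 0.0, []
    for zone, weight in RBL_WEIGHTS.items():
        if is_listed(ip, zone, resolver):
            score += weight
            reasons.append(f"listed in {zone} (+{weight})")
    # Example of a non-RBL trait: RFC 5321 expects a fully-qualified HELO name.
    if "." not in helo:
        score += 1.0
        reasons.append("HELO is not fully qualified (+1.0)")
    return score, reasons


def verdict(score):
    if score >= REJECT_THRESHOLD:
        return "reject"
    if score >= TAG_THRESHOLD:
        return "tag"
    return "accept"


def decide(ip, helo, resolver=FAKE_DNS):
    """Return (verdict, score, reasons) so the decision can be logged and explained."""
    score, reasons = score_connection(ip, helo, resolver)
    return verdict(score), score, reasons


if __name__ == "__main__":
    for ip, helo in (("198.51.100.7", "mail.sender.example"),
                     ("203.0.113.45", "mail.sender.example"),
                     ("192.0.2.9", "WIN-PC")):
        print(ip, decide(ip, helo))
```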

    27. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      Preaching proper network design while you can't be bothered to practice proper security and malware removal. What IT firm was that again?

    28. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 0

      I understand what you're saying, but unfortunately the scenario you describe is an ideal world that doesn't exist in practise.

      RBLs generally aren't used to outright block mail.

      Certainly it's recommended you only use individual RBLs as weightings. My own experience has been that there are enough sites out there using some of the major RBLs (Spamhaus certainly) for outright blocking. Enough for customers to raise hell should you ever find a listing for an IP in your range.

      They'll contact the admin of the IP range sending the spam and get the IP range added to IP RBLs along the way, too, so just spamming from one place won't keep the site being spamvertised.

      When the spam is originating from one of the millions of IPs in Microsoft outlook protection range, good luck with that! Strangely the RBLs avoid blacklisting the big players when they send out spam.

      If there's a pattern of this happening and it's not the site owner doing it, then there's a strong paper trail about who is doing it.

      Sorry, I don't see that. There's no paper trail at all. Neither the hosting company nor the RBL have any access to anything concrete other than the sender IP. You could certainly try contacting the postmaster, hope the range is owned by someone reputable, and ask for details, but good luck getting that. For example, in Europe data protection law would prevent that company giving out details of a customer they've hosted that was spamming to a third party (even if they are spammers, they can terminate them certainly, but you won't get the info you need).

    29. Re:Go talk to Spamhaus by mr_mischief · · Score: 1

      Sorry, I don't see that. There's no paper trail at all. Neither the hosting company nor the RBL have any access to anything concrete other than the sender IP. You could certainly try contacting the postmaster, hope the range is owned by someone reputable, and ask for details, but good luck getting that. For example, in Europe data protection law would prevent that company giving out details of a customer they've hosted that was spamming to a third party (even if they are spammers, they can terminate them certainly, but you won't get the info you need).

      Europe doesn't have subpoenas and courts? If there's a sustained campaign to interfere with your business and defame it unfairly that's not punishable by civil and criminal penalties?

  5. Asked then answered: journalism 101 by ihtoit · · Score: 1

    If there's a yes/no in the headline, the answer is invariably "NO".

    Apart from that, considering how easy it is to spoof an IP, then you might actually be breaking the Law by enabling targeted attacks on private computer systems which is covered under the Computer Misuse Act (in England) and on public systems, potentially you could be engaging the Official Secrets Act and the Terrorism Act.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re: Asked then answered: journalism 101 by Anonymous Coward · · Score: 0

      I don't know much about what is taught in journalism schools, but I do know that human beings are social animals, and how we communicate cannot be reduced to trite formulas, especially of the sort you're suggesting.

      Rhetoric 101
      https://en.m.wikipedia.org/wiki/Rhetoric

    2. Re:Asked then answered: journalism 101 by Anonymous Coward · · Score: 0

      Spoken like a true wannabe Security Pro.... spoofing a TCP connection??

    3. Re:Asked then answered: journalism 101 by ihtoit · · Score: 1

      fuck off AC, I don't need to justify myself to anybody.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    4. Re: Asked then answered: journalism 101 by Anonymous Coward · · Score: 0

      I don't think justification would help with cluelessness

    5. Re:Asked then answered: journalism 101 by Anonymous Coward · · Score: 0

      Now all reading definitely think you need to after that statement ihtoit.

  6. RBL's by mu51c10rd · · Score: 1

    There are plenty of RBL's out there already. I would suggest talking to one of them and contributing your list.

  7. How often are the addresses re-validated? by QuietLagoon · · Score: 4, Insightful

    If you publish a list, you then obligate yourself to keep that list up-to-date, not only by adding new addresses, but also by removing old addresses that no longer spam.

    Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually. Are you planning to ban those IP addresses permanently?

    So I ask the question, how frequently do you plan to re-validate the addresses that are on your list as still spamming?
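As an added example (not QuietLagoon's code) of what keeping such a list honest would involve: an address is only published after repeated sightings and drops off again once it goes quiet, so a cleaned-up host is not banned forever. The thresholds, the reference time and the sightings are constructed for the demonstration:

```python
from datetime import datetime, timedelta

SAMPLE_NOW = datetime(2016, 1, 12, 9, 0, 0)  # constructed reference time


class SpamSourceList:
    """Blocklist whose entries must keep earning their place.

    An address is published only after min_hits sightings, and it drops off again
    once expire_after has passed without a new sighting. Both values are assumed
    policy settings for this example.
    """

    def __init__(self, min_hits=3, expire_after=timedelta(days=14)):
        self.min_hits = min_hits
        self.expire_after = expire_after
        self.entries = {}  # ip -> {"first_seen", "last_seen", "hits"}

    def record(self, ip, seen_at):
        """Log one observed spam connection from ip at time seen_at."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = {"first_seen": seen_at, "last_seen": seen_at, "hits": 1}
        else:
            e["hits"] += 1
            e["last_seen"] = max(e["last_seen"], seen_at)

    def is_listed(self, ip, now):
        e = self.entries.get(ip)
        return (e is not None
                and e["hits"] >= self.min_hits
                and now - e["last_seen"] <= self.expire_after)

    def revalidate(self, now):
        """Drop stale entries; returns the IPs removed so the change can be audited."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e["last_seen"] > self.expire_after]
        for ip in stale:
            del self.entries[ip]
        return sorted(stale)

    def export(self, now):
        """What would actually be published at time now."""
        return sorted(ip for ip in self.entries if self.is_listed(ip, now))


def build_sample_list(now):
    """Constructed sightings relative to now."""
    lst = SpamSourceList()
    for days_ago in (1, 2, 3, 3, 5):           # persistent source: 5 sightings this week
        lst.record("203.0.113.45", now - timedelta(days=days_ago))
    lst.record("198.51.100.7", now - timedelta(hours=6))   # seen once: not enough
    for days_ago in (20, 21, 23):              # cleaned-up host: quiet for 20 days
        lst.record("192.0.2.9", now - timedelta(days=days_ago))
    return lst


if __name__ == "__main__":
    lst = build_sample_list(SAMPLE_NOW)
    print("published:", lst.export(SAMPLE_NOW))
    print("expired on revalidation:", lst.revalidate(SAMPLE_NOW))
```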

    1. Re:How often are the addresses re-validated? by NatasRevol · · Score: 1

      I'm not sure you're obligated to do anything.

      Should do something, perhaps. Definitely not obligated.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:How often are the addresses re-validated? by NatasRevol · · Score: 1

      Your opinion is just that. An opinion.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:How often are the addresses re-validated? by Anonymous Coward · · Score: 0

      Sure, mod me down. Spammers severely wounded email, but overzealous anti-spammers killed it. Moderation abuse is just what I expect of you guys.

    4. Re:How often are the addresses re-validated? by Anonymous Coward · · Score: 0

      I'm not sure you're obligated to do anything.

      Whether or not putting out that info is actionable, if you don’t maintain an update for it as information changes, then just putting it out there makes you an asshole.

    5. Re:How often are the addresses re-validated? by Anonymous Coward · · Score: 0

      Strong words for someone who calls his own opinion definite. The wannabe-blacklister AC better consult a lawyer, or he'll quickly find out how hot the water can get when you wrongly accuse someone who has a legal department. BTW, spammers are a vindictive bunch. Step on their toes and a day with just a cease and desist letter from an innocent victim of yours is a good day. But as you said, this is just an opinion. If the asking AC feels like a vigilante, he should go for it. There are definitely not enough of that type in the anti-spam war.

    6. Re:How often are the addresses re-validated? by mysidia · · Score: 2

      Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually.

      My mail servers' IPs have been hijacked for spamming many times, probably about 3 or 4 times a month, but as far as I know, they are generally cleaned up within a few hours, and usually the volume is restricted by message rate controls.

      The biggest problem is we have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that look spammy.

      Also, the RBLs have destroyed mutual cooperation between operators against spam.... we all just have our blacklists, and then we start having equally huge whitelists that represent the hundreds of thousands of legitimate mail transactions that blacklists have incorrectly interfered with.

      Nobody really sends detailed abuse complaints anymore or provides any data that could be meaningfully used for reliable spam content identification without false positives. They just put IP addresses straight onto a blacklist. Heck, the abuse@ contact address and IP address space WHOIS abuse contacts get no messages at all from humans for the most part, except (ironically) marketing attempts, DMCA letters, and DoS amplification reports.

      So the "eventually" part is because no one's even bothering to lend a hand against the spammers. Perhaps everyone is just overwhelmed and desensitized.

      You'll just wake up after some sneaky spammer has been abusing your mail server starting at 4am, and after you find your IP with a bad reputation on a bunch of blocklists with not a single actionable abuse complaint. You will have most RBLs that tell you "their spam traps are secret," and you need to wait 3 days before requesting removal, so they won't even reveal what the spam message looked like, or enough information to identify the abuser on a multi-tenant mail server.

      Then there are 'fascist' blacklists who decide, they want to blackmail you and force you to pay a fee for removal. In a number of cases, we have referred those guys to our lawyers, to see if we can do anything about them. Hopefully, law enforcement will eventually lay down the criminal charges against paid-removal blacklists for racketeering.

      Then there are reputation services such as Cisco's, which has no remediation or contact to resolve the listings at all, and they are highly secretive about how they even work.

      Then there are RBLs that insist on blacklisting you for 48 hours, or 5 days, because some spammer managed to go to town for a few hours one night.....

      Most often: it is some customer mailboxes whose password has been guessed by spammers who then proceed to abuse the account.

      Or a mailbox on a customer mail server relaying off of ours.

      It is not so easy to tell when it has happened, because there are plenty of customers running legitimate "newsletters" off their mailbox. We limit each customer to an average rate of 1200 messages per day for some domains, and 250 messages per day for others, but "legitimate" bulk mailers using their normal account to e-mail blast frequently hit the limits and complain about it, Meanwhile, there are spammers who are relentless and send a trickle of messages just below the limits sometimes.

      Then there are spammers who use IP addresses of non-mail servers such as workstations..... by co-opting random systems and running random malware that pretends to be an SMTP server, or they install a local SMTP server and relay off of it.

      The latter are frequently short-lived attacks. By the time anything is in an RBL, the spammer has already probably moved on to the next batch of IP addresses to disrupt.

    7. Re:How often are the addresses re-validated? by NatasRevol · · Score: 1

      BWHAHAHAHA

      Damn that's funny. I'm sure Spamhaus is just quivering about getting a cease-and-desist letter.

      --
      There are two types of people in the world: Those who crave closure
    8. Re:How often are the addresses re-validated? by postbigbang · · Score: 2

      If someone's breaking into your server 3-4x/month, then you have major problems. If you have clients whose accounts are compromised, then SHUT THEM THE FUCK OFF AND MAKE THEM CLEAN THEIR MACHINES.

      Spoofing user names and using their lists is old hat. I have one ex-friend who greets me weekly with something new and exciting in an attachment. Luckily, I never open *anything*.

      But seriously, if your server's getting broken into that frequently, you need lessons. Numerous ones.

      --
      ---- Teach Peace. It's Cheaper Than War.
    9. Re:How often are the addresses re-validated? by geminidomino · · Score: 1

      Once a week? The only solution is thermite. Lots and lots of thermite.

    10. Re:How often are the addresses re-validated? by Anonymous Coward · · Score: 0

      Remember the topic? Spamhaus has removal policies. Anyway, do what you want. Spammers and anti-spammers are the same kind of people: They don't care about the damage as long as they achieve what they want.

    11. Re:How often are the addresses re-validated? by mysidia · · Score: 1

      If you have clients whose accounts are compromised, then [...]

      It's not the same users over and over again. It's a different user almost every time.
      The couple users that DID get re-compromised, after we unlocked their account, were cancelled as a customer after the 3rd incident, and their computer was legitimately infected ---- It is just totally not our job as ISP to help them clean up their infection for free.
      There are about 3,000 hosted and ISP mailboxes and 500 domains.

      We do incoming and outgoing mail relay for by last count several thousand private mail servers as well.

      We deactivate the account immediately when we find them, and delete all their queued messages.

      The problem is finding them, because spammers are not always calling attention to themselves.

      Generally, found issues come from accounts that the spammer gained access to through brute force. We have many defense mechanisms against brute force, including password policy for new passwords, not all digits, not all lower, not all upper, banning any IP after 10 successive failed logins, and lockout if more than X IP addresses detected active on an account over Y minutes.

      And nevertheless, there are still users that fall for phishing or get their password guessed. It seems like these come in waves, like the spammers are saving them up and acting upon them at an "opportune" time.

      Some spam events are infected systems if they are relaying off of us, since we provide a free SMTP relay host for our ISP customers. We're damned if we don't do that, because we publish end users' dynamic IP address ranges in the Spamhaus PBL, and we always get blamed by customers if a customer's private mail server on their own premises gets blacklisted or has other issues, because "It's our IP address".

      It is not straightforward at all to look at an outgoing mailflow and determine if account(s) are compromised. Often something will appear to be outgoing spam, but then turn out just to be an ISP user's free e-mail account that they set to forward all their e-mail to example@gmail.com, or Out-of-Office responses sent from Microsoft Exchange.

      In the past we even got auto-generated spam complaints about forwarded mail, based on the recipient's own forwarding rules!
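An added example (not mysidia's code) of the two lockout rules described above run over a constructed auth log: ban an IP after 10 successive failed logins, and lock an account that is active from more than X addresses within Y minutes. The log format, X and Y are assumptions; the 10-failure figure is the one the post gives:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values: the 10-failure ban is from the post; X and Y are assumed here.
FAILED_LOGIN_LIMIT = 10
MAX_IPS_PER_ACCOUNT = 3                  # X
ACCOUNT_WINDOW = timedelta(minutes=10)   # Y

# Constructed log format for this example (not any real MTA's format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

SAMPLE_LOG = (
    # one address hammering ten different mailboxes: password guessing
    [f"2016-01-12 03:{i:02d}:00 auth fail user=user{i} ip=198.51.100.7"
     for i in range(10)]
    + [
        # a user who mistypes the password twice, then succeeds: not banned
        "2016-01-12 03:20:00 auth fail user=bob ip=203.0.113.9",
        "2016-01-12 03:20:05 auth fail user=bob ip=203.0.113.9",
        "2016-01-12 03:20:12 auth ok user=bob ip=203.0.113.9",
        # a guessed or phished mailbox now driven from four addresses in four minutes
        "2016-01-12 04:00:00 auth ok user=alice ip=192.0.2.10",
        "2016-01-12 04:01:00 auth ok user=alice ip=192.0.2.11",
        "2016-01-12 04:02:30 auth ok user=alice ip=192.0.2.12",
        "2016-01-12 04:04:00 auth ok user=alice ip=192.0.2.13",
        # a laptop user on two networks over a morning: normal, outside the window
        "2016-01-12 08:00:00 auth ok user=carol ip=192.0.2.50",
        "2016-01-12 08:30:00 auth ok user=carol ip=192.0.2.60",
        "not an auth line at all",
    ]
)


def analyze_auth_log(lines):
    """Return (banned_ips, locked_accounts) by applying the two rules above."""
    successive_failures = defaultdict(int)
    recent_logins = defaultdict(deque)   # account -> deque of (timestamp, ip)
    banned, locked = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "fail":
            successive_failures[ip] += 1
            if successive_failures[ip] >= FAILED_LOGIN_LIMIT:
                banned.add(ip)
            continue
        successive_failures[ip] = 0   # a success resets the consecutive-failure count
        window = recent_logins[user]
        window.append((ts, ip))
        while window and ts - window[0][0] > ACCOUNT_WINDOW:
            window.popleft()      # slide the window forward
        if len({addr for _, addr in window}) > MAX_IPS_PER_ACCOUNT:
            locked.add(user)
    return banned, locked


if __name__ == "__main__":
    banned, locked = analyze_auth_log(SAMPLE_LOG)
    print("banned IPs:", sorted(banned))
    print("locked accounts:", sorted(locked))
```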

    12. Re:How often are the addresses re-validated? by postbigbang · · Score: 1

      You need inline filtration. You're screwed unless you do. A carrier-grade filter ought to do it. Until then, you face a lot of slime.

      Your users are handily making mincemeat out of you. You get to control your SMTP, not them. Without a pipe to stanch the flow yourself, you're part of the problem, and not the solution. I know that sounds insulting, but it's true.

      Your knowledge of how RBLs and blocks work means you're spending way too much time dealing with the aftermath in firecontrol, rather than gently reminding your users that they forgot to use data condoms. Your frequency of spam volcanoes means a lot of work. There is a better way: make your users pay attention.

      --
      ---- Teach Peace. It's Cheaper Than War.
    13. Re:How often are the addresses re-validated? by markdavis · · Score: 1

      >"The biggest problem is We have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that look spammy."

      Is there a difference? Spam includes UCE (Unrequested Commercial Email). Unrequested marketing junk *is* spam. I report it as such and ban most mail servers that send such stuff to my users. When I first started doing that many years ago, the very first to be banned, permanently, was Constant Contact. And boy were they pissed! They actually tried to tell my users we were doing something wrong and went over my head to try and be removed (and the CEO laughed at them). Now I ban several hundred such marketing houses.

      >"Nobody really sends detailed abuse complaints anymore or provide any data that could be meaningfully used for reliable spam content identification without false positives. They just put IP addresses straight to blacklist"

      The word "nobody" is pretty strong. I report *every* spam I get, in detail, to spamcop. Thankfully it is only a few messages a week that slip through, but I take the time to do it.

      You might not like RBL's, but they are a keystone to our anti-spam. We don't do automated content examination or even ratings at all. Just greylisting, country banning, several RBL's, dropping messages with improper headers, checking that the domains on the Email server and sender are actually valid, and our own blacklist (coupled with a whitelist for both filtering and greylisting for those places that we consider mission important).

    14. Re:How often are the addresses re-validated? by Anonymous Coward · · Score: 0

      Now I ban several hundred such marketing houses.

      Either this is bullshit or you have a total of 10 users. Try running an ISP, even a small one with just a few hundred users, and watch how much bitching you have to deal with when you block ConstantContact, MailChimp, SendGrid, etc...

    15. Re:How often are the addresses re-validated? by markdavis · · Score: 1

      >Either this is bullshit

      Nope

      > or you have a total of 10 users.

      I have 171 users.

      >Try running an ISP, even a small one with just a few hundred users, and watch how much bitching you have to deal with when you block ConstantContact, MailChimp, SendGrid, etc..

      We get some rare/occasional bitching, and we explain why we do what we do, and they are then appreciative of our very low spam rate and find some work-around.

      One can't do that as an ISP, since it is like censorship. But we are not an ISP and can do what we want. Most people *like* getting rid of all the marketing **** Email. Rarely it is an issue with some newsletter or whatnot that we can't get, and if it is important, the sender can send it directly from their own domain (and usually they are cooperative in such cases).

      The reality is the reputation of a sender can be VERY tarnished by using a third-party mailing system. Not my problem. They are free to use a third-party, I am free to block those third-parties.

    16. Re:How often are the addresses re-validated? by mysidia · · Score: 1

      was Constant Contact. And boy were they pissed! They actually tried to tell my users we were doing something wrong ...

      We used to block ConstantContact on the inbound direction, because we found them (1) using more than half a dozen IP addresses to contact our mail servers AND putting high stress on our mail servers, and apparently defeating our 5-messages-per-second per-IP-address rate limits; instead they were sending hundreds upon hundreds of messages per second, and (2) frequently being a source of mail that generated complaints from our users about getting too much spam. It ended very badly: when a couple of state governmental agencies started using ConstantContact for various newsletters between related orgs, we literally got state IT officials and district attorneys breathing down our necks. Management required we whitelist them, AND since ConstantContact munges the sender address on all mail to in.constantcontact.com, instead of using a return path matching the internal header From: domain, we have no way of separating the newsletters in question and only whitelisting those.

      Therefore, we are essentially required to maintain a whitelist for ConstantContact.

      Unrequested marketing junk *is* spam.

      The industry has come to the conclusion that opt-in marketing newsletters are not Unsolicited, and if it's not unsolicited, there have been cases where providers were successfully sued over blocking the messages.

      We're not part of the 'request' transaction, so if the user did or didn't Opt in to the marketing bulletin: we have no direct way of knowing.

    17. Re:How often are the addresses re-validated? by markdavis · · Score: 1

      > It ended very badly: when a couple state governmental agencies started using ConstantContact for various newsletters between related org

      I can completely understand your situation. That is what caused us some issues too: some national organizations, ones we actually PAID to be a part of, decided to use those scumbags (Constant Contact) and some of my users were affected. But we stood fast and explained in detail to the organization sending them and the users exactly what was going on and why. Most of those organizations still use CC, but several now also have a SEPARATE mailing list from their own domain to send my users important things. And it turns out WE WERE NOT THE ONLY ONES BLOCKING CC.

      >The industry has come to the conclusion that opt-in marketing newsletters are not Unsolicited, and if it's not unsolicited, there have been cases where providers were successfully sued over blocking the messages.

      Well, that is correct: opt-in marketing junk isn't spam. But the issue is that 100% of what I personally get from such marketing firms I *NEVER* requested. So all of it was spam to me. If I looked at ALL the Email coming in from most of those firms, 99+% of it was never opted in to by anyone, so it was spam.

      Of course, by blocking those firms, it also blocks the very tiny part of non-spam marketing that a few of my users *did* request. But in those cases:

      1) Most of it was not work related
      2) Most of it that was work related was not important
      3) We decided, as a facility, that the blocking of the marketing houses which stopped 99% of their spam was more important than allowing a very, very tiny portion of non-spam through with questionable value.

      Again, we are not an ISP, so we can do whatever we want. I don't think an ISP should block such places unless they have permission from each customer.

  8. Not doing it right by macraig · · Score: 2
    1. Re:Not doing it right by Stan92057 · · Score: 1

      Ya know, I've been reporting Facebook and Office Depot, 2 sites among a long list of spammers I have never used an email address on, ever. So there is no question they got the email address from a spam-bot or bought a spammer's email address DVD. I've been reporting both to their host/ISP/email provider and guess what? They do nothing, nada, nit. I get spam from both every single day, 365 days a year. I report it to SpamCop, Gmail, the FTC and still get spammed. So it really doesn't help if no one's going after the hosting company/spammer/product supplier who is ignoring the complaints, what to do. Honey pots are not going to stop the flow of spam if complaints are ignored and our government office in charge of taking care of spammers has done nothing.

      --
      Jack of all trades,master of none
    2. Re:Not doing it right by Anonymous Coward · · Score: 1

      Of course individual complaints get pretty much ignored, use some common sense. You may be sure that you never gave a particular organisation permission to email you, but how can any authority that you report to be sure that at some point you didn't tick a box somewhere giving permission? They can't just take your word for it and send in the SWAT teams. Maybe someone with a similar email address to yours made a typo, and gave your address by mistake. Maybe at some point you inadvertently left that "allow us to pass your details to selected partners" box ticked.

      At best, your complaints will go into a database, and if a particular company stands out as having a lot of complaints against it, someone might look into it. But to imagine that any action is going to result directly from your complaints is just silly.

    3. Re:Not doing it right by macraig · · Score: 1

      You forgot to mention the case that he might have an axe to grind against an organization and satiates his desire for revenge by filing fake spam complaints against them. I know, I know, that never actually happens, and the spam blacklists never got populated with poisonous lint from people doing that....

    4. Re:Not doing it right by macraig · · Score: 1

      What the Anonymous Coward said at 9:40am.

  9. Time by Phunction · · Score: 1

    A better way would be to collect the IPs over time; those IPs that keep recurring over a period of, say, a few months are most likely dedicated spamming addresses. Although most large spammers probably keep shifting addresses and spoofing as you said, since it would be too easy to stop them if they always used the same address. Unfortunately, a simple list of IP addresses won't really do much as they are not likely used more than a couple of times each.

    --
    Sig?
  10. Start a blacklist by Anonymous Coward · · Score: 0

    Well don't... cause there are already lots out there. These lists keep track of spamming IPs and it is usually pretty annoying to get off the lists if you do spam. This means that if a server was compromised and used for spamming, the innocent person can usually have the server up and sending legitimate email within a week or so after the blacklists have accepted that they fixed their issue. MXToolbox has a nice tool to see if a domain or IP is already blacklisted: https://mxtoolbox.com/blacklists.aspx

  11. No. by CaptainDork · · Score: 1

    There are professionals who do this for a living. Keep your day job.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re: No. by Anonymous Coward · · Score: 0

      Exactly, see the Spamhaus project, and other existing services you could integrate with.

  12. Yes by Gunfighter · · Score: 1

    Yes. Publish them through a DNS Blacklist similar to others or add them to an existing one. Establish rules and guidelines for removal procedures.

    --
    -- Stu

    /. ID under 2,000. I feel old now.
  13. Gmail, Outlook, Yahoo, etc? by david.emery · · Score: 1

    What about the spam sent by the big email providers? It's a really interesting question what to do when you get -recurring- spam from these. (I get an offer for "Sun Microsystems User Lists" once a month from a chronic spammer sent either through Gmail or now Outlook. I report them to the abuse@xxx, but they keep on coming.) Do you blacklist a chronic spam source, that also has legitimate users? Do you quarantine everything from them, placing the burden on users/administrators to inspect and release legitimate mail from quarantine?

    There are certainly lots of IP addresses that can be 'safely' rejected. Unfortunately, the growth of outsourced email makes it increasingly hard to depend on DNS information for sanity checks (e.g. there's an MX or SPF record that associates the "From" domain with the domain actually establishing the SMTP connection.)

    1. Re:Gmail, Outlook, Yahoo, etc? by Killall+-9+Bash · · Score: 1

      Cloud-hosted email lets you still control SPF records. Big providers will list this as part of the setup process. Office365 will even warn you that DNS isn't properly configured if it detects you skipped this.

      Some SaaS resellers don't know what SPF records are. These are the same guys who took your website offline when they switched your mail provider, and they have no idea how that happened because websites have nothing to do with email (DERP), so then you had to call your OTHER IT guys. Those resellers shouldn't be selling email... but they are.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
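    The sanity check david.emery describes above (does the sender's domain actually authorise the IP that opened the SMTP connection?) and the SPF records the reply refers to, as an added example that is not from either commenter: a small SPF evaluator run against constructed TXT records in place of real DNS. The domain names and addresses are assumed documentation values; `a`, `mx`, `exists` and `redirect=` are deliberately not modelled.

    ```python
    import ipaddress

    # Constructed stand-in for DNS TXT lookups (assumed records, documentation ranges).
    # example.org delegates part of its policy to a hosted mail provider via include:.
    FAKE_DNS = {
        "example.org": ["v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all"],
        "_spf.mailhost.example": ["v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all"],
        "loop.example": ["v=spf1 include:loop.example -all"],   # misconfigured: includes itself
    }

    RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


    def lookup_spf(domain, dns=FAKE_DNS):
        """Return the domain's SPF TXT record, or None when it publishes none."""
        for txt in dns.get(domain.lower(), []):
            if txt.lower().startswith("v=spf1"):
                return txt
        return None


    def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
        """Evaluate the connecting IP against the domain's SPF policy.

        Handles ip4, ip6, include and all with qualifiers, which is enough for the
        sanity check; a, mx, exists and redirect= come back as permerror rather than
        being silently skipped. Recursion is capped so a self-including record ends
        in permerror (RFC 7208 limits DNS-querying terms to 10 for the same reason).
        """
        if depth > 10:
            return "permerror"
        record = lookup_spf(domain, dns)
        if record is None:
            return "none"
        addr = ipaddress.ip_address(ip)
        for term in record.split()[1:]:          # skip the v=spf1 tag
            qualifier = "+"
            if term[0] in RESULT_FOR_QUALIFIER:
                qualifier, term = term[0], term[1:]
            mechanism, _, argument = term.partition(":")
            mechanism = mechanism.lower()
            if mechanism in ("ip4", "ip6"):
                try:
                    # a v4 address is never inside a v6 network and vice versa
                    matched = addr in ipaddress.ip_network(argument, strict=False)
                except ValueError:
                    return "permerror"
            elif mechanism == "include":
                inner = check_spf(ip, argument, dns, depth + 1)
                if inner == "permerror":
                    return "permerror"
                matched = inner == "pass"
            elif mechanism == "all":
                matched = True
            else:
                return "permerror"                # mechanism not modelled here
            if matched:
                return RESULT_FOR_QUALIFIER[qualifier]
        return "neutral"                          # fell off the end of the record
    ```
    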
  14. Blacklists by elistan · · Score: 1

    There are plenty of such blacklists already published.

    https://en.wikipedia.org/wiki/...

    You can compare your list to others to see if you have anything unique, and if you do I guess your options are either publishing your list on your own, or seeing if any of the other lists would like to merge in your list. Some of the lists allow sites to remove themselves. Some of the lists appear to only have "recently" spamming addresses. Some lists specifically exclude residential ISP connections. There are probably other methods of addressing your ethical issue too.

  15. Comments should be closed on this thread! by Anonymous Coward · · Score: 1

    As I type there are twelve, TWELVE!, comments on this thread. Comments should have been closed after 3 comments.

    Q: Should I Publish My Collection of Email Spamming IP Addresses?

    Comment 1: Yes.
    Comment 2: No.
    Comment 3: Maybe.

    No other comments are necessary. Close the comments for this thread!

  16. re blacklist by freddieb · · Score: 1

    I also have my own blacklist. I thought about publishing them; however, I expect if you publish them you may be subject to some kind of retaliation.

  17. You just don't get it. by freeze128 · · Score: 2

    This is more of an individual asking a yes/no question than a publication asking an inflammatory question just to get clicks.

    Also, yes, you can spoof an IP, which means that you can make packets that you send look like they came from another IP address than they actually did. This may be fine for the one-off UDP packet or such, but email is sent using SMTP, which requires a TCP connection. If your return IP address is spoofed, the 3-way handshake cannot be completed, and therefore, the TCP connection will never be made. If the TCP connection is never completed, then certainly the SMTP email will never be sent.

    While the poster's list may contain IPs that were spoofed, none of the spoofed IPs actually SENT any email.

    1. Re:You just don't get it. by TheCarp · · Score: 2

      This. Spoofing is so overblown. Spoofing is generally not the real issue with almost anything.

      The bigger issue is that people don't need to spoof, they just use someone else's machine. Getting malware installed on a machine is easy, getting it installed on hundreds or thousands of machines is easy.

      FFS my mother gets calls on the phone from people halfway across the world trying to trick her into giving them access to her machine (I find them fun, she hands them to me now...trick is to act very concerned and play along, pretend to have system issues, and keep asking them to hold while you "try to fix it")

      This list of IPs is like a "list of IPs of home machines that are or once were infected, and may not even be assigned to the same machine anymore"

      --
      "I opened my eyes, and everything went dark again"
    2. Re:You just don't get it. by dkman · · Score: 1

      I would be somewhat interested in seeing some charts done. How many IPs fall into ARIN, LACNIC, APNIC, etc? In the US how many fall into Comcast, Time Warner, business ranges? Just out of curiosity.

      I also wonder if the list keeps track of a First Received On and Last Received On date, maybe a counter of Mails Received.

      --
      I refuse to sign
  18. Someone's new to the internet... by Anonymous Coward · · Score: 5, Funny

    A 1 person maintained blacklist!! Sign me up!

    1. Re:Someone's new to the internet... by Anonymous Coward · · Score: 4, Insightful

      Someone who doesn't know the existence of official blacklists really shouldn't be running a mail server.

    2. Re:Someone's new to the internet... by jakimfett · · Score: 1

      This is all that needed to be said.

      --
      Bits of code, random ramblings: jakimfett.com
    3. Re:Someone's new to the internet... by Anonymous Coward · · Score: 0

      A 1 person maintained blacklist!! Sign me up!

      I run one. It's technically "public", but I don't advertise it. It actually works rather well for very small operators. You get your own RBL, tuned to your threat profile. Mine also mines the "big" RBLs I also query, and incorporates the results. This offloads repeat lookups, and allows me to maintain my own delisting policy. I also track ASNs, and get a larger scale picture that allows me to pre-emptively block CIDR blocks of no value to my half-dozen users.

  19. Yeah, can spoof the header, not the connecting IP by raymorris · · Score: 1

    Exactly, if the submitter is talking about the IPs of machines that connected to their mail server, that can't be spoofed. The "received from" headers for servers on previous hops CAN be spoofed, and often are.

    As you said, while a _single_ packet can be spoofed, that wouldn't allow an SMTP connection to be established, so the IP which connected to their machine is reliably known. Their mail server adds a "received from" header with that known IP.
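    The distinction freeze128 and raymorris draw above (the peer IP recorded by your own server's Received header is real; the hops below it are whatever the sender chose to write) as an added example that is not from either commenter: parse the Received chain of a constructed message and keep only the address that actually completed the TCP handshake with our MX. The hostname `mx.example.net` and all addresses are assumed documentation values.

    ```python
    import re
    from email import message_from_string

    # Hostname our own MTA writes into the Received header it adds (assumed value).
    OUR_MX = "mx.example.net"

    # Constructed sample message. The topmost Received line was added by our MX and
    # records the IP that completed the TCP handshake; everything below it was
    # handed to us by the remote side and can say anything. Documentation ranges only.
    SAMPLE_MESSAGE = """\
    Received: from mail.sender.example (mail.sender.example [198.51.100.7])
    \tby mx.example.net (Postfix) with ESMTP id ABC123
    \tfor <user@example.net>; Mon, 01 Jan 2018 10:00:00 +0000
    Received: from trusted-bank.example ([203.0.113.9])
    \tby mail.sender.example with SMTP; Mon, 01 Jan 2018 09:59:00 +0000
    Received: from [10.0.0.5] by trusted-bank.example; Mon, 01 Jan 2018 09:58:00 +0000
    From: alerts@trusted-bank.example
    To: user@example.net
    Subject: constructed test message

    body
    """

    BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)
    IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


    def received_hops(raw_message):
        """Parse every Received header, newest (topmost) first, into (by_host, ip)."""
        msg = message_from_string(raw_message)
        hops = []
        for value in msg.get_all("Received", []):
            value = re.sub(r"\s+", " ", value)        # unfold continuation lines
            by = BY_RE.search(value)
            ip = IPV4_RE.search(value)
            hops.append((by.group(1).lower() if by else None, ip.group(1) if ip else None))
        return hops


    def connecting_ip(raw_message, our_host=OUR_MX):
        """The one address worth recording: the peer that actually connected to us.

        It is taken from the Received header our own server wrote. If the top
        header was not written by us, nothing in the chain can be trusted."""
        hops = received_hops(raw_message)
        if not hops or hops[0][0] != our_host.lower():
            return None
        return hops[0][1]


    def claimed_upstream_ips(raw_message):
        """Addresses from the lower hops: asserted by the sender, never verified."""
        return [ip for _, ip in received_hops(raw_message)[1:] if ip]
    ```
    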

  20. yeah right by Anonymous Coward · · Score: 1

    Whatever. Unless you are high up in management, you do not know everything that is going on at your company.

    Anyway, I think you are full of shit.

    There are no innocent companies that are accused of spamming - they are either doing it themselves or allowing it.

    Verdict : guilty.

    Don't like it? Fix your problems and stop bitching because of your stupidity.

  21. Please no by silas_moeckel · · Score: 4, Insightful

    If you think you can spoof a TCP connection you have no business running a RBL.

    --
    No sir I dont like it.
    1. Re:Please no by Alomex · · Score: 2

      I can. It involves taking momentary control of a router upstream from you. First I need to find a non-secured router (i.e not running secure BGP and allowing arbitrary BGP updates), spoof a hole in the BGP table using a /30 routing prefix containing the purported sender during transmission, then revert to original configuration.

    2. Re:Please no by Anonymous Coward · · Score: 0

      Wait, who the heck are you to dictate such a thing..
      Get off your HIGH HORSE and pull your head out..
      It's because of people like you that repel people like the originator of this article...
      Lonely much??

    3. Re:Please no by silas_moeckel · · Score: 1

      Sure it's possible, it's not that probable. Even very big providers tend to clear their filters once you have enough prefixes being announced. Problem is I've heard "somebody must have spoofed my IP", which was at least incorrect if not a lie, thousands upon thousands of times more than it actually happening. That did not involve BGP but rather ARP and was back in the 90's. Most of the spoofing I see is CPE gear without uRPF, on ISPs without egress filtering connected to ISPs with no ingress filtering and running a tiny tunneling agent on the actual box (often some PHP injected code). I would still call that reason to RBL the source IP: it's infected with that agent even if the traffic does not actually originate there.

      PS First you have to have a BGP session with a poorly secured router with their upstream provider or some provider close to where you're spamming; unless you're going to break into it you will probably need to use at least a /24 and now your ASN is going to be all over the attack, as poorly secured routers don't tend to have BGP communities set up. I say this as even a very poorly managed ISP tends to figure out a /24 filter to stop some of the stupidity coming from their clients. If you're in control of an ISP's router there are much more profitable things you can do than spam.

      --
      No sir I dont like it.
    4. Re:Please no by yetiman · · Score: 1

      "If you're in control of an ISP's router there are much more profitable things you can do than spam."
       
      ...Go Onnnnnnnnnnnnn

  22. No by EvilSS · · Score: 1

    There isn't much of a point to doing it. Most of this stuff is sent via botnets now so most of those IPs are probably DHCP addresses from ISP pools for home users. Maybe if there are addresses that constantly keep popping up, that might be somewhat useful, but those are probably on the existing blacklists already.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  23. New servers by Anonymous Coward · · Score: 0

    And getting your new VPS server's IP out of the god damn IP blacklists is a shit job. Took 6 months to clear them out for my servers.... except from Microsoft blacklists, which still put anything sent from my servers to trash.

  24. It's a waste of time by JustAnotherOldGuy · · Score: 1

    Spammers mint, use, and then abandon email addresses so quickly that a list of (outdated) addresses wouldn't be of much use to most people.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  25. Already been done by JustAnotherOldGuy · · Score: 1

    This has already been done by numerous places. One that I've found especially good for stopping bots from using signup forms is http://botscout.com./ The free daily limits are a little low but for us they're very, very effective. Using them dropped our bogus signups from 200/day to about 1 or 2 per day, sometimes zero.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  26. Do you want the responsibility? by Anonymous Coward · · Score: 0

    If you aren't willing to make maintenance of the blacklist your full time job, don't bother. You will cause more problems in the world than you solve. I speak from 20 years of experience as a sys admin dealing with mail systems. The last thing the world needs is a poorly-maintained blacklist.

  27. STOP B*tching and solve this problem !!! by Anonymous Coward · · Score: 0

    Everyone here seems to be looking for "the other guy" to fix the SPAM(tm) problem.
    The SPAMmers know all the tricks, they were trained the same as the rest of us.

    The big question is, What can be done, now or in the future.

    1. Re:STOP B*tching and solve this problem !!! by ebvwfbw · · Score: 1

      Get politicians to understand that this is a problem. Care about it. Otherwise, they'll say pass the sweet and sour sauce.

      When we can show someone is doing it, let's put 'em in jail, for a long time. No white collar place either, place like Chino or Attica.

      When they get out, if they go back to doing spam, cut their head off.

      Wasted so much frickin' time over the past couple of decades dealing with their BS. Way too much time.

  28. ACK by xororand · · Score: 1

    My virtual server apparently used to be owned by spammers before I rented it. Several web sites ban its IPv4 due to alleged proxies and/or spam.
    Thinking it might be a one-off false positive, I cancelled the server and got a new one within the same network, to no avail.

    So I contacted the admin of one of the websites that banned it. Turns out they blacklisted the whole network of cheap virtual servers years ago.
    IP blacklists should have expiration dates. Apparently most don't.
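    Several of the comments above converge on the same bookkeeping: Phunction's point that only addresses recurring over months are worth listing, dkman's wish for first-seen/last-seen dates and a hit counter, Gunfighter's suggestion to publish via a DNS blacklist, and xororand's complaint that entries never expire. As an added example from this editor, not code from any commenter, here is a small tracker that does all four, fed from a constructed connection log; the thresholds, the zone name `bl.example.net` and all addresses are assumed values.

    ```python
    import ipaddress
    from datetime import datetime, timedelta


    class SpamSourceTracker:
        """Per-IP first/last seen and hit count; an address is listed only after it
        recurs enough times over a long enough span, and drops off once stale."""

        def __init__(self, min_hits=3, min_span=timedelta(days=30), ttl=timedelta(days=90)):
            self.min_hits = min_hits
            self.min_span = min_span
            self.ttl = ttl
            self.entries = {}          # ip -> {"first": dt, "last": dt, "count": n}

        def record(self, ip, when):
            ip = str(ipaddress.ip_address(ip))      # validates and normalises the address
            entry = self.entries.get(ip)
            if entry is None or when - entry["last"] > self.ttl:
                # no history, or history too old to trust: the address may have been
                # reassigned since, so start counting from scratch
                self.entries[ip] = {"first": when, "last": when, "count": 1}
            else:
                entry["first"] = min(entry["first"], when)
                entry["last"] = max(entry["last"], when)
                entry["count"] += 1

        def listed(self, now):
            """Addresses that currently qualify: recurring, spread over time, not expired."""
            out = []
            for ip, e in self.entries.items():
                if now - e["last"] > self.ttl:
                    continue
                if e["count"] >= self.min_hits and e["last"] - e["first"] >= self.min_span:
                    out.append(ip)
            return sorted(out)

        def expire(self, now):
            """Drop entries not seen within the TTL; returns the removed addresses."""
            stale = sorted(ip for ip, e in self.entries.items() if now - e["last"] > self.ttl)
            for ip in stale:
                del self.entries[ip]
            return stale


    def dnsbl_name(ip, zone):
        """Reverse the octets the way DNSBL clients query: 192.0.2.1 -> 1.2.0.192.<zone>."""
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone


    def zone_records(tracker, now, zone, ttl_seconds=3600):
        """Zone-file lines for the listed addresses; 127.0.0.2 is the usual 'listed' answer."""
        return [f"{dnsbl_name(ip, zone)}. {ttl_seconds} IN A 127.0.0.2"
                for ip in tracker.listed(now)]


    # Constructed connection log (documentation addresses) as (ip, time) pairs.
    SAMPLE_LOG = [
        ("198.51.100.7", datetime(2018, 1, 1)),
        ("198.51.100.7", datetime(2018, 1, 20)),
        ("198.51.100.7", datetime(2018, 2, 15)),   # 3 hits over 45 days: listed
        ("203.0.113.9", datetime(2018, 1, 2)),
        ("203.0.113.9", datetime(2018, 1, 3)),
        ("203.0.113.9", datetime(2018, 1, 4)),     # 3 hits but only 2 days apart: not yet
        ("192.0.2.1", datetime(2017, 6, 1)),
        ("192.0.2.1", datetime(2017, 7, 1)),
        ("192.0.2.1", datetime(2017, 8, 1)),       # last seen 7 months ago: expired
    ]
    SAMPLE_NOW = datetime(2018, 3, 1)


    def build_sample_tracker():
        tracker = SpamSourceTracker()
        for ip, when in SAMPLE_LOG:
            tracker.record(ip, when)
        return tracker
    ```
    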

  29. Short answer by Zontar_Thing_From_Ve · · Score: 1

    1) You don't want the legal ramifications of publishing this, especially if you live in the USA. I am American, so I know what I warn of.
    2) Black lists are so old as an anti-spam approach I don't know that anybody takes them seriously any more.
    3) Related to #1, do you really want the responsibility for situations where someone on your list was there due to ignorance and they fixed the open relay problem that led to the spam, they are no longer spamming at all, and yet there they are on your list? I thought about going into details, but on my previous job I know of cases where this actually happened and it's one of the reasons that many of us stopped taking Spamhaus and similar services seriously. It was almost impossible to get off the black list, even if you fixed the problem that got you there or were put there by mistake.

    1. Re:Short answer by Anonymous Coward · · Score: 0

      I have had the opposite experience with Spamhaus. Twice I have found my company's mail server blacklisted and twice I have been able to square it away within a day. (2 different companies, 2 different relays, none of which I had set up.) The secret is not to be a dickhead. In fact, this method works wonders when applied to all sorts of situations.

  30. Definitely Publish by Anonymous Coward · · Score: 0

    Definitely publish Timothy's email address. He has been a source of spam on the front page of Slashdot for a long time now.

  31. one website by Anonymous Coward · · Score: 0

    DShield.org

    Look at it use it and have fun..
    Why is this posted on /.??

  32. What? by hduff · · Score: 1

    What could possibly go wrong?

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  33. Trust? by mo0n_sniper · · Score: 1

    Why should anyone trust YOUR list?

  34. Oh great! by Anonymous Coward · · Score: 0

    I have many times tried to report spam and website break-ins to the abuse address of the IP address owner. A great percent of the abuse email addresses are fakes. The reporting effort just causes the email to get stuck in my server's mailq. Then I have to go back in and delete that.