Slashdot Mirror


Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses?

An anonymous reader writes: I have, for a while now, been collecting IP addresses from which email spam has been sent to, or attempted to be relayed through, my email server. I was wondering if I should publish them, so that others can adopt whatever steps are necessary to protect their email servers from that vermin. However, I am facing ethical issues here. What if the addresses are simply spoofed, and therefore branding them as spamming addresses might cause harm to innocent parties? What if, after having been co-opted by spammers, they are now used legitimately? I wonder if there's a market for all the thousands of webmail addresses that send Slashdot nothing but spam.

21 of 106 comments

  1. No by Anonymous Coward · · Score: 2, Informative

    I think you answered your own question. The only situation might be to share it privately with others, but publicly, no!

  2. What sort of a question is this? by ma++i+ude · · Score: 5, Insightful

    As is, nobody cares about your list. Use an adaptive blacklist and join Project Honey Pot.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:What sort of a question is this? by Spazmania · · Score: 2

      Exactly, he's about 20 years too late to the IP address blacklisting game.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  3. Publish your own, or join in by Anonymous Coward · · Score: 5, Insightful

    There are hundreds of blacklists out there: https://mxtoolbox.com/problem/blacklist/

  4. Go talk to Spamhaus by Penguinisto · · Score: 4, Insightful

    No, really, go talk to them... they've been doing just that as a community for a lot longer, and probably have nearly all the stuff on your list and then some.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Go talk to Spamhaus by Stan92057 · · Score: 3, Interesting

      Ya know, I've been reporting spam to the FTC for years and nothing, and I mean nothing, happens. I don't see any spammers getting arrested or fined by the FTC. I also sent an email asking a congressman just what the FTC is doing with all the reported spam, and all he did was send me a personal info form to sign and release, which I laughed at since ya have to give the very same info when ya send an email to them.

      --
      Jack of all trades, master of none
    2. Re:Go talk to Spamhaus by rubycodez · · Score: 2

      Hey, it's not all clouds and doom; remember that corpse of the Russian spam king who was found beaten to death with hammers? That was pretty cool.

    3. Re:Go talk to Spamhaus by TheCarp · · Score: 2

      If it's any consolation, I was once involved in keeping a mail server under heavy spam load working and shutting down the incoming spew.... which did actually result in someone being taken away by the police, and the last words the network engineer heard as they walked away were "you are lucky you are not in handcuffs".

      Admittedly it has nothing to do with the FTC and actually involved someone at the University who was intentionally misusing resources to spam in the most bone-headed way (from his own desktop in his own assigned office!)....but....it still makes me smile.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:Go talk to Spamhaus by Anonymous Coward · · Score: 2, Informative

      tens of thousands of domains

      Nobody blacklists "domains", every spam comes from a fake email address. No, they blacklist IP blocks.

      it didn't even have any email accounts set up.

      And? If you didn't block outbound SMTP it's trivial to write an SMTP client in just about any language. PHP even has mail functions built in to send mail. It's trivial to write up a PHP script that you upload a CSV file to and have it email everyone on it without an "email account".

    5. Re:Go talk to Spamhaus by mwvdlee · · Score: 2

      What actionable material have you been sending them?
      IPs are next to useless (mostly zombie hardware and outside whatever jurisdiction you report them to).
      Email addresses are nearly 100% fake, so useless. Same for sender domain names.
      Domain names and hosting are recycled within minutes (literally!) and paid for with stolen credit cards.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    6. Re:Go talk to Spamhaus by rubycodez · · Score: 2

      It was goons who killed him, not any legal venue, so no worries.

      http://archive.wired.com/wired...

  5. How often are the addresses re-validated? by QuietLagoon · · Score: 4, Insightful
    If you publish a list, you then obligate yourself to keep that list up-to-date, not only by adding new addresses, but also by removing old addresses that no longer spam.

    Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually. Are you planning to ban those IP addresses permanently?

    So I ask the question, how frequently do you plan to re-validate the addresses that are on your list as still spamming?
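QuietLagoon's re-validation question worked through in code, as an added example that is not from the thread or any poster: it ingests constructed Postfix-style relay-reject lines, lists an address only after a minimum number of hits, and lets the listing expire once the address has been quiet for a retention window, so a cleaned-up hijacked host drops off without anyone filing a removal request. The log format, the thresholds and the RFC 5737 sample addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Postfix-style relay-reject lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-03-01T04:02:11 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Relay access denied
2024-03-01T04:02:13 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Relay access denied
2024-03-02T09:15:40 postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Relay access denied
2024-03-02T11:00:02 postfix/smtpd[103]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 Relay access denied
2024-03-20T22:41:07 postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Relay access denied
2024-03-21T22:41:09 postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Relay access denied
2024-03-22T01:00:00 postfix/smtpd[105]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Relay access denied
"""

# A RCPT reject only happens inside an established SMTP session, so every
# address captured here completed a TCP handshake with us: none is spoofed.
REJECT_RE = re.compile(r"^(\S+) .*?reject: RCPT from \S*\[(\d+\.\d+\.\d+\.\d+)\]")

def parse_rejects(text):
    """Yield (timestamp, ip) for each relay-reject line; skip everything else."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def build_list(text, now, min_hits=3, retain_days=14):
    """Return {ip: (first_seen, last_seen, hits, expires)} for listable IPs.
    min_hits keeps a one-off misconfigured host off the list; retain_days is the
    re-validation window: an address quiet for that long drops out on its own,
    which is how a cleaned-up hijacked host gets delisted without a request."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    seen = {}
    for ts, ip in parse_rejects(text):
        first, last, hits = seen.get(ip, (ts, ts, 0))
        seen[ip] = (min(first, ts), max(last, ts), hits + 1)
    cutoff = now - timedelta(days=retain_days)
    return {ip: (first, last, hits, last + timedelta(days=retain_days))
            for ip, (first, last, hits) in seen.items()
            if hits >= min_hits and last >= cutoff}

def render(listing):
    """One text line per entry, carrying the evidence and the expiry date."""
    return [f"{ip} hits={hits} first={first.date()} last={last.date()} expires={exp.date()}"
            for ip, (first, last, hits, exp) in sorted(listing.items())]
```

Run `render(build_list(SAMPLE_LOG, "2024-03-23"))` to see that 203.0.113.5, last seen three weeks earlier, has already aged out while 192.0.2.77 is listed with an explicit expiry date.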

    1. Re:How often are the addresses re-validated? by mysidia · · Score: 2

      Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually.

      My mail servers' IPs have been hijacked for spamming many times, probably about 3 or 4 times a month, but as far as I know, they are generally cleaned up within a few hours, and usually the volume is restricted by message rate controls.

      The biggest problem is we have no idea when it is happening, or, if there are complaints, which messages are actually true spam and which messages are just "legitimate marketing" that looks spammy.

      Also, the RBLs have destroyed mutual cooperation between operators against spam.... we all just have our blacklists, and then we start having equally huge whitelists that represent the hundreds of thousands of legitimate mail transactions that blacklists have incorrectly interfered with.

      Nobody really sends detailed abuse complaints anymore or provides any data that could be meaningfully used for reliable spam content identification without false positives. They just put IP addresses straight onto a blacklist. Heck, the abuse@ contact address and IP address space WHOIS abuse contacts get no messages at all from humans for the most part, except (ironically) marketing attempts, DMCA letters, and DoS amplification reports.

      So the "eventually" part is because no one's even bothering to lend a hand against the spammers. Perhaps everyone is just overwhelmed and desensitized.

      You'll just wake up after some sneaky spammer has been abusing your mail server starting at 4am, and find your IP with a bad reputation on a bunch of blocklists with not a single actionable abuse complaint. Most RBLs will tell you "their spam traps are secret," and you need to wait 3 days before requesting removal, so they won't even reveal what the spam message looked like, or enough information to identify the abuser on a multi-tenant mail server.

      Then there are 'fascist' blacklists who decide they want to blackmail you and force you to pay a fee for removal. In a number of cases, we have referred those guys to our lawyers, to see if we can do anything about them. Hopefully, law enforcement will eventually lay down the criminal charges against paid-removal blacklists for racketeering.

      Then there are reputation services such as Cisco's, which has no remediation or contact to resolve the listings at all, and they are highly secretive about how they even work.

      Then there are RBLs that insist on blacklisting you for 48 hours, or 5 days, because some spammer managed to go to town for a few hours one night.....

      Most often, it is some customer mailbox whose password has been guessed by spammers, who then proceed to abuse the account.

      Or a mailbox on a customer mail server relaying off of ours.

      It is not so easy to tell when it has happened, because there are plenty of customers running legitimate "newsletters" off their mailbox. We limit each customer to an average rate of 1200 messages per day for some domains, and 250 messages per day for others, but "legitimate" bulk mailers using their normal account to e-mail blast frequently hit the limits and complain about it. Meanwhile, there are spammers who are relentless and send a trickle of messages just below the limits sometimes.

      Then there are spammers who use IP addresses of non-mail servers such as workstations..... by co-opting random systems and running random malware that pretends to be an SMTP server, or they install a local SMTP server and relay off of it.

      The latter are frequently short-lived attacks. By the time anything is in an RBL, the spammer has probably already moved on to the next batch of IP addresses to disrupt.

    2. Re:How often are the addresses re-validated? by postbigbang · · Score: 2

      If someone's breaking into your server 3-4x/month, then you have major problems. If you have clients whose accounts are compromised, then SHUT THEM THE FUCK OFF AND MAKE THEM CLEAN THEIR MACHINES.

      Spoofing user names and using their lists is old hat. I have one ex-friend who greets me weekly with something new and exciting in an attachment. Luckily, I never open *anything*.

      But seriously, if your server's getting broken into that frequently, you need lessons. Numerous ones.

      --
      ---- Teach Peace. It's Cheaper Than War.
  6. Not doing it right by macraig · · Score: 2
  7. You just don't get it. by freeze128 · · Score: 2

    This is more of an individual asking a yes/no question than a publication asking an inflammatory question just to get clicks.

    Also, Yes, you can spoof an IP, which means that you can make packets that you send look like they came from another IP address than they actually did. This may be fine for the one-off UDP packet or such, but email is sent using SMTP, which requires a TCP connection. If your return IP address is spoofed, the 3-way handshake cannot be completed, and therefore, the TCP connection will never be made. If the TCP connection is never completed, then certainly the SMTP email will never be sent.

    While the poster's list may contain IPs that were spoofed, none of the spoofed IPs actually SENT any email.

    1. Re:You just don't get it. by TheCarp · · Score: 2

      This. Spoofing is so overblown. Spoofing is generally not the real issue with almost anything.

      The bigger issue is that people don't need to spoof, they just use someone else's machine. Getting malware installed on a machine is easy, getting it installed on hundreds or thousands of machines is easy.

      FFS my mother gets calls on the phone from people halfway across the world trying to trick her into giving them access to her machine (I find them fun, she hands them to me now...trick is to act very concerned and play along, pretend to have system issues, and keep asking them to hold while you "try to fix it")

      This list of IPs is like a "list of IPs of home machines that are or once were infected, and may not even be assigned to the same machine anymore"

      --
      "I opened my eyes, and everything went dark again"
  8. Someone's new to the internet... by Anonymous Coward · · Score: 5, Funny

    A 1 person maintained blacklist!! Sign me up!

    1. Re:Someone's new to the internet... by Anonymous Coward · · Score: 4, Insightful

      Someone who doesn't know the existence of official blacklists really shouldn't be running a mail server.

  9. Please no by silas_moeckel · · Score: 4, Insightful

    If you think you can spoof a TCP connection you have no business running an RBL.

    --
    No sir, I don't like it.
    1. Re:Please no by Alomex · · Score: 2

      I can. It involves taking momentary control of a router upstream from you. First I need to find a non-secured router (i.e. not running secure BGP and allowing arbitrary BGP updates), spoof a hole in the BGP table using a /30 routing prefix containing the purported sender during transmission, then revert to the original configuration.