Slashdot Mirror


User: winnetou

winnetou's activity in the archive.

Stories: 0
Comments: 122

Comments · 122

  1. Re:Random nonsense on Spammers Sue Anti-Spam Groups · · Score: 1
    Finally, I wouldn't doubt that these spammers have at least one techie who reads Slashdot. Posting "Here's my honeypot" to this guy is simply going to get your hostname blacklisted among other spammers.

    I doubt it. If that were true they wouldn't keep testing my mail server, I report it often enough.

  2. Re:25 years ago, it was Global Cooling on Still More on Global Warming · · Score: 1
    so it's like an ice age with heaters?

    I don't know, we only have solid temperature data for a bit more than a century (but lots of circumstantial data for periods before that). It could be a cold period with man-made global warming, it could be a warm period.

  3. Re:25 years ago, it was Global Cooling on Still More on Global Warming · · Score: 1

    in the 70's, many of today's Global Warming researchers were claiming that the Earth was falling into an Ice Age.

    A frightening thought is that we actually might be living during an Ice Age, the warmest Ice Age ever. There are billions of people now; we started burning lots of wood and peat a few centuries ago; when we had exhausted those, we turned to coal, oil and natural gas.

  4. Re:Losing a figurative war on spam on Forty Percent of All Email is Spam · · Score: 1
    You can't change the MXes for example.com to those IP addresses unless you are the owner of example.com (otherwise you'd have to hack into someone's DNS server).

    So: that means that you're the owner of example.com.

    The costs to register a domain are less than $10.

    But if you list an open relay as an MX for your domain and start sending spam from it, your domain suddenly gets put on a blacklist and people start dropping all your email from that domain on the floor, legitimate or not.

    Unfortunately, that doesn't happen suddenly. Otherwise, we could just list the open relays and open proxies and be done with it.
    In fact, the number of possible IP addresses (just over 4 billion) is far less than the number of possible domain names.

    And as a spammer, that means that you're either out of business or you have to shell out another $10-$15 for a new domain. This eats into your profits because it costs you both time and money.

    It is easier to automate the registration of domain names than to find machines with the latest proxy exploit.
    Yes, $10 is money, but not much. Spammers pay more to find bulletproof web hosting.
    More importantly, we would lose the ability to forward email.

  5. Re:Ratio is higher here on Forty Percent of All Email is Spam · · Score: 1
    A simple solution is replacing the broken SMTP with something that requires authentication and doesn't give you the ability to modify the headers unless you run the server.

    The hundred (or so) big time spammers who send 50% of all spam already run their own servers.

  6. Re:The Spam Solution: Re-Costshifting on Forty Percent of All Email is Spam · · Score: 1
    An exelent (sic) proposal is IM2000

    I don't think IM2000 can do anything against spam like "please this link", since reading IM2000 mail basically is the same as clicking on a link.

  7. Re:Losing a figurative war on spam on Forty Percent of All Email is Spam · · Score: 1
    But even if the open relay doesn't do this, the system it tries to deliver email to will -- and the open relay will not be listed as an MX for the domain associated with the spam message, so the mail will be dropped on the floor by the receiving system.

    I am afraid it won't work. Imagine I am a spammer who just found an open relay at (say) 10.11.12.13 and an open proxy at (say) 192.168.1.2. I change the MX-es for example.com to those IP addresses and start pumping spam through those machines.

  8. Re:Nice idea on Using Statistics to Cause Spammers Pain · · Score: 2, Informative
    They are so shady that there are no records of anything.

    They aren't, they publish rather extensive proof why they list an IP address or range.

    I could show you unanswered emails, but they would be too easily faked to be relevant.

    From the SPEWS FAQ:
    Q41: How does one contact SPEWS?
    A41: One does not. SPEWS does not receive email

    I am surprised your mailserver didn't inform you that spews.org does not answer at port 25.

    The fact that you suggest booting a client AT ALL due to a technical error goes to show how ignorant you are. If a client is intentionally spamming we give them the boot right away. If they are an open relay, even if due to incompetence, they fix it or we fix it. Suspending their account would be stupid. We would lose the client.

    Not suspending the client means you are spamming lots of people. My clients don't like spam, hence I use SPEWS to stop the spam from your IP range(s).

    No, we kindly inform them of the problem, like people over the age of 15 interested in making money and retaining good business relationships.

    That decision is rather bad for your relationship with other providers. The Internet is a collection of networks, if you only care about your income and knowingly and willingly allow open servers to send spam, don't expect others to spend bandwidth and CPU time to filter the few legitimate messages from the flood of spam.
    Once again, I remind you that I am not listed by SPEWS, just like 99.8% of the Internet.

  9. Re:Nice idea on Using Statistics to Cause Spammers Pain · · Score: 1
    You sir, are an Idiot. Not to mention entirely uninformed.

    Well, at least I am an uninformed idiot whose mailserver isn't an open relay.

    There are no "spam reports". There is no /32s growing to a /24. They just bury the whole block. Not that they bother to check ARIN for the actual block boundaries.

    As a satisfied user of SPEWS, I would like to see some proof. When you accused SPEWS of ignoring phone calls, you made a factual error: SPEWS can not be called, so they can't ignore phone calls.

    As for an ISP booting clients for having an unintentional open relay for an hour, well, such a stupid idea isn't so surprising from an individual as stupid as yourself. Go start an ISP, go try it.

    May I remind you that I am not listed? Perhaps I am not as stupid as you think. For example I did not suggest booting clients on the first incident, I suggested suspending their connection until they fixed the problem.

  10. Re:but its usually from an open relay... on Using Statistics to Cause Spammers Pain · · Score: 1
    you know, I contacted several MAPS type orgs to offer my built-in honeypot off of bad IPs and they refused to take them!

    If those bad IPs are open relays or open proxies you can nominate them to the Distributed Server Boycott List by sending email through them.

  11. Re:Nice idea on Using Statistics to Cause Spammers Pain · · Score: 1

    Not quite. If qmail's control/rcpthosts file is missing, it behaves as expected, but acts as an open relay with no warnings whatsoever. (eyeroll) this has burned me a few times.

    In one case, it got my block listed in SPEWS


    The lax reaction by the ISP which ignored the spam reports, caused the listing to be expanded from your /32 to a wider block.

    Now, let me give a small rant about SPEWS. SPEWS has to be one of the biggest disservices on the entire Internet. They don't bother to only blacklist hosts that are known open relays. They don't bother to only blacklist blocks. Oh no. They just blacklist the /24. So if you are on a /26 or /28 (VERY common colo assignments) and your neighbor gets buried, you get it up the ass too.

    Only if you have a lazy provider (like yours) which allows morons (like you) who repeatedly open their relay. If your provider would have acted promptly (suspending you the first time until you found someone qualified to operate as root; kicking your sorry ass the second time), the listing would not have grown to a /24.

    They are very difficult to get off of. They ignore email and telephone calls.

    They don't ignore email (but they only have spamtraps: if the spam stops, the listing goes away). They don't have a telephone number, so they can't ignore telephone calls.

    [snip]

    Seriously, please boycott them. Use a heuristic spam detector like spamassassin which tags messages instead of throwing them away.

    If I use SPEWS, I don't have to throw messages away, I refuse to accept them. Almost invariably this means the spammer could not steal bandwidth and diskspace; if the email was legitimate the sender will immediately know that the email was not accepted, which is much better than an email which will end up in a spam folder.

  12. Re:SpamArrest is far, far cooler on NYTimes: Tangled Up in Spam · · Score: 1
    but is [the spammer] going to do that for all 60,000 emails he just sent out?

    Probably not, but not for the reason you are suggesting. The spammer won't do it because those 60,000 bounces have just overflowed the mailbox of some poor shmuck whose email address was forged.

  13. Re:Internet mail architecture sucks on NYTimes: Tangled Up in Spam · · Score: 1
    Change to something like IM2000, spam vanishes in a poof.

    Could you explain the difference between "There is a message for you at im2000://$URL1 " and "Visit http://$URL2 "?
    What's worse, you can't read your email off-line unless you prefetch your im2000 email, thus verifying the im2000 mailbox is read.

  14. Re:Illegal? on NYTimes: Tangled Up in Spam · · Score: 1
    Else what would stop people from hiring an offshore spammer to send out fake spam from a competitor?

    The same laws that stop them from ordering stuff in their competitor's name: if caught their competitor will own their company, and they will be Bubba's new toyboy.

  15. Re:At last on NYTimes: Tangled Up in Spam · · Score: 1
    we told everyone why they got our mail (because they signed up at the website)

    How did you know they signed up at the website? For your information, almost all pr0n spammers claim the spammee signed up at a website.

    Anyone else been a 'victim' of crazy blacklist providers?

    Sure, lots of people who think they can use any mail address they can lay their hands on, as a dump for their advertisements. You did not ask for permission to fill those mailboxes, you did not even know whether you were spamming minors with your pr0n.

  16. Re:SpamAssasin in large corporate use? on NYTimes: Tangled Up in Spam · · Score: 3, Interesting
    I was wondering how many large corporations are using SpamAssassin. And if not, why not?

    Reasons for not using SpamAssassin are the CPU and bandwidth costs. Refusing e-mail from known spam sources is cheaper and (more importantly) does not give away information about which addresses are valid.

    After checking the source IP address against lists such as Wirehub, Osirusoft (despite its name not only a list of open relays) and/or some other lists, almost no spam will be accepted.

    IP space is finite and, even better, allocated in ranges. Continued spam from (or spamvertizing a website on) an IP address is a very good indicator for more spam from the IP range.

  17. Re:Sleep Paralysis? on Be Thankful If They Just Snore · · Score: 1

    Anyone else on Slashdot have it?

    Well, I am not sure. The description of the symptoms is eerily accurate.

    My experience fits: A1, A2, most of B2 (visual control, terror of presence, undecidable presence watching, auditory "hallucination" of breathing, visual "hallucination" of eyes as only distinct feature), and two of B3 (continuity of conscious experience, distortions of body image).

    My own explanation after I woke up seems rather reasonable, though. The side on which I slept meant I looked away from the window, the cat sat before my face (reflecting the dim morning light with its eyes) and woke me during REM sleep.

    The feeling of distortion of body image is normal when I wake up during REM sleep, the "hallucinations" are explained by the cat, and the terror is explained by the combination of fear of something watching and sniffing, and the inability to move.

    The dread was extreme at that moment, however; even worse than when I woke up from gastroesophageal reflux with stomach acid in my lungs, my body used all air to cough, and I saw the colour of my face go through red and purple to blue.

  18. Re:Not only organizations, also USA centricity too on Growing Commercialization Threatens Net Security · · Score: 1
    Much of global Internet traffic on the intercontinental level is routed through the USA, even though the origin or destination may be totally outside the USA. For instance, traffic between Asia-Europe, or South America-Australia will almost always pass through the US, because most of those "hubs" are, as the article mentions, in the USA.

    It is not USA centricity per se, it is more a result of economy of scale. If a lot of people are connected to a hub, one gets connectivity to all those people by connecting to that hub.
    I live less than 1 mile from a rather large exchange and more than 100 miles from a larger exchange, but when electricity in Amsterdam failed, my connection dropped to a crawl, even though the nearby exchange still had lots of capacity.
    Redundancy costs much more money than a few extra diesel generators in Amsterdam.

    I believe more work should also be done on intercontinental links that do not go through the USA as well.

    A 10 Gbps link from Europe to Asia went live more than 5 years ago, but traceroutes from me (the Netherlands) to India still (almost?) always go through the USA. If the bandwidth isn't used, no one will invest in more bandwidth.
    The earth is a globe, but the Internet has mostly a star topology.

  19. Re:Deliberate attack on Debian on University of Twente Back Online · · Score: 1
    I believe this computing facility hosted a Debian mirror.

    security.debian.org is now hosted at klecker.debian.org. However, according to Debian's security list:

    We expect the next security advisories to be sent out on Monday, since all packages that were already prepared for release on Wednesday are lost and need to be rebuilt.

  20. Re:A solution? on Another Millionaire Spammer Story · · Score: 1
    Kmail has a "bounce" option. Why more email clients do not is beyond me.

    Most people do not want to add to the mailbomb of the victim whose address was forged. If (and that's a big if) the spammer owns that address you will just confirm that your address is actively read.

  21. Re:Congratulations... on University of Twente Back Online · · Score: 4, Funny
    And the first thing to happen after getting back online is getting slashdotted. :)

    $ date --rfc-822; time lynx -dump www.utwente.nl | wc
    Sat, 23 Nov 2002 02:38:31
    183 551 7907

    real 0m0.182s
    user 0m0.090s
    sys 0m0.010s

  22. Re:So an alternative is needed on Email (As We Know It) Doomed? · · Score: 1
    Maybe it's time to set up some infrastructure for Internet Mail 2000

    How does that differ from please click at http://spammer.com?a=your.address@example.org, other than that you probably would not click on that link (and tell the spammer he found a fresh address).

  23. Re:Zero Discernment on Email (As We Know It) Doomed? · · Score: 1
    The only way to deal with spammers is with a shotgun.

    Your ISP was knowingly and willingly aiding and abetting the spammers. Why do you lay the blame at the people who defended their systems against the onslaught of spam by dropping mail from your ISP and not at your ISP which kept ignoring spam reports?

  24. Re:DDOS on Root Zone Changed · · Score: 2, Informative
    Does this have to do with the DDOS attacks that happened a couple weeks ago?

    Possibly, a and j.root-servers.net are now in different netblocks, making a DDoS a bit more difficult.

    Why else would they not make an announcement?

    Because nameservers use the "hints" zone as a hints zone, i.e. they will fetch the authoritative nameservers using the IP addresses in the "hints" zone to find an answering nameserver.
    Since j.root-servers.net will continue to answer at the old address, no one will notice the change.

  25. j.root-servers.net did not change hands. on Root Zone Changed · · Score: 4, Informative

    j.root-servers.net was 198.41.0.10 in 198.41.0.0/22, owned by VeriSign Global Registry Services.
    j.root-servers.net is 192.58.128.30 now, in 192.58.128.0/24, owned by VeriSign Global Registry Services.
    Having both a and j in the same netblock was not a good idea (remember what happened to Microsoft when they had all nameservers in the same netblock?).
    See ARIN and ARIN again.