Why would you let non-admins boot from anything other than the hard drive?
But even if each zombie can send out 10,000 messages/day instead of 10,000,000, that slows them down enough that you can detect them and kill them (or at least blacklist them...)
Anything that reduces the speed of zombies is a good thing. You don't need a 1000-fold reduction to get good results. For instance, here are my numbers:
I get around 500 spam/junk messages per day. My filters let a few per week through. I expect most of the junk comes from zombies (or is backscatter from zombie mail that forges me as sender), so if we could cut their productivity by a factor of 10, I'd rarely see any. Cutting it from 10,000,000 to 10,000 would essentially solve the zombie problem.
All the people running 200 MHz mail servers are only going to be able to send 10 legitimate emails per day and spammers will hijack more unpatched 3 GHz machines and do distributed computations and send out more spam than ever that gets through because it's passed the computation test.
Do the arithmetic. If a 200 MHz machine can only send 10 per day, then a 3 GHz zombie can only send 150 per day. There are a lot of zombies, but there are far more recipients, so if the zombie is only sending 150 messages per day, you're not going to get much spam.
In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".
All they have to do is change each of those 92 million usernames. The easiest way to do this is for AOL to make the change. For example, they could change your fembots@AOL.com address to fembots@SOL.com.
That should do it.
RBLs only work against honest admins, getting them to clean up the holes in their security. Spammers aren't honest, and as you say, will just use worms to invade machines to create proxies.
RBLs have been around for years, but the amount of spam Spamassassin catches on its way in to me is ever-increasing. If RBLs worked, the spam problem would have been solved years ago.
On the other hand, the amount of spam getting past Spamassassin to me is pretty steady. I guess that indicates it's getting better. Mostly what gets past is what the article calls "backscatter": delivery failure messages caused by spammers forging my email address.
Should systems that send backscatter be blacklisted? I'd tend to say yes: they should only send failure notices to senders who pass some sort of verification like SPF. Putting them in an RBL really would encourage them to do that.
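The "only send failure notices to senders who pass SPF" rule from the comment above, worked through as an added example (not the commenter's code). It uses a deliberately simplified SPF evaluator that understands only the `ip4`, `include` and `all` mechanisms, looks records up in a constructed in-memory table instead of DNS, and uses hypothetical domain names; a real deployment would use a full SPF library and live TXT lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains are hypothetical.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Simplified SPF evaluation covering only ip4, include and all terms."""
    if depth > 10:  # SPF limits recursion; treat runaway includes as an error
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # An include matches only when the included domain yields "pass".
            if check_spf(term[8:], client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr etc. are not modelled here
    return "neutral"  # record exhausted without an "all" term


def may_send_bounce(envelope_from, client_ip):
    """Generate a delivery-failure notice only if the sender's domain authorized the client IP."""
    domain = envelope_from.rsplit("@", 1)[-1]
    return check_spf(domain, client_ip) == "pass"


if __name__ == "__main__":
    for sender, ip in [("joe@example.org", "192.0.2.7"),
                       ("joe@example.org", "203.0.113.5"),
                       ("joe@nospf.example", "203.0.113.5")]:
        print(sender, ip, check_spf(sender.split("@")[1], ip), may_send_bounce(sender, ip))
```

The cleaner mitigation is to make this decision during the SMTP transaction and reject the message with a 5xx response, so that no bounce is ever generated; a notice should be produced after acceptance only when the check above passes.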
I still think you're making a mistake. If CJB.net goes out of business, what have you got?
Domain names are pretty cheap (around $10-$15 per year), you can prepay for up to 10 years, and they'll be around at least as long as CJB.net.
Don't trust a free service like weblogs.com, but don't trust a small commercial service either.
You probably can't trust ICANN to act in your best interest, but you can probably trust them or their descendant to leave your name in basically the same form.
Which is why redirect URLs are handy, especially for cheapskates like me. I host my website on various free services, but I've kept the same CJB.net URL for some time now. That's what I link to, that's where people go even if I move to another domain (so long as I update the forwarding, of course).
So you're protected from one of your free web hosts from shutting down, because you use a free redirection service to get to them?? What happens when CJB.net closes shop?
You should register a domain. Then you're safe until some big company decides to challenge you for it.
I've had more stability and success with netgear by far. Luckily I'm not using this particular router.
Do you trust them not to have the same flaw in their other equipment? Why?
The main problem is that Windows tends to ship insecure. Linux or OSX on the other hand requires you to turn on stuff that may go bad.
I use about 10 different computers. I administer 4 Windows computers (98, Me, XP times 2), and am a user on a few Linux boxes and a couple of FreeBSD systems.
The Linux boxes are the only ones that have been broken into, on two separate occasions. In one occasion it was likely because one of the users was careless with his password; we don't know where the other break-in came from. As far as we know in both cases the attackers got root access. Once they had that, they immediately had access to a large number of other computers through public-key logins.
It's harder to break in to Linux than to Windows, but it's worth more, so it happens more often than you'd like to think.
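The break-in described above spread because a root compromise handed the attacker every public-key login the compromised host held. A defender-side check for that exposure, added here as an example and not the commenter's own tooling, is to audit `authorized_keys` files for entries that carry no `from=` source restriction and no `command=` or `restrict` option, and for deprecated key types. The file content below is constructed, with hypothetical hosts and truncated key material.

```python
# Constructed sample authorized_keys content (hypothetical hosts, truncated keys).
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIAL alice@laptop
from="192.0.2.0/24",command="/usr/local/bin/backup",no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EEXAMPLE backup@nas
ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE old@box
restrict,from="198.51.100.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 deploy@ci
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
WEAK_TYPES = {"ssh-dss"}


def split_options(line):
    """Split the leading options field from the rest; commas may appear inside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_entry(line):
    """Return {options, type, key, comment} for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit_entry(entry):
    """List the ways this key would let a compromised client reach the host unrestricted."""
    opts = entry["options"].lower()
    issues = []
    if "from=" not in opts:
        issues.append("no from= source restriction")
    if "command=" not in opts and "restrict" not in opts:
        issues.append("grants an unrestricted interactive login")
    if entry["type"] in WEAK_TYPES:
        issues.append("deprecated key type %s" % entry["type"])
    return issues


def audit(text):
    """Return (line number, key comment, issues) for every entry with findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        issues = audit_entry(entry)
        if issues:
            findings.append((lineno, entry["comment"], issues))
    return findings


if __name__ == "__main__":
    for lineno, comment, issues in audit(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (lineno, comment, "; ".join(issues)))
```

Run it over each user's `~/.ssh/authorized_keys` and the root account's on every host that accepts key logins; an unrestricted key on a host that can itself be compromised is exactly the path the comment describes.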
The real problem is compliance: until 99% of mail servers provide this data, I can't reject mail from non-SPF-listed domains.
There aren't many tests which are perfect spam identifiers with no false positives. You should use the SPF compliance as part of a scoring scheme. Messages that fail SPF are more likely to be spam than messages that pass, so they get a higher spam score. If the score exceeds a threshold, mark it as possible spam. If it exceeds a higher one, delete it unread.
This is the strategy Spamassassin allows, and it works really well, especially if you let the scoring be adaptive (i.e. use "Bayesian tests").
Clearly Microsoft is reeling under the impact of Linux, and is regrouping for a last stand.
This page gives instructions on turning a dead hard drive into a clock case. Not only do you get a clock that works, but you get to keep the magnets from the motor for other fun.
It's a little lame (the hard drive doesn't do anything, you attach a clock movement to the back), but it's better than throwing the drive in the trash.
If one isolated hacker is worth $5m,
You need to RTFA again. The payment was $250k. The fund is $5m.
Surely Usenet is a better place if replies are posted back to the newsgroup, rather than just the individual. My newsreader lets me search by posts I've appended to.
That depends. Often people mention things in their post that aren't really relevant to the newsgroup, so an offline discussion is better.
For instance, just the other day someone spotted my name and emailed me to let me know that a distant relative had died, and left tons of money, which is probably mine to claim. Soon I'll be rich.
That patch also broke R (the open source stats package). We tracked it down to the fact that after installing the patch, the HOMEPATH environment variable is no longer set properly.
Details here.
By the way, we had a patch out to work around this bug within a couple of days. Open source is good.
If we don't like the GIMP interface why are we relying solely on the GIMP team to change it? Why don't we form a team and fork a project specifically to redesign the UI to a more professional standard?
Because it's hard. User interface design is just as hard as other aspects of programming, but when you do a crap job of it, everybody knows.
You Americans think everything is so easy, yeah. If I am connected using the ONLY provider here I effectively cannot press him to do anything. Granted, I have a choice: to be connected, or not.
You can use your provider to get a connection to Hotmail, or Yahoo, or any of hundreds of email providers. You don't need to use your provider for email.
Registrars do have the right to cancel registrations when fake contact information is given. Perhaps your friend wanted to avoid being spammed, and didn't give his correct name, address and email when he registered.
I get all of my 419ers from Hotmail and Yahoo and they do the shit about them.
I doubt if that's true. The 419ers generally don't send from Hotmail or Yahoo, though they often set up return addresses there.
You can't trust the "From:" address to be truthful, you know.
The "change ISPs if you don't like it" argument is weak - most ISPs don't advertise what their policy (which may be fickle) regarding spam filtering is.
Most don't --- but some do. So use one of those.
The ones with good technical information probably aren't the cheapest, but they're probably more reliable than the cheap ones in many ways, including this one.
You aren't tied to a single provider, even if there's only one high-speed provider that services your area. Use them to connect to someone else.
Which emphasizes the effectiveness of blacklisting large blocks so the paying corporate customers suffer.
The problem is that an RBL that aims for too much collateral damage isn't going to be used enough that the damage will matter. It's a really fine balancing act: you want to be reliable as a filter, so that lots of mail servers do blocking based on what you say, but you also want to push the limits a little bit, so that ISPs are encouraged to fix their spam problems.
SPF will probably be helpful eventually, but it's going to take a while, and it's going to cause a lot of trouble for people like me.
I have email addresses on about 5 different domains, registered with 4 different registrars. One domain does SPF; two are under my control, but I don't see anything on the registrar's pages about SPF, and the last two are academic domains, which means whether they do it or not depends on who is handling DNS this week.
So I'll have trouble using 4 of my domains for sending, because they're not SPF registered. I'll have trouble setting up SPF on the two domains I control, and who knows when the academic domains will get it.
I'll also have trouble because my academic addresses forward mail offsite. My reading of the SPF information says that forwarding is not supported. So I'll have to change that.
I'll have trouble setting up SPF, because the SPF page is poorly written, and lots of owners of small domains like me won't know how to go through their "wizard" to figure out the best setup. (For example, it asks me "Do you want to just approve any host whose name ends in my.domain?" What's that supposed to mean?)
In the meantime, I get dozens to hundreds of bounces coming to my mailboxes.
I can appreciate that. Your priorities change however, when you are paying for the servers and the bandwidth.
But I do pay for the servers and bandwidth. Not the whole shot, but I don't get what I use for free. The costs are passed on to me.
Your argument isn't that valid anymore. Most spammers are no longer hijacking legitimate mail relays.
If that's the case, then being blacklisted isn't a disincentive any more either. RBLs that list DSL systems are good to use in filters; they're no good at all for putting pressure on ISPs. To do that, you need to harass the ISP in some other way, but that's hard, and frankly, not worth the trouble.
I think the "putting pressure on ISPs" stage is done. It worked on everyone it's ever going to work on.
When I installed TMDA, I watched the "pending" folder for 6 months, to ensure that everybody confirmed their mail. And they do.
That makes it sound like it's not practical for someone who gets a lot of mail.
I have a number of public email addresses for various roles. I get about 500 spams/viruses/garbage challenges/etc. per day. If I were to install a challenge response system, presumably I'd want to keep my "pending" box for a day or two before I deleted it: so then every day I'd be manually checking through 500-1000 messages, looking for that needle in a haystack that corresponds to a real message that hasn't been confirmed.
I honestly don't think I could stand to do that.
What I do instead is the following: I use Spamassassin as a content filter to classify incoming mail. Anything over a certain score gets held for a few days and then deleted unseen. Things that are at an intermediate score get put in a folder for manual checking. Low scores are treated as clean.
With this system I need to manually check around 20-30 messages per day (mostly automatic response crap from systems like yours, or virus checkers), and a few spams get through. I've probably filtered real email at some time, but I've never heard of complaints from senders, and I've never noticed my intermediate scoring messages to contain anything that I'd really want to keep.
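The scoring scheme from the SPF comment earlier on this page (an SPF result as one weighted test among others, with an adaptive Bayesian component) and the three-tier routing just described (hold and delete, manual check, clean) fit together in one small filter. The following is an added example, not the commenter's setup and not SpamAssassin's code: the rule weights, thresholds, training corpus and messages are all constructed, and the "Bayesian" part is a minimal naive-Bayes token model rather than SpamAssassin's.

```python
import math
import re

# Constructed rule weights and thresholds (illustrative, not SpamAssassin's real values).
RULE_SCORES = {
    "SPF_FAIL": 3.0,
    "SPF_SOFTFAIL": 1.0,
    "SPF_NONE": 0.5,
    "AUTO_RESPONSE": 1.5,  # bounces, challenges, virus-checker notices
}
REVIEW_THRESHOLD = 3.0  # at or above: folder for manual checking
HOLD_THRESHOLD = 6.0    # at or above: held a few days, then deleted unseen


def tokens(text):
    return set(re.findall(r"[a-z$][a-z0-9$']+", text.lower()))


class TokenModel:
    """Minimal naive-Bayes token model: the adaptive part of the score."""

    def __init__(self):
        self.spam, self.ham = {}, {}
        self.nspam = self.nham = 0

    def train(self, text, is_spam):
        counts = self.spam if is_spam else self.ham
        for t in tokens(text):
            counts[t] = counts.get(t, 0) + 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def probability(self, text):
        # Sum of per-token log-odds with Laplace smoothing and equal priors.
        logodds = 0.0
        for t in tokens(text):
            p_spam = (self.spam.get(t, 0) + 1) / (self.nspam + 2)
            p_ham = (self.ham.get(t, 0) + 1) / (self.nham + 2)
            logodds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-logodds))


def bayes_points(prob):
    """Map the token probability onto score points, high-confidence ham scoring negative."""
    if prob >= 0.9:
        return 3.5
    if prob >= 0.6:
        return 1.0
    if prob <= 0.1:
        return -2.0
    return 0.0


def score_message(msg, model):
    """Return (total score, rule names hit) for a message dict with spf/subject/body fields."""
    hits, score = [], 0.0
    spf_rule = "SPF_" + msg["spf"].upper()  # SPF_PASS carries no weight
    if spf_rule in RULE_SCORES:
        hits.append(spf_rule)
        score += RULE_SCORES[spf_rule]
    if msg.get("auto_submitted"):
        hits.append("AUTO_RESPONSE")
        score += RULE_SCORES["AUTO_RESPONSE"]
    prob = model.probability(msg["subject"] + " " + msg["body"])
    pts = bayes_points(prob)
    if pts:
        hits.append("BAYES_%02d" % int(prob * 100))
        score += pts
    return round(score, 2), hits


def route(score):
    if score >= HOLD_THRESHOLD:
        return "hold"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "clean"


def build_model():
    """Train on a tiny constructed corpus; a real filter learns from the user's own mail."""
    model = TokenModel()
    for text in ["cheap pills online order now", "claim your prize money transfer now",
                 "cheap online pharmacy order today"]:
        model.train(text, True)
    for text in ["meeting notes for tomorrow attached", "patch for the build failure attached",
                 "notes on the kernel patch"]:
        model.train(text, False)
    return model


# Constructed sample messages, one per tier.
SAMPLE_MESSAGES = {
    "spam": {"spf": "fail", "subject": "Cheap pills online", "body": "order now"},
    "bounce": {"spf": "none", "auto_submitted": True, "subject": "Undeliverable: your message",
               "body": "Your message could not be delivered because a virus was detected"},
    "ham": {"spf": "pass", "subject": "kernel patch", "body": "notes on the kernel patch attached"},
}

if __name__ == "__main__":
    model = build_model()
    for name, msg in SAMPLE_MESSAGES.items():
        score, hits = score_message(msg, model)
        print(name, score, route(score), hits)
```

The negative Bayes points for confident ham are what keep an SPF-less but otherwise clean message out of the review folder; the auto-response rule alone lands the bounce in the manual-check tier, which matches the "mostly automatic response crap" the comment reports seeing there.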
Authentication is to be expected these days. You have to confirm mailing list subscriptions. You have to be granted authorization on IM (Jabber). Why should email between individuals be any different?
Those other systems have been abused: forged subscriptions to mailing lists used to be a common way for kiddies to flood each other's mailboxes.
On the other hand, it's far more likely that an email "from" me to you is faked than real, so why do you offload the filtering burden from your own system to mine? You're adding to my pollution because you're too inconsiderate to deal with your incoming mail yourself.
When I get a challenge from a system like yours, usually I don't see it (since your systems are fooled so often, my Bayesian filter is trained to treat your challenges as spam). If I do see it, I generally only send the confirmation if I really, really want to contact the person. If I were thinking about buying something from you, your "kiss my ass" message would likely make me change my mind.