Check your ISP's Terms and Conditions (comment on "Paid To Spam"; Score: 2, Informative)
Using VirtualMDA almost certainly is a direct violation of the terms and conditions you signed when you first purchased your DSL or cable modem connection.
In addition, Atriks' own policy ensures that they will NEVER pay you.
Believe me, this news hits slashdot late. The folks at your ISP almost certainly are aware of Atriks, and its owner Brian Harberstroh by now, and if not, you can point them to THIS. Spamhaus does not add listings to ROKSO until after a spammer has had three documented terminations. In fact it often takes several before one can get three which are documented, as most ISPs don't announce when they've terminated a spammer.
Once all/most/many of the relays that they can use without *overtly* breaking the law close up, spammers will simply turn to *overtly* breaking the law, as in creating zombie networks. And as soon as those poorly maintained computers are cleaned up, they will simply use the same virus/worm/exploit to 0wn more poorly maintained computers (These computers will coincidentally tend to be crawling with malware already).
You're behind the curve. Spammers have actually already run out of machines they can use without *overtly* breaking the law, and starting about TWO YEARS ago, began exploiting security vulnerabilities and employing professional virus-writers in Russia and the Ukraine.
There have now been four or five generations of proxy-trojan backdoor worms, with features such as randomized port listening, making them next to impossible to detect until the spam begins.
Several dozen "zombie networks" already exist, along with hijacked netblocks of companies which went under during the "dot-bomb" in 2001.
In fact, there are places on the web where you can buy lists of exploited machines.
As someone who investigates spam for a living, it's been nearly two years since I've seen spam through an open relay mailserver. Almost everything now comes from infected home PCs on cable or DSL lines.
Though any such move would doubtlessly be controversial, I suggest writing a "white hat" virus that would:
This "white-hat" in particular disagrees with your use of the word "controversial" and suggests you substitute "liable to land one in prison for 10 years". Recommendations of "hacking the hackers" and "spamming the spammers" are sophomoric, unprofessional, and when implemented, tend to attract the attention of law enforcement onto your ass rather like sticking a lightning rod up it.
Happily, spammers still don't know how to write a proper SMTP client. Most spamware only approximates a real SMTP transaction (usually well enough to work). Without going into detail (for obvious reasons), this can be detected.
See the Composite Block List as an example of the practical application of passive detection of spammer malware.
Here's a hint for those running their own mailservers: Spamware tends to time out very quickly. Add a short delay before your MTA presents an SMTP banner (oh, 30 seconds is fine). Most spamware will start behaving as if you don't even exist. The SMTP RFCs say clients should wait for the initial banner for five minutes before timing out:
4.5.3.2 Timeouts
Initial 220 Message: 5 minutes
An SMTP client process needs to distinguish between a failed TCP connection and a delay in receiving the initial 220 greeting message. Many SMTP servers accept a TCP connection but delay delivery of the 220 message until their system load permits more mail to be processed.
There are a few places which set their timeouts ridiculously short, like Yahoo, and UUNet, and if you do a lot of business with them you'll need to whitelist. Otherwise, go to town.
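The banner delay described above, as an added example that is not the poster's code: a small asyncio SMTP front end that holds the 220 greeting for a configurable number of seconds and records, per connection, whether the peer waited it out, hung up first, or started talking before being greeted. The hostnames, the 554 reply text, and the two simulated bulk-mailer clients are constructed for the demonstration; the RFC timeout constant comes from the 4.5.3.2 text quoted in the comment. The default delay is 2 seconds so the demo finishes quickly; the comment suggests about 30 seconds in production.

```python
import asyncio

# RFC 5321 / RFC 2821 section 4.5.3.2, quoted in the comment above: a client
# should wait five minutes for the initial 220 greeting before giving up.
RFC_INITIAL_220_TIMEOUT = 300.0


async def handle_client(reader, writer, banner_delay, verdicts):
    """Serve one connection: hold the 220 banner for `banner_delay` seconds
    and record how the peer behaves while it waits."""
    verdict = "patient"
    try:
        try:
            # A well-behaved SMTP client sends nothing before the greeting,
            # so any bytes here are "early talking"; EOF means it hung up.
            early = await asyncio.wait_for(reader.read(1024), timeout=banner_delay)
            verdict = "gave-up" if early == b"" else "early-talker"
        except asyncio.TimeoutError:
            pass  # silent for the whole delay: behaves like a real MTA
        if verdict == "patient":
            writer.write(b"220 mx.example.test ESMTP ready\r\n")  # constructed hostname
            await writer.drain()
            await reader.readline()                               # EHLO/HELO
            writer.write(b"250 mx.example.test\r\n")
            await writer.drain()
            await reader.readline()                               # QUIT
            writer.write(b"221 2.0.0 bye\r\n")
            await writer.drain()
        elif verdict == "early-talker":
            writer.write(b"554 5.7.1 protocol violation: spoke before greeting\r\n")
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass
    finally:
        verdicts.append(verdict)
        writer.close()


async def impatient_client(port, patience):
    """Constructed spamware stand-in: gives up if no banner arrives within
    `patience` seconds, well short of the five minutes the RFC allows."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        banner = await asyncio.wait_for(reader.readline(), timeout=patience)
        return banner.decode().split(" ", 1)[0]
    except asyncio.TimeoutError:
        return "no banner, gave up"
    finally:
        writer.close()


async def early_talker_client(port):
    """Constructed spamware stand-in: blurts HELO without waiting for 220."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(b"HELO bulk.example.test\r\n")
        await writer.drain()
        reply = await asyncio.wait_for(reader.readline(), timeout=10)
        return reply.decode().split(" ", 1)[0]
    finally:
        writer.close()


async def compliant_client(port, patience=RFC_INITIAL_220_TIMEOUT):
    """RFC-style client: waits for the greeting, then EHLO and QUIT."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        banner = await asyncio.wait_for(reader.readline(), timeout=patience)
        writer.write(b"EHLO mail.example.test\r\n")
        await writer.drain()
        await reader.readline()
        writer.write(b"QUIT\r\n")
        await writer.drain()
        await reader.readline()
        return banner.decode().split(" ", 1)[0]
    finally:
        writer.close()


async def _demo(banner_delay):
    verdicts = []
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, banner_delay, verdicts), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    client_view = {}
    async with server:
        client_view["impatient"] = await impatient_client(port, patience=banner_delay / 4)
        client_view["early_talker"] = await early_talker_client(port)
        client_view["compliant"] = await compliant_client(port, patience=banner_delay * 3)
        # the server-side verdict is recorded when the handler finishes,
        # which can be a moment after the peer has disconnected
        for _ in range(100):
            if len(verdicts) == 3:
                break
            await asyncio.sleep(0.02)
    return {"server_verdicts": verdicts, "client_view": client_view}


def run_demo(banner_delay=2.0):
    """Run the three connections against a banner-delaying server and return
    what the server logged and what each client saw."""
    return asyncio.run(_demo(banner_delay))


if __name__ == "__main__":
    print(run_demo())
```

The server's verdicts are the part a mail administrator would log or feed to a reputation list; the comment's caveat about sites with very short timeouts (Yahoo, UUNet) is exactly the "gave-up" verdict landing on a legitimate sender, which is why those need whitelisting before the delay is applied to everyone.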
Come on, people! John Dvorak will say ANYTHING to get people to read him. "Overcoverage"? Who is he trying to kid? Media writers aren't biased toward the Mac or Apple. Take a look at all the negative press the iPod Nano got. Also, isn't the media saying what a huge FLOP the video iPod is going to be?
Let's do a quick check of Google News:
"Microsoft" Results 1 - 10 of about 46,900 for Microsoft. (0.30 seconds)
"Apple" Results 1 - 10 of about 24,700 for Apple. (0.31 seconds)
Just over half as many news articles covering "Apple" as covering "Microsoft".
Apple is currently flying high, and so, in spite of its burgeoning reputation as a near-universal evil, is Microsoft.
Why does Dvorak have a problem with this?
Spammers change domains the way normal people change underwear. The fact that within a few days of Blue Security sending their malicious complaints to a spammer's website (which is set up on a throw-away account at a Chinese ISP, registered through a reseller for one of the minor registrars, who will, in three days, cancel the domain registration ANYWAY), is not evidence of ANYTHING.
Correlation is not causation!
Spammers have been rotating through domain names for years now. You can watch it on a week-by-week basis, as a whole series of domains with the same nameservers takes responses for the same spam months on end. Even when the spammers change nameservice, they tend to do it in predictable ways.
In one week's time Blue Security has managed to slightly ruffle the feathers of a total of THREE distinct spam operations. Big whoop.
I for one, welcome our cybernetically-enhanced geriatric overlords, and their leader, the life-like Philip K. Dick android.
Sheesh! Slashdot has gotten really lame.
"Other anti-spam workers" is none other than John Levine, Ph.D, co-author of the BEST SELLING INTERNET BOOK OF ALL TIME (I kid you not) "The Internet for Dummies" (Now in its ninth edition). Some of you cretins need to read it.
In Commonwealth of Virginia v. Jeremy Jaynes Dr. Levine served as an expert witness for the prosecution. His testimony helped send Jaynes to prison for nine years.
At the second annual Conference on Email and Spam Levine presented a technical paper on his experiences with greylisting.
Dr. Levine is the chair of the IRTF Anti-Spam Research Group. He's a founding member of the Coalition Against Unsolicited Commercial Email. He runs the Network Abuse Clearinghouse.
"Other Anti-Spam Worker" indeed.
Take a good look at Blue Security's product. I think you'll see that it's little more than an HTTP DDoS tool. BlueSecurity claims that it's okay to DDoS spammers, and that they make very sure that only spammers are DDoS'd (although they're careful not to call what they do a DDoS).
I'm given to understand that they moved their hosting to Israel when Verio terminated their service for violations of Verio's acceptable use policy. Verio doesn't allow folks to host denial of service tools on their network (nor will any normal ISP do so).
Someone should ask BlueSecurity about their legal threats against Everyone's Internet for attempting to do the same.
These are not nice people. The only difference between them and the normal crop of script-kiddie miscreants, is that they have found venture capital.
This is a stupid idea which must be the grandfather of all stupid ideas! Doesn't ANYONE remember Canter and Siegel, and the numerous DDoS attacks on their ISPs back in 1995?
It's been a decade, and a DDoS attack is the best thing they can come up with in response to spam?
--Og
I for one, welcome our robotically-enhanced geriatric overlords and their leader, the life-like Philip K. Dick android.
Right.
People flag list traffic for which they subscribed as spam all the time. What is so special about putting up a financial bond that will cause people not to flag mail they requested in March as spam in May, or accidentally mark mail from aunt Mildred as spam? I just don't see it.
This fails every test of an anti-spam proposal I can think of, including the most important: It doesn't stop spam.
--Og
You would imagine correctly. Nor am I willing to discuss details of private conversations.
I'm sorry, but many of my friends, colleagues, associates, and fellow anti-spammers (as the case may be) who were "profiled" by Brian McWilliams for his book, were dealt a raw deal by this putative "reporter".
The resulting book does not only not tell the full story, but engages in several rounds of make-believe, inventing situations and supposing events and circumstances which could not have been known by the author.
His focus on Susan Gunn after she explicitly asked NOT to be included in his book has done naught but damage to her.
The reader will not know this, however, and think that they are getting a front-row seat on what's really going on out there. McWilliams has done a massive disservice in this.
Far from telling a true story, this book contains much that is fabricated from the whole cloth.
I should note that while he was writing this book, I had several contacts with Mr. McWilliams. I am thankful that he chose not to include me in it, but rather disgusted at what he managed to distort of what others told him.
John Levine had the last word on sender-pays/e-postage systems quite some time ago. Apparently some people (ESJ) haven't been listening.
http://www.taugh.com/epostage.pdf
All such systems rely on whitelists to pass "wanted" mail, and inevitably, when no one antes up the "postage", devolve into whitelists. In the end, sender-pays offers NOTHING that a whitelist doesn't.
And end-users don't like whitelists.
--Og
I have it on good authority that this TRO has been dissolved as of this morning. Documents from Pacer should be available shortly.
--Og
I do believe the actual number of spammers covered by the suits is upward of 150+.
Well, since I'm not only an abuse guy in a previous life, but also a present and future abuse guy (for big networks, even), I can give some further insight into this sort of thing.
1234 seems appallingly close to one of the ports sub-7 uses (1243). I would suspect some sort of back-door root-shell, and BEHOLD (through the power of Google):
http://www.itsecurity.com/asktecs/jun1901.htm
http://www.iss.net/security_center/advice/Exploits/Ports/1234/default.htm
There are MANY trojans which use this port. "Ultors Trojan", is perhaps best known. There's also "SubSevenJavaclient". Nasty, nasty.
UDP traffic on port 1234 is indicative of "Infoseek Search Agent", which is the legit use for this port. The trojans do not produce UDP traffic.
Check out http://www.neohapsis.com/neolabs/neo-ports/
I would think that your experience predates the current round of spammer-specific trojans. This is, however, only the tip of the iceberg. Spammers are now creating entire zombie IP address allocations from abandoned or otherwise unused network space. A spammer with his own ASN and spammer-controlled BGP can create ENDLESS havoc.
Zombies on the Register of Known Spam Operations:
http://www.spamhaus.org/rokso/search.lasso?evidencefile=2493
Below are the lists of DIRECT ASNs owned or pirated by spammers, including many of the zombie netblocks:
APNIC zombies
http://spamhaus.org/sbl/listings.lasso?isp=apnic
ARIN zombies and spammer allocations
http://spamhaus.org/sbl/listings.lasso?isp=arin
RIPE zombies and spammer allocations
http://spamhaus.org/sbl/listings.lasso?isp=ripe
--Og
He's already suing personal friends of mine, why NOT me?
--Og
Here's the full dope on Eddy Marin, spammer, and why South Florida (especially Boca Raton) is now a haven for spammers.
Eddy uses a front company, "PG&C Leasing Inc." (aka lauderdale.net) to disguise his activity. This company buys the bandwidth for him to spam through. He then sets up dummy companies to act as "customers" of PG&C. If the heat gets too hot he'll "terminate" a "customer". Of course the spam just continues under another name.
He's operated like this since 1998. He's had a long time to develop a reputation among his spamming pals, and since he brings money into the local economy, Boca Raton loves him.
Here's just ONE of his netblocks:
http://www.senderbase.com/search?searchBy=ipaddress&searchString=209.203.192.0%2F19
The bulk of the spam from that netblock is from "OmniPoint Marketing". If you've been paying good attention. Spam also goes out from "justdous.com, prefersavings.com, dealstwoyou.com, and tlck.net". These are registered to things like "M.M.COMMERCE,INC", and "OptIn LLC" (which is Terry Williams, another Eddy Marin flunkie)
stealthemail.com ??? Give me a break!
--Og
Spam is a VERY big problem.
The trouble is that you, as an end user, can't possibly SEE how big the problem is. In addition, filters, while protecting you, the end user, only MASK the extent of the problem.
The costs incurred by spam are incremental, and are spread out among all the various parties who must decide whether to transmit, or block each spam message. These parties include far more than the sender and the recipient.
There's an interesting whitepaper at
http://word-to-the-wise.com/whitepapers.htm
The first doesn't bear on this issue, but the second one was a presentation given at the recent meeting of the IRTF's Anti-Spam Research Group. Those are real-life figures based on what real Internet providers are seeing.
The numbers, when you add them up, are scary.
--Og
Not at all high, considering their customer base of 30 million. That averages two and a half emails per customer, per day.
--Og