Seeking help on anti-spam project

Seeking help on anti-spam project

am 01.12.2006 20:33:23 von Jem Berkes

The project I'm writing about (www.wpbl.info) is totally non-commercial. It
has now been operating for 3 years, already with the help of some of you!

WPBL is a real time list of IP addresses that are currently sending us spam
(a lot like the CBL project). The list is dynamic and hosts around the
world ranging from small servers to very major ISPs want to query our
database. The challenge is serving this list with limited resources :(

I recently set up a DNSBL service, which uses (simplified) DNS software to
answer queries. Our existing 3 nameservers answer about 130,000 queries per
day in total but the load is guaranteed to rise. So I am seeking your help!
This is a perfect place for co-operation, as in parallel we could serve a
tremendous load even from relatively weak hosts. You would need:

- Static IP (DHCP that lasts a month is ok) on a Linux/UNIX host you run
- Will only use 10 MB/day total data transfer! Trivial bandwidth.
- You're in a pool (ns1, ns2, ns3, ...) so downtime is ok
- Open source rbldnsd software, safe, solid, very efficient DNSBL server
(used by many ISPs, runs chroot, reduced privileges)
- The software uses < 1 MB of RAM, nil CPU
- You would have to rsync to me every 30 minutes, transfers < 20 KB each
- Easy to set up and revoke your involvement at any time!

Since rbldnsd sits on port 53, you cannot do this if you already run BIND
or djbdns.

If you have a host from which you could serve UDP port 53 (DNS) lookups,
please let me know or reply in the group so I can contact you. Resource
demands on your node are practically nil for the foreseeable future.

- Jem
feedback at wpbl dot info
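The DNSBL lookup described in this post, with both sides of the exchange shown, as an added example that is not WPBL's or rbldnsd's own code. The zone name list.example, the listed networks and the 127.0.0.x answer values are constructed for the example, and the "server" is an in-memory stand-in so the exchange runs offline; a real client would hand the name built by dnsbl_query_name() to the system resolver instead.

```python
"""DNSBL query and answer. Added illustration, not WPBL or rbldnsd code:
the zone, the listed networks and the answer values are constructed, and
InMemoryDnsbl stands in for the DNS server so everything runs offline."""

import ipaddress
from typing import Dict, List, Optional, Tuple

LIST_ZONE = "list.example."    # hypothetical DNSBL zone, fully qualified

# Constructed sample zone: listed network -> (A record, reason).
# Lists conventionally answer inside 127.0.0.0/8 and use the last octet
# to encode a category; 127.0.0.2 is the usual plain "listed" value.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "192.0.2.15/32": ("127.0.0.2", "spam seen from this host in the last 5 days"),
    "198.51.100.0/24": ("127.0.0.3", "dynamic/residential range"),
}


def dnsbl_query_name(ip: str, zone: str = LIST_ZONE) -> str:
    """Client side: reverse the octets and append the zone,
    so 192.0.2.15 becomes 15.2.0.192.list.example."""
    addr = ipaddress.IPv4Address(ip)           # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class InMemoryDnsbl:
    """Stand-in for the DNS server: answers a reversed-octet name with an
    (A record, reason) pair, or None where a real server would say NXDOMAIN."""

    def __init__(self, zone: str, entries: Dict[str, Tuple[str, str]]):
        self.zone = zone
        self.entries: List[Tuple[ipaddress.IPv4Network, str, str]] = [
            (ipaddress.IPv4Network(cidr), a, reason)
            for cidr, (a, reason) in entries.items()
        ]

    def lookup(self, qname: str) -> Optional[Tuple[str, str]]:
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return None                         # not our zone
        labels = qname[: -len(suffix)].split(".")
        if len(labels) != 4:
            return None                         # not a reversed IPv4 address
        try:
            addr = ipaddress.IPv4Address(".".join(reversed(labels)))
        except ValueError:
            return None
        for net, a, reason in self.entries:     # first match wins
            if addr in net:
                return a, reason
        return None


def check_ip(ip: str, server: InMemoryDnsbl) -> Optional[str]:
    """Client side: the A record if listed, None if not. An answer outside
    127.0.0.0/8 is discarded: a dead or wildcarded zone would otherwise
    make every address look listed."""
    answer = server.lookup(dnsbl_query_name(ip, server.zone))
    if answer is None:
        return None
    a_record = answer[0]
    if ipaddress.IPv4Address(a_record) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return a_record


if __name__ == "__main__":
    server = InMemoryDnsbl(LIST_ZONE, SAMPLE_ZONE)
    for ip in ("192.0.2.15", "198.51.100.77", "203.0.113.1"):
        print(ip, "->", dnsbl_query_name(ip), "->", check_ip(ip, server))
```

The check in check_ip() against 127.0.0.0/8 is the part worth keeping in a production client: a list that is decommissioned and later wildcarded answers every query, and a client that treats any answer as "listed" will then reject all mail.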

Re: Seeking help on anti-spam project

am 01.12.2006 23:51:07 von Peter Pearson

["Followup-To:" header set to comp.os.linux.security.]
On Fri, 01 Dec 2006 13:33:23 -0600, Jem Berkes wrote:
> The project I'm writing about (www.wpbl.info) is totally non commercial. It
> has now been operating for 3 years, already with the help of some of you!
>
> WPBL is a real time list of IP addresses that are currently sending us spam
> (a lot like the CBL project). The list is dynamic and hosts around the
> world ranging from small servers to very major ISPs want to query our
> database. The challenge is serving this list with limited resources :(

Are you sure you want to get into this business? How will
your list improve upon those many lists already available
through the spam-check function at www.dnsstuff.com?

--
To email me, substitute nowhere->spamcop, invalid->net.

Re: Seeking help on anti-spam project

am 02.12.2006 08:26:41 von Alan Connor

On comp.mail.misc, in , "Jem Berkes" wrote:

Another blacklisting of IPs project.

> The project I'm writing about (www.wpbl.info) is totally non
> commercial. It has now been operating for 3 years, already with
> the help of some of you!
>
> WPBL is a real time list of IP addresses that are currently
> sending us spam (a lot like the CBL project). The list is
> dynamic and hosts around the world ranging from small servers
> to very major ISPs want to query our database. The challenge is
> serving this list with limited resources :(

So some spammer finds a way to use someone's server/computer and
they get blocklisted and suddenly they and maybe their clients
won't be able to send mail to anyone.

Or the IP addresses on the spam may be _forged_.

This is a lazy, crude, and unfair approach to fighting spam.

It assumes that everyone who is sending or relaying spam is doing
it willfully.

Even if you notified the server/computer that the spam was coming
from or being relayed through, (and I saw no mention of this in
your article) and they fixed the problem in a jiff, there is no
guarantee that everyone would update their blocklist in a timely
fashion, if ever. And that IP-domain would have its reputation
tarnished.

The ISPs facilitate spam. There's no doubt about that. And you
can't beat them at their own game. They control the nameservers
in most ways and the gateways and routers and mailservers, either
directly or by setting policy.

The only solution is for the individual to say no to spam and
use a version of Challenge-Response system.

http://home.earthlink.net/~alanconnor/cr.html

But most people don't really want to get rid of spam. They just
_say_ they do. They think they are going to get lucky. They read
spam and enough of them go to the websites in the spam and enough
of them buy stuff to make it profitable.

And spammers are good customers for the ISPs. They buy a lot
of accounts. And the companies they are spamming for buy a lot
of accounts.

I repeat: You either take care of the problem yourself or you
won't ever get rid of spam.

No solution like this will work. No traditional spam filter
will work. The ISPs aren't going to fix it.

I don't get any spam. And no stinking troll can send mail to me.

Anyone who whines about having to take a couple of simple steps
once in a lifetime to contact me is a punk that I don't want to
know.

Alan

--
http://home.earthlink.net/~alanconnor

Re: [kook] Re: Seeking help on anti-spam project

am 02.12.2006 08:26:48 von Alan Connor FGA

Thanks for your kookfart, Beavis.

--


Info about "Alan Connor"

Alan "The Usenet Beavis" Connor is a good friend of Bigfoot:
http://tinyurl.com/23r3f

A couple of years ago he was kidnapped and raped by Xena,
the Warrior Princess: http://tinyurl.com/2gjcy

Beavis believes that the MSBlast virus of yesteryear was explicitly
targeting him, for some inexplicable reason: http://tinyurl.com/ifrt

Beavis belongs to a UFO cult: http://tinyurl.com/2hhdx
Beavis's life in a UFO cult: http://tinyurl.com/24jqm
Beavis knows all about network security: http://tinyurl.com/5qqb6
And he's also a search engine expert: http://tinyurl.com/9pjnt


<1164724734.389844@nnrp2.phx1.gblx.net>
"But if you must know, Alans' name is Bruce Burhans, and he lives in
Bellingham WA. To his hippie friends he calls himself "Tom Littlefoot"
**Google Tom Littlefoot, Bruce Burhans and "Wildwood"**.

Bruce has some serious mental problems and spends a lot of time as an
in-patient at the big mental hospital in Bellingham, when he's not
hospitalized, he posts to usenet. In every group he posts to he comes off as
some sort of expert in the subject at hand, and when anyone disagrees (and
they will, he sees to that) he starts in on his trollery.

Again, Bruce is a true Professional Usenet Troll. It is his entertainment
and it's what he lives for."


http://www.pearlgates.net/nanae/kooks/ac/fga.shtml
http://groups.google.com/groups/profile?enc_user=MQ9uxRYAAAA X2tAp-itjMPAOxLgFwCc3_gRbb05PKyTO4L-MEqh3HQ&hl=en
http://www.pearlgates.net/nanae/kooks/ac/
http://linuxmafia.com/faq/Mail/challenge-response.html
http://www.spamcop.net/fom-serve/cache/329.html#CR
http://www.gatago.com/authors_pgs/13650.html
http://blog.bananasplit.info/?p=84
http://tinyurl.com/ifrt
http://tinyurl.com/3h6a5
http://tinyurl.com/ys6z4

Also in the headers for alan to read.

Re: Seeking help on anti-spam project

am 02.12.2006 09:07:17 von Alan Connor

On comp.mail.misc, in , "Alan Connor" wrote:

> On comp.mail.misc, in
>, "Jem Berkes"
>wrote:
>
> Another blacklisting of IPs project.
>
>> The project I'm writing about (www.wpbl.info) is totally non
>> commercial. It has now been operating for 3 years, already
>> with the help of some of you!

One of the biggest faults of projects like this is that the
spammers can access the blocklist as easily as anyone else.

Oh. That one is blocklisted so I'll use another one. Let's
see, I have millions to choose from....

Alan

--
http://home.earthlink.net/~alanconnor/cr.html

Re: [kook] Re: Seeking help on anti-spam project

am 02.12.2006 09:07:24 von Alan Connor FGA

Thanks for your kookfart, Beavis.


Re: Seeking help on anti-spam project

am 02.12.2006 09:19:42 von Jem Berkes

> So some spammer finds a way to use someone's server/computer and
> they get blocklisted and suddenly they and maybe their clients
> won't be able to send mail to anyone.

If individual IP addresses are blocked, the collateral is very minimal.
If a PC is compromised (virus, zombie, etc.) it is a source of internet
wide abuse and there are many admins who would legitimately block it.

The one situation I am unhappy about is when some bad apples relay mail
through the ISP's server and it looks like the ISP's mail server is a
spam source. I try very hard to fix that problem, but it's a downside.

> Or the IP addresses on the spam may be _forged_.

No, not on modern TCP stacks (which thwart sequence attacks). SMTP
requires a two way conversation so if the data is flowing back to the
other IP, it is not forged. If the IP was fake then the two way
conversation is impossible. When you receive a TCP connection from an IP
address, that is the real IP address you are talking with ... and those
are the IPs we use. The crap in the headers is often added to confuse,
though the real IP address is in there too if you look in the right spot.

> It assumes that everyone who is sending or relaying spam is doing
> it willfully.

If your PC is compromised by a virus, relaying spam, or severely
misconfigured and flooding networks, your host is responsible for abuse
and your host will be seen unfavourably by others. What is unfair about
this? A community frowns upon a member (host) acting irresponsibly.

> Even if you notified the server/computer that the spam was coming
> from or being relayed through, (and I saw no mention of this in
> your article) and they fixed the problem in a jiff, there is no
> guarantee that everyone would update their blocklist in a timely
> fashion, if ever. And that IP-domain would have its reputation
> tarnished.

Alan, I don't think you're a bad guy by any means. But I am not running
after the hundreds of thousands of hosts who spam me daily, asking them
politely to fix their problems. They may be malicious, they may be not, I
really DO NOT CARE. Most of the IP addresses that spam me are bots,
zombies, running custom spamming/flooding software. They operate in
distributed networks, remote controlled, on stolen resources.

I am just listing the IP addresses which send me and my members spam,
nothing more, nothing less.

I am not telling anyone to block those IPs. I'm not claiming these are
bad people. I am not making a statement about their business practices or
motivations, or religion. All I am saying is: THIS IP SENT ME SPAM.

--
Jem Berkes
www.sysdesign.ca
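Finding "the real IP address in the right spot", as an added example that is not WPBL's code. Received: headers are prepended by each hop, so the topmost ones were written by your own mail hosts; anything further down was supplied by whoever handed the message over and may be fabricated. The walk below steps back through a constructed set of trusted relays and stops at the first peer that is not ours, which is the address that held the TCP connection. The sample message, the host names and the relay set are constructed for this example, and the bracketed-IP format assumed is the one shown in the sample.

```python
"""Locate the connecting IP in Received: headers. Added illustration, not
WPBL code; the message, host names and trusted relays are constructed."""

import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample. The top two Received: lines were added by our own
# hosts (mailstore and mx1); the bottom one was already in the message when
# the sender's client connected to mx1 and names a host that never saw it.
SAMPLE_MESSAGE = b"""Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mailstore.example.net with ESMTP id abc123; Sat, 2 Dec 2006 09:19:42 +0000
Received: from client.example.org (unknown [192.0.2.15])
\tby mx1.example.net with SMTP id def456; Sat, 2 Dec 2006 09:19:40 +0000
Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.5])
\tby client.example.org with SMTP id fake; Sat, 2 Dec 2006 09:19:00 +0000
From: someone@example.org
To: you@example.net
Subject: hi

body
"""

# Assumption: our own relays, whose Received: lines we wrote ourselves.
TRUSTED_RELAYS = {ipaddress.IPv4Address("203.0.113.10")}

# Assumption: our MTAs record the peer address in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw: bytes) -> List[Optional[ipaddress.IPv4Address]]:
    """Peer address recorded in each Received: header, newest hop first."""
    msg = email.message_from_bytes(raw)
    result: List[Optional[ipaddress.IPv4Address]] = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        try:
            result.append(ipaddress.IPv4Address(m.group(1)) if m else None)
        except ValueError:          # e.g. 999.1.1.1 inside the brackets
            result.append(None)
    return result


def connecting_ip(raw: bytes, trusted=TRUSTED_RELAYS) -> Optional[ipaddress.IPv4Address]:
    """Walk from the newest hop back through our own relays and return the
    first peer that is not ours: the address that actually connected to us.
    Headers below that point were not written by us and are ignored."""
    for ip in received_ips(raw):
        if ip is None:
            return None             # a hop we cannot parse: refuse to guess
        if ip in trusted:
            continue                # internal handoff, keep walking back
        return ip
    return None


if __name__ == "__main__":
    print("connecting peer:", connecting_ip(SAMPLE_MESSAGE))
```

The trusted-relay set is the whole point: the walk only trusts headers until it leaves hosts you control, so the forged bottom line naming 198.51.100.5 never influences the result. A forwarder that is not in that set shows up as the connecting peer, which is the situation the thread discusses below.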

Re: Seeking help on anti-spam project

am 02.12.2006 09:52:07 von Alan Connor

On comp.mail.misc, in , "Jem Berkes" wrote:

>> So some spammer finds a way to use someone's server/computer
>> and they get blocklisted and suddenly they and maybe their
>> clients won't be able to send mail to anyone.
>
> If individual IP addresses are blocked, the collateral is very
> minimal. If a PC is compromised (virus, zombie, etc.) it is
> a source of internet wide abuse and there are many admins who
> would legitimately block it.

The owner of the computer should be notified first and given
a chance to fix the problem.

> The one situation I am unhappy about is when some bad apples
> relay mail through the ISP's server and it looks like the ISP's
> mail server is a spam source. I try very hard to fix that
> problem, but it's a downside.

Indeed.

>
>> Or the IP addresses on the spam may be _forged_.
>
> No, not on modern TCP stacks (which thwart sequence
> attacks). SMTP requires a two way conversation so if the data
> is flowing back to the other IP, it is not forged.

> If the IP was fake then the two way conversation is
> impossible. When you receive a TCP connection from an IP
> address, that is the real IP address you are talking with ...
> and those are the IPs we use. The crap in the headers is often
> added to confuse, though the real IP address is in there too if
> you look in the right spot.

There could be a proxy between the two, re-writing the
IP to make it look as if it came from the proxy. It would
only be forwarding in two directions.

>> It assumes that everyone who is sending or relaying spam is
>> doing it willfully.
>
> If your PC is compromised by a virus, relaying spam, or
> severely misconfigured and flooding networks, your host is
> responsible for abuse and your host will be seen unfavourably
> by others. What is unfair about this? A community frowns upon a
> member (host) acting irresponsibly.

Sure. But again, that person should be notified before
blocklisting.

>> Even if you notified the server/computer that the spam was
>> coming from or being relayed through, (and I saw no mention
>> of this in your article) and they fixed the problem in a
>> jiff, there is no guarantee that everyone would update their
>> blocklist in a timely fashion, if ever. And that IP-domain
>> would have its reputation tarnished.
>
> Alan, I don't think you're a bad guy by any means.

Thanks for that, Jem.

> But I am not running after the hundreds of thousands of
> hosts who spam me daily, asking them politely to fix their
> problems.

That many?!

Holy _____!!

> They may be malicious, they may be not, I really
> DO NOT CARE. Most of the IP addresses that spam me are bots,
> zombies, running custom spamming/flooding software. They
> operate in distributed networks, remote controlled, on stolen
> resources.

That's my understanding. I don't bother trying to track them down
myself, actually. If it's spam it gets dumped.

I've done the basic host and whois checks on a couple of spams
and sent complaints to the domains and received no responses.

> I am just listing the IP addresses which send me and my members
> spam, nothing more, nothing less.

So it would be a very good idea for _everyone_ to check the
blocklists for their own IP on a regular basis?

> I am not telling anyone to block those IPs. I'm not claiming
> these are bad people. I am not making a statement about their
> business practices or motivations, or religion. All I am saying
> is: THIS IP SENT ME SPAM.

Okay. Thanks for the clarification.

At least you are trying.

I'll do it my way. I am actually even harder in this regard
than you are. Though I don't block by IP/FQDN.

http://home.earthlink.net/~alanconnor/cr.html

---------------------------------------------------------

Now you could do me a big favor and explain how it is that
spam can arrive in my box without my address in any of the
addressing headers. I have been _told_ that there isn't a
long list of addresses in the Bcc header.


Alan

Re: [kook] Re: Seeking help on anti-spam project

am 02.12.2006 09:52:14 von Alan Connor FGA

Thanks for your kookfart, Beavis.


Re: Seeking help on anti-spam project

am 02.12.2006 14:21:27 von Landmark

Jem Berkes wrote:

>If individual IP addresses are blocked, the collateral is very minimal.
>If a PC is compromised (virus, zombie, etc.) it is a source of internet
>wide abuse and there are many admins who would legitimately block it.

Often the damage is non-existent. A great deal of the spam I see is
coming out of zombied PCs which are sending mail direct to me rather
than via their ISP's mail server or via some other properly configured
mail server. In those cases, blocking the IP will block only the spam,
not any legitimate mail that the user is trying to send using Outlook
etc. There are dnsbls which attempt to list all such dynamic IPs,
dial-up IPs, residential IPs etc and I find those to be very effective
in blocking spam.

>The one situation I am unhappy about is when some bad apples relay mail
>through the ISP's server and it looks like the ISP's mail server is a
>spam source. I try very hard to fix that problem, but it's a downside.

If dnsbls are used in conjunction with whitelists of known contacts,
that too is rarely a problem. If I get a mail from an ISP I have never
had legitimate dealings with before and if it is also on a temporary
blacklist then there is a very high probability that it is indeed
spamming me.

Also, as you point out, WPBL should not be used in isolation so I'd be
taking other factors into account too, such as the country of origin,
clues in the subject, etc. No one factor might be conclusive, but if
someone I have never heard of is mailing me from Argentina telling me
about viagra and they are listed on a dnsbl which indicates spam
activity in the last 5 days then to me it is pretty conclusive, and I
certainly will not lose any sleep about deleting it unread.

I also think it is not so much of a problem because you are using some
form of weighting algorithm in WPBL, so that the amount of legitimate
mail received from an IP is taken into consideration, and you don't
just list on the basis of isolated reports of spam.

Perhaps a good development of WPBL would be to send out automated
notifications to the postmaster of IPs that are not known to be in
dynamic or residential space, i.e. the ones which are likely to be
legitimate mail servers where the spamming has been performed by one of
their customers rather than by a nameless bot. Not sure how practical
that would be but if it was then a nice touch would be to mail the ISP
when their score reaches 50% of the threshold value needed for listing
and warn them that spam reports are coming in and if they take action
to stop it now then they will likely avoid being listed in WPBL.

I suppose you could also change the weighting algorithm slightly so
that reports concerning dynamic IPs had a lower threshold for listing,
whilst reports concerning legitimate mail servers had a higher
threshold for listing.

I think distinguishing between dynamic IPs and mailservers would also
be a good thing in your delisting screen. I can see an argument for
immediate delisting of an ISP's mailserver, but not for the immediate
delisting of a dynamic IP address. Yes, there are sure to be some
cases where the user is running a legitimate mail server on a DSL
connected PC which looks suspect but isn't, but if you are running a
private mail server then you should take more care to ensure it is not
used for spamming and you don't have the argument of "we are innocent,
it was someone else on the same IP". Maybe in those cases, the request
to have it delisted shouldn't be actioned for 24 hours.

I am assuming of course that ISPs who just routinely delist themselves
every day and never take action to stop a persistent spammer will find
it harder and harder to get themselves delisted, or that instead of
being delisted immediately, the delist time gets progressively longer
and longer.

>> Or the IP addresses on the spam may be _forged_.
>
>No, ...

You answered the clueless one's objection far more comprehensively than
I ever could.

>I am not telling anyone to block those IPs. I'm not claiming these are
>bad people. I am not making a statement about their business practices or
>motivations, or religion. All I am saying is: THIS IP SENT ME SPAM.

And I, for one, would stand by your right to make factual observations
like that but some people will always accuse you of trying to censor
them and in some cases people have dragged list operators through the
courts to gag them. Perhaps it might be better if DNSBL operators
stopped using the word Block. You could call your list something like
PWIL, Private Weighted Incident List for example. What people do with
your list of incidents is up to them.
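The weighting scheme sketched in this post, carried through as an added example: legitimate mail pulls a host's score down, a warning fires at 50% of the listing threshold, dynamic space gets a lower threshold than mail servers, dynamic IPs wait 24 hours for delisting, and repeat delisting requests from a mail server take progressively longer. None of this is WPBL's actual algorithm; the weights, thresholds, delays and the dynamic-range table are placeholder values constructed for the example.

```python
"""Weighted incident list with per-class thresholds and delisting delays.
Added illustration of the proposal above, not WPBL code; every parameter
value here is an assumed placeholder."""

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

HAM_WEIGHT = 2   # assumed: one legitimate delivery cancels two spam reports


@dataclass
class Reputation:
    spam: int = 0
    ham: int = 0
    delist_requests: int = 0


@dataclass
class ListingPolicy:
    dynamic_ranges: List[ipaddress.IPv4Network]     # assumed residential space
    dynamic_threshold: int = 3        # dynamic hosts: little evidence needed
    mailserver_threshold: int = 8     # shared mail servers: more evidence needed
    warn_fraction: float = 0.5        # notify postmaster at half the threshold
    dynamic_delist_delay: timedelta = timedelta(hours=24)
    mailserver_base_delay: timedelta = timedelta(hours=1)


class ReputationList:
    def __init__(self, policy: ListingPolicy):
        self.policy = policy
        self.reps: Dict[ipaddress.IPv4Address, Reputation] = {}

    def classify(self, ip: ipaddress.IPv4Address) -> str:
        """'dynamic' if the address falls in known residential space."""
        return "dynamic" if any(ip in n for n in self.policy.dynamic_ranges) else "mailserver"

    def _threshold(self, ip: ipaddress.IPv4Address) -> int:
        if self.classify(ip) == "dynamic":
            return self.policy.dynamic_threshold
        return self.policy.mailserver_threshold

    def score(self, ip: ipaddress.IPv4Address) -> int:
        rep = self.reps.get(ip, Reputation())
        return rep.spam - HAM_WEIGHT * rep.ham

    def status(self, ip: ipaddress.IPv4Address) -> str:
        """'listed', 'warn' (postmaster notification due) or 'ok'."""
        s, t = self.score(ip), self._threshold(ip)
        if s >= t:
            return "listed"
        if s >= self.policy.warn_fraction * t:
            return "warn"
        return "ok"

    def report(self, ip_str: str, spam: bool) -> str:
        """Record one sighting (spam or legitimate) and return the new status."""
        ip = ipaddress.IPv4Address(ip_str)
        rep = self.reps.setdefault(ip, Reputation())
        if spam:
            rep.spam += 1
        else:
            rep.ham += 1
        return self.status(ip)

    def request_delist(self, ip_str: str, now: datetime) -> datetime:
        """Return the time at which the delisting takes effect. Dynamic IPs
        always wait the fixed delay; a mail server is delisted at once the
        first time and waits twice as long on each further request."""
        ip = ipaddress.IPv4Address(ip_str)
        rep = self.reps.setdefault(ip, Reputation())
        if self.classify(ip) == "dynamic":
            delay = self.policy.dynamic_delist_delay
        elif rep.delist_requests == 0:
            delay = timedelta(0)
        else:
            delay = self.policy.mailserver_base_delay * (2 ** (rep.delist_requests - 1))
        rep.delist_requests += 1
        rep.spam = 0   # evidence cleared; a real service would apply this at now + delay
        return now + delay


if __name__ == "__main__":
    rl = ReputationList(ListingPolicy([ipaddress.IPv4Network("198.51.100.0/24")]))
    for _ in range(3):
        print("dynamic host:", rl.report("198.51.100.7", spam=True))
    for _ in range(4):
        print("mail server:", rl.report("203.0.113.25", spam=True))
    print("after one legitimate delivery:", rl.report("203.0.113.25", spam=False))
```

Because the score is an absolute count rather than a ratio, a single report never lists anything, which is the "no isolated reports" property the post asks for; the ham weight is what lets a busy legitimate server absorb the occasional abusive customer.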

Re: Seeking help on anti-Beavis project

am 02.12.2006 16:18:21 von Sam


Usenet Beavis writes:

> Another Beavis-slapping project.

Yup.

> So I get desperate because nobody's paying attention to me, and I
> go back to Usenet to post my kookfarts.

Indeed, that's what appears to be happening here.

Where have you been for the last two weeks, Beavis? We missed you.

> I'm just a stupid Beavis, and an unfair waste of perfectly good oxygen.

I wouldn't go that far.

> You can assume that everything I say is wrong.

That's a safe bet.

> Even if you did not know that I'm Usenet's laughing stock, and I never
> have even the slightest clue as to what I'm babbling about, it should
> become clear before long.

Right.

> The Beavis posts kookfarts. There's no doubt about that. And you
> can't beat me with sheer quantity.

It's not the quantity, Beavis, it's the quality.

> One of the way to keeps smacking my bitch up, and make me go cuckoo
> is to post a link to the Beavis FAQ
>
> http://www.pearlgates.net/nanae/kooks/ac/

Taken care of.

> But most people already know that I'm a first-class kookbag.

Yes, they do.

> I repeat: You must always point your fingers at me, and laugh.

Good advice.

> I don't have any brains. And everyone laughs at me.

Right.

> Anyone who tries to have an intelligent conversation with me
> always lives to regret it.

Hi, Beavis.

> Beavis
>
> --
> http://tinyurl.com/23r3f



Re: Seeking help on anti-Beavis project

am 02.12.2006 16:18:48 von Sam


Usenet Beavis writes:

> On comp.mail.misc, in ,
> "Usenet Beavis" wrote:

Beavis, you'll go blind if you keep doing this.

> One of the biggest reasons why I'm Usenet's laughing stock is
> because I was dropped on my head, as a child.

You poor thing.

> Oh, and please continue smacking me upside the head, all the time.
> It really works.

I know.

> Beavis
>
> --
> http://tinyurl.com/23r3f



Re: Seeking help on anti-Beavis project

am 02.12.2006 16:19:00 von Sam


Usenet Beavis writes:

> Please ignore everything I post on this topic. I'm just a Beavis, and
> I'm only pretending that I know what I'm talking about.

Yes, you do.

>> If the IP was fake then the two way conversation is
>> impossible. When you receive a TCP connection from an IP
>> address, that is the real IP address you are talking with ...
>> and those are the IPs we use. The crap in the headers is often
>> added to confuse, though the real IP address is in there too if
>> you look in the right spot.
>
> There could be a proxy between the two, re-writing the
> IP to make it look as if it came from the proxy. Not that I really
> understand what a proxy is. Mentioning something about a proxy makes
> me look smart, which I'm not.

Right.

>> If your PC is compromised by a virus, relaying spam, or
>> severely misconfigured and flooding networks, your host is
>> responsible for abuse and your host will be seen unfavourably
>> by others. What is unfair about this? A community frowns upon a
>> member (host) acting irresponsibly.
>
> Sure. But again, that person should be notified before
> blocklisting. That's what Bigfoot told me is the right thing to do.

Speaking of ol' Sasquatch, what has he been up to, lately?

>> Alan, I don't think you're a bad guy by any means.
>
> Thanks for that, Jem. I'm not a bad guy, I'm just stupid.

It's not your fault, Beavis. Blame the society.

>> They may be malicious, they may be not, I really
>> DO NOT CARE. Most of the IP addresses that spam me are bots,
>> zombies, running custom spamming/flooding software. They
>> operate in distributed networks, remote controlled, on stolen
>> resources.
>
> That's my understanding. Of course, keep in mind that whatever
> my understanding is, on any technical subject, the correct
> answer always lies 180 degrees to the opposite.

That's a very good rule of thumb to follow.

> I've done the basic host and whois checks on a couple of spams
> and sent complaints to the domains and received no responses.

That's because you don't know what you were doing. You still can't figure
out Earthlink's wildcard DNS entry.

> So it would be a very good idea for _everyone_ to smack me
> upside the head on a regular basis?

Yup.

> Okay. Thanks for the clarification.
>
> At least you are trying to help a Beavis.

It's a thankless task. No way I'd do it.

> I'll do it my way. Because I'm a kookbag, that's why.
>
> http://www.pearlgates.net/nanae/kooks/ac/

We know.

> Now you could do me a big favor and explain how it is that
> spam can arrive in my box without my address in any of the
> addressing headers. I have been _told_ that there isn't a
> long list of addresses in the Bcc header.

Beavis, the E-mail expert.

> Beavis




Re: Seeking help on anti-spam project

am 02.12.2006 16:31:03 von Alan Clifford

On Sat, 2 Dec 2006, Jem Berkes wrote:

JB>
JB> The one situation I am unhappy about is when some bad apples relay mail
JB> through the ISP's server and it looks like the ISP's mail server is a
JB> spam source. I try very hard to fix that problem, but it's a downside.
JB>

I used to use a mail forwarder. This works by, for instance, mail to
sardines@purse-seine.net being forwarded to my mail box at big mail
provider such as hotmail.

So the mail forwarder is forwarding everything, just as their customers
have requested. Including spam. Just as their customers have requested.
So what happens? The mail forwarder's IP addresses are blacklisted as
sources of spam by the inept, big mailbox providers.

Please make sure you know what you are doing otherwise you become part of
the problem rather than the solution.

--
Alan

( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this is a very
old message, a "tuna" will swim right through. )

Re: Seeking help on anti-spam project

am 02.12.2006 18:22:30 von Jem Berkes

> I used to use a mail forwarder. This works by, for instance, mail to
> sardines@purse-seine.net being forwarded to my mail box at big mail
> provider such as hotmail.
>
> So the mail forwarder is forwarding everything, just as their
> customers have requested. Including spam. Just as their customers
> have requested. So what happens? The mail forwarders ip addresses are
> blacklisted as sources of spam by the inept, big mailbox providers.
>
> Please make sure you know what you are doing otherwise you become part
> of the problem rather than the solution.

I understand what you are saying. One of the services that taught me this
lesson was the bigfoot.com forwarder. Now I'm always on the lookout for an
IP address that appears to be the 'source' of many sightings.

--
Jem Berkes
www.sysdesign.ca

Re: Seeking help on anti-spam project

am 02.12.2006 18:29:38 von Jem Berkes

> If dnsbls are used in conjunction with whitelists of known contacts,
> that too is rarely a problem. If I get a mail from an ISP I have never
> had legitimate dealings with before and if it is also on a temporary
> blacklist then there is a very high probability that it is indeed
> spamming me.
>
> Also, as you point out, WPBL should not be used in isolation so I'd be
> taking other factors into account too, such as the country of origin,
> clues in the subject, etc. No one factor might be conclusive, but if
> someone I have never heard of is mailing me from Argentina telling me
> about viagra and they are listed on a dnsbl which indicates spam
> activity in the last 5 days then to me it is pretty conclusive, and I
> certainly will not lose any sleep about deleting it unread.

That's a big factor here. I believe you can't go wrong by querying our
list in something like a SA configuration because it's no longer a black
and white connection blocking - something which I discourage, because
it leaves no margin of error.

> I also think it is not so much of a problem because you are using some
> form of weighting algorithm in WPBL, so that the amount of legitimate
> mail received from an IP is taken into consideration, and you don't
> just list on the basis of isolated reports of spam.

Right, all non-spam we receive is taken into consideration. This isn't a
perfect solution, but in conjunction with the whitelisting of known ISPs
this really goes a long way to preventing false positives.

> Perhaps a good development of WPBL would be to send out automated
> notifications to the postmaster of IPs that are not known to be in
> dynamic or residential space,

Perhaps, but I dislike the idea of automatically creating new mail
traffic. For example, some mailer gateways send out 'virus scan reports'
to other sites. These might have been cool at first, now they are a
nuisance.

> I suppose you could also change the weighting algorithm slightly so
> that reports concerning dynamic IPs had a lower threshold for listing,
> whilst reports concerning legitimate mail servers had a higher
> threshold for listing.

Yes, there are some possible improvements here. For instance if the
reverse hostname for an IP existed, for one, or contained a string that
might indicate being an MTA (mail, smtp, mta) then the thresholding could
change. I'm looking into that, definitely.

> And I, for one, would stand by your right to make factual observations
> like that but some people will always accuse you of trying to censor
> them and in some cases people have dragged list operators through the
> courts to gag them.

Thanks, yes I know there could be accusations. That's why I try to be
very clear on my home page about what I'm doing (listing IPs that sent us
spam) and what I'm NOT doing (judging sites or telling people to deny
mail).

--
Jem Berkes
www.sysdesign.ca

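As an added illustration of the listing-side ideas in the exchange above (weighting non-spam against spam, whitelisting known ISP servers, and a threshold that depends on what the reverse hostname looks like): this is not WPBL's own code, and its real thresholds and rules are not on this page, so the numbers, the hostname patterns and the sample sightings below are assumptions.

```python
# Added illustration, not WPBL's code: thresholds, patterns and samples are assumed.
import re
from dataclasses import dataclass
from typing import Optional

# Reverse hostnames hinting at a real MTA (mail, smtp, mta, mx) or at dynamic space.
MTA_HINT = re.compile(r"(?:^|[.-])(?:mail|smtp|mta|mx)\d*(?:[.-]|$)", re.IGNORECASE)
DYNAMIC_HINT = re.compile(r"dyn|dsl|cable|pool|ppp|dhcp", re.IGNORECASE)

@dataclass
class Sightings:
    ip: str
    spam: int                            # spam messages seen from this IP
    ham: int                             # non-spam messages seen from this IP
    reverse_name: Optional[str] = None   # None: no PTR record at all

def listing_threshold(reverse_name: Optional[str]) -> float:
    """Spam fraction required before listing (assumed values): a host that
    looks like an MTA needs stronger evidence, dynamic space needs less."""
    if reverse_name is None:
        return 0.6
    if MTA_HINT.search(reverse_name):
        return 0.9
    if DYNAMIC_HINT.search(reverse_name):
        return 0.4
    return 0.6

def should_list(s: Sightings, whitelist: frozenset = frozenset()) -> bool:
    """Non-spam counts against listing, whitelisted ISP servers are never
    listed, and a couple of isolated reports are not enough on their own."""
    if s.ip in whitelist or s.spam < 3:  # assumed floor on the report count
        return False
    return s.spam / (s.spam + s.ham) >= listing_threshold(s.reverse_name)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client asks for: 203.0.113.9 -> 9.113.0.203.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

# Constructed sample sightings using documentation address ranges.
SAMPLES = [
    Sightings("192.0.2.10", spam=40, ham=0, reverse_name="pool-192-0-2-10.example.net"),
    Sightings("198.51.100.5", spam=8, ham=2, reverse_name="mail.example.org"),
    Sightings("203.0.113.9", spam=2, ham=0),
]
```

With these assumed numbers the mail-server-looking host with 8 spam and 2 ham sightings stays off the list, while the dynamic-pool host with 40 spam and no ham goes on it.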
Re: Seeking help on anti-spam project

am 03.12.2006 03:54:35 von Steve Baker

On Sat, 02 Dec 2006 08:52:07 GMT, Alan Connor
wrote:

>On comp.mail.misc, in
>, "Jem Berkes"
>wrote:
>
>>> So some spammer finds a way to use someone's server/computer
>>> and they get blocklisted and suddenly they and maybe their
>>> clients won't be able to send mail to anyone.
>>
>> If individual IP addresses are blocked, the collateral is very
>> minimal. If a PC is compromised (virus, zombie, etc.) it is
>> a source of internet wide abuse and there are many admins who
>> would legitimately block it.
>
>The owner of the computer should be notified first and given
>a chance to fix the problem.

How would you do that?

>> The one situation I am unhappy about is when some bad apples
>> relay mail through the ISP's server and it looks like the ISP's
>> mail server is a spam source. I try very hard to fix that
>> problem, but it's a downside.
>
>Indeed.
>
>>
>>> Or the IP addresses on the spam may be _forged_.
>>
>> No, not on modern TCP stacks (which thwart sequence
>> attacks). SMTP requires a two way conversation so if the data
>> is flowing back to the other IP, it is not forged.
>
>> If the IP was fake then the two way conversation is
>> impossible. When you receive a TCP connection from an IP
>> address, that is the real IP address you are talking with ...
>> and those are the IPs we use. The crap in the headers is often
>> added to confuse, though the real IP address is in there too if
>> you look in the right spot.
>
>There could be a proxy between the two, re-writing the
>IP to make it look as if it came from the proxy. It would
>only be forwarding in two directions.

Only two directions? Heh. Hey, Beavis, the packets *would* be coming
from the proxy, "re-writing" makes no sense in this context.

>>> It assumes that everyone who is sending or relaying spam is
>>> doing it willfully.
>>
>> If your PC is compromised by a virus, relaying spam, or
>> severely misconfigured and flooding networks, your host is
>> responsible for abuse and your host will be seen unfavourably
>> by others. What is unfair about this? A community frowns upon a
>> member (host) acting irresponsibly.
>
>Sure. But again, that person should be notified before
>blocklisting.

Again, how would you do that? Use the Microsoft Messenger that so many
spammers like to use? There's no way for a third party to notify the
owner of a spam zombie, and there's no reason to continue to accept spam
from one of the millions of spam zombies prior to notifying them of their
problem even if there was a way to notify them.

>>> Even if you notified the server/computer that the spam was
>>> coming from or being relayed through, (and I saw no mention
>>> of this in your article) and they fixed the problem in a
>>> jiff, there is no guarantee that everyone would update their
>>> blocklist in a timely fashion, if ever. And that IP-domain
>>> would have its reputation tarnished.
>>
>> Alan, I don't think you're a bad guy by any means.

Alan is a crazy dingbat. He's also a "bad guy" in the sense that he's
an abusive asshole.

>Thanks for that, Jem.
>
>> But I am not running after the hundreds of thousands of
>> hosts who spam me daily, asking them politely to fix their
>> problems.
>
>That many?!
>
>Holy _____!!

Beavis, there are hundreds of thousands of new spam zombies entering
service every day.

>> They may be malicious, they may be not, I really
>> DO NOT CARE. Most of the IP addresses that spam me are bots,
>> zombies, running custom spamming/flooding software. They
>> operate in distributed networks, remote controlled, on stolen
>> resources.
>
>That's my understanding. I don't bother trying to track them down
>myself, actually. If it's spam it gets dumped.
>
>I've done the basic host and whois checks on a couple of spams
>and sent complaints to the domains and received no responses.

Based on the 'net competence you've demonstrated, you probably sent
your reports to the spammers themselves.

>> I am just listing the IP addresses which send me and my members
>> spam, nothing more, nothing less.
>
>So it would be a very good idea for _everyone_ to check the
>blocklists for their own IP on a regular basis?

Yeah, you should check your IP address. It's on many blocklists.

>> I am not telling anyone to block those IPs. I'm not claiming
>> these are bad people. I am not making a statement about their
>> business practices or motivations, or religion. All I am saying
>> is: THIS IP SENT ME SPAM.
>
>Okay. Thanks for the clarification.
>
>At least you are trying.
>
>I'll do it my way. I am actually even harder in this regard
>than you are. Though I don't block by IP/FQDN.
>
>http://home.earthlink.net/~alanconnor/cr.html
>
>---------------------------------------------------------
>
>Now you could do me a big favor and explain how it is that
>spam can arrive in my box without my address in any of the
>addressing headers. I have been _told_ that there isn't a
>long list of addresses in the Bcc header.

Ah, what a great ending to a Beavis post. After blabbing a bunch of
bullshit he admits that he doesn't even understand how email works.
That's just perfect. :-)

--
Steve Baker

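The quoted point above is that the TCP peer address cannot be forged and is recorded "in the right spot" of the headers even when the rest is noise. As an added example (not code from anyone in the thread), here is one way a receiving site can pull that address out: trust only the Received: lines its own MTAs prepended, and take the first hop that came from outside. The host names, addresses and the sample message are constructed.

```python
# Added illustration (not from the thread): read the connecting IP from the
# Received: line that OUR OWN MTA prepended, ignoring lines a sender can forge.
import email
import re
from typing import Optional

# "from <helo> ... [<ip>] ... by <host>"; re.S keeps it tolerant of header folding.
RECEIVED = re.compile(
    r"^from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def connecting_ip(raw_message: str, my_hosts: frozenset) -> Optional[str]:
    """Walk Received: lines top-down (newest first). Each must have been added
    'by' one of our hosts; the first hop 'from' a host outside our own
    infrastructure names the TCP peer our MTA actually talked to."""
    msg = email.message_from_string(raw_message)
    for line in msg.get_all("Received", []):
        m = RECEIVED.search(line)
        if m is None:
            return None                  # unparseable hop: do not guess
        helo, ip, by = m.groups()
        if by.lower().rstrip(";") not in my_hosts:
            return None                  # not our hop: nothing below is trusted
        if helo.lower() not in my_hosts:
            return ip                    # first external hop
    return None

MY_HOSTS = frozenset({"mx.example.com", "gw.example.com"})
# Constructed sample: the bottom Received: line was written by the sender and
# claims a clean-looking relay; our gateway recorded the real peer, 192.0.2.77.
SAMPLE = """\
Received: from gw.example.com (gw.example.com [203.0.113.1])
        by mx.example.com (Postfix) with ESMTP id 000001;
        Sat, 2 Dec 2006 10:00:02 -0600
Received: from dsl-192-0-2-77.example.net (unknown [192.0.2.77])
        by gw.example.com (Postfix) with ESMTP id 000002;
        Sat, 2 Dec 2006 10:00:01 -0600
Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.1])
        by mx.example.com with SMTP; Sat, 2 Dec 2006 09:59:00 -0600
From: someone@example.net
Subject: constructed sample

body
"""
```

The sender-supplied bottom line naming 198.51.100.1 is never reached, because the walk stops at the first hop that came from outside the site's own hosts.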
Re: Seeking help on anti-spam project

am 04.12.2006 10:51:24 von Peter Peters

On Sat, 02 Dec 2006 11:22:30 -0600, Jem Berkes wrote:

>> I used to use a mail forwarder. This works by, for instance, mail to
>> sardines@purse-seine.net being forwarded to my mail box at big mail
>> provider such as hotmail.
>>
>> So the mail forwarder is forwarding everything, just as their
>> customers have requested. Including spam. Just as their customers
>> have requested. So what happens? The mail forwarders' IP addresses are
>> blacklisted as sources of spam by the inept, big mailbox providers.
>>
>> Please make sure you know what you are doing otherwise you become part
>> of the problem rather than the solution.
>
>I understand what you are saying. One of the services that taught me this
>lesson was the bigfoot.com forwarder. Now I'm always on the lookout for an
>IP address that appears to be the 'source' of many sightings.

As I understand it the bigfoot.com forwarder would also be a source of
non-spam and thus would likely not end up in the blacklist.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

Re: Seeking help on anti-spam project

am 04.12.2006 21:28:49 von Jem Berkes

>>I understand what you are saying. One of the services that taught me
>>this lesson was the bigfoot.com forwarder. Now I'm always on the
>>lookout for an IP address that appears to be the 'source' of many
>>sightings.
>
> As I understand it the bigfoot.com forwarder would also be a source of
> non-spam and thus would likely not end up in the blacklist.

That's right (ideally) except the address was so old, late 1990s, it became
a source of pure spam.

--
Jem Berkes
www.sysdesign.ca

Re: Seeking help on anti-spam project

am 07.12.2006 21:05:58 von John Thompson

["Followup-To:" header set to comp.os.linux.security.]
On 2006-12-03, Steve Baker wrote:

> On Sat, 02 Dec 2006 08:52:07 GMT, Alan Connor
> wrote:
>>
>>Now you could do me a big favor and explain how it is that
>>spam can arrive in my box without my address in any of the
>>addressing headers. I have been _told_ that there isn't a
>>long list of addresses in the Bcc header.

> Ah, what a great ending to a Beavis post. After blabbing a bunch of
> bullshit he admits that he doesn't even understand how email works.
> That's just perfect. :-)

Now, isn't Alan the guy who's been promoting the undefeatable and
perfectly effective challenge/response method of fighting spam? Is this an
admission that C/R doesn't work even for him?

--

John (john@os2.dhs.org)

Re: Seeking help on anti-spam project

am 08.12.2006 10:46:06 von nico

Alan Connor wrote:

> The only solution is for the individual to say no to spam and
> use a version of Challenge-Response system.
>
> http://home.earthlink.net/~alanconnor/cr.html

Oh, my. I start a new job in another country, and I get to see old,
broken ideas being hawked again.

Go take a look at http://www.craphound.com/spamsolutions.txt to see why
any particular solution proposed here will probably not work.