About WB8TYW

  • Rank
    Advanced Member
  1. The first thing that you should realize is that the bl.spamcop.net is an aggressive blocking list and will on occasions list real mail servers. A real mail server is typically listed for the following reasons, in order of probability:

     1. Weak passwords on SMTP auth.
     2. Mail server auto-responding or bouncing spam/viruses to the known forged addresses.
     3. A multi-hop exploit where spamcop.net does not detect that it is only a relay. (Spamcop.net tries not to list multi-hop outputs.)
     4. A different security hole where spammers have control of the server.
     5. A user of that mail server reports their own mail server.

     A paying spamcop member can see if there is a past history for those I.P. addresses. So if you are using bl.spamcop.net, you are going to have noticeable false positives from time to time.

     The second thing is that it is bad to silently delete detected spam, but not quite as bad as to bounce it to the forged address that it came from. Detected viruses should be sent to a human to determine where to notify the proper network owner if you can not reject them in the SMTP transmission.

     When a mail server is not going to deliver a message, it should end the SMTP session with a 500 series code like 550 to indicate such, and supply a brief text message as to why. This is part of the SMTP protocol. If it is a mail server that is a gateway to other mail servers, and it can not determine that the end mail server can accept the message, then it should reject the SMTP session with a 400 series code like 440 with a text message. Then a real mail server will retry later. Spam and viruses will usually not retry. The 500 series code or too many 400 series codes will cause the sender's mail server (if it is a real e-mail) to send a notice to the original sender so that they know what happened. That way when a real message is mis-classified as spam, the sender will be notified, and when you have intermittent network issues, the mail will eventually get through.

     Since a real mail server usually is not on the bl.spamcop.net list long, some mail server operators reject mail from those listings with a 400 series code, so the real e-mail is only delayed by a little bit. A mail server or spam filter that can not issue the 4xx or 5xx codes for detected spam or non-existent users is not robust enough for the current internet e-mail system as it has no way to non-abusively notify senders of real mail that gets mis-classified.

     -John Personal Opinion Only
  2. WB8TYW

    Gmail's server blocked

    A lot of ifs. If you have a Microsoft based operating system that can be spammed with the messenger service, it usually means that the spammer and unknown others have easy access to your system through many known exploits. Shutting off the messenger service does not stop the serious exploits that receiving a messenger spam indicates are available. All that is done by shutting off the messenger service is to disable the most visible and harmless exploit of the set. This is documented in the Microsoft bulletin on the issue. Only the use of a firewall will block the more serious exploits, which include full access to your hard drive under the right conditions, and as a side effect it totally blocks the minor messenger spam exploit. Since you are implying that you have a firewall, if it is properly configured, the only thing that shutting off the messenger service is doing is likely preventing you from being notified of remote printing jobs, assuming that you have a separate computer for spooling print jobs. For anyone to make the claim that shutting off the messenger service is a solution to messenger spam is an indicator that they do not have enough of a background in computer security to even understand what is given away by activities over a network.

    It is quite possible and even likely that gmail is encoding the originating IP in the headers and in a form that with only a little work a human could decipher. That seems to be a standard procedure for webmailers so that they do not have to depend on historical records to track a complaint. It just apparently is not a format that spamcop.net knows how to decipher. Gmail is apparently going through a learning curve, and if they want their service to succeed, they will need to make it impossible for spammers to use it. A search of news.admin.net-abuse.sightings will show what spam has been seen coming from google servers.

    -John Personal Opinion Only
  3. The first thing that you need to do is find out why those I.P. addresses are being listed. A listing is usually a strong indication that there is a severe misconfiguration of that network. When that many I.P. addresses are listed it usually indicates that there has been a security problem and criminals have control of your systems. Criminals scan for improperly secured machines and when they find them they will either use them or sell the information on how to exploit them to other criminals.

     Let's start with: As has been pointed out, it does not have rDNS, which you said you are getting fixed. Now what is recommended is that the rDNS name indicate what the I.P. address is being used for and who is using it. If this is an outgoing mail server, it is a very good idea to put the text "smtp" or "mail" in the name, which will make it easier to convince remote administrators to whitelist it from one of their local blocks. For I.P. addresses that are DHCP assigned, put the text "dhcp" or "dynamic" in them, and forget about ever putting a mail server on them. Most of the mail administrators I know will not accept any e-mail from a known or suspected DHCP pool.

     Sending to spam traps means one of two things: 1. Criminals have control of that system and are sending spam. 2. The mail server is generating new mail messages in response to spam. The second case is when a mail server is either mis-configured to bounce detected spam or viruses, which should never be done, or it is accepting all e-mail and bouncing what can not be delivered. Such a mail server is participating in a denial of service attack against other mail servers, as almost all non-deliverable messages are either spam or viruses with forged addresses. The only non-abusive method that a mail server can use to notify of non-delivery is to signal this with an SMTP reject code before the SMTP transaction is complete.

     So let's see if more information can be found: drbcheck - www.moensted.dk/spam lookup. Much can be found on that page. A SPEWS listing generally indicates that the owner of a network is either actively assisting spammers and network abuse or is generally ignoring such abuse. I can not find anything for that specific I.P. address, but because this is in China, it means that many networks will not accept e-mail from that range, especially a range with no rDNS at all. This is because of years and years of Chinese ISPs allowing spammers to host web pages or not acting on abuse complaints. Usually this means that you will have to contact the Deputies to find out more details of why the I.P. address is listed. In the past where followups have been posted, and only spamtrap hits exist, the two most common causes are: A: There is one or more accounts on the server with either no password or one that is easy to guess. In this case, it means that the spammers may have full control of that server and a full clean up is needed. B: The server is auto-responding to spam and viruses instead of using SMTP reject codes. As pointed out earlier, it means that system is participating in a denial of service attack against networks that spammers have forged in their attempts to evade poorly written spam filters. Sending to a spam trap means that your server sent an e-mail to an e-mail address that has never ever sent an e-mail. A properly configured and secure mail server will not do that.

     Now for an example of why there are country wide blocks, it is a matter of economics. A large e-mail server operator pays a metered rate for each message that comes into their server. Currently 75 percent of all e-mail delivery attempts are spam. To attempt to sort out the good mail from an I.P. block from the spam is too expensive, because it means paying for 75% more bandwidth than the server operator would normally need. The only way for a mail server operator to contain their costs is to not accept I.P. addresses that the owner has allowed spam to be sent from. These avoided costs can be in the thousands of U.S. dollars per month. And when a network owner allows spam to be sent from a lot of I.P. addresses, then the mail server operators will start blocking all e-mail from that network, and only open up an I.P. address if they have a user that needs it. If a number of network owners in a country allow spam to be sent, then to save costs, mail server operators will start blocking all e-mail from that country. China is one of a small list of countries that many mail server operators have given up on taking a chance that a real e-mail will come from it.

     Now look at the listings from the Moensted list. It is not normal for any ISP to have a SPEWS listing. The SPEWS listing is showing spammers that are buying access from your ISP and that have been reported to your ISP. If you look at the SPEWS listing, it has several comments of "may have to add". This usually indicates that whoever runs SPEWS thinks that nothing is being done to remove the spammers that SPEWS is showing as being customers of that ISP. Generally to get a SPEWS listing, it appears that a network has to ignore spam and abuse complaints for a very long time. It also means that by that time, many other networks have given up accepting any packets from that network. It is only recently that there has been any indication that your government seems to have realized how much damage this has done to the Chinese reputation and that it is affecting Chinese participation in e-commerce. Here outside of China, all that is seen about this anti-spam push is press releases. The amount of spam being reported to Chinese ISPs that are hosting web sites for products that are illegal to sell in most parts of the world has still been increasing. And most of the reporting addresses that the ISP should be paying attention to are showing up as non-functional.

     Think of spam as a toxic disease that is being quarantined. Expect that the longer that spam is allowed to come from an I.P. address, the more I.P. addresses around it will be considered contaminated and the longer it will take before people will take a chance that the I.P. address is clean. If a network has ever provided any services to what spamhaus.org lists as a ROKSO spammer, those I.P. ranges are probably useless for e-mail for at least the next decade. Ask your ISP about the SPEWS listings and why SPEWS is saying that they need to be expanded. As near as anyone can tell, SPEWS would only be expanding the listings if your ISP is still hosting spammers, which you say is against the law in your country.

     The people that are blocking your IP because it is in China or because of your ISP will not change, and there is nothing that either you or I can type here that is going to change what they are doing. All the people here can do is let you know how bad the problem that you have is. It does not do any good to complain to the rest of the world how unfair it is. Your network provider and other network providers in your country caused the problem, and only when it is hard to find a spam site hosted in China or a spam delivery attempt from China do I expect your problems with e-mail to start to diminish. Until that happens, most network owners will not believe that your country or ISPs are doing more than issuing press releases. Now I do not control any mail servers or blocking lists, so there is nothing that I can do other than type this. You can find and stop the spam e-mail that is coming from your netblock. If your mail servers are properly configured to use SMTP rejects, and your security is intact, then unless you sign up a spammer as a customer, your network should never be affected by spamcop.net.

     For the other blocking, that is in the hands of your network provider. As long as they are doing any business with a spammer, any at all, you can expect to find other networks refusing all e-mail from any IP address assigned to that ISP. And most of the world seems to think that China has one single ISP run by your government. So if any ISP in your country is willing to sell any service to a spammer, you can be affected. And right now, it is no problem at all to find spam samples of web pages being hosted in China posted in news.admin.net-abuse.sightings. If your country was serious about enforcing the anti-spam laws it would have no trouble locating the Chinese I.P. addresses that are being used by spammers.

     -John Personal Opinion Only
  4. WB8TYW

    Any way I can help?

    When an ISP gets a complaint about a compromised computer, they should perform a scan and if it fails then quarantine that computer to immediately stop the spam/viruses from it. The scan is needed to prevent GWF or GW spamfilter type reports from triggering a false positive, but it should only take one valid complaint for an ISP to take action. They may not get any more before they are in local and public blocking lists all over the internet. Giving the user time to react allows too many viruses or spam to be sent, and spammers will target ISPs that delay taking action, as they know that they can get a specific amount of spam through those ISPs. Also, on a broadband ISP, a compromised machine being used in a spam run or actively spewing viruses is enough in some areas to cause outages to hundreds if not thousands of customers because it is saturating a common link.

    DSBL has a set of free open source tools that can be used to scan a machine, and at least one ISP has posted that they have set up a program on their abuse e-mail box to start the scan for a zombied machine. From monitoring posts on my current broadband ISP's internal forum, at least two major U.S. ISPs will quickly put any virus or spam source in their local blocking lists, and that includes the mail servers of other ISPs. As they tend to block only one or two of the apparent 14 outgoing mail servers, it is hit or miss if a mail to those ISPs gets through, and it seems to take about 48 hours to get the blocks removed. Also when the spamcop.net listing information was available to the public, for a period of a couple of weeks, I was able to map every user complaint about extreme performance problems or outages to active zombie computers operating in their vicinity. Since I.P. addresses were obtained from news.admin.net-abuse.sightings, and then checked with spamcop.net reports, in all cases it appeared that the ISP would have received the complaint identifying the zombie computer's IP address for days before the users were complaining about the outages. It appears that my broadband ISP no longer feels that warning periods are appropriate for owners of compromised machines, and about the time of that change in policy, the amount of user complaints about poor speed dropped considerably.

    It is interesting that many broadband ISPs try to discourage their users from using hardware firewall routers when they should be encouraging them. But an ISP is really limited in requiring specific software to be installed. Many systems are not prone to viruses or malware, so there is no market for scanners for them, and what scanners are available may not be cheap. I can not find a free virus scanner for my computer in a ready to use binary format from a trusted source. The most that an ISP can really do is to scan an IP to determine if it has ports that are typically used by malware open, or that they can relay through it. And most can not be continually running such a scan on their IP address. An ISP could set up a system where a user could be automatically quarantined when a scan fails, and leave the user with access to download fixes, and also request a rescan where if they pass the quarantine would be removed automatically.

    -John Personal Opinion Only
  5. WB8TYW

    This service really sucks

    http://ops.mail-abuse.com/cgi-bin/nph-ops-sview? From January of this year, hopefully fixed since then: Bouncing undelivered e-mail to forged addresses. Effectively means that the mail server is participating in a denial of service attack against the forged domains/e-mail addresses that spammers and viruses use. For every real message coming in, statistics are indicating that a mail server is receiving about 3 viruses or spam delivery attempts. And almost all undeliverable messages are from viruses or spam using forged addresses. Using SMTP rejects is the only way to non-abusively and most reliably notify a real sender that their message was not delivered. Usually the only way that the victims of such a denial of service attack can protect themselves from having to pay for the bandwidth from the abusive bounces is to block all e-mail from that mail server. There is a possibility that the unknown people that reported that data to MAPS also got the I.P. put in a local blocking list to protect their own mail servers. Who knows if that was an administrator for a major ISP, and who knows if they are using that local list to silently delete all e-mail instead of rejecting it?

    -John Personal Opinion Only
  6. WB8TYW

    Confusion of e-mail providers

    http://ops.mail-abuse.com/cgi-bin/nph-ops-... Shows that last November, the mail server was bouncing spam to forged addresses when the spam victim's mail box was full. Not good. Mail servers should be using SMTP rejects when they can not accept e-mail as that is the only non-abusive method of notifying a real sender that their mail was not accepted. Mail to a full mail box should be rejected with a 4xx series error. Bouncing messages instead of using SMTP rejects assists spammers and virus writers in using the bouncing mail server to conduct a denial of service attack against another spam victim's mail box.

    While the protocol for sending messages allows such bounces, they are an artifact from when independent third party open relays were routinely used to route e-mail. The end point mail server would issue an SMTP reject, and the open relay would convert it to a bounce. Now open relays are blocked on sight, and mail is sent from mail server to mail server, so the use of bounce messages is effectively obsolete. And since well over 99% of undeliverable e-mail is either spam or viruses with forged addresses, bouncing is now very abusive. Especially considering that current statistics show that for each real e-mail coming into a mail server, 3 spams or viruses are also being delivered.

    Anyone whose mail server provider is bouncing instead of using SMTP rejects is going to eventually find that there are many other networks that will refuse all e-mail from them, and worse, that even more are just silently deleting all e-mail from them. And this has nothing to do with spamcop.net, it is just a matter that those networks doing the blocking do not want to incur additional costs on their side to deal with a misconfigured mail server. While you may pay a fixed rate for your internet connection, a mid-size or larger service pays by the amount of messages times their size. A mail server abusively bouncing to forged addresses can run up a significant cost on the receiving side in a small amount of time if they try to sort the real e-mail from the forged bounces. Most mail servers only have the ability to protect themselves from spam/viruses or other DOS attacks by rejecting all e-mail from the attacking I.P. address, and that can not be easily changed. And why should the users on the receiving side pay more to compensate for a configuration problem on the sending side?

    -John Personal Opinion Only
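The point made in posts 1, 5 and 6 is that a receiving mail server should answer at SMTP time with a 4xx or 5xx reply instead of accepting the message and bouncing it later. The following example is added here and is not code from the original posts: it runs a tiny in-process SMTP receiver on localhost that applies a constructed recipient policy at RCPT TO, then uses Python's `smtplib` as the "sending mail server" to show what each reply code means to the sender. The addresses, the `example.test` domains and the policy table are all made up for the demo; the reply semantics (4xx retried later, 5xx terminated with a notice to the original sender) are standard SMTP behaviour.

```python
import smtplib
import socket
import threading

# Constructed recipient policy for the demo (not real addresses or rules):
# a 5xx reply means "do not retry, tell the original sender"; a 4xx reply
# means "try again later", which only a real mail server will keep doing.
POLICY = {
    "nobody@example.test": (550, "5.1.1 No such user here"),
    "gateway@example.test": (450, "4.2.1 Downstream server unreachable, try again later"),
}

def smtp_reply(rcpt):
    """Reply for one RCPT TO address; anything not in POLICY is accepted."""
    return POLICY.get(rcpt.lower(), (250, "2.1.5 Recipient ok"))

def sender_action(code):
    """What a sending mail server does with a reply code (RFC 5321 semantics)."""
    if code < 300:
        return "delivered"
    if 400 <= code < 500:
        return "queue and retry later"
    return "stop and send a non-delivery notice to the original sender"

def _serve_one(conn):
    """Minimal SMTP receiver that rejects at RCPT TO rather than bouncing later."""
    rfile = conn.makefile("rb")

    def send(code, text):
        conn.sendall(f"{code} {text}\r\n".encode())

    send(220, "policy-demo.example.test ESMTP")
    in_data = False
    for raw in rfile:
        line = raw.decode(errors="replace").rstrip("\r\n")
        if in_data:                      # message body until the lone "."
            if line == ".":
                in_data = False
                send(250, "2.0.0 Message accepted")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            send(250, "policy-demo.example.test")
        elif verb == "MAIL":
            send(250, "2.1.0 Sender ok")
        elif verb == "RCPT":             # "TO:<addr>" -> addr, then apply policy
            address = arg.split(":", 1)[1].strip().strip("<>")
            send(*smtp_reply(address))
        elif verb == "DATA":
            in_data = True
            send(354, "End data with <CR><LF>.<CR><LF>")
        elif verb in ("RSET", "NOOP"):
            send(250, "2.0.0 OK")
        elif verb == "QUIT":
            send(221, "2.0.0 Bye")
            break
        else:
            send(502, "5.5.2 Command not implemented")
    rfile.close()
    conn.close()

def start_server():
    """Listen on an ephemeral localhost port; returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listening socket was closed
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv

def try_delivery(port, rcpt):
    """Act as the sending mail server; return (reply code, what the sender does next)."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example.test",
                      timeout=5) as client:
        try:
            client.sendmail("user@sender.example.test", [rcpt],
                            "Subject: demo\r\n\r\nhello\r\n")
            code = 250
        except smtplib.SMTPRecipientsRefused as err:
            code, _text = err.recipients[rcpt]   # the reply seen at RCPT TO
    return code, sender_action(code)

def run_demo():
    """Run the three constructed cases against the in-process server."""
    port, srv = start_server()
    try:
        return {r: try_delivery(port, r) for r in
                ("alice@example.test", "nobody@example.test", "gateway@example.test")}
    finally:
        srv.close()

if __name__ == "__main__":
    for rcpt, (code, action) in run_demo().items():
        print(f"{rcpt}: {code} -> {action}")
```

Because the refusal happens before the message is accepted, no new message is ever generated toward the (possibly forged) envelope sender; the only party that produces a notice is the sender's own mail server, which knows the real submitter.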
  7. WB8TYW

    Newbie spam tech questions

    I left that detail and your other one out on purpose as I was already quite wordy, but those ranges are generally covered by the "conservative" DNSbls which get them mapped out rather quickly. As you say they end up in the sbl.spamhaus.org. From the statistics that I have seen, they are only a small percentage of the spam origin. These are the locations that the spammer's web sites are generally located at. Most of the spammers seem to realize that those address blocks are useless for sending spam. In this thread we are trying to be non-technical. But a newbie may be interested in reading the FAQ at http://www.spews.org for a different view of handling spam than either spamcop.net or spamhaus.org.

    -John Personal Opinion Only
  8. WB8TYW

    Newbie spam tech questions

    Replace port with route or path and your answer will be more correct. E-mail is what is known as a store and forward protocol. For the normal home user, their computer sends an e-mail to their own ISP's mail server, regardless of where the message is eventually going to go. That mail server is the one that figures out how to get the message to its ultimate destination and reports back with a new e-mail message any problems that it gets. This process can be quite time consuming in the background; while normally in this day and age an e-mail will go out in seconds, the process can actually take several days. This also means that anyone who has a business model dependent on instantaneous delivery of e-mail is going to either be very lucky, or eventually they will be disappointed. The process of sending an e-mail directly to a remote server can take much longer than a dialup connection would allow, and while a broadband connection is on all the time, if the computer is off before the e-mail gets accepted by the remote server, then it will be silently delayed until the computer is powered up again. While a mail server program could be on a home broadband connection, as there is on the computer I am using, it is not practical for me to use it on a DHCP connection. Very few other mail servers will accept e-mail from a DHCP address. The ones that do are drowning in spam.

    A port is a number assigned to an outgoing message fragment on the internet so that the receiving computer knows what program on it to send it to. There is an internet convention of what ports are used for what programs, and those ports also have names. Now a port can be blocked at a router. One of the issues with that is that routers need to be fast for an ISP, and for a router to have to decide whether to block a port based on the sending I.P. address can induce a speed penalty. SMTP uses port 25 for normal connections. There is also an SMTP port 587 for connections to a private mail server. When I am sending e-mail through mail servers other than my ISP's, I send it through port 587.

    Just one of many ways that an infection can be caught. A fully html enabled or script enabled e-mail program can easily pick up an infection. Lately all e-mail clients have scripting off, but many will still automatically open external links. Not having a firewall on some types of computers is all that is needed to get an infection. And of course opening attachments on some types of computers will, instead of "opening" the attachment, actually run it as a program. Most users of those systems do not know the difference, and why that behavior is extremely bad, and makes those types of computers extremely vulnerable to viruses.

    The ability to alert on network traffic levels and indicate which I.P. addresses are generating excessive traffic is a standard feature on most network monitoring stations. Of course that requires the network not to be always running at capacity. And it should be possible for an ISP to pay whoever supplies their auto-answer software for their abuse mail box to have that script queue up a security scan for any of that ISP's I.P. addresses that are contained in it, and take action if a problem is found. When an ISP verifies that a customer is sending spam or viruses: The responsible ISPs will lock that I.P. address to the customer, and then block it from sending email until that system passes their security scan. That whole process can be automated to save costs where the customer can request a rescan to verify that they are fixed. The ISPs that wait days to cut off the machine if it is not fixed are hurting themselves and a large number of their customers. In some areas, it only takes one zombie computer to knock out several small towns' internet connections for all practical purposes while a spam run is in progress. In other areas it may take a few more before outages start being noticed.

    At one time, apparently before my broadband ISP started near real time monitoring of selected DNSbls, there were quite a few users complaining about bad connectivity in their area. I looked up their subnet address from their posts, and then checked news.admin.net-abuse.sightings, and the spamcop.net evidence which was still available back then for anyone to look at. I was able to find in most cases one or more active zombie computers on their network segment and usually the dates in the .sightings and in the spamcop.net evidence indicated that there should have been several days of abuse reports identifying the specific zombie computers. This basically shows that if the ISP gives the owner days to take action, or only acts on such problems from 9 to 5, 5 days a week, then there will be a large amount of paying customers impacted badly and in many cases the ISP is issuing refunds for a problem that should have been solved days earlier. Of course the ISP eventually covers that cost by either raising rates, or cutting services. Part of the issue with fighting spam is educating the average user to understand how badly spam problems on their ISP affect them, and just how doing "Just hit delete" both costs them significantly more, and also increases the possibility that real e-mail will be lost in the noise of spam.

    There is also a new increasing risk to all users of a network that permits spam to reach their non-technical users. Some of those users may implement extremely abusive anti-spam measures that will cause other mail servers to block that network's mail servers to stop the mail bombing. The traditional stupid anti-spam trick of sending a bounce of a challenge to the usually forged address was good enough for that, but many times no one at the abuser's network ever needed to get e-mail from the forgery victim's network, so the blocks were not noticed. That stupid trick has been superseded by a new product (if it is still available). It abusively sends a spam notification to the registered domain owner of every domain name found in the spam or the headers, including those placed there by the local network's mail server. When I last looked there were two DNSbls that are listing any user of the product that is brought to their attention. Note that almost all mail servers can be configured to block I.P. addresses that are mail bombing them. Only a few can be configured to just block an offending user. So all you need is one other user doing something abusive with the spam that they receive to find many networks refusing your e-mail, or silently deleting it.

    -John Personal Opinion Only
  9. WB8TYW

    Newbie spam tech questions

    For many users it is not that much of a problem. If you have a competent network administrator or postmaster, over 80% and up to 95% of the incoming spam can be rejected with out the risk of rejecting real e-mail, and that is before the spam ever leaves the sending machine. This is by using the conservative DNSbls. Note that the spamcop.net DNSbl is not a conservative DNSbl. This is not only the most effective way of blocking most of the spam, it is also the cheapest thing for a network operator to use. And in the rare case that a real e-mail is rejected, the sender gets notified by their ISP. While occasionally there have been errors with the conservative DNSbls, they are very rare. If you then apply the state of the art in content filtering to the mail that makes it through the conservative DNSbls, almost all of the spam can be eliminated with out risk of a real e-mail being rejected. The problem is that only SpamAssasin 3.0 is known to have those features, and not all mail servers can use SpamAssasin. Just about all the mail servers can use the conservative DNSbls though to lower their oprating costs by reducing the incoming spam. Also, even though the most accurate spam detection algorithm in SpamAssasin 3.0 has been known to the public internet for well over a year, it appears that none of the commercial spam filter vendors have adopted it. Instead they seem to concentrate on spam filtering algorithms that have proven to be easily bypassed by spammers several years ago. It is basically because the average ISP user does not understand this, they can end up paying more for bad service. The other argument in favor of doing incompetent spam filtering is that filtering is censorship. The people making such statements are never the ones willing to pay the entire cash costs of what they are asking for. Instead they want it spread over thousands of users. 
It appears that all of the mail servers that I get e-mail on now use at least some conservative DNSbls, so the amount of spam I have to report is low, and mainly new zombie computers that have not yet made it into the sbl-xbl.spamhaus.org. If my mail server operators systems could analyze the content of suspected spam before the SMTP transaction was over, and check the I.P. addresses of the URLs in them against the same I.P. addresses that they refuse e-mail from, then I would have almost no spam to report through spamcop.net. What is know to work to remove the majority of spam has been known for a while, and what has been known to reliably remove the majority of the spam that gets though the blocking lists has also been known for over year. That authentication is only useful for e-mail sent through the ISP's mail servers. Most spam is sent directly from computers that have been infected with a remote control program and does not go through the ISP's mail servers. So your next question would logically be why do not ISP's block mail from coming from those I.P. addresses? First it would require the ISP's to keep track of what I.P. addresses are running servers and which are not. Of course many broadband ISP's prohibit all services on their home user I.P. addresses so that should not be an issue. So the typical answer is that it would require all the mail servers that allow access to them from outside of their local network, which is a typical company mail server, to properly secure their mail servers for that type of access. And it appears that many companies still use insecure methods to have their remote users access their mail server. Spammers look for those insecure servers and probe them with common username/password combinations. They seem to get into a large number of them that way. It is one of the most common ways for a real mail server to get listed on spamcop.net. 
As stated by another poster, some networks do that, and only white list mail servers in those countries by request of a one of their customers. Of one mail server operator I know that blocks by country, the rejection message text that accompanies the SMTP reject code explains how to request a whitelisting. The last report I saw from that postmaster several years of operation with an international population of users, no one internal or external has requested an exception be made in a country specific block. And there are many people who do not understand network management that would consider such blocks censorship. So many ISP's do block e-mail from those countries, but instead of blocking it outright, they block the network segment that they received spam from. Ususally none of their customers ever notice. If your mail server operator is not using at least the conservative DNSbls, and has only a content style filter for spam, then your reporting probably will not affect the amount of spam that you get. spam reporting does have an effect. At least one ISP who understands that every second a zombie computer on their network is present is costing them operating cash has stated that they have set up automated processing to handle spamcop.net reports to verify the report and isolate the infected machine. See the costs of spam pinned topic. And from the last report of one of my postmasters, spamcop.net is only catching 3% of the spam delivery attempts, because it is only applied after the conservative blocking lists. Based on reports on an internal user forum for by broadband ISP, anytime that any measurable quantity of spam is relayed through the ISP's mail servers instead of zombies, at least two major ISP's put those I.P. addresses on local blocking lists until they are convinced to remove them. So a smart ISP realizes that a spam report from anywhere is something that needs immediate investigation. 
My broadband ISP has stated on some forums that they are now receiving near-realtime updates for several major blocking lists and looking for their I.P. addresses, so that they can act on spam/virus problems before they get a spam report. And I do not just report spam through spamcop. Most spam is now sent through open proxies, so I submit them to the MAPS-OPS and BOPM for processing. You have to get permission from the BOPM folks to submit to them, but MAPS-OPS just wants you to confirm that you will follow their rules for the first submission. The BOPM and MAPS-OPS will accept reports in the same format. To get permission to submit to the BOPM, you must read their FAQ and follow their instructions to the letter to show that you can understand basic instructions, and have a clue as to what you are doing. The BOPM is part of the xbl.spamhaus.org, and these are considered conservative blocking lists and are used by far more mail servers than the spamcop.net blocking list because of that. The spamcop.net parser also gives me the rDNS of the spam source, and if it is not an open proxy, the spamcop.net parser lets me know if it is in the SORBS dynamic list. And if the spam makes it through on one of my e-mail addresses, then I know that the source is not in the NJABL dynablock list. So then if the rDNS has "pool", "dhcp", "dyna", "ppp", or "dial" in the name, this indicates that the spam came from a dynamic pool that is not known to one of the lists. When I am in a hurry, I only submit it to the dynamic list that the mail server it went through was using. When I have time, I check NJABL, SORBS and MAPS-DUL and submit it to the ones that it is missing from. MAPS-DUL requires a spam sample for them to consider an I.P. address. SORBS wants the rDNS to indicate that the I.P. address is clearly dynamic, and NJABL has not yet acknowledged any of my submissions, but I do not recall seeing any repeat spam from an I.P. block that I have submitted. 
They also do not remove "abuse" or "postmaster" from their lists, or even better "blockme" and "listme", which are common spamtrap e-mail addresses for some of the more aggressive DNSbls. It appears from several investigations that the money is not in spam or the responses to spam, but in selling spamware to victims that think they are going to get rich spamming. Typically the victim spends their last $150 to over $1000 for a spamming kit, and a promise of payment on commissions. Then they spam like crazy until they either lose their ISP connection or finally realize that they are never going to make back more than 10% of the money that they spent. And every time some newspaper or TV show profiles the spammers that claim to be making money (without verifying any of the claims), more victims line up to buy spamming kits. So basically much of the spam is being sent by people who have paid a lot of money to put a program on their computer that they have no idea of what it will do, and no way to determine if they will ever get paid. And even if they can find the con-artist that sold them the useless kit, in order to collect damages, they would have to admit that they bought it to make money by breaking the law. And I have made many posts with several imaginary top level domains. Some of them showed up in the CC: list of spam that made it through to me as other intended recipients because the first part of the e-mail name was the same. I have not seen any of them show up since my broadband ISP added DNSbls to their spam filtering, which removed over 90% of the spam that their expensive content filter was not able to detect. So the spamware is not even smart enough to remove top level domains that do not exist. 
Other postmortems of captured spam databases show that the spammers harvest.anything.with.an[at]inside.ofit and that sample there will eventually show up in a spam database, and so will aaa.proof.of[at]us.canspam.violation eventually, hopefully alphabetized in a file entered into court evidence. Suddenly? You must have just been picked up on by a new group of spammers. Spammers have been using the random letter names for years. The spammer is trying to avoid content filters, and this technique has been known to get through one of the most popular anti-spam defenses that mail programs and spam filter vendors provide. Now it has been well known for at least the past 8 years by anyone with a clue about filtering spam that filtering by alleged incoming e-mail address does not work, but it is still the most offered anti-spam solution. Either the companies offering such options are clueless, or they are just selling placebos to make it look like they really care about their customers, even though they know it does not work. Some poorly implemented spam filters operate on the forged sender name, so spammers will usually choose an ISP name that they think will usually be whitelisted. Some mail servers will now probe the sending domain to see if the sending e-mail address exists prior to accepting the e-mail, if they have not seen e-mail from that user before. Again, it is all something to bypass a spam filtering algorithm that should have been totally discarded almost a decade ago, but is still one of the most popular ones to sell for money. For the e-mail providers that I get most of my e-mail from, I can not whitelist by domain name. I have to request whitelisting by I.P. address, which is something that the spammers can not forge. And then I may have to explain why the sending I.P. address is likely to be in a range blocked by that provider. Use your favorite search engine for "Bedbug letter". Spamcop.net by default suppresses automatic responses from the ISPs. 
Only a few ISPs actually write a personal reply when they kill an account. The ones from Outblaze are the most interesting to read, but because of the anti-spam attitude of them, it is rare to get one. When Suresh fixes a problem it seems to stay fixed. Sprint appears to be just one of many backbones that the Chinese have to connect in from. It appears to be one that is accepting reports. What they do with those reports, I do not know. Steve Linford of spamhaus.org reports in news.admin.net-abuse.email that the situation in China is improving as far as spam, even though it might not look that way. And according to Chinese government press releases, just providing hosting for some of the types of web sites that I see advertised in spam can result in life imprisonment. But that aside, I have seen no change in the amount of spamvertised web sites that are in China. Are you volunteering to be a FAQ editor/moderator? It also looks like it could be useful to have a topic that lists the various spam filtering methods in use, and discusses their strengths and weaknesses. There have been various discussions about them on these forums, but not distilled down, especially for non-techies. It could be used as a guide for those purchasing spam filtering software, so they could make an informed evaluation. -John Personal Opinion Only
  10. WB8TYW

    General Questions

    By not using blocking lists, you are actually increasing the chances that you will miss an important e-mail, either because it is lost in a flood of spam, or your mail server/account quota is full. Statistically, you will lose more e-mail from human error than from use of conservative blocking lists. In general if you are concerned about false positives, just use the conservative DNSbls for blocking:

    sbl-xbl.spamhaus.org - This is an aggregate list including the following:
    sbl.spamhaus.org - I.P. addresses under the total control of spammers.
    xbl.spamhaus.org - I.P. addresses confirmed to be compromised; the xbl comprises the cbl.abuseat.org and opm.blitzed.org.
    cbl.abuseat.org - spamtraps that have been filtered to remove abusive bounces from misconfigured mail servers.
    opm.blitzed.org - I.P. addresses confirmed to have a vulnerability that allows spam to be relayed through them.

    This is a baseline blocking, and if you tag for a year, it is unlikely that you will ever find any real e-mail coming from any I.P. address listed in the sbl-xbl.spamhaus.org. And because of that, many people are using the sbl-xbl.spamhaus.org as one of their baselines. Basically as long as you reject e-mail from any sane open proxy or open relay list, you have no risk of ever getting a real e-mail rejected. Now to further refine your spam filtering: The next highest source of spam is from DHCP allocated ranges, known as dialup pools or DHCP addresses. Most mail server operators that I know block them, and this stops well over 50 percent of the spam delivery attempts. This may stop a real e-mail, but it will be rare. After an I.P. address has passed those tests, there is yet one more test. RFCs require all servers to have a valid rDNS assigned to them. If the I.P. address connecting to your mail server does not have an rDNS assigned to it, then there is a high probability of it being spam. 
This will cut out most of the spam, but not all, and will perform better than any of the commercial content filters that I have seen, and yet has not looked at the content of the message. All these checks can be done before your mail server has committed you to pay for the bandwidth used by the e-mail. Now if you consider the I.P. being on a dynamic list or having no rDNS too risky to consider it spam, or if you find the I.P. address on an aggressive list such as a multi-hop list or the spamcop.net list, then there is a simple test that will further screen out most of the spam. But you will have to accept the body of the mail to do the test. If the I.P. address of a URL in the e-mail does not resolve, or resolves to be in the sbl-xbl.spamhaus.org, then the message is spam, provided that you found something suspicious about the source I.P. address. SpamAssassin 3.0 has the ability to make this check. I have not seen it in any other anti-spam product. Note that applying content filtering on an I.P. address that is not listed in any DNSbl and has a good rDNS is more likely to cause a real e-mail to be flagged as spam than it is to find any more spam than what would otherwise be detected. In general, a system that rejects what it considers spam at the SMTP level with a diagnostic for the exact reason lets the users of the sending system know that they have a problem. With systems that tag or divert spam, the sender is not notified that delivery is delayed, and if the message is accidentally deleted, then no one knows. -John Personal Opinion Only
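The layered screening this post lays out (aggregate list first, then dynamic-pool list, then missing rDNS, then, only for a suspicious source, the URL-host check against the same list), combined with the rDNS naming heuristic ("pool", "dhcp", "dyna", "ppp", "dial") from the earlier post above, as an added Python example. It is not code from the original posts, nor from SpamCop, Spamhaus or SpamAssassin. The resolver is injected so the logic runs offline; the dynamic-list zone name dynamic.example.invalid, the RFC 5737 documentation addresses, the constructed DNS answers and the 127.0.0.x "listed" replies are all assumptions made for the example.

```python
"""Layered SMTP-time source screening, cheapest check first, as the posts describe.

Constructed example; not SpamCop, Spamhaus or SpamAssassin code.
  1. aggregate list (sbl-xbl style): reject outright, no body needed
  2. dynamic/dial-up list, or an rDNS name that looks like a pool address
  3. no rDNS at all
  4. only when 2 or 3 fired and policy is lenient: accept the body and reject if any
     URL host fails to resolve or resolves into the aggregate list
A source that passes 1-3 cleanly is accepted without looking at content.
"""
import ipaddress
import re
from typing import Callable, Optional

# A resolver maps a DNS name to its answer (address as text) or None for NXDOMAIN.
# Injected so the example runs offline; in production it wraps a stub resolver.
Resolver = Callable[[str], Optional[str]]

ZONE_BLOCK = "sbl-xbl.spamhaus.org"        # aggregate list named in the post
ZONE_DYNAMIC = "dynamic.example.invalid"   # hypothetical stand-in for SORBS/NJABL/MAPS-DUL
DYNAMIC_RDNS_MARKERS = ("pool", "dhcp", "dyna", "ppp", "dial")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSbl query name: octets reversed, then the zone (192.0.2.4 -> 4.2.0.192.<zone>)."""
    addr = ipaddress.IPv4Address(ip)        # rejects garbage; these lists are IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """DNSbls signal a listing with a 127.0.0.x answer; anything else is not a listing."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")


def looks_dynamic(rdns: Optional[str]) -> bool:
    """The rDNS naming heuristic from the earlier post."""
    name = (rdns or "").lower()
    return any(marker in name for marker in DYNAMIC_RDNS_MARKERS)


def bad_body_url(body: str, resolve: Resolver) -> Optional[str]:
    """First URL host that does not resolve or resolves into the block list, else None."""
    for host in sorted(set(URL_HOST_RE.findall(body))):
        ip = resolve(host)
        if ip is None:
            return f"{host} does not resolve"
        if listed(ip, ZONE_BLOCK, resolve):
            return f"{host} resolves to {ip}, listed in {ZONE_BLOCK}"
    return None


def screen(ip: str, rdns: Optional[str], body: str, resolve: Resolver, strict: bool = False):
    """Return (smtp_code, diagnostic): 550 rejects with the reason in the reply, 250 accepts.
    strict=True rejects dynamic/no-rDNS sources at connect time without reading the body."""
    if listed(ip, ZONE_BLOCK, resolve):
        return 550, f"{ip} is listed in {ZONE_BLOCK}"
    suspicion = []
    if listed(ip, ZONE_DYNAMIC, resolve) or looks_dynamic(rdns):
        suspicion.append("dynamic/dial-up source")
    if not rdns:
        suspicion.append("no rDNS")
    if not suspicion:
        return 250, "clean source; content not inspected"
    if strict:
        return 550, ", ".join(suspicion)
    # Lenient policy: the source is only suspicious, so take the body and check its URLs.
    problem = bad_body_url(body, resolve)
    if problem:
        return 550, ", ".join(suspicion) + "; " + problem
    return 250, ", ".join(suspicion) + "; body URLs resolve cleanly"


# Constructed DNS answers on RFC 5737 documentation addresses; none of these are real listings.
SAMPLE_DNS = {
    "4.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",        # 192.0.2.4 "listed" in the aggregate
    "7.100.51.198.dynamic.example.invalid": "127.0.0.2",  # 198.51.100.7 "listed" as dynamic
    "pills.example.invalid": "192.0.2.4",                 # spamvertised host in blocked space
    "www.example.invalid": "203.0.113.10",                # ordinary host, not listed
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup."""
    return SAMPLE_DNS.get(name)


if __name__ == "__main__":
    cases = [
        ("192.0.2.4", "mx.example.invalid", "hello", False),
        ("198.51.100.7", "ppp-7.dyn.example.invalid", "buy at http://pills.example.invalid/", False),
        ("198.51.100.8", None, "see http://www.example.invalid/", False),
        ("198.51.100.8", None, "see http://www.example.invalid/", True),
        ("203.0.113.25", "mx.example.invalid", "http://pills.example.invalid/", False),
    ]
    for ip, rdns, body, strict in cases:
        print(ip, rdns, "strict" if strict else "lenient", screen(ip, rdns, body, fake_resolve, strict))
```

The last case is the point the post makes about content filtering: the clean source is accepted without its body being read even though it advertises the blocked host, because the URL test is only applied once something about the source already looked wrong.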
  11. WB8TYW

    General Questions

    The amount of data that spamcop.net has fed them has been too much for them at least once, and required Cyveillance to beef up what ever is receiving the reports. -John Personal Opinion Only
  12. WB8TYW

    General Questions

    John has never been a moderator of this forum unless someone did that to him without his knowledge. -John Personal Opinion Only
  13. WB8TYW

    General Questions

    Some ignore them. The well run ISPs or network operators understand that a spam report that indicates spam is being sent means that serious money is being lost by them through bandwidth theft, and they start a security scan to verify how that theft is being done and stop it. Many have that step automated, so by the time the human gets involved, all they have to do is confirm that the problem system is now isolated. The less clueful ISPs check to see if it is one of their mail servers and if not, issue a warning to the owner to get their machine fixed, and then if they are still getting reports in a week then they take action. The spammers really love those ISPs and favor stealing bandwidth from them. Note that if you are on one of those ISPs that gives one week warnings, you will find that you have intermittent network quality issues, because while one of the spam runs is in progress, they will utilize almost all of the ISP's bandwidth for the segment that the compromised system is on. So in addition to the less clueful ISP losing money on the bandwidth stolen, they are also losing money because they are issuing refunds to their other customers because they are allowing their network to be overloaded. Of course all that is passed back on to the other users of that ISP in added costs and/or poor performance. See the pinned item on the "cost of spam". Usually the only response to a spamcop.net report is an auto-ack from a robot. Only a few ISPs actually respond with termination notices. The feedback that is important is how many times that ISP shows up in spamcop.net reports that you send. If it shows up a lot, it indicates that they really do not care about dealing with spam, and prefer to just pass the costs on to their paying customers. Only those ISPs know what they do with them. 
Many mail server operators will no longer accept any e-mail from several networks and countries that are spam friendly unless prior whitelisting for specific mail servers has been done. While you may have a fixed monthly cost, it is likely that your mail server operator at some level is paying a metered rate. So any spam that is let into the mail server that could have been blocked by a DNSbl is a needless expense. You will generally find that when the bandwidth costs come out of the server operator's profit and they are aware of it, they will protect their profit and block e-mail from any IP range that shows up as a chronic source of spam. Blocking lists make spam the problem and expense of the sending network. Was that supposed to be 4? I am not seeing any spam originating from any Turkish ISPs, and have not for quite some time. There are many sources of spam statistics on the Internet. If they are not known to the people in authority it is only because those people are choosing not to look at them. Several people claiming to operate networks have posted in the various forums that they use the reports to keep zombie computers on their networks from stealing bandwidth from them and abusing others. At least one lawsuit, which was settled out of court and resulted in no change in spamcop.net's operation. Several attempts to DDOS it out of service. Attempts to send forged reports through spamcop.net to get the wrong I.P. addresses listed. Attempts to forge sign-up e-mail addresses harvested from spamcop.net on opt-out mailers that do not confirm subscriptions. But spamcop.net is not the worst thing for the spammers. Based on one of my mail server operator's statistics, it is only blocking about 2% of the spam attempted to be delivered to them. The local blocks handle most of the spam, followed by the dynamic IP DNSbls, which block the majority of the spam, followed by the open proxy blocking lists. 
Then the spamhaus list and the open relay lists catch most of the rest. Essentially the spamcop.net list is most useful for catching new spam sources, which are mostly zombie machines that have not yet been caught by the open proxy lists. -John Personal Opinion Only
  14. WB8TYW

    Innocent parties pay the penalty

    Confusion only results when the I.P. is not known, because this is a public forum, and all sorts will start answering with either guesses or their own rants. With the I.P. it can usually be determined what evidence there is on the many public archives on the internet. If someone posts an I.P. and the only thing that can be found is a spamtrap hit, then the only people that can determine the cause of the listing are the deputies. But if a search on the I.P. shows up in news.admin.net-abuse.sightings and in other places, then it shows a different story. Many times once the participants in the forum have been given the blocked I.P. address, the public evidence shows that the ISP has been ignoring a spam problem for a week or longer that they should have been receiving reports about. Most of the time that I see posters showing up complaining about a real mail server being listed, that mail server has a serious misconfiguration that is allowing unauthorized users to either send or bounce e-mail from it. Spamcop.net used to make more evidence public, but the spammers were using that information to target their spam runs. The evidence was showing what ISPs had poor spam control, and it was also letting the spammers know when to hop to a new server to keep spamming. What that missing evidence used to show is that in most cases where someone like you shows up complaining about a block, the block did not occur until after spam complaints had been sent to the owner of the listed I.P. for about a week before enough reports came in to cause it to become listed. Once the listed I.P. is posted, usually the server misconfiguration can be determined by inspecting the publicly available information, and the problem gets fixed so that server never gets on the spamcop.net DNSbl again. Without the I.P. address, also no one can confirm if the security problem has really been fixed. 
When spammers find an insecure mail server, they tend to use it until it is listed, and then wait a week to a month to let the listing age off, and then they spam through it again. So if an ISP changes nothing, then eventually that server will be listed again. So while you may be stating what you know to be the facts, without the I.P. address, no one can tell if they agree with the public evidence. With the I.P. address you have a chance of getting verifiable facts instead of relying on your ISP to tell you what is really happening. -John Personal Opinion Only
  15. WB8TYW

    Yahoo! Mailservers Blocklisted

    For one of the posters in news.admin.net-abuse.sightings, it is a violation of the terms of service for their e-mail provider for them to unsubscribe from something that they did not subscribe to. It is also the case for one of my e-mail providers. -John Personal Opinion Only