Jump to content
Sign in to follow this  
brucewagner

Mailblocks.com

Recommended Posts

Mailblocks.com is THE solution to spam!

Would someone please remove the Mailblocks.com servers from your spammers lists.

By including Mailblocks.com servers on your "blacklist", you are recommending that subscribers to your list NOT accept email from these servers.

Your recommendation is causing damage to all the legitimate users of Mailblocks.com who are simply TRY TO AVOID AND DEFEAT spam!

Your recommending that organizations not accept email from Mailblocks.com users is an ABUSE of the responsibility you claim to promote.

If someone at spamcop does not correct this problem by removing legitimate servers from your "blacklist" of recommendations, the result WILL be....

The organizations are going to continue to hear a fury of backlash against the use of the flawed Spamcop lists, and your "blacklists" will become irrelevent.

You owe it to the cause of defeating spam, if that is your real intention and motivation at all....., to correct this fatal flaw in your system.

Bruce Wagner

President

Bold Funding, Inc.

Chicago, Illinois

312-951-7960

bred[at]mailblocks.com

Share this post


Link to post
Share on other sites
Mailblocks.com is THE solution to spam!

Would someone please remove the Mailblocks.com servers from your spammers lists.

By including Mailblocks.com servers on your "blacklist", you are recommending that subscribers to your list NOT accept email from these servers.

Your recommendation is causing damage to all the legitimate users of Mailblocks.com who are simply TRY TO AVOID AND DEFEAT spam!

Your recommending that organizations not accept email from Mailblocks.com users is an ABUSE of the responsibility you claim to promote.

If someone at spamcop does not correct this problem by removing legitimate servers from your "blacklist" of recommendations, the result WILL be....

The organizations are going to continue to hear a fury of backlash against the use of the flawed Spamcop lists, and your "blacklists" will become irrelevent.

You owe it to the cause of defeating spam, if that is your real intention and motivation at all....., to correct this fatal flaw in your system.

Bruce Wagner

President

Bold Funding, Inc.

Chicago, Illinois

312-951-7960

bred[at]mailblocks.com

I think you must sit down and think about what is happening with Mailblocks. It is not the solution to spam with it's flaws.

;) I think you would agree with me that everyone is tired of receiving mortgage quotes, penis enlargement, breast enhancement, weight loss, nude 40 year old teenage sluts, Viagra, vacation, lottery, prescription drug, business opportunities, genealogical, university degrees, gambling, get rich quick, MLM, pyramid schemes, Web Cams, Russian brides, work from home, stock scams, pirated software and everything else that is force fed into our inboxes.

<_< When spammers send this crap they never use their real address in the "From" they pick addresses out of their list at random and use them in the "From" or the "ReplTo" address. When you receive one of these your Mailblocks system say's I have not heard from this person so I will send a challenge and wait for a reply. Well it sends the challenge not to the spammer but an innocent victim. That poor victim never asked for this and should never have to reply to this. In effect you are in turn spamming this innocent victim. This is not the way email is supposed to work! This is like handing your trash out to someone else and asking them to determine whether or not it's trash.

:unsure: Now this victim does not reply what does mailblocks do? They send another challenge saying that this victim did not reply to the first challenge. Makes a lot of sense doesn't it. :huh:

:angry: This is more than a flaw, this should never happen!

:( Now lets say this challenge was sent to a totally different challenge system and challenge system(2) sends a challenge back to Mailblocks. What happens then when they both start challenging each other wondering why neither one of them are responding to each others challenges?

:blink: Beside the above suppose that PersonA sends an email to PersonB, and PersonB is using CR. PersonB’s computer sends a challenge message back to PersonA and waits for a response. This challenge message had better get through to PersonA because if it doesn’t, the whole scheme breaks down. If PersonA is using anti-spam technology that blocks the challenge message, then they will never see the challenge -- PeronnA's original message won’t get through to PersonB, and PersonA won’t know what went wrong.

B) The problem can be fixed by making sure that PersonA’s anti-spam technology has a loophole for challenge messages, to make sure they are never blocked. (Note that although PersonB is the one using Challenge Response, it is PersonA who has to create the loophole.) If Challenge Response is going to succeed, most of the PersonA's out there will have to open the loophole. Messages with certain “challenge-ish” attributes will be mostly immune from spam controls.

<_< At this point, the bad guys’ response is obvious: create spam that can exploit the loophole, spam that looks like a challenge message. If they can do this, then Challenge Response will have made things worse – spam will pour in through the loophole.

:huh: We might try to solve this problem by narrowing the loophole, requiring the challenge messages to be so narrowly stylized that they cannot carry a spam. This too creates an opportunity for the spammers. If the challenges are so predictable, then the spammers will be able to develop computer programs that spot the challenges and auto-send the required responses. If they can do this, then the spammers can just add automated Challenge Responses to their automated email-sending software, and continue to pollute our inboxes.

<_< When you have an environment where users become accustomed to frequently acknowledging an automated e-mail, this environment becomes highly susceptible to abuse. Challenge-response forgery will soon become prevalent because of this. In the coming months we will begin to see spam e-mails that appear to be challenge-response emails, however when you click on the link, it will direct you to the spammer's website, or even worse a website that pretends to be a challenge response confirmation page which prompts you for personal information.

:huh: What Challenge Response does do, is give your ISP yet another lock-in hold over you by owning your whitelist. What's your assurance of being able to recover this on demand?

:angry: I will not answer challenge responses because a record of my correspondence is being maintained by a third party who has no business knowing of the transaction.

:angry: Challenge Response systems can be used intentionally or otherwise in a denial-of-service or "Joe Job" attack on an innocent third party. In fact, this is likely to start happening shortly as Challenge Response becomes more widespread.

:( How? Simply: Spammer spoofs a legitimate sending address (this is already commonplace). Challenge Response systems then send out a challenge to this address. With only 1% penetration of Challenge Response, the victim of the Challenge Response/spam attack is deluged with 100,000 challenge emails. This could likely lead to lawsuits or other legal challenges. As an example, one large California university campus email system received over 500,000 copies of Sobig.F, an email-borne virus which spoofs its headers. Had these triggered Challenge Response challenges, the university would have effectively have transmitted a half-million spam mails, to innocent bystanders spoofed by the Sobig.F virus.

<_< Challenge Response thus offers unauthorized access to user and system-level accounts, for the purposes of transmittign mail.

:o Even in its less severe form, the number of Challenge Response challenges received by users from spoofed mail -- spam, viruses, and the like -- will likely cause C-R challenges to be viewed as a major annoyance.

:ph34r: I believe it is time for you to find another way to fight spam as Challenge Response systems are doomed to failure.

Share this post


Link to post
Share on other sites

Oy Mama!

Where do I start!!!???

It is not all that complicated.....

First, you have to admit that challenge-response messages are no more of a "threat" to the internet than auto-reply messages are.

If a spammer forges a real email address in the FROM line, all of those recipients who are sending out auto-reply messages, ala "I''m out of the office until Tuesday..." ......

......results in the SAME EXACT thing.

So where is the fight against auto-reply messages?

It's insane.

I bet if I send an email to your company's main email address, I will get an informational auto-reply. If I send an email to the support department of ANYTHING, I will get an informational auto-reply. If I send an email to the order status department of ANY online retailer, I will get an informational auto-reply.

The list of email addresses which will result in an autoreply...... is ENDLESS.

These messages result in the SAME EFFECT if a spam with a forged FROM address is sent to them.... And you know that these addresses are receiving TONS of spam....

Any address beginning info[at].... or support[at]... or sales[at].... They ALL will generate an autoreply.

If challenge-response is the internet's worst enemy, then auto-reply messages are AN EQUAL CRISIS.

However, auto-reply messages are as old as email iteself....

And, NO ONE thinks that they present a problem.

If everyone used challenge-response no one would ever receive spam. And therefore, spam would become as obsolete as the typewriter.

By the way, in your example, it was obvious that you have never used a challenge-response system..... like mailblocks.com

First, c-r messages are ONLY sent ONCE, to people whom you have never sent a message TO, and who you have never approved of a message FROM....

Therefore, it is impossible that your c-r message would not be delivered to me. ....unless I never sent a message to you in the first place.

You see, if I sent you a message, your address is AUTOMATICALLY approved. Therefore, anything that comes from you gets through. (Unless I later decide to block you.)

If I did NOT send you a message, your c-r message will NOT get through to me.

Of course, when a message does not get through to me, it is placed in a "Pending" folder for 14 days. Of course, every user periodically skims through this folder checking for anything important.... like a real message from someone who is too clueless to respond to the c-r message...., or an automated newsletter they subscribed to... Upon finding something the user WANTS, he simply moves it to his Inbox.... thereby automatically adding that email address to their approved list.

And, no, the ISP has absolutely NO access to my whitelist.

My whitelist resides within my account on Mailblocks servers..... just like your email does.... and your addressbook does.....

And, of course, there is a totally simple facility to back all that info up... locally as well.

SO, have I addressed all of your unfounded fears with regard to auto-reply messages and c-r messages ???

Share this post


Link to post
Share on other sites

No. And the challenge is sent twice, not once.

Share this post


Link to post
Share on other sites

If a REAL address is used in a spammer's FROM line....

Responses WILL come back to that real address....

99.99% of those responses will be one of the following three types:

(1) An auto-reply. i.e. "I'm out of the office til Thursday...."

(2) An actual typed reply i.e. "Take me off of your G** D*** list!!!!!"

or

(3) A return-to-sender message i.e. "Message Undeliverable..."

I would be willing to guess that, currently, less than 0.01% of the responses would consist of Challenge-Response messsages.

THEREFORE, BEFORE defaming Challenge-Response technology......, you might be most EFFECTIVE to concentrate on the 99.99%, and....

FIRST eliminate all auto-replies from the internet, and

FIRST elimitate all actual typed replies to spam from the internet, and

FIRST eliminate all Message Undeliverable messages from the internet.

Once you've eliminated all of these evils.....

Then we can tackle eliminating challenge-response messages as well....

Yes, BOTH of those nasty challenge-response messages.... damn those systems...

Share this post


Link to post
Share on other sites

First of all, you are assuming that the listing of mailblocks was for the challenge response messages. According to evidence previously posted, there was 419 scams and other spam being mailed from the mailblocks.com servers. Actual spam, not challenges.

One of the spams that was sent near Jan 23 was a 419 scam that a mail blocks user tried to convince the abuse desk for a U.K. ISP to take part in.

Sending I.P. = 140.174.9.104, a mailblocks.com mail server.

And http://www.google.com shows that 419 scammers seem to like using mailblocks.com, both for sending, or as a drop box.

Use the "GROUPS" tab, and search for "sightings mailblocks.com".

Another Nigerian 419 scam was sent today from an I.P. address that does not appear to be assigned to anyone asking for philipwilliams at mailblocks.com be the contact infomation to help them smuggle money out of their country illegally.

http://www.google.com shows that 419 scammers seem to like using mailblocks.com, and have a history of using it since October 2003.

The people that use the spamcop.net DNSbl to reject know full well that it will sometimes list real mail servers, but have chosen to do so anyway.

They know that they can exempt any domain or I.P. address from having the spamcop.net or any other DNSbl from reject mail.

So after this amount of time since the initial listing of mailblocks, if any of them are still rejecting mailblocks e-mail, then they have indicated who they trust more.

Especially if they have received 419 scams from a mailblocks server in the past.

There has been no explanation seen for the report recent spam in news.admin.net-abuse.sightings seen by anyone that posts in the spamcop forums, let alone anyone from mailblocks. Instead a bunch of people showed up assuming that it was challenge response issues, and requesting special treatment for mailblocks.

Since there has been no explanation on what mailblocks is going to do to keep 419 scammers from using their networks, it may be a hard time convincing network operators to trust mailblocks more than spamcop.net.

Paid spamcop.net members used to have the option of Challenge-Repsonse spam protection.

It was dropped because it caused a lot of problems as been explained in previous posts.

Many people on this forum may not have been on spamcop.net long enough to remember that.

Also many people who sent real messages assumed that when they received a challenge that they were being accused of spamming.

Out of Office and Vacation messages to unknown receivers is a known security hole that identity thieves and con artists have exploited. This has been admitted to in many interviews with convicted criminals. No secure network will allow them sent out side of their company. Nor will they allow voicemail to admit how long it will be before someone will be back.

One of the best known convicted hackers has stated that Out of Office/Vacation notices were one of the keys ways to know what to say to spoof people in to giving access to confidential material. In some cases he was able to get them to actually ship things he wanted to steal.

Other auto-responders are better protected than a challenge response system, or they are abusive and other networks will stop accepting mail from them.

The auto-responding virus scanners are currently another problem on the internet, and there appears to be at least one DNSbl that is listing them.

The only way that I would implement challenge/response could be done with out causing abuse is for the challenge to be embedded in a 5xx SMTP code that the orginal message would be terminated. If it is from spam, it will be discarded.

If it is a real e-mail, the sender's own mail server will deliver the challenge information in a non-delivery report.

-John

Personal Opinion Only

Share this post


Link to post
Share on other sites
Oy Mama!

First, you have to admit that challenge-response messages are no more of a "threat" to the internet than auto-reply messages are.

No one has said threat besides you (at this point) .. But, both are a severe pain in the behind in almost all cases.

If a spammer forges a real email address in the FROM line, all of those recipients who are sending out auto-reply messages, ala "I''m out of the office until Tuesday..."  ......

......results in the SAME EXACT thing.

So where is the fight against auto-reply messages?

All over the place, especially when things go wrong. Idiots that sign up for a mailing list, for instance, so that for every new list message received, everyone else on that list gets hit with the out-of-office message.

I bet if I send an email to your company's main email address, I will get an informational auto-reply.   If I send an email to the support department of ANYTHING, I will get an informational auto-reply.   If I send an email to the order status department of ANY online retailer, I will get an informational auto-reply.

Well, I don't recall SpamCop having any of those, other than the routine of subscribing. For your info, if you send mail to any of the sites I support, you get nothing but an hand-typed response from a real live person.

Any address beginning info[at]....  or support[at]...   or sales[at]....    They ALL will generate an autoreply.

Much too broad of a generalization .. Sorry From my end of the stick, most of the mail coming to these addresses of late get a hand typed spam complaint submitted actually <g>

If challenge-response is the internet's worst enemy, then auto-reply messages are AN EQUAL CRISIS.

However, auto-reply messages are as old as email iteself....

And, NO ONE thinks that they present a problem.

Maybe in your neighborhood, but certainly not in a lot of others. Again, specially when things aren't working as intended.

If everyone used challenge-response no one would ever receive spam.   And therefore, spam would become as obsolete as the typewriter.

By the way, in your example, it was obvious that you have never used a challenge-response system.....  like mailblocks.com

And for your info, way back on the good old days (actually a number of years ago), SpamCop did indeed use the C/R mode. Due to problems, complaints, and exactly these types of issues, this method was dropped. So in contrast, been there, did that, dumped it in the garbage.

First, c-r messages are ONLY sent ONCE, to people whom you have never sent a message TO, and who you have never approved of a message FROM....

Therefore, it is impossible that your c-r message would not be delivered to me.   ....unless I never sent a message to you in the first place.

You've lost site of the current issues. I gave you an example a while back of the problems with the latest types of virii floating around. Apparently you either skipped it, missed it, or are just too focused on getting "me/us" to understand your point that you can't see the rest of the story ...

You see, if I sent you a message, your address is AUTOMATICALLY approved.  Therefore, anything that comes from you gets through.  (Unless I later decide to block you.)

If I did NOT send you a message, your c-r message will NOT get through to me.

Of course, when a message does not get through to me, it is placed in a "Pending" folder for 14 days.    Of course, every user periodically skims through this folder checking for anything important....    like a real message from someone who is too clueless to respond to the c-r message...., or an automated newsletter they subscribed to...  Upon finding something the user WANTS, he simply moves it to his Inbox....  thereby automatically adding that email address to their approved list.

And none of this reflect my example posted before .... again, it's the meesage sent to "you" that has a forged From: address ... the poor soul that has the address forged into something he/she did NOT send gets the C/R e-mail that needs to be replied to, in order to be approved by "you", so that the e-mail he/she NEVER SENT can be delivered. Again, I'll ask, how much more clarification do you need? That you're sitting there, "protected" from all the spam, is nice to know, but it's these other "innocents" that are paying the price for your contentment.

And, no, the ISP has absolutely NO access to my whitelist.

My whitelist resides within my account on Mailblocks servers.....   just like your email does....   and your addressbook does..... 

huh? No idea why you want to drag your ISP into this, but trust me, if they wanted access, it ain't that hard. As far as my addressbooks, mine don't exist (as you suggest) anywhere but my systems. I'd say again, too broad of a characteriztion there.

SO, have I addressed all of your unfounded fears with regard to auto-reply messages and c-r messages ???

Unfounded fears? No fears here. I'd suggest that you've not got the other side of the story understood yet.

And just to belabor the point, it wasn't only the C/R complaints that have mailblocks listed, it's also that real, honest, actual spam has been seen coming from the mailblocks server IP, in addition to hits to spamtraps ....

Edited by Wazoo

Share this post


Link to post
Share on other sites
And none of this reflect my example posted before .... again, it's the meesage sent to "you" that has a forged From: address ... the poor soul that has the address forged into something he/she did NOT send gets the C/R e-mail that needs to be replied to, in order to be approved by "you", so that the e-mail he/she NEVER SENT can be delivered.

Perhaps you have hit on the proper response to these challenge requests? Maybe we should try and get everyone who receives a challenge (especially if you did NOT send the message) to respond. Then, we would also be approved to complain to that user (as long as we sent our message before they closed the hole again) about receiving unrequested challenge messages. Then they would not be so protected behind their great wall of ignorance.

I know, don't fight abuse with abuse, but it just seems so RIGHT :D

Share this post


Link to post
Share on other sites

(1) Spammer A sends out a zillion spam messages.

(2) One of the recipients is a challenge-response person, Person B.

(3) That spam message contains a forged FROM address of a real user, User C.

(4) Therefore, Person B's inbox generates a challenge-response message which is then sent to User C (the FROM address).

(5) If User C is also a challenge-response user, then Person B's challenge-response message would NEVER BE RECEIVED by User C. (It would be blocked since User C has never actually sent a message to Person B before... and therefore, Person B is NOT on User C's 'whitelist' of approved correspondants.)

(6) Also, next, User C's inbox would generate and send a challenge-response message back to Person B... But since Person B never sent a real message TO User C, User C's challenge-response message would never get through to Person B either...

Therefore.... The net result would be...

NO ONE WOULD RECEIVE THE spam, AND

NO ONE WOULD RECEIVE A CHALLENGE-RESPONSE MESSAGE.

Make sense?

If everyone uses challenge-response.... No more spam.

Simple.

Share this post


Link to post
Share on other sites
(5) If User C is also a challenge-response user

If everyone uses challenge-response.... No more spam.

Those are VERY big if's. We could say the same about everyone using a more secure form of SMTP, but it's not going to happen, at least for quite a while.

And as it is RIGHT NOW, your system IS spamming user C (who does not use C/R) for every message sent to a user of system B. That is what is being complained about.

And even if system B only sends one challenge for the whole system) to user C, user C did not solicit that message and it is spam for him to report. If user D also gets the same unsolicited spam and reports it, system B is on the block list and user C and D (and E-Z) do not see that (C/R) spam.

C/R might work if you can get the entire world to switch to it. Good luck with that fight and let me know how it works out for you. I will stick with SpamCop which works for me now AND does not spam other innocent users.

Steve

Share this post


Link to post
Share on other sites

Now that everyone is using challenge response [Hypothetically],

At 1:00 a.m. spammer creates a bunch of throwaway e-mail accounts with a scri_pt as is happening now with one well known free e-mail provider.

At 1:01 a.m. the spammer starts their spam run through open proxies with a robot monitoring the free e-mail account for challenges.

As the challenges com in, the robot answers them to permit the spam through.

If the account that is answering the challenges gets nuked, the robot shifts to another account. But historically it has taken at least a business day to get a drop box account killed, and for some free providers, even longer.

Spammers are already targetting one popular free forum in this manor, and if challenge response becomes mainstream, they would have no problem using the same techniques to defeat it.

Spammers are also using free e-mail mail boxes to confirm receipts of their spam automatically, and it can take several days to get the provider to shut them down.

So even though Challenge Response appears to be giving you a breather from spam and viruses, it will only continue to work if most networks do not adopt challenge response.

And also if Challenge Response becomes mainstream, the virus writers will modify the self mailiers to answer the challenges.

The challenge response solution does not scale because it is easily defeated by spammers.

A CAN-spam compliant spammer can set up their mail server to automatically answer the challenges, and this is still permitted by law.

In the end, you would be reduced to using whitelists or blacklists.

Also a large e-mail provider pays a metered rate for their internet connection, for one of mine, the bill is over $2,300 per month for the legitimate e-mail.

For them to switch to a challenge response system would require them to accept the spam, and send out challenges. This would at least double their bandwidth bill.

That would put their costs over their revenue, and they would have to shutdown.

-John

Personal Opinion Only

Share this post


Link to post
Share on other sites
As the challenges com in, the robot answers them to permit the spam through.

How is a robot going to read those squiggly twisted blurry numbers and letters and type them in......?

Share this post


Link to post
Share on other sites
How do you communicate with blind people?

Mostly be telephone, or in person... But if we must use email... I either send them an email first, or add them to my addressbook. In either case, they are automatically added to my addressbook, and will never receive a cr message.

Share this post


Link to post
Share on other sites

By the way, dear Reader...

Check out mailblocks.com

They have JUST been named Editors Choice by PC Magazine...

It won't be long...... before EVERYONE is using cr, as I predicted....

http://www.pcmag.com/article2/0,4149,1477389,00.asp

and....

http://www.mailblocks.com

Share this post


Link to post
Share on other sites
By the way, dear Reader...

Check out mailblocks.com

They have JUST been named Editors Choice by PC Magazine...

It won't be long......    before EVERYONE is using cr, as I predicted....

http://www.pcmag.com/article2/0,4149,1477389,00.asp

and....

http://www.mailblocks.com

Check out mailblocks.com

They have JUST been named Editors Choice by PC Magazine...

Doesn't PC Magazine also like Mailwasher? Who has a similar feature of "bouncing" spam messages - not so that the spammer is hurt, but essentially sends the spam message to a lot more people who have to delete or report it.

I repeat, there is NO reason for anyone to dump their email garbage in my inbox. There are easily managed whitelists of several kinds; there are lots of filters if you want to be sure there are no emails from strangers that you miss (sales to some people).

Why would anyone pay good money to have a c/r system? There are so many other more effective, less selfish, more responsible, easier, more polite ways to do the same thing.

Miss Betsy

Share this post


Link to post
Share on other sites
How is a robot going to read those squiggly twisted blurry numbers and letters and type them in......?

It posts them on porn sites stating that entering the code shown will allow access to uncensored versions of the pictures.

It could even advertise them as an unsubscribe procedure for spam sent to others.

See comp.risks Digest 23.17 "Porn viewers work for hackers"

-John

Personal Opinion Only

Share this post


Link to post
Share on other sites
Why would anyone pay good money to have a c/r system?  There are so many other more effective, less selfish, more responsible, easier, more polite ways to do the same thing.

Please tell me.... How else can you achieve the same result... without c/r...?

I need to be able to post my email address in my company's web site.

I receive unsolicited emails from tons of people who are potential new clients... I need to receive these emails...

I also receive tons and tons and tons of spam sent to my email address every day... which I don't want to even see...

I absolutely refuse to spend even 10 seconds of my time each day skimming through them.... just to determine which messages are critical to my business... and which ones are trying to sell me penis enlargement pills....

So, tell me, how can I achieve all of these objectives with some system other than c/r?

Share this post


Link to post
Share on other sites
I absolutely refuse to spend even 10 seconds of my time each day skimming through them....  just to determine which messages are critical to my business... and which ones are trying to sell me penis enlargement pills....

But you'll gladly force all of these people whose messages are critical to your business to spend more than 10 seconds of their time to get their email to you.

JT

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×