Jump to content
Hoot Fluegelhorn

Are we losing the battle?

Recommended Posts

I've been reporting a fair bit of recent spam the last couple of weeks.

What strikes me as odd, is that pretty much all reported IP addresses are not listed in any RBL

Statistics:

169.54.129.19 not listed in bl.spamcop.net
More Information..
169.54.129.19 not listed in cbl.abuseat.org
169.54.129.19 not listed in dnsbl.sorbs.net

Are these all 'fresh' IP's on which no wrongdoings are reported ever?

I haven't quite found the rule behind spamcop placing an IP into its BL's, how many times a report on this ip needs to come in, etc. If you can shed some light on it, I'd be grateful.

It seems to me we're lagging behind already.

Spamcop and others, compile (RDNS)BL's that security conscious sysadmins can decide to query.

It all revolves on IP addresses, and most of the time DNS lookup as search tool.

Enter IPv6.

34vintimillion possible combinations. More addresses than atoms in the universe.

I can imagine obtaining thousands of IP addresses, and use existing tooling to:

scri_pt an smtp host, assigning a different ip addy on its interface, add an associated Quad-A and PTR records in my dns, and hammer away.

If I cycle this interface IP, no BL will be able to keep up; or at the least the user community that now uses spamcop/cloudmark/knujon etc will lag behind greatly.

So yeah. The huns are on the horizon. What's our play?

Bye,

Hoot

Edited by Hoot Fluegelhorn

Share this post


Link to post
Share on other sites

I refuse to give up my server, do you hear that Amazon SES spammers and Google and Microsoft bounce magic spammers?

Share this post


Link to post
Share on other sites

I've been reporting a fair bit of recent spam the last couple of weeks.

What strikes me as odd, is that pretty much all reported IP addresses are not listed in any RBL

Statistics:

169.54.129.19 not listed in bl.spamcop.net

More Information..

169.54.129.19 not listed in cbl.abuseat.org

169.54.129.19 not listed in dnsbl.sorbs.net

Are these all 'fresh' IP's on which no wrongdoings are reported ever?

I haven't quite found the rule behind spamcop placing an IP into its BL's, how many times a report on this ip needs to come in, etc. If you can shed some light on it, I'd be grateful.

It seems to me we're lagging behind already.

Spamcop and others, compile (RDNS)BL's that security conscious sysadmins can decide to query.

It all revolves on IP addresses, and most of the time DNS lookup as search tool.

Enter IPv6.

34vintimillion possible combinations. More addresses than atoms in the universe.

I can imagine obtaining thousands of IP addresses, and use existing tooling to:

scri_pt an smtp host, assigning a different ip addy on its interface, add an associated Quad-A and PTR records in my dns, and hammer away.

If I cycle this interface IP, no BL will be able to keep up; or at the least the user community that now uses spamcop/cloudmark/knujon etc will lag behind greatly.

So yeah. The huns are on the horizon. What's our play?

Bye,

Hoot

Would help if you showed a Tracking Url means nothing without one

Here is your TRACKING URL - it may be saved for future reference:

https://www.spamcop.net/sc?id=z6223651099z24aec3a1a171a7531dd9af87bfae28eaz

Share this post


Link to post
Share on other sites

> Are we losing the battle ?

Yes

> Would help if you showed a Tracking Url

Since Spamcop stopped doing email services we no longer get the bulk reports of spam reported with tracking URLs.

Now we must manually save them -- a huge problem if you're reporting hundreds of spams a day.

But soon you can just give up.

There will be no use trying to fight the deluge of cybercrime.

Obama is giving the NS system anad DNS to a band of international rogues,

mainly Chinese and Russians. At that point, it won't matter. You'll be

innundated with spam and nobody cares.

At that point, I'm probably throwing in the towell.

I have over 9,000 documented spam "Kills" as recorded by Knujon.

I've reported over 96,000 spams in the past decade.

It's time for me to get off the grid and take my boat to the islands

to live out my final days in unconnected bliss.

:-)

Share this post


Link to post
Share on other sites

Hi Showker,

I hear you.... "White sails in the sunset" paints a much kinder picture than facing the challenge of 9K Spamcop/ 96K Knujon reports coming at you in the next handful years.

There are multiple (voluntary, non-profit and commercial) cybercrime fighting organisations trying to deal with the issue from their own context.

Projecthoneypot.org, spamcop, cloudmark, spamhaus, caida.org, knujon and many more.

I would like to think we're not lost yet, but the defending team is too dispersed. I don't have a clue how to increase a much needed cohesion.

Equally, in the traditional sense, the end user depends on the maintainer of the mailbox to keep him safe.

From that same traditional context, the mail server used to be better equipped than the end users' workstation to interrogate (RDNS)BL's, but over the years the tables have turned on this.

With the current on-board horsepower, a PC should be able to query those blacklists & drop lists all by itself. However, the home-team seems to be stuck in old paradigms and methods.

If the good guys could tap into this wealth of computational power, we could strike a serious blow. A conscious opt-in defense network so to speak.

Just venting some thoughts.. I bet you have a handful of your own, what, would you care to share those?

Share this post


Link to post
Share on other sites

Network Reputation:

Some networks wouldn't be on "my" preferred internet; it's just not individual "dirty" IPs but whole networks that are dirty with corresponding admins that control/maintain a dirty network.

I say bolden the dirty label of the dirty networks. Too many people don't know the dirty network ecosystems vs the cleaner networks.

Those people that know the "dirtiness" of networks--some network dirtiness instances--take a look at it's public reputation and it's often "clean" and "green".

I've been going by the Senderbase.org verbage of 30-day spam period rating of individual IP addresses, "medium", "very high", "critical", blank (no rating) as one indicator of the overall "dirtiness" of how a network want's to maintain a clean/dirty network. Or, take a look at the SpamCop BL for a dirty IP (maintained by the network) that is dirty for more than say 5 days; how many days does a dirty network need before the network itself is culpable?

Another effort that trys to keep track of network reputations is sitevet.com/hosts / hostExploit.

I'd like to see more use of send the report to "clean" caretakers / abuse#isp.net[at]admin.spamcop.net (these reports get forward to secret addresses specificly set up to handle SpamCop reports) and more indication on the SpamCop submission page of "dirty" networks that aren't even worth the time to submit a report directly to the dirty network (instead sending the report to clean caretakers).

Edited by SpamSpam

Share this post


Link to post
Share on other sites

One IP address example:

www.spamcop.net/w3m?action=checkblock&ip=61.144.230.213

"In the past 89.8 days, it has been listed ... for a total of 72.5 days".

I'm against sending typical reports to an ISP that hasn't cleaned up an IP address in 72 days..

www.senderbase.org/lookup/ip/?search_string=61.144.230.213

In the last month the IP address has a "spam level" of "critical", sending out "critical" number of spam.

I'm against sending typical reports to an ISP that hasn't cleaned up an IP in 30 days and is sending "critical" numbers of spam from that same IP address.

Edited by SpamSpam

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×