elind

Newbie spam tech questions

17 posts in this topic

I've browsed trying to find answers to a few minor questions that I would be interested to hear explanations for, if not too complex, but couldn't see anything specific in the posts.

I'll put these together here since a separate topic for each will probably just clutter up messages. If anyone has answers I'd appreciate reading them.

1: Sometime in the past year spammers started using random sender names instead of dumb fake ones. I'm not sure why, since it identifies spam more easily to me, but I guessed that they might be individually coding each spam so they could trace reporting. But if they did bother to trace reporting, what is the point of never removing reporters from their lists? I would think they would be more effective if they purged the lists of serious spam reporters.

2: I sometimes get completely blank spam, and sometimes it is faked to come from spamcop. What's the point to the spammers?

3: China is spam heaven as we all know (along with their cousins) but why is SPRINT included with just about every spam report sent to China, and why does it have NO effect on Sprint?

4: In browsing the Spamcop statistics graphs, there appears to be a dramatic dropoff in volume from a year ago, and then a very dramatic spike in this month. My level, as an individual stays relatively constant from day to day (about a screen full per day, some 14000 in the past few years). How can one draw any kind of conclusion from the spamcop statistics? Is there an interpretation posted anywhere?

Thanks in advance for any replies.

Moved from the Reporting Help Forum to the Lounge.

1. See the FAQ or the Pinned item in the Lounge .. "Spammer Rules"

Then understand that there are a fair number of these folks that aren't totally brain dead, spending countless hours of the day working at getting around all the blocks, filters, tools being put into place around the world to stop their spew.

2. This is a source of some confusion. Some folks talk of blank spam pointing to an HTML encrusted item that doesn't render in their e-mail app. Some talk about a blank e-mail that actually is a bit of garbage data that is nothing more than a partial snippet of an e-mail header. Some folks talk about a blank e-mail and are actually telling the truth. Some folks don't have a clue as to what I've just typed here. Your "sometimes faked to be from SpamCop" would seem to be another topic of discussion, in fact there are several discussions ...

3. In a lot of cases, Sprint is seen as providing bandwidth for these various China based hosts ... simple example, Sprint owns the fiber-optic cable that runs between continents. Normal practice for a non-responsive ISP is to advise the upstream of that ISP about the issue. The reality of Sprint actually being able to reach down and unplug a particular spammer just isn't there at this level of traffic. Although at times it may be hard to believe, there is actually traffic coming out of China that isn't spam <g> From Sprint's point of view (not that I'm speaking for Sprint) ... They are charging for the bandwidth consumed .. so let's play with numbers a bit ... take your 10Gig a second cable line .. out of that 10Gig, let's say 1Meg is spam. What's the value of actually trying to track down and locate that 1Meg worth of traffic as compared to simply letting it flow and sending out the bill every week? And along the same line, Sprint isn't going to give up that flow of money by simply cutting off those China hosts. Not justifying here, just answering the question.

4. There are also previous discussions about those statistical charts. I'll put it this way ... those charts reflect the things that Julian has set up to track. What those items are, why they are added in one day ..removed on another day is Julian's call .. and the specifics of the details behind the charts are not for public discussion. For the "rest of us" .. just consider those charts as an indication that the system is alive and running .. a possible indicator that things have gone terribly wrong in some instances ... but nothing more ....

I have been a spamcop subscriber for several years now, and dutifully report every single spam received, and I read this and that article about spam, but I still don't understand the whole issue, or why we still have a problem.

I don't understand why 99% of all reputable ISPs can't have verified accounts that are allowed to send to mail lists, and stop all others that send anything looking like a mass mailing before it gets out the door.

I don't understand why the biggest offenders, Chinese, Korean, Brazilian etc., are not simply blocked by all the others who want to be civilized (anyone who says the Chinese can't stop it overnight are ....).

I don't understand why spam reporting seems to have no effect. I do it because I "have faith", I suppose, but it has made no difference to my volume, unless constancy is considered a good thing.

I don't understand why the spammers keep sending to addresses that end in "spamcop.net", or why they don't remove reporters from their lists.

I don't understand why they suddenly started using random letter names on their forged emails instead of fake names.

I don't understand why they don't totally make up the forged email address, instead of using what mostly seems like real domain names (except for the stupid sender name).

I don't understand if there is any point in reporting anymore, since it's been a long time that I saw a reply saying that such and such account had been closed down.

I don't understand how companies like Sprint can totally ignore the spam traffic that the Chinese pay them for, and still pretend to be part of the civilized internet.

Has anyone published a thorough, not excessively technical, document on these issues and the ones I haven't listed?

Thanks

Edited by elind

to elind

No, no one has published anything in layman's language to educate the general public end user that spam is easily avoided and that the *sender* as you point out can control the sending of spam. Also, that end users have a responsibility to choose responsible, competent ISPs to send their email or they, too, are part of the spam problem.

And it is because the people who are ISPs have to make a living that they do not use blocking more extensively because, for some reason, they can't (or are afraid to try) explain to their customers why they don't get email from yahoo or cousin Minnie. If they did and all those customers deluged yahoo (and maybe even Sprint) with complaints and wrote letters to the editor, etc., then probably yahoo and sprint would act. As it is, they are making more money by not doing more to stop spam from being sent so why bother? Perhaps that is also why there is no layman's version, people don't want to lose advertising money from the guys who are making money selling content filters and otherwise exploiting the spam problem.

Miss Betsy

I don't understand why 99% of all reputable ISPs can't have verified accounts that are allowed to send to mail lists, and stop all others that send anything looking like a mass mailing before it gets out the door.

Most spam is sent by trojaned home machines connected to either DSL or cable service, not through the ISP's mail servers (and jumping ahead, most spam originates in the U.S.).

I don't understand why the biggest offenders, Chinese, Korean, Brazilian etc., are not simply blocked by all the others who want to be civilized (anyone who says the Chinese can't stop it overnight are ....).

Many people do block by country (look at xxx.blackholes.us); But... some of us get valid email from those countries also.

I don't understand why spam reporting seems to have no effect. I do it because I "have faith", I suppose, but it has made no difference to my volume, unless constancy is considered a good thing.

Just console yourself with the fact that the problem would be *even worse* if no one did report.

I don't understand why the spammers keep sending to addresses that end in "spamcop.net", or why they don't remove reporters from their lists.

Look for a copy of the "Spammer Rules" (many variations abound) - but a common one is "Most Spammers are stupid" (it is the exceptions who are dangerous).

I don't understand why they suddenly started using random letter names on their forged emails instead of fake names.

It prevents a person receiving bounces from forwarding a large number of messages to the FTC or other government agencies (e.g. your state's Attorney General). Also, the CAN-SPAM penalties increase as the number of messages sent increases.

I don't understand why they don't totally make up the forged email address, instead of using what mostly seems like real domain names (except for the stupid sender name).

Reverse DNS blocking - Invalid domains are *too* easy to filter out.

I don't understand if there is any point in reporting anymore, since it's been a long time that I saw a reply saying that such and such account had been closed down.

Many ISPs will cite "privacy" concerns - check and see and you'll find many accounts do get shut.

I don't understand how companies like Sprint can totally ignore the spam traffic that the Chinese pay them for, and still pretend to be part of the civilized internet.

See above (i.e. valid Chinese traffic) - also money talks, Sprint (and many other bandwidth providers) get a lot of cash for providing high bandwidth services to questionable parties.

Has anyone published a thorough, not excessively technical, document on these issues and the ones I haven't listed?

Not that I've ever seen (though technical content abounds).

I have been a spamcop subscriber for several years now, and dutifully report every single spam received, and I read this and that article about spam, but I still don't understand the whole issue, or why we still have a problem.

For many users it is not that much of a problem. If you have a competent network administrator or postmaster, over 80% and up to 95% of the incoming spam can be rejected without the risk of rejecting real e-mail, and that is before the spam ever leaves the sending machine.

This is by using the conservative DNSbls. Note that the spamcop.net DNSbl is not a conservative DNSbl.

This is not only the most effective way of blocking most of the spam, it is also the cheapest thing for a network operator to use. And in the rare case that a real e-mail is rejected, the sender gets notified by their ISP. While occasionally there have been errors with the conservative DNSbls, they are very rare.

If you then apply the state of the art in content filtering to the mail that makes it through the conservative DNSbls, almost all of the spam can be eliminated without risk of a real e-mail being rejected.

The problem is that only SpamAssassin 3.0 is known to have those features, and not all mail servers can use SpamAssassin.

Just about all the mail servers can use the conservative DNSbls though, to lower their operating costs by reducing the incoming spam.

Also, even though the most accurate spam detection algorithm in SpamAssassin 3.0 has been known to the public internet for well over a year, it appears that none of the commercial spam filter vendors have adopted it.

Instead they seem to concentrate on spam filtering algorithms that have proven to be easily bypassed by spammers several years ago.

It is basically because the average ISP user does not understand this that they can end up paying more for bad service.

The other argument in favor of doing incompetent spam filtering is that filtering is censorship. The people making such statements are never the ones willing to pay the entire cash costs of what they are asking for. Instead they want it spread over thousands of users.

It appears that all of the mail servers that I get e-mail on now use at least some conservative DNSbls, so the amount of spam I have to report is low, and mainly new zombie computers that have not yet made it into the sbl-xbl.spamhaus.org.

If my mail server operators' systems could analyze the content of suspected spam before the SMTP transaction was over, and check the I.P. addresses of the URLs in them against the same I.P. addresses that they refuse e-mail from, then I would have almost no spam to report through spamcop.net.

What is known to work to remove the majority of spam has been known for a while, and what has been known to reliably remove the majority of the spam that gets through the blocking lists has also been known for over a year.

I don't understand why 99% of all reputable ISPs can't have verified accounts that are allowed to send to mail lists, and stop all others that send anything looking like a mass mailing before it gets out the door.

That authentication is only useful for e-mail sent through the ISP's mail servers.

Most spam is sent directly from computers that have been infected with a remote control program and does not go through the ISP's mail servers.

So your next question would logically be why ISPs don't block mail coming from those I.P. addresses?

First it would require the ISPs to keep track of what I.P. addresses are running servers and which are not. Of course many broadband ISPs prohibit all services on their home user I.P. addresses so that should not be an issue.

So the typical answer is that it would require all the mail servers that allow access to them from outside of their local network, which is a typical company mail server, to properly secure their mail servers for that type of access. And it appears that many companies still use insecure methods to have their remote users access their mail server.

Spammers look for those insecure servers and probe them with common username/password combinations. They seem to get into a large number of them that way. It is one of the most common ways for a real mail server to get listed on spamcop.net.

I don't understand why the biggest offenders, Chinese, Korean, Brazilian etc., are not simply blocked by all the others who want to be civilized (anyone who says the Chinese can't stop it overnight are ....).

As stated by another poster, some networks do that, and only whitelist mail servers in those countries by request of one of their customers. Of one mail server operator I know that blocks by country, the rejection message text that accompanies the SMTP reject code explains how to request a whitelisting.

In the last report I saw from that postmaster, after several years of operation with an international population of users, no one internal or external had requested that an exception be made to a country-specific block.

And there are many people who do not understand network management that would consider such blocks censorship.

So many ISPs do block e-mail from those countries, but instead of blocking it outright, they block the network segment that they received spam from. Usually none of their customers ever notice.

I don't understand why spam reporting seems to have no effect. I do it because I "have faith", I suppose, but it has made no difference to my volume, unless constancy is considered a good thing.

If your mail server operator is not using at least the conservative DNSbls, and has only a content style filter for spam, then your reporting probably will not affect the amount of spam that you get.

Spam reporting does have an effect. At least one ISP who understands that every second a zombie computer on their network is present is costing them operating cash has stated that they have set up automated processing to handle spamcop.net reports to verify the report and isolate the infected machine. See the costs of spam pinned topic.

And from the last report of one of my postmasters, spamcop.net is only catching 3% of the spam delivery attempts, because it is only applied after the conservative blocking lists.

Based on reports on an internal user forum for my broadband ISP, anytime that any measurable quantity of spam is relayed through the ISP's mail servers instead of zombies, at least two major ISPs put those I.P. addresses on local blocking lists until they are convinced to remove them.

So a smart ISP realizes that a spam report from anywhere is something that needs immediate investigation.

My broadband ISP has stated on some forums that they are now receiving near realtime updates for several major blocking lists and looking for their I.P. addresses, so that they can act on spam/virus problems before they get a spam report.

And I do not just report spam through spamcop.

Most spam is now sent through open proxies, so I submit them to the MAPS-OPS and BOPM for processing. You have to get permission from the BOPM folks to submit to them, but MAPS-OPS just wants you to confirm that you will follow their rules for the first submission. The BOPM and MAPS-OPS will accept reports in the same format.

To get permission to submit to the BOPM, you must read their FAQ and follow their instructions to the letter to show that you can understand basic instructions, and have a clue as to what you are doing.

The BOPM is part of the xbl.spamhaus.org, and these are considered conservative blocking lists and are used by far more mail servers than the spamcop.net blocking list because of that.

The spamcop.net parser also gives me the rDNS of the spam source, and if it is not an open proxy, the spamcop.net parser lets me know if it is in the SORBS dynamic list. And if the spam makes it through on one of my e-mail addresses, then I know that the source is not in the NJABL dynablock list.

So then if the rDNS has "pool", "dhcp", "dyna", "ppp", or "dial" in the name, this indicates that the spam came from a dynamic pool that is not known to one of the lists. When I am in a hurry, I only submit it to the dynamic list that the mail server it went through was using. When I have time, I check NJABL, SORBS and MAPS-DUL and submit it to the ones that it is missing from.

MAPS-DUL requires a spam sample for them to consider an I.P. address. SORBS wants the rDNS to indicate that the I.P. address is clearly dynamic, and NJABL has not yet acknowledged any of my submissions, but I do not recall seeing any repeat spam from an I.P. block that I have submitted.

I don't understand why the spammers keep sending to addresses that end in "spamcop.net", or why they don't remove reporters from their lists.

They also do not remove "abuse" or "postmaster" from their lists, or even better "blockme" and "listme" which are common spamtrap e-mail addresses for some of the more aggressive DNSbls.

It appears from several investigations that the money is not in spam or the responses to spam, but in selling spamware to victims that think they are going to get rich spamming.

Typically the victim spends their last $150 to over $1000 for a spamming kit, and a promise of payment on commissions. Then they spam like crazy until they either lose their ISP connection or finally realize that they are never going to make back more than 10% of the money that they spent.

And every time some newspaper or TV show profiles the spammers that claim to be making money (without verifying any of the claims), more victims line up to buy spamming kits.

So basically much of the spam is being sent by people who have paid a lot of money to put a program on their computer that they have no idea of what it will do, and no way to determine if they will ever get paid. And even if they can find the con-artist that sold them the useless kit, in order to collect damages, they would have to admit that they bought it to make money by breaking the law.

And I have made many posts with several imaginary top level domains. Some of them showed up in the CC: list of spam that made it through to me as other intended recipients because the first part of the e-mail name was the same. I have not seen any of them show up since my broadband ISP added DNSbls to their spam filtering, which removed over 90% of the spam that their expensive content filter was not able to detect.

So the spamware is not even smart enough to remove top level domains that do not exist.

Other postmortems of captured spam databases show that the spammers harvest.anything.with.an[at]inside.ofit and that sample there will eventually show up in a spam database, and so will aaa.proof.of[at]us.canspam.violation eventually, hopefully alphabetized in a file entered into court evidence.

I don't understand why they suddenly started using random letter names on their forged emails instead of fake names.

Suddenly?

You must have just been picked up on by a new group of spammers. Spammers have been using the random letter names for years.

The spammer is trying to avoid content filters, and this technique has been known to get through one of the most popular anti-spam defenses that mail programs and spam filter vendors provide.

Now it has been well known for at least the past 8 years by anyone with a clue about filtering spam that filtering by alleged incoming e-mail address does not work, but it is still the most offered anti-spam solution. Either the companies offering such options are clueless, or they are just selling placebos to make it look like they really care about their customers, even though they know it does not work.

I don't understand why they don't totally make up the forged email address, instead of using what mostly seems like real domain names (except for the stupid sender name).

Some poorly implemented spam filters operate on the forged sender name, so spammers will usually choose an ISP name that they think will usually be whitelisted.

Some mail servers will now probe the sending domain to see if the sending e-mail address exists prior to accepting the e-mail, if they have not seen e-mail from that user before.

Again, it is all something to bypass a spam filtering algorithm that should have been totally discarded almost a decade ago, but is still one of the most popular ones to sell for money.

For the e-mail providers that I get most of my e-mail from, I can not whitelist by domain name. I have to request whitelisting by I.P. address, which is something that the spammers can not forge. And then I may have to explain why the sending I.P. address is likely to be in a range blocked by that provider.

I don't understand if there is any point in reporting anymore, since it's been a long time that I saw a reply saying that such and such account had been closed down.

Use your favorite search engine for "Bedbug letter".

Spamcop.net by default suppresses automatic responses from the ISPs. Only a few ISPs actually write a personal reply when they kill an account.

The ones from Outblaze are the most interesting to read, but because of their anti-spam attitude, it is rare to get one. When Suresh fixes a problem it seems to stay fixed.

I don't understand how companies like Sprint can totally ignore the spam traffic that the Chinese pay them for, and still pretend to be part of the civilized internet.

Sprint appears to be just one of many backbones that the Chinese have to connect in from. It appears to be one that is accepting reports. What they do with those reports, I do not know.

Steve Linford of spamhaus.org reports in news.admin.net-abuse.email that the situation in China is improving as far as spam even though it might not look that way. And according to Chinese government press releases, just providing hosting for some of the types of web sites that I see advertised in spam can result in life imprisonment. But that aside, I have seen no change in the amount of spamvertised web sites that are in China.

Has anyone published a thorough, not excessively technical, document on these issues and the ones I haven't listed?

Are you volunteering to be a FAQ editor moderator :D

It also looks like it could be useful to have a topic that lists the various spam filtering methods in use, and discusses their strengths and weaknesses. There have been various discussions about them on these forums, but not distilled down, especially for non-techies.

It could be used as a guide for those purchasing spam filtering software, so they could make an informed evaluation.

-John

Personal Opinion Only
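The SMTP-time decision John describes above (reject on a conservative DNSbl before the body is ever accepted, then hand the rest to content filtering) and his rDNS rule of thumb for dynamic pools ("pool", "dhcp", "dyna", "ppp", "dial") can be put into a few lines of code. The block below is an added example, not code from this thread or from SpamCop; the zone name dnsbl.example, the one listed address, and the Received headers are all constructed so it runs offline without querying any real list.

```python
"""Added example, not code from the thread or from SpamCop: a miniature
version of the decision a receiving mail server can make during the SMTP
transaction, using (1) a DNSBL lookup name built from the reversed IPv4
octets and (2) the rDNS keyword heuristic for dynamic pools given in the
post.  The DNSBL zone, its answers and the Received headers are all
constructed so the example runs offline."""
import ipaddress
import re

# Constructed DNSBL zone and answers.  A real MTA resolves the query name
# with DNS and treats any A record as "listed"; zone order matters, so
# conservative lists go first.
ZONES = ["dnsbl.example"]
FAKE_DNS_ANSWERS = {
    "8.7.6.5.dnsbl.example": "127.0.0.2",   # constructed listing for 5.6.7.8
}

# Tokens the post uses to recognise dynamically assigned addresses.
DYNAMIC_TOKENS = ("pool", "dhcp", "dyna", "ppp", "dial")

# Matches the "from <rdns> ([<ip>])" part of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def dnsbl_query_name(ip, zone):
    """Return the reversed-octet lookup name, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone, answers=FAKE_DNS_ANSWERS):
    """True when the zone has an answer for the query name."""
    return dnsbl_query_name(ip, zone) in answers


def looks_dynamic(rdns):
    """Heuristic from the post: any dynamic-pool token in the rDNS name."""
    name = rdns.lower()
    return any(token in name for token in DYNAMIC_TOKENS)


def parse_received(header):
    """Extract (rdns, ip) from a Received header, or None if absent."""
    match = RECEIVED_RE.search(header)
    return (match.group(1), match.group(2)) if match else None


def smtp_decision(header, zones=ZONES, answers=FAKE_DNS_ANSWERS):
    """Decide at SMTP time and return (reply_code, reason).
    550 rejects before the body is accepted, so the sender's own MTA
    produces the bounce and nothing is quarantined; 250 hands the message
    on to content filtering."""
    parsed = parse_received(header)
    if parsed is None:
        return 250, "no usable Received header; defer to content filter"
    rdns, ip = parsed
    for zone in zones:
        if is_listed(ip, zone, answers):
            return 550, f"5.7.1 {ip} is listed in {zone}"
    if looks_dynamic(rdns):
        return 550, f"5.7.1 {rdns} looks like a dynamic address; relay via your ISP"
    return 250, "accepted for content filtering"


# Constructed sample headers: a clean MX, a listed dynamic host, and a
# dynamic-looking host that no list knows about yet.
SAMPLES = [
    "Received: from mx1.example.org ([203.0.113.9]) by mail.example.net",
    "Received: from ppp-5-6-7-8.pool.isp.example ([5.6.7.8]) by mail.example.net",
    "Received: from dhcp-40.cable.isp.example ([198.51.100.40]) by mail.example.net",
]

if __name__ == "__main__":
    for header in SAMPLES:
        code, reason = smtp_decision(header)
        print(code, reason)
```

The third sample is the case John reports by hand: not on any list, but the rDNS gives it away, so the policy here rejects it with a 550 that tells a legitimate sender to relay through their ISP. Whether to reject or merely score such hosts is a site policy knob; the lookup order (conservative zones first) is what keeps the false-reject rate where the post says it should be.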

Whew! Good answer! <g> Another damn fine FAQ entry for sure, once I figure out how to Title it <g> ... Thanks for the time and effort involved in this response. And another Wow! for emphasis <g>

I don't understand why 99% of all reputable ISPs can't have verified accounts that are allowed to send to mail lists, and stop all others that send anything looking like a mass mailing before it gets out the door.

That authentication is only useful for e-mail sent through the ISP's mail servers.

Most spam is sent directly from computers that have been infected with a remote control program and does not go through the ISP's mail servers.

I am most grateful for these answers and the time it took to make them, although some are more technical than my current expertise allows me to fully appreciate. Perhaps this can be placed in a FAQ area for others to view?

I would however like to ask one followup question, which is on the above point.

Don't ALL emails have to get out via an ISP somewhere, even if they are hijacked PCs? Why would ISPs of hijacked PCs be less (or more) dishonest than any others? If so it still seems that a simple limit on volume implemented as a feature within the main server software packages would eliminate almost all of it. That assumes of course that they don't have so many hijacks that they can spread the volume dramatically so as not to trigger alarms, but somehow the premise that most spammers are stupid (one of the rules?) would seem to discount that kind of sophistication.

Thanks again.

PS. If anyone who works for Sprint reads this, please note that you have lost one customer for life in any of the services you offer; just on principle of course, but it is nevertheless something that you can take quite a few thousand dollars of your revenues for. Small pleasures.

Edited by elind

When you "connect" to the Internet, you are just one more computer hooked to that network. You then start talking about something I'll call "services" ... perhaps then splitting that down to "servers" ... Your ISP offers you connectivity and most likely has rules about just what you can use that connectivity for. Let's point out the obvious that spammers, virus/trojan writers, hijackers, don't care what your ISP says about "you" can or cannot do.

So all that's needed is entry to 'your' system, install a small SMTP engine (service for handling e-mail), and remotely feed it with the needed data to have the spew sourced from "your" computer. The general user just has no clue, perhaps possibly noticing the hard drive working harder, the system is running slower, but again, back to the no-clue condition .. "all computers do that" <g>

I get spam tracked back to "your" computer, "your" ISP gets my complaint. Maybe that ISP will disconnect your system. Maybe that ISP will "talk" to you about "your" problem. Maybe that ISP will drop you an e-mail suggesting something. Maybe that ISP won't do a damn thing except continue to take your monthly payment.

Your question deals strictly with e-mail going through that ISP's e-mail server. This discussion is about e-mail traffic that flows from an end-user's computer to the "net" ... As far as the ISP is (generally) aware, "your" computer is passing traffic to/from the 'net' ... You may read about "Port 25 blocking" which is basically blocking traffic along a "standard SMTP" 'channel' used for e-mail processing. This is one of those things that stops the clueless, screws up a lot of 'normal' folks, but is just another little speed-bump for those that spend their time working around these stop-the-spam efforts.

I'm going to repeat the oft-made statement here ... I've placed a number of "other places" to go do some research for a lot of this type of stuff ... Please check out the Forum FAQ ....
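elind's follow-up asks whether a simple volume limit at the ISP would catch most of this, and the reply above explains that a hijacked PC runs its own SMTP engine and talks to port 25 directly rather than through the ISP's mail server. The following is an added example, not code from this thread, of the detection an ISP or campus network team could actually run over flow records to find such hosts. The relay address 192.0.2.25, the window, the threshold and the flow records themselves are constructed assumptions.

```python
"""Added example, not code from the thread: spotting hijacked PCs that
run their own SMTP engine by looking at who talks to port 25 directly
instead of through the ISP's relay.  The flow records, the relay address
and the thresholds are all constructed or assumed."""
from collections import defaultdict

SMARTHOST = "192.0.2.25"    # assumed ISP outbound mail relay
DEST_THRESHOLD = 20         # assumed: distinct MXs per window that is "too many"
WINDOW_SECONDS = 600        # assumed analysis window


def build_sample_flows():
    """Constructed flow records as (timestamp, src_ip, dst_ip, dst_port).
    10.0.0.50 behaves like a zombie, 10.0.0.7 like a normal desktop and
    10.0.0.9 like a small legitimate mail server."""
    flows = []
    for i in range(25):                                    # zombie: 25 MXs in 25 s
        flows.append((1000 + i, "10.0.0.50", f"198.51.100.{i + 1}", 25))
    for i in range(5):                                     # desktop via the relay
        flows.append((1000 + i * 10, "10.0.0.7", SMARTHOST, 25))
    flows.append((1020, "10.0.0.9", "203.0.113.10", 25))   # small mail server
    flows.append((1030, "10.0.0.9", "203.0.113.11", 25))
    flows.append((1040, "10.0.0.7", "203.0.113.80", 443))  # web traffic, ignored
    return flows


def direct_smtp_flows(flows, smarthost=SMARTHOST):
    """Port-25 connections that bypass the ISP relay."""
    return [f for f in flows if f[3] == 25 and f[2] != smarthost]


def suspicious_senders(flows, threshold=DEST_THRESHOLD,
                       window=WINDOW_SECONDS, smarthost=SMARTHOST):
    """Map src_ip -> peak number of distinct direct port-25 destinations
    in any one window, keeping only sources at or above the threshold.
    Counting distinct destinations rather than bytes is what lets a 2 kB
    spam stand out inside a 100 MB download stream."""
    per_bucket = defaultdict(set)
    for ts, src, dst, _port in direct_smtp_flows(flows, smarthost):
        per_bucket[(src, ts // window)].add(dst)
    peak = defaultdict(int)
    for (src, _bucket), dsts in per_bucket.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    flows = build_sample_flows()
    print(len(direct_smtp_flows(flows)), "direct port-25 flows")
    for src, n in suspicious_senders(flows).items():
        print(f"{src}: {n} distinct MXs in one {WINDOW_SECONDS}s window")
```

This is why a byte-volume limit of the kind elind proposes does little: the spam is a trickle compared with the rest of the pipe, but a desktop that opens connections to dozens of distinct mail exchangers in ten minutes has no innocent explanation, while the small mail server on 10.0.0.9 stays under the threshold. A botnet that spreads its load thinly across many hijacked hosts would need the same count correlated across hosts, which is the sort of list-driven check the later posts describe ISPs subscribing to.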

Don't ALL emails have to get out via an ISP somewhere, even if they are hijacked PCs? Why would ISPs of hijacked PCs be less (or more) dishonest than any others?

It is a different technical problem and also involves customer relations. The hijacked computers do not usually use the normal 'port' for email (and since I am technically non-fluent also, if I explained what a 'port' is, none of the experienced people would be able to answer posts for a while because they would be laughing so hard!). However, since they don't use the normal port, it is not obvious that large amounts of email are being sent.

Like viruses, the cause is some customer of the ISP who has not been responsible in their web browsing and has 'caught' an infection. If the ISP does notice an increase in volume from looking at the other ports or some other way of checking various lists or if spam is reported (and you are correct - spammers do rotate them so the extra volume is not noticeable), then he has to notify the customer and try to convince the customer to have his computer fixed. Some ISPs will cut that customer's connectivity until the problem is fixed, others give the customer several days to get it fixed, and other combinations of policies. While some, like Comcast did, ignore the problem for a long time, others are slower to fix the problem because of consideration for their 'innocent' user.

If end users as well as ISPs were held responsible, then perhaps the problem would be solved more quickly. However, that would mean many more people being denied internet access which means fewer customers for ISPs and less online sales. And, of course, there would always be those who would allow anything just to have customers or sales.

Miss Betsy

When you "connect" to the Internet, you are just one more computer hooked to that network.  You then start talking about something I'll call "services" ... perhaps then splitting that down to "servers" ...  Your ISP offers you connectivity and most likely has rules about just what you can use that connectivity for.  Let's point out the obvious that spammers, virus/trojan writers, hijackers, don't care what your ISP says about "you" can or cannot do.........

I see. Not email, just data transfer....and an excuse to not look too hard.

Thanks

I see. Not email, just data transfer....and an excuse to not look too hard.

In all fairness, not necessarily true. If you look at your 'normal' traffic, then factor in the peer-to-peer stuff of the original Napster ilk, or even the legitimate iTunes stuff, and lord only knows how much porn stuff downloaded via the newsgroups, whereas some folks are downloading megabytes of data, that flow of e-mail'd spam is pretty insignificant. Pretty much the same scenario I first offered in the China/Sprint connection. What resources would "you" put into place to analyze all that traffic to try looking for a 2k e-mail (that looks like spam) amongst that 100+ Megabyte traffic flow into the pipe (and I'm definitely sidestepping the privacy issues involved with that analysis <g>)

Everyone in this thread has also ignored the cases of SWIP'd address blocks (i.e. directly assigned by ARIN or another controlling organization), where the spammer directly controls the address space and no ISP is involved. Examples abound - the spammers tend to look like ISPs themselves and usually have at least a few legitimate customers along with the spam operations running from those netblocks; Look on Spamhaus at the various listings for the ROKSO spammers and see how many are attributed to ARIN - these all fall in that category (though there is always still a "bandwidth provider" who supplies the routing/BGP4 services to these cases).

Also, everyone has ignored the cases of "hijacked" IP space - see the pages at www.completewhois.com for a very good explanation of these.

Neither of these cases involves *any* ISP (though some bandwidth providers are also ISPs, not all are).

It is a different technical problem and also involves customer relations.  The hijacked computers do not usually use the normal 'port' for email (and since I am technically non-fluent also, if I explained what a 'port' is, none of the experienced people would be able to answer posts for a while because they would be laughing so hard!).  However, since they don't use the normal port, it is not obvious that large amounts of email are being sent. 


Replace port with route or path and your answer will be more correct. ;)

E-mail is what is known as a store and forward protocol. For the normal home user, their computer sends an e-mail to their own ISP's mail server, regardless of where the message is eventually going to go. That mail server is the one that figures out how to get the message to its ultimate destination and reports back, with a new e-mail message, any problems that it gets.

This process can be quite time consuming in the background; while normally, in this day and age, an e-mail will go out in seconds, the process can actually take several days. This also means that anyone who has a business model dependent on instantaneous delivery of e-mail is going to either be very lucky, or eventually they will be disappointed.

The process of sending an e-mail directly to a remote server can take much longer than a dialup connection would allow, and while a broadband connection is on all the time, if the computer is off before the e-mail gets accepted by the remote server, then it will be silently delayed until the computer is powered up again.

While a mail server program could be on a home broadband connection, as there is on the computer I am using, it is not practical for me to use it on a DHCP connection. Very few other mail servers will accept e-mail from a DHCP address. The ones that do are drowning in spam.

A port is a number assigned to an outgoing message fragment on the internet so that the receiving computer knows what program on it to send it to. There is an internet convention of what ports are used for what programs, and those ports also have names.

Now a port can be blocked at a router. One of the issues with that is that routers need to be fast for an ISP, and for a router to have to decide whether to block a port based on the sending I.P. address can induce a speed penalty.

SMTP uses port 25 for normal connections.

There is also an SMTP port 587 for connections to a private mail server. When I am sending e-mail through a mail server other than my ISP's, I send it through port 587.

Like viruses, the cause is some customer of the ISP who has not been responsible in their web browsing and has 'caught' an infection.


Just one of many ways that an infection can be caught. A fully html enabled or script enabled e-mail program can easily pick up an infection. Lately all e-mail clients have scripting off, but many will still automatically open external links.

Not having a firewall on some types of computers is all that is needed to get an infection.

And of course opening attachments on some types of computers will, instead of "opening" the attachment, actually run it as a program.

Most users of those systems do not know the difference, and why that behavior is extremely bad, and makes those types of computers extremely vulnerable to viruses.

If the ISP does notice an increase in volume from looking at the other ports


The ability to alert on network traffic levels and indicate which I.P. addresses are generating excessive traffic is a standard feature on most network monitoring stations.

Of course that requires the network not to be always running at capacity.

And it should be possible for an ISP to pay whoever supplies their auto-answer software for their abuse mail box to have that script queue up a security scan for any of that ISP's I.P. addresses that are contained in it, and take action if a problem is found.

or some other way of checking various lists or if spam is reported (and you are correct - spammers do rotate them so the extra volume is not noticeable), then he has to notify the customer and try to convince the customer to have his computer fixed.  Some ISPs will cut that customer's connectivity until the problem is fixed, others give the customer several days to get it fixed, and other combinations of policies.  While some, like Comcast did, ignore the problem for a long time, others are slower to fix the problem because of consideration for their 'innocent' user.


When an ISP verifies that a customer is sending spam or viruses:

The responsible ISPs will lock that I.P. address to the customer, and then block it from sending email until that system passes their security scan.

That whole process can be automated to save costs where the customer can request a rescan to verify that they are fixed.

The ISPs that wait days to cut off the machine if it is not fixed are hurting themselves and a large number of their customers.

In some areas, it only takes one zombie computer to knock out several small towns' internet connections for all practical purposes while a spam run is in progress. In other areas it may take a few more before outages start being noticed.

At one time, apparently before my broadband ISP started near real time monitoring of selected DNSbls, there were quite a few users complaining about bad connectivity in their area. I looked up their subnet address from their posts, and then checked news.admin.net-abuse.sightings, and the spamcop.net evidence which was still available back then for anyone to look at.

I was able to find in most cases one or more active zombie computers on their network segment and usually the dates in the .sightings and in the spamcop.net evidence indicated that there should have been several days of abuse reports identifying the specific zombie computers.

This basically shows that if the ISP gives the owner days to take action, or only acts on such problems from 9 to 5, 5 days a week, then there will be a large number of paying customers impacted badly and in many cases the ISP is issuing refunds for a problem that should have been solved days earlier.

Of course the ISP eventually covers that cost by either raising rates, or cutting services.

Part of the issue with fighting spam is educating the average user to understand how badly spam problems on their ISP affect them, and just how doing "Just hit delete" both costs them significantly more, and also increases the possibility that real e-mail will be lost in the noise of spam.

There is also a new increasing risk to all users of a network that permits spam to reach their non-technical users.

Some of those users may implement extremely abusive anti-spam measures that will cause other mail servers to block that network's mail servers to stop the mail bombing.

The traditional stupid anti-spam trick of sending a bounce of a challenge to the usually forged address was good enough for that, but many times no one at the abuser's network ever needed to get e-mail from the forgery victim's network, so the blocks were not noticed.

That stupid trick has been superseded by a new product (if it is still available). It abusively sends a spam notification to the registered domain owner of every domain name found in the spam or the headers, including those placed there by the local network's mail server.

When I last looked there were two DNSbls that are listing any user of the product that is brought to their attention.

Note that almost all mail servers can be configured to block I.P. addresses that are mail bombing them. Only a few can be configured to just block an offending user. So all you need is one other user doing something abusive with the spam that they receive to find many networks refusing your e-mail, or silently deleting it.

-John

Personal Opinion Only
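An added example, not John's or SpamCop's code: a small Python check over constructed flow records that flags a source host opening SMTP (port 25) sessions directly to many remote mail servers instead of handing mail to the ISP's relay, the "volume on the other ports" signal described above. The log format, the relay address, the addresses and the threshold are all assumptions.

```python
"""Added example: spot a broadband host sending SMTP directly to many remote
mail servers (zombie-like) while ignoring normal relay and port-587 traffic."""
from collections import defaultdict

ISP_SMARTHOST = "192.0.2.25"    # assumed: the ISP's own outbound mail relay
MAX_REMOTE_MX_PER_HOST = 5      # assumed: distinct remote port-25 peers tolerated

# Constructed flow records, one per line: "src_ip dst_ip dst_port"
FLOW_LOG = """\
198.51.100.7 192.0.2.25 587
198.51.100.7 203.0.113.10 443
198.51.100.9 203.0.113.20 25
198.51.100.9 203.0.113.21 25
198.51.100.9 203.0.113.22 25
198.51.100.9 203.0.113.23 25
198.51.100.9 203.0.113.24 25
198.51.100.9 203.0.113.25 25
198.51.100.12 192.0.2.25 25
198.51.100.12 203.0.113.30 25
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], parts[1], int(parts[2])
        except ValueError:
            continue

def direct_smtp_peers(flows, smarthost=ISP_SMARTHOST):
    """Map each source to its set of port-25 peers other than the ISP relay."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port == 25 and dst != smarthost:
            peers[src].add(dst)
    return peers

def suspected_zombies(text, threshold=MAX_REMOTE_MX_PER_HOST):
    """Sorted sources whose count of direct remote MX peers exceeds threshold."""
    peers = direct_smtp_peers(parse_flows(text))
    return sorted(src for src, hosts in peers.items() if len(hosts) > threshold)

if __name__ == "__main__":
    for src in suspected_zombies(FLOW_LOG):
        print(f"{src}: many direct port-25 peers, queue a security scan")
```

Only 198.51.100.9 trips the check; the host relaying through 192.0.2.25 on port 587 and the one with a single direct peer do not.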

Everyone in this thread has also ignored the cases of swip'd address blocks (i.e. directly assigned by ARIN or another controlling organization), where the spammer directly controls the address space and no ISP is involved.


I left that detail and your other one out on purpose as I was already quite wordy, but those ranges are generally covered by the "conservative" DNSbls which get them mapped out rather quickly. As you say they end up in the sbl.spamhaus.org.

From the statistics that I have seen, they are only a small percentage of the spam origin. These are the locations that the spammer's web sites are generally located at.

Most of the spammers seem to realize that those address blocks are useless for sending spam.

In this thread we are trying to be non-technical.

But a newbie may be interested in reading the FAQ at http://www.spews.org for a different view of handling spam than either spamcop.net or spamhaus.org.

-John

Personal Opinion Only

Everyone in this thread has also ignored the cases of ......

I'm not sure I want to agree with "ignored" .... it seemed to me that going that far would be a bit of over-load for the original poster ... But thanks for jumping in and pointing out that there are more levels, more issues, more players ....

and along that line, a number of your previous postings have dealt with your doing research on tracking things down, looking things up, comparing results ..... might you have the time to do up a primer or two for the "How to ..." Research Tools Forum?
