Jump to content


  • Posts

  • Joined

  • Last visited

About hadaso

  • Birthday 03/05/1963

Contact Methods

  • Website URL
  • ICQ

hadaso's Achievements


Member (2/6)



  1. I was wondering if the same can be applied to those who hire the spammers to do their advertising, either directly or indirectly. I've been following an Israeli spammer that seems to be botnet-based (statistics show that 270 messages I got from them over more than a year came from 268 different IP addresses in 40 different countries + 26 US states, and different networks within each country.). The reason I follow this particular spammer is that this spammer is that they are very successful in marketing their product to what people call "kegitimate businesses", and that the service they sell is the use of people's computers without the owner's knowledge). I was trying (still am) trying to get positive evidence that the different IP addresses actually represent infected machines and so I include with every spamcop report on this particular spammer a request to the ISP to check and confirm if it is actually an infected PC used without the owner's permision. I had only one ISP respond. It was a local ISP in Oklahoma the sent a reply to my SpamCop report saying he believed that this was an infected PC, that the IP address got complaints about other spam, and had open ports sending out binary traffic. Now the particular spam sent from the said machine advertised government loans being offered by an Israeli government agency, that has already sent spam using the services of this spammer in the past. So the story here is that an Israeli government agency has spent Israeli taxpayer money to hire a criminal to provide them a service by using hijacked private machine in Oklahoma and its network resources (probably thousands of hijacked machines but we know for sure only one of them was hijacked). I went with this info (list of IP addresses, copy of the above quoted correspondence and some more email) to the Israeli police computer crime unit, and they said they were interested, that they would investigate, that they would very much like to stop the spammers but there's very little they can do with what I brought them and with the way the law limits them (and of course they are severely understaffed and have to deal with lots of other things, fraud, child porn etc.). I also filed a complaint with the State Comptroller about the use of taxpayer's money to hire criminals. Anyway what I see is "legitimate" businesses such as several academic colleges (real ones, not the "get whatever degree you like" type), an investment house offering to handle your portfolio if it's worth $100000 or more (would you let a botnet spammer do that for you? Apparently people do because they hired the spammer several times) and many more businesses selling "legitimate" products. So I think there should be some way to take those that hire these services to criminal court. Several times I saw complaints about companies that advertise through this spammer, and the replies were usually of the sort "we don't directly work with them, we use a marketing agency that hired them" and "we made sure to ask that there would be a removal link". If they would have to pay a price because they purchased stolen goods (or stolen services) they would check more carefully what they are getting before they give their money to the criminal!
  2. That's a problem that needs to be solved. What the FBI really needs from the ISP is not personal info of a subscriber. What they need is information about the type of traffic going out of that computer that is not the subscriber's personal info. They need to have details of the kind of trojan on that machine, the kind of activity the trojan conducts and the spam going out of the particular machine (that would carry information leading directly to whoever paid money to use that trojan). So there's a need for a way that law enforcement can ask for this info and get it without the ISP providing private information of the subscriber. I have been following a particular Israeli spammer that seems to be sending using zombies. In every spamcop report of spams I get from this spammer I now include a request to the ISP that they inform me if they can positively identify that it really is a compromised PC. Only one ISP replied. It was a local ISP in Oklahoma. They checked the traffic out of the (dynamic) IP address that received several reports and saw that it was sending out spam and also some binary data thru some open ports, and said it was definitely an infected PC. With that I went to the Israeli police. They said they cannot do anything with spam, but using a compromised PC is a different thing, and they would investigate. Anyway, reporting spam from zombie PCs is quite frustrating. It seems that most ISPs do not care too much since it is not affecting their mail servers and thus not affecting their subscribers' outgoing mail. What is needed is that each such IP address that can be assciated with a real spam email from an identified spammer (or advertiser) be checked for abuse and then if it can be posotively verified that spam advertising a product or service has been sent using a trojan horse on a PC criminal charges would be brought against the advertiser. I don't want to argue with anyone who thinks that businesses should be allowed to legally hire a spammer to send spam (I don't think they should). They certainly should not be allowed to hire a botnet to send their spam, since that is not much different from purchasing stolen goods (hiring botnet based services is purchasing stolen services and resources) so they should be punished if they do. If some advertisers go to jail for hiring botnet-based services we would see much less of that since most advertisers would be much more careful in choosing their service previders.
  3. An email provider should not block a user's incoming email without letting the user opt-out or adjust the settings (well, there are exceptions. Very conservative BLs such as those listing known open relays/proxies can be used, as they block almost no legitimate email, and not blocking them exposes an email system to possible denial of service attacks. SpamCop is not such a BL. IP addresses listed on SpamCop often send much more legitimate mail then spam, so it's senseless to block them. But it's a very good indicator that some other spam tests should be applied). If they would not let you receive all your email and you really need to receive your email then you should probably host your email elsewhere. If they are good webhosts you might want to keep them as webhosts and host your email separately. Webhosts are professional webhosts, and not necessarily very professional mail hosts. SiteGround's response certainly shows they are not very competent as email providers. It is possible to host email for a domain and website for a domain at different hosts (actually you can also host different subdomains at different hosts, independently for web and for email). What's possible is only limited by your host. If your webhost insists on hosting your email and your DNS then you have no choice (except changing webhost). I they don't insist on hosting your DNS than you can host your DNS elsewhere (e.g., at Zoneedit.com) and point your MX (mail server) record to any mail provider. If they insist on hosting your DNS they might allow pointing the MX record elsewhere. There are other considerations: e.g., they might not insist on hosting DNS for you but still be running chacks to verify that you point your MX record at their mail servers. EmailDiscussions.com has lots of threads discussing different comfigurations of using separate web/mail/dns hosts (and also multiple mailhosts for redundancy and all sorts of strange comfigurations...)
  4. Two kinds:The kind that doesn't read the faq, and just blocks any listed IP (e.g. your recipient's email host). The kind that reads the faq and feeds the listed/unlisted info into a filter that gives it appropriate weight (e.g. my email host, using Spamassassin). If your email was blocked and whoever blocked it claims it was blocked because it was listed on SpamCop BL then the cause of the blocking is at list one of two: whoever implemented the blocking either haven't read SpamCop's recommendations before using the BL, or chose to ignore it, and your provider received (or chose not to receive) complaints about spam going out of the IP address you used and haven't done enough to prevent these complaints. The combination of these two causes your email to be bounced. If one of these causes is avoided your mail would get through.
  5. Not really. Their biggest problem (related to this SC listing issue) is stopping spam sent from their servers. FastMail.FM had a similar problem with SpamCop listing and now the problem is practically non-existent, without listing the IP addresses of http clients. The real solution is comprised of monitoring many aspects of the system and catching the spammers when they try to send (and includes things like scanning outgoing mail for spam, monitoring outgoing rates, bounce rates, and more), and then acting fast (disabling spammers accounts as fast as possible). The best way to fight spammers is to get rid of them when they're "young" ("Children, watch out for the baobabs!" from The Little Prince by Antoine de Saint Exupéry).
  6. But then if Gmail revealed the IP address of the web-client used to access their web server by the user it would not be shared by hundreds of email addresses, but would be an IP address allocated to exactly one person working on one machine, and if that person happened to work on that one machine in a country that doesn't value free speech or human rights, thae person can be easily located and sent to jail (or elsewhere).
  7. Honesty is good! I only had time to read all these posts because it was in portions over several months. As much as we like to hate M$, they're not that bad, and I don't think they'd stoop so low. What an exaggeration! What do you compare it to? Hotmail and Yahoo? there's lots of basic email functionality that's unavailable in Gmail, and thaere are lots of email providers that you may never have heard of offering functionality you don't have with Gmail. There is no such thing as a "best e-mail provider" since email is very complex, and what is "good" depends on how you are using it. SpamCop listings are not based on email addresses. They are based on parsing email headers to locate the machine that originally sent the email message. So it's not so easy to get SpamCop to generate false listings, but actually it's probably possible to forge email headers in a way that fools SpamCop into accepting false reports. So it's actually an interesting question: what mechanisms does SpamCop has to detect and avoid false reports? SpamCop blocks no email: SpamCop only publishes a list of IP addresses, and those are IP addresses that sent several email messages that produced complaints by their recipients. Some email providers or users refuse to receive email from these sources so they block them. SpamCop advises against using the list in this way and advises a more subtle approach that uses several parameters to decide what to do with a received message. The main cause of this long thread is not SpamCop or Gmail but rather stupid email admins that apply the SpamCop list without reading the manual.
  8. Spamcop listing should not depend on other listings. SpamCop listing is based on different criteria, so there's no reason why anything that is listed on SpamCop should be listed on anther list that employs different criteria, and vice versa. Nobody forces you to refuse all email from sources listed on SpamCop BL. SpamCop doesn't recommend doing it. It recommends using the listing as data to be fed to a more comprehensive solution such as SpamAssassin (that gives it appropriate weight among other criteria used to decide what should be discarded or diverted from users' inboxes). You mean if you send from a Gmail account to your server and your server bounces? If Gmail can detect that the cause of the "554 Service Unavailable ...etc..." message is a SpamCop listing then they might treat it as a "45x blah blah ..." and reschedule the email to be sent later, as a SpamCop listing is a transient condition (24 hours) and your server would accept the email once the listing is removed after 24 hours or less.
  9. This is becoming dangerously close to language that the average sysadmin of a small ISP (or junior staff at a major ISP) would not understand and does not care about. How about "SpamCop lists IP addresses that recently either sent a predetermined relative amount of email messages to some secret addresses or generated a significant relative amount of complaints about spam received. It doesn't list IP addresses that send only spam."... Simple language that makes every reader understand immediately that the list means that the IP generated email that has some spam but is not all spam, with a link to the details in the faq is best, in that a reader that understands nothing about email should be able to understand immediately upon reading the message that the fault is with the recipient's ISP not doing their homework, and then the reader can learn more if the reader wants to learn more. One problem is that ISPs sell ineffective filtering services. If mosti ISPs would have to learn how to filter spam more effectively (because users learn about it and demand it) then Spammers would have a real problem.
  10. Sometimes outgoing mail from gmail is blocked and tSpamCop is cited as the cause of blocking. SpamCop is not the cause of blocking. Gmail is not the cause of blocking. The cause of blocking are some stupid postmasters at some ISPs that use blocklists without understanding what they mean: SpamCop lists IP addresses that sent some spam. It doesn't list IP addresses that send only spam. So using SpamCop listing as the sole criterion for blocking is very bad and would result in lots of legitimate email being blocked. On the other hand SpamCop BL is an excelent resource when used in conjuction with other methods of filtering spam, as it it constantly updated and never contains old info. Some ISPs happily collect their $2/month for blocking spam and don't care if their users don't get all their email, and most email users don't understand much and would accept that losing some email is a technical problem that cannot be solved unless they want lots of spam. The problem is how to educate these ISPs about correct spam filtering. One way to do it is that if a bounce message contains a link to spamcop as explanation to why the message was blocked, the spamcop page reached would clearly say that this list is not appropriate for direct blocking, and is very good as input of a comprehensive filtering system, such as SpamAssassin or others. This would avoid most complaints about "SpamCop blocks my email" since anyone whose email is blocked would immediately get the explanation that the reason is the ISP that uses SpamCop incorrectly. And this would have another good effect in generating public demand for better spam filtering (as in: "My dearly beloved ISP: I pay you $2/month for spam filtering. Why do you supply me wih only basic and incorrectly implemented blocking when there are better tools that you can download freely and use in your server?").
  11. If Gmail forged "Received" headers like Hotmail and Yahoo do then spamcop reports about "source of spam" would go to the sender's ISP (or internet cafe or whatever...) that would certainly not close the sender's Gmail account. The way Gmail does it spamcop reports get to Gmail's abuse team that can act on it. And the way Gmail explains it to email admins might make them read spamcop's faq and perhaps use SCBL correctly (through spamassassin or something similar). When I receive spam sent from a Hotmail account and try to report it to Hotmail, I cannot do it using SpamCop because spamcop sends to a connectivity provider that cannot close the sender's email account that they do not control. I have to manually send a report to Hotmail's abuse that can then close the spammer's Hotmail account.
  12. Not really. The actual sending IP would be the one getting listed instead of the intermediate IP. The main difference would be the reduction of legitamate mail being affected.33772[/snapback] Not the sending IP. The IP of a machine that runs an interface controling the machine that sends the message. In webmail the user's machine is only an I/O device that controls an MUA running on a different machine (on the web server). Those services recording the web session in a "Received" header as if it was a transmision of an email message are just not following RFCs. SpamCop's logic would require that if I telnet a UNIX host and send mail by using the "mail" command in a UNIX shell like I did in the good old days before spam then a "Received" header should be added recording the IP address of the telnet client. What's the difference between controling an MUA using telnet or using http as the communications protocol that sends instructions to the MUA? The main difference between recording the IP address of the control mechanism and not recording it is not the reduction in legitimate mail blocked, but the reduction of the blocking of all mail, because that way the IP addresses getting listed doesn't run any kind of software that transmits email. What you are saying that the way to avoid legitimate email being blocked using SCBL is to fool spamcop by providing an IP address of a machine that does not transmit email. There are two sides to blocking legitimate email: the recipient loses the email too. And the main difference is that the recipient has no idea what email is not received. If the recipient is a business it means lost business. If the recipient needs info it means they'll have to live without that info. If they expect a job offer they'll have to find another job. So I guess Gmail counts on those recipients that need to have their incoming email to make their mail service stop blocking them. Edit: 2005/10/06 01:03 EDT -0400 Jeff G. fixed the quoting. Edit: lots of typos...
  13. ... and then they won't have any urgent reason to deal with any abusers of their system. So everybody's happy, except for those receiving the spam... But once a list of spamtraps is compiled, using it doesn't show any weakness in any other system. Any email system that allows signups using credit cards can be used to send a few hundred messages before being blocked. spam can only be recognized after it has been sent, and spammers look like any other email user before they start spamming. Being able to send a few hundred copies of a message before being stopped shows nothing about the ability to send tens of thousands or millions of messages.
  14. One possible reason to send email to spamtraps is to generate SpamCop listings. One possible reason to generate SpamCop listings is to cause the blocking of legitimate email and indirectly cause email providers to stop using SCBL. You seem to believe that spamtrap addresses used to by SpamCop are unknown to anyone but spamcop. However there are easy ways to extract those from mailing lists, because SpamCop responds to email sent to them by creating SCBL listings that spammers can access. It is not too difficult to take a mailing list and extract from it a sublist of addresses that have high probability of generating SCBL listing. At least it's not to difficult if you have access to a botnet of a few thousands compromised PCs that can relay email for you from different IP addresses and a list of a few millions addresses scraped of the net that you can purchase for a reasonable price on the web. Anyway, I've seen evidence that spammers have some knowledge of spamcop spamtraps. This post made early this year on emaildiscussions shows a SpamCop spam source report with an unreasonable percentage of spamtrap vs. user reports on one IP address compared to another. -- spam SOURCE REPORT -- IP Address Start/Duration Trap User Mole Simp Additional comments Jan 12 19h/0 0 11 1 0 Jan 10 15h/0 0 1 0 0 Jan 17 17h/4 210 13 1 0 There is no way that this "just happened". You don't have to be a statistician to see that this cannot be explained by chance. But anyway I did make a statistical comparison using this online chi-square calculator and the result is Trap vs. User comparison Trap User Total IP 1 0 11 11 IP 2 210 13 223 Total 210 24 234 Degrees of freedom: 1 Chi-square = 100.997757847534 p is less than or equal to 0.001. The distribution is significant. This means that the probablity of getting this unusual ratio of spamtrap vs. user reports without any real cause is less than one in a thousand. It looks like someone made the effort and got a list of spamcop "secret adresses" and spammed them. If spamtraps are not discarded weekly and replaced by new spamtraps they cannot be considered "secret" and cannot be used to reliably estimate the volume of spam sent to real people. Not if SpamCop responds to them by listing IP addresses.
  • Create New...