Is it really doing any good?

[wb23]

What's up with SpamCop? Has it become dead or useless?

Been a member for 5 years. I still [waste] time reporting stuff, thinking it's good for the "collective" and will help me & everyone else fend off the crap.

But a couple years ago, you laxed the duration of blacklisting. Now, I report something and check the list status, and it's not listed. I search my logs for stuff blocked via spamcop and there is LITTLE or NONE. What's the fu**ing point? Has this thing just died on the vine?

Please offer me some indicator that this is still relevant; but I'm no longer going to waste time reporting anything without some compelling argument that there is SOME POINT.

[Wazoo]

Yet another "merged" post .... yeah, PM sent ....

What's up with SpamCop? Has it become dead or useless?

Absolutely "great" first post, obviously made with absolutely no time spent looking around to see if you coukl "find an answer" .... oh yeah, the attempted profanity really helps a lot.

Been a member for 5 years. I still [waste] time reporting stuff, thinking it's good for the "collective" and will help me & everyone else fend off the crap.

Your reports feed the SpamCopDNSBL ... do you use it? That various ISPs don't 'react' to these complaints can't actually be laid at SpamCop.net's door.

But a couple years ago, you laxed the duration of blacklisting. Now, I report something and check the list status, and it's not listed.

And your "single" report factors into the math formula just how? The last time this came up, the numbers were something like 3 reports over the last 90 days for an IP address shooting out a few thousand e-mails a day. That is not enough for a listing ....

I search my logs for stuff blocked via spamcop and there is LITTLE or NONE. What's the fu**ing point? Has this thing just died on the vine?

Many previous discussions on this subject. In general, answers seem to point to "your" spam spew sourcing, "your" list of BLs/tools and their checking sequence, etc., etc., etc.

Please offer me some indicator that this is still relevant; but I'm no longer going to waste time reporting anything without some compelling argument that there is SOME POINT.

Check the other Forum areas here to see "your signs" .... plenty of evidence ... one recent is a tale of woe from a user that had her ISP shutting down her e-mail access due to her computer being infected ... specifically, her computer('s IP address) got listed on the SpamCopDNSBL and her ISP used that BL ... she couldn't send e-mail until the SpamCopDNSBL listing disappeared. When "we" started looking, her system was seen to be spewing out 4-5,000 e-mails a day that she "knew nothing about" .... are you going to continue with the "it don't work" viewpoint?

[Miss Betsy]

...Unless (if I understand correctly), there is a "catch-all" account.

I considered mentioning that. It may be why he gets so much spam - all those deleted addresses now collecting in the catchall account. But since he said that he was not technically fluent, I decided to stick to one idea - the difference between bounces. After all, if he is bouncing from Mailwasher, he needs to understand that he is just as bad as a spammer.

Miss Betsy

[g4mby]

I'm now using "MailWasher Pro 5.2" but it doesn't really help neither. I only use it to bounce spam but the

I think a lot of us did that until we realised it was never going to do any good. As others have posted, don't bounce spam when there's little chance of the bounce going back to the sender. I can't believe that Mailwasher is still being advertised with that feature. It's presence on their web-site is not so prominent as it was but it's still there. If it worked we'd all be using it.

May be the bounce facility helps sales a little?

[Farelf]

...I can't believe that Mailwasher is still being advertised with that feature. ...

It is indeed incredible. But the message may be filtering out in other places - recalling John Mahlmberg's post in Exchange 2000 non-delivery report and spam - together with the previous and subsequent posts in that topic. Then, just the other day, How to install and configure an Edge Transport server for Exchange 2007 (hope I snagged the public version there¹). Which, judging by terms like "... Exchange Server embeds a rejection message into the SMTP non-delivery report ..." appears to be the real deal, NDR back to the sending server. Hmmm .... only seven years, not bad.

¹ If not, the abstract is

An Edge Transport server is a hardened Exchange 2007 server that sits between your Exchange Server organization and the outside world. Its job is to filter and sanitize incoming and outgoing email messages to remove spam, viruses and unauthorized content. In this tutorial, Exchange MVP Brien Posey will walk you step-by-step through the process of installing and configuring an Edge Transport server for an Exchange 2007 environment.

Posey begins with a general overview of how Edge Transport security works. He then provides step-by-step instructions on how to install an Edge Transport server and configure communication with Active Directory and the Hub Transport server. Finally, he explains how to set up and customize Edge Transport antispam and antivirus features like content filtering, recipient filtering, IP filtering, Sender ID and attachment blocking.

... and, anyway, registration is free (I hope).

[Rimmel]

I've been with spamcop at least 3 years now and it always been very good, however over the last few months I have had more spam than ever. Most notably are the Viagra ones that have managed to spoof a valid email address on of mine and no matter how many times I report it it appears again.

Are spamcop losing the fight?

I have to be honest and say I've always recommended spamcop to people who complain of spam problems, but recently I haven't really been able to do that.

Thinking about the Viagra spam, couldn't spamcop add a word filter? so people could block all mail with Viagra in the title/To Line? and even the Viagra spelled with the special ansi codes like Viagr© (cant remember the exact code they used)

any thoughts?

[Miss Betsy]

Are you talking about a spamcop email account?

I don't have an email account myself, but from various discussions, it appears that you can configure your filters on an email account so that almost no spam is in your inbox and no false positives in your held mail. Since I don't have an email account, I can't go into details. However, if you do, then you might get more responses in the spamcop email forum.

If you don't have a spamcop email account, you will have to say how you are using spamcop so that others who use it the same way can respond with their experiences. Most people who use the spamcop blocklist, use it in conjunction with other filters. Even the spamcop email service also offers spamassassin and at least one other blocklist.

Spammers work all the time to evade filters. That's the reason for the various spellings of Vi[at]gra. Different filters look for different things. Spamcop blocklist is dynamic so that it takes a couple of reports for an IP address to be listed. When spam stops (as when the spammer rotates to another zombie), the IP address drops off the list. Other blocklists don't drop the IP address as quickly or content filters will look at various aspects, like spamassassin. The user can set spamassassin at whatever level works for them. Higher levels may catch good mail (if someone forgets and uses all caps, for instance). Some people use 'country filters' if they never receive good mail from Russia, for instance, they block all email from .ru.

Miss Betsy

[turetzsr]

I've been with spamcop at least 3 years now and it always been very good, however over the last few months I have had more spam than ever.

<snip>

...Moving this into Is it really doing any good?. I think you'll find your question addressed there, Rimmel.

...Done! PM sent to advise of this action.

[showker]

YES IT DOES WORK... but is simply not enough to make a "trend" change.

It would WORK A LOT BETTER if someone would throw some money

at the problem. (Keep reading.... )

WHAT DOES INDEED WORK:

I administrate a number of online forums and response forms, and

always attempt to 'report' those spammers -- since they're really

out side of the SpamCop / Knujon sphere.

These crooks find "FREE" online forums and blogs, where anyone can

sign up and start a 'thread' -- but where the admins weren't watching,

and would basically let anything go.

The spammer

* builds a post with links to "affiliate" pages (eg "google-search.info")

* goes to the unwatched forum

* posts a whole page of links -- that redirect (eg "canadian-pharmacy")

Sometimes there are multiple 'hijacked' forums.

I report each and every one to the admins of the sites where the spammer

has set up shop. Sometimes I post to their "CONTACT" form, and others

to the admins of the site, ISP, pipeline provider.

I also include the IP of the "sender" because my forums and response

forms includ the 'writer' IP:

example:

> 125.14.1.190

> 84.161.30.238

EACH AND EVERY TIME I get a "Thank You" from the site owner, and

the pages have been removed. They are very thankful.

Last week's episode used these links:

http://www.lyricsday.com/forum/viewtopic.php?p=8638 - viagra

http://scripts.mit.edu/~bgsa/phpBB/viewtopic.php?t=165 - celebrex

http://payson.tulane.edu/techeval/forums/v...opic.php?t=7258 - zyban

NOTE they even use esteemed sites like MIT and Tulane.

I run a HIGH shut-down rate except when they hijack foreign sites

where I cannot read the web pages to find contact names and addresses.

So, when you ask "DOES IT WORK" ... the answer is:

with the right kind of reporting, yes, it does work.

But it takes a little time. Most people aren't willing to put out a little effort.

The sad fact is, there aren't enough people reporting and fighting back.

The top organization in the world -- could stop spam completely in about

a week. Unfortunately that organization has been turned over to an

international band of flakes and bureaucrats. ICANN.

You can thank the Clinton administration.

The second truly SAD fact is that INDUSTRY people who could actuall DO SOMETHING

about spam and online crime, (for the most part) are not interested because

they're making too much money off it.

Any entity with deep pockets and a global reach could END spam tomorrow

if they would/wanted to. They're too busy making money to be bothered

about it. (MSN, Google, Yahoo, FaceBook, MySpace, AOL)

You'd think that an entity worth 6-BILLION would pony up a couple of

million to set up a Squash spam task force. But for some reason they don't.

My highest regards go out to SPAMCOP and all involved for putting up

such a HEROIC fight all these years.

But unfortunately there is NO automated reporting system that will

ever work to 100% satisfaction. It takes human action...

and money to pay the humans well.

I would do it if someone would listen.

... and that's all I have to say about that.

Fred

[Miss Betsy]

IMHO, you have hit the nail on the head about reporting. It is my belief that people running zombies would also like to know. (though I have met a couple of people who have simply given up on the internet because they didn't understand how to be secure) And that the people who could stop spam easily don't do so because they don't have an economic reason to do so. And that their customers would be appalled if they knew their provider was allowing spam - particularly porn and phishes - to be spewed because they don't want to spend the money on educating customers or closing down zombies.

Although ICANN has to be careful not to do anything that could, at some point, be used for censorship, I do think that some policy about unsolicited bulk email could be enforced.

OTOH, you left out the value of blocklists that reject at the server and the ignorance of the end user on how email works.

If enough end users demanded the use of blocklists that return email to the sender and refused to have content filters that drop email except as controlled by the end user and also used SPF, there would soon emerge a network of email providers that were 'spamfree' and where email was more reliable - only breaking down when someone made a mistake (for instance, the current problem with the new spamcop servers or an errant backhoe) and only a momentary interruption. If one wanted to communicate with someone using an irresponsible email provider, one would have to use another irresponsible email provider.

Again, blocklists are not used to block mail because providers don't want to spend the money to educate customers.

Thank you for taking the time to report to people who need to know. Every little bit helps - both in stopping the spam and in educating end users.

Miss Betsy

[showker]

IMHO, you have hit the nail on the head about reporting. It is my belief that people running zombies would also like to know.

Thank you Miss Betsy.

But let me add another aspect to this discussion.

One person said:

paid $15 for the SpamCop Service, and I donated $25 (EUR) to Martijn for his awesome efforts on OR Filter. But if these crooked, self-centered, pricks can just spoof their IP to look like it is mine, then what is the point in going through all of this hassle? Within the next 5-10 years, 95% the IP Addresses in the world will be on one Blocking list or another. So again, I ask.... Is it REALLY Worth it???

There are hundreds, possibly thousands of people who really

do not understand what's actually going on. Additionally, I'm

continually surprised that no one is really addressing the facts.

There SHOULD be a pinned post that explains to people.

The only reason I can figure why the "industry" is keeping users

in the dark is that they're making too much money off the

anti-spam industry.

Let's share -- and hopefully spread some undeniable facts:

1) Do NOT expect any filtering or black hole efforts to "stop" spam.

This is one of the great myths perpetrated on the computer-using

public. Filters do not stop spam, they will NEVER stop spam, no

matter how good or expensive they are. Hundreds of thousands

of people have bought into this myth.

Filters merely "hide" the spam from the user.

The spam is still there in ever-growing numbers.

2) No automated spam prevention method will EVER work

SpamCop is an automated system.

It does NOT stop spam, nor does it claim to. It doesn't even make

spam less, nor does it claim to. SpamCop merely reads each reported

spam, attempts to make the best guess of where it came from and

then pops out a complain to the assumed "spammer". In return you

get "filtered" mail based on the numbers. (Read point #1 above)

The SpamCop "machine" doesn't have the slightest clue as to who

to report to nor if reporting is actually getting where it's going.

(We have tracked dozens and dozens of SpamCop reports to addresses,

and find most of the addresses SpamCop reports to have been turned

off long ago. They bounce -- or go to another robot.) SpamCop merely

attempts to report to the admins at the source of the email. 100% of the

sources of spam are forged or simply don't exist. An automated

system cannot know this. Else the practice of "reporting" would have

ended long ago.

The percentage of SpamCop complaint reports that do get through are

generally acted upon by the abuse admin involved. Unfortunately, the

life of a spam site is now an average 8 hours. So, SpamCop complaints

that do indeed fall on a 'live' address, are too late. The admin shuts down

the account, feeling good about himself, but the spammer is already THREE

account ahead... or is long gone.

Automation doesn't work, cannot work, and will NEVER work. Period.

Get over it.

3) Cutting off the revenue flow is the ONLY solution

Until you interrupt the link between the message in the spam and the

point of income for the advertiser, you are wasting you time and

money. This translates to : shutting down the spamvertised site.

Domain Kiting, and Rogue Registrars sanctioned by ICANN automatically

launch hundreds of thousands of web pages to accept the results of

spam ecommerce, or to gather search engine rankings and "affiliates"

links. The spammers send a burst of spam, then harvest the income

in the first 4 to 8 hours, then close the accounts -- only to open them

again later. They use stolen identities for a very brief time to set up new

accounts and points of payment.

By the time anyone catches up, they're gone, untrackable.

However, the spammer generally has only one or two portals where the

income actually is rendered. All the other 'fake' sites merely redirect and

funnel users back to that point of payment.

The only way to combat this onslaught is to go after that point of payment.

Automation cannot do this. It takes human intervention. And then, since the

criminals are outside the U.S., the only way is to actually stop them is to:

A) direct a DDOS against the ecommerce point of payment

Convince the payment mechanism to shut them down

C) Convince the upstream provider to close down the IP block.

In reality, only "A" would be effective since :

A) they're usually too stupid to understand what they've done wrong

They don't speak English

C) They're making too much money off it

D) They're afraid of reprisals from crime cartels and the mob.

4 Reporting to SpamCop is a valuable practice

Even though SpamCop will NEVER stop spam (in it's present state)

it does feed data and statistics which can be utilized in pursuit of

'real' criminals. (Aside from the 5% or so spammers that SpamCop

is actually able to get shut down.)

5. Entities like "CAUCE" and "Antiphishing Organization" are null

These entities exists ONLY as lip service to the industry, and to

fulfill their own gratification. They have no effective part in ending

or even curtailing spam in any way, shape or form. Period.

You are wasting your time reporting to them.

6. Entities like FCC, FTC, and FBI are bean-counters only

Any reports to them become only a statistic in tracking databases.

They are never even opened by machine nor human beyond

primitive parsing for statistical tracking only. They even admit to this

in their documentation.

You are wasting your time reporting to them

6. Entities like Knujon are effective and do work

Primarily because there's a human parsing the spam, finding the

correct place to complain, and pushing to get the spamvertised

sites, zombies, botnets, and compromised machines shut down.

Sadly, only about 2 in 1,500 actually do get shut down. So that

effort, regardless of how valiant, is not nearly enough.

So, now that we've established the facts -- any questions?

We can only hope that some day, someone at SpamCop will

figure out how to parse the email to find and respond to each

and every reported spamvertised site.

At that point SpamCop would be a major force in ending spam.

However, reprisals from the organized online crime community

would then probably end SpamCop's existence. You'll recall

the events surrounding the demise of Blue Frog.

There's no solution unti IPv6 is finally established as the norm.

Until then some of us will continue to fight the real fight...

and everyone else will continue to block, filter and bellyache

about spam.

:-)

[Farelf]

... some of us will continue to fight the real fight...

and everyone else will continue to block, filter and bellyache about spam. :-)

Alas Fred, as you said before that, most everyone else won't even know what the fuss is all about - Regardless of the overall spam attempts, David Daniels, vice president of Jupiter Research, predicts the number of spam messages that actually reach a typical inbox will remain roughly flat over the next three years. And for most people, that's what really matters. - from Spammers Giving Up? Google Thinks So (HA!). My own mail service provider effectively prevents me reporting spam by email, having figured out their optimim approach and concluding that the vast majority of users just want a minimum spam experience (and they can stay out of trouble with the Aus regulatory authority by the simple expedient of blocking and silently dropping anything that looks remotely like spam - inwards and outwards). I believe I trust them to know their own customers well enough for their assessment to accurate (if only they didn't lie about it). They've been doing it for months, to both private and corportate customers, without a "peep" of complaint in public - well, apart from me.

But good for you in carrying on the good fight. It certainly is worth doing though it takes knowledge to do it effectively, as you say.

[rooster]

Miss Betsy;

If enough end users demanded the use of blocklists that return email to the sender...

...am I reading you right? I've been labouring under the (mis?)perception that the "From" in my spam is forged/hijacked. Perhaps I need to re-educate myself on the mechanics of "bouncing".

[Miss Betsy]

Miss Betsy;

...am I reading you right? I've been labouring under the (mis?)perception that the "From" in my spam is forged/hijacked. Perhaps I need to re-educate myself on the mechanics of "bouncing".

There are two kinds of 'bounces' - the first is to reject at the server level that returns the email to the IP address from which it comes. the second is to accept the email and then determine that it is no good and return the email to the return-path (the From) which is usually forged by spammers. The second kind of 'bounce' - at one time was useful - you could send an email from one provider with the return-path being another and receive answers at another email address. I don't know all the ins and outs, but even spamcop, at one time, did not allow reporting of these bounces because they thought the use of this kind of bounce was valuable. As you know, it is no longer valuable - just as catchall is no longer valuable either because of what the spammer uses it for.

At the server level, however, email can be filtered using blocklists. Most server admins won't use rejection because there are too many 'false positives' and most end users do not understand that it is not 'their' email that is being rejected, but because the IP address has spam coming from it. That's why most responsible server admins have gone to blocking outgoing email except through a specific mail server and making sure that no spam goes through that server (IP address). And that's why Comcast customers can have so many zombies - the mail doesn't go through the Comcast email server and server admins whitelist the servers (punch holes, I think the term is, in the blocklist) so that their customers can always get email from their correspondents who use Comcast. All the rest of the Comcast owned IP range is blocked. Of course, if you don't use an email provider that blocks (or you are using your own server or you use after acceptance spam filters to tag the spam), you will get all the spam from Comcast zombies. I am sure I read once that a server admin left the computer that filtered his incoming spam, open for outgoing email, and that all the zombies on his network used that computer to send the spam. It didn't matter to him because that computer never /sent/ legitimate email so if it was permanently blocked by other server admins, it was ok.

My contention is that spam can only be stopped by the *sender* - the email service provider. The only way to force email service providers to stop zombies (or allowing spammers accounts to send spam) is to let legitimate email senders know when their email service is irresponsible. However, marketing does not want to lose any customers to a misunderstanding on the customer's part about why their email was rejected. Also, server admins can't seem to explain how email works to customers - they don't have anyone who can explain it in layman's terms. What they have done is to put 'junk' or 'spam' buttons so that end users can identify spam and use all kinds of content filters to reduce the amount of spam that reaches inboxes - which all have to be used after the email is accepted. Therefore any email that flunks the test, has to be dropped. Then nobody (either sender or recipient) knows that the email was sent, but not received.

It is a 'Big Nanny' approach. If end users (consumers) knew about blocklists, they would want providers to use them at the server level so that the legitimate *sender* would know that their email service provider had a problem. Glitches will always occur, but providers can stop spam quickly - and would do so, very quickly, if it were a customer complaining, rather than a non-customer (receiver/reporter). The beauty of spamcop is that the provider also gets a report so that they can fix the problem quickly - maybe before any blocklist lists them. However, other blocklists are more conservative and IP addresses that get on their lists are usually there because the provider hasn't fixed the problem - whether it is a spammer they allow or an open relay or zombie on their network. Then, if a legitimate *sender* gets a rejection based on those blocklists, they would soon find out that their provider is not reliable and leave. Those who have only one choice of internet provider, might have to buy webmail service like spamcop email service to be able to send email reliably.

The end result would be a network of reliable email providers where one would always know if an email didn't make it and next to no spam in inboxes.

Miss Betsy

[rconner]

Miss Betsy;

...am I reading you right? I've been labouring under the (mis?)perception that the "From" in my spam is forged/hijacked. Perhaps I need to re-educate myself on the mechanics of "bouncing".

Let's see whether I can confuse matters: When a mail host is offered incoming mail that is undeliverable (or unwanted, as with spam), it has two choices:

1. Reject it immediately, which forces the offering host to deal with the uncompleted delivery. I think this is what Miss Betsy means by "returning the mail to the IP address from which it comes." It isn't strictly returning the mail (since it hasn't even seen the message at that point), it is simply REJECTING it.
   
2. Accept the mail and pass it to a mail delivery agent, which then must decide whether or not to deliver it, and then send a "delayed bounce" if it does not.
   

In either case, SMTP suggests that the return-path address (which may be the same or different from the "from" address) must be notified with a bounce message.

If the mail is REJECTED, and the sending host is a spam proxy, then it will probably not generate any bounces. If the sending host is a bonafide mail host, it will attempt to deliver the bounce to the return-path.

If the mail is accepted but then found to be undeliverable or unwanted later on, the MDA in the receiving domain is supposed to send a delayed bounce back to the return-path. It can omit the bounce if it finds (using SPF for example) that the message may have been spoofed.

Many anti-spammers (including many in this forum) would prefer that ISPs be more proactive in rejecting obvious spam mail; however, not many ISPs do this (for a variety of reasons).

-- rick

[showker]

A SOLUTION THAT WOULD WORK

Many anti-spammers (including many in this forum) would prefer that ISPs be more proactive in rejecting obvious spam mail; however, not many ISPs do this (for a variety of reasons). -- rick

LOL.

Now think about that for a moment.

Back in 2000, we authored the "ISP Self-Regulatory Anti-spam Initiative"

It was based on several cold, hard, facts:

1) Legislation cannot do anything about spam and cybercrime,

2) Law enforcement cannot do anything about spam and cybercrime, and

3) Users cannot do anything about spam and cybercrime.

So it was an in-your-face logical deduction that the ONLY entity

who could actually do anything about spam is the Internet Industry

itself.

The initiative is simple:

The largest ISPs in the U.S. come together and share in the formation

of an internet task force. This would be composed of a half dozen

skilled internet sleuths who would work each day to gather the latest

spam, throw away the losers, and identify the spamvertised sites and

IP blocks of those most prolific or dangerous spammers.

This might cost a half-million a year, divided amongst such players as

AOL, MSN, EarthLink, Yahoo, Google, Comcast, Verizon. So, pocket

change.

As soon as the Task Force would validate an intruder, they would

enter the IP blocks into the "master" blocking list which feeds ALL

of the participating ISPs.

Since they would be blocking at root server level, those cyber crooks

and their spamvertised sites would INSTANTLY become invisible --

inaccessible to the entire constituency of that ISP. Presto!

Any ISP who did not sign in to the Initiative, and pony up their share

of the expense would run the risk of getting "turned off" in the event

spam emanated from their IP blocks -- at which THEY too would become

instantly invisible. ISPs who did not participate would also be denied

use of the Task Force and would continue to get spammed.

"Innocent" ISPs or Block owners who were dragged into oblivion by

virtue of hacks, zombies, etc., would be provided a recension method

where by they FIX the problem, join the Initiative, and get turned

back on. This includes turning over the tracking records for the

subscriber responsible for the criminal activities.

Any ISP to stupid, or too arrogant to participate, like www.Joker.com

would eventually become invisible to the greater population of the U.S.

Yes, Joker could continue spamming China and the other non-participants,

but they would no longer exist to people using the Initiative supported

ISPs. In fact, the spammers would not even know they're no longer

visible except revenue from the big ISPs would suddenly end.

People would not know the ISP was blocking it -- they would simply

see much, much less spam. They wouldn't get the spam, so it wouldn't

matter that they couldn't click on the link in the spam.

If they clicked on a link to the spam site, they would simply get:

"Domain cannot be found." or some such.

Game over. Problem solved.

Now, consider for a moment what would happen if AOL, MSN, EarthLink,

Yahoo, Google, Comcast, Verizon and some of the other million-plus

ISPs simply turned OFF all of ARIN. None of their users can even

access IPs located on ARIN.

None of their users can get to anyone using or hosted by those ISPs.

Suddenly you'd find a lot of otherwise questionable ISPs cleaning up

their act and disallowing spammers to use their systems.

Suddenly you'd see a lot of ISPs joining the Initiative.

The Initiative instrument was actually a lot more complete than this,

with legal, engineering and so forth, but you get the picture.

The honest people cut off the dishonest people so they're never seen again,

but the dishonest people can continue to spam each other all they want.

The unfortunate truth is, we gave up trying to sell the program after

getting nowhere with MSN or AOL. They simply didn't want to hear

about a solution to spam. Period.

:angry:

[Miss Betsy]

Yes, I think that you have summarized it. I don't know exactly how the server at the sending end decides how to direct a rejected email, but if it is /from/ there, there must be a way to determine which email account sent it - though I don't know if it is only the return path.

If an email is accepted, the mailhost is no longer 'supposed' to try to return it if it is undeliverable. I guess if there were some kind of filter, it still could be done. If it is undeliverable, it probably just gets dropped in reality - just as mistyped addresses no longer are sent to a catchall address and are just not accepted.

Some businesses don't want to reject any email, in case it is a sale. However, for the ordinary end user, the only reason server admins don't reject email is because they can't explain how email works to their clients, IMHO, and clients get upset when email is rejected. They don't get upset when it gets dropped because they don't know it has been dropped.

Miss Betsy

[rconner]

The largest ISPs in the U.S. come together and share in the formation

of an internet task force. This would be composed of a half dozen

skilled internet sleuths who would work each day to gather the latest

spam, throw away the losers, and identify the spamvertised sites and

IP blocks of those most prolific or dangerous spammers.

I suggest that, in effect, this is what many firms do when they hire outside spam filtering specialists (Brightmail, Ironport, etc.) to process their customers’ incoming mail. These filtering services detect spam threats in real time, and block or detain messages based on that information. No, this isn't a "task force," but it is a sort of collaboration among the ISPs (through their payments to these services).

As soon as the Task Force would validate an intruder, they would

enter the IP blocks into the "master" blocking list which feeds ALL

of the participating ISPs.

You are essentially describing DNS blocking lists, which are already in widespread use (pertinent example: the SpamCop blocking list or SCBL). There are maybe five or ten DNSBLs which are widely used across the industry, so perhaps these could be thought of as "master lists" in the sense you describe.

Since they would be blocking at root server level, those cyber crooks

and their spamvertised sites would INSTANTLY become invisible --

inaccessible to the entire constituency of that ISP. Presto!

Not sure I follow what you mean by "blocking at root server level." If you are saying that all traffic from Company X netspace should be blocked if Company X is found guilty of transmitting spam on any of those addresses, then phone your lawyers and tell them to expect a lawsuit from Company X.

On the other hand, reputable and mature DNSBLs have proven time and again their ability to detect and block specific IPs that are delivering spam mail. They do not (and don't have to) deal with entire blocks of addresses, many of which may be perfectly innocent.

The problem of "spamvertised sites" is a much more nebulous one, owing to the use of redirection (via HTTP, META, or scri_pt), reverse-web-proxy bots, crooked DNS, crooked registrars, etc. I could "ban" a spamvertised site right now, but the site would move to another IP address (or another dozen addresses) ten minutes from now, and could have a completely different domain name three days from now. Very hard to track and block this sort of activity. I know, I've tried it.

Any ISP to stupid, or too arrogant to participate, like www.Joker.com

would eventually become invisible to the greater population of the U.S.

I feel compelled to point out that as far as I know, Joker does not send spam. I don't recall ever having reported Joker as a spam source in the thousands upon thousands of reports I've made over the years. Joker is a domain registrar, one that famously serves and supports spammers. Many of us wish they wouldn't do so, but this is a business decision for them, and they take the position that they are not responsible for the uses to which their customers put the domains they set up, so long as those uses are not clearly illegal. Putting on my libertarian hat for a moment, I can see where they are coming from on this. There is no law anywhere, nor any language in their ICANN agreement, that would implicate Joker for selling a domain name to someone who wants to use it for a Canadian Pharmacy spam site or the like, as long as the registrant follows proper procedures and reports valid identifying data for the whois database.

Now, consider for a moment what would happen if AOL, MSN, EarthLink,

Yahoo, Google, Comcast, Verizon and some of the other million-plus

ISPs simply turned OFF all of ARIN.

Huh?? ARIN is the regional internet registry for the U.S. and Canada (and parts of the Caribbean). They are the mother of all IP blocks used in these countries. If one of these providers "turned off ARIN," ALL of their traffic would come to a complete and total halt. This would certainly stop spam, but it would be, well, a bit inconvenient otherwise.

-- rick

[rconner]

Yes, I think that you have summarized it. I don't know exactly how the server at the sending end decides how to direct a rejected email, but if it is /from/ there, there must be a way to determine which email account sent it - though I don't know if it is only the return path.

When a mail server accepts a relay, it essentially promises to deliver the message on to the next stage (usually an MX). If it cannot make this delivery promptly, it is required to give a bounce message explaining why. The reasons could include (1) the next-stage MTA refused to accept the mail, (2) it reports temporary inability to accept mail, or (3) it could not be reached at all.

This notion of the mail host being responsible for messages in its immediate possession is ingrained into SMTP and is the means by which we can have reasonable end-to-end delivery assurance on a system that is based on many asynchronous or "connectionless" relays (to use some protocol jargon).

A "real" mail host always knows who to send the bounces to -- the return path address. This is in fact the very definition of a return-path address -- the party who needs to be notified of delivery problems. SMTP didn't anticipate that people would be forging return-path addresses, so there is no provision for any kind of verification of this address. Technologies like SPF and DKIM seek to augment this behavior of SMTP by allowing return-paths and/or mail host IPs to be matched up to internet providers; they allow the mail host to omit sending bounces where these might be inappropriate or misdirected.

If an email is accepted, the mailhost is no longer 'supposed' to try to return it if it is undeliverable.

If by this you mean that the mail host is off the hook as soon as it completes its relay, then I agree. If I am your outgoing MTA, and you give me a message to send, and I manage to hand it off successfully to the recipient's MX host, then I am finished my job. I have passed on responsibility for the message to that MX, and I no longer need concern myself with it. If the MX has accepted the mail in error and finds that it cannot be delivered, it is the MX that must account for this by sending a bounce to you via the return-path.

Some businesses don't want to reject any email, in case it is a sale. However, for the ordinary end user, the only reason server admins don't reject email is because they can't explain how email works to their clients, IMHO, and clients get upset when email is rejected. They don't get upset when it gets dropped because they don't know it has been dropped.

Precisely. No one will complain (or even thank) their ISP for rejecting a spam, but let that ISP reject an important "real" message and then stand back to watch the fur fly. I think this is why most ISPs take the wimpier position of detaining spam (i.e., putting it in spam queues) rather than rejecting it outright.

-- rick

[Miss Betsy]

If by this you mean that the mail host is off the hook as soon as it completes its relay, then I agree. If I am your outgoing MTA, and you give me a message to send, and I manage to hand it off successfully to the recipient's MX host, then I am finished my job. I have passed on responsibility for the message to that MX, and I no longer need concern myself with it. If the MX has accepted the mail in error and finds that it cannot be delivered, it is the MX that must account for this by sending a bounce to you via the return-path.

I don't think so. Although the idea that email has to either deliver an email or send a 'bounce' is the ideal, because of spammers forging the return-path, it is no longer practical to accept an email and then return it to the sender - unless, of course, the receiving MX is certain that the return path is authentic. What happens now is that emails that can't be delivered are dropped. And that is true of email that is not deliverable because it didn't pass a spam content filter. Some ISPs do tag those emails to go to a junk or spam folder, but most simply drop them. That is the whole point of being able to report 'misdirected bounces' - that email that is not deliverable is NOT returned to the return path.

Not only that, but many service providers are also dropping outgoing email that doesn't pass a spam filter.

Miss Betsy

[showker]

Huh?? ARIN is the regional internet registry for the U.S. and Canada (and parts of the Caribbean).

Ooops! You are correct -- I meant to say APNIC.

But that was a little rash on my part -- they would never block in that fashion.

I suggest that, in effect, this is what many firms do when they hire outside spam filtering specialists (Brightmail, Ironport, etc.) to process their customers’ incoming mail.

You missed the point -- as do so many others.

It's not about the email at all. We've already established that "filtering" and "blocking" the sender of email spam is totally

ineffective and a total waste of the resources.

The "task force" would organize and implement a block on the IP address of the spamvertised web site -- if not the entire

spread of IP addresses owned by the particular ISP.

Note I also said the Task Force would weed out the most prolific and begin there.

FOR INSTANCE:

There is one spam cartel advertising "Megadik" using some 200 different domains as 'landing' pages for their ads. The owner of ALL of the domains (according to Whois, which is suspect) is supposedly in China.

Since November 15th the honeypots have received some 3,500 spams from this entity -- they've all been reported -- they're all on the various DNSBLs, but they continue to spam.

However the Task Force would investigate and discover that of all that spam, there is only TWO destinations. TWO. This is something NO filter or black list could figure out because it's the THIRD link found in the trail of links to the spammer's revenue source. I know, I've been tracking them.

This takes maybe five minutes. But a human has to do it. NOT a filter or DNSBL.

So they block the RANGE of IP addresses which are the ultimate targets of all that spam. That range of IP addresses is now invisible to the Initiative member's constituency. Game Over.

If you are saying that all traffic from Company X netspace should be blocked if Company X is found guilty of transmitting spam on any of those addresses, then phone your lawyers and tell

them to expect a lawsuit from Company X.

NOW YOU'RE TALKING !!!! You finally got it !!!

Having the owners of Megadik file a suit would be like a gift from heaven.

But consider, these cyber criminals aren't going to bring suit!

What are they going to say???

"Your honor, we're suing this Task Force because they're preventing us from distributing pornography (a violation of Title 18 of the Federal Code) and keeping us from making money by stealing people's identities!"

What's the Judge going to say???

(In reality, this is what ICANN should be doing, but they aren't. The Task Force could be set up like ICANN so they're "un-suable")

On the other hand, reputable and mature DNSBLs have proven time and again their ability to detect and block specific IPs that are delivering spam mail.

That may be correct in many cases. However - as these forums prove again and again, there are specific spammers IN these "mature DNSBLs" but the spammer continues to operate and spread their spam.

The problem of "spamvertised sites" is a much more nebulous one, owing to the use of redirection (via HTTP, META, or scri_pt), reverse-web-proxy bots, crooked DNS, crooked registrars, etc. I could "ban" a spamvertised site right now, but the site would move to another IP address (or another dozen addresses) ten minutes from now, and could have a completely different domain name three days from now.

Yup. You are correct. However in many, many of the worst and most prolific cases, ALL of the domains owned by the spammer funnel down to one or two specific outlaw ISPs providing nameserver or DNS services.

One specific case we've been tracking has ALL of their ecommerce destinations on ONE ISP, across ONE range of IPs. Knock those out and you've thwarted that spammer's revenue source until he can re-deploy. Once all his domains and web pages are made 'unavailable' he's got to rebuild on another.

Yes, it IS indeed a cat and mouse game. It may take months to get the attention of these rogue ISPs by killing blocks of their IP addresses. But once you've knocked out a sufficient number of their ranges, word will spread and they'll start to figure out that if they let the spammer back into their system, they're going to lose more of the "product" which they need to stay afloat.

That's why it's called the "Self-Regulatory Initiative"

ISPs MUST get over being lazy and money hungry to the point that they ignore their responsibility to the web community as a whole.

You have to understand that this is NOT about email spam. It's about turning OFF the IP blocks providing DNS for the spammer's "revenue"

I feel compelled to point out that as far as I know, Joker does not send spam. I don't recall ever having reported Joker as a spam source in the thousands upon thousands of reports I've made over the years. Joker is a domain registrar, one that famously serves and supports spammers.

Thank you. NOW you are coming to the point.

Why is it so difficult for the Net industry to see this??? You may have reported "thousands" of reports. But did you chase down the whole trail leading to the origin of the offenses?

There are tens of thousands of criminal domain operations either hosted by Joker, or on Joker's name servers.

It would take only ONE or maybe TWO episodes of JOKER getting blocked by the "Big Six" ISPs to finally get it through his thick skull that providing these services to criminals is 'eventually' going to be very unprofitable.

Besides, in the by-laws managing the Task Force, JOKER would have a method by which he could petition to get his IP ranges back. Will he do it just to protect his criminal constituency? We don't know.

Many of us wish they wouldn't do so, but this is a business decision for them, and they take the position that they are not responsible for the uses to which their customers put the domains they set up, so long as those uses are not clearly illegal.

C'mon man. Surely you've evolved beyond that -- if you've chased as much cybercrime as you claim to !

That's why there's spam in the first place. No one has any teeth, and everyone is afraid to stand up for what is right. "Political Correctness"

Sure, many of us "wish" they wouldn't fly planes into buildings or set of bombs in subways too.

There is no law anywhere, nor any language in their ICANN agreement, that would implicate Joker for selling a domain name to someone who wants to use it for a Canadian Pharmacy spam site or the like, as long as the registrant follows proper procedures and reports valid identifying data for the whois database.

That is correct.

YOU'VE NAILED THE MAIN PROBLEM

How many of Joker registered domains have correct Whois ? Why isn't ICANN policing THEIR OWN regulations?

We call and track spammer domain owners via physical means. We have YET to find a Joker registered hosted domain that

has accurate Whois information. In fact, it looks very suspicious. As if Joker is paying ICANN to look the other way.

If Joker is providing DNS and Nameserver services in the commission of a felony, then they are in part aiding and abetting.

Get those DNS ranges blocked by the "Big Six" and you quickly get Joker's attention. But what's he going to say?

In the case of the Canadian Pharmacy, Joker may be innocent -- this will be proven by the Task Force who validates where the Canadian Pharmacy is physically hosted. THOSE are the IP targets, NOT the registrar.

If you own a mall, and a criminal sets up shop IN the mall, then the mall organization has some responsibility. If the business starts at the mall, but them moves to another location to begin the criminal activities, the mall is no longer implicated.

But this conversation is simple reinforcement that the ENTIRE Internet industry needs an overhaul. ICANN needs to be

disolved and a REAL regulatory entity put in its place. There should be NO domain kiting. There should be NO rogue registrars.

Kill those two practices, and you've killed 90% of the spam. Period. The other 10% would then be managable with your

outdated filters and black holes.

C'mon... if we were fighting this war on the streets of our neighborhoods, I'll bet you wouldn't be so nice to the enemy. Why are we tollerating him on the internet.

:angry:

[rooster]

Miss Betsy;

Thanks for updating my wet(brain) ware.

I assume the cognoscente following this thread know what you meant by the following quote, but for dilettantes like me you might want to do a minor edit/clarification... unless I am completely misunderstanding you. Who would have been reporting these 'valuable' bounces, the one receiving the original email being bounced or the sender receiving the bounce?

I don't know all the ins and outs, but even spamcop, at one time, did not allow reporting of these bounces because they thought the use of this kind of bounce was valuable. As you know, it is no longer valuable - just as catchall is no longer valuable either because of what the spammer uses it for.

rconnor:

That's pretty much the way I understood the "bounce'-MTA/MUR response options and objectives. So, by association, your proviso is probably justified; --you must be confused and should seek professional help ASAP.

Has anyone gathered stats to monitor the effect over time when an ISPs 'drops' mail at the server level for "From:" addies on the SC Blocklist? How would these results compare to results of a protocol that involves an "undelivered/undeliverable" return message, and how would this message be coded? The reason I'm interested in this is that somewhere in the back of my mind I seem to remember reading about some ISP getting DDoS'd by irritated spammers.

It might better belong in a thread of its own, but one small wrinkle I just noticed on my system vis. an 'end-user' blocklist, derives from some spammer(s) forging "Return Path" addresses that are actually in my Icedove/TBird Message Fitler (File to:) Whitelist. e.g., [at]washingtonpost.com and [at]lists.pyropus.ca.

I puzzled over these, wondering if someone at the Washington post had forgot to lock down a server, or if one of their servers had got 'botted' ; or something.... but I didn't think 'getmail' (.pyropus.ca) would ever allow such a lapse. Regrettably, I was away the week these came in, so I didn't submit them and can't provide a SC tracking URL [Note: I don't use getmail. I'm just on their ng mailing list]

[Miss Betsy]

Not sure I follow what you mean by "blocking at root server level." If you are saying that all traffic from Company X netspace should be blocked if Company X is found guilty of transmitting spam on any of those addresses, then phone your lawyers and tell them to expect a lawsuit from Company X.

I think it has been pretty well established that 'my server, my rules' - Company X cannot win a suit based another company's decision to block email from their IP addresses.

Miss Betsy

[Miss Betsy]

Miss Betsy;I assume the cognoscente following this thread know what you meant by the following quote, but for dilettantes like me you might want to do a minor edit/clarification... unless I am completely misunderstanding you. Who would have been reporting these 'valuable' bounces, the one receiving the original email being bounced or the sender receiving the bounce?

At one time, it was considered 'best practice' to accept email and, if it was termed undeliverable, send an email to the return path saying it was undeliverable. I think you described the reasons and the practice.

At one time, after spammers discovered that forging the return path was a good idea for them, people were getting many of these 'best practice' emails that were spam, and they argued in the spamcop newsgroup that these 'secondhand spam' should be reportable through spamcop. I don't remember who, but, at least one 'official' spamcop person said that reporting what are now called 'misdirected bounces' would be too disruptive to normal email traffic. However, as the flood grew, not only spamcop, but AOL and others, decided that the benefits of notifying the sender that the email had not been delivered were not justified in the face of the increase of 'secondhand spam' or misdirected bounces or spam with forged return addresses. Spamcop allowed them to be reported to the people who were sending the misdirected bounce so that they could see that primarily what they were doing is delivering via these emails to the return path was spam which had not come from the return path. AOL listened to the complaints and stopped accepting email and then sending a non-delivery message. I don't what they do instead - whether they drop it or try to determine if it comes from a legitimate return path or look at it for good addresses before they accept it.

It is now NOT 'best practice' to accept email and then send an email to advise of non-delivery.

The 'reporter' is the one receiving the email to the forged return path advising of non-delivery sent by the network that received it . The 'sender' of the non-deliverable email is the spammer who has made up an address hoping to find a victim. Once his email has been accepted and determined to be non-deliverable, the only way to find out who really sent it, is to look at the headers since the return path is forged. Any non-deliverable message to the return path is sent to a completely innocent person whose email was forged by the spammer.

Has anyone gathered stats to monitor the effect over time when an ISPs 'drops' mail at the server level for "From:" addies on the SC Blocklist?

There are no "From:" addies on the SC Blocklist; there are only IP addresses.

How would these results compare to results of a protocol that involves an "undelivered/undeliverable" return message, and how would this message be coded? The reason I'm interested in this is that somewhere in the back of my mind I seem to remember reading about some ISP getting DDoS'd by irritated spammers.

DDoS attacks have directed against anti-spammers such as Spamcop, but not lately. Individual reporters were attacked in the beginning. However, there is no point for spammers to attack anti-spam organizations or reporters - everybody, probably even including the spammers, use filters (either DNSBLs or content filters) to eliminate spam before it enters the inbox.

Email that is rejected at the server level is coded - it has to be because everything at this point is 'code' so to speak. The email is returned to the sending server and then decoded.

There is a whole series of codes describing why email is returned - most of which are not translated to the text that the end user sees.

It might better belong in a thread of its own, but one small wrinkle I just noticed on my system vis. an 'end-user' blocklist, derives from some spammer(s) forging "Return Path" addresses that are actually in my Icedove/TBird Message Fitler (File to:) Whitelist. e.g., [at]washingtonpost.com and [at]lists.pyropus.ca.

I puzzled over these, wondering if someone at the Washington post had forgot to lock down a server, or if one of their servers had got 'botted' ; or something.... but I didn't think 'getmail' (.pyropus.ca) would ever allow such a lapse. Regrettably, I was away the week these came in, so I didn't submit them and can't provide a SC tracking URL [Note: I don't use getmail. I'm just on their ng mailing list]

If you had been able to run them through the sc parser, you would have found that the IP addresses from which the spam came had nothing whatsoever to do with the IP addresses of either the washington post or pyropus.

And, IMHO, is a good illustration of why 'end-user' blocklists are not very useful.

Miss Betsy

[Miss Betsy]

How many of Joker registered domains have correct Whois ?

Why isn't ICANN policing THEIR OWN regulations?

Complaineator - in the tools section of this forum - agrees with you. Make ICANN police their own regulations.

If Joker is providing DNS and Nameserver services in the

commission of a felony, then they are in part aiding and abetting.

That might be difficult to show. Are newspapers and magazines liable for ads that are placed by scammers? The Post Office is not liable for snail mail that contains a scam.

<snip>

If you own a mall, and a criminal sets up shop IN the mall,

then the mall organization has some responsibility. If the business

starts at the mall, but them moves to another location to begin

the criminal activities, the mall is no longer implicated.

I don't think it does. It obviously will hurt the other businesses in the mall and eventually the mall owner will have a different clientele and those are the reasons that a mall owner might institute rules and regulations, but legally, I don't think the mall owner has any liability if one of his customers turns out to be running a scam.

But, I agree with you - that if the major players on the internet were really interested in getting rid of spam, it could be done very easily through cooperation. However, they are all competitors.

Miss Betsy