My Domain is being spoofed


uwecboi21

Hello,

I have a domain that is being used by a spammer to send out literally thousands of emails each day. I know this based on the number of bounces I receive in my catch-all box (100+/hour).

I have tried configuring a VERY restrictive SPF record for this domain. That SPF record has been in place for around 6 months. There has been no discernible change in the spammer's activities.

I haven't used this domain to send or receive emails for years (I've owned it since 1997). Anything that goes to any box at this domain is either bounces or spam emails. I have yet to see a single legit email sent to this domain since I've actively monitored this domain.

The spammer is a "Pharmacy" spammer. All the bounces have to do with pharmacies. It is probably just one spammer using this domain.

Is there anything useful I can do with spamcop and these bounced messages more-or-less automatically? Most bounces come back with complete headers and the original message. It occurs to me that the information in those headers would lead to open relays and servers that the spammer uses.

My ultimate objective is to identify this spammer. I would be just as happy if I could cut off his resources, making it increasingly difficult for him to profit from this spam.

Dale


This has nothing to do with a SpamCop.net e-mail account.

I'm not even sure that a SpamCop.net Reporting account is even in use.

Therefore, this is being moved to the Lounge with this post.

The initial 'answer' would be a pointer to the SpamCop FAQ here, one entry being "Why am I getting all these Bounces?" ... and moving on from there ....


You would be wasting your time (unless you have unlimited time and monetary resources) trying to 'hurt' the spammer (there is a whole thread about Pharmacy spam and the pharmacy spammer here if you search for it)

However, if you want to report the bounces (not the spam within the bounces) via spamcop, it will alert whatever server admins there are who don't know that it is just as irritating to get hundreds of bounces as it is to get spam and they might stop bouncing the spam to you. Then the spam will go to the bit bucket which doesn't hurt the spammer much, but at least it is not bothering you.

As Wazoo said, there is a lot more information under 'Why Am I getting all these bounces' and misdirected bounces in the FAQ and wiki.

Miss Betsy


I did manage to find out more information about this issue elsewhere.

After looking at the FAQ, I am a little surprised there isn't more preventive information available here.

But, no matter. I've found a strategy others have used.

Dale


I did manage to find out more information about this issue elsewhere.

After looking at the FAQ, I am a little surprised there isn't more preventive information available here.

That's a rough statement there ... a number of FAQ entries I've written up get hammered because they are "too technical" .... other entries point to 'discussions' where the item is addressed from several viewpoints, other data offered, etc., yet folks complain because there's too much to read and that there's not a 'simple' answer provided. Now, here's a statement that by looking at 'something' .. there's not enough data provided. Yet, "the answer" was found elsewhere .. though nothing provided 'here' as to what you have decided 'your answer' might have been.

Once again, a 'complaint' about the FAQ offered, but no 'solution' offered as to "how to fix" anything ... or help to the next person in the same situation.


After looking at the FAQ, I am a little surprised there isn't more preventive information available here.

Sticking up for Wazoo...

Not sure what you mean by "preventive information" so I can't figure out what may have been missing from the FAQ etc.

I'm sorry that the e-mail system is so difficult to understand and so leaky, but we didn't invent it here. We are just watching it admiringly (grin) from the sidelines. Doubtless we could invent a better e-mail system knowing what we do now, but this is a bit like saying "I know a better way to fight the Iraq war, let's dig up Saddam and start over again." The best we can do is to provide whatever info we come up with in the best way we can so that others may be able to use it. We are private individuals like you, doing all this geekly stuff on our "free" time.

Forgery of innocent addresses and domains (HELOs) into spam messages is a very well-known problem that has been around for a very long time, and won't be fixed anytime soon, and certainly not by a bunch of SpamCop users running a wiki and a board. You cannot stop spammers from forging this information unless you catch them at the keyboard and can cut their hands off. You can't force mail exchanger hosts to check the bona fides of the from-addresses in every incoming e-mail message they handle (particularly since the from-addresses technically may not even be part of the SMTP header to begin with). SPF won't fix the problem, because not enough mail services are using it (either on the "supply side" or the "demand side") to provide a "critical mass" of protection.

Thanks for your attention, however, and I wish you success...

-- rick


I don't know much about web site administration, but I bet that he found out that turning off the catch all would eliminate him getting the bounces. That would be preventative.

The OP didn't ask how to administer a website to prevent spam. He wanted to find the spammer and cut off his hands - something that most people around here may dream of, but in reality, want to preserve the freedom of the internet while retaining the utility of email. And that means that one blocks those who do not use the freedom of the internet considerately. That is preventative, but not practical for him since he doesn't use the email function.

And, even though, we try to educate the 'newbie' the reporting service is really for those who know some technical basics. Most of the simple instruction of how email works is aimed at end users, not people who are operating servers or websites. Perhaps someone who knows about domain administration should write a tutorial on how to set up and use a server and how to administer email for those who have domains that are not commercial. Most of the FAQ for server admins assume that they know the very basics.

And he apparently was not interested in teaching other server admins not to use misdirected bounces by sending spamcop reports - that is also preventative, not only for the reporter, but other users.

Miss Betsy


Perhaps someone who knows about domain administration should write a tutorial on how to set up and use a server and how to administer email for those who have domains that are not commercial.

"A" tutorial is a bit of an impossibility .... Operating System, actual mail software, add in security issues, firewalls, multiple servers to handle high-volume, on and on .... put another way, one of the most famous e-mail handbooks ...The Bat (based on the cover design) is showing as in its third edition, at only 1232 pages .. and it only addresses one tool .... see Sendmail, Third Edition ... scroll on down that page and note the "... also bought ...." section ... and there's even more 'suggested' below that listing ....

also noting that SendMail has been replaced by other new, improved tools on a lot of systems around the world .... There are ton-loads of tutorials out there on installing it, but ... very few of them 'simple' .. on the other hand, some of the 'simple' ones also result in a server that is soon to be hijacked, with a vengeance <g>

O'Reilly 'email' search results ... 1620 total results.


One thing that techies tend to forget is that not everybody needs to know about all the possibilities.

There are several things that 'need' to be done to make something secure. For instance, the relays need to be turned off. To say, "check that relays are turned off" is good enough. They would have to find out from their documentation, how to do that. If they can't find it, then they could ask. That's when you would have to know the operating system, etc.

In fact, rather than a tutorial, perhaps a checklist of security measures would be better - including turning off the catchall account.

Miss Betsy


In fact, rather than a tutorial, perhaps a checklist of security measures would be better - including turning off the catchall account.

A long time ago, the alpha geek in our office sternly counseled me to make sure that my small server was secured. I asked him how to do this, whereupon he winced, because this is an open ended question (i.e., you can never stop doing things to make something more secure). A checklist is a good idea, though. I will pass along the little that I know, which applies mainly to Unix systems.

The most obvious general items on the checklist would probably be things like:

  1. Turn off any internet daemons (that's "services" for Windows folks) that are not required, since they otherwise represent a possible means of attack. When you port-scan your system from outside, it should not answer on any ports that aren't strictly required. If you are not running a web server, for example, you should shut down the web server daemon.
  2. Be sure that trivial FTP (TFTP) and anonymous FTP are turned off, as well as any other services that allow outsiders to send large amounts of data to your machine. Buffer overruns in FTP are a perennial way to crack system security.
  3. Make sure all your passwords (and all your users' passwords) are not trivial. There are ways for admins to require users to pick non-trivial passwords, and even to force them to change the passwords at intervals.
  4. Only give users (including yourself) the minimum access required for them to do their jobs. Include yourself in this, and you will be glad you did the next time you accidentally do a "rm -rf" or a "delete c:\*.*" (don't laugh, it happens).
  5. Consider restricting access to root logins from outside (i.e., from the public network). Some Linux distributions do this, I think. Anyone who needs root access from outside should be made to log on first as a user, then to "su" to root. This way, they need to have two user names and two passwords to become root.
  6. On some systems, the root login is eliminated completely in favor of "wheel" login (where only bona-fide members of the "wheel" group are allowed to become root, and only by logging on first as a user and then using the "su" command). On my Mac OS machines (which are based on BSD Unix), the root account has direct login completely disabled, even for "su"; the only way you can perform root-only tasks is to use the "sudo" command, which generally puts a time limit on such access.
  7. Turn on as much logging as you can, particularly for outside access to secure services like telnet, ssh, ftp, etc. If you are paranoid, you can even set up tasks that will send you e-mail notifications if strange things appear in the log (I did this once in the midst of a cracker attack). Then, spend some time every week or so reading your logs to see what kinds of things are happening.
  8. Keep the critical internet services patched and up to date, but read the release notes before patching and exercise some judgement as to whether or not you should apply them.
  9. Read the security news at places like CERT (http://www.cert.org/) and look for items that may apply to your system. I used to make a habit of this when I was running my public server.

As far as mail-specific services go, I can't offer much since I never played much with them. Sendmail's configuration stuff looks very arcane to me. Yet this is probably worth the study, since it allows you to do things like:

  1. Stopping relaying by prohibiting outsiders from leaving mail for outsiders.
  2. Restricting use of outgoing mail hosts to only users in your domain.
  3. Requiring authentication (username/password etc.) for outside users who want to leave mail on a mail host for transmission.
  4. Setting up SPF records to tell other servers which hosts from your domain are authorized to transmit outgoing mail via SMTP.
  5. Setting up to check other domains' SPF records when you are offered mail from them, and rejecting the mail if it does not come from servers on the policy list.
  6. Setting up other outside DNS block lists (like SCBL) to allow you to reject mail from untrustworthy IP addresses.
  7. Requiring mail hosts wishing to leave mail to present at least what look like bona-fide credentials (HELOs, MAIL FROMs, etc.) even if you do not actually try to trace them on the network.
  8. Rejecting mail immediately via SMTP status code if it cannot be delivered (e.g., no such user, quota full), instead of punting to an MDA, which will have to send a "backscatter" bounce.
  9. Turning off "catchall" addresses so as to reject mail that is not addressed to an actual user account.

If you run a mail delivery agent (MDA) for user mail pickup, you can also make other settings here to deal with mail after your mail exchanger has received it. For example, I think that this is primarily where people set up their SpamAssassin procedures.

Obviously, and in connection with rule #1 in my first list, you should not set up an MX (receiving mail host) or MTA (mail relayer) if you do not need mail transfer service on the machine; i.e., use mail service provided by others (hopefully more secure). Don't set up an MTA "just because it would be nice" (as I did early on, thank God it didn't get humped by spammers). You also don't need to set up an MDA for mail pickup (Procmail, Qpop, etc.) if you have no mail coming into these machines.

The bottom line to all this is probably not to let anyone do anything more with your machine than they need to do, or than which you are capable of managing (whichever is the more restrictive).

I'm not a doctor, I don't play one on TV, reader beware, etc.

-- rick


That's a rough statement there ... a number of FAQ entries I've written up get hammered because they are "too technical" .... other entries point to 'discussions' where the item is addressed from several viewpoints, other data offered, etc., yet folks complain because there's too much to read and that there's not a 'simple' answer provided. Now, here's a statement that by looking at 'something' .. there's not enough data provided. Yet, "the answer" was found elsewhere .. though nothing provided 'here' as to what you have decided 'your answer' might have been.

Once again, a 'complaint' about the FAQ offered, but no 'solution' offered as to "how to fix" anything ... or help to the next person in the same situation.

I think you may have misunderstood my reply. My point is that, after reading the FAQ, SpamCop may not be the right place to go for my situation. I'll also add that I was disappointed.

The fact that a spammer is abusing my domain seems to be of little concern here. I thought the fact that the spammer has created what can only be described as a golden opportunity to thwart their spam by quickly identifying their relays and URIs - virtually in real time - would be of some interest.

As it turns out, there are some isolated people who have written about their experiences on this subject but I am understandably reluctant (after the bluefrog incident) to direct anyone to a personal blog.

If you were hurt by what I wrote, I hope this clears it up.


Sticking up for Wazoo...

Not sure what you mean by "preventive information" so I can't figure out what may have been missing from the FAQ etc.

The fact is, preventing forging of from: addresses is an important step in preventing spam. There are several options including SPF, DomainKeys/DKIM etc. that make it harder for spammers to forge addresses. I could not find any information or even a link to this kind of information here.

I'm sorry that the e-mail system is so difficult to understand and so leaky, but we didn't invent it here. We are just watching it admiringly (grin) from the sidelines. Doubtless we could invent a better e-mail system knowing what we do now, but this is a bit like saying "I know a better way to fight the Iraq war, let's dig up Saddam and start over again." The best we can do is to provide whatever info we come up with in the best way we can so that others may be able to use it. We are private individuals like you, doing all this geekly stuff on our "free" time.

I'm not suggesting we start over. I was simply looking for information on how to use what we have and not reinvent anything.

Forgery of innocent addresses and domains (HELOs) into spam messages is a very well-known problem that has been around for a very long time, and won't be fixed anytime soon, and certainly not by a bunch of SpamCop users running a wiki and a board. You cannot stop spammers from forging this information unless you catch them at the keyboard and can cut their hands off. You can't force mail exchanger hosts to check the bona fides of the from-addresses in every incoming e-mail message they handle (particularly since the from-addresses technically may not even be part of the SMTP header to begin with). SPF won't fix the problem, because not enough mail services are using it (either on the "supply side" or the "demand side") to provide a "critical mass" of protection.

SPF and DomainKeys are two technologies that merit mention here. Both are serious efforts to identify forgeries at the gate. If a forgery is found, the recipient need never see the email. While I'm *not* suggesting these are perfect solutions, they are certainly less-imperfect than doing nothing. As a resource to combat spam, they deserve at least mention here, particularly since reporting here can and does affect innocent domain owners (on occasion).

Thanks for your attention, however, and I wish you success...

And thanks for yours. Spammers abuse us all and it is a real shame when people who should be allies end up fighting amongst each other.

That said, I still think it would be nice if there was better information available to the spammer domain victims in the FAQ, including, perhaps links (not howtos or tutorials - links would suffice).

If this information is already available in the FAQ's and I simply missed it, my apologies.

One thing that techies tend to forget is that not everybody needs to know about all the possibilities.

There are several things that 'need' to be done to make something secure. For instance, the relays need to be turned off. To say, "check that relays are turned off" is good enough. They would have to find out from their documentation, how to do that. If they can't find it, then they could ask. That's when you would have to know the operating system, etc.

In fact, rather than a tutorial, perhaps a checklist of security measures would be better - including turning off the catchall account.

Miss Betsy

Thanks for the thoughtful response, Betsy. As it turns out, I don't have any relays at all. My email for this domain is managed by Google and, for the last few years, is incoming only (and exclusively spam).

I think a checklist would be a great idea for domain owners. As a domain owner, I can tell you that we often get it from both sides. Not only are our domains abused by spammers but then we also get it from people and organizations that are the recipients of this spam. Talk about the worst-case scenario.

The only thing I like about the occasional use of a catchall is that you can tell when a spammer is abusing your domain and for what. I know common thought is that they are bad but I did not have a catchall for years (since 2001/2002 sometime) and, when I have turned it on, I'm immediately swamped with spam and bounces. Having it off did nothing for me.

Again, thanks for your reply.


"A" tutorial is a bit of an impossibility .... Operating System, actual mail software, add in security issues, firewalls, multiple servers to handle high-volume, on and on .... put another way, one of the most famous e-mail handbooks ...The Bat (based on the cover design) is showing as in its third edition, at only 1232 pages .. and it only addresses one tool .... see Sendmail, Third Edition ... scroll on down that page and note the "... also bought ...." section ... and there's even more 'suggested' below that listing ....

also noting that SendMail has been replaced by other new, improved tools on a lot of systems around the world .... There are ton-loads of tutorials out there on installing it, but ... very few of them 'simple' .. on the other hand, some of the 'simple' ones also result in a server that is soon to be hijacked, with a vengeance <g>

O'Reilly 'email' search results ... 1620 total results.

I wouldn't suggest a tutorial here and I'm not having relay issues. Most tutorials on setting up your own server cover open relay issues these days.

As a domain owner who is interested in thwarting spammers from abusing their domains and, at the same time, other people, there are several things you should do. A few of them have nothing at all to do with the email server. For instance, as I've said before, SPF and DomainKeys/DKIM. I'd be surprised if SpamCop does not already know about and use these to filter email (Actually, I don't know. Does SpamCop filter using SPF or DomainKeys/DKIM?)

As experts in spam, I would expect that, even if the average lay-person does not, SpamCop and some of the more technical people who visit here would know about resources that would help domain owners who are also abused by spammers.


I wouldn't suggest a tutorial here and I'm not having relay issues. Most tutorials on setting up your own server cover open relay issues these days.

As a domain owner who is interested in thwarting spammers from abusing their domains and, at the same time, other people, there are several things you should do. A few of them have nothing at all to do with the email server. For instance, as I've said before, SPF and DomainKeys/DKIM. I'd be surprised if SpamCop does not already know about and use these to filter email (Actually, I don't know. Does SpamCop filter using SPF or DomainKeys/DKIM?)

As experts in spam, I would expect that, even if the average lay-person does not, SpamCop and some of the more technical people who visit here would know about resources that would help domain owners who are also abused by spammers.

Let me amend my postings to reflect that I did find a reference to SPF and DomainKeys in the FAQ. In answer to the following:

"Q: Is there any way to mitigate the problem without entirely disabling auto-responses?"

It included links to both technologies. Of course, their usefulness is not limited to auto-responses. Also, it appears that SpamCop does use these technologies already when filtering email.

Google search produced some links to forum messages containing both terms. A search using the built-in search engine provided no results.


Let me amend my postings to reflect that I did find a reference to SPF and DomainKeys in the FAQ. In answer to the following:

"Q: Is there any way to mitigate the problem without entirely disabling auto-responses?"

It included links to both technologies. Of course, their usefulness is not limited to auto-responses. Also, it appears that SpamCop does use these technologies already when filtering email.

Google search produced some links to forum messages containing both terms. A search using the built-in search engine provided no results.

The built-in search item has limitations based on the use of PHP and MySQL .. the most obvious being that words must be four or more characters .. so an attempted search for SPF will fail .... this is why there was another search tool/option placed at the top of the screen, which also offers options as to just 'where' to search ... this is still not the greatest solution, nor is it finished .. as has been noted many, many times, there is a slight issue in that there is no "one" place yet for all data. The "official" web-page, FAQ, Help, whatever has been complained about for years, leading to all the other alternatives I've tried to come up with ... some worked, some didn't, some are still a work-in-progress ...

Please see Where To Get Help

SPF has come up a lot .. it is not "the" solution for a number of reasons, the major one being that it 'breaks' Forwarding ... which in the case of a SpamCop.net e-mail account, can be a real issue, as e-mail can be Forwarded to/from that account. But the actual issue is that SPF and/or DomainKeys is still of no value if the receiving system doesn't check or use that data in the first place .. and this leads us back to that neither tool "prevents" anyone from forging "your" data into their outgoing e-mail ....

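Several posts above talk about publishing SPF records, checking other domains' SPF, rejecting during the SMTP transaction instead of bouncing, and SPF 'breaking' forwarding, without showing how an SPF check is actually evaluated. The following is an added example, not code from this thread, from SpamCop or from any of the posters: a small SPF evaluator over a constructed in-memory zone (every domain name and address in it is made up) that shows why a `v=spf1 -all` record on a domain that never sends mail makes every forgery in its name fail, and why a plainly forwarded message fails at its final hop.

```python
"""Minimal SPF evaluator (subset of RFC 7208) with an injected resolver.
Added example: the zone below is constructed and stands in for DNS TXT lookups,
so nothing touches the network; domains and addresses are made up."""
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # domain -> SPF TXT record, or None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, resolve: Resolver, depth: int = 0) -> str:
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`.
    Handles ip4/ip6/all/include and redirect=; a/mx/ptr/exists need real DNS."""
    if depth > 10:                      # RFC 7208 limit on nested lookups
        return "permerror"
    record = resolve(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                 # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value        # applied only if nothing else matches
            continue                    # exp= and unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # `in` is simply False when address and network families differ
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, resolve, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):   # included domain has no usable record
                return "permerror"
        else:
            return "permerror"          # a, mx, ptr, exists: not implemented offline
    if redirect is not None:
        return check_host(ip, redirect, resolve, depth + 1)
    return "neutral"


def smtp_action(result: str) -> tuple:
    """What the receiving MTA does with the result during the SMTP transaction.
    Rejecting here means no bounce is ever generated toward the forged address."""
    if result == "fail":
        return ("reject", "550 5.7.1 SPF check failed for MAIL FROM domain")
    if result == "pass":
        return ("accept", "")
    if result in ("softfail", "neutral", "none"):
        return ("accept", "mark for content filtering")
    return ("reject", "550 5.5.2 malformed SPF record")   # permerror: local policy


# Constructed zone standing in for DNS TXT records of made-up domains.
ZONE = {
    # A domain that never sends mail, like the OP's: nothing is authorised,
    # so every forged MAIL FROM in its name evaluates to fail.
    "parked.example": "v=spf1 -all",
    # A sending domain that authorises its own range plus a mail provider.
    "shop.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.10 -all",
    "alias.example": "v=spf1 redirect=shop.example",
}


def resolve(domain: str) -> Optional[str]:
    return ZONE.get(domain.lower())


def forwarding_scenario() -> dict:
    """shop.example -> forwarder -> final mailbox, MAIL FROM left unchanged.
    The forwarder's IP is not in shop.example's record, so plain forwarding
    turns a legitimate message into an SPF fail at the final hop."""
    return {
        "first_hop": check_host("198.51.100.7", "shop.example", resolve),
        "forwarded_hop": check_host("192.0.2.200", "shop.example", resolve),
        # a spam relay forging the never-sending domain
        "forged_parked": check_host("192.0.2.55", "parked.example", resolve),
    }
```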

As experts in spam, I would expect that, even if the average lay-person does not, SpamCop and some of the more technical people who visit here would know about resources that would help domain owners who are also abused by spammers.

Well, sorry again, take this slip to the cashier for a cheerful refund :P

Seriously, though, what may be at work here are differing perspectives. Many of the techniques or objectives that you (as a domain operator) find important barely show up on my radar (as an end-user of e-mail). The reverse is almost certainly true.

For example, as an end-user, I do not benefit at all from SPF since my ISP does not bother to query the SPF records that you (and others) provide. Perhaps they should do this, and perhaps they will someday, but for me right now SPF is just another TLA. Likewise, I can't get very excited about detecting forged from-addresses, since it is of only academic or forensic interest to me:

  • My ISP does not reject messages with forged from-addresses, and I can't "unreceive" such a message that it forwards to me.
  • I know personally that the from-address is very easy to forge. Since the from-address is not trustworthy, it is not useful to deal with it in a spam complaint to a provider. Therefore the from-addresses used in spam do not even merit a glance from me.

There are other boards here where you might find other points of view, or information possibly of more use to you. Also, I can make the age-old suggestion that if you find gaps in the information here, why not help us fill them (such as by collaborating with the SpamCop Wiki)? You'll learn, we'll learn, everybody comes out ahead.

-- rick


<snip>As experts in spam, I would expect that, even if the average lay-person does not, SpamCop and some of the more technical people who visit here would know about resources that would help domain owners who are also abused by spammers.

Spamcop is a spam reporting system and a spam IP blocklist. The spamcop email service employs both services.

Although some users may be domain owners (who both report spam and use the blocklist), most users (or people interested in spamcop) are either end users or mail server admins.

End users either use the spamcop email service or Mailwasher (or some other filtering program that can use blocklists) or just report because, like people who pick up litter, they feel as though they are contributing to the common good. Mail server admins use the spamcop blocklist to protect their users from spam.

Few domain owners control their own mail servers, I believe. They usually share them with others.

That's why you don't find much information for the domain owner here. How spam works, what can be done to prevent it going through a server (or how to keep off spam blocklists), how you can filter are the main topics (and also, for some, how you can attack the spammer - not generally recommended by all).

Though, if you want to stick around, and ask questions or help others, there certainly might be more domain owners who would frequent this forum. There is nothing like learning how the other side of the fence sees things for learning!

Miss Betsy


SPF has come up a lot .. it is not "the" solution for a number of reasons, the major one being that it 'breaks' Forwarding ... which in the case of a SpamCop.net e-mail account, can be a real issue, as e-mail can be Forwarded to/from that account. But the actual issue is that SPF and/or DomainKeys is still of no value if the receiving system doesn't check or use that data in the first place .. and this leads us back to that neither tool "prevents" anyone from forging "your" data into their outgoing e-mail ....

As I said, while not a cure-all, less-imperfect than doing nothing. After all, if I'm not mistaken, most spam-filtering tools available today can check for SPF and/or DKIM/DomainKeys. Even though they are still emerging technologies, they already have a place at the table on par with RBL/reporting and filtering.

That said, the argument becomes circular:

They aren't effective because not everyone uses them -> We don't recommend them because they aren't effective -> Not everyone uses them because they are not recommended -> They aren't effective because not everyone uses them.

The irony is that, although spammers' tactics evolve, anti-spam tactics stay relatively static. I would argue that, at its inception, RBL had, as you say, "no value if the receiving system doesn't check or use the data in the first place". And they weren't widely used - initially. Yet now we see it as the primary tool in combating spam. The same could be said of content-filtering of spam.

Even after all these years, not every server uses RBL and/or content-filtering. Even after all these years there are still thousands of open relays and, again, as spammers evolve, zombies. So, even after a considerable amount of time, the old-tried-and-true methods of combatting spam still fall short.

It reminds me of when my mother died of cancer. We wanted a cure but all the doctors could offer was a treatment.

RBL lists and filtering are a treatment for spam. DomainKeys is closer to the cure - that is, if we could assure that every email sent to us came from a verified source, we would filter based upon the reputation of that source. Sources that spam could quickly and easily be identified and completely filtered out.

In summary, given the fact that, RBL/reporting and filtering are not universally used, after a considerable amount of time, and that, even if they were, they will always fall short, isn't it time to evolve and move towards a cure?

Although some users may be domain owners (who both report spam and use the blocklist), most users (or people interested in spamcop) are either end users or mail server admins.

Again, thanks for the reply.

In fact, mail server admins and domain owners are kissing cousins. That is, if you want to send and receive email on your domain, you have to be a mail server admin.

And, since mail servers use the information from SPF and DomainKeys in almost exactly the same way as they do RBL/reporting lists (through DNS), they should know about and use the former just as they should the latter.

Armed with good information about how DomainKeys and/or SPF work, any mail server admin could make a compelling case to the owners of the domains they serve to make use of either technology.

Edited by uwecboi21

For example, as an end-user, I do not benefit at all from SPF since my ISP does not bother to query the SPF records that you (and others) provide. Perhaps they should do this, and perhaps they will someday, but for me right now SPF is just another TLA.

As I said in reply to another, you could make the very same argument about RBL and content-filtering. That is, many ISPs do not bother checking one or both. Perhaps it is because some people still view these methods as "just another TLA".

Likewise, I can't get very excited about detecting forged from-addresses, since it is of only academic or forensic interest to me:

  • My ISP does not reject messages with forged from-addresses, and I can't "unreceive" such a message that it forwards to me.
  • I know personally that the from-address is very easy to forge. Since the from-address is not trustworthy, it is not useful to deal with it in a spam complaint to a provider. Therefore the from-addresses used in spam do not even merit a glance from me.

But the goal behind RBL lists and such is the same. That is, you report to make it more difficult for the spammer. It isn't 100% effective. I would argue, considering that the amount of spam out there continues to grow, that even after nearly 10 years of these lists, it's only moderately successful against the most inept spammers. Do I think RBL lists and reporting of spam are necessary and good? ABSOLUTELY! I just don't understand why we would use the same arguments against new methods that could just as easily - and with years of experience to support it - apply to what we do now.

There are other boards here where you might find other points of view, or information possibly of more use to you. Also, I can make the age-old suggestion that if you find gaps in the information here, why not help us fill them (such as by collaborating with the SpamCop Wiki)? You'll learn, we'll learn, everybody comes out ahead.

I've never claimed to be an expert. In fact, as you can see, I'm considered a newbie here. I do have my own experiences and knowledge that I'm happy to share but I think discussion is a valuable and necessary step to creating something more formal. For instance, I would not want the Wiki to turn out like this discussion. That is, I would prefer to hear differing points of view.

Personally, I find discussion helps me to focus my thoughts on a matter and I appreciate the differing points of view expressed here as a way for me to codify my own thoughts and opinions.

Edited by uwecboi21

That is, you report to make it more difficult for the spammer. It isn't 100% effective. I would argue, considering that the amount of spam out there continues to grow, that even after nearly 10 years of these lists, it's only moderately successful against the most inept spammers.

I'm out of my league on the technicals here, but I'm puzzled by the above comment on a couple of levels.

I have used spamcop filtering for several years and it is mainly the spam assassin list that catches 99+% of spam sent to my main oldest address (and my spamcop.net address is very popular). Perhaps 50-100 per day, which only takes a few seconds to visually scan and make sure there isn't a legitimate message, and I don't recall the last time there was a legitimate message in the held mail after I revised my blocking list. I have a couple of other addresses not filtered that get a couple of hot stock tips per day, but not more.

The point is that spam filters DO work very well. People who don't want spam don't get spam. Obviously they are an irritant and we want to cut their hands off, but really they are not a problem when you get down to it if you don't want them to be, are they? Bad drivers are a bigger irritant, and danger.

The traffic spammers generate appears to be desired by the carriers, so it's not a problem to them. I guess we all pay for it indirectly to the tune of what, a buck or two per month on an ideal subscription price?

It's a good education incentive for ISPs who don't want the clutter. They can prevent most of it if they really cared.

It's a good evolutionary tool in the long run in that those who buy drugs, Nigerian scam victims, Paypal security verifications and so on will ultimately be removed from the human gene pool quicker than if they were allowed to hold onto their money and health longer, and without them, what would the spammers do?

How many other criminal enterprises are there that almost exclusively prey on the stupid and foolish?

Until anonymity is removed from email there will be spam. That's life.

Just spouting off.

:angry: :)


I have used spamcop filtering for several years and it is mainly the spam assassin list that catches 99+% of spam sent to my main oldest address (and my spamcop.net address is very popular).

<snip>

The point is that spam filters DO work very well. People who don't want spam don't get spam. Obviously they are an irritant and we want to cut their hands off, but really they are not a problem when you get down to it if you don't want them to be, are they? Bad drivers are a bigger irritant, and danger.

I suppose people use SpamCop for a variety of reasons. I'm sure some use it only to eliminate spam in their own mailboxes. They could care less if spammers are choking the internet as long as it doesn't inconvenience them. I understand that perspective and there is nothing wrong with it.

Others see spam as a huge waste of space on an internet that is constantly taxed by new demands for more speed, more bandwidth. They also don't see why they should have to resort to more fees to eliminate something that, legally and ethically, shouldn't be happening in the first place. I would describe myself as belonging in this camp.

To extend your analogy, when I see a bad driver, I draw some comfort from the fact that they will likely pay a penalty in the future. If I see an obviously drunk driver, I would call them in. Spammers are no different and some of us would like to see more done to enforce social norms on spammers.

Whether you realize it or not, you benefit from those efforts. It's why we report spam instead of simply deleting it. It's not enough to eliminate the nuisance in our mailbox. We'd like to ensure no one else has to endure it. Without reporting, spam filters wouldn't be as good as they are.

The traffic spammers generate appears to be desired by the carriers, so it's not a problem to them. I guess we all pay for it indirectly to the tune of what, a buck or two per month on an ideal subscription price?

It's a good education incentive for ISPs who don't want the clutter. They can prevent most of it if they really cared.

That's a different perspective. I'm not sure I agree.

As for prevention, no ISP would be able to keep up without the community effort to identify spammers and their resources in order to filter it. Reporting takes a lot of man-hours. Thousands of people have to be involved. Without that common effort, filters wouldn't be very effective.

It's a good evolutionary tool in the long run in that those who buy drugs, Nigerian scam victims, Paypal security verifications and so on will ultimately be removed from the human gene pool quicker than if they were allowed to hold onto their money and health longer, and without them, what would the spammers do?

How many other criminal enterprises are there that almost exclusively prey on the stupid and foolish?

spam is a universal problem. Just because you may not see as much of it does not mean that it doesn't affect you. I won't delve into the costs of spam to each of us as that is well documented elsewhere.

I'm in favor of any tool that makes it increasingly difficult for a spammer to profit from their spam.


As I said in reply to another, you could make the very same argument about RBL and content-filtering. That is, many ISPs do not bother checking one or both. Perhaps it is because some people still view these methods as "just another TLA".

Absolutely, I agree. The best tool in the world does no good if no one uses it.

I begin to get the impression that you think this is a "SPF/DK vs RBL" debate. It is not.

I'm simply saying that as an end user, I get no protection from SPF nor am I likely to until my elephantine ISP decides to use it (and to do so properly, rejecting mail that doesn't pass scrutiny); even then, I won't get full benefit until ALL of the providers from which I receive mail also cooperate in SPF (i.e., they all must publish SPF records within their auth name servers). Under these circumstances, I'm left to my own devices to deal with the spam that my providers fail to reject despite clear evidence of their spammy nature.

This is not a judgement on how effective SPF is, or could be. It is simply a factual description of my own situation.

As you very correctly point out, I get no direct protection from RBLs or content filtering either, at least as far as preventing spam deliveries goes. That's why I pay SpamCop and forward all my mail to it, so it can use SCBL (and other filters) to separate the wheat from the special pork chaff.

Remember, we're talking here about mail that I've already received (i.e., it wasn't rejected at SMTP level) and am stuck with. Even if I did an SPF check on this mail, it could at best only tell me that the sending machine wasn't allowed to send me the mail. This is of little help to me, since I got the mail anyway. SpamCop's RBLs and content filters do do me some good, however, because they help me to efficiently isolate and report the spam.

I suppose people use SpamCop for a variety of reasons. I'm sure some use it only to eliminate spam in their own mailboxes. They could care less if spammers are choking the internet as long as it doesn't inconvenience them. I understand that perspective and there is nothing wrong with it.

Although I'm sure you didn't mean this as a general statement about SpamCop users, I must yet point out that your third sentence (bolded by me) simply does not at all follow from your second one.

  • Firstly, I'm not sure what else someone like me (an end-user) could do with SpamCop besides trap and report my own spam, since I can't use it to trap or report anyone else's spam.
  • Secondly, it simply isn't true that someone who uses SpamCop only to protect his own mail doesn't care about the spam problem in general. He just may not be in a position to do much more about it than he already does.

Every end-user of SpamCop who reports his spam through SpamCop is adding information to the SCBL, which helps block spam for all users subscribed (directly or indirectly) to this list. Also (in at least a few cases), the admins to which we report spewing addresses and spammy websites use this info to button down their operations and kick off the spammers, which will also reduce spam for everyone.

Perhaps we are fighting a Sisyphean battle here, but I really don't think it can be said that individual end-user subscribers to SpamCop "could care less if spammers are choking the internet."

That said, the argument {against SPF etc.} becomes circular: They aren't effective because not everyone uses them -> We don't recommend them because they aren't effective -> Not everyone uses them because they are not recommended -> They aren't effective because not everyone uses them.

I don't recall that anyone here has "not recommended" SPF or Domain Keys, so I don't see a circular argument here. Some of us have simply pointed out that these are not (as yet) effective for all end users. Having done at least a small amount of study on SPF (something I've as yet failed to do for Domain Keys), I for one would certainly like to see more people use SPF, including my own providers; unfortunately, though, my providers do not include my advice in their planning. I can barely get them to answer technical queries when things go horribly wrong, let alone when things are fine but some upgrades are called for.

Best,

-- rick

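Both sides of the exchange above lean on the same mechanism: a receiving mail server asks DNS for the sender domain's SPF record and, separately, asks a DNSBL zone whether the connecting address is listed, and it can only reject on either answer while the SMTP session is still open. The script below is an added illustration for this thread, not SpamCop's code nor any real MTA's. The "DNS" it consults is an in-memory table of constructed records, so it runs offline; the domains, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses, and the `bl.example` zone are all placeholders.

```python
"""How a receiving MTA uses DNS for an SPF check and a DNSBL lookup.

Added example for this discussion (not SpamCop's or any MTA's code).
FAKE_DNS stands in for live DNS so the script runs offline; every name
and address in it is a constructed placeholder.
"""
import ipaddress

# Constructed zone data. A real resolver would return the same shapes:
# TXT for SPF, MX then A for the "mx" mechanism, A for a DNSBL answer.
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/28 mx include:_spf.mailhost.example -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["198.51.100.40"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    # DNSBL convention: the client IP reversed under the list's zone; an
    # answer in 127.0.0.0/8 means "listed".
    ("77.2.0.192.bl.example", "A"): ["127.0.0.2"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a (possibly empty) list of records."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Pick the v=spf1 TXT record out of the domain's TXT answers, if any."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(client_ip, sender_domain, depth=0):
    """Evaluate sender_domain's SPF record for client_ip.

    Returns pass / fail / softfail / neutral / none / permerror. Handles the
    ip4, a, mx, include and all terms, which covers most published records.
    """
    if depth > 10:  # guard against include loops (RFC 7208 caps DNS terms at 10)
        return "permerror"
    record = spf_record(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or sender_domain, "A")
        elif name == "mx":
            for mx in lookup(arg or sender_domain, "MX"):
                if str(ip) in lookup(mx, "A"):
                    matched = True
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        # unknown mechanisms and modifiers simply do not match
        if matched:
            return qualifiers[qual]
    return "neutral"  # record exhausted without a match and without "all"


def dnsbl_query_name(client_ip, zone):
    """Build the reversed-octet query name for an IPv4 client."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip, zone="bl.example"):
    """True when the list answers with a 127.x.x.x address for the client."""
    return any(a.startswith("127.") for a in lookup(dnsbl_query_name(client_ip, zone), "A"))


def smtp_decision(client_ip, mail_from_domain):
    """Combine both checks the way a server rejecting at SMTP time would."""
    if dnsbl_listed(client_ip):
        return "550 rejected: client listed in DNSBL"
    spf = check_spf(client_ip, mail_from_domain)
    if spf == "fail":
        return "550 rejected: SPF fail for " + mail_from_domain
    return "250 accepted (SPF %s)" % spf


if __name__ == "__main__":
    for ip in ("198.51.100.5", "198.51.100.40", "203.0.113.9", "192.0.2.77"):
        print(ip, smtp_decision(ip, "example.org"))
```

The point rick makes about post-delivery checks shows up in `smtp_decision`: the 550 answers only mean something while the sending server is still connected. Run the same `check_spf` over a message already sitting in a mailbox and it can only label the message, which is exactly the "forensic interest" he describes.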

I suppose people use SpamCop for a variety of reasons. I'm sure some use it only to eliminate spam in their own mailboxes. They could care less if spammers are choking the internet as long as it doesn't inconvenience them. I understand that perspective and there is nothing wrong with it.

They aren't the only ones. There are server admins who do nothing to stop spam coming from computers that are not mail servers.

Others see spam as a huge waste of space on an internet that is constantly taxed by new demands for more speed, more bandwidth. They also don't see why they should have to resort to more fees to eliminate something that, legally and ethically, shouldn't be happening in the first place. I would describe myself as belonging in this camp.

IME, most of the server admins who frequent this forum and the spamcop ngs feel the same way.

To extend your analogy, when I see a bad driver, I draw some comfort from the fact that they will likely pay a penalty in the future. If I see an obviously drunk driver, I would call them in. Spammers are no different and some of us would like to see more done to enforce social norms on spammers. <snip>

I'm in favor of any tool that makes it increasingly difficult for a spammer to profit from their spam.

That's true and the way to do that is to use blocklists that reject at the server level so the sender knows why the email was rejected. There are no longer 'innocent' users on the internet. They are either part of the spam problem or are aware of how to stop spam from being accepted. SPF is another attempt to do a similar thing. But, until server admins stop being afraid of explaining to end users how spam can be prevented, neither one is going to be used effectively.

Miss Betsy


I'm simply saying that as an end user, I get no protection from SPF nor am I likely to until my elephantine ISP decides to use it (and to do so properly, rejecting mail that doesn't pass scrutiny); even then, I won't get full benefit until ALL of the providers from which I receive mail also cooperate in SPF (i.e., they all must publish SPF records within their auth name servers). Under these circumstances, I'm left to my own devices to deal with the spam that my providers fail to reject despite clear evidence of their spammy nature.

And I'm simply saying that you are applying a standard to SPF/DK that you do not apply to RBL lists and filtering. If 50% of all ISPs used SPF/DK, that would not be a good thing? You would not benefit from it? It used to be that many, many ISPs had open servers. That number has been reduced - in part, due to reporting and, in part, due to the ISPs seeing value in securing those relays.

Since the inception of SpamCop and BL's, the idea was that people were going to be directly involved in order to create change. Without that community effort, I doubt we'd have made the progress we now benefit from.

At the same time, spammers have evolved. The amount of spam sent everyday continues to grow. The problem isn't going away.

If you agree with me that we need to continue to adapt, then I would ask what you would suggest? I am not promoting these technologies as an overnight cure. It would take time. Unfortunately, nothing done to date has had any success in reducing the amount of spam sent. Spammers are still profiting. Just because users here don't see it in their mailboxes doesn't mean it isn't still a problem for all of us.

So, what do we do if what we have now doesn't work?

Remember, we're talking here about mail that I've already received (i.e., it wasn't rejected at SMTP level) and am stuck with. Even if I did an SPF check on this mail, it could at best only tell me that the sending machine wasn't allowed to send me the mail. This is of little help to me, since I got the mail anyway. SpamCop's RBLs and content filters do do me some good, however, because they help me to efficiently isolate and report the spam.

Someone correct me if I'm wrong but SpamCop filtering does make use of DK and/or SPF. I have a spammer who generates anywhere between 1000-2000 BOUNCES to my domain every day. No matter how clever that spammer is, you'll never see one of those spams because I use SPF and DK - as long as the filtering software checks it.

What is the incentive for ISPs checking these if not customer demand?

Although I'm sure you didn't mean this as a general statement about SpamCop users, I must yet point out that your third sentence (bolded by me) simply does not at all follow from your second one.

  • Firstly, I'm not sure what else someone like me (an end-user) could do with SpamCop besides trap and report my own spam, since I can't use it to trap or report anyone else's spam.
  • Secondly, it simply isn't true that someone who uses SpamCop only to protect his own mail doesn't care about the spam problem in general. He just may not be in a position to do much more about it than he already does.

First, you have to read the original post in context. To summarize, Eland said that he used SpamCop for filtering. He did not claim that he reported spam and there is no requirement to do so. Anyone could use SpamCop strictly to reduce spam at their inbox without ever reporting if they wanted. If you read Eland's post, I think you'll agree he doesn't come across as caring too much about spam as a problem, in general, but simply as a problem that, for himself, he uses a filter. If that's what he chooses, I don't have a problem with his choice.

Every end-user of SpamCop who reports his spam through SpamCop is adding information to the SCBL, which helps block spam for all users subscribed (directly or indirectly) to this list.

Again, I don't get the impression that the poster I quoted reports spam. From that post, where do you get the impression that he believes spam is a large problem that he feels responsible to report?

Perhaps we are fighting a Sisyphean battle here, but I really don't think it can be said that individual end-user subscribers to SpamCop "could care less if spammers are choking the internet."

Well, neither of us is in a position to speak for *all* users of SpamCop. I never suggested that this applies to everyone. In fact, I made a point of saying that people fell into (at least) one of two distinct groups (with some grey area between them).

I don't think it would surprise anyone that some people use SpamCop to simply filter their email box. They aren't required to report and some won't.

I don't recall that anyone here has "not recommended" SPF or Domain Keys, so I don't see a circular argument here. Some of us have simply pointed out that these are not (as yet) effective for all end users. Having done at least a small amount of study on SPF (something I've as yet failed to do for Domain Keys), I for one would certainly like to see more people use SPF, including my own providers; unfortunately, though, my providers do not include my advice in their planning. I can barely get them to answer technical queries when things go horribly wrong, let alone when things are fine but some upgrades are called for.

Maybe that's the wrong way to put it. That is, you say here you are not not-recommending SPF/DK and earlier you said you don't see any value in it for you (for a variety of reasons). Believe it or not, the value an ISP places on any feature is directly related to the value their customers place on it. So it IS circular.

You see no value because it's not widely used -> your ISP doesn't implement because their customers see no value -> it isn't widely used because ISPs don't implement it -> you see no value because it's not widely used.

Thanks for the reply,

Dale

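Dale's 1000-2000 bounces a day are delivery status notifications (DSNs) sent by other people's mail servers to the forged sender address, and the earlier advice in this thread was to report the bounces rather than the spam quoted inside them. The script below is an added example for this thread, not SpamCop's code, and shows what a catch-all owner can pull out of such a bounce: the server that generated it (the Reporting-MTA and the IP it connected from, which is what a backscatter report is about), the failure code, and, from the quoted original, the address that actually injected the forged message. The DSN is a constructed sample; `mx.example.net`, `spoofed.example`, and the 192.0.2.x / 198.51.100.x addresses are placeholders.

```python
"""Triage a bounce (DSN) that lands in a spoofed domain's catch-all.

Added example for this discussion, not SpamCop's code. SAMPLE_DSN is a
constructed bounce; hostnames and addresses are placeholders.
"""
import email
import re

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: mx.example.net could not deliver a forged message that
# claimed to be from sales@spoofed.example and bounced it back to that domain.
SAMPLE_DSN = """\
Return-Path: <>
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby catchall.spoofed.example with ESMTP; Mon, 1 May 2006 10:00:00 +0000
From: MAILER-DAEMON@mx.example.net
To: sales@spoofed.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd1"

--bnd1
Content-Type: text/plain

The message could not be delivered.

--bnd1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--bnd1
Content-Type: message/rfc822

Received: from mail.spoofed.example (unknown [192.0.2.77])
\tby mx.example.net with SMTP; Mon, 1 May 2006 09:59:58 +0000
From: sales@spoofed.example
To: nobody@example.net
Subject: Cheap meds

Buy now.

--bnd1--
"""


def first_bracketed_ip(received_headers):
    """Return the IP in the earliest Received header (the last one listed)."""
    for header in reversed(received_headers or []):
        match = IPV4_IN_BRACKETS.search(header)
        if match:
            return match.group(1)
    return None


def triage_bounce(raw):
    """Extract who bounced, why, and where the forged original came from."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return {"is_dsn": False}
    result = {
        "is_dsn": True,
        # the host that sent the bounce to us: the target of a backscatter report
        "bouncing_mta": None,
        "bounce_source_ip": first_bracketed_ip(msg.get_all("Received")),
        "action": None,
        "status": None,
        "original_from": None,
        # the host that handed the forged message to the bouncing MTA
        "injecting_ip": None,
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # the parser turns each header block into its own Message object
            for block in part.get_payload():
                if block["Reporting-MTA"]:
                    result["bouncing_mta"] = block["Reporting-MTA"].split(";", 1)[-1].strip()
                if block["Action"]:
                    result["action"] = block["Action"].strip()
                if block["Status"]:
                    result["status"] = block["Status"].strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            result["original_from"] = original["From"]
            result["injecting_ip"] = first_bracketed_ip(original.get_all("Received"))
    return result


if __name__ == "__main__":
    for key, value in triage_bounce(SAMPLE_DSN).items():
        print("%-17s %s" % (key, value))
```

Note that the Received line inside the quoted original is the only place the spam's real origin survives; the bounce itself, being a DSN with an empty return path, tells you nothing about the spammer beyond that, which is why the thread's advice to report the bouncing server rather than chase the quoted spam is the practical one.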

You see no value {in SPF} because it's not widely used -> your ISP doesn't implement because their customers see no value -> it isn't widely used because ISPs don't implement it -> you see no value because it's not widely used.

OK, let's try another tack.

I've received about 150 spams at my personal e-mail address over the past 24h or so, meaning that my provider's MX accepted them and passed them on to an MDA for my pickup. Right now, they've been forwarded to SpamCop, which has isolated the spam (using DNSBLs and SpamAssassin post-delivery) so that I can report it.

Is there something else you would recommend that I personally should do right now using SPF or Domain Keys in order to help me deal with these messages? And, no, saying "get your ISP to use SPF" is not a useful answer to me, because it doesn't do anything about the 150 spams I have right now.

-- edit added --

As for the quote above, you say that I see no value in SPF. That isn't exactly what I wrote. I wrote that I saw no value for me personally in SPF right now. These are very different statements.

I apologize if my meaning was not sufficiently clear. If I had been so offhandedly dismissive as to suggest that it won't work for anyone ever, then I could see where you would have reason to be perplexed.

Here's an analogy: I see no value for me personally right now in wearing a motorcycle helmet. This is not because I hate motorcycle helmets, or don't think they work, or would rather that bikers use some other kind of protection, it's simply because I don't ride a motorcycle. However, this doesn't mean that I don't see the value for others, or even the indirect, long-term value to myself, for everyone on a motorcycle to wear a helmet (e.g., less demand on the medical system, less need for long-term care, etc.). I could be persuaded to write my state legislators to support helmet laws, or perhaps even to contribute to a fund to increase helmet awareness or give away helmets to young bikers. But giving ME a helmet, however, is not going to help anybody (least of all me).

-- rick

Edited by rconner
