DoS Assaults Underway Against Spam Blocklists 797
Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
Blacklists' downfall (Score:2, Interesting)
I wonder how many people really rely on blacklists anymore. I've tried using them before only to find out that over half of my legitimate email was being filtered and a significant amount of spam was still getting through.
Bayesian is the only affective method I've seen for significant spam reduction.
Might not be spammers (Score:5, Interesting)
Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.
ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.
SoBig (Score:5, Interesting)
who says its spammers? (Score:5, Interesting)
distributed? (Score:3, Interesting)
Client-side blocking (Score:5, Interesting)
Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.
Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonymous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.
Peas,
j
Re:It's illegal (Score:2, Interesting)
Attempting to find who is launching these attacks (its not right that the media assumes its the spammers) is VERY VERY unlikley.
The only thing you can really do is filter the attack. You cant really block 1000's of different legitamite, even if they are comprimised, from your services.
Unless you can find the IRC Bot, which 99.9% of these attacks are controlled from, you cant determine who started the DDoS. Even if you find a IRC hostname, chances are its BNC'd anyway, and what good would that do you.
Yes it might be illegal, but the internet is still very much like the wild wild west, sherrifs have no control and there are too many wide open spaces to hide.
Blacklists ARE useful (Score:5, Interesting)
If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
DNS based BL is useful because it doesn't even let it in the door.
This is crazy (Score:1, Interesting)
SoBig.F zombies attack!!! (Score:5, Interesting)
Go ahead and let them die (Score:4, Interesting)
I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.
If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.
Yet another legitimate p2p use... (Score:2, Interesting)
Still, the only workable solution is cryptographically-secure signatures, probably with a SSL/TLS set of root certs.
Hell, sounds like a job for the post office! Keep it relevant in the age of email..
Re:justice (Score:2, Interesting)
Blacklists by their very design have a HIGH false-positive ratio. How is that a "best solution"? I don't even think it's a "so-so solution." I'd call it a "horrible solution." On top of that, they are easily avoided.
Content filters are the next level of spam protection. It doesn't matter where the email came from, if you're trying to sell me a 12" dong I won't accept it. This is the only thing that will save us from a large P2P spam network.
Re:Why does he think it's spammers? (Score:4, Interesting)
Have you -ever- worked in network security?
Have you -ever- worked an abuse desk?
Having cleaned up one hosting providers network (and reputation) I take great umbrage with this statement:
They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.
These blocklists are very effective in stopping the entry of spam into a user's network. While I also think the guys running SPEWS could use some lessons in public relations, and have an easier way of getting IPs removed, that does -not- mean that they're evil and inneffective.
I also do not believe it is the large ISPs that are behind this. That's almost as laughable as Julian's statement that it's organized crim behind it. It's likely the larger spam groups that are behind it, like Ralsky and his ilk. And I -know- he has no moral compunction to not break the law.
And just a reminder:
Spamming is ILLEGAL in a not insignificant number of states, and several of them explicitly allow for blocking of offending IPs if the ISPs involved are unresponsive.
Who replies to spam? (Score:5, Interesting)
Evolution of a blacklist architecture. (Score:5, Interesting)
I can easily see web content filtering going the same way eventually.
Re:Why does he think it's spammers? (Score:1, Interesting)
Blame the backbone ISPs (Score:5, Interesting)
1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.
It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implmenting measures to shut down networks that have rogue systems consuming illegitimate bandwidth.
2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.
No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.
We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.
Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.
Re:It's illegal (Score:5, Interesting)
It may be blacklisted sites wanting delisting (Score:2, Interesting)
I noticed that Joe Jared mentions his other site as a collateral casualty of the DDoS. Now where did I hear the term "collateral damage" before? As a provider of SPEWS blocklists, that would in effect make him as accountable as SPEWS, to use their own twisted logic of "a customer of an ISP is as guilty of spamming as the spammer themselves".
We do not condone any DDoS attack, nor do we condone the actions of SPEWS [chatmag.com]. The demise of Osirusoft demonstrates that unaccountable "vigilantism" does nothing to stem the tide of unwanted commercial emails and as stated in previous posts regarding spam, more rational discussion should be forthcoming, with real solutions, rather than the tactics used by the blocklists that would hack down the forest to fell one tree.
Re:Why does he think it's spammers? (Score:2, Interesting)
The devil is in the details. It's not a list of single IP addresses, that's far too large and complex to maintain. What's happening is large blocks (we're talking B class IP blocks here) are getting blacklisted because of the actions of a few individuals.
This does more harm than good especially with colocation services. What happens is one person starts spamming off a machine at a colocation company and SPEWS and other lists will blacklist the whole block that colocation company is on.
That kills mail services to the hundreds of other legitimate companies who are unfortunately on the same block as the one spammer.
Anyone familiar with Something Awful [somethingawful.com]'s battle with SPEWS knows this is a very real situation.
So what's a blacklister to do? Maintain a large list of several hundre thousand (at minimum) IP addresses or block B (and even A) class adress blocks to bring that list down to a far more easily maintained list?
That's why it's "evil". It's lazy, inefficient, ineffective, and does more harm than good.
Wait until someone who has a server within the same B class you're on to start spamming and you get put into the blacklist. Then we'll see if you're still singing the praises of blacklists.
Perhaps it's not the spammers ... (Score:4, Interesting)
Perhaps it's Something [somethingawful.com] Awful [kuro5hin.org] that's doing it?
Fark [fark.com] seems to think so [fark.com].
(Ever feel like you're writing for memepool [memepool.com] or Everything2 [everything2.com]? I sure do!)
Re:Why does he think it's spammers? (Score:4, Interesting)
Re:Why does he think it's spammers? (Score:2, Interesting)
Oh...I just noticed, the poster is a proud Republican...that explains it. Anyone who feels the need to brag about their conservatism generally has a soft spot for Joe McCarthy.
Anyone who needs to point out someone elses political leanings in order to denigrate them generally has a soft spot for Chairman Mao.
There's not any fundamental difference between Joe McCarthy and Chairman Mao.
Re:ever tried to get off SPEWS? (Score:5, Interesting)
Maybe this time it's a decent excuse, but next time you know. And any provider not willing to include a clause that lets you out if they get blacklisted is probably knowingly hiding spammers.
As to whether the provider is really "fine otherwise", to me that's like saying "my new dog keeps chewing the neighborhood kids' finger off, but otherwise he's fine . . . "
I'm really sorry that SPEWS has been a hassle for you and others, but it's worth it to me, and I wish more providers used SPEWS or similar (well, if it ever comes back). And, now that you know, you can plan for this sort of eventuality in the future, because it's only going to get more and more common as spam continues to grow.
Think globally, act locally (Score:5, Interesting)
I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.
Partial Reliance on Blacklists (Score:2, Interesting)
A malfunctioning IP blacklist will give a message more points, but only a fraction necessary to send the message to dev/null
Thought of in another way is that the decision of whether the message is spam or not is distributed among lots of "decision makers" The weight of those decision makers is determined by the number of points they are allowed to assign to a given message.
We also use Spam Sleuth Enterprise [bluesquirrel.com] to protect our server from SoBig.F. We just look for the text "X-MailScanner: Found to be clean" and set it to enough points to delete the message. It takes the load off of our internal servers.
Hope this helps somebody.
Yet Another Plan for Spam (Score:3, Interesting)
I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).
The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintaining a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.
Pros:
1. No external testing/probing is required. All blacklisted IP's have been known to be an originator/relay point of spam.
2. A copy of the spam message can be retained in case of any dispute.
3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
4. A false positive does not impact systems not directly under your control.
5. Corrections to the dnsbl can be made as urgently as your time would allow.
6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.
Cons:
1. Bayesian filter requires training and maintenance.
2. Personal dnsbl also means personal attention. More time and resources required to manage.
3. Not immune to false positives (actually amplifies the effect).
I'm sure I've missed some points on both the pros and cons, but it's a start.
Additional details of the plan had included a web interface for the blacklisted IP's delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per a configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party to purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.
My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could careless if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not in theory of being capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).
Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.
Any volunteers?
SoBig not a culprit????? (Score:2, Interesting)
Re:Why does he think it's spammers? (Score:3, Interesting)
This is getting tiresome . . .
My own email provider (Fastmail.fm) is very proactive about eliminating spammers and has a very strict anti-spam policy; however, it has been erroneously listed on Spamcop on at least one occasion causing problems for all of its legitamite users.
How do you know, other than by the facade they present to you, how pro-active or strict their antispam policy is? How do you know the listing was erroneous? Bottom line: you don't.
I read the blow-by-blow you posted, and it includes a blatant admission of guilt which completely contradicts the claims you made above. The page you cited doesn't include denial of spamming. On the contrary, the guy admits that spammers were (and are!) using his service. He even goes to great lengths to prove the that ratio of "good" email to spam from his service is very large, like 100k to 1 or something, and then argues that he shouldn't be listed bcause the spam originating from his company is so small in relation to the real mail.
Like so many posters here angry with SPEWS, this totally misses the point! SPEWS isn't a gentle suggestion to reduce your ISP spam output, or to make sure yor real mail/spam ratio is high. It is hardcore non-negotiable insistance that your ISP have ZERO spam tolerance. That's hard for some ISP's that are used to even the occasional pink contract for a little extra income. But it's the only way to avoid the list (except I guess DDoS now, yay).
Better solution than black-listing - gray listing (Score:1, Interesting)
It basically involes inspecting the sending ip, sender envelope, and recipient envelope. If the receiving MTA has never seen this particular combination of the three before, it does not accept delivery of the mail piece with a temporary failure message. The vast majority of spam would then be ultimately rejected because it is often sent through open MXs and not a valid MTA with valid sender and recipient envelope information.
It is designed to be a compliment to other anti-spam measures without being as inflexible and cumbersome as black/white lists.
Along those same lines, you could also do a quick reverse check to verify reply-to addresses at the MTA level.
The battle against spam is not totally lost, and we shouldn't cut off our nose to spite our face the way blacklists do.
Re:Why does he think it's spammers? (Score:2, Interesting)
Does the end really justify the means?
Re:Nonsense. (Score:3, Interesting)
It seems to me that, in fact, it is YOU who just doesn't get it. Not to put this on the same level or anything, but the exact same attitude was used to justify 9/11.
Sorry, In Your Rightous Anger You Missed the Point (Score:3, Interesting)
Blocking Brazil (Score:2, Interesting)
Re:ever tried to get off SPEWS? (Score:2, Interesting)
No it isn't. If I run an ISP mail server, it is my traffic -- if it weren't it wouldn't be going over my wire to my server.
There is no effort to hide the fact that blocklists are in use at my ISP, as in a typical installation we explain verbosely why we are rejecting a message. We also provide a web contact form which anyone may use to mail us regardless of their IP, and postmaster is always delivered. This is the method recommended in just about every FAQ on the subject I've seen so I presume it isn't unusual.
In fact we go further than that, most of our blocklists simply add points to the final 'score' of the message. The decision is left to the customer regarding what to do with messages that score as spam, in addition to giving them the ability to add whitelists and change the score that determines a messages spam status.
At last check, not a single user had disabled spam filtering. Evidently, this major concern over the right to filter doesn't really exist. We have our share of out-right tin foil hat wearing customers, and not one of them has been uncomfortable with our spam filtering.
I know of no ISP that makes an effort to hide the fact that they filter spam.
This results in their customers not receiving email. The decision that the sender of that email wasn't legitimate has been removed from the user and the sender and placed in the hands of some anonymous third party.
The ISP of the customer is not an anonymous third party by any means. They are the ones who own the traffic thats going over their wire.
If you were talking about random backbones filtering port 25 traffic going through their networks, I would agree with you. I know of no effort to do this, however.
In general, the ISP answer to blocking complaints is they simply use the list and do not control the content of it. The blocking list provider - if contactable - claims they just make up the list and the use of it is outside of their control. This means nobody is accountable for blocking.
The choice to use a blocklist operated by someone else is no less a choice than operating one yourself. Which would you rather ISPs use: coordinated, open blocklists or private, confidential, and individually assembled and maintained blocklists?
Whitelisting specific IPs within the SPEWS blocklist would defeat the point, to establish lists of bad neighborhoods in order to clear them out.
The problem with this sort of censorship - and it is indeed censorship
It's censorship? Then so is painting over the graffiti that someone sprays on your house under cover of darkness.
is the user never hears about it.
Again, I know of no service which does not inform the user that they block spam. My service even offers users a page you can go to and inspect each spam that's been caught.
When a business is blocked they quickly discover that blocking has made email unreliable for communications with customers. They can either abandon email for important stuff or they can try to convince the blockers that their commercial use of email is valid.
Or, they can change providers to one which does not support spam. Or, they can implement a technical solution such as smarthosting.
This is extremely difficult. Why? Spammers use email - if you use email commercially, then you might be a spammer.
If you "cold call" a non-personal communication over e-mail, you are a spammer in my opinion.
If you get blocked and claim you were blocked in error, you might be lying. Spammers lie, so anything you say can be considered to be a lie. Why should anyone unblock a spammer?
If SPEWS made a habit of whitelisting "legitimate" IPs, it would be no better than any other blocklist. SPEWS is not a
SPEWS effectiveness (Score:3, Interesting)
Re:Desparation (Score:3, Interesting)
Blocking mail might do that, but there are any number of ways to stop spam, every last one of them involves making the price of spam a price no one is willing to pay.
Using Baysian filtering to build a set of IP's which have a threashold (say 90% of e-mail) is spam, then it gets added to your black list (Mailserver or router blacklist).
Kirby
Re:Nonsense. (Score:2, Interesting)
First of all, it's sending email that is the problem for people on an email blocklist/blacklist. Not receiving email. And certainly not hosting websites.
And there's nothing difficult about paying someone to provide an email "smarthost" for you somewhere else, in unlisted netspace. Though you should of course bitch incessantly at your network provider for forcing you to take that option.
And of course, you should always remember while you're feeling sorry for yourself about being on an email blacklist, that there are a large number of people in the world with problems much worse than yours.
(I'm going to have to find out one day exactly why it is that Brazil apparently only has one ISP. It seems quite bizarre.)
Pete.Use of blacklists in a non-destructive way (Score:2, Interesting)
My ISP has multiple POP boxes for each customer though. Currently all the spam gets into one box and the (presumed) legit mail gets into my normal mail box.
Now and then some legit mail gets into the spam pop account. Now and then I check this account for messages that are non-spam. Until now, only some mailinglists have been incorrectly identified as spam (ironically, mostly from IT security companies).
There is still an amount of spam in my inbox too, but some rules take most of that out as well.
I would not want my ISP to throw away all the mail they think as spam; they should never do that without my consent. But blacklistst do not have to be a 0 or 1 (or black or white
Warper
0 - evil bit