Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

DoS Assaults Underway Against Spam Blocklists 797

Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
This discussion has been archived. No new comments can be posted.

DoS Assaults Underway Against Spam Blocklists

Comments Filter:
  • by seanadams.com ( 463190 ) * on Thursday August 28, 2003 @04:00PM (#6817435) Homepage
    Apparently spammers aren't going to sit by...

    Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down. They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

    All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks. This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!
    • by Anonymous Coward on Thursday August 28, 2003 @04:02PM (#6817454)
      Althought he presents a valid arguement, WE DONT WANT TO HEAR THAT!
    • by Anonymous Coward on Thursday August 28, 2003 @04:07PM (#6817525)

      Everyone appears to want to direct mod power today, so why not?
    • Actually SPEWS is very effective. It makes people DO something about spammers they are harbouring or sharing space with. Naturally, that's why you hate them.
      • by hypovex ( 639352 ) on Thursday August 28, 2003 @04:43PM (#6818002)
        What makes you think they don't? Most U.S. based ISPs don't require anything more than enough complaints with reasonable evidence to shut spammers down. It's really unnecessary to block an entire /24 or /16 if you think that's what is necessary to get attention. Spamcop, ordb, dsbl, & maps are just great and actually are bold enough to let the world know who they are and what they are doing. Spews takes it WAY too far, are completely irresponsible, are the worst chickenhawks on the net, and completely ineffective. Just for argument's sake, a couple years back, I used osirusoft for about a month with not even a dent in the amount of crap I received in my inbox. But did lose a lot of email from people that should have never been associated with their listings. This cost me time and money. I don't blame the isp who got themself blacklisted because they never received any complaints directly. This was because the only relation between them to the said spammer, was a freaking email address hosted by one of their customers, which was used as a the administrative contact record, for a domain they had nothing to do with. N.A.N.A.E, Osirusoft, s.p.e.w.s. : Chug one. I'm happy to see you getting what you've had coming for a long time.
      • by ZoneGray ( 168419 ) on Thursday August 28, 2003 @04:54PM (#6818107) Homepage
        Sure it's effective. So is shutting off your mail server.

        The problem is that collective IP blacklisting is so mistake-prone that it's just unacceptable. I had a server, one that hosted e-mail for several domains (none of which do anything remotely spam-like), and somebody forged the IP in a header, and the server got into some darned blacklist based on three anonymous "reports". Thankfully, most people are smart enough to use better anti-spam measures such as keyword or header filtering, which don't cede control to external mobs.

        On a corporate server, you'd be nuts to use one of those blacklists; at the very least, you want to be able to whitelist your important business partners. Perhaps the DDOS attacks are from some disgruntled syadmin who got canned when an important e-mail to the CEO mistakenly bounced.
    • indeed (Score:5, Insightful)

      by Trepidity ( 597 ) <delirium-slashdot@@@hackish...org> on Thursday August 28, 2003 @04:14PM (#6817616)
      Even if you happen to like the blocklists and agree with their methods, it's clearly irresponsible to assume they're being attacked by spammers -- there are a lot of non-spammers who would love to take them out.
    • by fmaxwell ( 249001 ) on Thursday August 28, 2003 @04:16PM (#6817642) Homepage Journal
      I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down.

      I will be equally happy when someone uses a DoS to keep you from posting comments with which I disagree. As you point out, a DoS is a valid way to suppress free speech.

      They are pure evil in their methods,

      How is it "evil" to publish a list of IP addresses that match a listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).

      and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

      Absolutely untrue. I use several of the blacklists for my domain and the quantity of spam blocked is tremendous with very little collateral damage. Without those blacklists, I would be seeing far more spam than legitimate e-mail every day.

      They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks.

      Yeah, the same large ISPs who, in many cases, were writing "pink contracts" for spammers and making money from spam. Those are the large ISPs that really hate the blacklists. And if it wasn't for the blacklists, more and more ISPs would be writing pink contracts.
      • by rusty0101 ( 565565 ) on Thursday August 28, 2003 @04:28PM (#6817812) Homepage Journal
        "They are pure evil in their methods,"

        How is it "evil" to publish a list of IP addresses that match a listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).

        What he is getting at is not himself using the list, it is midling sized ISP's using these lists preventing him from sending legitimate e-mail to people who can't get that e-mail, because his ISP is blackholed even though the ISP has corrected the issue that got them on the blackhole list in the first place. Or that his ISP's ISP happens to be blackholed through no falt of his own ISP's policies or practices.

        The problem with blacklists is that they decide that it is more important to thow the baby out with the bath watter than it is to see if the baby is clean.

      • by seanadams.com ( 463190 ) * on Thursday August 28, 2003 @04:31PM (#6817863) Homepage
        How is it "evil" to publish a list of IP addresses that match a listing criteria?

        I will tell you precisely why, and these points are almost never brought up by the usual SPEWWS critics:

        1) Those listing criteria are not publicly specified - only a small group of network admins, and readers of NANAE, who are familiar with SPEWS understand their method. The vast majority of admins using these blacklists are people who are just desperate to stop spam so they install tool XYZ without realizing the implications. SPEWS feeds on this desperation to get their foot in the door - it's not until someone finds that a ton of their legitimate mail is being blocked due to deliberate "collateral damage" that they realize they need to ask their administrator to stop using SPEWS (or whitelist the hapless victim with whom they're trying to communicate).

        2) SPEWS keeps logs which are not deailed and often downright inaccurate.

        3) SPEWS does not provide a way for spam filters to differentiate between real spammers and collateral damage. It's all listed the same.

        There is a reason why civilized countries have laws against libel/slander, and SPEWS walks a *very* thin line.
    • by paitre ( 32242 ) on Thursday August 28, 2003 @04:20PM (#6817706) Journal
      You, sir, are a know-nothing dumbass .

      Have you -ever- worked in network security?

      Have you -ever- worked an abuse desk?

      Having cleaned up one hosting providers network (and reputation) I take great umbrage with this statement:

      They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

      These blocklists are very effective in stopping the entry of spam into a user's network. While I also think the guys running SPEWS could use some lessons in public relations, and have an easier way of getting IPs removed, that does -not- mean that they're evil and inneffective.

      I also do not believe it is the large ISPs that are behind this. That's almost as laughable as Julian's statement that it's organized crim behind it. It's likely the larger spam groups that are behind it, like Ralsky and his ilk. And I -know- he has no moral compunction to not break the law.

      And just a reminder:

      Spamming is ILLEGAL in a not insignificant number of states, and several of them explicitly allow for blocking of offending IPs if the ISPs involved are unresponsive.

      • by BasharTeg ( 71923 ) on Thursday August 28, 2003 @04:37PM (#6817925) Homepage
        These blocklists are very effective in stopping the entry of spam into a user's network.

        These blocklists are also very effective in keeping me from sending email from my T1 from Lightyear Communications.

        I'm sure there are a million other guys out there with a thousand dollar a month T1 that is completely worthless for emailing customers thanks to these blocklists.

        Go ahead and shout "spam-haus" and tell me I'm doing business with spammers or companies that support spammers, or in this case, our company's T1 is provided by a company (Lightyear) that gets their upstream from a company (UUNet), that supports spammers.

        I guess by associating with spammers through about 4 levels of indirection, we are guilty and need to be punished.

        Spam-Nazi apologists are worse than Spam-Nazis themselves. I was a Spam-Nazi myself until suddenly the punishment was applied to me, and there was nothing I could do about it.

        I hope SPEWS is pinned by packetting until they shut down.
        • by dissy ( 172727 ) on Thursday August 28, 2003 @05:11PM (#6818333)
          > I'm sure there are a million other guys out there with a thousand dollar a month
          > T1 that is completely worthless for emailing customers thanks to these
          > blocklists.

          What you are wrong about is its not thanks to the blocklists, its thanks to the ISPs that have willingly chosen to use the blocklists, and share the same opinion as the people that run the blocklist, who do not want you to email them.

          Do you think its only you that knows SPEWS blocks UUnet ?
          The ISPs that use SPEWS know this too. They still use SPEWS. They do not want email to enter their network that comes from you!
          Yes, even through about 4 levels of indirection, the networks you are trying to send email to have chosen to not want your emails.

          Why are you blaming the blacklists for this?

          You bitch and moan that it isnt fair to you to have your IPs blocked by those that want them blocked. You sound just like a spammer with that logic.

          You may be happy to see SPEWS packeted until they are shut down, but what about my right to choose that I want to block email from people who spam, and people just like you, who use ISPs indirectly that support spam?

          Are you so much more importaint than I that my right to choose not to recieve your email is less importaint than your right to force your emails upon me aginst my will?

          • Are you so much more importaint than I that my right to choose not to recieve your email is less importaint than your right to force your emails upon me aginst my will?

            I'm not emailing you asshole.

            I'm emailing my customers who are users of ISPs who tell them nothing about their use of SPEWS. They then call us and claim they never got their bills or statements, and we're supposed to explain to them how THEIR ISP is behaving (choosing to throw away their legitmate emails without notifying them). Then whe
  • Blacklists' downfall (Score:2, Interesting)

    by Nonac ( 132029 ) *
    I'm not condoning this DDoS, but the perpetrator is probably just some sysadmin running a legitimate, secure server that found its way onto some blacklists and got frustrated by all the red tape getting off the lists. This may be his last hope to get off their list.

    I wonder how many people really rely on blacklists anymore. I've tried using them before only to find out that over half of my legitimate email was being filtered and a significant amount of spam was still getting through.

    Bayesian is the only
    • by AltGrendel ( 175092 ) <ag-slashdot&exit0,us> on Thursday August 28, 2003 @04:18PM (#6817670) Homepage
      There are many people on both the SpamAssassin and qmail-scanner list that are talking about this. Any software that uses RBLs may have to be reconfigured.

      And depending on just Bayesian filtering is putting all of your eggs in one basket, IMHO (though it is a pretty darn good basket). There are many spammers out there trying to poison Bayes databases by adding random dictonary words to their HTML based emails.

      • by bogado ( 25959 )
        Spamassassin does Bayesian and much more. It is the best because it has several baskets in one program alone. You can rate the best basket yourself or simply trusting the default scores. :-)
    • by rossz ( 67331 ) <`ogre' `at' `geekbiker.net'> on Thursday August 28, 2003 @04:30PM (#6817843) Homepage Journal
      Yeah, the red tape is a bitch. Here's a list of the red tape:

      1. Close your open relays
      2. Kick off known spammers
      3. Stop list washing system admins who complain about spam
      4. Stop making it nearly impossible to submit complaints
    • The farther you let junk travel into the system, the worst your problem is. Bayesian is hard to apply at the network level, you must leave it to the individual users, causing a twofold problem: you keep letting the scum of Earth parasite your network (if you are an ISP) and you expand the processing needs of the end user (ever saw Mozilla Mail "think" for a couple of minutes after you mark one or two email as junk?). This is undesirable.

      Lists work pretty well. They ocasionally piss people off, but the cost
  • by Lead Butthead ( 321013 ) on Thursday August 28, 2003 @04:01PM (#6817442) Journal
    So when do we get to launch our DDoS against the spammers again?
  • It's illegal (Score:5, Insightful)

    by mabu ( 178417 ) on Thursday August 28, 2003 @04:01PM (#6817445)
    Would someone please remind the federal government that DOS attacks are illegal? Anyone want to encourage them to take action against these people? Can they stop playing golf long enough to do their job?

    • Re:It's illegal (Score:5, Interesting)

      by mabu ( 178417 ) on Thursday August 28, 2003 @04:29PM (#6817825)
      A friend of mine who runs an ISP filed a case with the FBI. He had all the evidence, he had $100,000+ worth of damage he could prove. The case was meticulously documented. The FBI felt it was a rock solid case. They presented it to the DAs in multiple juridictions and they refused to prosecute or pursue the case. He even had the perps home address and telephone number and enough evidence to link him to credit card fraud, attacks on major corporations and much more, and the authorities blew the case off and didn't take action.
  • by grasshoppa ( 657393 ) <skennedy&tpno-co,org> on Thursday August 28, 2003 @04:03PM (#6817462) Homepage
    Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.Too bad my users and I are behind a trained spamassassin, then, eh?
  • by G-funk ( 22712 ) <josh@gfunk007.com> on Thursday August 28, 2003 @04:03PM (#6817468) Homepage Journal
    Of course it probably is spammers, but it wouldn't suprise me if some people who've had themselves blacklisted unfairly would like to ddos some blacklist servers into the beyond.

    Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.

    ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.
  • SoBig (Score:5, Interesting)

    by ifreakshow ( 613584 ) * on Thursday August 28, 2003 @04:04PM (#6817474)
    Earlier this week when people talked about the writer of SoBig leasing his virus network for spamming [slashdot.org] many people said spammers wouldn't want to be involved with virii/attacks. I think the DOSing of black list sites pretty much shows that the people sending spam have little moral problem with invading your computer to break the law.
  • Solution (Score:4, Funny)

    by alphax45 ( 675119 ) <(moc.liamg) (ta) (derfla.elyk)> on Thursday August 28, 2003 @04:04PM (#6817479)
    Why don't we just offer all the main spammers a free seminar on some small island in the south pacific or somewhere where no one will care, then when they all get there..

    NUKE IT!!!

    Problem solved :)
  • I wonder... Is it the people who are paying for the SPAM also paying for these attacks? I can imagine a campaign among these sleazeballs drumming up support for a DDOS of the spam blacklists...

    Just my act-now-to-get-a-six-foot-penis worth...
  • by tongue ( 30814 ) on Thursday August 28, 2003 @04:04PM (#6817486) Homepage
    what makes you think its spammers? there a plenty of legitimate email users with a beef against these fascists--me, for one. i had a domain on a subnet that's entirely blocked despite the fact that i don't have open relays nor have i ever done any kind of spamming. several of my clients within larger corporate structures couldn't receive email from me because some PHB read in DildoCTO Quarterly that these lists can stop spam--never mind the fact that they can stop any kind of legitimate email use as well. There were a LOT of times i'd wished i had had the wherewithal to undertake something like this; spammers or not, i applaud the culprits.
  • by silentbozo ( 542534 ) on Thursday August 28, 2003 @04:05PM (#6817493) Journal
    Bad for them. The main reason for creating centralized blocklists was so people who reformed, or who kicked spammers off their blocks, could have their IPs relisted without having to worry that random admins had hardcoded filters into their routers. One central source for listing, one central source for delisting.

    If they succeed in negating the value of centralized blocklists, guess what - admins will go back to blacklisting blocks manually. Those IP blocks will become useless once enough people add them to their blocklists, and there won't be any easy way of redeeming them.

    Anyone who wants to get internet access better get a clause in their contract guaranteeing that the IPs they get weren't abused by someone in the past, or else they might be getting a useless connection.
  • Desparation (Score:4, Insightful)

    by RevJim ( 564784 ) on Thursday August 28, 2003 @04:06PM (#6817503) Homepage
    This is an act of desparation on the part of spammers that proves the anti-spammers are winning the battle. Fortunately, the next phase of the "war" is moving away from blacklists and focusing on technologies that are user-based and user-specific, such as Bayesian filtering. There is no level of DDoS attack that can stop that battle.
    • Re:Desparation (Score:5, Insightful)

      by McDutchie ( 151611 ) on Thursday August 28, 2003 @05:07PM (#6818291) Homepage
      Fortunately, the next phase of the "war" is moving away from blacklists and focusing on technologies that are user-based and user-specific, such as Bayesian filtering.
      On the contrary, spammers love Bayesian and any other kind of filtering because it doesn't stop them from sending their spam. They love it when people "just hit delete" either manually or in an automated fashion through filtering, instead of actively blocking their junk and getting their accounts shut down. They don't mind that you don't get their junk; they will just increase the amount of spam they send tenfold every year so they keep making money on those suckers that are born every minute, until e-mail has been completely destroyed. Blocking - aggressive, massive blocking and boycotting of spam supporting networks - is the only way to save e-mail.
      • Hmmm, curious. I always thought the most effective way of stopping spam was to make it a money losing proposition....

        Blocking mail might do that, but there are any number of ways to stop spam, every last one of them involves making the price of spam a price no one is willing to pay.

        Using Baysian filtering to build a set of IP's which have a threashold (say 90% of e-mail) is spam, then it gets added to your black list (Mailserver or router blacklist).


  • ... battering many other blocklist services...

    "Spam, spam, spam, spam. Lovely spam, wonderful... Ow! Ow! Stop that! Bad spam! Ow! That hurts!"

  • Impressive (Score:3, Funny)

    by 3terrabyte ( 693824 ) on Thursday August 28, 2003 @04:06PM (#6817508) Journal
    "We're usually under attack from 5,000 to 10,000 servers at once," Linford said, with incoming data flows as large as 100 million bytes per second. "They're extremely large attacks that would bring down just about anything." But Spamhaus, with 16 servers scattered through 10 countries, has been able to ride it out, Linford said.

    Hopefully there isn't a slashdot story linking to them any time soon!

  • distributed? (Score:3, Interesting)

    by TheSHAD0W ( 258774 ) on Thursday August 28, 2003 @04:07PM (#6817518) Homepage
    Might need to move these block lists onto a distributed network. If lists were sent out via a Gnutella- or BitTorrent-like system, using digital signatures to verify authenticity, it'd be impossible to DoS.
  • Client-side blocking (Score:5, Interesting)

    by jtoker ( 693138 ) on Thursday August 28, 2003 @04:08PM (#6817537) Homepage
    I'm not too disappointed to hear of these new attacks. Conspiracy theories and the like aside, I'd rather have the responsibility for SPAM-blocking placed on the client side.

    Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.

    Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonymous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.

  • by Gothmolly ( 148874 ) on Thursday August 28, 2003 @04:10PM (#6817549)
    Because you can reject mail at the SMTP level. I typically get about 70 emails a day to my own server. About 40-50 get denied by a DNS based filter on qmail (rblsmtpd). Which means on average, only 25 get through to Spamassassin, where another 15-20 are deleted due to high spam thresholds. Then I get about 5-8 real emails, and maybe 1 or 2 spams that make it through (which Mozilla mail promptly eats as spam).
    If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
    DNS based BL is useful because it doesn't even let it in the door.
  • by phillymjs ( 234426 ) <slashdotNO@SPAMstango.org> on Thursday August 28, 2003 @04:10PM (#6817557) Homepage Journal
    From the article: In a technique called a "distributed denial of service attack," vandals exploit security flaws to plant programs, called "Trojan arses," on thousands of Internet-connected computers. They then order the Trojan arse programs to spew useless data at a targeted machine.

    The mental image of a bunch of Greek soldiers pouring from the sphincter of a huge, wooden butt is just too funny for words.

  • by ph43thon ( 619990 ) on Thursday August 28, 2003 @04:13PM (#6817593) Journal
    the internet has become self-aware.. these aren't trojans and virii that we see.. (well, they are, but) we're seeing the Internot wake up. It's practicing by attacking blacklists.. since they prevent full unfettered emailing. Network Packets have become the flowing nuerons of it's killer Internett brain.. all these random SoBigs and Slammer.Dongs are multiplying to the point where sentient behaviour must emerge!!!!

  • by hey ( 83763 ) on Thursday August 28, 2003 @04:13PM (#6817597) Journal
    Maybe this is the SoBig.F zombies at work. They have awakened from their "sleeper cells". There was a rummor [slashdot.org] that they were going to be used by spammers -- but not in this way.
  • by RevJim ( 564784 ) on Thursday August 28, 2003 @04:14PM (#6817618) Homepage

    I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.

    If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.

  • by teamhasnoi ( 554944 ) * <teamhasnoiNO@SPAMyahoo.com> on Thursday August 28, 2003 @04:17PM (#6817649) Journal
    Otherwise, we are going to be a nation of skinny, refinanced, gargantuan penises that want to show you something on our webcams!

  • Who replies to spam? (Score:5, Interesting)

    by smcavoy ( 114157 ) on Thursday August 28, 2003 @04:20PM (#6817709)
    Has there ever been studies on who responds to spam, and why?

  • by emil ( 695 ) on Thursday August 28, 2003 @04:22PM (#6817734)
    • Centralization of the blacklist is bad. Therefore, the lists should be p2p.
    • Each blacklist should be signed by the maintainer's private key. The public keys should be kept in several well-known locations.
    • An application, running on a mailserver, should have options to:
      1. Download blacklists from specified upstream sources, preferably by rsync protocol, although even gzip would be an improvement over what we've had.
      2. Apply some or all of the blacklists to inbound messages.
      3. Offer the blacklists for further download.
      4. Automatically announce new blacklists, the recall of canceled blacklists, or newer/faster/replacement upstream blacklist servers.
    • The blacklist application should work with all major MTAs, including sendmail and exchange. It should be platform-neutral, and we should do what is necessary to get MS to package it on the CD.

    I can easily see web content filtering going the same way eventually.

  • by mabu ( 178417 ) on Thursday August 28, 2003 @04:23PM (#6817743)
    People need to understand two reasons why they get spam and DDOS attacks:

    1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.

    It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implmenting measures to shut down networks that have rogue systems consuming illegitimate bandwidth.

    2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.

    No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.

    We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.

    Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.
  • by raj2569 ( 211951 ) <rajNO@SPAMlinuxense.com> on Thursday August 28, 2003 @04:31PM (#6817858) Homepage
    As the anti spam officer in a Major ISP in India, I have no problems with blocklists as such. But the people who maintain the blacklists also has a responsibility to correct their mistakes immediatly. They must listen to people who maintain networks and if a machine is wrongly listed they must remove it. The procedure for taking out a machine from blacklists must be documented and verifiable.

    We have a large cable network, and there are 3 4 trouble making customers. We do allow people to run their own mail servers. But that also means that some customers misuse it to send spam. It takes us a day or 2 to shut down the spammer, and by then the C bloc will be listed in some black holes.

    Now de listing it becomes a major pain if the black holes are not responsive. If the procedures are well documented life of ISPs become much easir.

    and no we have not considered denying the freedom of our customers to run their own outgoing mail servers. one or two random spammers cannot force us to deny that freedom to majority of legitimate users in our network.

  • by mercuryresearch ( 680293 ) on Thursday August 28, 2003 @04:33PM (#6817880) Journal
    I'm getting a bit tired of people applauding DOS attacks on blocklists. Many of us run small mail servers for ourselves and/or small companies where EVERYONE who recieves email is in agreement that blocking spam is the right thing to do. When everyone chooses to do this, it's not censorship. Seriously -- the volume of spam is overwhelming, and in a small business there is no one delegate managing email to, and it's consuming precious bandwidth. Spam is the problem, not block lists. No spam, no blocklists, simple as that.

    My server has seen as many as 500 spams a day directed at it -- for just two email accounts releated to my business. I had little choice but to elect to use drastic measures and escalate them until the spam became manageable -- and the best defense due to bandwidth issues (we run on just 128K because that's all that's available to us) is blocklists. The problem has been so bad that I maintain an internal block list that uses iptables to simply not route packets from IP blocks (/24) for any email that gets through the first layer of blocklists that sendmail checks.

    Osirusoft in particular was very, very useful to me, because they maintained a number of DNS mirrors of other blocklists, so you could pick and choose how drastic you wished your blocking to be. I will miss their service greatly -- and can already notice it as my spam has doubled since it was removed from my sendmail config.

    Without blocklists, email for my small business at least would be useless. I know that I've lost business using them, but I'd lose more business/time/money without -- there's no friggin' way I'm going to search through (and accept the bandwidth hit from) five hundred messages to find the few legitimate ones and still have time to get real work done.
  • WAR (Score:4, Insightful)

    by hawkbug ( 94280 ) <psx@fi[ ]e.com ['mbl' in gap]> on Thursday August 28, 2003 @04:39PM (#6817945) Homepage
    This is WAR. Spammers will stoop to any level to get their crap into people's mailboxes, and now the blacklists are giving into their guerilla tactics - I say keep fighting, eventually they will figure out where the attack is coming from, and shut the damn thing down. We must never give up fighting spam, at any cost.
  • Blacklists and Spam (Score:4, Informative)

    by DLG ( 14172 ) on Thursday August 28, 2003 @04:40PM (#6817955)
    I personally HAVE been blacklisted (by ordb.org) and once I cleared up the problem (some ability to relay) I was let out. This took 2 hours total, so I feel comfortable USING ordb.org myself, now that I am responsible for protecting a large network from spam. I also use spamassassin, quarantining and a number of other methods to prevent false positives, and we do notify once you get past spamassassin.

    If I did not use SOME rbl though, I would be sending out 6000 spam blocking notification messages a day mostly to people who aren't there or are not the real sender. Since I block things prior to getting through postfix, I am able to send them back a clear informative message on the blockage, DURING the transmission.

    In any case, I have heard of lots of bad stuff about SPEWS and all but my experience with spamhaus and ordb are that both help block alot of mail, and are responsible with their efforts.

    In any case, it is my business (and my company's business of course) how we handle our incoming stream. If we choose to use a blacklist that is our right. As it waspointed out, we could always create our own (It is pretty easy to create a dnsbased one even to share with a few friends or whatnot)...

    No one is going to be able to stop ALL blacklists, but by attacking the large centralized ones, it does not IMPROVE the ability to get taken off an RBL. It just makes it harder really.

  • by rayvd ( 155635 ) on Thursday August 28, 2003 @04:40PM (#6817959) Homepage Journal
    This morning around 6:30AM MST, the spam levels on our work server dropped from ~800 spam/hr to ~35/hr. They'd been hovering at the 800 level for more than a week (most are not actualy spam, but "bounces" from SoBig.F faking our domain as the From address). It's staying right around 35 still about 7 hours later..

    Not complaining, but very strange nonetheless!
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Thursday August 28, 2003 @04:42PM (#6817992) Homepage
    Perhaps it's not the spammers ...

    Perhaps it's Something [somethingawful.com] Awful [kuro5hin.org] that's doing it?

    Fark [fark.com] seems to think so [fark.com].

    (Ever feel like you're writing for memepool [memepool.com] or Everything2 [everything2.com]? I sure do!)

  • by dcavanaugh ( 248349 ) on Thursday August 28, 2003 @04:57PM (#6818137) Homepage
    We use Spam Assasin on Sendmail. We have Sendmail configured so that when a message is positively identified as spam, we automatically update our local access file to blacklist the entire class C of the relay host.

    I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.
  • by ryanvm ( 247662 ) on Thursday August 28, 2003 @05:22PM (#6818466)
    I think this is cool. An epic battle between good and evil rages on the Internet. It's sort of like a Lord of the Rings for geeks. Oh wait, Lord of the Rings is for geeks.
  • by zaad ( 255863 ) on Thursday August 28, 2003 @05:23PM (#6818496)

    I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).

    The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintaining a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.


    1. No external testing/probing is required. All blacklisted IP's have been known to be an originator/relay point of spam.
    2. A copy of the spam message can be retained in case of any dispute.
    3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
    4. A false positive does not impact systems not directly under your control.
    5. Corrections to the dnsbl can be made as urgently as your time would allow.
    6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.

    1. Bayesian filter requires training and maintenance.
    2. Personal dnsbl also means personal attention. More time and resources required to manage.
    3. Not immune to false positives (actually amplifies the effect).

    I'm sure I've missed some points on both the pros and cons, but it's a start.

    Additional details of the plan had included a web interface for the blacklisted IP's delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per a configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party to purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.

    My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could careless if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not in theory of being capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).

    Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.

    Any volunteers?
  • by Skapare ( 16644 ) on Thursday August 28, 2003 @06:15PM (#6819043) Homepage

    Maybe this is NOT even a DDoS attack at all. The SoBig.F virus includes its own SMTP engine, and so, is bypassing the smart host mail server at each of the various ISPs the infected machines are served by. It is now making SMTP connections to various MX hosts all over the network directly from that access IP address which probably never was used that way in the past by most people. DNSBLs are, or were, scalable because the queries done by the receiving MX servers to verify each sending IP address would be cached by the DNS server there for usually at least a day or two. That caching is effective when the number of connecting SMTP clients (the sending role) is small. What SoBig.F did was greatly increase the number of different IP addresses being SMTP clients. This could be immensely greater, many times the number originally seen. That would mean the resolving DNS server at the MX server site would be missing its cache much more often, both due to the more diverse queries being done, as well as the increased volume of mail. My theory is that this alone, if the increase factor is high enough, could overwhelm the authoritative DNS servers for the DNSBL zones and appear like a DDoS attack.

    DNSBLs might have also be configured in more servers as a result of the SoBig.F virus going around, too, to help block it.

    How to verify this would be to examine the range of source addresses hitting the authoritative servers. If the range is about the same as before, or generally represents the resolving DNS servers those MX servers are using, then I could be right. Still, it is possible for a real DDoS attack to fake exactly that so as to look like this theory holds.

    If the attack has source addresses that are not functioning as resolving DNS servers, then the theory would be wrong. But resolving servers, when run separate from authoritative servers, are usually blocked from outside usage. So simple testing would be inadequate to show that they are not real DNS servers.

  • by rahlquist ( 558509 ) on Thursday August 28, 2003 @10:24PM (#6820703) Homepage
    Ok we have all this wonderful file sharing technology avalible, why not put it to good use. Why not build a distributed black list. One that is shared over an automated file sharing network similar to Napster or Kazaa. DDOS only works with a target, with 100 or more geographically diverse machines sharing it I wish them luck. Make being able to access the list depend on your willingness to share it out too. Of course someone would have to figure out the infrastructure but this would rock.

Adding manpower to a late software project makes it later. -- F. Brooks, "The Mythical Man-Month"