DoS Assaults Underway Against Spam Blocklists 797
Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
Why does he think it's spammers? (Score:5, Insightful)
Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down. They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.
All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that are in a position to stem these attacks. This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!
MOD PARENT DOWN. (Score:5, Funny)
Re:Nonsense. (Score:3, Interesting)
MOD PARENT SIDEWAYS (Score:5, Funny)
Everyone appears to want to direct mod power today, so why not?
Re:MOD PARENT SIDEWAYS (Score:3, Funny)
Re:Why does he think it's spammers? (Score:3, Insightful)
Re:Why does he think it's spammers? (Score:4, Interesting)
Re:Why does he think it's spammers? (Score:5, Informative)
The problem is that collective IP blacklisting is so mistake-prone that it's just unacceptable. I had a server, one that hosted e-mail for several domains (none of which do anything remotely spam-like), and somebody forged the IP in a header, and the server got into some darned blacklist based on three anonymous "reports". Thankfully, most people are smart enough to use better anti-spam measures such as keyword or header filtering, which don't cede control to external mobs.
On a corporate server, you'd be nuts to use one of those blacklists; at the very least, you want to be able to whitelist your important business partners. Perhaps the DDOS attacks are from some disgruntled sysadmin who got canned when an important e-mail to the CEO mistakenly bounced.
Re:Why does he think it's spammers? (Score:5, Informative)
Re:Why does he think it's spammers? (Score:5, Insightful)
These lists are basically operating under the assumption that punishing a large group of people weakly associated with undesired behavior will result in the elimination of that behavior by the minority of that group. The innocents are unable to do anything about the people they are affiliated with. The ISP is like a zoning commission. Yes, with enough complaints from their customers/constituents, they might change their ways, but in the short term, the people punished have no real control over the situation.
You also show why this tactic is doomed to failure. The honest non-spammers will continue to not spam, but be incredibly inconvenienced, while the spammers will ignore the edict and run around spamming on other networks.
Doug
SPEWS effectiveness (Score:3, Interesting)
Re:Why does he think it's spammers? (Score:3, Insightful)
But that was bad. Really bad. Because it created an environment that favored ISPs who let a spammer on at least once and a while, then moved them around or tempora
Re:Why does he think it's spammers? (Score:3, Insightful)
The problem is it may be fine for you to want to press hard against ISPs and potentially drive them out of business if they're light on spammers. Fine, that's your choice, make your voice heard with your dollar. The rest of us have to make do with the resulting mess.
I don't care how easy it is to get un-blocked, the problem is there's still lag between being blocked, and finding that out, and then figuring out
indeed (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Re:Why does he think it's spammers? (Score:5, Insightful)
How is it "evil" to publish a list of IP addresses that match listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).
What he is getting at is not himself using the list, it is middling sized ISPs using these lists preventing him from sending legitimate e-mail to people who can't get that e-mail, because his ISP is blackholed even though the ISP has corrected the issue that got them on the blackhole list in the first place. Or that his ISP's ISP happens to be blackholed through no fault of his own ISP's policies or practices.
The problem with blacklists is that they decide that it is more important to throw the baby out with the bath water than it is to see if the baby is clean.
-Rusty
Re:Why does he think it's spammers? (Score:4, Funny)
Re:Why does he think it's spammers? (Score:4, Informative)
Not quite correct. They decide to list, and delist, people based on their criteria. They decide how you will contact them when you get listed - or decide to make it absolutely impossible to reliably contact them, and decide to mock you/nitpick the minutiae of your phrasing when you fall back on posting to nanae.
And many of them decide, quite clearly, to be assholes.
Re:Why does he think it's spammers? (Score:4, Informative)
I will tell you precisely why, and these points are almost never brought up by the usual SPEWS critics:
1) Those listing criteria are not publicly specified - only a small group of network admins, and readers of NANAE, who are familiar with SPEWS understand their method. The vast majority of admins using these blacklists are people who are just desperate to stop spam so they install tool XYZ without realizing the implications. SPEWS feeds on this desperation to get their foot in the door - it's not until someone finds that a ton of their legitimate mail is being blocked due to deliberate "collateral damage" that they realize they need to ask their administrator to stop using SPEWS (or whitelist the hapless victim with whom they're trying to communicate).
2) SPEWS keeps logs which are not detailed and often downright inaccurate.
3) SPEWS does not provide a way for spam filters to differentiate between real spammers and collateral damage. It's all listed the same.
There is a reason why civilized countries have laws against libel/slander, and SPEWS walks a *very* thin line.
Re:Why does he think it's spammers? (Score:4, Informative)
The SPEWS FAQ (still available at a number of mirrors) very clearly spells out the criteria for SPEWS listings. You are either willfully ignorant or lying to make such a claim.
SPEWS keeps logs which are not detailed and often downright inaccurate.
Specific reference, please.
SPEWS does not provide a way for spam filters to differentiate between real spammers and collateral damage. It's all listed the same.
SPEWS makes it very clear that their listing is of IP addresses owned by spammer-friendly ISPs, not just spammers. If an admin uses SPEWS without understanding what it will be filtering, that admin should be fired.
Re:Why does he think it's spammers? (Score:4, Informative)
In the mean time, feel free to dig through these [google.com].
Re:Why does he think it's spammers? (Score:4, Interesting)
Have you -ever- worked in network security?
Have you -ever- worked an abuse desk?
Having cleaned up one hosting provider's network (and reputation) I take great umbrage with this statement:
They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.
These blocklists are very effective in stopping the entry of spam into a user's network. While I also think the guys running SPEWS could use some lessons in public relations, and have an easier way of getting IPs removed, that does -not- mean that they're evil and ineffective.
I also do not believe it is the large ISPs that are behind this. That's almost as laughable as Julian's statement that it's organized crime behind it. It's likely the larger spam groups that are behind it, like Ralsky and his ilk. And I -know- he has no moral compunction to not break the law.
And just a reminder:
Spamming is ILLEGAL in a not insignificant number of states, and several of them explicitly allow for blocking of offending IPs if the ISPs involved are unresponsive.
Re:Why does he think it's spammers? (Score:5, Informative)
These blocklists are also very effective in keeping me from sending email from my T1 from Lightyear Communications.
I'm sure there are a million other guys out there with a thousand dollar a month T1 that is completely worthless for emailing customers thanks to these blocklists.
Go ahead and shout "spam-haus" and tell me I'm doing business with spammers or companies that support spammers, or in this case, our company's T1 is provided by a company (Lightyear) that gets their upstream from a company (UUNet), that supports spammers.
I guess by associating with spammers through about 4 levels of indirection, we are guilty and need to be punished.
Spam-Nazi apologists are worse than Spam-Nazis themselves. I was a Spam-Nazi myself until suddenly the punishment was applied to me, and there was nothing I could do about it.
I hope SPEWS is pinned by packetting until they shut down.
Re:Why does he think it's spammers? (Score:5, Insightful)
> T1 that is completely worthless for emailing customers thanks to these
> blocklists.
What you are wrong about is it's not thanks to the blocklists, it's thanks to the ISPs that have willingly chosen to use the blocklists, and share the same opinion as the people that run the blocklist, who do not want you to email them.
Do you think it's only you that knows SPEWS blocks UUnet?
The ISPs that use SPEWS know this too. They still use SPEWS. They do not want email to enter their network that comes from you!
Yes, even through about 4 levels of indirection, the networks you are trying to send email to have chosen to not want your emails.
Why are you blaming the blacklists for this?
You bitch and moan that it isn't fair to you to have your IPs blocked by those that want them blocked. You sound just like a spammer with that logic.
You may be happy to see SPEWS packeted until they are shut down, but what about my right to choose that I want to block email from people who spam, and people just like you, who use ISPs indirectly that support spam?
Are you so much more important than I that my right to choose not to receive your email is less important than your right to force your emails upon me against my will?
Re:Why does he think it's spammers? (Score:3, Insightful)
I'm not emailing you asshole.
I'm emailing my customers who are users of ISPs who tell them nothing about their use of SPEWS. They then call us and claim they never got their bills or statements, and we're supposed to explain to them how THEIR ISP is behaving (choosing to throw away their legitimate emails without notifying them). Then whe
ever tried to get off SPEWS? (Score:5, Insightful)
Re:ever tried to get off SPEWS? (Score:5, Informative)
They start with the IP, then list class C, then widen the number of class Cs. It takes a fucking lot to get expanded. There is less than 1% of the internet listed by SPEWS (after removing IANA reserved space)
I have Brazil, Argentina, Korea and China tagged on my server. Number of false positives: 0. YMMV.
Re:ever tried to get off SPEWS? (Score:5, Informative)
Yes, some may say "find another ISP", but that's not always easy; contracts may make that impossible for many months and the ISP may otherwise be fine as is.
If they block anything, they should only block the IPs that cause the problem, not large netblocks.
Re:ever tried to get off SPEWS? (Score:5, Interesting)
Maybe this time it's a decent excuse, but next time you know. And any provider not willing to include a clause that lets you out if they get blacklisted is probably knowingly hiding spammers.
As to whether the provider is really "fine otherwise", to me that's like saying "my new dog keeps chewing the neighborhood kids' finger off, but otherwise he's fine . . . "
I'm really sorry that SPEWS has been a hassle for you and others, but it's worth it to me, and I wish more providers used SPEWS or similar (well, if it ever comes back). And, now that you know, you can plan for this sort of eventuality in the future, because it's only going to get more and more common as spam continues to grow.
Re:ever tried to get off SPEWS? (Score:5, Insightful)
That's a great idea. On the other hand, I live in a small town with exactly one feasible ISP that's not a residential cable service with incoming port filters. My options are:
Hmmm. Let me think about that one for a while.
Re:ever tried to get off SPEWS? (Score:4, Funny)
Re:ever tried to get off SPEWS? (Score:3, Insightful)
No, it's the equivalent of trying to go from the slum to the downtown area. With your analogy, the city has walled off the slum. Those who live in the slum and want to go into the city have to move out of the slum first. I wonder how well that policy would go down outside the digital realm. Besides, if I recall, the government
Re:ever tried to get off SPEWS? (Score:3, Insightful)
Ok.
Tell me how an ISP can be 100% sure that the new user application they just received will not be used for spamming?
That's fundamentally what SPEWS is requiring of the ISPs.
Re:ever tried to get off SPEWS? (Score:3, Insightful)
And that is perfectly OK! Really. Part of the reason that spam exists is its largely unregulated environment. It's market-driven, and so SPEWS is a reasonable way of dealing with such a scourge when laws and regulations can't or won't help. Of course, by extension, it's perfectly OK for SPEWS to go away or fade into obscurity due to market backlash against it. It's worth noting that this did not happen. SPEWS was continuing to gain popularity.
But DDoS is
Re:ever tried to get off SPEWS? (Score:3, Funny)
Oh, wait, pebs [slashdot.org]! I know, tell that "SCO [slashdot.org] from [slashdot.org] it [slashdot.org]" joke again!
That's a great one, especially over and over again!
Remember how you kept posting that joke, and like, getting modded +5 Funny, over and over again on the same joke, but then you found out that Funny mods don't count toward your karma, and you were all pissed and stuff, because you learned that? That was awesome! Heh.
Re:ever tried to get off SPEWS? (Score:5, Insightful)
Spammers with unbalanced ethics:lawyers ratios have already attempted to make life hell in court for blocklist owners that they could track down. I know of no instances where the spammers won, but the costs and hassles associated with defending yourself from a lawsuit exist whether one wins or loses.
Who can blame SPEWS for planning ahead for this? Answer: spammers who are really pissed off.
, and there's no way to get a hold of them. They start with Class C's, then progress to banning class A's.
That's the whole goal of SPEWS. SPEWS is not a list of spammers, it's a Spam Prevention Early Warning System. Listing individual spammers' addresses has not been entirely effective, as spammers simply find providers who are willing to lie for them, thus SPEWS was created to punish ISPs who are unresponsive to legitimate abuse reports. SPEWS exists to counterbalance the profit those ISPs may make from spammers with loss of profits from those who want to use the internet for a legitimate purpose.
Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists.
I add a very very large score via SpamAssassin to any mail that comes from Brazil, Mexico, China, Taiwan, Korea, and several other nations who appear to be becoming spam havens. What's your point? I have, in many years on the net, never received an e-mail I wanted from those countries.
SPEWS had information too on DNS blackholing (i.e. preventing your users from going to internet sites) and on HTTP blocking.
Uhhhh...yes...and? Is there something immoral about administering the ISP you are responsible for in the manner you see fit? It's my business, I can do as I damn please. If I want to filter out every website except my own, that is my right. My customers vote with their business, they do not get a direct say in how I run my outfit. Every business owner understands this concept when it is put into their terms, yet spammers seem to be very against this right when it comes to ISP owners. Gee, wonder why.
If it was anyone else (the government) who was advocating this, people would be outraged.
So? Very often it is acceptable for an individual to do something that a government cannot. For instance, if the government tried to convince me to go to XYZ Church, I would be outraged. For an individual to do so is nothing short of normal.
Re:ever tried to get off SPEWS? (Score:4, Insightful)
This results in their customers not receiving email. The decision that the sender of that email wasn't legitimate has been removed from the user and the sender and placed in the hands of some anonymous third party.
In general, the ISP answer to blocking complaints is they simply use the list and do not control the content of it. The blocking list provider - if contactable - claims they just make up the list and the use of it is outside of their control. This means nobody is accountable for blocking.
The problem with this sort of censorship - and it is indeed censorship - is the user never hears about it. When a business is blocked they quickly discover that blocking has made email unreliable for communications with customers. They can either abandon email for important stuff or they can try to convince the blockers that their commercial use of email is valid. This is extremely difficult. Why? Spammers use email - if you use email commercially, then you might be a spammer. If you get blocked and claim you were blocked in error, you might be lying. Spammers lie, so anything you say can be considered to be a lie. Why should anyone unblock a spammer?
Either email can be used for commercial purposes, or it cannot. Anti-spam folks want to ban all commercial use of email.
Brazil (Score:3, Informative)
Yes, many have the entirety of Brazil blocked. And for good reason, too. Doing so cuts out a huge chunk of spam and reduces the costs on the receiving mail servers and networks noticeably. It works.
The problem is that most of Brazil is served by one big telco monopoly that is operated entirely incompetently. That doesn't necessarily mean each person in that company is incompetent, but those that are not are surely aware of their inability to do the right thing and stop the spam.
Some people even blocke
Re:ever tried to get off SPEWS? (Score:3, Funny)
Re:Why does he think it's spammers? (Score:5, Insightful)
Am I the only one who did not have this problem? (Score:5, Informative)
The volume of spam is sufficient without removing the blacklists.
Re:Why does he think it's spammers? (Score:3, Informative)
Your network is probably still providing some service to a spammer in some way. The requirement of SPEWS, other than for first time spammers (i.e. this means any services to any repeat spammers), is that absolutely every service be terminated with no exceptions. This not only includes IP access through which they may spam, but also web hosting, DNS hosting, phone service, office space rental, ... everything ... period. Now if you really have done all that, and posted a description of exactly everything t
Re:Why does he think it's spammers? (Score:5, Informative)
Here's a great blow by blow report [fastmail.fm] of one such incident by Jeremy Howard, one of the directors of the company, as well as some reasons the list doesn't work.
Re:Why does he think it's spammers? (Score:3, Interesting)
This is getting tiresome . . .
My own email provider (Fastmail.fm) is very proactive about eliminating spammers and has a very strict anti-spam policy; however, it has been erroneously listed on Spamcop on at least one occasion causing problems for all of its legitimate users.
How do you know, other than by the facade they present to you, how pro-active or strict their antispam policy is? How do you know the listing was erroneous? Bottom line: you do
Sorry, In Your Rightous Anger You Missed the Point (Score:3, Interesting)
Re:Why does he think it's spammers? (Score:5, Insightful)
Anyone who needs to point out someone else's political leanings in order to denigrate them generally has a soft spot for Chairman Mao.
Re:Why does he think it's spammers? (Score:3, Funny)
Heh I read that as "...generally has a soft spot for Charmin".
Maybe I just don't have enough caffeine in my system right now, but that made for an amusing interpretation.
Re:Why does he think it's spammers? (Score:5, Insightful)
Blacklists' downfall (Score:2, Interesting)
I wonder how many people really rely on blacklists anymore. I've tried using them before only to find out that over half of my legitimate email was being filtered and a significant amount of spam was still getting through.
Bayesian is the only
Quite a few actually. (Score:4, Informative)
And depending on just Bayesian filtering is putting all of your eggs in one basket, IMHO (though it is a pretty darn good basket). There are many spammers out there trying to poison Bayes databases by adding random dictionary words to their HTML based emails.
Re:Quite a few actually. (Score:3, Informative)
Re:Blacklists' downfall (Score:4, Insightful)
1. Close your open relays
2. Kick off known spammers
3. Stop list washing system admins who complain about spam
4. Stop making it nearly impossible to submit complaints
"Affective" it maybe but it is also expensive (Score:3, Insightful)
Lists work pretty well. They occasionally piss people off, but the cost
Re:Whitelisting (Score:4, Informative)
Whitelist: allow everything in from anyone on that list
IFF doesn't meet above criteria, filter it.
So, it doesn't prevent anyone from contacting you the first time, unless their email says something like "bigger penis breast enlarger xxx sex goatse.cx tubgirl"
Best defense is a good offense (Score:5, Funny)
Re:Best defense is a good offense (Score:2, Funny)
Let's send them tons of unwanted emails advertising p0rn and herbal supplements.
It's illegal (Score:5, Insightful)
Re:It's illegal (Score:5, Interesting)
Re:It's illegal (Score:5, Insightful)
Try as they may... (Score:4, Funny)
Might not be spammers (Score:5, Interesting)
Personally I don't believe blacklists are the way to go, I think simply intelligent filtering should be installed wherever possible, and eventually spam will die out. I know spammers are smart and work their way around all sorts of blocks, but so are we, and there's a lot more of us than there are of them.
ObDisc:Don't bother flaming me about "collateral damage" or any of that crap, since I'm not the one ddosing the servers, and I've yet to find myself blacklisted, so I'm not interested.
SoBig (Score:5, Interesting)
Solution (Score:4, Funny)
NUKE IT!!!
Problem solved
Funding and source for these attacks? (Score:2)
Just my act-now-to-get-a-six-foot-penis worth...
RickTheWizKid
who says its spammers? (Score:5, Interesting)
Distributed blocklists (Score:5, Insightful)
If they succeed in negating the value of centralized blocklists, guess what - admins will go back to blacklisting blocks manually. Those IP blocks will become useless once enough people add them to their blocklists, and there won't be any easy way of redeeming them.
Anyone who wants to get internet access better get a clause in their contract guaranteeing that the IPs they get weren't abused by someone in the past, or else they might be getting a useless connection.
at least you can be removed. (Score:3, Insightful)
Unfortunately, spammers are like bad apples - when they find a spam-friendly ISP, they tend to conglomerate. Second, you don't think that individual SysAdmins will do worse? At least with centralized blocklists, you can be removed. Try that wi
Desperation (Score:4, Insightful)
Re:Desperation (Score:5, Insightful)
Re:Desperation (Score:3, Interesting)
Blocking mail might do that, but there are any number of ways to stop spam, and every last one of them involves making the price of spam a price no one is willing to pay.
Using Bayesian filtering to build a set of IPs for which more than a threshold (say 90%) of e-mail is spam, then adding them to your blacklist (mail server or router blacklist).
Kirby
Bad spam (Score:2)
"Spam, spam, spam, spam. Lovely spam, wonderful... Ow! Ow! Stop that! Bad spam! Ow! That hurts!"
Impressive (Score:3, Funny)
Impressive.
Hopefully there isn't a slashdot story linking to them any time soon!
distributed? (Score:3, Interesting)
Client-side blocking (Score:5, Interesting)
Damnit, if I want a larger penis, then I should be able to read SPAM directed towards that. That being said, I'd much prefer if these SPAM services were forced to be opt-in.
Unfortunately, client-side filtering doesn't adequately address the massive amounts of bandwidth consumed by SPAM operations. Nonetheless, the idea that an autonomous corporation/whatever can decide what is valid e-mail for ME is just as offensive, in my opinion, as e-mail advertising product/scam/idea X.
Peas,
j
Re:Client-side blocking (Score:3, Insightful)
If it was opt-in, it wouldn't be spam.
Blacklists ARE useful (Score:5, Interesting)
If I had to burn CPU to Bayes-classify all mails, it would bog me down more than I am now (running on Linux on an old PC).
DNS based BL is useful because it doesn't even let it in the door.
"Trojan arses"??? (Score:5, Funny)
The mental image of a bunch of Greek soldiers pouring from the sphincter of a huge, wooden butt is just too funny for words.
~Philly
The Internet has you!! (Score:4, Funny)
HAAHAHAHAHAHAHAHAAHAHAHA@@@@#!!  ; you beloNG TO THE INTERRRNOTT@@!!
SoBig.F zombies attack!!! (Score:5, Interesting)
Go ahead and let them die (Score:4, Interesting)
I know it sounds heartless, but as a group, blacklists are becoming less-useful by the minute.
If they were all to disappear today, it would only speed the adoption of much more valuable tools against spam, namely bayesian-type filters that are far more effective.
These attacks must be stopped! (Score:5, Funny)
Who replies to spam? (Score:5, Interesting)
Evolution of a blacklist architecture. (Score:5, Interesting)
I can easily see web content filtering going the same way eventually.
Blame the backbone ISPs (Score:5, Interesting)
1. The backbone providers make money based on bandwidth consumption. They don't care whether the traffic is legitimate or not. It's in their financial interest to not take action against DOS/DDOS attacks and they don't. Many top-level providers will not even intervene unless a lower-level ISP's pipes are completely saturated, even if they complain about a DOS attack.
It would be so easy for the backbone providers to implement temporary blocking of DDOS attacks. These types of attacks are identifiable and the whole procedure could be automated and authenticated, but the top-level ISPs make money off spam and illegal DOS/DDOS activity. People need to petition the backbones to start taking responsibility and implementing measures to shut down networks that have rogue systems consuming illegitimate bandwidth.
2. The local and federal governments do not effectively (if at all) enforce the plethora of existing computer tampering/break in/attack laws that are already on the books. These attacks CAN be tracked. The law enforcement agencies are either ignorant, unmotivated or unwilling to take action.
No new laws are needed. There are plenty of existing laws on the books right now to justify criminal prosecution of these attackers, which don't merely attack relay blacklists, but every other network along the way, making everyone suffer, including systems that don't use blacklists.
We need to hold the proper people accountable for not using the existing legal system to stop this; we need to hold the top-level providers responsible for allowing a majority of the traffic they bill their clients for to be unauthorized and illegitimate.
Imagine if 70% of the time you picked up your telephone someone else was using it? This is what's happening with Internet bandwidth.
Black lists and delisting (Score:4, Insightful)
We have a large cable network, and there are 3-4 trouble-making customers. We do allow people to run their own mail servers. But that also means that some customers misuse it to send spam. It takes us a day or 2 to shut down the spammer, and by then the C block will be listed in some black holes.
Now delisting it becomes a major pain if the black holes are not responsive. If the procedures are well documented, the life of ISPs becomes much easier.
And no, we have not considered denying the freedom of our customers to run their own outgoing mail servers. One or two random spammers cannot force us to deny that freedom to the majority of legitimate users in our network.
raj
A Defensive tool, not censorware (Score:5, Insightful)
My server has seen as many as 500 spams a day directed at it -- for just two email accounts related to my business. I had little choice but to elect to use drastic measures and escalate them until the spam became manageable -- and the best defense due to bandwidth issues (we run on just 128K because that's all that's available to us) is blocklists. The problem has been so bad that I maintain an internal block list that uses iptables to simply not route packets from IP blocks (/24) for any email that gets through the first layer of blocklists that sendmail checks.
Osirusoft in particular was very, very useful to me, because they maintained a number of DNS mirrors of other blocklists, so you could pick and choose how drastic you wished your blocking to be. I will miss their service greatly -- and can already notice it as my spam has doubled since it was removed from my sendmail config.
Without blocklists, email for my small business at least would be useless. I know that I've lost business using them, but I'd lose more business/time/money without -- there's no friggin' way I'm going to search through (and accept the bandwidth hit from) five hundred messages to find the few legitimate ones and still have time to get real work done.
WAR (Score:4, Insightful)
Blacklists and Spam (Score:4, Informative)
If I did not use SOME rbl though, I would be sending out 6000 spam blocking notification messages a day mostly to people who aren't there or are not the real sender. Since I block things prior to getting through postfix, I am able to send them back a clear informative message on the blockage, DURING the transmission.
In any case, I have heard of lots of bad stuff about SPEWS and all but my experience with spamhaus and ordb are that both help block a lot of mail, and are responsible with their efforts.
In any case, it is my business (and my company's business of course) how we handle our incoming stream. If we choose to use a blacklist that is our right. As it was pointed out, we could always create our own (It is pretty easy to create a DNS-based one even to share with a few friends or whatnot)...
No one is going to be able to stop ALL blacklists, but by attacking the large centralized ones, it does not IMPROVE the ability to get taken off an RBL. It just makes it harder really.
Anyone else observe a huge dropoff in spam? (Score:3, Insightful)
Not complaining, but very strange nonetheless!
Perhaps it's not the spammers ... (Score:4, Interesting)
Perhaps it's Something [somethingawful.com] Awful [kuro5hin.org] that's doing it?
Fark [fark.com] seems to think so [fark.com].
(Ever feel like you're writing for memepool [memepool.com] or Everything2 [everything2.com]? I sure do!)
Think globally, act locally (Score:5, Interesting)
I have been watching this closely for several weeks. Originally, I thought there would be trouble -- surely we would nail some legitimate networks and have to unblock them. But NOOOOO! Every day we reject more and more via the local blacklist and it's always the evildoers. I don't think anyone needs a DNS-based blacklist, all you have to do is harvest the power of the spam data you already have.
I think it's cool... (Score:5, Funny)
Yet Another Plan for Spam (Score:3, Interesting)
I used to use dnsbls. When it was clear that blacklists weren't sufficient, I used them in conjunction with filtering. Then I had trouble with false positives of various dnsbls to the point where I'm now only using the filters. Of course, simply filtering doesn't solve the network and computing resources problem. So I had hatched Yet Another Plan for Spam a while back (had mucked around a bit with implementing it but got distracted).
The plan is essentially to use bayesian analysis of incoming mail to detect "open relays" and maintain a personalized dnsbl. Initially every piece of incoming mail is analyzed. Upon being tagged spam, the connecting IP is added to the dnsbl preventing additional relaying of messages.
Pros:
1. No external testing/probing is required. All blacklisted IPs have been known to be an originator/relay point of spam.
2. A copy of the spam message can be retained in case of any dispute.
3. It's a personalized dnsbl so that it is generally immune to becoming a target by spammers (either ddosed or litigation).
4. A false positive does not impact systems not directly under your control.
5. Corrections to the dnsbl can be made as urgently as your time would allow.
6. Saves network and cpu resources due to rejection of additional messages from blacklisted IPs.
Cons:
1. Bayesian filter requires training and maintenance.
2. Personal dnsbl also means personal attention. More time and resources required to manage.
3. Not immune to false positives (actually amplifies the effect).
I'm sure I've missed some points on both the pros and cons, but it's a start.
Additional details of the plan had included a web interface for the blacklisted IP's owner to delist the IP. The scheme works on a token system. Each IP is given a configured number of tokens per configured period. Each delisting requires a token and is subtracted. Hopefully, this will minimize manual effort as it's trivially easy to get delisted (only requiring the blacklisted admin to visit a page and click on a button). However, if the problem is not fixed and the same IP continues to get listed and runs out of tokens, then my plan was to have the blacklisted party purchase more tokens (something like the same webpage generating a tracking number linked to a paypal account). That way, there would also be financial incentives for the admin to fix their open relays.
My intention with the personal dnsbl was to reject future SMTP relay attempts based on IPs that have been known to relay spam. It doesn't exist to identify every open relay or proxy, but simply to deny those hosts the opportunity to send me more spam. I could care less if someone is running an open relay as long as it doesn't send me spam. So my plan is to only reject mail from people that have actually spammed me, and not those who are in theory capable of spamming me. And the reason to use the connecting IP instead of any content in the email is to prevent junk data (too easily spoofed).
Anyhow, that was my YAPS. If enough people used such a system, it would probably put a decent dent in spam and open relays.
Any volunteers?
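The "local blacklist harvested from your own spam data" idea (the "Think globally, act locally" post) and the YAPS plan just above are the same mechanism, so here is one toy model of it, as an added example that is not the poster's code. A tiny naive Bayes classifier stands in for the "bayesian analysis"; the training messages, the 192.0.2.10 sending host and the token limits are all constructed. It lists the connecting IP (never anything from the headers), rejects later connections from listed hosts without scanning them, keeps the message that caused the listing, and rations self-service delisting with per-period tokens. The demo also shows the post's con #3: once a host is listed, its next legitimate message bounces too.

```python
"""Toy model of the 'YAPS' personal DNSBL sketched in the post above.
Constructed example: a tiny naive Bayes classifier stands in for the
'bayesian analysis', and all addresses, messages and limits are made up."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")

def tokenize(text):
    return TOKEN_RE.findall(text.lower())

class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing over word tokens."""
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.counts[label].values())
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            for tok in tokenize(text):
                lp += math.log((self.counts[label][tok] + 1) / (total + len(vocab)))
            logp[label] = lp
        m = max(logp.values())  # log-sum-exp keeps the division stable
        return math.exp(logp["spam"] - m) / sum(math.exp(v - m) for v in logp.values())

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold

class PersonalDNSBL:
    """Lists the *connecting* IP (not anything from the headers) once a message
    from it is tagged spam, and rejects later connections from it without
    classifying. Delisting is self-service but rationed by tokens per period."""
    def __init__(self, classifier, tokens_per_period=2, period=86400):
        self.classifier = classifier
        self.period = period
        self.tokens_per_period = tokens_per_period
        self.listed = {}        # ip -> retained copy of the message that listed it
        self.token_state = {}   # ip -> (period_start, tokens_used)

    def receive(self, ip, message):
        if ip in self.listed:
            return "REJECT_LISTED"        # no content scan: saves CPU and bandwidth
        if self.classifier.is_spam(message):
            self.listed[ip] = message     # keep the evidence in case of dispute
            return "REJECT_SPAM_LISTED"
        return "ACCEPT"

    def delist(self, ip, now):
        if ip not in self.listed:
            return "NOT_LISTED"
        start, used = self.token_state.get(ip, (now, 0))
        if now - start >= self.period:    # new period: tokens refill
            start, used = now, 0
        if used >= self.tokens_per_period:
            self.token_state[ip] = (start, used)
            return "TOKENS_EXHAUSTED"     # the post's plan: more tokens must be bought
        self.token_state[ip] = (start, used + 1)
        del self.listed[ip]
        return "DELISTED"

def build_classifier():
    """Train on a handful of constructed spam and ham lines."""
    nb = NaiveBayes()
    for text in ("buy cheap meds now $$$ click here free offer",
                 "free money make money fast click now",
                 "cheap pills online order now free shipping"):
        nb.train("spam", text)
    for text in ("meeting tomorrow at 10 about the quarterly report",
                 "can you review the patch for the postfix config",
                 "lunch on friday? let me know"):
        nb.train("ham", text)
    return nb

def demo():
    """Walk one sending host through listing, a blocked legitimate message
    (the post's con #3), delisting and token exhaustion. Returns the outcomes."""
    bl = PersonalDNSBL(build_classifier(), tokens_per_period=1, period=3600)
    ip = "192.0.2.10"  # constructed documentation address
    return [
        bl.receive(ip, "free cheap pills click now $$$"),
        bl.receive(ip, "please review the quarterly report before the meeting"),
        bl.delist(ip, now=1000),
        bl.receive(ip, "please review the quarterly report before the meeting"),
        bl.receive(ip, "free cheap pills click now $$$"),
        bl.delist(ip, now=2000),
        bl.delist(ip, now=4600),
    ]

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The second `receive` is the amplification the post warns about: the host is rejected before its content is even looked at, so a single false positive silences every later message from that address until someone delists it. A real deployment would hang this off the MTA's connection-time policy hook and expose `delist` behind the web page the post describes.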
Maybe this is NOT even a DDoS attack at all (Score:3)
Maybe this is NOT even a DDoS attack at all. The SoBig.F virus includes its own SMTP engine, and so, is bypassing the smart host mail server at each of the various ISPs the infected machines are served by. It is now making SMTP connections to various MX hosts all over the network directly from that access IP address which probably never was used that way in the past by most people. DNSBLs are, or were, scalable because the queries done by the receiving MX servers to verify each sending IP address would be cached by the DNS server there for usually at least a day or two. That caching is effective when the number of connecting SMTP clients (the sending role) is small. What SoBig.F did was greatly increase the number of different IP addresses being SMTP clients. This could be immensely greater, many times the number originally seen. That would mean the resolving DNS server at the MX server site would be missing its cache much more often, both due to the more diverse queries being done, as well as the increased volume of mail. My theory is that this alone, if the increase factor is high enough, could overwhelm the authoritative DNS servers for the DNSBL zones and appear like a DDoS attack.
DNSBLs might also have been configured in more servers as a result of the SoBig.F virus going around, too, to help block it.
How to verify this would be to examine the range of source addresses hitting the authoritative servers. If the range is about the same as before, or generally represents the resolving DNS servers those MX servers are using, then I could be right. Still, it is possible for a real DDoS attack to fake exactly that so as to look like this theory holds.
If the attack has source addresses that are not functioning as resolving DNS servers, then the theory would be wrong. But resolving servers, when run separate from authoritative servers, are usually blocked from outside usage. So simple testing would be inadequate to show that they are not real DNS servers.
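The cache-miss theory above can be checked with a small simulation, added here as an example that is not the poster's work. It models a caching resolver at an MX site in front of a DNSBL's authoritative servers: each connecting IP becomes a distinct reversed-octet name under the list's zone, so a cached answer only helps when the same sending host connects again within the TTL. The zone name `dnsbl.example`, the 10.x.x.x sending hosts and the traffic figures are constructed; the point is how the upstream query count moves when the same volume of mail comes from many more distinct hosts, which is exactly what a virus with its own SMTP engine produces.

```python
"""Constructed model of the cache-miss effect described above: a caching
resolver at an MX site in front of a DNSBL's authoritative servers. The zone
name dnsbl.example and the client addresses are made up."""
import random

def dnsbl_name(ip, zone="dnsbl.example"):
    """DNSBL lookups reverse the octets under the list's zone, so every distinct
    connecting IP is a distinct name, and therefore a distinct cache entry."""
    return ".".join(reversed(ip.split("."))) + "." + zone

class ResolverCache:
    """TTL-based cache. Every miss is one query to the authoritative servers."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}            # name -> time the cached answer expires
        self.upstream_queries = 0

    def lookup(self, name, now):
        exp = self.expiry.get(name)
        if exp is not None and now < exp:
            return "hit"
        self.expiry[name] = now + self.ttl
        self.upstream_queries += 1
        return "miss"

def simulate(distinct_clients, connections, ttl, duration=86400, seed=1):
    """Spread `connections` SMTP connections evenly over `duration` seconds,
    each from one of `distinct_clients` sending hosts chosen at random, and
    count how many DNSBL lookups the MX's resolver has to send upstream."""
    rng = random.Random(seed)
    clients = [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}"
               for i in range(distinct_clients)]
    cache = ResolverCache(ttl)
    seen = set()
    for i in range(connections):
        now = i * duration / connections
        ip = rng.choice(clients)
        seen.add(ip)
        cache.lookup(dnsbl_name(ip), now)
    return {"distinct_seen": len(seen),
            "upstream_queries": cache.upstream_queries,
            "miss_rate": cache.upstream_queries / connections}

if __name__ == "__main__":
    # Same mail volume, increasingly many distinct sending hosts, one-hour TTL.
    for n in (50, 500, 50_000):
        r = simulate(distinct_clients=n, connections=10_000, ttl=3600)
        print(f"{n:>6} sending hosts: {r['upstream_queries']:>5} upstream queries "
              f"(miss rate {r['miss_rate']:.2f})")
```

With a TTL at least as long as the window, the authoritative servers see exactly one query per distinct sending host, which is the scalable regime the post describes; as the number of distinct hosts approaches the number of connections the miss rate tends to 1 and every SMTP connection turns into an upstream DNS query. The test the post proposes, comparing the source addresses hitting the authoritative servers with the set of known resolvers, is the way to tell this load from forged traffic.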
Distributed Spam List (Score:3, Insightful)
Re:justice (Score:3, Funny)
I find most people, when a hammer is liberally applied to the head, find their weakness to be blunt objects.
They tend to dislike them.
Re:justice (Score:3, Insightful)
Blocklists are vigilante defense, if not vigilante justice. Vigilante justice is justice meted out by self-appointed individuals or groups. Blocklists aren't, for the most part, trying to punish/mete out justice to spammers. They're just trying to block the flow of spam.
But they are self-appointed and work according to a set of informal rules that they adhere to voluntarily. That sounds like vigilante to me.
I'm not saying this as criticism, but simply as
Re: (Score:2)
Yes (Score:5, Funny)
SpamCop's Haight theorizes that the increasingly sophisticated attacks suggest a link with organized crime, but admits he hasn't a shred of evidence.
Anyone else have a wilder guess?
Yes. It's Aliens launching a denial of service attack in advance of their assimilation of the human race. This is clear and obvious to the most casual observer, although I don't have a shred of evidence to support this notion.
Re:Mitnick's at it again. (Score:3, Funny)