Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam Botnet

Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses? 106

An anonymous reader writes: I have, for a while now, been collecting IP addresses from which email spam has been sent to, or attempted to be relayed through, my email server. I was wondering if I should publish them, so that others can adopt whatever steps are necessary to protect their email servers from that vermin. However, I am facing ethical issues here. What if the addresses are simply spoofed, and therefore branding them as spamming addresses might cause harm to innocent parties? What if, after having been co-opted by spammers, they are now used legitimately? I wonder if there's a market for all the thousands of webmail addresses that send Slashdot nothing but spam.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses?

Comments Filter:
  • No (Score:2, Informative)

    by Anonymous Coward

    I think you answered your own question. The only situation might be to share it privately with others, but publicly, no!

    • by Anonymous Coward

      Why not? Though personally I think it would be useless. Companies like Cisco maintain a senderbase registry for exactly this purpose, addressing many of your concerns, and even it has limited effectiveness at stopping new infected hosts.

  • by ma++i+ude ( 580592 ) on Tuesday September 01, 2015 @10:31AM (#50436481) Homepage
    As is, nobody cares about your list. Use an adaptive blacklist and join Project Honey Pot.
  • by Anonymous Coward on Tuesday September 01, 2015 @10:32AM (#50436489)

    There are hundreds of blacklists out there: https://mxtoolbox.com/problem/blacklist/

  • by Penguinisto ( 415985 ) on Tuesday September 01, 2015 @10:32AM (#50436501) Journal

    No, really, go talk to them [spamhaus.org]... they've been doing just that as a community for a lot longer, and probably have nearly all the stuff on your list and then some.

    • by Stan92057 ( 737634 ) on Tuesday September 01, 2015 @10:44AM (#50436627)
      Ya know ive been reporting spam to the FTC for years and nothing and i mean nothing happens. I don't see any spammers getting arrested,fined by the FTC. I also send an email asking a congressman just what the FTC is doing with all the reported spam and all he did was send me a personal info form to sign and release. which i laughed at since ya have to give the very same info when ya send an email to them.
      • Hey, it's not all clouds and doom, remember that corpse of Russian spam king who was found beaten to death with hammers? that was pretty cool

      • by TheCarp ( 96830 )

        If its any consolation, I was once involved in keeping a mail server under heavy spam load working and shutting down the incoming spew.... which did actually result in someone being taken away by the police and the last words the network engineer heard as they walked away was "you are lucky you are not in handcuffs".

        Admittedly it has nothing to do with the FTC and actually involved someone at the University who was intentionally misusing resources to spam in the most bone headed way (from his own desktop in

        • That,s a great story, nice to here the bad guy getting his due for once.
          • by TheCarp ( 96830 )

            Well you know, its nice when they actually sign their name to it. No really.... the fantastically brilliant marketing campaign for his personal consulting business was to use the school network to email a joke to a massive list of his closest friends, with his ad as the email signature.

            Oh totally fooled me, you must really just have a million friends that you never emailed before this day....right..... I am sure they all opted in too.

      • by mwvdlee ( 775178 )

        What actionable material have you been sending them?
        IP's are next to useless (mostly zombie hardware and outside whatever jurisdiction you report it to).
        Email addresses are nearly 100% fake, so useless. Same for sender domain names.
        Domain names and hosting is recycled within minutes (literally!) and paid for with stolen credit cards.

        • Ive been sending my spam to spamcop for almost 10 years. The full headers, body of email to collect the link address, but thing is like i said these are big name company's paying big time money to their ISP,host,email providers. Ive been doing this for a very long time.
        • The specific host that sent it to your mail server is the only one in the email headers that can really be trusted to be real, and that's because of your own mail server logging that it received the connection from there. Let them defend themselves to Spamhaus, SpamCop, or whoever else. There are methods established for them to do that. They then provide logs showing how it got through their servers and explain what they are doing to minimize that sort of traffic.

      • by sims 2 ( 994794 )

        I got a canned letter back from them once informing me I had the right to sue. They did not however tell me which report they were talking about.

      • by msauve ( 701917 )
        Your congresscritter accepts email? None of mine do - it's all web forms which they incorrectly call "email." But, that doesn't stop them from requiring my email address, and then sending me spam.
        • Well the form was at his web site ya know for the initial question, but i had to give Full name, address, zip code, email address and phone number so I,m like WTF just get a stink n answer. But nope, have to mail in a written form with the same info so i said F it. He lost my vote.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I trust Spamhaus one hell of a lot less since they effectively blackmailed the company I worked for.

      Basically they blacklisted tens of thousands of domains (with no advance warning or contact) and refused to remove the listing until we stopped hosting a domain they unilaterally decided they didn't approve of. The domain wasn't spamming, it didn't even have any email accounts set up.

      There was no reasoning with the guy at Spamhaus I spoke with, who came across like some kind of rabidly insane cult member. Har

      • Re: (Score:2, Informative)

        by Anonymous Coward

        tens of thousands of domains

        Nobody blacklists "domains", every spam comes from a fake email address. No, they blacklist IP blocks.

        it didn't even have any email accounts set up.

        And? If you didn't block outbound SMTP it's trivial to write an SMTP client in just about any language. PHP even has mail functions built in to send mail. It's trivial to write up a PHP script that you upload a CSV file to and have it email everyone on it without an "email account".

        • Anti-spam blacklists do blacklist the domain and the IP thats host the web sites within that domain when a domain is advertised in spam messages. It's known in the industry as "spamvertising". It can get a domain kicked off of hosting if the email is clearly spam and advertises the domain even if the spam was sent through another company.

          • When I was working IT for a small company, we ended up being blacklisted because a workstation had a virus. The fact that the workstation had 0 chance of actually spamming didn't matter to them, they required the workstation to be rebuilt. Proper network design is to not allow outgoing email connections from anywhere but the email server, but that just isn't good enough for the rabid anti spam groups.

      • by Anonymous Coward

        Whatever. Unless you are high up in management, you do not know everything that is going on at your company.

        Anyway, I think you are full of shit.

        There are no innocent companies that are accused of spamming - they are either doing it themselves or allowing.

        Verdict : guilty.

        Don't like it? Fix your problems and stop bitching because your stupidity.

      • The domain wasn't spamming, it didn't even have any email accounts set up.

        You might want to check outbound traffic anyway. There's this stuff called malware...

      • by Cramer ( 69040 )

        I've worked with Spamhaus many times over the eons. I have NEVER seen them escalate a listing without cause, and without any attempt to contact the operator. I guess you have no one watching your abuse@ or postmaster@ mailboxes, or blocked the messages as "spam", etc.

        A former employer was a host for a rather large (and stupid spam operation -- spamming hostmaster@ your new ISP, literally seconds after the link was turned up) and we were never listed at all. Of course, *I* told spamhaus of their contract whe

  • If there's a yes/no in the headline, the answer is invariably "NO".

    Apart from that, considering how easy it is to spoof an IP, then you might actually be breaking the Law by enabling targetted attacks on private computer systems which is covered under the Computer Misude Act (in England) and on public systems, potentially you could be engaging the Official Secrets Act and the Terrorism Act.

    • This is more of an individual asking a yes/no question than a publication asking an inflammatory question just to get clicks.

      Also, Yes, you can spoof an IP, which means that you can make packets that you send look like they came from another IP address than they actually did. This may be fine for the one-off UDP packet or such, but email is sent using SMTP, which requires a TCP connection. If your return IP address is spoofed, the 3-way handshake cannot be completed, and therefore, the TCP connection will
      • Exactly, if the submitter is talking the IPs of machines that connected to their mail server, that can't be spoofed. The "received from" headers for servers on previous hops CAN be spoofed, and often are.

        As you said, while a _single_ packet can be spoofed, that wouldn't allow an SMTP connection to be established, so the IP which connected to their machine is reliably known. Their mail server adds a "received from" header with that known IP.

      • by TheCarp ( 96830 )

        This. Spoofing is so overblown. Spoofing is generally not the real issue with almost anything.

        The bigger issue is that people don't need to spoof, they just use someone else's machine. Getting malware installed on a machine is easy, getting it installed on hundreds or thousands of machines is easy.

        FFS my mother gets calls on the phone from people halfway across the world trying to trick her into giving them access to her machine (I find them fun, she hands them to me now...trick is to act very concerned and

        • by dkman ( 863999 )
          I would be somewhat interested in seeing some charts done. How many IPs fall into ARIN, LACNIC, APNIC, etc? In the US how many fall into Comcast, Time Warner, business ranges? Just out of curiosity.

          I also wonder if the list keeps track of a First Received On and Last Received On date, maybe a counter of Mails Received.
  • There are plenty of RBL's out there already. I would suggest talking to one of them and contributing your list.

  • by QuietLagoon ( 813062 ) on Tuesday September 01, 2015 @10:34AM (#50436517)
    If you publish a list, you then obligate yourself to keep that list up-to-date, not only by adding new addresses, but also by removing old addresses that no longer spam.

    .
    Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually. Are you planning to ban those IP addresses permanently?

    So I ask the question, how frequently do you plan top re-validate the addresses that are on your list as still spamming?

    • I'm not sure you're obligated to do anything.

      Should do something, perhaps. Definitely not obligated.

    • My virtual server apparently used to be owned by spammers before I rented it. Several web sites ban its IPv4 due to alleged proxies and/or spam.
      Thinking it might be a one-off false positive, I cancelled the server and got a new one within the same network, to no avail.

      So I contacted the admin of one of the websites that banned it. Turns out they blacklisted the whole network of cheap virtual servers years ago.
      IP blacklists should have expiration dates. Apparently most don't.

    • by mysidia ( 191772 )

      Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually.

      My mail servers IPs have been hijacked for spamming many times, probably about 3 or 4 times a month, but as far as I know, they are generally cleaned up within a few hours, and usually the volume is restricted by message rate controls.

      The biggest problem is We have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that lo

      • If someone's breaking into your server 3-4x/month, then you have major problems. If you have clients whose accounts are compromised, then SHUT THEM THE FUCK OFF AND MAKE THEM CLEAN THEIR MACHINES.

        Spoofing user names and using their lists is old hat. I have one ex-friend who greets me weekly with something new and exciting in an attachment. Luckily, I never open *anything*.

        But seriously, if your server's getting broken into that frequently, you need lessons. Numerous ones.

        • Once a week? The only solution is thermite. Lots and lots of thermite.

        • by mysidia ( 191772 )

          If you have clients whose accounts are compromised, then [...]

          It's not the same users over and over again. It's a different user almost every time.
          The couple users that DID get re-compromised, after we unlocked their account, were cancelled as a customer after the 3rd incident, and their computer was legitimately infected ---- It is just totally not our job as ISP to help them clean up their infection for free.
          There are about 3,000 hosted and ISP mailboxes and 500 domains.

          We do incoming and outgo

          • You need inline filtration. You're screwed unless you do. A carrier-grade filter ought to do it. Until then, you face a lot of slime.

            Your users are handily making mincemeat out of you. You get to control your SMTP, not them. Without a pipe to stanch the flow yourself, you're part of the problem, and not the solution. I know that sounds insulting, but it's true.

            Your knowledge of how RBLs and blocks work means you're spending way too much time dealing with the aftermath in firecontrol, rather than gently remi

      • >"The biggest problem is We have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that look spammy."

        Is there a difference? Spam includes UCE (Unrequested Commercial Email). Unrequested marketing junk *is* spam. I report it as such and ban most mail servers that send such stuff to my users. When I first started doing that many years ago, the very first to be banned, permanently, was Constant Contact. An

        • by mysidia ( 191772 )

          was Constant Contact. And boy were they pissed! They actually tried to tell my users we were doing something wrong ...

          We used to block ConstantContact on the inbound indirection, because we found them (1) Using more than half a dozen IP addresses to contact our mail servers AND putting high stress on our mail servers, and apparently defeating our 5-Messages-per-Second per-IP-Address rate limits; instead they were sending hundreds upon hundreds of messages per second, And (2) Frequently being a s

          • > It ended very badly: when a couple state governmental agencies started using ConstantContact for various newsletters between related org

            I can completely understand your situation. That is what caused us some issues too- some national organizations, ones we actually PAID to be a part of, decided to use those scumbags (Constant Contact) and some of my users were affected. But we stood fast and explained in detail to the organization sending them and the users exactly what was going on and why. Most of

    • Ya know Ive been reporting facebook and office depot 2 sites among a long list of spammers i have never used an email address on ever. So there is no question they got the email address from a spam-bot or bought a spammers email address dvd. Ive been reporting both to their host/isp/email provider and guess what? they do nothing, nada nit. I get spam from both every single day 365 days a year i report it to spamcop,gmail the FTC and still get spammed. So it really doesn't help if no ones going after the hos
      • by Anonymous Coward

        Of course individual complaints get pretty much ignored, use some common sense. You may be sure that you never gave a particular organisation permission to email you, but how can any authority that you report to be sure that at some point you didn't tick a box somewhere giving permission? They can't just take your word for it and send in the SWAT teams. Maybe someone with a similar email address to yours made a typo, and gave your address by mistake. Maybe at some point you inadvertently left that "allow us

        • by macraig ( 621737 )

          You forgot to mention the case that he might have an axe to grind against an organization and satiates his desire for revenge by filing fake spam complaints against them. I know, I know, that never actually happens, and the spam blacklists never got populated with poisonous lint from people doing that....

      • by macraig ( 621737 )

        What the Anonymous Coward said at 9:40am.

  • A better way would be to collect the ip's over time, those ip's that keep reoccurring over a period of say a few months are most likely dedicated spamming addresses. Although most large spammers probably keep shifting address and spoofing as you said since it would be to easy to stop them if they always used the same address. Unfortunately, a simple list of ip address won't really do much as they are not likely used more than a couple times each.

  • There are professionals who do this for a living. Keep your day job.

  • Yes. Publish them through a DNS Blacklist similar to others or add them to an existing one. Establish rules and guidelines for removal procedures.

  • What about the spam sent by the big email providers? It's a really interesting question what to do when you get -recurring- spam from these. (I get an offer for "Sun Microsystems User Lists" once a month from a chronic spammer sent either through Gmail or now Outlook. I report them to the abuse@xxx, but they keep on coming.) Do you blacklist a chronic spam source, that also has legitimate users? Do you quarantine everything from them, placing the burden on users/administrators to inspect and release le

    • cloud hosted email lets you still control SPF records. Big providers will list this as part of the setup process. Office365 will even warn you that DNS isn't properly configured if it detects you skipped this.

      Some SaaS resellers don't know what SPF records are. These are the same guys who took your website offline when the switched your mail provider, and they have no idea how that happened because websites have nothing to do with email (DERP), so then you had to call your OTHER IT guys. Those resell
  • There are plenty of such blacklists already published.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    You can compare your list to others to see if you have anything unique, and if you do I guess your options are either publishing your list on your own, or seeing if any of the other list would like to merge in your list. Some of the lists allow sites to remove themselves. Some of the lists appear to only have "recently" spamming addresses. Some lists specifically exclude residential ISP connections. There are pro
  • by Anonymous Coward

    As I type there are twelve, TWELVE!, comments on this thread. Comments should have been closed after 3 comments.

    Q: Should I Publish My Collection of Email Spamming IP Addresses?

    Comment 1: Yes.
    Comment 2: No.
    Comment 3: Maybe.

    No other comments are necessary. Close the comments for this thread!

  • I also have my own blacklist. I thought about publishing them however, I expect If you publish them you may be subject to some kind of retaliation.
  • by Anonymous Coward on Tuesday September 01, 2015 @10:50AM (#50436691)

    A 1 person maintained blacklist!! Sign me up!

  • Please no (Score:5, Insightful)

    by silas_moeckel ( 234313 ) <silas&dsminc-corp,com> on Tuesday September 01, 2015 @11:12AM (#50436951) Homepage

    If you think you can spoof a TCP connection you have no business running a RBL.

    • by Alomex ( 148003 )

      I can. It involves taking momentary control of a router upstream from you. First I need to find a non-secured router (i.e not running secure BGP and allowing arbitrary BGP updates), spoof a hole in the BGP table using a /30 routing prefix containing the purported sender during transmission, then revert to original configuration.

      • Sure it's possible it's not that probable. Even very big providers tend to clear their filters once you have enough prefixes being announced. Problem is I've heard the somebody must have spoofed my IP which was at least incorrect if not a lie thousands upon thousands of times more than it actually happening. That did not involve BGP but rather ARP and was back in the 90's. Most of the spoofing I see is CPE gear without uRPF, on ISP's without egress filtering connected to ISP's with no ingress filtering

        • by yetiman ( 262330 )

          "If you're in control of an ISP's router there are much more profitable things you can do than spam."
           
          ...Go Onnnnnnnnnnnnn

  • by EvilSS ( 557649 )
    There isn't much of a point to doing it. Most of this stuff is sent via botnets now so most of those IPs are probably DHCP addresses from ISP pools for home users. Maybe if there are addresses that constantly keep popping up, that might be somewhat useful, but those are probably on the existing blacklists already.
  • Spammers mint, use, and then abandon email addresses so quickly that a list of (outdated) addresses wouldn't be of much use to most people.

  • This has already been done by numerous places. One that I've found especially good for stopping bots from using signup forms is http://botscout.com./ [botscout.com.] The free daily limits are a little low but for us they're very, very effective. Using them dropped our bogus signups from 200/day to about 1 or 2 per day, sometimes zero.

  • 1) You don't want the legal ramifications of publishing this, especially if you live in the USA. I am American, so I know what I warn of.
    2) Black lists are so old as an anti-spam approach I don't know that anybody takes them seriously any more.
    3) Related to #1, do you really want the responsibility for situations where someone on your list was there due to ignorance and they fixed the open relay problem that led to the spam, they are no longer spamming at all, and yet there they are on your list? I
  • by hduff ( 570443 )

    What could possibly go wrong?

  • Why should anyone trust YOUR list?

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...