Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses?
An anonymous reader writes: I have, for a while now, been collecting IP addresses from which email spam has been sent to, or attempted to be relayed through, my email server. I was wondering if I should publish them, so that others can adopt whatever steps are necessary to protect their email servers from that vermin. However, I am facing ethical issues here. What if the addresses are simply spoofed, and therefore branding them as spamming addresses might cause harm to innocent parties? What if, after having been co-opted by spammers, they are now used legitimately?
I wonder if there's a market for all the thousands of webmail addresses that send Slashdot nothing but spam.
No (Score:2, Informative)
I think you answered your own question. The only situation might be to share it privately with others, but publicly, no!
Re: (Score:1)
Why not? Though personally I think it would be useless. Companies like Cisco maintain a senderbase registry for exactly this purpose, addressing many of your concerns, and even it has limited effectiveness at stopping new infected hosts.
What sort of a question is this? (Score:5, Insightful)
Re: (Score:3)
Exactly, he's about 20 years too late to the IP address blacklisting game.
Publish your own, or join in (Score:5, Insightful)
There are hundreds of blacklists out there: https://mxtoolbox.com/problem/blacklist/
Go talk to Spamhaus (Score:5, Insightful)
No, really, go talk to them [spamhaus.org]... they've been doing just that as a community for a lot longer, and probably have nearly all the stuff on your list and then some.
Re:Go talk to Spamhaus (Score:4, Interesting)
Re: (Score:3)
Hey, it's not all clouds and doom. Remember that Russian spam king whose corpse was found beaten to death with hammers? That was pretty cool.
Re: (Score:2)
Re: (Score:3)
it was goons who killed him, not any legal venue, so no worries
http://archive.wired.com/wired... [wired.com]
Re: (Score:3)
If it's any consolation, I was once involved in keeping a mail server under heavy spam load working and shutting down the incoming spew.... which did actually result in someone being taken away by the police, and the last words the network engineer heard as they walked away were "you are lucky you are not in handcuffs".
Admittedly it has nothing to do with the FTC and actually involved someone at the University who was intentionally misusing resources to spam in the most bone headed way (from his own desktop in
Re: (Score:2)
Re: (Score:2)
Well you know, it's nice when they actually sign their name to it. No really.... the fantastically brilliant marketing campaign for his personal consulting business was to use the school network to email a joke to a massive list of his closest friends, with his ad as the email signature.
Oh totally fooled me, you must really just have a million friends that you never emailed before this day....right..... I am sure they all opted in too.
Re: (Score:3)
What actionable material have you been sending them?
IPs are next to useless (mostly zombie hardware and outside whatever jurisdiction you report it to).
Email addresses are nearly 100% fake, so useless. Same for sender domain names.
Domain names and hosting are recycled within minutes (literally!) and paid for with stolen credit cards.
Re: (Score:2)
Re: (Score:2)
The specific host that sent it to your mail server is the only one in the email headers that can really be trusted to be real, and that's because of your own mail server logging that it received the connection from there. Let them defend themselves to Spamhaus, SpamCop, or whoever else. There are methods established for them to do that. They then provide logs showing how it got through their servers and explain what they are doing to minimize that sort of traffic.
Re: (Score:1)
I got a canned letter back from them once informing me I had the right to sue. They did not however tell me which report they were talking about.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Interesting)
I trust Spamhaus one hell of a lot less since they effectively blackmailed the company I worked for.
Basically they blacklisted tens of thousands of domains (with no advance warning or contact) and refused to remove the listing until we stopped hosting a domain they unilaterally decided they didn't approve of. The domain wasn't spamming, it didn't even have any email accounts set up.
There was no reasoning with the guy at Spamhaus I spoke with, who came across like some kind of rabidly insane cult member. Har
Re: (Score:2, Informative)
Nobody blacklists "domains", every spam comes from a fake email address. No, they blacklist IP blocks.
And? If you didn't block outbound SMTP it's trivial to write an SMTP client in just about any language. PHP even has mail functions built in to send mail. It's trivial to write up a PHP script that you upload a CSV file to and have it email everyone on it without an "email account".
Re: (Score:2)
Anti-spam blacklists do blacklist the domain and the IPs that host the web sites within that domain when a domain is advertised in spam messages. It's known in the industry as "spamvertising". It can get a domain kicked off of hosting if the email is clearly spam and advertises the domain, even if the spam was sent through another company.
Re: (Score:2)
When I was working IT for a small company, we ended up being blacklisted because a workstation had a virus. The fact that the workstation had 0 chance of actually spamming didn't matter to them; they required the workstation to be rebuilt. Proper network design is to not allow outgoing email connections from anywhere but the email server, but that just isn't good enough for the rabid anti-spam groups.
Re: (Score:2)
They had taken over the DNS record for the command and control servers. So they saw the computer going out and checking for the next set of addresses to spam, but the computer could not actually send mail.
You can call bullshit, but that doesn't make what you say right.
Re: (Score:2)
RBLs generally aren't used to outright block mail. A responsible mail host will assign a score (using something like SpamAssassin) to different traits. Presence on a particular blacklist is worth a certain number of points on that score. Other things like what's in the subject line, whether the server connecting to your server is following the RFCs strictly, the Bayesian analysis of the message vs. spam received in the past, and stuff like that feeds into the score.
This will mostly make messages from your d
Re: (Score:2)
yeah right (Score:1)
Whatever. Unless you are high up in management, you do not know everything that is going on at your company.
Anyway, I think you are full of shit.
There are no innocent companies that are accused of spamming - they are either doing it themselves or allowing.
Verdict : guilty.
Don't like it? Fix your problems and stop bitching because of your stupidity.
Re: (Score:2)
The domain wasn't spamming, it didn't even have any email accounts set up.
You might want to check outbound traffic anyway. There's this stuff called malware...
Re: (Score:1)
I've worked with Spamhaus many times over the eons. I have NEVER seen them escalate a listing without cause, and without any attempt to contact the operator. I guess you have no one watching your abuse@ or postmaster@ mailboxes, or blocked the messages as "spam", etc.
A former employer was a host for a rather large (and stupid spam operation -- spamming hostmaster@ your new ISP, literally seconds after the link was turned up) and we were never listed at all. Of course, *I* told spamhaus of their contract whe
Asked then answered: journalism 101 (Score:2)
If there's a yes/no in the headline, the answer is invariably "NO".
Apart from that, considering how easy it is to spoof an IP, you might actually be breaking the law by enabling targeted attacks on private computer systems, which is covered under the Computer Misuse Act (in England), and on public systems you could potentially be engaging the Official Secrets Act and the Terrorism Act.
You just don't get it. (Score:3)
Also, yes, you can spoof an IP, which means that you can make packets that you send look like they came from another IP address than they actually did. This may be fine for the one-off UDP packet or such, but email is sent using SMTP, which requires a TCP connection. If your return IP address is spoofed, the 3-way handshake cannot be completed, and therefore, the TCP connection will
Yeah, can spoof the header, not the connecting IP (Score:2)
Exactly, if the submitter is talking about the IPs of machines that connected to their mail server, those can't be spoofed. The "received from" headers for servers on previous hops CAN be spoofed, and often are.
As you said, while a _single_ packet can be spoofed, that wouldn't allow an SMTP connection to be established, so the IP which connected to their machine is reliably known. Their mail server adds a "received from" header with that known IP.
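The distinction drawn above, worked through in code. This is an added example, not code from the thread: it parses a constructed message, trusts only the topmost Received header (the one written by our own MTA, assumed here to name itself `mx.example.org`), and treats every IP in the lower headers as a sender-supplied claim.

```python
import re
from email import message_from_string

# Constructed sample message. The topmost Received header was written by our
# own server and records the IP that actually completed the TCP connection;
# the lower ones arrived inside the message and could say anything.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (unknown [198.51.100.23])
\tby mx.example.org (Postfix) with ESMTP id 4F2A1C0F3B
\tfor <user@example.org>; Mon, 01 Jun 2015 10:00:00 +0000
Received: from relay.example.com (relay.example.com [203.0.113.7])
\tby mail.example.net (Postfix) with ESMTP id ABCDEF
\tfor <user@example.org>; Mon, 01 Jun 2015 09:59:58 +0000
Received: from [192.0.2.99] (helo=bigbank.example)
\tby relay.example.com with smtp
From: "Bank" <alerts@bigbank.example>
To: user@example.org
Subject: Urgent

Body.
"""

OUR_HOSTNAME = "mx.example.org"  # assumption: the name our MTA writes after "by"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message, our_hostname=OUR_HOSTNAME):
    """Return the IP our own MTA recorded for the connecting client.

    Returns None when the topmost Received header was not written by us,
    because then nothing in the header chain is ours to vouch for.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    by = re.search(r"\bby\s+(\S+)", top)
    if not by or by.group(1).lower() != our_hostname:
        return None
    # The client IP sits in the "from ..." part, before our own "by ..." part.
    ip = IP_RE.search(top.split(" by ", 1)[0])
    return ip.group(1) if ip else None


def claimed_hops(raw_message):
    """IPs named in every Received header below the topmost one.

    These are informational only: the sender controlled their content.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in (msg.get_all("Received") or [])[1:]:
        hops.extend(IP_RE.findall(" ".join(header.split())))
    return hops


if __name__ == "__main__":
    print("trusted connecting IP:", connecting_ip(SAMPLE_MESSAGE))
    print("sender-claimed hops:", claimed_hops(SAMPLE_MESSAGE))
```

Only the value returned by `connecting_ip` is a candidate for a list like the submitter's; the hops from `claimed_hops` are exactly the addresses that would brand an innocent party if listed.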
Re: (Score:3)
This. Spoofing is so overblown. Spoofing is generally not the real issue with almost anything.
The bigger issue is that people don't need to spoof, they just use someone else's machine. Getting malware installed on a machine is easy, getting it installed on hundreds or thousands of machines is easy.
FFS my mother gets calls on the phone from people halfway across the world trying to trick her into giving them access to her machine (I find them fun, she hands them to me now...trick is to act very concerned and
Re: (Score:2)
I also wonder if the list keeps track of a First Received On and Last Received On date, maybe a counter of Mails Received.
Re: (Score:2)
fuck off AC, I don't need to justify myself to anybody.
RBLs (Score:2)
There are plenty of RBLs out there already. I would suggest talking to one of them and contributing your list.
How often are the addresses re-validated? (Score:5, Insightful)
Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually. Are you planning to ban those IP addresses permanently?
So I ask the question: how frequently do you plan to re-validate the addresses that are on your list as still spamming?
Re: (Score:2)
I'm not sure you're obligated to do anything.
Should do something, perhaps. Definitely not obligated.
Re: (Score:2)
Your opinion is just that. An opinion.
Re: (Score:2)
BWHAHAHAHA
Damn that's funny. I'm sure Spamhaus is just quivering about getting a cease-and-desist letter.
ACK (Score:2)
My virtual server apparently used to be owned by spammers before I rented it. Several web sites ban its IPv4 due to alleged proxies and/or spam.
Thinking it might be a one-off false positive, I cancelled the server and got a new one within the same network, to no avail.
So I contacted the admin of one of the websites that banned it. Turns out they blacklisted the whole network of cheap virtual servers years ago.
IP blacklists should have expiration dates. Apparently most don't.
Re: (Score:3)
Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually.
My mail servers' IPs have been hijacked for spamming many times, probably about 3 or 4 times a month, but as far as I know, they are generally cleaned up within a few hours, and usually the volume is restricted by message rate controls.
The biggest problem is we have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that lo
Re: (Score:3)
If someone's breaking into your server 3-4x/month, then you have major problems. If you have clients whose accounts are compromised, then SHUT THEM THE FUCK OFF AND MAKE THEM CLEAN THEIR MACHINES.
Spoofing user names and using their lists is old hat. I have one ex-friend who greets me weekly with something new and exciting in an attachment. Luckily, I never open *anything*.
But seriously, if your server's getting broken into that frequently, you need lessons. Numerous ones.
Re: (Score:2)
Once a week? The only solution is thermite. Lots and lots of thermite.
Re: (Score:2)
If you have clients whose accounts are compromised, then [...]
It's not the same users over and over again. It's a different user almost every time.
The couple of users that DID get re-compromised, after we unlocked their account, were cancelled as customers after the 3rd incident, and their computer was legitimately infected ---- It is just totally not our job as an ISP to help them clean up their infection for free.
There are about 3,000 hosted and ISP mailboxes and 500 domains.
We do incoming and outgo
Re: (Score:2)
You need inline filtration. You're screwed unless you do. A carrier-grade filter ought to do it. Until then, you face a lot of slime.
Your users are handily making mincemeat out of you. You get to control your SMTP, not them. Without a pipe to stanch the flow yourself, you're part of the problem, and not the solution. I know that sounds insulting, but it's true.
Your knowledge of how RBLs and blocks work means you're spending way too much time dealing with the aftermath in firecontrol, rather than gently remi
Re: (Score:2)
>"The biggest problem is We have no idea when it is happening, or if there are complaints, which messages are actually true spam, and which messages are just "legitimate marketing" that look spammy."
Is there a difference? Spam includes UCE (Unrequested Commercial Email). Unrequested marketing junk *is* spam. I report it as such and ban most mail servers that send such stuff to my users. When I first started doing that many years ago, the very first to be banned, permanently, was Constant Contact. An
Re: (Score:2)
was Constant Contact. And boy were they pissed! They actually tried to tell my users we were doing something wrong ...
We used to block ConstantContact on the inbound indirection, because we found them (1) Using more than half a dozen IP addresses to contact our mail servers AND putting high stress on our mail servers, and apparently defeating our 5-Messages-per-Second per-IP-Address rate limits; instead they were sending hundreds upon hundreds of messages per second, And (2) Frequently being a s
Re: (Score:2)
> It ended very badly: when a couple state governmental agencies started using ConstantContact for various newsletters between related org
I can completely understand your situation. That is what caused us some issues too- some national organizations, ones we actually PAID to be a part of, decided to use those scumbags (Constant Contact) and some of my users were affected. But we stood fast and explained in detail to the organization sending them and the users exactly what was going on and why. Most of
Re: (Score:2)
>Either this is bullshit
Nope
> or you have a total of 10 users.
I have 171 users.
>Try running an ISP, even a small one with just a few hundred users, and watch how much bitching you have to deal with when you block ConstantContact, MailChimp, SendGrid, etc..
We get some rare/occasional bitching, and we explain why we do what we do, and they are then appreciative of our very low spam rate and find some work-around.
One can't do that as an ISP, since it is like censorship. But we are not an ISP and can
Not doing it right (Score:3)
http://www.projecthoneypot.org... [projecthoneypot.org]
Re: (Score:2)
Re: (Score:1)
Of course individual complaints get pretty much ignored, use some common sense. You may be sure that you never gave a particular organisation permission to email you, but how can any authority that you report to be sure that at some point you didn't tick a box somewhere giving permission? They can't just take your word for it and send in the SWAT teams. Maybe someone with a similar email address to yours made a typo, and gave your address by mistake. Maybe at some point you inadvertently left that "allow us
Re: (Score:2)
You forgot to mention the case that he might have an axe to grind against an organization and satiates his desire for revenge by filing fake spam complaints against them. I know, I know, that never actually happens, and the spam blacklists never got populated with poisonous lint from people doing that....
Re: (Score:2)
What the Anonymous Coward said at 9:40am.
Time (Score:1)
A better way would be to collect the IPs over time; those IPs that keep reoccurring over a period of, say, a few months are most likely dedicated spamming addresses. Although most large spammers probably keep shifting address and spoofing as you said, since it would be too easy to stop them if they always used the same address. Unfortunately, a simple list of IP addresses won't really do much, as they are not likely used more than a couple of times each.
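The bookkeeping that the "How often are the addresses re-validated?", "IP blacklists should have expiration dates", and "Time" posts are asking for, as an added example that is not from any poster: a ledger fed from constructed, simplified reject-log lines that keeps first-seen, last-seen and hit counts per IP, publishes only addresses seen on several distinct days, and drops entries that have gone quiet. The log format and thresholds are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (simplified Postfix-style), one per rejected SMTP
# connection: ISO timestamp, then the connecting client name[IP].
LOG_LINES = """\
2015-06-01T08:12:03 reject: RCPT from unknown[198.51.100.23]: relay access denied
2015-06-01T08:12:09 reject: RCPT from unknown[198.51.100.23]: relay access denied
2015-06-02T11:40:51 reject: RCPT from unknown[198.51.100.23]: relay access denied
2015-06-03T02:05:17 reject: RCPT from unknown[203.0.113.7]: invalid recipient
2015-06-20T19:30:00 reject: RCPT from unknown[198.51.100.23]: relay access denied
2015-06-21T09:00:00 reject: RCPT from unknown[192.0.2.99]: relay access denied
""".splitlines()

LINE_RE = re.compile(r"^(\S+) reject: .* from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class SpamSourceLedger:
    """Per-IP observation record with first_seen, last_seen, hits and days."""

    def __init__(self):
        self.entries = {}

    def observe(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None  # not a reject line; ignore it
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        e = self.entries.setdefault(
            ip, {"first_seen": ts, "last_seen": ts, "hits": 0, "days": set()})
        e["first_seen"] = min(e["first_seen"], ts)
        e["last_seen"] = max(e["last_seen"], ts)
        e["hits"] += 1
        e["days"].add(ts.date())
        return ip

    def expire(self, now_iso, max_age_days=30):
        """Drop IPs not seen for max_age_days; return the dropped IPs."""
        now = datetime.fromisoformat(now_iso)
        stale = sorted(ip for ip, e in self.entries.items()
                       if now - e["last_seen"] > timedelta(days=max_age_days))
        for ip in stale:
            del self.entries[ip]
        return stale

    def publishable(self, now_iso, min_days=2, max_age_days=30):
        """IPs worth publishing: repeat offenders on distinct days, still fresh."""
        now = datetime.fromisoformat(now_iso)
        return sorted(ip for ip, e in self.entries.items()
                      if len(e["days"]) >= min_days
                      and now - e["last_seen"] <= timedelta(days=max_age_days))


def build_ledger(lines):
    ledger = SpamSourceLedger()
    for line in lines:
        ledger.observe(line)
    return ledger


if __name__ == "__main__":
    ledger = build_ledger(LOG_LINES)
    print("publish:", ledger.publishable("2015-06-22T00:00:00"))
```

A one-hit IP never reaches the published list here, and an entry that stays quiet for a month is removed rather than branding a since-cleaned host forever.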
No. (Score:2)
There are professionals who do this for a living. Keep your day job.
Yes (Score:2)
Yes. Publish them through a DNS Blacklist similar to others or add them to an existing one. Establish rules and guidelines for removal procedures.
Gmail, Outlook, Yahoo, etc? (Score:2)
What about the spam sent by the big email providers? It's a really interesting question what to do when you get -recurring- spam from these. (I get an offer for "Sun Microsystems User Lists" once a month from a chronic spammer sent either through Gmail or now Outlook. I report them to the abuse@xxx, but they keep on coming.) Do you blacklist a chronic spam source, that also has legitimate users? Do you quarantine everything from them, placing the burden on users/administrators to inspect and release le
Re: (Score:2)
Some SaaS resellers don't know what SPF records are. These are the same guys who took your website offline when they switched your mail provider, and they have no idea how that happened because websites have nothing to do with email (DERP), so then you had to call your OTHER IT guys. Those resell
Blacklists (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
You can compare your list to others to see if you have anything unique, and if you do I guess your options are either publishing your list on your own, or seeing if any of the other list would like to merge in your list. Some of the lists allow sites to remove themselves. Some of the lists appear to only have "recently" spamming addresses. Some lists specifically exclude residential ISP connections. There are pro
Comments should be closed on this thread! (Score:1)
As I type there are twelve, TWELVE!, comments on this thread. Comments should have been closed after 3 comments.
Q: Should I Publish My Collection of Email Spamming IP Addresses?
Comment 1: Yes.
Comment 2: No.
Comment 3: Maybe.
No other comments are necessary. Close the comments for this thread!
re blacklist (Score:1)
Someone's new to the internet... (Score:5, Funny)
A 1 person maintained blacklist!! Sign me up!
Re:Someone's new to the internet... (Score:4, Insightful)
Re: (Score:2)
Please no (Score:5, Insightful)
If you think you can spoof a TCP connection you have no business running an RBL.
Re: (Score:3)
I can. It involves taking momentary control of a router upstream from you. First I need to find a non-secured router (i.e. not running secure BGP and allowing arbitrary BGP updates), spoof a hole in the BGP table using a /30 routing prefix containing the purported sender during transmission, then revert to the original configuration.
Re: (Score:2)
Sure it's possible; it's not that probable. Even very big providers tend to clear their filters once you have enough prefixes being announced. Problem is I've heard the "somebody must have spoofed my IP" line, which was at least incorrect if not a lie, thousands upon thousands of times more than it actually happening. That did not involve BGP but rather ARP and was back in the 90's. Most of the spoofing I see is CPE gear without uRPF, on ISPs without egress filtering connected to ISPs with no ingress filtering
Re: (Score:1)
"If you're in control of an ISP's router there are much more profitable things you can do than spam."
...Go Onnnnnnnnnnnnn
No (Score:2)
It's a waste of time (Score:2)
Spammers mint, use, and then abandon email addresses so quickly that a list of (outdated) addresses wouldn't be of much use to most people.
Already been done (Score:2)
This has already been done by numerous places. One that I've found especially good for stopping bots from using signup forms is http://botscout.com./ [botscout.com.] The free daily limits are a little low but for us they're very, very effective. Using them dropped our bogus signups from 200/day to about 1 or 2 per day, sometimes zero.
Re: (Score:1)
Get politicians to understand that this is a problem. Care about it. Otherwise, they'll say pass the sweet and sour sauce.
When we can show someone is doing it, let's put 'em in jail, for a long time. No white collar place either, place like Chino or Attica.
When they get out, if they go back to doing spam, cut their head off.
Wasted so much frickin' time over the past couple of decades dealing with their BS. Way too much time.
Short answer (Score:2)
2) Black lists are so old as an anti-spam approach I don't know that anybody takes them seriously any more.
3) Related to #1, do you really want the responsibility for situations where someone on your list was there due to ignorance and they fixed the open relay problem that led to the spam, they are no longer spamming at all, and yet there they are on your list? I
What? (Score:2)
What could possibly go wrong?
Trust? (Score:1)