RE: Blocking mail from bad places
--- michael.dillon@bt.com wrote: ---
Hey, you've just described the FUSSP! :-(
Solution!? Since when is a description of one aspect of the problem considered to be the solution? In a nutshell I said that the email SPAM problem is getting worse, not just measured by SPAM volumes or number of new SPAM techniques, but measured by the number of people turning to non-email communications channels.

-------------------------------------------------

Part of what you said was this:
Soon Internet email will be like IRC, a quaint service for Internet enthusiasts and oldtimers, but not a useful tool for businesses or ordinary individuals.
What I meant was: when only a few folks use email, the spammers will go away. Like parasites on a dead animal body. The spammer-parasites will find something else to devour. Besides, it was just a joke. I should've turned my smiley around. ;-)

scott
On Tue, 03 Apr 2007 15:18:36 PDT, Scott Weeks said:
What I meant was: when only a few folks use email, the spammers will go away.
They won't go away, they'll just go infest whatever the people are using. We're already seeing significant amounts of blog-comment spam, and as soon as the spammers find a good methodology, they'll be Myspace and YouTube spam (if they aren't already)....
I can personally testify that, as a proportion of the "mail" I get through it, there's quite a bit of spam on MySpace - phishing scams (Adult MySpace Viewer), fake profiles designed to draw you to adult dating / webcam / porn sites, etc. Lots of attractive women claiming to want you to be their friend for some mysterious reason.

Some of it is quite sophisticated: full blown "instant" profiles with fake comments ... the smarter spammers actually make the profile look real (often lifting material from legit user profiles), and then just stick their spam in the comments (and of course, "comment" spam is quite prevalent too, as is spam that invites you to join "groups" that are front ends to other sites, etc.) or wait a few days and then spam you via "bulletins". Sometimes, it is pretty hard to tell what is spam, and what is not... I have an acquaintance who specializes in documenting these scams and tracking down the sponsors of the affiliate programs funding some of them and getting affiliate accounts canceled (I've done this once in a while myself).

Sometimes there's a strange mixture of sophistication and stupidity - plausible profiles, very credible on their face... all batched together, five or six "friend requests" at a time, coming within two or three minutes of each other at 4 a.m. Or two requests, from users with slightly different "names", and an identical photo. MySpace does a fairly good job of responding to complaints and terminating accounts (sometimes within hours of their creation).

I'm not a dedicated YouTube user, but I've seen plenty of spam in comments on YouTube as well... this is a generic problem, with levels of vulnerability dependent on the architecture of the communications system, and the scale within which it operates (how attractive it is).
Some of it is quite sophisticated: full blown "instant" profiles with fake comments ... the smarter spammers actually make the profile look real (often lifting material from legit user profiles), and then just ...
At the MIT Spam Conference, I was talking to MySpace's anti-spam researcher. He said that they see many profiles that look totally legit and which have been carefully nurtured for more than six months -- and then the formerly legit profile suddenly becomes the drop site for a phishing campaign or other spam repository.

Captchas apparently help quite a bit to stem this kind of problem because they install a technical barrier that, while not impossible to break through programmatically, at least delays things a bit and reduces the ROI for the spammer.

Regards, Ken

-- Ken Simpson, CEO MailChannels Corporation Reliable Email Delivery (tm) http://www.mailchannels.com
Greetings.

While it's a pretty brute force approach, one method I'm trying is to curtail the source of email. In other words, if SMTP traffic comes from an unknown source it gets directed to a sendmail server that intentionally rejects the email message (550 with an informational message/URL). If the email message comes from a "known" source (friend/family's ISP) it gets routed to my main sendmail server, which allows most email after checking for the obvious (non-resolvable domains, blacklisted domains etc.) using access lists. I've cut down on spam (including this account, which I use solely for NANOG) to about 0. Granted, the amount of valid email that can get rejected is high, but since I log the bounces on the drop server I can look for obvious rejects from good/expected email servers. Not by any means a solution to/for a large or even medium size provider, but for a small home based setup it works well. Details at http://www.sumless.net/nsh.html

Cheers, -Joe Blanchard
Hi Joe,

1) You send bounces from spammers to innocent people, whose addresses have been forged.

2) Even if you modified the return address, so the bounce returns to the zombie, it does not make sense. Bots don't listen. Looks like you are adding to the noise and chances are good you are finding yourself in a blacklist.

3) You are dropping valid emails.

It might make more sense telling your friends not to send emails to port 25 but to port 26 if they want to get in. The spammers don't know how to switch to port 26. They will knock on the door once and go away.

Another means would be switching to uucp. I have not seen any spam on our little uucp network yet.

Cheers Peter and Karin

-- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de mail: peter@echnaton.arl.pirates http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
While it's a pretty brute force approach, one method I'm trying is to curtail the source of email. In other words, if SMTP traffic comes from an unknown source it gets directed to a sendmail server that intentionally rejects the email message (550 with an informational message/URL).
1) You send bounces from spammers to innocent people, whose addresses have been forged.
This is an SMTP reject, not a bounce. It's a lethal variety of greylisting. This technique works great to keep spam out of your mailbox.
3) You are dropping valid emails.
Right. It's also quite an effective way to be sure you never hear from non-technical users who don't understand your bounce message, and from people like me who don't feel like jumping through your hoops, particularly in a case like this where we're responding to a question you asked.

R's, John
1) You send bounces from spammers to innocent people, whose addresses have been forged.
This is an SMTP reject, not a bounce. It's a lethal variety of greylisting.
This technique works great to keep spam out of your mailbox.
Inline rejection is a little dangerous for mailing lists (because you might be auto-unsubscribed), but IMHO it's better than receiving and quarantining, because at least the sender can do something to resolve the situation -- such as calling you to say their email was bounced by your spam filter. Providing a telephone number in the bounce is an effective way to deal with false positives.

Regards, Ken

-- Ken Simpson, CEO MailChannels Corporation Reliable Email Delivery (tm) http://www.mailchannels.com
This technique works great to keep spam out of your mailbox.
Inline rejection is a little dangerous for mailing lists
And for anyone else who doesn't feel like jumping through your hoops.
Providing a telephone number in the bounce is an effective way to deal with false positives.
Only if you assume that everyone who writes to you is so desperate to send you mail that they are willing to make what may be an international call in the middle of the night. I have not found that to be a very realistic assumption.

Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
on Wed, Apr 04, 2007 at 06:25:18PM -0400, John L wrote:
This technique works great to keep spam out of your mailbox.
Inline rejection is a little dangerous for mailing lists
And for anyone else who doesn't feel like jumping through your hoops.
Providing a telephone number in the bounce is an effective way to deal with false positives.
Only if you assume that everyone who writes to you is so desperate to send you mail that they are willing to make what may be an international call in the middle of the night. I have not found that to be a very realistic assumption.
I have to agree with John here - I've been sending back 'email me at postmaster@... if this is an error' for all rejections here since 2003 or so, and can count the legit mail to postmaster I've received in that time on one hand, maybe two; the stuff that gets rejected before the accept postmaster default gets a different error, containing a phone number. I've never had anyone call me there.

Not that it bothers me much - I've done my part, I figure, and if they aren't willing to email a postmaster or call, then <shrug>? What can I do?

I'll add that even if everyone were willing to email/call with problems, the hideous things that (e.g.) Exchange does to your carefully handcrafted rejection errors are enough to cripple the least tech-savvy of your likely audience, anyway.

-- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/ antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
One problem with the "bounce" solution is that for those of us with multiple domains (some of them wildcarded) mapped to our mailboxes, the volume of "backscatter" makes it a real hassle to sort out the valid bounces from the "noise". Even users with a single email address can be victimized often enough to dismiss this stuff as a form of "spam", and automatically delete it without looking; every few months, I get pained complaints from one friend or family member or another about someone using their address to spam, and thousands of bounce messages winding up in their mailbox as a result...

Another major problem, in my opinion, caused by spam that is leading to email becoming more and more of an unreliable medium - even when everything works perfectly according to protocol and RFC, and a person gets a bounce message because an address is out of date or typoed or otherwise invalid, they'll never know.

Thomas
At 4/5/2007 08:38 AM -0700, Thomas Leavitt wrote:

One problem with the "bounce" solution is that <snip/>

==========================

So, I (Cutler) add:

And, even the best-intentioned bounce messages often give lots of data, but no information, thus increasing the noise to signal ratio. For example, Paul most likely knows what the following means to him. To me it just means I can't send mail to Paul.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
paul@vix.com SMTP error from remote mailer after RCPT TO:<paul@vix.com>: host sa.vix.com [204.152.187.1]: 553 5.7.1 Service unavailable; Client host [209.86.89.61] blocked using reject-all.vix.com; created / reason
------ This is a copy of the message, including all the headers. ------
- James R. Cutler james.cutler@consultant.com
Here's one of the messages my system produces:

Apr 7 12:02:26 tongs postfix/smtpd[15229]: NOQUEUE: reject: RCPT from mail.middreut.com[208.61.243.195]: 454 Service unavailable; Client host [208.61.243.195] blocked using dnsbl.cagreens.org; Whoops! Please see http://greens.org/delist and note your sending address is --> 208.61.243.195 <--. Sorry.; from=<> to=<agates@godmoma.com> proto=ESMTP helo=<exchange.middreut.local>

This provides a reasonable explanation... as long as you can read English. If you want to talk about hard to understand: every time I post to nanog, I get a bounce message from someone in Germany, in German. About as much use as my bounce message is to someone who doesn't read English.

... and why aren't bounce messages standardized in content and formatting?!?

Thomas
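The Postfix reject line Thomas quotes is exactly the raw material for the log review Joe describes earlier in the thread (watching the drop server's rejections for senders you actually wanted). The following is an added example, not code from any poster: a parser for Postfix smtpd "NOQUEUE: reject" lines, run over constructed sample lines, that summarizes rejections by reply class (4xx retry vs 5xx permanent), by DNSBL and by client, and counts refused null-sender messages, which are bounces aimed at you, i.e. backscatter. Only the line shape comes from the thread; hostnames, addresses and reply texts are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic), shaped like the Postfix
# "NOQUEUE: reject" line quoted in the thread; hosts use example.* names and
# RFC 5737 documentation addresses. The last line is not a rejection at all.
SAMPLE_LOG = [
    "Apr  7 12:02:26 tongs postfix/smtpd[15229]: NOQUEUE: reject: RCPT from "
    "mail.example.com[192.0.2.15]: 454 Service unavailable; Client host [192.0.2.15] "
    "blocked using dnsbl.example.org; Please see http://example.org/delist; "
    "from=<> to=<agates@example.net> proto=ESMTP helo=<exchange.example.local>",
    "Apr  7 12:03:41 tongs postfix/smtpd[15229]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.9]: 553 5.7.1 Service unavailable; Client host [203.0.113.9] "
    "blocked using reject-all.example.net; from=<bogus@example.com> "
    "to=<joe@example.net> proto=SMTP helo=<bogus>",
    "Apr  7 12:05:10 tongs postfix/smtpd[15230]: NOQUEUE: reject: RCPT from "
    "mail.example.com[192.0.2.15]: 550 5.1.1 <nobody@example.net>: Recipient address "
    "rejected: User unknown in local recipient table; from=<sender@example.com> "
    "to=<nobody@example.net> proto=ESMTP helo=<mail.example.com>",
    "Apr  7 12:06:00 tongs postfix/smtpd[15231]: connect from friend.example.com[192.0.2.40]",
]

# syslog timestamp, host, smtpd pid, client[ip], reply code, optional enhanced
# status code, free-text reason, then the envelope fields Postfix appends.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d)(?: (?P<enhanced>\d\.\d+\.\d+))? (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) "
    r"helo=<(?P<helo>[^>]*)>$"
)
DNSBL_RE = re.compile(r"blocked using ([^\s;]+)")


def parse_reject(line):
    """Return a dict for an smtpd RCPT rejection line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    bl = DNSBL_RE.search(event["reason"])
    event["dnsbl"] = bl.group(1) if bl else None
    # 5xx is a permanent refusal: the sending MTA bounces to its own sender.
    # 4xx is temporary: a real MTA retries, a one-shot spam engine usually does not.
    event["permanent"] = event["code"].startswith("5")
    return event


def summarize_rejects(lines):
    """Aggregate rejection events the way a drop-server log review would."""
    events = [e for e in map(parse_reject, lines) if e]
    return {
        "total": len(events),
        "permanent": sum(e["permanent"] for e in events),
        "temporary": sum(not e["permanent"] for e in events),
        "by_dnsbl": Counter(e["dnsbl"] for e in events if e["dnsbl"]),
        "by_client": Counter(e["ip"] for e in events),
        # from=<> means the refused message was itself a bounce/DSN, i.e. backscatter
        "null_sender": sum(e["sender"] == "" for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize_rejects(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Sorting `by_client` by count and checking the top entries against the hosts you expect mail from is the "obvious rejects from good/expected email servers" check Joe describes.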
On Sat, 07 Apr 2007 11:40:50 PDT, Thomas Leavitt said:
... and why aren't bounce messages standardized in content and formatting?!?
Jiminy creepers, why can't people run software that implements standards from the last frikking *millennium*??!?

1891 SMTP Service Extension for Delivery Status Notifications. K. Moore. January 1996. (Format: TXT=65192 bytes) (Obsoleted by RFC3461) (Status: PROPOSED STANDARD)
1892 The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages. G. Vaudreuil. January 1996. (Format: TXT=7800 bytes) (Obsoleted by RFC3462) (Status: PROPOSED STANDARD)
1893 Enhanced Mail System Status Codes. G. Vaudreuil. January 1996. (Format: TXT=28218 bytes) (Obsoleted by RFC3463) (Status: PROPOSED STANDARD)
1894 An Extensible Message Format for Delivery Status Notifications. K. Moore, G. Vaudreuil. January 1996. (Format: TXT=77462 bytes) (Obsoleted by RFC3464) (Updated by RFC2852) (Status: PROPOSED STANDARD)
...and why aren't bounce messages standardized in content and formatting?
Jiminy creepers, why can't people run software that implements standards from the last frikking *millennium*??!?
because those are feel-good standards, with no selfishness hooks. emitting standardized bounce messages helps the internet but does little local good. and indeed, in the previous fracking millennium, we did well by doing good, but this is now.

my personal blackhole list has at least 20K entries in it whose only "offense" was bouncing a joe-job back to me in non RFC 1891..1894. the rest of the world will no doubt go on JHD'ing this pre-compliant chaff, and eventually false-positive so much wheat that there will be no benefit to sending any kind of error-mail, much less compliant error-mail, since it won't be read no matter what it looks like. there's an argument to be made that we're already in that situation.

store-and-forward should be a priv'd operation (like relay had to become), the universal message transport should be synchronous end-to-end. any errors must be reportable in real time unless there's a high-privilege relationship with the sender that permits queuing.

i have an unrelated question. understand that i did my time in the messaging salt mines, i maintained a version of sendmail while eric allman was at britton-lee, i wrote a book about sendmail with fred avolio, i started the first e-mail reputation project and was the employer of eric ziegast when he invented the "RBL" DNS format universally used today. in other words i think i'm qualified to think hard thoughts about messaging. my question is, is there a network operations e-list that's like NANOG used to be, someplace where routers and switches and routes and packets and ones and zeroes are discussed, and where abuse policy, economics, morality, bots, web, e-mail, ftp, firewalls, uucp, and bitnet are considered irrelevant and off-topic? i did my time in the messaging salt mines. i'm ready to graduate.

-- Paul Vixie
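Valdis lists the RFCs (1891-1894, now 3461-3464) that define what a standard bounce looks like, and Paul's complaint is about the non-compliant ones that cannot be machine-classified. As an added example, not code from either poster: building a compliant DSN with Python's standard email package (multipart/report carrying a human-readable part, a message/delivery-status part with a per-message and a per-recipient field block, and the original message), then parsing it back the way a filter that separates real bounces from joe-job backscatter would. All addresses, hosts and the refused message are constructed placeholders.

```python
from email import message_from_string
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid

# Constructed stand-in for the refused message (not a real mail).
ORIGINAL = message_from_string(
    "From: sender@example.com\nTo: recipient@example.org\n"
    "Subject: hello\nMessage-ID: <orig-1@example.com>\n\nbody\n"
)


def build_dsn(reporting_mta, original, recipient, status, diagnostic, human_text):
    """Build an RFC 3462/3464 style DSN (multipart/report) for one failed recipient."""
    dsn = MIMEMultipart("report", **{"report-type": "delivery-status"})
    dsn["From"] = f"Mail Delivery System <MAILER-DAEMON@{reporting_mta}>"
    dsn["To"] = original["From"]  # a real MTA would use the envelope sender
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn["Date"] = formatdate()
    dsn["Message-ID"] = make_msgid(domain=reporting_mta)
    # Part 1: free-form text for a human; the only part most recipients read.
    dsn.attach(MIMEText(human_text, "plain"))
    # Part 2: message/delivery-status, the machine-readable part. Each field
    # group is a headers-only Message; the generator joins them with blank lines.
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {reporting_mta}"
    per_recipient = Message()
    per_recipient["Final-Recipient"] = f"rfc822; {recipient}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = status  # enhanced status code (RFC 3463), e.g. 5.7.1
    per_recipient["Diagnostic-Code"] = f"smtp; {diagnostic}"  # the remote reply
    status_part = MIMENonMultipart("message", "delivery-status")
    status_part.set_payload([per_message, per_recipient])
    dsn.attach(status_part)
    # Part 3: the original message, so the sender knows which mail failed.
    dsn.attach(MIMEMessage(original))
    return dsn


def parse_dsn(raw):
    """Return one record per recipient block of a compliant DSN; [] if it is not one."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return []
    records = []
    for part in msg.get_payload():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # parser splits this part into header blocks
        reporting_mta = blocks[0].get("Reporting-MTA", "")
        for block in blocks[1:]:
            records.append({
                "reporting_mta": reporting_mta,
                "recipient": block.get("Final-Recipient", ""),
                "action": block.get("Action", ""),
                "status": block.get("Status", ""),
                "diagnostic": block.get("Diagnostic-Code", ""),
            })
    return records


def demo():
    """Round trip: build a DSN for a DNSBL rejection, then parse it back."""
    dsn = build_dsn(
        "mx.example.net", ORIGINAL, "recipient@example.org", "5.7.1",
        "553 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.net",
        "Your message to recipient@example.org was refused by mx.example.net.\n"
        "Contact postmaster@mx.example.net if you believe this is an error.\n",
    )
    return parse_dsn(dsn.as_string())
```

A non-compliant bounce (plain text, no multipart/report) yields an empty list from parse_dsn, which is precisely the chaff Paul describes having to blacklist by hand.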
On Thu, 5 Apr 2007, Thomas Leavitt wrote:
One problem with the "bounce" solution is that for those of us with multiple domains (some of them wildcarded) mapped to our mailboxes, the volume of "backscatter" makes it a real hassle to sort out the valid bounces from the "noise".
<aol /> Backscatter from spam forgeries is *the* reason stevesobol.com is no longer a catchall domain.

-- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Victorville, California PGP:0xE3AE35ED It's all fun and games until someone starts a bonfire in the living room.
Steven Champeon wrote:
I'll add that even if everyone were willing to email/call with problems, the hideous things that (e.g.) Exchange does to your carefully handcrafted rejection errors are enough to cripple the least tech-savvy of your likely audience, anyway.
All the more reason to advise people not to use Exchange for any Internet based communications.

Regards, Mat
Yes, it's an SMTP bounce, not a store, try to forward and return. I should have clarified.
Right. It's also quite an effective way to be sure you never hear from non-technical users who don't understand your bounce message, and from people like me who don't feel like jumping through your hoops, particularly in a case like this where we're responding to a question you asked.
Yes, unfortunately there are drawbacks. I try to make the 550 bounce as informative as possible (URL link yadayada) but.. With a maillist I see the responses because I allow email from the network that serves the maillist server, in this case NANOG (: So... As needed I add IPs/netblocks, but like I said very much overkill and administratively burdening. But the upside is (I think maybe 1) spam email in the last 3 months. I still get a count on the spam bounces, which have decreased: month 1=1752 bounces, 2=1292, 3=899. Again not an answer, more like a campaign.. Just my 2¢s on the whole thing.

Cheers, -Joe Blanchard
That makes sense, and matches up with my experience... you also have "amateur" spammers just doing stuff manually (as well as spammers paying people pennies a page to input CAPTCHA responses). Another issue is that the unsolicited contact paradigm blurs a bit, when you have musicians and promoters and organizations with causes, etc. all asking to be "added as a friend"... the situation becomes one of those "I know spam when I see it." ones...
On Wed, 4 Apr 2007 08:46:33 -0700 Ken Simpson <ksimpson@mailchannels.com> wrote: [...snip]
Captchas apparently help quite a bit to stem this kind of problem because they install a technical barrier that, while not impossible to break through programmatically, at least delays things a bit and reduces the ROI for the spammer.
Captchas are all fine and dandy but they are not ADA compliant and certainly a no-no for government or public agencies. Don't believe me? Accessibility issues (Section 508) will be the next Y2K obstacle for IT folks because all of our future software purchases require that the software is accessible. Within the next 18 months we'll have to provide a VPAT [example: http://www.section508.nasa.gov/vpat3.htm] for all software purchases. If your company doesn't know about these yet kiss goodbye to all your government customers.

As for catching spam and viruses we gave up on open-source solutions a long time ago in favor of IronPort appliances. These products negate almost 100% of your effort in maintaining greylists or rulesets. You have plenty of choices out there with very different approaches and you can bet the top-tier companies like MailChannels, IronPort, and Mirapoint (among others) have something to make your life easier.

matthew black network services california state university, long beach 1250 bellflower boulevard long beach, ca 90840-0101
On Tue, 03 Apr 2007 19:39:55 -0400 Valdis.Kletnieks@vt.edu wrote:
On Tue, 03 Apr 2007 15:18:36 PDT, Scott Weeks said:
What I meant was: when only a few folks use email, the spammers will go away.
They won't go away, they'll just go infest whatever the people are using. We're already seeing significant amounts of blog-comment spam, and as soon as the spammers find a good methodology, they'll be Myspace and YouTube spam (if they aren't already)....
MySpace and blog spamming can be cured instantly if users required all public posts to be moderated rather than automatically accepted. Many people see blogging as analogous to newspaper publishing. If you want to be a newspaper publisher, you also need an editor to review content printed in your paper (posted to your blog). I've posted to the Washington Post blogs and their on-line folks read and review each and every post to keep out the spam. Sure it's expensive, but that's the price for quality forums. If you leave a blank canvas for all to use, the taggers will come.

As for YouTube spamming...well, that's like classified advertising. Some people will pay for big bold spots and some people can only afford a two-line ad. If you want to give everyone the opportunity to post for free, you have to accept the garbage. Do you want a content editor to ensure policy compliance or let it be open to all who come?

matthew black network services california state university, long beach 1250 bellflower boulevard long beach, ca 90840-0101