I haven't exactly seen an increase in spam per se; what I have seen is that the spammers are working harder at getting around the RBL and other spam blocks.
Forwarded message:
Has anyone else noticed a surge in the amount of spam email they've been getting? Anyone know the cause? I use RBL but I'm still getting quite a bit.
Tony
--
Tony Bourke tony@vegan.net
-- Richard Shetron multics@ruserved.com multics@acm.rpi.edu NO UCE
What is the Meaning of Life? There is no meaning, It's just a consequence of complex carbon based chemistry; don't worry about it
The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.
On Wed, Aug 09, 2000 at 10:17:00AM -0400, multics@ruserved.com wrote:
I haven't exactly seen an increase in spam per se; what I have seen is that the spammers are working harder at getting around the RBL and other spam blocks.
Forwarded message:
Has anyone else noticed a surge in the amount of spam email they've been getting? Anyone know the cause? I use RBL but I'm still getting quite a bit.
I've also been testing every spam we receive against a small script that looks it up in rbl.maps.vix.com, rss.maps.vix.com, dul.maps.vix.com, relays.orbs.org, and outputs.orbs.org. As much as I prefer the philosophy of RSS and RBL to ORBS, RSS and/or RBL only listed one of the servers from which we've been spammed in the last two or three weeks. ORBS listed most of the spam sent via relay and DUL has actually caught a fair number of 'direct to mx' spams.
I think when we actually start using blackhole lists (within the month) we will select DUL and outputs.orbs.org. I expect that combination to significantly reduce our spam volume.
Ben
-- Ben Beuchler insyte@bitstream.net MAILER-DAEMON (612) 321-9290 x101 Bitstream Underground www.bitstream.net
Ben Beuchler wrote:
I think when we actually start using blackhole lists (within the month) we will select DUL and outputs.orbs.org. I expect that combination to significantly reduce our spam volume.
It should work. Just keep in mind that your use of ORBS may result in blocking a large amount of legitimate traffic as well as spam. If you and your customers don't have a problem with this, go for it.
-- David
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Charlap
Sent: Wednesday, August 09, 2000 8:08 AM
To: nanog@merit.edu
Subject: Re: surge in spam email (fwd)
Ben Beuchler wrote:
I think when we actually start using blackhole lists (within the month) we will select DUL and outputs.orbs.org. I expect that combination to significantly reduce our spam volume.
Is Telstra still being blocked?
It should work.
Just keep in mind that your use of ORBS may result in blocking a large amount of legitimate traffic as well as spam.
If you and your customers don't have a problem with this, go for it.
-- David
On Wed, Aug 09, 2000 at 09:20:07AM -0700, Roeland M.J. Meyer wrote:
Is Telstra still being blocked?
petra:~$ ./spamtest 139.134.5.153
rbl.maps.vix.com =>
rss.maps.vix.com =>
dul.maps.vix.com =>
relays.orbs.org => 127.0.0.4
outputs.orbs.org =>
-- Ben Beuchler insyte@bitstream.net MAILER-DAEMON (612) 321-9290 x101 Bitstream Underground www.bitstream.net
On Wed, Aug 09, 2000 at 11:25:15AM -0500, Ben Beuchler wrote:
On Wed, Aug 09, 2000 at 09:20:07AM -0700, Roeland M.J. Meyer wrote:
Is Telstra still being blocked?
petra:~$ ./spamtest 139.134.5.153
rbl.maps.vix.com =>
rss.maps.vix.com =>
dul.maps.vix.com =>
relays.orbs.org => 127.0.0.4
outputs.orbs.org =>
Note 127.0.0.4 indicates a manual listing -- it doesn't indicate that the relay 139.134.5.153 has been tested and found to be promiscuous.
$ dig txt 153.5.134.139.relays.orbs.org | grep TXT
;; 153.5.134.139.relays.orbs.org, type = TXT, class = IN
153.5.134.139.relays.orbs.org. 86400 TXT "Telstra and \ Optus - spam haveners, refusing to act. "
Highly unscientific research seems to indicate that it's the manual entries that cause the bulk of the false positives when testing for spam using the relays.orbs.org zone.
(What's a "havener"? :)
Joe
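A small lookup script of the kind Ben describes, added here as an example; it is not the ./spamtest script from the thread. It builds the reversed-octet query name for each zone, counts only an answer inside 127.0.0.0/8 as a listing (a zone that has been shut down or parked can start answering with ordinary addresses, and that must not block mail), and takes an injected resolver so it can be exercised offline against a constructed answer that reproduces the 139.134.5.153 output quoted above. The ORBS and vix.com MAPS zone names are used only because the thread names them; none of them is live today. The meaning of a particular 127.0.0.x value (such as 127.0.0.4 for a manual entry) is specific to each zone, so the script reports the value rather than interpreting it. The TXT lookup from Joe's dig command needs a DNS library (dnspython, for instance) rather than the socket module and is left out.

```python
"""DNSBL lookup in the style of the ./spamtest script discussed in the thread.

Added example, not the original script. Zone names come from the thread and
are historical; the resolver is injectable so the logic can be tested offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones named in the thread (kept only to mirror the example; all defunct now).
ZONES: List[str] = [
    "rbl.maps.vix.com",
    "rss.maps.vix.com",
    "dul.maps.vix.com",
    "relays.orbs.org",
    "outputs.orbs.org",
]

LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Return the DNSBL query name: octets reversed, then the zone.

    139.134.5.153 + relays.orbs.org -> 153.5.134.139.relays.orbs.org
    Raises ValueError for anything that is not an IPv4 address, so a
    malformed Received: header cannot turn into a junk query.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listing(answer: Optional[str]) -> bool:
    """Only an A record inside 127.0.0.0/8 counts as a listing.

    A dead or parked zone may answer with a public address (or a wildcard);
    treating that as a hit would block all mail, so it is ignored.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTING_RANGE
    except ValueError:
        return False


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def spamtest(
    ip: str,
    zones: List[str] = ZONES,
    resolve: Callable[[str], Optional[str]] = system_resolver,
) -> Dict[str, Optional[str]]:
    """Query every zone for `ip`; value is the 127.0.0.x code or None."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        results[zone] = answer if is_listing(answer) else None
    return results


def format_report(ip: str, results: Dict[str, Optional[str]]) -> str:
    """Render results in the same 'zone => code' layout as the thread output."""
    lines = [f"./spamtest {ip}"]
    for zone, hit in results.items():
        lines.append(f"{zone} => {hit or ''}")
    return "\n".join(lines)


# Constructed fixture: the single answer the thread shows for 139.134.5.153.
FAKE_ANSWERS: Dict[str, str] = {"153.5.134.139.relays.orbs.org": "127.0.0.4"}


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver returning the constructed answers above."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    ip = "139.134.5.153"
    print(format_report(ip, spamtest(ip, resolve=fake_resolver)))
```

Replace fake_resolver with system_resolver (the default) to query live zones; with the defaults, a zone that no longer exists simply answers NXDOMAIN and shows as unlisted, while one that has been repurposed to answer with public addresses is filtered out by is_listing.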
On Thu, Aug 10, 2000 at 07:21:02AM +1200, Joe Abley wrote:
relays.orbs.org => 127.0.0.4
outputs.orbs.org =>
Note 127.0.0.4 indicates a manual listing -- it doesn't indicate that the relay 139.134.5.153 has been tested and found to be promiscuous.
$ dig txt 153.5.134.139.relays.orbs.org | grep TXT
;; 153.5.134.139.relays.orbs.org, type = TXT, class = IN
153.5.134.139.relays.orbs.org. 86400 TXT "Telstra and \ Optus - spam haveners, refusing to act. "
Highly unscientific research seems to indicate that it's the manual entries that cause the bulk of the false positives when testing for spam using the relays.orbs.org zone.
I agree, which is why I intend to use outputs.orbs.org. It does not contain the manual entries. It supposedly only contains confirmed relays.
Ben
-- Ben Beuchler insyte@bitstream.net MAILER-DAEMON (612) 321-9290 x101 Bitstream Underground www.bitstream.net
Date: Thu, 10 Aug 2000 07:21:02 +1200
From: Joe Abley <jabley@automagic.org>
Subject: Re: surge in spam email (fwd)
On Wed, Aug 09, 2000 at 11:25:15AM -0500, Ben Beuchler wrote:
On Wed, Aug 09, 2000 at 09:20:07AM -0700, Roeland M.J. Meyer wrote:
Is Telstra still being blocked?
petra:~$ ./spamtest 139.134.5.153
rbl.maps.vix.com =>
rss.maps.vix.com =>
dul.maps.vix.com =>
relays.orbs.org => 127.0.0.4
outputs.orbs.org =>
Note 127.0.0.4 indicates a manual listing -- it doesn't indicate that the relay 139.134.5.153 has been tested and found to be promiscuous.
Or, conceivably the relay was tested and found to _not_ be promiscuous. Either way, it's not a story I would want to tell in court.
$ dig txt 153.5.134.139.relays.orbs.org | grep TXT
;; 153.5.134.139.relays.orbs.org, type = TXT, class = IN
153.5.134.139.relays.orbs.org. 86400 TXT "Telstra and \ Optus - spam haveners, refusing to act. "
Highly unscientific research seems to indicate that it's the manual entries that cause the bulk of the false positives when testing for spam using the relays.orbs.org zone.
See above comment... -tjs
[ On Wednesday, August 9, 2000 at 11:08:02 (-0400), David Charlap wrote: ]
Subject: Re: surge in spam email (fwd)
Just keep in mind that your use of ORBS may result in blocking a large amount of legitimate traffic as well as spam.
It's impossible to tell the difference between "legitimate" traffic and unwanted traffic arriving from any mailer that's susceptible to theft of service attacks, and if you want to block lots of spam then you have to block all mail from such mailers. This is also the quickest and most effective way to really get the attention of the admins who control such mailers too, and in doing so put some pressure on them to fix their configurations!
-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
On August 9, 2000 at 12:25 woods@weird.com (Greg A. Woods) wrote:
It's impossible to tell the difference between "legitimate" traffic and unwanted traffic arriving from any mailer that's susceptible to theft of service attacks, and if you want to block lots of spam then you have to block all mail from such mailers. This is also the quickest and most effective way to really get the attention of the admins who control such mailers too, and in doing so put some pressure on them to fix their configurations!
On the other hand they've been at this relay-blocking stuff for years and spam just goes up and up and the spam technology gets better and better. That's the problem, sounds good, no measurables. It all stands on a sales pitch, basically.
From here it looks like spammers are mining relays in the orient and other locales and able to come up with them by the hundreds and switch in seconds automatically if one is blocked.
Attached is a list of 60 different open relays one spammer used on us just yesterday (the number is number of spams sent before we blocked it.)
I say the emperors (ORBS et al) have no clothes, and they're mostly not worth the effort and noise they cause in their campaign to harangue the (mostly) honest by shaking doors to make sure they're locked lest a crook get in. There are just way too many doors and these efforts are kinda like King Knute ordering the tide not to come in (enough metaphors yet?)
We need laws, there are thus far no viable technical solutions to spam, and any claim otherwise is IMHO acting in the spammers' interests (since a legislator would love to punt on the belief that we just need to close a few more relays and the problem is solved.)
Anyhow: Where are the measurables?
119 entoo.connect.com.au
112 mailsite.dmn.com.au
64 root@www.awf.poznan.pl
56 www.nehls.de
51 berbigao.ciberdados.pt
48 margaux.vital.co.uk
48 203.106.85.201
47 scutter.tele2.net.uk
38 host-195.certex.se
36 213.162.13.133
36 202.3.41.183
33 yarrina.connect.com.au
29 203.126.68.25
28 www.franchise.org.au
28 194.216.173.150
27 mail@203.31.165.4
27 203.116.209.155
24 mta2-rme.xtra.co.nz
24 202.138.13.204
23 www.ctonline.it
22 mta1-rme.xtra.co.nz
22 IDENT:root@tulip.swiftech.net.sg
20 wellington.csi.net.uk
19 asterix.rain.fr
18 twtpemr2.acer.com.tw
18 root@loxy.swiftech.net.sg
18 fwuser@c3n12p5.calypso.net
18 194.186.224.133
18 193.222.60.31
17 ubistb.ubi.pt
16 serv2.is1.u-net.net
16 mta3-rme.xtra.co.nz
16 acemail2.acenet.net.au
15 venus.i3-service.de
15 firewall-user@203.103.72.218
14 194.74.63.249
13 relay.iunet.it
12 mta4-rme.xtra.co.nz
11 aslmsin.com.sg
10 domino.sanitrans.org
6 beer.uven.ru
4 194.172.92.34
3 212.35.64.5
2 rubis.promo.oleane.com
2 mitra.conexis.es
2 203.39.3.182
1 zippy.ims.net
1 skate.cape.com
1 posets.cepymearagon.es
1 c3n12p5.calypso.net
1 aloha.webkahuna.com
1 212.34.192.20
1 212.15.64.10
1 210.63.96.18
1 203.62.199.3
1 203.123.5.231
1 195.141.231.195
--
-Barry Shein
Software Tool & Die | bzs@world.std.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
At 3:46 PM -0400 8/9/00, Barry Shein wrote:
We need laws,...
<snip> I dunno,... using your list as a guide, I don't find a lot that US legislators can do... last I heard, .au, .pl, .de, .pt, .uk, .sg, .tw, .fr, .nz, and .es are all outside of the "long arm o' the law". I didn't take the time to see how many of the [IP] and .(com|net|org) entries were actually in the US or were themselves foreign, but the top 6 entries in your list would "laugh at those silly American laws". That puts the majority of spam out of the reach of the law, making the law a useless waste of time. This is definitely an area that self-governance (ORBS, MAPS, et al, choose YOUR personal favorite... "let's not argue over who killed who") is best.
"Derek J. Balling" wrote:
I dunno,... using your list as a guide, I don't find a lot that US legislators can do... last I heard, .au, .pl, .de, .pt, .uk, .sg, .tw, .fr, .nz, and .es are all outside of the "long arm o' the law". I didn't take the time to see how many of the [IP] and .(com|net|org) entries were actually in the US or were themselves foreign, but the top 6 entries in your list would "laugh at those silly American laws". That puts the majority of spam out of the reach of the law, making the law a useless waste of time. This is definitely an area that self-governance (ORBS, MAPS, et al, choose YOUR personal favorite... "let's not argue over who killed who") is best.
Keep in mind that the spam usually doesn't originate from the relay site your computer is receiving it from. Judging from the "send your money here" addresses and phone numbers that I usually find in the spam, the people sending the spam (or the people contracting to have the spam sent) are mostly in the US. With a proper set of laws on the books, law enforcement could simply read the content of the spam to get a phone number, address or PO box, and prosecute whoever owns it. The fact that they abused a foreign server in the process shouldn't change anything.
-- David
On Wed, 9 Aug 2000, David Charlap wrote:
"Derek J. Balling" wrote:
I dunno,... using your list as a guide, I don't find a lot that US legislators can do... last I heard, .au, .pl, .de, .pt, .uk, .sg, .tw, .fr, .nz, and .es are all outside of the "long arm o' the law". I didn't take the time to see how many of the [IP] and .(com|net|org) entries were actually in the US or were themselves foreign, but the top 6 entries in your list would "laugh at those silly American laws". That puts the majority of spam out of the reach of the law, making the law a useless waste of time. This is definitely an area that self-governance (ORBS, MAPS, et al, choose YOUR personal favorite... "let's not argue over who killed who") is best.
Keep in mind that the spam usually doesn't originate from the relay site your computer is receiving it from.
True.
Judging from the "send your money here" addresses and phone numbers that I usually find in the spam, the people sending the spam (or the people contracting to have the spam sent) are mostly in the US.
True.
With a proper set of laws on the books, law enforcement could simply read the content of the spam to get a phone number, address or PO box, and prosecute whoever owns it. The fact that they abused a foreign server in the process shouldn't change anything.
The only problem with that is the simple fact that getting innocent people in trouble is more likely. For example: "Dumb Person A" sends a million SPAMs to anyone who will complain about it. In the message, they put a note telling the recipient to send $5 to "Innocent Victim B"'s Home/PO BOX address. Then person B gets all kinds of complaints, and if the law read the email message, then they would pay the price too.
-Brad
On Wed, 9 Aug 2000, Brad wrote:
On Wed, 9 Aug 2000, David Charlap wrote:
With a proper set of laws on the books, law enforcement could simply read the content of the spam to get a phone number, address or PO box, and prosecute whoever owns it. The fact that they abused a foreign server in the process shouldn't change anything.
The only problem with that is the simple fact that getting innocent people in trouble is more likely. For example: "Dumb Person A" sends a million SPAMs to anyone who will complain about it. In the message, they put a note telling the recipient to send $5 to "Innocent Victim B"'s Home/PO BOX address. Then person B gets all kinds of complaints, and if the law read the email message, then they would pay the price too.
-Brad
This is precisely the problem with some providers' current policy. Case in point: Someone SPAMvertized a website hosted by one of our customers. The SPAM was injected from a UUNet dialup port by one of THEIR customers. What was their response? They threatened to blackhole the /20 that contained the IP address of the website that was SPAMvertized. We try to make our BGP announcements responsibly but actions like this will force us to announce specific /24's, especially when further investigation showed that the individual who SPAMvertized the site had no affiliation with it whatsoever and had done so in an attempt to get the site shut down.
In the conference call with one of our upstreams and UUNet, I asked them if this was their firm policy -- no exceptions -- they blackholed ANY site that was SPAMvertized. I was told yes -- UNTIL I asked what they would do if someone SPAMvertized _THEIR_ site to 10,000,000 newsgroups as a test of their policy.
For what it's worth, we, along with the customer in question, have a ZERO TOLERANCE policy on SPAM. The site in question _was_ shut down during our investigation. Punishing someone without proof that they indeed have done something that is unacceptable is just opening ourselves up for the newest, _EASIEST_ DoS attack ever. Now, a single 14.4 modem connect SPAM injector site can shut down a site sitting on OC192. Tons of bang for the buck to the DoS kiddies, Huh? Want to hurt the IPO of the latest .com to go public? Just SPAMvertize about it.
--- John Fraizer EnterZone, Inc
An interesting idea, but I have recently seen an increase in companies that are sending spam advertising websites/ip addresses of _other_ companies without approval... this means that currently any filters like SpamCop will chase up the owners of that IP space, and with any legalities in place, the "long arm of the law" could fall on the wrong people...
regards, -mvh.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Charlap
Sent: Thursday, August 10, 2000 6:44 AM
To: nanog@merit.edu
Subject: Re: surge in spam email (fwd)
With a proper set of laws on the books, law enforcement could simply read the content of the spam to get a phone number, address or PO box, and prosecute whoever owns it. The fact that they abused a foreign server in the process shouldn't change anything.
-- David
[ On Wednesday, August 9, 2000 at 15:46:37 (-0400), Barry Shein wrote: ]
Subject: Re: surge in spam email (fwd)
On the other hand they've been at this relay-blocking stuff for years and spam just goes up and up and the spam technology gets better and better.
That's the problem, sounds good, no measurables. It all stands on a sales pitch, basically.
True enough. Though I would contend that if even a very few of the major e-mail providers stood up and backed ORBS (or something almost identical to it) that the ability of spammers to send their sales pitches for free would be severely squelched.
Unfortunately ORBS is ineffective in closing open relays because it doesn't cost most open relays enough to leave their broken systems lying about. It's a chicken & egg situation -- if all of the real legitimate e-mail from known open relays was blocked then they'd quickly fix their systems but everyone's playing chicken and nobody wants to stand up in front of the users and tell them they're not allowed to receive any e-mail, legitimate or not, from any known open relay. Some providers say they'll lose customers if they do this (and they may), while others say they'll face an enormous support overload.
I think if *everyone* stood up at once and declared that open relays were bad for us all then there wouldn't be too much trouble because there'd be nowhere for frustrated customers to jump to! ;-)
We need laws, there are thus far no viable technical solutions to spam, and any claim otherwise is IMHO acting in the spammers' interests (since a legislator would love to punt on the belief that we just need to close a few more relays and the problem is solved.)
Anyhow: Where are the measurables?
Laws? Global laws? Where are you going to get those from? Though as a technical solution something like ORBS might not be perfect, and of course it can only react as fast as its users, but any technical solution seems far more attractive than local, unenforceable, laws! Now if we had laws against open relays that might be a different story.... :-)
-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
On Wed, 9 Aug 2000, Greg A. Woods wrote:
It's a chicken & egg situation -- if all of the real legitimate e-mail from known open relays was blocked then they'd quickly fix their systems but everyone's playing chicken and nobody wants to stand up in front of the users and tell them they're not allowed to receive any e-mail, legitimate or not, from any known open relay. Some providers say they'll lose customers if they do this (and they may), while others say they'll face an enormous support overload.
Your biggest roadblock will be the management of such a plan when you cannot even get everyone to agree as to which application to use: MAPs or ORBS or individual filter lists. I haven't seen this group come to a consensus.
I think if *everyone* stood up at once and declared that open relays were bad for us all then there wouldn't be too much trouble because there'd be nowhere for frustrated customers to jump to! ;-)
Ya know, Greg, if everyone in China jumped off a 12 inch stool simultaneously it'd cause a tidal wave which would sweep over the entire United States. Or maybe not. But it's not worth losing sleep over.
I'm not really trying to be too sarcastic, but I think your world-view of what the net has become is anachronistic and the idea that some project like ORBS is going to harass every open-relay in the world, every workstation capable of forwarding mail for example, into behaving better is at this point in time kinda like the Chinese footstool tidal wave (is that from Dr Strangelove? whatever.)
No, we need a legislative approach, with some technical support to help increase the likelihood that spammers who break the law will get caught. But first it has to be illegal, or else it's all for naught.
Put it this way: I consider my house locked up even if I do have glass windows, and even if glass is rather easy to break. If it were legal for a person of ill intent to break the glass to get into my house to rob me the first approach would not in my mind be to board up all the glass unless I really lived in some mad max anarchy. I'd first want to see it made illegal to break into my property. Then, with reasonable diligence, I can enjoy the sunshine and spend my time and money on more important things than trying to engineer it so it's impossible to break in. Or at least I can do the cost/benefit analysis from the situation where it's illegal to break in, rather than just a stupid cat and mouse game as we're currently playing with spammers most of the time.
The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "It would be grand!"
"If seven maids with seven mops
Swept for half a year,
Do you suppose," the walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.
--
-Barry Shein
Software Tool & Die | bzs@world.std.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
[ On Thursday, August 10, 2000 at 15:59:25 (-0400), Barry Shein wrote: ]
Subject: Re: surge in spam email (fwd)
I'm not really trying to be too sarcastic, but I think your world-view of what the net has become is anachronistic and the idea that some project like ORBS is going to harass every open-relay in the world, every workstation capable of forwarding mail for example, into behaving better is at this point in time kinda like the Chinese footstool tidal wave (is that from Dr Strangelove? whatever.)
Ah, but you don't have to harass every open relay -- just enough to get the message across (and in the mean time to keep the spammers at bay). The problem with leaving the teeth out of a system like ORBS is that it's like preaching to the choir -- you never get your message across to the people who can actually do something about the situation. Of course I have to say "everybody" because otherwise nobody'll jump. The trick is to get enough of the big fish to jump -- the rest will be caught in the wave! OK, now, on the count of "three": "One".... ;-)
No, we need a legislative approach, with some technical support to help increase the likelihood that spammers who break the law will get caught. But first it has to be illegal, or else it's all for naught.
Well, relayed spam is likely already illegal, perhaps several times over if the spammer is stupid enough to commit one or more of several often used frauds at the same time. The problem is in getting the right party to complain officially, and of course dealing with the jurisdictional issues. The proof is certainly easy enough to come by in the vast majority of cases, even without the co-operation of the abused system's admin. These issues, along with the fact that a significant portion of spammers are already off-shore, especially for us Canadians, are why I think a technical solution is the only real solution that'll ever stand a chance of success in the long run.
Put it this way: I consider my house locked up even if I do have glass windows, and even if glass is rather easy to break.
If it were legal for a person of ill intent to break the glass to get into my house to rob me the first approach would not in my mind be to board up all the glass unless I really lived in some mad max anarchy.
I'd first want to see it made illegal to break into my property.
So, since it's already illegal for someone to steal services from another, why do so many mailers continue to leave their doors wide open, even during a storm? Shouldn't they at least install a screen door and pretend to latch the hook on it? ;-)
Then, with reasonable diligence, I can enjoy the sunshine and spend my time and money on more important things than trying to engineer it so it's impossible to break in.
Oddly enough fixing most open relays is actually cheaper (and some might even argue easier!) than installing an old broom handle in your patio doors! ;-) The trick is to get the patio door makers to install a physical block in the first place, and then of course even trickier is the problem of getting existing patio door users to install a new set of secure doors. Luckily in the software world it doesn't have to cost quite so much to do such upgrades.
-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
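Greg's point that most open relays are cheap to fix presupposes a way to check whether a mailer relays for third parties at all, which is the test the ORBS probes were doing. What follows is an added example, not code from the thread or from ORBS or MAPS, of the minimal SMTP exchange such a check consists of: EHLO, MAIL FROM with a sender the target does not host, RCPT TO with a recipient it does not host, then RSET and QUIT before any DATA, so no message is ever delivered. The hostname and addresses are assumptions, FakeMTA is a constructed stand-in so the probe runs offline, and probe_host runs the same logic against a real MTA you are authorised to test.

```python
"""Minimal open-relay probe over SMTP.

Added example, not the thread's or ORBS's code. The probe asks the MTA to
accept a recipient it does not host and stops before DATA, so nothing is
relayed even when the answer is yes.
"""
import socket
from typing import List

HELO_NAME = "probe.example"      # assumed name for our side of the session
SENDER = "probe@example.net"     # assumed envelope sender, not hosted by the target
RECIPIENT = "probe@example.org"  # assumed envelope recipient, not hosted by the target


def _read_reply(conn) -> int:
    """Read one SMTP reply, skipping 'NNN-' continuation lines; return the code."""
    while True:
        raw = conn.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3])


def _send(conn, command: str) -> int:
    """Write one command line and return the code of the reply."""
    conn.write((command + "\r\n").encode("ascii"))
    conn.flush()
    return _read_reply(conn)


def probe_relay(conn) -> bool:
    """True if the MTA accepts a RCPT for a domain it does not host.

    `conn` is any object with readline()/write()/flush() over the SMTP
    session. A rejection at MAIL FROM (sender verification, a DNSBL hit on
    our own address) is reported as 'not relaying', not as an error.
    """
    if _read_reply(conn) != 220:
        raise RuntimeError("no 220 banner")
    if _send(conn, f"EHLO {HELO_NAME}") != 250:
        raise RuntimeError("EHLO rejected")
    if _send(conn, f"MAIL FROM:<{SENDER}>") != 250:
        _send(conn, "QUIT")
        return False
    code = _send(conn, f"RCPT TO:<{RECIPIENT}>")
    _send(conn, "RSET")   # abandon the envelope: nothing is ever sent
    _send(conn, "QUIT")
    return 200 <= code < 300


def probe_host(host: str, port: int = 25, timeout: float = 15.0) -> bool:
    """Run probe_relay against a real MTA (only one you are allowed to test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rwb") as conn:
            return probe_relay(conn)


class FakeMTA:
    """Constructed stand-in for a remote MTA so the probe runs offline.

    Accepts RCPT for its own domains, and for everything else only when
    open_relay is True; everything it was asked is kept in `log`.
    """

    def __init__(self, local_domains: List[str], open_relay: bool):
        self.local = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.pending = [b"220 mta.example ESMTP\r\n"]
        self.log: List[str] = []

    def readline(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""

    def flush(self) -> None:
        pass

    def write(self, data: bytes) -> None:
        cmd = data.decode("ascii").strip()
        self.log.append(cmd)
        verb, _, arg = cmd.partition(" ")
        if verb == "EHLO":               # multi-line reply, as real MTAs give
            self.pending += [b"250-mta.example\r\n", b"250 SIZE 10240000\r\n"]
        elif verb == "RCPT":
            domain = arg.split("@")[-1].rstrip(">").lower()
            if self.open_relay or domain in self.local:
                self.pending.append(b"250 2.1.5 Ok\r\n")
            else:
                self.pending.append(b"550 5.7.1 Relaying denied\r\n")
        elif verb == "QUIT":
            self.pending.append(b"221 2.0.0 Bye\r\n")
        else:
            self.pending.append(b"250 2.0.0 Ok\r\n")


if __name__ == "__main__":
    for relays in (False, True):
        mta = FakeMTA(["mta.example"], open_relay=relays)
        print(f"open_relay={relays}: probe says {probe_relay(mta)}")
```

A 250 to RCPT means the MTA accepted the relay, not that a message got through. A 250 for a recipient domain the target legitimately hosts is ordinary inbound delivery, which is why the recipient must lie outside its domains; the same goes for the sender, since many MTAs relay anything whose MAIL FROM is one of their own domains.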
Greg A. Woods Sent: Thursday, August 10, 2000 3:57 PM
Ah, but you don't have to harass every open relay -- just enough to get the message across (and in the mean time to keep the spammers at bay). The problem with leaving the teeth out of a system like ORBS is that it's like preaching to the choir -- you never get your message across to the people who can actually do something about the situation.
The problem is ORBS black-holing Telstra/Optus. This effectively black-holes OZ and NZ, in their entirety. At that point, ORBS credibility is toasted with me. I have also put three major clients with AboveNet. ORBS's blackhole there didn't sit well with me either. BTW, the current client is both in AboveNet and does traffic with OZ. ORBS has used up so many credibility points with me that I am now recommending against any affiliation with ORBS, in any way, shape, or means, whatsoever. Amazingly, our client's connectivity to OZ is now improving. We might even revive this customer. We are also planning to place assets in OZ, and can't afford to have it disconnected from our SJO data center.
I'm not a spam fan, but ORBS is completely out of control and renegade now. I can't condone such irresponsible behaviour. I am routing around the problem. If they had only blocked selected subnets, that I can understand. But to block an entire country, for the sins of a few, is irresponsible. I have now endured two revenue hits because of ORBS ... there won't be a third ... I can't afford it. The trust is broken and won't be restored. BTW, I am revisiting the RBL as well, however, they do seem a bit more responsible over there.
--- R O E L A N D M . J . M E Y E R
CEO, Morgan Hill Software Company, Inc. Managing Architect
Tel: (925)373-3954 Fax: (925)373-9781 http://staff.mhsc.com/rmeyer
On Thu, Aug 10, 2000 at 06:57:04PM -0400, Greg A. Woods wrote:
These issues, along with the fact that a significant portion of spammers are already off-shore, especially for us Canadians, are why I think a technical solution is the only real solution that'll ever stand a chance of success in the long run.
Technical solutions can't solve behavioral problems in the long run, only ever in the short run. That's true 99% of the time, and I have not seen any compelling reason to believe this is different. Quite the opposite, in fact.
oddly enough fixing most open relays is actually cheaper (and some might even argue easier!) than installing an old broom handle in your patio doors! ;-)
You admit "most", but quietly gloss over what happens with the rest.
On 08/10/00, "Greg A. Woods" <woods@weird.com> wrote:
These issues, along with the fact that a significant portion of spammers are already off-shore, especially for us Canadians, are why I think a technical solution is the only real solution that'll ever stand a chance of success in the long run.
How many years have we been attempting technical solutions? Five, six?
I work for MAPS. The RBL and things like it are probably the most effective tools we've got for stopping spammers (note I don't say "stopping spam" -- there are other ways to refuse the largest number of messages, but we want to stop SPAMMERS.) These may look like technical tools, but in truth, boycotts are social -- as they have to be, because spam is, and has always been, a SOCIAL problem.
I was about to rant a whole lot more on this subject, but then I remembered that NANOG is about technical issues, so it'd be out of place. If anybody's curious, please e-mail me off list.
-- J.D. Falk, Product Manager, Mail Abuse Prevention System LLC
"Laughter is the sound that knowledge makes when it's born." -- The Cluetrain Manifesto
Attached is a list of 60 different open relays one spammer used on us just yesterday (the number is number of spams sent before we blocked it.) [...] 119 entoo.connect.com.au [...] 33 yarrina.connect.com.au
Can you forward abuse@connect.com.au a copy of the spam relayed through these machines? There's a good chance we're already aware of this party (if not already actioned it). Neither machine should be an open relay, although downstream customers occasionally do silly things. Also, entoo.connect.com.au has aggressive rate limiting, which should at least frustrate the spammer who signs up for a throwaway account on a Friday night with the intention of spamming all weekend.
--- Andrew McNamara (System Architect) connect.com.au Pty Ltd
Lvl 3, 213 Miller St, North Sydney, NSW 2060, Australia
Phone: +61 2 9409 2117, Fax: +61 2 9409 2111
On Wed, 9 Aug 2000, Greg A. Woods wrote:
It's impossible to tell the difference between "legitimate" traffic and unwanted traffic arriving from any mailer that's susceptible to theft of service attacks, and if you want to block lots of spam then you have to block all mail from such mailers. This is also the quickest and most effective way to really get the attention of the admins who control such mailers too, and in doing so put some pressure on them to fix their configurations!
And the quickest way is to subscribe to a list like the MAPS Relay Spam Stopper or ORBS. (Please, let's not discuss ORBS or MAPS in depth. We don't need another flamewar. Thanks.)
-- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net
Steve Sobol, BOFH - President, Chief Website Architect and Janitor
Linux Instructor, PC/LAN Program, Natl. Institute of Technology, Akron, OH
sjsobol@NorthShoreTechnologies.net - 888.480.4NET - 216.619.2NET
On Wed, 9 Aug 2000, Greg A. Woods wrote:
[ On Wednesday, August 9, 2000 at 11:08:02 (-0400), David Charlap wrote: ]
Subject: Re: surge in spam email (fwd)
Just keep in mind that your use of ORBS may result in blocking a large amount of legitimate traffic as well as spam.
It's impossible to tell the difference between "legitimate" traffic and unwanted traffic arriving from any mailer that's susceptible to theft of service attacks, and if you want to block lots of spam then you have to block all mail from such mailers. This is also the quickest and most effective way to really get the attention of the admins who control such mailers too, and in doing so put some pressure on them to fix their configurations!
An example of legitimate traffic is an email sent from me to a friend at a different provider. I am unable to send this "legitimate" email to friends at other providers because my mail server has been listed in ORBS "manual" entry database since the beginning of the year. The reason: "DoS attack threats".
ORBS failed to mention in their manual entry list that our mail server has never had open relays. We do not block the ORBS testers, and according to ORBS own records, our mail server is secured, properly configured, and does not accept any relay mail -and never has-. ORBS has listed our mail server because some jackass not associated with our company made a DoS attack threat to -obviously- the wrong person. Every attempt to contact ORBS to find out who this person was, what their IP address was, what they said, or any request for any information has gone unanswered and ignored.
If you choose to use ORBS, you -will- block "legitimate" traffic, such as this email, from reaching their intended destinations. ORBS is a personal vendetta list (my $0.02 worth). If anyone can give reason for my mail server being on the ORBS list, I would be glad to entertain their findings.
Thanks,
Brad Baker Director: Network Operations Americanisp brad@americanisp.net 303-984-5700 x12
If you respond to a harris poll email they never stop sending you polls, even when you request them to cease.
"Greg A. Woods" wrote:
[ On Wednesday, August 9, 2000 at 11:08:02 (-0400), David Charlap wrote: ]
Subject: Re: surge in spam email (fwd)
Just keep in mind that your use of ORBS may result in blocking a large amount of legitimate traffic as well as spam.
It's impossible to tell the difference between "legitimate" traffic and unwanted traffic arriving from any mailer that's susceptible to theft of service attacks, and if you want to block lots of spam then you have to block all mail from such mailers. This is also the quickest and most effective way to really get the attention of the admins who control such mailers too, and in doing so put some pressure on them to fix their configurations!
-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
-- Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large            |
| Gigabit over IP, ieee 802.17   |
|--------------------------------|
Henry R. Linneweh
participants (18)
- Andrew McNamara
- Barry Shein
- Ben Beuchler
- Brad
- David Charlap
- Derek J. Balling
- Henry R. Linneweh
- J Bacher
- J.D. Falk
- Joe Abley
- John Fraizer
- Marc Van Hoof
- multics@ruserved.com
- Roeland M.J. Meyer
- Shawn McMahon
- Steven J. Sobol
- Tim Salo
- woods@weird.com