Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Wed, May 08, 2002 at 10:56:12PM +0200, Emile van Bergen wrote:

what has size got to do with it?

Because the distinction between a customer and an ISP is not clear. [...]

that was a tautology. it only matters if you think size is relevant. it doesn't matter in the slightest whether an ISP's customer is another ISP or not.

Using your mentality, then everything always gets escalated to the highest point (since everyone below the top-most ISP is essentially a customer). So... essentially, the highest point is nearly always the network provider... UUnet, Level3, MCIWorldcom... whomever owns the actual physical cable. So, continuing on that, you will have the 4 or 5 big physical network operators, each being responsible for all their downstream customers. An RBL will essentially hold each of these 4 or 5 physical network operators responsible for any spam that originates with their network. How impossible is that? You would essentially be making the big 5 operators Gods of Email... controlling everything. And you would then have the situation that all the customers of, for example, UUnet, would not use any RBL because if they did, and that RBL decided that UUnet was responsible for spam, then they themselves would be blocked (just like many Asian ISPs do not use RBLs because many RBLs just block all mail from Asia, so they would in essence be blocking themselves).

Qwest is an ISP. Is it responsible for mail sent from their ISP customers?

yes. absolutely. without exception. they are responsible for all mail sent by their customers.

Read above, and you will see what will happen from that.

Perhaps they should be. Then, would you say, if a large percentage of their customer ISPs are spamhäuser (plural for spamhaus), should we start blocking all mail from Qwest?

yes. if a significant amount of spam is coming out of qwest and they are doing little or nothing to stop it then they should be black-listed.

Read above, and you will see what will happen from that... if you hold the large providers responsible for all their customers email, the end result is that no users will use the RBL for fear that their own network provider will be blacklisted by the RBL.

At which percentage? How can we measure that? Using spam messages vs. total output perhaps? That sounds remarkably like what Spamcop's doing. So which criteria would *you* choose? You seem to be avoiding that question.

at no percentage. it's about quantity of spam received versus their willingness and/or ability to do something about their spammer customers - as judged by competent people with several years experience in anti-spam activities.

Ah ha... foot in mouth again. A small ISP with, for example, 500 customers, will find it very easy to shut down the account of a spammer. Perhaps you can explain how Hotmail, or any number of large freemail service providers, can do the same just as easily? If you agree that it is harder for large providers to act just as fast as a small provider, then you will see that there IS a difference between the way a small and large provider act regarding complaints and spam. So that, by itself, proves that your logic of size and mail volume does not matter is immediately flawed and incorrect.

technological decisions and judgements should be made by those who are competent to make them, not by democratic processes or by giving equal weight to the opinions of experts and the ignorant/stupid.

Then you think the US democratic process and people, whereby all are given a vote and have the ability to shape the outcome, is stupid. Are you American?

Hence my question. Apparently you see a big and fundamental difference between an ISP, who would be allowed to do direct to MX SMTP, and a customer, who would not be allowed to do direct to MX SMTP.

no, stop putting bullshit words in my mouth. i see a fundamental difference between dynamic IP addresses and static IP addresses.

All your focus seems to go on dynamic IPs... yet you fail to see that those on static IPs will probably have higher bandwidth, and hence can do far more damage than any user on dynamic IPs.

are you being genuinely stupid or is this a deliberate attempt to put straw-man words in my mouth?

Just continue assuming I'm stupid. That's fine with me, if that helps.

you're doing a damn good job of proving that you are stupid.

Of course not. But now I understand. You were basically assuming that everyone agrees that 1. ISP is equivalent to static IPs, and 2. Customer is equivalent to dynamic IP.

stop putting words in my mouth. especially stop putting cretinous words in my mouth.

But that's the way other people see your standpoint... ISP = static IP and allowed to send direct-to-mx mail, Customer = dynamic IP and forced to use upstream's mail servers. Perhaps if people are not seeing your point of view... then it is your problem and not everyone else's?

-- To UNSUBSCRIBE, email to
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Fri, May 10, 2002 at 07:19:27AM +0800, Jason Lim wrote:

On Wed, May 08, 2002 at 10:56:12PM +0200, Emile van Bergen wrote:

what has size got to do with it?

Because the distinction between a customer and an ISP is not clear. [...]

that was a tautology. it only matters if you think size is relevant. it doesn't matter in the slightest whether an ISP's customer is another ISP or not.

Using your mentality, then everything always gets escalated to the highest point (since everyone below the top-most ISP is essentially a customer). So... essentially, the highest point is nearly always the network provider... UUnet, Level3, MCIWorldcom... whomever owns the actual physical cable.

Calm down and think it through. There is a chain of responsibility and any incident can be escalated. If ISP1 is on Sprint and ISP1 takes no action about spam from spammer-leaf-node-on-ISP1, then one needs to escalate to Sprint to take action to enforce aup on ISP1. If it turns out that sprint pipes mail to abuse@ into /dev/null, or even has a yellow contract with ISP1 that permits spam, then what? Or it might be that an ISP is trying to do something about a customer (monsterhut) or is just half-assed. Maybe you use rfc-ignorant.

It's also possible that your standards might not jibe with everyone else's. Me, I think any site sending email that will not accept bounces deserves to go into RBL. Not everyone would even qualify such email as spam, but we do.

You might decide that your customers cannot live without Sprint. You might decide that they cannot live **long term** with such actions. Or you might give them a choice.

-- Christopher F. Miller, Publisher [EMAIL PROTECTED] MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078 http://www.maine.com/ Content/site management, online commerce, internet integration, Debian linux

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Using your mentality, then everything always gets escalated to the highest point (since everyone below the top-most ISP is essentially a customer). So... essentially, the highest point is nearly always the network provider... UUnet, Level3, MCIWorldcom... whomever owns the actual physical cable.

Calm down and think it through. There is a chain of responsibility and any incident can be escalated. If ISP1 is on Sprint and ISP1 takes no action about spam from spammer-leaf-node-on-ISP1, then one needs to escalate to Sprint to take action to enforce aup on ISP1. If it turns out that sprint pipes mail to abuse@ into /dev/null, or even has a yellow contract with ISP1 that permits spam, then what? Or it might be that an ISP is trying to do something about a customer (monsterhut) or is just half-assed. Maybe you use rfc-ignorant.

I understand completely on what you are trying to say. Naturally, if a downstream customer of, for example, UUnet, refuses to take any action against their spamming users, then UUnet must step in to do something. However, my point is... on the actual size of the customer. For example... if the customer was a small ISP with 500 users, then 100 spam complaints against that small ISP would obviously mean something is seriously wrong with that small ISP (technically, or otherwise), and UUnet would be justified in either cutting off the small ISP or doing other similar actions. If the customer was a large ISP with 5M users, then 100 spam complaints doesn't seem so many when you look at it from a top-down picture, and UUnet may not be justified in cutting off that large ISP for those complaints, EVEN THOUGH the number of complaints is the same as the small ISP. Now... if the complaints were 10,000, then obviously they have a problem... if you agree with this thinking, then we are thinking along the terms of ratios and mail volumes, and then we start looking at the methods employed by RBLs like Spamcop. Hence, it makes sense that large customers (such as large ISPs, Universities, etc.) are given more breathing room regarding complaints, and are allowed to handle this more. Does this make sense?

It's also possible that your standards might not jibe with everyone else's. Me, I think any site sending email that will not accept bounces deserves to go into RBL. Not everyone would even qualify such email as spam, but we do.

I thought there was more-or-less a standard definition of spam... unsolicited bulk email. Are bounces going to /dev/null, or such, unsolicited bulk email? Perhaps I am mistaken regarding the definition.

You might decide that your customers cannot live without Sprint. You might decide that they cannot live **long term** with such actions. Or you might give them a choice.

Well... if it was personal email, i could probably accept it. For business email, even a few missed customer emails would be more than unacceptable. So RBLs that employ netblock-wide filters are unacceptable... only ones that target specific IPs would do well as they, obviously, would have less effect than a block on a whole ISP like Sprint. That would mean more spam gets through, but as a business, i think that is better.

Jason
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Yes. But if you want to get rid of _any_ spam, shut down your MTA. Which will yield about the same effect as using Spamcop as a German ISP.

Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?

Why should I? After first noticing GMX in the Spamcop BL, I have simply disabled it on my machines in its entirety. It is my firm opinion that Spamcop sucks, and I don't intend to collaborate with them.

Okay... like I've said before, what do you mean GMX is in Spamcop? Alternatively, I'll ask you this... what would you do if you found GMX in a BL other than Spamcop? You would probably email the list operators (if you can actually FIND them, unlike Spews, BLARS, and other hidden owner RBLs), and tell them that GMX is a big freemail provider, and stuff like that. So why would you handle all other RBLs different from Spamcop?
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
---

Q41: How does one contact SPEWS?

A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above... Note that posting messages in these newsgroups lists will not have any effect on SPEWS listings

the fact is that SPEWS lists known spam sources. this is good. i *WANT* known spam sources to be blocked. I don't want to receive mail from known spam sources. you seem to think that there's something wrong with this.

Okay... in that case, you can block virtually ALL the large network providers and hosting providers like Sprint, UUnet, Level3, etc., because nearly all of them have some sort of spam problem, big or small. I know of virtually no large provider that has not had 1 single complaint of spam about them.

Jason has complained in the past about his IP addresses being listed in spews even though none of them has ever been used for sending spam. Simply because he lives in a country that contains lots of open relays is enough to be listed as a spammer. Is this a better policy than spamcop?

well, then, all he has to do is move to another country. problem solved, right? after all, if it's a documented policy, it must be right and he has no cause to complain...any more than anyone else has cause to complain about spamcop's documented policy.

That is real mature... move to another country. So that is your solution. I think that just about sums up the logic you have about all this.

ISP is (eg. Sprint), they will still block them. In Spamcop's case, it won't ban large ISPs, because if you tell them a general figure for the mail volume, it will take that into consideration.

why the hell should an RBL care how big an ISP is? it's not relevant - they're either part of the spam problem or they're not. size doesn't come into it.

Okay... go ahead and block Sprint, UUnet, Level3, Hotmail, YahooMail, and all other providers with spam complaints.

It is relevant. In my spare time I run two small ISPs in Melbourne. The total user-base of them both is 1000 users, logs are carefully watched, and spam incidence is almost zero. 18 months ago I was running one of Europe's larger ISPs with 500,000 users (probably comparable to the entire online population of Australia). The amount of spam reports was hugely higher as you would expect primarily because of having a larger user base.

it's still not relevant. a host is either a spam problem or not. if it is a problem, then it should be blacklisted regardless of the size of the ISP responsible for it. if it's not a problem, then it shouldn't be listed.

Again, go ahead and block Sprint, UUnet, Level3, Hotmail, YahooMail, and all other providers with spam complaints.

Blocking one of the smaller Melbourne ISPs because of 10 different people complaining about spam in one day is reasonable. But blocking zonnet.nl for less than 500 spam reports would be totally unreasonable!

I think it is all relative. If a small company with 500 users has 100 spam complaints, then obviously their problem is real big and they are having a serious problem... and unless they clean up their act, they are obviously blackhat. On the other hand, Hotmail getting 100 complaints when they have... what... 10M email accounts (or more?), would be plain stupid. It is all relative. And to say otherwise is plainly foolish.

most complaints are self-evidently made by idiots. hardly anyone who is capable of reading headers isn't going to waste their time reporting to spamcop, they're going to maintain their own filters instead, which leaves the vast majority of spamcop reporters being idiots. garbage in, garbage out.

I can read the headers just fine. I use Spamcop because it saves me time. If I was to personally parse all the spams that I get manually, then that's all i'd do all day. I have better things to do... not sure about you.

that's one of the problems with spamcop. if a host deserves to be listed in an RBL, then it should be listed regardless of how large the ISP is. otherwise you end up with notorious spam-havens like uunet being immune to listing no matter how many pink contracts they sign, while small ISPs get listed just because some vermin spammer forged their IP address in a Received line.

I've said it before, and I'll say it again... go ahead and block Sprint, UUnet, Level3, Hotmail, YahooMail, and all other providers with spam complaints.

a bad (i.e. spamhaven) ISP should be blacklisted regardless of their size. good ISPs shouldn't be blacklisted.

Your definition of good and bad is so subjective it isn't worth commenting on. I work with facts and figures. Spamcop does the same... if a host is considered to have above 2% email as spam, or something like that, then it will block that
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002, Craig Sanders wrote:

On Tue, May 07, 2002 at 12:22:26PM +1000, Russell Coker wrote:

[SNIP]

It is relevant. In my spare time I run two small ISPs in Melbourne. The total user-base of them both is 1000 users, logs are carefully watched, and spam incidence is almost zero. 18 months ago I was running one of Europe's larger ISPs with 500,000 users (probably comparable to the entire online population of Australia). The amount of spam reports was hugely higher as you would expect primarily because of having a larger user base.

it's still not relevant. a host is either a spam problem or not. if it is a problem, then it should be blacklisted regardless of the size of the ISP responsible for it. if it's not a problem, then it shouldn't be listed.

That is clear reasoning. However, things become less clear as soon as you go on to define *when* a host must be considered a spam problem then. The criteria for that are never infallible, otherwise we wouldn't even be having this discussion. They are always based on some heuristic that reasons based on indirect data.

So what I don't understand is why you'd consider any heuristic that pulls the size of the host into the equation as invalid a priori? It may be just as valid as anything else.

Saying that only the information may be used whether a host is an open relay is too simple a way out of this discussion. Sure, that criterion is easy enough; there are no negative consequences at all to closing the MTA, so the errors in the reasoning (spam often comes through open relays, therefore all open relays are spam sources) don't really matter because anybody can and should fix the problem anyway. Also, not unimportantly, you can perform a conclusive test without manual intervention.

However, this doesn't solve the problem at hand: spammers that just spam from their IPs directly to recipients' MXes are not included at all in this heuristic. I hope you can follow the argument that it would be desirable to do something about *that* as well, and that it makes sense for people to try and devise some heuristic that shows correlation between its output and whether a host is a spam problem.

Then, you may consider Spamcop's heuristic bad, sure. But so far it's the only serious attempt of attacking the problems that are left once you take the open relays out. If you have a better way to decide whether a host is a direct spam source than Spamcop's (effectively the complaints / output volume ratio), then by all means, please share your wisdom. We may learn something. Even a heuristic that would leave out the complaints and use e.g. Spamassassin's rules, you'd still need to factor in the output volume.

And it makes sense too, you know. If you would just change 'host' to 'person'. At which point do you suggest to punish someone by disconnecting him from the internet? After sending one spam message? Two? Even if he sends a lot of other, highly esteemed mail, contributing greatly to arts and sciences? The point is, you'll inevitably arrive at some ratio to the total number of messages sent. There's not only nothing wrong with Spamcop using that.

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153 | http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 17:44, Jason Lim wrote:

Jason has complained in the past about his IP addresses being listed in spews even though none of them has ever been used for sending spam. Simply because he lives in a country that contains lots of open relays is enough to be listed as a spammer. Is this a better policy than spamcop?

well, then, all he has to do is move to another country. problem solved, right? after all, if it's a documented policy, it must be right and he has no cause to complain...any more than anyone else has cause to complain about spamcop's documented policy.

That is real mature... move to another country. So that is your solution. I think that just about sums up the logic you have about all this.

I think that Craig was trying to draw an analogy between my position on SpamCop and the position some people take regarding SPEWS.

capable of reading headers isn't going to waste their time reporting to spamcop, they're going to maintain their own filters instead, which leaves the vast majority of spamcop reporters being idiots. garbage in, garbage out.

I can read the headers just fine. I use Spamcop because it saves me time. If I was to personally parse all the spams that I get manually, then that's all i'd do all day. I have better things to do... not sure about you.

Same here, that's why I use SpamCop. Also I'll trust the scripts of SpamCop to parse the headers correctly rather than my own ability, presumably the SpamCop admins know better how to parse such headers than I do, and scripts are not going to mis-read things or make typos...

No one is asking you for every spam you receive. Give 1 example. And even if 1 example got through, the Spamcop admins (check the newsgroups and mailing lists) are constantly tweaking and improving the code used to identify spam. So even IF your example does prove to be true (which you have no proof or example of) then tell Spamcop and they will analyse it.

Yes, presumably the SpamCop admins could be discredited if someone proves that their scripts mis-diagnose spam sources and they fail to fix them. So someone who dislikes SpamCop could attack them by publishing information on how to defeat their scripts...

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 15:57, Marc Haber wrote:

On Tue, 7 May 2002 01:49, Marc Haber wrote:

Yes. But if you want to get rid of _any_ spam, shut down your MTA. Which will yield about the same effect as using Spamcop as a German ISP.

Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?

Why should I? After first noticing GMX in the Spamcop BL, I have simply disabled it on my machines in its entirety. It is my firm opinion that Spamcop sucks, and I don't intend to collaborate with them. There are much better blocking lists than the one with the highest false positive rate.

I currently use the following black lists, and IMHO none of them give false positives. bl.spamcop.net, blackholes.mail-abuse.org, dialups.mail-abuse.org, relays.mail-abuse.org, relays.osirusoft.com, relays.ordb.org, dnsbl.njabl.org, abuse.rfc-ignorant.org, postmaster.rfc-ignorant.org

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
NOTE: unless you have something worthwhile and DIFFERENT to say, go away and stop bothering me. i'm not at all interested in the brain-damaged opinions of a moron, and this thread got very boring a long time ago.

On Tue, May 07, 2002 at 05:44:39PM +1000, Jason Lim wrote:

the fact is that SPEWS lists known spam sources. this is good. i *WANT* known spam sources to be blocked. I don't want to receive mail from known spam sources. you seem to think that there's something wrong with this.

Okay... in that case, you can block virtually ALL the large network providers and hosting providers like Sprint, UUnet, Level3, etc., because nearly all of them have some sort of spam problem, big or small. I know of virtually no large provider that has not had 1 single complaint of spam about them.

if they are running an open relay then i will block them. if they allow spammers to hide on their network then i will block them. big isp's will only stop signing pink contracts if it costs them more than they gain.

That is real mature... move to another country. So that is your solution. I think that just about sums up the logic you have about all this.

you must be an american - you can't recognise sarcasm unless it has ...NOT! on the end.

why the hell should an RBL care how big an ISP is? it's not relevant - they're either part of the spam problem or they're not. size doesn't come into it.

Okay... go ahead and block Sprint, UUnet, Level3, Hotmail, YahooMail, and all other providers with spam complaints.

i don't have a problem with blocking servers belonging to any of the above - if they are part of the spam problem (whether due to incompetence or greed), they should be black-listed.

On the other hand, Hotmail getting 100 complaints when they have... what... 10M email accounts (or more?), would be plain stupid.

if hotmail runs an open relay then it should be black-listed.

It is all relative. And to say otherwise is plainly foolish.

no, it's not relative. there is an absolute, black-and-white criteria which you are too stupid to see: if a site is part of the spam problem then it should be black-listed. if it is not part of the problem then it shouldn't be listed.

most complaints are self-evidently made by idiots. hardly anyone who is capable of reading headers isn't going to waste their time reporting to spamcop, they're going to maintain their own filters instead, which leaves the vast majority of spamcop reporters being idiots. garbage in, garbage out.

I can read the headers just fine. I use Spamcop because it saves me time.

thank you for being an example to support my argument.

a bad (i.e. spamhaven) ISP should be blacklisted regardless of their size. good ISPs shouldn't be blacklisted.

Your definition of good and bad is so subjective it isn't worth commenting on.

to the contrary, your lowbrow definition is subjective - relying on arbitrary and irrelevant criteria like ISP size. mine is purely objective: is a site part of the spam problem or not? do they originate or relay spam? if yes, then they are bad so blacklist them. if not, then don't.

I work with facts and figures. Spamcop does the same... if a host is considered to have above 2% email as spam, or something like that, then it will block that host. So therefore, if UUnet (good or bad) sends out 10M emails per day, and Spam complaints are 1000, then okay... but if a tiny host sends out 500K emails, and spam complaints are also 1K, then obviously they have a problem.

this idea is brain-damaged. all it does is allow spammers to hide in the volume of larger ISP...they can get away with spamming (and the ISP can get away with signing pink contracts) as long as they keep the spam under X percent of the total volume. that's why i don't like spamcop. they are nothing but crappy implementations of stupid ideas.

I've said it before, but you obviously don't get it.

i get what you said. the problem is not my comprehension, but the fact that you are wrong. both your example hosts above have a spam problem. both should be fixed. hosting or relaying for a spammer is not suddenly OK just because you send millions of emails a day. it's wrong if you send only 1 email/day, and it's still wrong if you send 10 billion emails/day.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 10:25:12AM +0200, Emile van Bergen wrote:

On Tue, 7 May 2002, Craig Sanders wrote:

no, it's not relative. there is an absolute, black-and-white criteria which you are too stupid to see: if a site is part of the spam problem then it should be black-listed. if it is not part of the problem then it shouldn't be listed.

Pray tell then, *when* is a site part of the spam problem? Please share your infallible, absolute, black-and-white criteria for that, because obviously we were missing it all along.

yes, you have missed it because i've mentioned it several times in this thread. here it is spelt out so that even you or jason should be able to understand it:

1. is the site an open relay?
2. is the site a spam source?
3. does the site host any spamvertised sites?
4. does the site provide any other spam support services?

if any of the above are true, then the site should be black-listed. regardless of company size.

see, the criteria are very simple: are they spammers or do they assist spammers? no subjectivity, no exceptions, no different rules for the big end of town.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Hi,

On Tue, 7 May 2002, Craig Sanders wrote:

On Tue, May 07, 2002 at 10:25:12AM +0200, Emile van Bergen wrote:

On Tue, 7 May 2002, Craig Sanders wrote:

no, it's not relative. there is an absolute, black-and-white criteria which you are too stupid to see: if a site is part of the spam problem then it should be black-listed. if it is not part of the problem then it shouldn't be listed.

Pray tell then, *when* is a site part of the spam problem? Please share your infallible, absolute, black-and-white criteria for that, because obviously we were missing it all along.

yes, you have missed it because i've mentioned it several times in this thread. here it is spelt out so that even you or jason should be able to understand it:

1. is the site an open relay?

That is a good one, but doesn't catch all cases. You recognise that too:

2. is the site a spam source?

That's my point. *Where* is your threshold? *When* do you, with absolute certainty, conclude that a site is a spam source?

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153 | http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 18:21, Emile van Bergen wrote:

I currently use the following black lists, and IMHO none of them give false positives. [SNIP] dialups.mail-abuse.org,

You must be kidding. This is a list that considers people who don't use their provider's MTA as trespassers (quote from MAPS' information page about this list), and assumes dialup/DSL people to be guilty by default. Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

No it is a quite sensible way of doing it. When an ISP has 64,000 phone lines with associated IP addresses in active use then a spammer can just make repeated connections with different IP addresses to send out spam. Blocking one of the IP addresses used by a dial-up will do no good, as the person using it by that time probably isn't the spammer!

Also you have to take some action against the ISP when spam goes through their network. Some time ago I was working for an ISP where the help-desk workers (the people who read postmaster email) were very unwilling to communicate in any language other than Dutch. They only grudgingly started communicating with me (the most senior member of the Unix admin team) after I promised to pursue the matter through the chain of command and get their boss reprimanded if something didn't happen!

If you did get the help-desk people to read your complaint about spam (which would be unlikely if it wasn't written in Dutch) then there was only the smallest possibility that it might be forwarded to me as user [EMAIL PROTECTED] was spammed by someone from our site (without any headers, IP addresses, or time stamps), so I'd just delete the message as attempting to get the full details was more pain than it was worth. Also flaming the ISP in the nl.* usenet groups generally didn't do any good (although there was one single occasion when an intelligent person translated one of the flames to English and sent it to me and I then fixed it).

The only solution to such a situation is to block dial-ups and then block the outbound relays from the ISP if they are used for spam. Blocking outbound mail is something that makes everyone take notice, and then people like me get the support they need to get things done.

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 10:21:30AM +0200, Emile van Bergen wrote:
On Tue, 7 May 2002, Russell Coker wrote:

I currently use the following black lists, and IMHO none of them give false positives. [SNIP] dialups.mail-abuse.org,

btw, dynablock.wirehub.net is better. unlike the MAPS DUL it is updated regularly. it's also a free service.

You must be kidding. This is a list that considers people who don't use their provider's MTA as trespassers (quote from MAPS' information page about this list),

you don't have to use your dialup ISP's mail server. you are free to use any reputable mail server on the net (e.g. via uucp over tcp).

and assumes dialup/DSL people to be guilty by default.

Dynamic IP address is the criteria. seems like a perfectly reasonable assumption to me. in my experience, all mail which comes directly from a dynamic IP *IS* spam.

the tiny handful of hobbyists with their own domains hosted on a dynamic IP with linux or freebsd should quit whining and use their ISP's mail server. or get themselves a uucp over tcp mail feed. or batched smtp over ssh. or similar. frankly, if they're not competent to do any of these things then they're not competent enough to be running a mail server on the internet.

Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

making ISPs responsible for the mail sent by their customers is the ONLY thing that actually works.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 18:55, Craig Sanders wrote:

Dynamic IP address is the criteria. seems like a perfectly reasonable assumption to me. in my experience, all mail which comes directly from a dynamic IP *IS* spam. the tiny handful of hobbyists with their own domains hosted on a dynamic IP with linux or freebsd should quit whining and use their ISP's mail server. or get themselves a uucp over tcp mail feed. or batched smtp over ssh. or similar. frankly, if they're not competent to do any of these things then they're not competent enough to be running a mail server on the internet.

Absolutely. Finding a suitable server to relay through is not that difficult. Relaying mail securely through ssh tunnels prevents unauthorised use and only requires a server with ssh access that accepts [127.0.0.1]25 connections.

On a few occasions after discussions such as this one I have offered an ssh account on one of my servers for such purposes to one of the people involved in the discussion, but then it always seems to turn out that they don't REALLY want to solve an email problem, they just want to argue about spam politics.

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002, Craig Sanders wrote:

and assumes dialup/DSL people to be guilty by default.

Dynamic IP address is the criteria.

Ok, if that's the *only* criteria I don't have a problem with it.

Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

making ISPs responsible for the mail sent by their customers is the ONLY thing that actually works.

I don't get this. In the other thread you advocate that site size shouldn't matter, and I agree to that when it comes to this thing. Following this reasoning, would you want to force an ISP that only has a single connection also to deliver all their mail through that upstream ISP's MTAs, purely for accountability purposes? That's nonsense. Hopefully DUL indeed only lists dynamic IP blocks.

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153| http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 18:41, Craig Sanders wrote:

yes, you have missed it because i've mentioned it several times in this thread. here it is spelt out so that even you or jason should be able to understand it:

1. is the site an open relay?

Most people here agree on this, but you'll still see some debate, particularly about the distinction between relays that are merely open and relays that have been actively abused. Some people think that we shouldn't block an open relay until it's spammed us.

2. is the site a spam source?

What is a spam source? If one of your customers suddenly starts sending out spam does that make you a spam source? What if they do it just after the chief admin has gone on holidays and the junior people make spam blocking a low priority?

3. does the site host any spamvertised sites?

That is not inherently wrong. If someone who is paying one of my clients for legitimate web serving and spamvertises it through another ISP then I won't immediately take the site down. Firstly it's an issue for the other ISP to stop the spam being sent. Then I have to be convinced that the spam was sent out by the owner of the site before I will consider taking it down (otherwise if you don't like a site you can spamvertise it to get it taken down).

4. does the site provide any other spam support services?

OK, but that's difficult to determine.

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Okay... in that case, you can block virtually ALL the large network providers and hosting providers like Sprint, UUnet, Level3, etc., because nearly all of them have some sort of spam problem, big or small. I know of virtually no large provider that has not had 1 single complaint of spam about them.

if they are running an open relay then i will block them. if they allow spammers to hide on their network then i will block them.

You are *ONLY* concerned with open relays? What about all the spam that is direct to MX or uses the ISP's mail server?

why the hell should an RBL care how big an ISP is? it's not relevant - they're either part of the spam problem or they're not. size doesn't come into it.

Okay... go ahead and block Sprint, UUnet, Level3, Hotmail, YahooMail, and all other providers with spam complaints.

i don't have a problem with blocking servers belonging to any of the above - if they are part of the spam problem (whether due to incompetence or greed), they should be black-listed.

Ah ha... but Sprint was blocked by some RBLs... not just an IP or server of Sprint, all of Sprint's netblocks. Apparently, as you say, that is the only way for them to wake up (as collateral damage costs the ISP money), and that is how all the manual RBLs work. Spamcop blocks individual IPs... ah... are you contradicting yourself?

On the other hand, Hotmail getting 100 complaints when they have... what... 10M email accounts (or more?), would be plain stupid.

if hotmail runs an open relay then it should be black-listed.

It is all relative. And to say otherwise is plainly foolish.

no, it's not relative. there is an absolute, black-and-white criteria which you are too stupid to see: if a site is part of the spam problem then it should be black-listed. if it is not part of the problem then it shouldn't be listed.

Then go ahead and block UUnet's netblocks, as well as Sprint, Level3, and all the other big company's netblocks, because I doubt you will find one big company with a spotless spam record.

a bad (i.e. spamhaven) ISP should be blacklisted regardless of their size. good ISPs shouldn't be blacklisted.

Your definition of good and bad is so subjective it isn't worth commenting on.

to the contrary, your lowbrow definition is subjective - relying on arbitrary and irrelevant criteria like ISP size.

An ISP's size is arbitrary and irrelevant, while good and bad is clear. If you say so.

mine is purely objective: is a site part of the spam problem or not? do they originate or relay spam? if yes, then they are bad so blacklist them. if not, then don't.

THEN go ahead and block UUnet's netblocks, as spam is proven to originate with them. Sprint, Level3, Reach, and a whole host of the big networks all have proven to have spam originate with them. Go ahead and blacklist them, and see what you are left with.

I work with facts and figures. Spamcop does the same... if a host is considered to have above 2% email as spam, or something like that, then it will block that host. So therefore, if UUnet (good or bad) sends out 10M emails per day, and Spam complaints are 1000, then okay... but if a tiny host sends out 500K emails, and spam complaints are also 1K, then obviously they have a problem.

this idea is brain-damaged. all it does is allow spammers to hide in the volume of larger ISP...they can get away with spamming (and the ISP can get away with signing pink contracts) as long as they keep the spam under X percent of the total volume.

Well, if they did that, then obviously the volume of spam would rise, and then the % of spam to email volume would increase, and hence they would end up blocked.

hosting or relaying for a spammer is not suddenly OK just because you send millions of emails a day. it's wrong if you send only 1 email/day, and it's still wrong if you send 10 billion emails/day.

Very good. Then please, go ahead and block virtually every large host (and since you said even tiny hosts with 1 email/day), and every small host with any spam complaints against it.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
[SNIP]

no, it's not relative. there is an absolute, black-and-white criteria which you are too stupid to see: if a site is part of the spam problem then it should be black-listed. if it is not part of the problem then it shouldn't be listed.

Pray tell then, *when* is a site part of the spam problem? Please share your infallible, absolute, black-and-white criteria for that, because obviously we were missing it all along.

And if he can answer that, we've solved the spam problem altogether! Fantastic!
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
2. is the site a spam source?

That's my point. *Where* is your threshold? *When* do you, with absolute certainty, conclude that a site is a spam source?

Actually, he sort of answered you... if any of the above are true, then the site should be black-listed. regardless of company size. So, with 1 spam complaint against it, regardless of size, then that company should be blacklisted.

I am still wondering why he hasn't blacklisted UUnet, Level3, and other large ISP's netblocks, since many of them do have spam originate with them.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002, Russell Coker wrote:
On Tue, 7 May 2002 18:21, Emile van Bergen wrote:

You must be kidding. This is a list that considers people who don't use their provider's MTA as trespassers (quote from MAPS' information page about this list), and assumes dialup/DSL people to be guilty by default. Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

No it is a quite sensible way of doing it. When an ISP has 64,000 phone lines with associated IP addresses in active use then a spammer can just make repeated connections with different IP addresses to send out spam. Blocking one of the IP addresses used by a dial-up will do no good, as the person using it by that time probably isn't the spammer!

Of course. As said, if the list causes only people with *dynamic* IPs to be forced to use their ISP's MTA, I'd agree that it's a very good idea.

But if we start using a policy that declares all endpoint-to-endpoint mail illegal, allowing the direct to MX SMTP privilege only to large(r) sites, then we'll set ourselves back to some form of uucp, and practically start to advocate a single policing global mail hub that's in the end responsible for everyone's mail. I'm sure it would require a MS Passport account ;-)

I'd *hate* that to happen -- it defeats the point of the internet itself, where individual people aren't just hapless consumers but can be producers as well if they choose to.

[SNIP good points about pressuring ISPs to act responsibly]

But where do you stop the accountability chain? At which point (size!) do sites become responsible for their own actions? Indeed, the only sensible answer seems to be if it has a fixed IP address. Not whether they are intermittently connected, whether they use PPP, or what their bandwidth is. That has nothing to do with it. In short, dialup is the wrong name. It should be dynamic IP.

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153| http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
1. is the site an open relay?

Most people here agree on this, but you'll still see some debate, particularly about the distinction between relays that are merely open and relays that have been actively abused. Some people think that we shouldn't block an open relay until it's spammed us.

I believe in innocent until proven guilty. But that's me.

And I also believe in it, because it is very possible that one of the tests to determine if it is an open-relay is braindead... what if I made a mail server that pretends it will relay email, but in fact does not, and actually records the IP that tried to abuse the open relay and reports it to the admins (i consider that very whitehat)? My point is that the test is not foolproof either... unlike your everything is black and white stance.

This world is not black or white... if only it were.

3. does the site host any spamvertised sites?

That is not inherently wrong. If someone who is paying one of my clients for legitimate web serving and spamvertises it through another ISP then I won't immediately take the site down. Firstly it's an issue for the other ISP to stop the spam being sent. Then I have to be convinced that the spam was sent out by the owner of the site before I will consider taking it down (otherwise if you don't like a site you can spamvertise it to get it taken down).

Actually, we have experienced this. A number of our clients have those affiliate programs, and every now and then, one of their affiliates decides to promote via spam. We will not take them down straight away... because we have worked with our clients and know they will remove that affiliate.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Of course. As said, if the list causes only people with *dynamic* IPs to be forced to use their ISP's MTA, I'd agree that it's a very good idea.

Very good idea... but how is the RBL going to stay so up-to-date with what is static, what is dynamic, etc.? It sounds good, but would be a logistic and administrative nightmare to keep it all current. Or has this been automated (or some other way)?

But if we start using a policy that declares all endpoint-to-endpoint mail illegal, allowing the direct to MX SMTP privilege only to large(r) sites, then we'll set ourselves back to some form of uucp, and practically start to advocate a single policing global mail hub that's in the end responsible for everyone's mail. I'm sure it would require a MS Passport account ;-)

Good grief... don't give Micro$oft any MORE ideas ;-)

But where do you stop the accountability chain? At which point (size!) do sites become responsible for their own actions? Indeed, the only sensible answer seems to be if it has a fixed IP address. Not whether they are intermittently connected, whether they use PPP, or what their bandwidth is. That has nothing to do with it. In short, dialup is the wrong name. It should be dynamic IP.

This sounds good to me. If it is a dynamic IP, then they can keep redialing (if dialup) and hence get around Spamcop's blocks. SO, block the dynamic IPs, then use Spamcop to handle the static IPs.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002, Jason Lim wrote:

Of course. As said, if the list causes only people with *dynamic* IPs to be forced to use their ISP's MTA, I'd agree that it's a very good idea.

Very good idea... but how is the RBL going to stay so up-to-date with what is static, what is dynamic, etc.? It sounds good, but would be a logistic and administrative nightmare to keep it all current. Or has this been automated (or some other way)?

See http://www.mail-abuse.org/dul/adding.htm.

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153| http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 19:48, Jason Lim wrote:

And I also believe in it, because it is very possible that one of the tests to determine if it is an open-relay is braindead... what if I made a mail server that pretends it will relay email, but in fact does not, and actually records the IP that tried to abuse the open relay and reports it to the admins (i consider that very whitehat)? My point is that the test is not foolproof either... unlike your everything is black and white stance.

If you can send a cryptographically signed message to a mail server outside your network and addressed to a machine in your network, if you receive it at its destination and the crypto sign matches then you know it's an open relay.

This world is not black or white... if only it were.

Open relay tests are very black or white.

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
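The delivery-based relay test described in the message above, sketched as an added example that is not part of the original thread or any poster's code: a probe counts as proof only if it arrives in the tester's own mailbox with a valid MAC, so a server that merely answers "accepted" and then discards the message is never classified as open. The header names, addresses and the HMAC construction are assumptions chosen for illustration; no network traffic is generated.

```python
import hashlib
import hmac
import secrets
import time
from email import message_from_string

# Secret held only by the tester; neither the relay nor a forger ever sees it.
PROBE_KEY = secrets.token_bytes(32)


def _mac(payload):
    return hmac.new(PROBE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_probe(relay_ip, inbox, now=None):
    """Return the raw probe to hand to relay_ip, addressed to our own inbox."""
    issued = int(time.time() if now is None else now)
    payload = f"{relay_ip}|{inbox}|{issued}|{secrets.token_hex(8)}"
    return (
        "From: relaytest@tester.example\n"
        f"To: {inbox}\n"
        "Subject: relay probe\n"
        f"X-Relay-Probe: {payload}\n"          # hypothetical header names
        f"X-Relay-Probe-MAC: {_mac(payload)}\n"
        "\n"
        "Automated open-relay test message.\n"
    )


def verify_delivery(raw, seen_nonces, max_age=3600, now=None):
    """Return the relay IP that a delivered message proves open, else None."""
    msg = message_from_string(raw)
    payload = (msg.get("X-Relay-Probe") or "").strip()
    tag = (msg.get("X-Relay-Probe-MAC") or "").strip()
    if not hmac.compare_digest(_mac(payload).encode(), tag.encode()):
        return None                      # forged or altered: proves nothing
    relay_ip, _inbox, issued, nonce = payload.split("|")
    current = time.time() if now is None else now
    if current - int(issued) > max_age or nonce in seen_nonces:
        return None                      # stale or replayed probe
    seen_nonces.add(nonce)
    return relay_ip


def classify(relay_ip, delivered, seen_nonces, now=None):
    """Only a verified delivery is evidence; SMTP acceptance alone is not."""
    for raw in delivered:
        if verify_delivery(raw, seen_nonces, now=now) == relay_ip:
            return "open relay (proven by delivery)"
    return "not proven"


def demo():
    # Constructed scenario, documentation addresses only.
    inbox = "probe-inbox@tester.example"
    real = make_probe("192.0.2.25", inbox, now=1000)
    relayed = "Received: from tester.example by relay.example\n" + real
    forged = make_probe("203.0.113.9", inbox, now=1000).replace(
        "X-Relay-Probe-MAC: ", "X-Relay-Probe-MAC: 00")
    return {
        "192.0.2.25": classify("192.0.2.25", [relayed], set(), now=1100),
        # Decoy server: said "250 OK" to the probe but delivered nothing.
        "198.51.100.7": classify("198.51.100.7", [], set(), now=1100),
        "203.0.113.9": classify("203.0.113.9", [forged], set(), now=1100),
    }


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(host, "->", verdict)
```
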
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 06:55:29PM +1000, Craig Sanders wrote:
On Tue, May 07, 2002 at 10:21:30AM +0200, Emile van Bergen wrote:

and assumes dialup/DSL people to be guilty by default.

Dynamic IP address is the criteria. seems like a perfectly reasonable assumption to me. in my experience, all mail which comes directly from a dynamic IP *IS* spam. the tiny handful of hobbyists with their own domains hosted on a dynamic IP with linux or freebsd should quit whining and use their ISP's mail server. or get themselves a uucp over tcp mail feed. or batched smtp over ssh. or similar. frankly, if they're not competent to do any of these things then they're not competent enough to be running a mail server on the internet.

We operate in one of the older RoadRunner areas and have been providing that service for years for hobbyists. 100:1 any such hobbyist can find that equivalent anywhere in the world.

Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

making ISPs responsible for the mail sent by their customers is the ONLY thing that actually works.

Yes, and the only times we've been blacklisted was when our customers turned out to be running open relays on their shiny new NT boxes.

Many cable modem systems provide static addresses. This gets really sticky, because lately we've been getting a lot of spam from them. The local abuse/postmaster@isp merely disclaims responsibility and forwards complaints to the operator. Just local here in Portland Maine there are some 3000 businesses on cable; as more and more of them start running their own SMTP servers and plugging in CDROM email databases this problem will mushroom.

The damage a spammer can do from dialup is nothing compared to what he can do on a 2M cable connection with a linux box and powerful MTA. The only entity that can do anything is the ISP. They have to be responsible for the mail their customers send.

cfm

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch

-- Christopher F. Miller, Publisher [EMAIL PROTECTED] MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039 1.207.657.5078 http://www.maine.com/ Content/site management, online commerce, internet integration, Debian linux
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
Hi,

On Tue, 7 May 2002, [EMAIL PROTECTED] wrote:
On Tue, May 07, 2002 at 06:55:29PM +1000, Craig Sanders wrote:
On Tue, May 07, 2002 at 10:21:30AM +0200, Emile van Bergen wrote:

Making the ISP accountable for the mail sent by their customers by having it forced through their MTA in this way is a senseless way of approaching the problem, IMHO.

making ISPs responsible for the mail sent by their customers is the ONLY thing that actually works.

Don't skip the part that says by having it forced through the ISP's MTA. I agree with the point of holding ISPs responsible for spammers on their network, just not with the 'solution' of forcing all mail to go through their MTA, at least when static IPs are concerned. They can be blocked on an IP-by-IP basis, and the ISP can easily disconnect the customer to which the IP belongs.

Yes, and the only times we've been blacklisted was when our customers turned out to be running open relays on their shiny new NT boxes. Many cable modem systems provide static addresses. This gets really sticky, because lately we've been getting a lot of spam from them. The local abuse/postmaster@isp merely disclaims responsibility and forwards complaints to the operator. Just local here in Portland Maine there are some 3000 businesses on cable; as more and more of them start running their own SMTP servers and plugging in CDROM email databases this problem will mushroom. The damage a spammer can do from dialup is nothing compared to what he can do on a 2M cable connection with a linux box and powerful MTA. The only entity that can do anything is the ISP. They have to be responsible for the mail their customers send.

That's all fine, but then the solution is to hold the ISP responsible if he leaves a known spammer connected, *not* to force their customers to use their MTA. Both the connectivity and the MTA service are subject to some acceptable use policy.

The ISP does not need the MTA as an extra gatekeeper for blocking spammers - he can just disconnect them, if he's good willing. If he isn't, the rest of the world does not need to be able to block an ISP's MTA to be able to pressure the ISP to disconnect spammers; they can just block his customer netblocks instead.

That's a much cleaner solution than to force sites (that have a static IP) to use some ISP's MTA, because you don't have to decide at which size or connectedness you draw the line.

Cheers, Emile.

-- E-Advies / Emile van Bergen | [EMAIL PROTECTED] tel. +31 (0)70 3906153| http://www.e-advies.info
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Sun, May 05, 2002 at 11:48:10PM +1000, Jason Lim wrote:

This is why Spamcop's collateral damage is much lower than others in that it does not block entire ranges, and which is why it is suitable for an ISP or Hosting company to use.

both of the above assertions are false. spamcop does NOT have lower (let alone much lower) collateral damage than other RBL's - in fact, it has a MUCH HIGHER level of collateral damage than professionally run RBLs.

Nor is it at all suitable for use by ISP or hosting companies. at best, it might be suitable for use by a hobbyist who didn't care much about collateral damage.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Sun, May 05, 2002 at 11:48:10PM +1000, Jason Lim wrote:

This is why Spamcop's collateral damage is much lower than others in that it does not block entire ranges, and which is why it is suitable for an ISP or Hosting company to use.

both of the above assertions are false. spamcop does NOT have lower (let alone much lower) collateral damage than other RBL's - in fact, it has a MUCH HIGHER level of collateral damage than professionally run RBLs. Nor is it at all suitable for use by ISP or hosting companies. at best, it might be suitable for use by a hobbyist who didn't care much about collateral damage.

It would be useful if you backed up your point with some sort of evidence or proof. My point is that the collateral damage is lower, due to the fact that entire IP ranges are not blocked, and hence it is useful for hosting companies and ISPs. What is yours? What fact do you have to prove otherwise? How does blocking entire IP ranges like other RBLs lower collateral damage?

Sincerely, Jason
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Mon, May 06, 2002 at 04:31:24PM +1000, Jason Lim wrote:

It would be useful if you backed up your point with some sort of evidence or proof.

you're the one making the claim - the onus is on YOU to *prove* that spamcop has a lower collateral damage than other RBLs.

My point is that the collateral damage is lower, due to the fact that entire IP ranges are not blocked, and hence it is useful for hosting companies and ISPs.

your theoretical point isn't worth very much, especially when practical experience directly contradicts your theory.

What is yours? What fact do you have to prove otherwise? How does blocking entire IP ranges like other RBLs lower collateral damage?

professionally run RBLs block genuine spam sources - including open relays. operations like spamcop can automatically blacklist any IP address which happens to be mentioned (or forged) in the headers of any message that any moron user forwards to the spamcop system. this kind of idiot automation results in much higher collateral damage.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 01:49, Marc Haber wrote:
On Sun, 5 May 2002 23:48:10 +1000, Jason Lim [EMAIL PROTECTED] wrote:

Hold on... IS any spam coming from t-online, gmx and web.de?

Yes. But if you want to get rid of _any_ spam, shut down your MTA. Which will yield about the same effect than using Spamcop as a German ISP.

Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?

It seems that everyone who's complaining about spamcop has not done so. Using a DNSBL without taking note of the procedures for using it (in this case informing them of the size of a big ISP that seems to get hit too easily) is not the smart thing to do...

-- If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 10:29:41AM +1000, Russell Coker wrote:

Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?

why the hell should I, or anyone else, have to go out of my way to inform some third party how large the ISP i work for is? or how much mail volume passes through the mail server. even ignoring the fact that that could be commercial in-confidence information, isn't the act of demanding that just as bad as reply with REMOVE to unsubscribe?

what happens next week when rival company spampig starts up, followed by spambusters inc, and a dozen more competitors over as many weeks. should i have to submit my details to all of them just because they want to run a business?

It seems that everyone who's complaining about spamcop has not done so. Using a DNSBL without taking note of the procedures for using it (in this case informing them of the size of a big ISP that seems to get hit too easily) is not the smart thing to do...

the people who are complaining about spamcop are NOT using it. the people complaining are those who have been adversely affected by spamcop's idiot automation.

there are many RBLs around. some good, some bad. spamcop is one of the worst. at least the other RBLs have technical criteria for being listed - i.e. running an open relay or proof of being a repeat spam source. by contrast, even forged Received: headers can get you listed in spamcop's RBL.

craig

-- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
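The forged-Received: failure mode raised in the message above, as an added example that is not part of the original thread and does not represent SpamCop's actual processing: a listing routine that harvests every address in a reported message's headers also picks up addresses the sender typed in, while one that stops at the receiving site's own stamp reports only the host that really connected. The host names, the trusted-server set and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the servers we operate, whose Received stamps we believe.
TRUSTED_BY = {"mx.ourdomain.example", "filter.ourdomain.example"}
INTERNAL_IPS = {"10.0.0.5"}   # our own filter handing mail on to our MX

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample. Only the first Received header was written by our own
# server; the two below it were supplied by the sender and may name anyone.
SAMPLE = """\
Received: from mail.bulk-sender.example (unknown [203.0.113.50])
\tby mx.ourdomain.example with SMTP; Mon, 6 May 2002 16:31:24 +1000
Received: from smtp.innocent-isp.example ([198.51.100.20])
\tby mail.bulk-sender.example; Mon, 6 May 2002 16:31:20 +1000
Received: from dialup-7.innocent-isp.example ([198.51.100.99])
\tby smtp.innocent-isp.example; Mon, 6 May 2002 16:31:18 +1000
From: offers@bulk-sender.example
To: user@ourdomain.example
Subject: constructed sample

body
"""


def naive_candidates(raw):
    """Every address mentioned in any Received header, forged or not."""
    ips = []
    for hdr in message_from_string(raw).get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return ips


def handoff_ip(raw):
    """Address of the outside host that connected to our infrastructure.

    Headers are read newest first. A stamp is believed only while its
    'by' host is ours; the first stamp not written by us ends the walk,
    because everything from there down is under the sender's control.
    """
    for hdr in message_from_string(raw).get_all("Received", []):
        by = BY_RE.search(hdr)
        if by is None or by.group(1).lower() not in TRUSTED_BY:
            return None
        peer = IP_RE.search(hdr[:by.start()])   # address in the 'from' clause
        if peer is None:
            return None
        if peer.group(1) not in INTERNAL_IPS:
            return peer.group(1)
    return None


if __name__ == "__main__":
    print("naive listing candidates:", naive_candidates(SAMPLE))
    print("boundary-aware candidate:", handoff_ip(SAMPLE))
```
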
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
> > And Spamcop does *NOT* block entire ranges of IPs like other RBLs, so it is virtually impossible for you to say that t-online, gmx and web.de are blocked. Only the spamming IPs within their ranges would be blocked, NOT the entire range.
>
> T-Online does Port 25 blocking, forcing you to use their smarthost. GMX and web.de are e-mail only services and offer SMTP-AUTH-based e-mail services. If their smarthost gets blocked, I dare to say that T-Online is blocked. I couldn't receive _any_ e-mail from _any_ T-Online user for a week, which virtually means shutting me off from Germany's largest-by-far end-user ISP.

In that case, T-Online will not have a problem, as the user's IP will be blocked, not the mail server, UNLESS T-Online has set up their mail server to hide their user's IP, which most ISPs do not do.

On the other hand, it would be weird if GMX and web.de only have 1 outgoing mail server. I assume that they, like hotmail and other freemail services, would have many multiple outgoing mail servers to handle their traffic (just for example, mail12.web.de, mail6.web.de, etc.). Then only one of the mail servers, at most, would be blocked.

And anyway, spam really shouldn't be able to come out of web-based email services. Don't they have rate-limiting or anything like that implemented? I know that even with Hotmail's service, if you set it up on Outlook Express to bypass their web-based login, that your IP *does* show up in the email sent. Your IP does not show up if you login via the web, but then, you cannot send many emails. So there is a trade-off... so web-based email providers would all probably be smart enough to implement a similar system, right?

> > Then, if GMX and these other ISPs kick out that spammer, after 1 week that IP is again clear, so it can again send email.
>
> Great. After two hours, I'd have customers complaining.

True, but I was assuming that these companies have more than one IP, and more than one mail server.

And as I said, a dialup/broadband ISP will not have a problem, as the block IP will be that of their customer, not of their mail server. A web-based freemail provider will also not have a problem, as they *should* implement rate-limiting on their outgoing mail (to stop people sending 1,000 emails/day from their account, and other silly things like that). Now, if gmx and web.de allow people to send unlimited emails from their account, and other stupid things like that, then perhaps they will be blocked. But would they be that stupid?
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
> On Tue, May 07, 2002 at 10:29:41AM +1000, Russell Coker wrote:
> > Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?
>
> why the hell should I, or anyone else, have to go out of my way to inform some third party how large the ISP i work for is? or how much mail volume passes through the mail server. even ignoring the fact that that could be commercial in-confidence information, isn't the act of demanding that just as bad as reply with REMOVE to unsubscribe?

Well, what happens when you are listed in OTHER RBLs then? In those cases, you would have an even more interesting time. Let us see:

From the BLARS RBL (http://www.blars.org/errors/block.html):
---
If you would like a site be added or removed from BlarsBL, you may hire Blars at his normal consulting rates (currently $250/hour, 2 hour minimum, $1000 deposit due in advance for non-established customers) to investigate your evidence about the site. If it is found that the entry was a mistake, no charge will be made and the entire deposit will be refunded. Send Blars email from a non-listed account to verify current rates and arrange payment.
---

From SPEWS RBL (http://www.spews.org/faq.html):
---
Q41: How does one contact SPEWS?
A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above... Note that posting messages in these newsgroups lists will not have any effect on SPEWS listings

Q42: My IP address/range is being listed by SPEWS but I'm not a spammer and I just signed up for this/these address(s). What can I do to be removed from the list?
A42: SPEWS is just an automated system, if spam or spam involvement (hosting spammers, selling spamware) from your IP address/range ceases, it will drop out of the list in time. If you wish, you can discuss SPEWS and blocklist related issues in the public forums mentioned above. A SPEWS editor or developer should see the postings and may double check the listing if you feel it is a mistake, putting the text SPEWS: in the subject can help. Will this get you removed from a SPEWS listing? No, not if there are problems with your host. In fact, the first step you need to take is to complain to your host about the listing, in almost all cases they are the only people who can get an address/range out of the SPEWS list. Do note that your addresses may be listed due to a larger spam related problem with your host, in that case they will not be removed until the problem is fixed.
---

With those services, you have to *BEG* your way out of them. At least with Spamcop, if you are listed, the admins are more than happy to work with you... instead of hiding themselves.

> what happens next week when rival company spampig starts up, followed by spambusters inc, and a dozen more competitors over as many weeks. should i have to submit my details to all of them just because they want to run a business?

Um... no... because many RBLs say that they don't care how large an ISP is (eg. Sprint), they will still block them. In Spamcop's case, it won't ban large ISPs, because if you tell them a general figure for the mail volume, it will take that into consideration.

> at least the other RBLs have technical criteria for being listed - i.e. running an open relay or proof of being a repeat spam source. by contrast, even forged Received: headers can get you listed in spamcop's RBL.

Spamcop also has clearly defined policy. Forged headers? I report spam to spamcop almost daily when I have the time, and rarely does it have a problem. You are underestimating Spamcop's ability... have you ever tried reporting spam to it, and looking at the way it analyses items? Go sign up for a free reporting account, and you will soon see what Spamcop can really do.
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 11:16:58AM +1000, Jason Lim wrote:
> > On Tue, May 07, 2002 at 10:29:41AM +1000, Russell Coker wrote:
> > > Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?
> >
> > why the hell should I, or anyone else, have to go out of my way to inform some third party how large the ISP i work for is? or how much mail volume passes through the mail server. even ignoring the fact that that could be commercial in-confidence information, isn't the act of demanding that just as bad as reply with REMOVE to unsubscribe?
>
> Well, what happens when you are listed in OTHER RBLs then? In those cases, you would have an even more interesting time. Let us see:
>
> From the BLARS RBL (http://www.blars.org/errors/block.html):

yes, you quoted this before. who gives a shit? who's even heard of BLARS RBL before? there are hundreds of crappy little RBLs around, most of them run by complete morons.

your argument seems to be that because BLARS RBL has arsehole policies, that spamcop can do whatever it likes.

> From SPEWS RBL (http://www.spews.org/faq.html):
> ---
> Q41: How does one contact SPEWS?
> A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above... Note that posting messages in these newsgroups lists will not have any effect on SPEWS listings

the fact is that SPEWS lists known spam sources. this is good. i *WANT* known spam sources to be blocked. I don't want to receive mail from known spam sources. you seem to think that there's something wrong with this.

i've been using SPEWS-enabled RBLs for over a year now, with no noticeable(*) collateral damage from them. i've been using them on my home mail server which handles about 3000-5000 messages/day. i've been using it on my main work mail server which handles over 75000 messages/day. i've been using it on several other mail servers. SPEWS does *NOT* represent a collateral damage problem.

so, for all your whining about SPEWS, there's actually no real problem. hard to believe, considering the amount of noise you've been making about it.

(*) meaning: I examine my mail logs closely every day and I haven't noticed any; and none of my users has ever complained about legitimate mail being rejected due to false positives from SPEWS.

> > what happens next week when rival company spampig starts up, followed by spambusters inc, and a dozen more competitors over as many weeks. should i have to submit my details to all of them just because they want to run a business?
>
> Um... no... because many RBLs say that they don't care how large an

you miss the point and head off on an irrelevant tangent. never mind, your tangent is easily dismissed too.

> ISP is (eg. Sprint), they will still block them. In Spamcop's case, it won't ban large ISPs, because if you tell them a general figure for the mail volume, it will take that into consideration.

why the hell should an RBL care how big an ISP is? it's not relevant - they're either part of the spam problem or they're not. size doesn't come into it.

that's one of the problems with spamcop. if a host deserves to be listed in an RBL, then it should be listed regardless of how large the ISP is. otherwise you end up with notorious spam-havens like uunet being immune to listing no matter how many pink contracts they sign, while small ISPs get listed just because some vermin spammer forged their IP address in a Received line.

> > at least the other RBLs have technical criteria for being listed - i.e. running an open relay or proof of being a repeat spam source. by contrast, even forged Received: headers can get you listed in spamcop's RBL.
>
> Spamcop also has clearly defined policy.

so? their policy is still moronic, whether it's clearly defined or not.

> Forged headers? I report spam to spamcop almost daily when I have the time, and rarely does it have a problem.

rarely is not the same as never. rarely just means that there is a fundamental flaw in their method but that nobody has decided to use spamcop to attack a third party's ability to communicate yet. it would be trivial to write a script to do so.

it's also obvious just from looking at headers in spam that spammers are definitely aware of how spamcop works and are deliberately forging IP addresses and domain names belonging to anti-spammers.

> You are underestimating Spamcop's ability...

not at all. i've seen the results of spamcop's ability.

> Go sign up for a free reporting account, and you will soon see what Spamcop can really do.

i don't want an account from spamcop. i think they are incompetent morons. all my encounters with them so far confirm that opinion.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
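The point in the message above about forged Received: lines, as an added example that is not part of the original thread: a receiving site can vouch only for the hops its own MTAs recorded, so the candidate for any lookup or report is the hand-off into its own network, and every hop below that is an unverified claim. The Postfix-style header layout, the hostnames and the documentation-range addresses are assumptions, and the sample message is constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumed layout (Postfix style): "from HELO (rdns [peer-ip]) by host ...".
# The bracketed peer IP is what the writing MTA saw on the TCP connection.
HOP_RE = re.compile(
    r"from\s+\S+\s+\([^\[\]()]*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def peer_ip(received_value):
    """Return the peer address recorded in one Received: value, or None."""
    match = HOP_RE.search(received_value)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None


def split_received_chain(raw_message, own_networks):
    """Split Received: hops into (handoff_ip, unverified_ips).

    Received: lines are prepended, so the first one was written by the MTA
    that finally accepted the message. A hop is vouched for only while every
    hop above it shows a peer inside own_networks. The first peer outside
    those networks is the hand-off into our site; everything below it was
    supplied by the sender and may be forged.
    """
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hops = message_from_string(raw_message).get_all("Received") or []
    handoff, vouched = None, 0
    for value in hops:
        ip = peer_ip(value)
        if ip is None:
            break  # unparsable: cannot vouch for this hop or any below it
        vouched += 1
        if not any(ip in net for net in nets):
            handoff = ip
            break
    below = (peer_ip(value) for value in hops[vouched:])
    unverified = [str(ip) for ip in below if ip is not None]
    return (str(handoff) if handoff is not None else None), unverified


# Constructed sample. 192.0.2.0/24 stands in for the receiving site; the
# bottom hop is a sender-supplied claim that names a third party and a
# "by" host belonging to the receiving site.
SAMPLE = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
    by store.example.net (Postfix) with ESMTP id A1;
    Tue, 7 May 2002 11:00:03 +1000
Received: from relay.sender.example (unknown [198.51.100.77])
    by mx-in.example.net (Postfix) with ESMTP id B2;
    Tue, 7 May 2002 11:00:02 +1000
Received: from mail.bystander.example (mail.bystander.example [203.0.113.5])
    by mx-in.example.net (Postfix) with SMTP id C3;
    Tue, 7 May 2002 10:59:40 +1000
From: sender@sender.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    handoff, unverified = split_received_chain(SAMPLE, ["192.0.2.0/24"])
    print("listing candidate:", handoff)
    print("unverified claims:", unverified)
```

The `by` host name is deliberately ignored when deciding trust, since it is as easy to write into a lower header as the address is; only the unbroken chain of own-network peers from the top counts.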
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, May 07, 2002 at 12:22:26PM +1000, Russell Coker wrote:
> On Tue, 7 May 2002 11:43, Craig Sanders wrote:
> > > ---
> > > Q41: How does one contact SPEWS?
> > > A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above... Note that posting messages in these newsgroups lists will not have any effect on SPEWS listings
> >
> > the fact is that SPEWS lists known spam sources. this is good. i *WANT* known spam sources to be blocked. I don't want to receive mail from known spam sources. you seem to think that there's something wrong with this.
>
> Jason has complained in the past about his IP addresses being listed in spews even though none of them has ever been used for sending spam. Simply because he lives in a country that contains lots of open relays is enough to be listed as a spammer. Is this a better policy than spamcop?

well, then, all he has to do is move to another country. problem solved, right? after all, if it's a documented policy, it must be right and he has no cause to complain... any more than anyone else has cause to complain about spamcop's documented policy.

the point here is that shit happens and mistakes are made. the solution is to do what can be done to correct them, not use it as justification for errors and/or stupidity by others.

personally, i suspect that jason is exaggerating the problem or deliberately misleading as to the cause. i use RBLs that incorporate SPEWS data, yet i'm still capable of receiving mail from china and korea and other asian eastern-european countries which are known to have huge spam open-relay problems. the only hosts that are rejected due to SPEWS are those that are confirmed open relays or spam sources. my bet is that there is some other reason for his IP address being listed in SPEWS, and rather than fix the problem he has chosen to just flame SPEWS.

> > > ISP is (eg. Sprint), they will still block them. In Spamcop's case, it won't ban large ISPs, because if you tell them a general figure for the mail volume, it will take that into consideration.
> >
> > why the hell should an RBL care how big an ISP is? it's not relevant - they're either part of the spam problem or they're not. size doesn't come into it.
>
> It is relevant. In my spare time I run two small ISPs in Melbourne. The total user-base of them both is 1000 users, logs are carefully watched, and spam incidence is almost zero. 18 months ago I was running one of Europe's larger ISPs with 500,000 users (probably comparable to the entire online population of Australia). The amount of spam reports was hugely higher as you would expect primarily because of having a larger user base.

it's still not relevant. a host is either a spam problem or not. if it is a problem, then it should be blacklisted regardless of the size of the ISP responsible for it. if it's not a problem, then it shouldn't be listed.

> Blocking one of the smaller Melbourne ISPs because of 10 different people complaining about spam in one day is reasonable. But blocking zonnet.nl for less than 500 spam reports would be totally unreasonable!

you seem to think that automatic blocking because there has been a complaint is valid. it's not. complaints mean nothing. any idiot can make a complaint, and most complaints are self-evidently made by idiots. hardly anyone who is capable of reading headers isn't going to waste their time reporting to spamcop, they're going to maintain their own filters instead, which leaves the vast majority of spamcop reporters being idiots. garbage in, garbage out.

RBLs should only list sites that are proven to be either an open relay, spam source, or other real problem. listings based on complaints should be manually checked by a human, not processed automatically with a script.

> > that's one of the problems with spamcop. if a host deserves to be listed in an RBL, then it should be listed regardless of how large the ISP is. otherwise you end up with notorious spam-havens like uunet being immune to listing no matter how many pink contracts they sign, while small ISPs get listed just because some vermin spammer forged their IP address in a Received line.
>
> Changing the weighting takes care of that.

no, it doesn't. weighting only makes a difference if you accept the basic validity of the method. the method isn't valid, it is fundamentally flawed.

> A large ISP with a bad policy on spam could have the same weighting as a small ISP with a good policy.

that's completely counterproductive. a bad (i.e. spamhaven) ISP should be blacklisted regardless of their size. good ISPs shouldn't be blacklisted.

> Let's assume that the administrators of SpamCop are not stupid!

why? that assumption contradicts all the evidence available.

> > it's also obvious just from looking at headers in spam
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Tue, 7 May 2002 10:29:41 +1000, Russell Coker [EMAIL PROTECTED] wrote:
> On Tue, 7 May 2002 01:49, Marc Haber wrote:
> > Yes. But if you want to get rid of _any_ spam, shut down your MTA. Which will yield about the same effect than using Spamcop as a German ISP.
>
> Have you sent an email to the administrators of spamcop informing them of the sizes of the ISPs in question?

Why should I? After first noticing GMX in the Spamcop BL, I have simply disabled it on my machines in its entirety. It is my firm opinion that Spamcop sucks, and I don't intend to collaborate with them. There are much better blocking lists than the one with the highest false positive rate.

Greetings
Marc

--
-- !! No courtesy copies, please !! -
Marc Haber | Questions are the | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Thu, 2 May 2002 21:47:07 +1000, Russell Coker [EMAIL PROTECTED] wrote:
> On Thu, 2 May 2002 19:58, Glenn Hocking wrote:
> > I've found that spamcop blocks email from both GE (General Electric) and Pizza Hut mail servers which clients of mine need to receive.
>
> Are the GE and Pizza Hut cases because of mis-reporting? Or have these companies spammed?

Generally, I have found the Spam Cop blocking list to be much too aggressive for being useable as a filter for an ISP. They classify spam sources by the amount of legitimate mail they receive compared to the amount of spam they receive. Naturally, an English-language organisation does not receive much legitimate e-mail from Germany, so they have found to frequently list t-online, gmx and web.de, the three largest e-mail providers for the German-speaking countries, all three of them being pure white head when it comes to spam fighting.

I wouldn't even use the Spam Cop blocking list for generating RBL-Warning-Headers.

Greetings
Marc

--
-- !! No courtesy copies, please !! -
Marc Haber | Questions are the | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
> On Thu, 2 May 2002 21:47:07 +1000, Russell Coker [EMAIL PROTECTED] wrote:
> > On Thu, 2 May 2002 19:58, Glenn Hocking wrote:
> > > I've found that spamcop blocks email from both GE (General Electric) and Pizza Hut mail servers which clients of mine need to receive.
> >
> > Are the GE and Pizza Hut cases because of mis-reporting? Or have these companies spammed?
>
> Generally, I have found the Spam Cop blocking list to be much too aggressive for being useable as a filter for an ISP. They classify spam sources by the amount of legitimate mail they receive compared to the amount of spam they receive. Naturally, an english language organisation does not receive much legitimate e-mail from Germany, so they have found to frequently list t-online, gmx and web.de, the three largest e-mail providers for the german speaking countries, all three of them being pure white head when it comes to spam fighting.

Hold on... IS any spam coming from t-online, gmx and web.de?

Also note that Spamcop blocks points of origination... that is, afaik, it blocks the actual sender's IP. Now, if your IP was 111.222.111.222 and the spammer's (which is blocked by spamcop) is 111.222.111.223, then you would still not be affected, because only the spammer's IP was blocked.

And Spamcop does *NOT* block entire ranges of IPs like other RBLs, so it is virtually impossible for you to say that t-online, gmx and web.de are blocked. Only the spamming IPs within their ranges would be blocked, NOT the entire range.

Then, if GMX and these other ISPs kick out that spammer, after 1 week that IP is again clear, so it can again send email. If the same IP repeatedly gets blocked, then the period gets longer, AFAIK.

This is why Spamcop's collateral damage is much lower than others in that it does not block entire ranges, and which is why it is suitable for an ISP or Hosting company to use.

Sincerely,
Jason
http://www.zentek-ionternational.com
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]
On Thu, 2 May 2002 19:58, Glenn Hocking wrote:
> I've found that spamcop blocks email from both GE (General Electric) and Pizza Hut mail servers which clients of mine need to receive. I've found that no matter what RBL list I use there is always legitimate mail being blocked and therefore useless for me as a global email service provider.

A large part of the reason for this is the fact that many legitimate companies also spam. Are the GE and Pizza Hut cases because of mis-reporting? Or have these companies spammed?

--
If you send email to me or to a mailing list that I use which has 4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.