Re: mitigating botnet CCs has become useless

2006-08-09 Thread Arjan Hulsebos


On Tue, 08 Aug 2006 15:10:50 -0700, Rick Wesson wrote:

Last sunday at DEFCON I explained how one consumer ISP cost American
business $29M per month because of the existence of key-logging botnets.


Maybe so, but that argument doesn't buy me more helpdesk folks. The
same holds true for the bandwidth argument, especially now that
bandwidth is dirt cheap.

On the other hand, it shouldn't be too difficult to come up with a
walled garden profile for subs that have infected PCs, basically
allowing only access to a filtering proxy, so these subs can download
their patches and antivirus updates through it.

Gr,

Arjan H


ISP wants to stop outgoing web based spam

2006-08-09 Thread Hank Nussbacher


Back in 2002 I asked if anyone had a solution to block or rate limit
outgoing web based spam. Nothing came about from that thread. I have an
ISP that *wants* to stop the outgoing spam on an automatic basis and be
a good netizen. I would have hoped that 4 years later there would be
some technical solution from some hungry startup. Perhaps I have missed
it. What I have found so far is:

Detecting Outgoing Spam and Mail Bombing
http://www.brettglass.com/spam/paper.html
SMTP based mitigation - nothing on HTTP/HTTPS

Stopping Outgoing Spam
http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
Research paper - nothing practical

Throttling Outgoing SPAM for Webmail Services
http://www.ceas.cc/papers-2005/164.pdf
Research paper - nothing practical

ISPs look inward to stop spam - Network World
http://www.networkworld.com/news/2004/071204carrispspam.html
Bottom line - no solution

So I am trying once again.  Hopefully someone has some magic dust
this time around.

Thanks,
Hank Nussbacher
http://www.interall.co.il



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Michael K. Smith - Adhost

Hello Hank:


On 8/9/06 3:28 AM, Hank Nussbacher [EMAIL PROTECTED] wrote:


 Back in 2002 I asked if anyone had a solution to block or rate limit
 outgoing web based spam. Nothing came about from that thread. I have an
 ISP that *wants* to stop the outgoing spam on an automatic basis and be
 a good netizen. I would have hoped that 4 years later there would be
 some technical solution from some hungry startup. Perhaps I have missed
 it. What I have found so far is:

 Detecting Outgoing Spam and Mail Bombing
 http://www.brettglass.com/spam/paper.html
 SMTP based mitigation - nothing on HTTP/HTTPS

 Stopping Outgoing Spam
 http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
 Research paper - nothing practical

 Throttling Outgoing SPAM for Webmail Services
 http://www.ceas.cc/papers-2005/164.pdf
 Research paper - nothing practical

 ISPs look inward to stop spam - Network World
 http://www.networkworld.com/news/2004/071204carrispspam.html
 Bottom line - no solution

 So I am trying once again. Hopefully someone has some magic dust
 this time around.

 Thanks,
 Hank Nussbacher
 http://www.interall.co.il


My answer is based on the word startup so I'm assuming no money but I
could be wrong. :-) We use the standard SpamAssassin, ClamAV setup both
on ingress and egress. On egress we set the detection levels and divert and
save anything that is marked as Spam rather than sending it on with headers
and subject modifications.

We've found this to be very effective in reducing our scores with Comcast
and AOL in particular and it's pretty much stopped our being blocked by
those services, even using a fairly loose setting for SpamAssassin. As a
service provider that forwards tons of mail to addresses on those networks
(previously un-scanned so we forwarded everything, including Spam) we've
found it essential to put these filters in place to guarantee (as much as
anyone can) service for our email customers.

Regards,

Mike







Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Jeroen Massar
On Wed, 2006-08-09 at 06:11 -0700, Michael K. Smith - Adhost wrote:
[..]
 My answer is based on the word startup so I'm assuming no money
 but I could be wrong.  :-)  We use the standard SpamAssassin, ClamAV
 setup both on ingress and egress.

Currently the trend seems to be to send images containing the advert.
Though there is an OCR plugin for SA, it doesn't seem to be very
effective as one can rotate the text by 1% or use a silly font or some
colors to easily evade it. Does anybody have a better plugin to solve that
part?

Greets,
 Jeroen





RE: ISP wants to stop outgoing web based spam

2006-08-09 Thread Jeroen Massar
On Wed, 2006-08-09 at 09:50 -0400, Mills, Charles wrote:
 I think if such a thing would exist, the verification gifs to prevent
 automated free yahoo and hotmail account signups would be defeated as
 well.

You mean Captcha (http://en.wikipedia.org/wiki/Captcha)

Which is not so much of an issue:
http://sam.zoy.org/pwntcha/

Otherwise simply set up a resource that people want to access (always the
best example on the internet: a pr0n site) and present the image there
and let them answer it for you ;)

Hmm maybe I should look into hooking pwntcha into SA.

Greets,
 Jeroen

(who now will receive another [EMAIL PROTECTED] response that it
doesn't understand multipart/signed messages; can some
nanog-list-admin remove that crappy thing?)





RE: ISP wants to stop outgoing web based spam

2006-08-09 Thread Hank Nussbacher


On Wed, 9 Aug 2006, Mills, Charles wrote:

I guess I wasn't clear enough in my first posting.  I am not interested in 
smtp (port 25 spam).  We have that covered.  I am only interested in 
blocking outgoing web based spam.  A user sits and sends out spam via 
automated tools via Hotmail, Yahoo, Gmail, or whatever Webmail system 
where they have set up thousands of throwaway users.  An antispam proxy 
(that I want to install and manage) has to be able to come between the 
user on his/her PC and the Hotmail system and scan the http posts and page 
templates for things like number of recipients and other tricks like 
keeping track of the number of http posts.  It has to maintain a list of 
known free webmail systems that are abused.


Based on my stats from Spamcop, 60% of all outgoing spam is http based 
rather than smtp based.  Others may have slightly higher or lower numbers.


So, is there any magic fu out there to solve this?

Thanks,
Hank Nussbacher
http://www.interall.co.il



Seems like all mail would have to go through the same server at that
point or at least every server would have to run the software.  Probably
not practical for an ISP if you have multiple customers with their own
mail servers?  I assume you're looking for something that would sit on
your egress point to your upstream providers?   I would think that the
Packeteer box would almost be there to do this if you could have it or a
box like it inspect all traffic destined for port 25.  Compare it
against a database of known spammers, known spam keywords, etc.?





Charles L. Mills

Senior Network Engineer

Access Data Corporation

90 Beta Drive

Pittsburgh, PA 15238

(412) 968-4024

[EMAIL PROTECTED]

http://www.accessdc.com http://www.accessdc.com/

Hosting, Colocation and Disaster Recovery





Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Matthew Black


On Wed, 09 Aug 2006 15:59:52 +0200
 Jeroen Massar [EMAIL PROTECTED] wrote:

On Wed, 2006-08-09 at 09:50 -0400, Mills, Charles wrote:

I think if such a thing would exist, the verification gifs to prevent
automated free yahoo and hotmail account signups would be defeated as
well.


You mean Captcha (http://en.wikipedia.org/wiki/Captcha)

Which is not so much of an issue:
http://sam.zoy.org/pwntcha/



Use of captchas has serious accessibility issues:
visually-impaired users will have trouble completing forms.
From a legal standpoint, this is a no-go and most definitely
not possible for any government or public-sector agency in
the United States. Several web accessibility regulations
prohibit impairments.

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca  90840-0101


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Allan Poindexter

  Michael We use the standard SpamAssassin, ClamAV setup both on
  Michael ingress and egress.  On egress we set the detection levels
  Michael and divert and save anything that is marked as Spam rather
  Michael than sending it on with headers and subject modifications.

I would let any ISP I use make this mistake once.  After that the
individuals responsible would be up on ECPA charges.



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Matthew Black


On Wed, 9 Aug 2006 18:11:47 +0300 (IDT)
 Hank Nussbacher [EMAIL PROTECTED] wrote:
[original message edited for brevity--m.black]


Based on my stats from Spamcop, 60% of all outgoing spam is http based 
rather than smtp based.  Others may have slightly higher or lower numbers.


So, is there any magic fu out there to solve this?

Thanks,
Hank Nussbacher
http://www.interall.co.il



Maybe I'm just an ignorant e-mail postmaster. I thought that
nearly all e-mail was (E)SMTP-based (LMTP excepted).

If it doesn't use the SMTP protocol, it's not reaching any
mailbox. HTTP is a web browser protocol. WebMail gets converted
by the web server and is subsequently routed using SMTP.

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca  90840-0101


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Ken Simpson

Hi Hank,

Have you had any luck combining Squid in a transparent proxy
configuration with SpamAssassin? A commercial plugin like Cloudmark
might provide better performance (since it doesn't have to evaluate
thousands of regex rules for each connection).

How to run Squid as a transparent proxy:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

I haven't figured out how to get Squid to let you run a script to scan
and modify requests that are passing through. If you can figure that
out I'd love to know!

Otherwise, you might try looking at a couple of security auditing
proxies:

http://www.parosproxy.org/functions.shtml (Java)
http://www.immunitysec.com/resources-freesoftware.shtml (Spike Proxy,
Python)

.. Or you could roll your own simple CGI script that accepts web
queries and uses LWP or another simple package to fetch the results --
scanning for spam at the same time.

Regards,
Ken Simpson
MailChannels

Hank Nussbacher [09/08/06 18:11 +0300]:
 
 On Wed, 9 Aug 2006, Mills, Charles wrote:
 
 I guess I wasn't clear enough in my first posting.  I am not interested in 
 smtp (port 25 spam).  We have that covered.  I am only interested in 
 blocking outgoing web based spam.  A user sits and sends out spam via 
 automated tools via Hotmail, Yahoo, Gmail, or whatever Webmail system 
 where they have set up thousands of throwaway users.  An antispam proxy 
 (that I want to install and manage) has to be able to come between the 
 user on his/her PC and the Hotmail system and scan the http posts and page 
 templates for things like number of recipients and other tricks like 
 keeping track of the number of http posts.  It has to maintain a list of 
 known free webmail systems that are abused.
 
 Based on my stats from Spamcop, 60% of all outgoing spam is http based 
 rather than smtp based.  Others may have slightly higher or lower numbers.
 
 So, is there any magic fu out there to solve this?

-- 
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Michael Loftis




--On August 8, 2006 4:03:36 PM +0200 Arjan Hulsebos 
[EMAIL PROTECTED] wrote:




On Sat, 5 Aug 2006 17:17:27 -0400 (EDT), Sean Donelan typed:


Railroads have the railroad police. The Post Office has postal
inspectors.  Do we want to give ISP security the power to arrest
people?


We (ISPs) already do have that power, we can disconnect misbehaving
subscribers. And in cases like this, we should keep them off the 'net
until they've cleaned up their PC.


That's a nice idea, except how?  How do you prove a user has gotten the 
malware off and patched?  And further how can they do that without internet 
access?  Hint, FWIR, it's not legal for us to distribute MS's patches to 
our subs.


So how do you propose that?  Some customers will fix themselves, some will 
just cancel and find an ISP that doesn't care they're spewing spam and worm 
traffic all the while complaining about how slow their internet service is.


I'm really seriously interested, and I'm not trying to be a flaming 
troll-bait here.  This is a *huge* problem.  You can turn off a user sure 
enough, but how do you know it's OK to let that user back on?



And besides doing that, we should educate our subs on how to properly
maintain their PC (installing and keeping up-to-date antivirus
software, patch the OS on a regular basis, you know the drill).


And how is it our responsibility to educate users?  I don't think it 
necessarily is.  However because no one else is and we're all the ones most 
hurt by it we're forced to.


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Ken Simpson

 Maybe I'm just an ignorant e-mail postmaster. I thought that
 nearly all e-mail was (E)SMTP-based (LMTP excepted).
 
 If it doesn't use the SMTP protocol, it's not reaching any
 mailbox. HTTP is a web browser protocol. WebMail gets converted
 by the web server and is subsequently routed using SMTP.

I think he's talking about blog spam, which is definitely submitted
over HTTP.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Michael Loftis




--On August 8, 2006 12:06:42 PM -0400 Sean Donelan [EMAIL PROTECTED] wrote:



On Tue, 8 Aug 2006, Arjan Hulsebos wrote:

We (ISPs) already do have that power, we can disconnect misbehaving
subscribers. And in cases like this, we should keep them off the 'net
until they've cleaned up their PC.


Botnet CCs are not naturally occurring phenomena.  Relying only on
defensive security, and not arresting the criminals, will just result
in the criminals becoming bolder and more aggressive.

In most cases ISPs are just taking action against innocent bystanders
that got hit in the cross-fire. Those bystanders aren't the cause. If you
let the criminals continue trying over and over again, you are just
training them to become better shots.  Telling your customers they should
wear bullet-proof vests whenever they go outside isn't going to stop snipers.
Arresting the sniper is going to stop the sniper.


Yup this is a social problem.  Just like there's nothing actually stopping 
any of us from beating up a guy on the street, we don't do it because it 
isn't legal, doesn't make sense, etc.  Some muggers do, the people in 
control of the SPAM problem are the muggers; the people with infected 
systems are just the ones who've been mugged.


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Gregory Kuhn


Ken Simpson wrote:

Maybe I'm just an ignorant e-mail postmaster. I thought that
nearly all e-mail was (E)SMTP-based (LMTP excepted).

If it doesn't use the SMTP protocol, it's not reaching any
mailbox. HTTP is a web browser protocol. WebMail gets converted
by the web server and is subsequently routed using SMTP.


I think he's talking about blog spam, which is definitely submitted
over HTTP.


I think that the person who started this thread is 
talking about spam coming from the wide variety of 
old, poorly written form handler scripts and other 
programs that at some point in the program talk to 
the mail program on the web server and thus allow 
an attacker to hijack said script for the purpose 
of using that script to amplify their spam message(s).


As a web hosting provider I have had to shut down 
numerous scripts on my client's websites because 
of this reason.


The question that I think is being asked here is 
how does one go about ensuring that email coming 
from a web form is actually a valid contact email 
and not a spam amplification attack.  If there are 
measures that can be taken, what are those measures?



Gregory Kuhn
Coast to Coast Hosting


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Joe Abley



On 9-Aug-2006, at 12:02, Ken Simpson wrote:




Maybe I'm just an ignorant e-mail postmaster. I thought that
nearly all e-mail was (E)SMTP-based (LMTP excepted).

If it doesn't use the SMTP protocol, it's not reaching any
mailbox. HTTP is a web browser protocol. WebMail gets converted
by the web server and is subsequently routed using SMTP.


I think he's talking about blog spam, which is definitely submitted
over HTTP.


I thought it was pretty clear that he was talking about e-mail spam  
submitted using HTTP to webmail services like hotmail, yahoo and gmail:


On 9-Aug-2006, at 11:11, Hank Nussbacher wrote:

I guess I wasn't clear enough in my first posting.  I am not  
interested in smtp (port 25 spam).  We have that covered.  I am  
only interested in blocking outgoing web based spam.  A user sits  
and sends out spam via automated tools via Hotmail, Yahoo, Gmail,  
or whatever Webmail system where they have set up thousands of  
throwaway users.


Blog spam is easily avoided by only ever using RSS and never, ever  
clicking through to read any comments :-)



Joe



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Ken Simpson

 I thought it was pretty clear that he was talking about e-mail spam  
 submitted using HTTP to webmail services like hotmail, yahoo and gmail:

I guess I'm still a little confused about the poster's original
request. It sounds like he is interested in stopping his own users
from spamming via web-based email services such as Gmail and Hotmail,
or via insecure forms. That can be accomplished hypothetically by
filtering HTTP requests and looking for spam in POSTs; although with
the proliferation of AJAX-style interfaces in these services, figuring
out which POSTs refer to a message submission is far more difficult
than it was in the good old Web 1.0 days.

Regards,
Ken

-- 
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Arjan Hulsebos


On Wed, 09 Aug 2006 10:10:21 -0600, Michael Loftis wrote:

Yup this is a social problem.  Just like there's nothing actually stopping
any of us from beating up a guy on the street, we don't do it because it
isn't legal, doesn't make sense, etc.  Some muggers do, the people in
control of the SPAM problem are the muggers; the people with infected
systems are just the ones who've been mugged.


The ones who've been mugged don't start mugging other people, infected
PCs will infect other PCs. That's the difference, and that's why an
ISP should do something about that. Although it may be out of fashion,
I'd like to see good netizenship.

Gr,

Arjan H


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Petri Helenius


Arjan Hulsebos wrote:


The ones who've been mugged don't start mugging other people, infected
PCs will infect other PCs. That's the difference, and that's why an
ISP should do something about that. Although it may be out of fashion,
I'd like to see good netizenship.

SPAM, like other types of abuse, is easiest to control closest to the 
source, which in most cases means the consumer ISP providing the local 
access for the user.


Pete



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Suresh Ramasubramanian


On 8/9/06, Gregory Kuhn [EMAIL PROTECTED] wrote:


 I think he's talking about blog spam, which is definitely submitted
 over HTTP.



Similar.   Picture this ...

1. A satellite connectivity provider, that provides connectivity to
huge swathes of West Africa, among other places.

2. West African cities like Lagos, Nigeria, that are full of
cybercafes that use this satellite connectivity, and have a huge
customer base that has a largish number of 419 scam artists who sit
around in cybercafes doing nothing except opening up free hotmail,
gmail etc accounts, and posting spam through those accounts, using the
cybercafe / satellite ISP's connectivity.

3. The cybercafe / satellite IP shows up in a Received: or
X-Originating-IP type header in the spam that results.

4. The satellite provider really needs to do something about this -
something proactive, because trying to whack cybercafe based scam
artists after the fact is just not going to work.

5. So - a spamassassin plugin to a squid or other transparent proxy,
for outbound filtering.

Something that can be rolled out at the satellite provider level, or
probably at the cybercafe level, and with an attached alert mechanism
that logs the spamming IP, and the mac address of the PC that's
sending the spam that got caught.   Something that ISPs in West Africa
that operate on wafer thin margins, and resell satellite connectivity,
can easily afford.

Oh - and something that is not the usual kind of corporation / library
type firewall [those would do this, but they'd roll over and die at
the least hint of actual production use in this kind of scenario .. as
some ISPs who deployed these in W. Africa apparently found out]

I got asked this way back in 2005, and then talked to Justin Mason of
the spamassassin project.  He was of the opinion that it could be done
but he wasn't too aware of anybody who had tried it, plus he didn't
exactly have much free time on his hands for that.

Anybody who can do it - with open source and reasonably low costs,
plus ISP grade scalability - please do let me know.  I know some people
(including govt / LE) who would be just as interested as Hank is.

-srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
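As an added example (not code from the thread, nor from SpamAssassin or Squid), here are the two checks Hank asked for, recipient count per submission and POST count per client, with the per-client alert record Suresh describes, written in Python as a filter a transparent proxy could call for each client request. The watched hostnames, the compose form field names, the sample addresses and the thresholds are all assumed placeholders.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

# Hypothetical watch-list of free webmail hosts (placeholder names, not real services).
WATCHED_WEBMAIL_HOSTS = {"webmail.example.test", "mail.example-free.test"}
# Form fields assumed to carry recipients; real compose pages use their own names.
RECIPIENT_FIELDS = ("to", "cc", "bcc")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Verdict:
    """Alert record for one request: who sent it, where, and why it was flagged."""
    client_ip: str
    host: str
    recipients: int
    posts_in_window: int
    flagged: bool
    reasons: tuple


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def count_recipients(headers: dict, body: bytes) -> int:
    """Count distinct addresses in the recipient fields of a urlencoded form body."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return 0  # multipart or JSON bodies would need their own parser
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    addresses = set()
    for field_name in RECIPIENT_FIELDS:
        for value in form.get(field_name, []):
            addresses.update(a.lower() for a in ADDRESS_RE.findall(value))
    return len(addresses)


class OutboundPostInspector:
    """Recipient-count and per-client POST-rate checks for traffic to watched hosts."""

    def __init__(self, max_recipients=20, max_posts=30, window_seconds=600):
        self.max_recipients = max_recipients
        self.max_posts = max_posts
        self.window = window_seconds
        self._history = defaultdict(deque)  # client_ip -> timestamps of recent POSTs

    def inspect(self, client_ip: str, raw: bytes, now: float) -> Verdict:
        method, _path, headers, body = parse_request(raw)
        host = headers.get("host", "").lower()
        if method != "POST" or host not in WATCHED_WEBMAIL_HOSTS:
            return Verdict(client_ip, host, 0, 0, False, ())
        history = self._history[client_ip]
        history.append(now)
        while history and now - history[0] > self.window:  # sliding window
            history.popleft()
        recipients = count_recipients(headers, body)
        reasons = []
        if recipients > self.max_recipients:
            reasons.append(f"{recipients} recipients in one submission")
        if len(history) > self.max_posts:
            reasons.append(f"{len(history)} POSTs in {self.window}s")
        return Verdict(client_ip, host, recipients, len(history),
                       bool(reasons), tuple(reasons))


def make_post(host: str, to: str, cc: str = "") -> bytes:
    """Build a constructed webmail-style compose POST for the demonstration."""
    body = urlencode({"to": to, "cc": cc, "subject": "hi", "body": "text"}).encode()
    head = (f"POST /compose HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def demo():
    """Three constructed cases: a normal message, a bulk submission, a POST burst."""
    inspector = OutboundPostInspector(max_recipients=20, max_posts=30, window_seconds=600)
    host = "webmail.example.test"
    normal = inspector.inspect("192.0.2.10", make_post(host, "a@example.org, b@example.org"), 1000.0)
    bulk = inspector.inspect("192.0.2.11",
                             make_post(host, ", ".join(f"u{i}@example.org" for i in range(25))), 1000.0)
    burst = None
    for i in range(31):  # 31 compose POSTs from one client inside a ten-minute window
        burst = inspector.inspect("192.0.2.12", make_post(host, f"x{i}@example.org"), 1000.0 + i)
    return normal, bulk, burst


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A proxy like this only sees plaintext HTTP, and as Ken notes above, telling a message submission apart from other POSTs on AJAX-style interfaces needs a per-service mapping of endpoints and field names rather than the single placeholder form used here.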


semi-IPV6 question (pls dont flame me for asking)

2006-08-09 Thread Cerebus cerebus
I put the subject that way, otherwise I think people would ignore this completely.

I actually want to know, after all the years of pain from J.F. and everything, I really believe IPv8 is workable, if it was open and done right and not handled by a spastic mental patient (notice I didn't mention any names specifically). I have "higher-ups" who read about IPv8 and demanded we implement it, thus the previous questions about finding you know who.

After reading myself though, it seems very intuitive: it can tunnel and interface with IPv4 a lot easier than IPv6 can, it's practically native, you can connect gateways, and such, and somewhere I read Lucent was actually selling IPv8 router gateways, but I haven't been able to find anything further, and now Lucent is gone, so that makes it kinda difficult.

From a real technical standpoint, looking only at the merits of the basic model, does anyone think the IPv8 concept really viable, or are people just "happy" with the idea that IPv6 is "enough" "forever"? I mean, aside from the odd posting saying "coulda had a v8" - the joke is getting rather old, the addressing size capability of IPv8 and so forth are rather appealing in some ways.

For example, we have need of creating a simulated network environment of over 320 trillion nodes (don't ask), but working this out on IPv6 seems exceedingly difficult, where IPv8 has a built-in concept of "clusters"/"galaxies" and easy IPv4 interface. Personally I think it would be easier to modify existing routers/etc to handle IPv8 than the more complex incompatibility with IPv6. Or have I got this all wrong?

Re: SORBS Contact

2006-08-09 Thread Steve Sobol

On Wed, 9 Aug 2006, Matthew Sullivan wrote:

 Sad state of affairs when ISPs are still taking money from spammers and 
 providing transit to known criminal organisations.

Hey Mat.

You aren't wrong, but that doesn't absolve you of the responsibility to 
de-list in an efficient manner when you have made a mistake, or if the 
listing is no longer accurate (i.e. if all the spammers have been kicked 
off the netblock in question.)

$DAYJOB lists spam filtering amongst the services we offer to our 
clients. I know we're using you to block IPs at the firewall, and we're 
probably also doing so at the server level. I am going to talk to my boss 
and co-workers about the impact of removing SORBS from our DNSBL list, 
because your replies lately have been snarky and completely 
unprofessional, including the reply quoted above. (Yes. It sucks that 
spammers are still spamming. So what?)

I don't know what your problem is, but you're not making things any better 
by refusing to fix listings that aren't incorrect or, in some cases, never 
were.

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.



Re: SORBS Contact

2006-08-09 Thread Steve Sobol

On Wed, 9 Aug 2006, Steve Sobol wrote:
 
 I don't know what your problem is, but you're not making things any better 
 by refusing to fix listings that aren't incorrect or, in some cases, never 
 were.

Feh.

Listings that are NO LONGER CORRECT, or in some cases, never were.

Make sure brain is running before engaging fingers. :)

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.



RE: ISP wants to stop outgoing web based spam

2006-08-09 Thread Barry Shein


I think what was being talked about was that a lot of spam now comes
as embedded images which unpack into ads for the usual stuff. It's
actually been going on for a few years but I guess as the other stuff
gets more and more effectively blocked this form becomes more salient.

Thus far I don't know of any good filter for these.

Common spam software seems to rotate or vary these slightly so it's
not as simple as comparing to one you've seen before. Since the image
formats are compressed, usually gif, tiny changes can ripple through
the entire encoding.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die    | Public Access Internet | SINCE 1989 *oo*


Re: SORBS Contact

2006-08-09 Thread Nachman Yaakov Ziskind

  I don't know what your problem is, but you're not making things any better 
  by refusing to fix listings that aren't incorrect or, in some cases, never 
  were.

IMHO, it's not about making things 'better' - we don't expect NANOG'ers
to be any more altruistic than other folk. It's about consumer
protection, as the anti-spammers always say; if $BLACKLIST does a good
job, we keep it. If it screws up too much, we go elsewhere. So Matt has
an incentive to be correct, I should think.

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread David Andersen

On Aug 9, 2006, at 2:15 PM, Barry Shein wrote:




I think what was being talked about was that a lot of spam now comes
as embedded images which unpack into ads for the usual stuff. It's
actually been going on for a few years but I guess as the other stuff
gets more and more effectively blocked this form becomes more salient.

Thus far I don't know of any good filter for these.

Common spam software seems to rotate or vary these slightly so it's
not as simple as comparing to one you've seen before. Since the image
formats are compressed, usually gif, tiny changes can ripple through
the entire encoding.


Now we'll have to throw our inbound email through an OCR.

Then the spammers will start rotating the text or changing the  
background.


So we'll write a better OCR that can see through such transformations.

At which point, the spammers will be happy, because we'll have given  
them a tool to break Captchas.


Hmmm...

(Or just reject mail with images in it. :)

  -Dave




Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Don't forget racketeering.

A person who commits crimes such as extortion, loansharking, bribery, 
and obstruction of justice in furtherance of illegal business activities.


I think most network operators have learned about the ultra-liberal 
listing activities of RBLs these days.


-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Dean Anderson wrote:
SORBS is a well-known abusive/defamatory blacklist.  In the US, that 
violates a number of state and federal laws:

1. defamation
2. illegal group boycott in violation of antitrust act
3. (usually) unauthorized blocking by ISP in violation of its
   contract with its customer, which is a violation of the
   electronic communications privacy act.
4. There are frequently state laws that apply to electronic
   communications that are even more broad.


You _can_ make the US based ISP not use SORBS. Most ISPs know better,
already.

--Dean


See also http://www.iadl.org.

--Dean

On Mon, 7 Aug 2006, Brian Boles wrote:

Can someone from SORBS contact me offlist if they are on here


On Tue, 8 Aug 2006, Stefan Hegger wrote:
We have the same problem. We are blacklisted and I filled out the webform. I 
got an email regarding ticket number and account/password to track the 
ticket. But it seems that nobody is working on it. 



There has been extensive discussion on NANAE and NANABl newsgroups on
this issue.  The bottom line:  The SORBS ticket queue is handled by a
group of unpaid volunteers, and there is quite a backlog.  


That's why there is the automatic de-listing system in place, which
requires proper host names and longer time-to-live (TTL) values in
rDNS.

Yes, it's a bit of work, but it beats waiting for someone to get around
to your ticket.

No, I'm not associated in any way with SORBS, just an interested
observer and system administrator who has had to deal with listings myself.





On Tue, 8 Aug 2006, Michael Nicks wrote:
Sad state of affairs when looney people dictate which IPs are good and 
bad.



On Tue, 8 Aug 2006, S. Ryan wrote:

Even worse if your ISP uses it and demands you ask the 'offender' to get 
'themselves' removed.





RE: SORBS Contact

2006-08-09 Thread andrew2

[EMAIL PROTECTED] wrote:
 I don't know what your problem is, but you're not making things any
 better by refusing to fix listings that aren't incorrect or, in some
 cases, never were.
 
 IMHO, it's not about making things 'better' - we don't expect
 NANOG'ers to be any more altruistic than other folk. It's
 about consumer protection, as the anti-spammers always say;
 if $BLACKLIST does a good job, we keep it. If it screws up
 too much, we go elsewhere. So Matt has an incentive to be
 correct, I should think.

I fear we're veering off topic, but the problem with the "If $BLACKLIST
does a job, we'll keep using it" axiom is that it makes the assumption
that the majority of mail admins who use blacklists as part of their
antispam arsenal are keeping close tabs on the efficacy and accuracy of
the blacklists they use.  Unfortunately I don't believe that is
generally the case.  In my experience, most use blacklists as a set and
forget kind of weapon, and the only method they use to judge the
reliability of a list is how many spams it blocks, regardless of
accuracy.  Too often you find admins that, when presented with an
example of a false-positive caused by an inaccurate blacklist, cop the
"Don't talk to me, talk to the blacklist operators" attitude.

And it isn't entirely a lazy admin problem.  There really seems to be no
*good* way to judge the relative accuracy of different blacklists.  You
can read their policies and procedures, but how do you know if they
actually follow them?  Keeping an eye on mailing lists and newsgroups
can help some, but how do you separate the net.kooks complaining about a
valid listing from people with legitimate gripes?  Especially when the
blacklist admins often come off as bigger net.kooks than their
detractors?

It winds up looking like a big catch-22 to me.  Blacklist operators
essentially punt all responsibility for incorrectly blocked emails on
the mail admins, and the mail admins punt all responsibility for
incorrect listings back at the blacklist operators.  And that leaves us
with *no one* taking responsibility, which makes me seriously question
the wisdom of using blacklists at all anymore.

Personally, I think completely automated systems with very short listing
times may be the way to go.  It removes the human element from the
listing and delisting process in order to avoid the
personality-conflict/vendetta listings that seem to poison a number of
popular blacklists.  In the long run, though, I think the spammers have
won the DNS blacklist war already and our time is better spent
developing better content filters to worry with the actual content of
the email than where it came from.

Andrew Cruse




Re: semi-IPV6 question (pls dont flame me for asking)

2006-08-09 Thread Mark Boolootian


 I have higher-ups who read about IPv8 and demanded we implement it

Did you make sure to have them read the RFC?

  http://tools.ietf.org/html/rfc1621


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Joseph S D Yao

On Wed, Aug 02, 2006 at 08:25:40AM +0200, Peter Dambier wrote:
...
 Let me try to become Gadi. First of all block port 80 (http) :)
 Next block port 53 udp (dns).
 
 Now you have got rid of amplification attacks because spoofing does
 no longer work and you have got rid of all those silly users that
 only know how to click the mouse.
...


I think it was the 1970s when I started telling people that the only
truly secure computer was the one that was unplugged and buried under
two miles of fused stone.  Of course, this conflicts with usability.
And, these days, with the all-worshipped network access.

This level of security is, of course, not the solution.  I trust that
Peter D. was being sarcastic.


On Wed, Aug 02, 2006 at 06:29:55AM +, Paul Vixie wrote:
 [EMAIL PROTECTED] (Scott Weeks) writes:
  ... I'm just saying that there has to be a better way than police-type
  actions on a global scale.  ...
 
 no, there doesn't have to be such a way.  where the stakes are in meatspace
 (pun unintended), the remediation has to be in meatspace.  cyberspace is
 just a meatspace overlay, it can only pretend to have different laws when
 nothing outside of cyberspace is at stake.  i think that the days when
 botnets were mostly used for kiddie-on-kiddie violence or even gangster-on-
 gangster violence are permanently behind us.  it's up to the real LEOs now,
 because it's on their turf now, which is to say, it's in the real world now.
 
 as was true of spam when i said this about spam ten years ago, it is true
 now of botnets that the only technical solution is gated communities.  but
 the internet's culture, which merely mirrors the biases of those who use it,
 requires the ability for children to go door to door selling girl scout
 cookies, without necessarily having the key code to every one of the doors.
 
 so the internet community has no appetite for the trappings of any technical
 solution to botnets.  the meatspace community and their LEOs absolutely *do*.


I think it was Scott Weeks who pointed out that gated communities are
for the rich, and only push the E-VIL out to the rest of the community,
who then have to board up their windows and cower.

How do we make our world less fearsome?

As Barry Shein and others mentioned, we have to make this kind of action
in general something which people are afraid to do because of its
consequences.  We also want to make it something which people are
reluctant to do, not only because it's unprofitable, but because it's
WRONG.

I may sound like a fogy when I say this [OK, maybe I am one, but so are
most of you that grew up along with me!], but it seems that in general
many folks are worrying less about what is RIGHT and WRONG, but about
what they can get away with, and what society feels permissive about.
That's a general problem.  It can be fixed only by educating folks from
the time they're born (a) to CARE about right and wrong, and (b) to
understand that messing with another's packets is as wrong as messing
with his bank account.

To make it less profitable, we have to make it harder.  That means
making sure that protection on networks is as good as possible.  I am
less adept at elaborating on that than many who have already done so.

To make sure that there are consequences, we need to work with local Law
Enforcement Organizations [for those who didn't know what LEOs were] to
get these folks punished somehow.  If that means that we have to educate
the LEOs and legislatures, then that's what it takes.

Do we need special Internet police?  I would hope not.  But perhaps we
need an educated CyberCrime division of existing LEOs.  This will not
happen tomorrow, and not at all if we don't both push and help.

And why is it up to us to do these things?  Because it's our job.  And
in some cases our vocation.  It may cost us more, or we may volunteer
more time to do some of these things.  But if the ones who know what
they are doing don't do this, then it will cost us all even more.


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: SORBS Contact

2006-08-09 Thread Albert Meyer


I think we can sufficiently indict SORBS by saying that they are a poorly 
managed email blacklist which isn't used by anyone with a clue, without putting 
on our tinfoil hats. http://www.iadl.org makes some interesting claims, but 
anyone who puts Paul Vixie in the same list of offenders with Alan Brown and 
Matt Sullivan is clueless at best. SORBS, SPEWS, etc. are a problem, but they 
aren't a criminal conspiracy, and claiming that they are isn't going to win any 
points among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html


Michael Nicks wrote:


Don't forget racketeering.

A person who commits crimes such as extortion, loansharking, bribery, 
and obstruction of justice in furtherance of illegal business activities.


I think most network operators have learned about the ultra-liberal 
listing activities of RBLs these days.


-Michael



Re: semi-IPV6 question (pls dont flame me for asking)

2006-08-09 Thread Todd Vierling


On 8/9/06, Cerebus cerebus [EMAIL PROTECTED] wrote:

I really believe IPv8 is workable,


Just Say No to crack!

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Detecting parked domains

2006-08-09 Thread Florian Weimer

* Jeremy Chadwick:

 On Wed, Aug 02, 2006 at 09:10:31PM +0200, Florian Weimer wrote:
  Has anyone come up with a quick method for detecting if a domain
  name is parked, but is not being used except displaying ads?
 
 AFAICT, the main challenge is to define what parked means in the
 context of your application.

 It seemed quite obvious to me: he's talking about domain squatting.

I've heard suggestions to treat parked domains less threatening than
other types of domain squatting.  This approach is somewhat dubious,
based on a few things we've seen.


Re: SORBS Contact

2006-08-09 Thread Andrew D Kirch


Albert Meyer wrote:


I think we can sufficiently indict SORBS by saying that they are a 
poorly managed email blacklist which isn't used by anyone with a clue, 
without putting on our tinfoil hats. http://www.iadl.org makes some 
interesting claims, but anyone who puts Paul Vixie in the same list of 
offenders with Alan Brown and Matt Sullivan is clueless at best. 
SORBS, SPEWS, etc. are a problem, but they aren't a criminal 
conspiracy, and claiming that they are isn't going to win any points 
among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html
Please parse usage of "you" and "your" as being generic and not directed 
at Albert Meyer except insomuch that I am replying to his message, thanks.
Correct me if I'm wrong but this thread started because someone acquired 
from ARIN IP Space which was previously infested with spammers.  The 
person acquiring the IP space sent multiple tickets (which annoys the 
crap out of every support list I've ever contacted) within the period of 
less than a week.  CAN-SPAM which is a poorly conceived and almost 
totally unenforced law allows spammers one week to remove users from 
their lists, and this person seems to expect instant turnaround from a 
volunteer organization.  It's unfortunate that he got tainted space from 
a RIR, and further unfortunate that it takes time to process removals, 
and further unfortunate that he is not capable of reading and following 
the directions on Matthew's website which clearly describe how to 
achieve removal from SORBS.  Calling unpaid volunteers "clueless" 
because they don't process removals instantly is in and of itself 
clueless, especially considering that 1. dozens of people are removed 
from SORBS daily and 2. this person has failed to follow the stated 
policies and procedures to be removed from SORBS. 
SORBS, SPEWS, The AHBL all operate on their own set of rules, it's up to 
the administrators of the mail servers that use our lists whether or not 
they agree with our policies.  Remember, and this is very important:  
When blacklisting there is no such thing as a false positive.  You are 
either blocked or you aren't at the determination of the administrator 
using our list.  Blacklisting is not, nor has it ever been based on 
whether your message is spam or not.  If it helps you, think of it more 
as "wanted" and "unwanted" e-mail.  By using SORBS the administrator is 
stating "I do not want e-mail from people Matthew believes are 
spammers", and only a clueless person would think to enforce their will 
on someone else's mail server.
And yes if you request removal from the AHBL and can't follow the simple 
removal instructions, you are in my mind and in my list too clueless to 
contribute e-mail to the public Internet, I therefore don't miss your 
traffic and have never had one of my users complain that they miss it 
either.


--
Andrew D Kirch  |   Abusive Hosts Blocking List  | www.ahbl.org
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org
Key fingerprint = 4106 3338 1F17 1E6F 8FB2  8DFA 1331 7E25 C406 C8D2




Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Allan Poindexter

 John Levine [EMAIL PROTECTED] writes:

  Allan I would let any ISP I use make this mistake once.  After that
  Allan the individuals responsible would be up on ECPA charges.

  John I suppose any ISP foolish enough not to disclaim ECPA
  John confidentiality gets what it deserves.

The ECPA doesn't provide any mechanism to explicitly disclaim
responsibility under it.  Even if it did such a disclaimer would
undermine any claim to anything like common carrier status for an ISP.
This would make the ISP vulnerable to such things as libel based on
users' content.  This strikes me as jumping out of the spam/virus
frying pan into the defamation fire.







Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Hank Nussbacher


On Wed, 9 Aug 2006, Ken Simpson wrote:

Typical SMTP headers of http based spam:


Received: from pmx2.montclair.edu (smtp-in.montclair.edu [130.68.1.65])
  by broadway.montclair.edu
  (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
  with ESMTP id [EMAIL PROTECTED] for
  x; Wed, 09 Aug 2006 14:42:35 -0400 (EDT)
Received: from pmx2.montclair.edu (localhost [127.0.0.1])
by localhost (Postfix) with SMTP id 032883F01   for
x;
  Wed, 09 Aug 2006 14:42:35 -0400 (EDT)
Received: from tw4.telgua.com.gt (tw3.telgua.com.gt [216.230.128.5])
by pmx2.montclair.edu (Postfix) with ESMTP id 8F6993F03 for
  x; Wed, 09 Aug 2006 14:42:35 -0400 (EDT)
Received: from intelnet.net.gt (unknown [10.160.3.1])
by tw4.telgua.com.gt (Tumbleweed MailGate) with ESMTP id
72D1748A5C673; Wed,
  09 Aug 2006 13:42:51 -0500 (CDT)
Received: from [10.160.3.30] (Forwarded-For: [xx.56.145.19])
  by messaging.telgua.com.gt (mshttpd); Wed, 09 Aug 2006 12:39:46 -0700


The key here is the bottom Received with the mshttpd.  Only once it hits 
telgua.com.gt (this is just an example of the dozens I see per day), does 
it get converted into SMTP, but the xx.56.145.19 IP is the one that gets 
listed in spam BLs.


Basically, the state of blocking outgoing spam hasn't progressed in the 
past 4 years.  Bummer.


Hank Nussbacher
http://www.interall.co.il




I thought it was pretty clear that he was talking about e-mail spam
submitted using HTTP to webmail services like hotmail, yahoo and gmail:


I guess I'm still a little confused about the poster's original
request. It sounds like he is interested in stopping his own users
from spamming via web-based email services such as Gmail and Hotmail,
or via insecure forms. That can be accomplished hypothetically by
filtering HTTP requests and looking for spam in POSTs; although with
the proliferation of AJAX-style interfaces in these services, figuring
out which POSTs refer to a message submission is far more difficult
than it was in the good old Web 1.0 days.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741

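Hank's headers show the problem from the receiving side: the relay a blocklist sees is the webmail provider's, and the only trace of the submitting user is the Forwarded-For comment on the mshttpd hop at the bottom of the chain. The following is an added example, not code from the thread or from any product named in it, of how an ISP's abuse desk can walk a Received: chain, pick out that hop, and decide whether the recorded client address is one of its own. It assumes the "(mshttpd)" tag and "Forwarded-For: [ip]" form seen in the quoted headers; the sample headers are constructed after those above, with an RFC 5737 documentation address in place of the masked xx.56.145.19 and made-up message ids, and the ISP prefix list is an assumption.

```python
"""Attribute a webmail-submitted spam back to the originating client.

Added example, not code from the thread or from any product named in it.
Assumptions: the webmail hop is recognised by the "(mshttpd)" tag and the
"Forwarded-For: [ip]" comment seen in the quoted headers; the ISP prefix
list and the sample headers are constructed (RFC 5737 documentation
addresses replace the masked xx.56.145.19).
"""
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the thread; the
# message ids are made up.
SAMPLE = """\
Received: from pmx2.montclair.edu (smtp-in.montclair.edu [130.68.1.65])
  by broadway.montclair.edu (iPlanet Messaging Server 5.2 HotFix 1.21)
  with ESMTP id <EXAMPLE-ID-1@broadway.montclair.edu> for x;
  Wed, 09 Aug 2006 14:42:35 -0400 (EDT)
Received: from tw4.telgua.com.gt (tw3.telgua.com.gt [216.230.128.5])
  by pmx2.montclair.edu (Postfix) with ESMTP id 8F6993F03 for x;
  Wed, 09 Aug 2006 14:42:35 -0400 (EDT)
Received: from intelnet.net.gt (unknown [10.160.3.1])
  by tw4.telgua.com.gt (Tumbleweed MailGate) with ESMTP id 72D1748A5C673;
  Wed, 09 Aug 2006 13:42:51 -0500 (CDT)
Received: from [10.160.3.30] (Forwarded-For: [192.0.2.19])
  by messaging.telgua.com.gt (mshttpd); Wed, 09 Aug 2006 12:39:46 -0700
Subject: constructed sample

body
"""

# Assumed ISP prefixes (documentation range); a real ISP would use its own.
OUR_PREFIXES = ["192.0.2.0/24"]

WEBMAIL_HOP = re.compile(r"\bby\s+(?P<host>\S+)\s+\(mshttpd\)", re.I)
FORWARDED_FOR = re.compile(r"Forwarded-For:\s*\[(?P<ip>[^\]]+)\]", re.I)


def received_chain(raw):
    """Return the Received: values, newest first, with folded lines joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", head)   # RFC 5322 unfolding
    return [line.split(":", 1)[1].strip()
            for line in unfolded.split("\n")
            if line.lower().startswith("received:")]


def webmail_origin(raw):
    """Find the mshttpd hop and the client address it recorded.

    Returns a dict with the webmail host, the Forwarded-For client IP and
    the hop's distance from the origin (0 = first hop), or None when the
    message did not pass through such a webmail gateway."""
    chain = received_chain(raw)
    for i, hop in enumerate(chain):
        m = WEBMAIL_HOP.search(hop)
        if not m:
            continue
        ff = FORWARDED_FOR.search(hop)
        return {
            "webmail_host": m.group("host"),
            "client_ip": ff.group("ip") if ff else None,
            "hops_from_origin": len(chain) - 1 - i,
        }
    return None


def attribute_to_customer(raw, prefixes=OUR_PREFIXES):
    """Return the client IP when it lies inside one of our prefixes, else None.

    The relay a blocklist would list here (216.230.128.5) belongs to the
    webmail provider, so the Forwarded-For address is the only evidence an
    ISP can act on for its own user."""
    origin = webmail_origin(raw)
    if not origin or not origin["client_ip"]:
        return None
    try:
        ip = ipaddress.ip_address(origin["client_ip"])
    except ValueError:      # masked or garbage address: nothing to attribute
        return None
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return str(ip) if any(ip in n for n in nets) else None


if __name__ == "__main__":
    print(webmail_origin(SAMPLE))
    print("ours:", attribute_to_customer(SAMPLE))
```

The hop-counting matters in practice: Received lines are prepended, so the webmail hop should be at or near the origin end of the chain; a "(mshttpd)" tag that appears high up in a long chain is more likely forged than real, and the ISP would want a complaint feed (or its own proxy logs) rather than this header alone before acting on a customer.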



Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Actually I think this thread progressed from someone getting dirty 
blocks, to complaining about liberal-listing-RBLs (yes SORBS is one), to 
RBLs defending themselves and their obviously broken practices. We 
should not have to jump through hoops to satisfy your requirements.


Best Regards,
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Andrew D Kirch wrote:


Albert Meyer wrote:


I think we can sufficiently indict SORBS by saying that they are a 
poorly managed email blacklist which isn't used by anyone with a clue, 
without putting on our tinfoil hats. http://www.iadl.org makes some 
interesting claims, but anyone who puts Paul Vixie in the same list of 
offenders with Alan Brown and Matt Sullivan is clueless at best. 
SORBS, SPEWS, etc. are a problem, but they aren't a criminal 
conspiracy, and claiming that they are isn't going to win any points 
among people who haven't followed the instructions at 
http://zapatopi.net/afdb/build.html
Please parse usage of "you" and "your" as being generic and not directed 
at Albert Meyer except insomuch that I am replying to his message, thanks.
Correct me if I'm wrong but this thread started because someone acquired 
from ARIN IP Space which was previously infested with spammers.  The 
person acquiring the IP space sent multiple tickets (which annoys the 
crap out of every support list I've ever contacted) within the period of 
less than a week.  CAN-SPAM which is a poorly conceived and almost 
totally unenforced law allows spammers one week to remove users from 
their lists, and this person seems to expect instant turnaround from a 
volunteer organization.  It's unfortunate that he got tainted space from 
a RIR, and further unfortunate that it takes time to process removals, 
and further unfortunate that he is not capable of reading and following 
the directions on Matthew's website which clearly describe how to 
achieve removal from SORBS.  Calling unpaid volunteers "clueless" 
because they don't process removals instantly is in and of itself 
clueless, especially considering that 1. dozens of people are removed 
from SORBS daily and 2. this person has failed to follow the stated 
policies and procedures to be removed from SORBS. SORBS, SPEWS, The AHBL 
all operate on their own set of rules, it's up to the administrators of 
the mail servers that use our lists whether or not they agree with our 
policies.  Remember, and this is very important:  When blacklisting 
there is no such thing as a false positive.  You are either blocked or 
you aren't at the determination of the administrator using our list.  
Blacklisting is not, nor has it ever been based on whether your message 
is spam or not.  If it helps you, think of it more as "wanted" and 
"unwanted" e-mail.  By using SORBS the administrator is stating "I do not 
want e-mail from people Matthew believes are spammers", and only a 
clueless person would think to enforce their will on someone else's mail 
server.
And yes if you request removal from the AHBL and can't follow the simple 
removal instructions, you are in my mind and in my list too clueless to 
contribute e-mail to the public Internet, I therefore don't miss your 
traffic and have never had one of my users complain that they miss it 
either.


--
Andrew D Kirch  |   Abusive Hosts Blocking List  | www.ahbl.org
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org
Key fingerprint = 4106 3338 1F17 1E6F 8FB2  8DFA 1331 7E25 C406 C8D2




Re: SORBS Contact

2006-08-09 Thread Laurence F. Sheldon, Jr.


Michael Nicks wrote:

Actually I think this thread progressed from someone getting dirty 
blocks, to complaining about liberal-listing-RBLs (yes SORBS is one), to 
RBLs defending themselves and their obviously broken practices. We 
should not have to jump through hoops to satisfy your requirements.


Fair enough.

End users ought not to have the functionality of email destroyed because 
originating SP's won't show due diligence in preventing abuse of the 
network.


If you don't like SORBS, don't use it.

Don't send email to anybody who does.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: SORBS Contact

2006-08-09 Thread Mikael Abrahamsson


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to 
jump through hoops to satisfy your requirements.


We were hit by the requirement to include the word "static" in our DNS 
names to satisfy requirements. It wasn't enough to just say "this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at all", 
we actually had to change all PTR records to this arbitrary standard.


Took several weeks to get delisted even after that.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
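Mikael's experience above, and the earlier description in this thread of SORBS's automatic de-listing (proper host names plus longer rDNS TTLs), both come down to a naming heuristic applied to PTR records. The following is an added example, not SORBS's or any other list's code, of what such a heuristic looks like and why an all-static /17 with generic per-address PTRs fails it until the records are renamed; the token sets, the TTL threshold and the sample records are assumptions constructed for the example, modelled only on the words the thread mentions ("static", "dsl", "dial", dhcp, "longer" TTLs).

```python
"""Classify PTR names the way a dynamic-address list heuristic might.

Added example, not any blocklist's code. The token sets and TTL threshold
are assumptions modelled on what the thread describes; the records are
constructed (RFC 5737 documentation addresses).
"""
import re

STATIC_TOKENS = {"static"}
DYNAMIC_TOKENS = {"dyn", "dynamic", "dhcp", "dial", "dialup", "ppp",
                  "pool", "dsl", "cable"}
MIN_TTL = 3600  # assumed threshold; the thread only says "longer" TTLs


def tokens(name):
    """Split a host name into lower-case label fragments."""
    return [t for t in re.split(r"[.\-_]+", name.lower().rstrip(".")) if t]


def embeds_address(ip, name):
    """True when every octet of ip appears as its own token in name
    (e.g. 192-0-2-21.example.net), the shape of a generic per-address PTR."""
    return set(ip.split(".")) <= set(tokens(name))


def classify_ptr(ip, name):
    """Naming class only: static / dynamic / generic / named."""
    toks = set(tokens(name))
    if toks & STATIC_TOKENS:
        return "static"
    if toks & DYNAMIC_TOKENS:
        return "dynamic"
    if embeds_address(ip, name):
        return "generic"
    return "named"


def auto_delistable(ip, name, ttl, min_ttl=MIN_TTL):
    """Mirror the thread's automatic de-listing rule: an explicitly static
    or descriptively named PTR with a long enough TTL passes; generic or
    dynamic-looking names fail even when the block is entirely static."""
    return classify_ptr(ip, name) in ("static", "named") and ttl >= min_ttl


# Constructed sample (ip, ptr, ttl). 192.0.2.21 is the case Mikael
# describes: a static customer whose PTR carries no "static" token.
SAMPLE_RECORDS = [
    ("192.0.2.19", "192-0-2-19.static.example.net", 86400),
    ("192.0.2.20", "dsl-192-0-2-20.example.net", 86400),
    ("192.0.2.21", "192-0-2-21.example.net", 86400),
    ("192.0.2.22", "mail.example.org", 300),
    ("192.0.2.23", "mail.example.org", 86400),
]


def audit(records):
    """Map each ip to (naming class, would the auto-delist rule accept it)."""
    return {ip: (classify_ptr(ip, name), auto_delistable(ip, name, ttl))
            for ip, name, ttl in records}


if __name__ == "__main__":
    for ip, (cls, ok) in audit(SAMPLE_RECORDS).items():
        print(f"{ip:15} {cls:8} {'pass' if ok else 'FAIL'}")
```

Running the audit over your own zone before asking for de-listing shows exactly which records the automation will reject; it also makes the thread's complaint concrete, since nothing in the heuristic can distinguish a static customer with a generic PTR from a dynamic pool.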


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Michael Nicks


I've had a situation in the past that required this same application. 
I ended up using amavisd-new with custom views for incoming and outgoing 
mail. For spam originating from inside, it was dropped completely, for 
spam originating from the outside, subject was rewritten.


Hope this helps.
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Hank Nussbacher wrote:


Back in 2002 I asked if anyone had a solution to block or rate limit
outgoing web based spam. Nothing came about from that thread. I have an
ISP that *wants* to stop the outgoing spam on an automatic basis and be
a good netizen. I would have hoped that 4 years later there would be
some technical solution from some hungry startup. Perhaps I have missed
it. What I have found so far is:

Detecting Outgoing Spam and Mail Bombing
http://www.brettglass.com/spam/paper.html
SMTP based mitigation - thing on HTTP/HTTPS

Stopping Outgoing Spam
http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
Research paper - nothing practical

Throttling Outgoing SPAM for Webmail Services
http://www.ceas.cc/papers-2005/164.pdf
Research paper - nothing practical

ISPs look inward to stop spam - Network World
http://www.networkworld.com/news/2004/071204carrispspam.html
Bottom line - no solution

So I am trying once again.  Hopefully someone has some magic dust
this time around.

Thanks,
Hank Nussbacher
http://www.interall.co.il



Re: SORBS Contact

2006-08-09 Thread Michael Nicks


Doesn't really surprise me to be frankly honest. :) The way their 
requirements are structured, they remind me a lot of a state agency.


Best Regards,
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Mikael Abrahamsson wrote:


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to 
jump through hoops to satisfy your requirements.


We were hit by the requirement to include the word "static" in our DNS 
names to satisfy requirements. It wasn't enough to just say "this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at 
all", we actually had to change all PTR records to this arbitrary 
standard.


Took several weeks to get delisted even after that.



Re: SORBS Contact

2006-08-09 Thread william(at)elan.net



On Wed, 9 Aug 2006, Mikael Abrahamsson wrote:


On Wed, 9 Aug 2006, Michael Nicks wrote:

themselves and their obviously broken practices. We should not have to jump 
through hoops to satisfy your requirements.


We were hit by the requirement to include the word "static" in our DNS names 
to satisfy requirements. It wasn't enough to just say "this /17 is only 
static IPs, one customer, one IP, no dhcp or other dynamics at all", we 
actually had to change all PTR records to this arbitrary standard.


Would people support if there was a defined and standardized way that 
providers can specify if the system with this ip address does or does
not send email? There are several proposals for this but so far ISPs
have not shown sufficient interest in implementing any one - if a
number of ISPs agree to enter some records and it catches on then
the need for 3rd party maintained lists of dynamic ip addresses
would go away.

---

Of course the root cause for all these still remains that a certain
OS vendor makes (and continues to make) bad security design choices and
this results in users of their system getting infected and being
used as spam zombies. Combined with that is that many ISPs don't
maintain good enough policies to shut down infected users quickly
or block their accounts from access to SMTP on a per-user basis.
The last is sometimes due to low margins and ISPs trying to cut cost
and it is affecting the abuse department - which is basically the one
part of the company that not only does not make any money but causes
it to lose some business...

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: mitigating botnet CCs has become useless

2006-08-09 Thread Arjan Hulsebos


On Wed, 09 Aug 2006 20:16:44 +0300, Petri Helenius wrote:

Arjan Hulsebos wrote:


The ones who've been mugged don't start mugging other people, infected
PCs will infect other PCs. That's the difference, and that's why an
ISP should do something about that. Although it may be out of fashion,
I'd like to see good netizenship.

SPAM as other types of abuse is easiest to control closest to the
source, which in most cases means the consumer ISP providing the local
access for the user.


Exactly. We, the ISPs, are the friendly (or maybe not-so-friendly at
times) neighborhood police officer. It's our network, we set the
rules, and we enforce them.

Gr,

Arjan H


Re: SORBS Contact

2006-08-09 Thread Aaron Glenn


On 8/9/06, william(at)elan.net [EMAIL PROTECTED] wrote:

---

Of course the root cause for all these still remains that a certain
OS vendor makes (and continues to make) bad security design choices and
this results in users of their system getting infected and being
used as spam zombies. Combined with that is that many ISPs don't
maintain good enough policies to shut down infected users quickly
or block their accounts from access to SMTP on a per-user basis.
The last is sometimes due to low margins and ISPs trying to cut cost
and it is affecting the abuse department - which is basically the one
part of the company that not only does not make any money but causes
it to lose some business...


That (blocking SMTP) could become illegal if some proposed net
neutrality legislation is passed.


I apologize in advance for stoking the flames


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Laurence End users ought not to have the functionality of email
  Laurence destroyed because originating SP's won't show due
  Laurence diligence in preventing abuse of the network.

This is crisis mongering of the worst sort.  Far more damage has been
done to the functionality of email by antispam kookery than has ever
been done by spammers.  I have one email address that has:

  Existed for over a decade.

  Been posted all over Usenet and the Web in unmangled form.

  Only three letters so it gets spam from the spammers that send
  copies to every possible short address.

  All blacklisting turned off because that was causing too much mail
  to go into a black hole.

In short it should be one of the worst hit addresses there is.  All I
have to do to make it manageable is run spamassassin over it.  That is
the mildest of several measures I could use to fix the spam problem.
If it became truly impossible I could always fall back to requiring an
address of the form apoindex+password and blocking all the ones
that don't match the password(s).  That would definitely fix the
problem and doesn't require any pie in the sky re-architecting of the
entire Internet to accomplish.

For almost a decade now I have listened to the antispam kooks say that
spam is going to be this vast tidal wave that will engulf us all.
Well it hasn't.  It doesn't show any sign that it ever will.  In the
meantime in order to fix something that is at most an annoyance people
in some places have instigated draconian measures that make some mail
impossible to deliver at all or *even in some case to know it wasn't
delivered*.  The antispam kooks are starting to make snail mail look
good.  It's pathetic.

The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is a manageable problem
without the self appointed censors.  Get over it and move on.


 


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Sean Donelan


On Wed, 9 Aug 2006, Hank Nussbacher wrote:
The key here is the bottom Received with the mshttpd.  Only once it hits 
telgua.com.gt (this is just an example of the dozens I see per day), does it 
get converted into SMTP, but the xx.56.145.19 IP is the one that gets listed 
in spam BLs.


Basically, the state of blocking outgoing spam hasn't progressed in the past 
4 years.  Bummer.


Shouldn't most of freemail/webmail services be doing their own outbound 
spam and virus checking now?


When the user connects to the freemail/webmail service, hopefully 
with some type of authentication, outbound messages from the
freemail/webmail's service affects the reputation of that 
service. If the scanning is done at the application layer at the 
freemail/webmail system, it has more knowledge about the application,
e.g. detecting mass forwards, mailing lists, appended signature blocks, 
etc that may not be easily detectable from the user interface. And then it
becomes the application service provider's responsibility to maintain
its effectiveness.

It's no different whether I connect to my home mail service using 
HTTP/HTTPS, MSA-AUTH, SSH, TELNET, MS-RPC Exchange, etc. If I happen
to be travelling on some random network, I still want to use the 
reputation of my home mail server not the random network I'm using.


Of course, some freemail services aren't very good about knowing their 
customer when new users sign up. Anyone can get lots of different
username accounts on some freemail services. If you believe some freemail 
services are too important to filter, some ISPs are looking at the next 
received header for their filtering.


Nevertheless, if an ISP is interested in application layer filtering and
deep protocol inspection (i.e. it may go through a proxy, so it's not 
really 'packet' inspection anymore), there are some open source and
commercial systems that could be modified to do this.  They are usually 
advertised for classified information/parental control/employer control 
systems.  For software installed on the PC itself, e.g. cybercafes, most 
major anti-virus and parental control software vendors already are 
web-mail aware, and scan incoming messages. They may be able to scan 
outgoing messages too. But I don't believe they've thought about 
using them for outbound spam filtering for web-mail.  The network
content control systems are a bit more specialized.  There are some
high-end firewalls typically bought for military gateways which claim
to be able to do full content inspection of webmail transactions.



Re: SORBS Contact

2006-08-09 Thread Noel

On Thu, 2006-08-10 at 07:39, Aaron Glenn wrote:

 That (blocking SMTP) could become illegal if some proposed net
 neutrality legislation is passed.
 

hahaha try enforcing that in other countries

also, most networks are private (not state run) therefore we have the
right to say yes/no what data enters our own network, because unless
a contract (payment) exists for the sender's ISP to receiver's ISP
to accept data off them, the sender's ISP can be told to go to hell :)


 
 I apologize in advance for stoking the flames



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is manageable problem
without the self appointed censors.  Get over it and move on.
 
  
Interesting comment - so would you consider as it is my network, that I 
should not be allowed to impose these 'draconian' methods and perhaps I 
shouldn't be allowed to censor traffic to and from my networks?  Should 
you not be allowed to censor my traffic going to your network (if any)?  
The self appointed censors are not self appointed - they produce lists 
the admins of their own networks choose what traffic to accept or deny, 
if they choose to accept or deny based on a third party it does not 
automatically make that person a self appointed censor.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Noel

On Thu, 2006-08-10 at 06:49, Mikael Abrahamsson wrote:

 
 We were hit by the requirement to include the word static in our DNS 
 names to satisfy requirements. It wasn't enough to just say this /17 is 
 only static IPs, one customer, one IP, no dhcp or other dynamics at all), 
 we actually had to change all PTR records to this arbitrary standard.
 
 Took several weeks to get delisted even after that.

We've had our moments with SORBS, Matthew is a very approachable person.
Things get sorted out pretty quickly, generally within a few days,
Matthew also has others who help him and one of them is an obnoxious
.

I do agree though, the requirement to have X TTL and 'static' or non
'dsl' 'dial' in DNS is a bit too far, I understand this is for
automation, it's the only part of SORBS I disagree with, that said we
still use them, as do many large carriers in this country, because the
use of RBL's is for one reason, to STOP the wanker, and SORBS along
with spamcop and spamhaus and njabl go a very long way to prevent 
people's privacy being invaded by those vermin






Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Paul Jakma


On Wed, 9 Aug 2006, Matthew Black wrote:

Use of captchas has serious accessibility issues: 
visually-impaired users will have trouble completing forms. From a 
legal standpoint, this is a no-go and most definitely not possible 
for any government or public-sector agency in the United States.


Ditto for at least one EU jurisdiction, and likely several more of 
them.


I can't quite remember if there already is a directive issued, but 
there definitely was/is an EU working group looking at a variety of 
equality issues.


In Ireland, captchas would likely contravene the Equal Status Act of 
2000 with respect to providing services, which applies to *all* 
persons and bodies. I believe the UK may have similar legislation in 
force (though I can't recall the name of the act).


Turing tests can /easily/ be implemented in ASCII, which is 
compatible with screen readers used by the visually impaired.


regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
I have not the slightest confidence in 'spiritual manifestations.'
-- Robert G. Ingersoll


Re: SORBS Contact

2006-08-09 Thread Aaron Glenn


On 8/9/06, Noel [EMAIL PROTECTED] wrote:

On Thu, 2006-08-10 at 07:39, Aaron Glenn wrote:

 That (blocking SMTP) could become illegal is some proposed net
 neutrality legislation is passed.


Man, I really butchered that one. I look so much smarter when I don't
post on NANOG...



hahaha try enforcing that in other countries



That has never stopped the US from making terrible policy (-:


also, most networks are private (not state run) therefore we have the
right to say yes/no what data enters our own network, because unless
a contract (payment) exists for the sender's ISP to receiver's ISP
to accept data off them, the sender's ISP can be told to go to hell :)


We're talking about owned Windows boxes on consumer/retail access
networks (cable/dsl/whathaveyou).


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Steve Sobol wrote:

On Wed, 9 Aug 2006, Matthew Sullivan wrote:

  
Sad state of affairs when ISPs are still taking money from spammers and 
providing transit to known criminal organisations.



Hey Mat.

You aren't wrong, but that doesn't absolve you of the responsibility to 
de-list in an efficient manner when you have made a mistake, or if the 
listing is no longer accurate (i.e. if all the spammers have been kicked 
off the netblock in question.)
  
If you checked with the original complainant you would find that both 
the zombie and DUHL listings are cleared.  If you knew the ticket 
numbers and where they sit in the SORBS RT Support system you would know 
that there were multiple tickets logged the oldest now being 10 days, 
the most recent being 5 days - and under published policy the earliest 
was pushed into the more recent.  You'll also note that the original 
complaint was about a single IP address as part of a /27 within a /19 
listing.


$DAYJOB lists spam filtering amongst the services we offer to our 
clients. I know we're using you to block IPs at the firewall, and we're 
probably also doing so at the server level. I am going to talk to my boss 
and co-workers about the impact of removing SORBS from our DNSBL list, 
because your replies lately have been snarky and completely 
unprofessional, including the reply quoted above. (Yes. It sucks that 
spammers are still spamming. So what?)
  
The quoted text above is intended for a few that might still be on this 
list, none of which posted to this thread.  The fact remains some ISPs 
provide transit to known criminal organisations for hijacked netblocks 
which are used for nothing but abuse (hosting trojans and viruses).  
Money talks.
I don't know what your problem is, but you're not making things any better 
by refusing to fix listings that aren't incorrect or, in some cases, never 
were.
  
Where do you get that from...?  We fix incorrect listings as soon as 
notified and with no deliberate delay.  If you are referring to listings 
like Dean Anderson's stolen netblock these are not delisted until such 
time as proof is obtained that our information is incorrect. 

We have been informed that Dean picked up that portable /16 (and 2 other 
networks - one of which was a non-portable UUNET block) when he parted 
company with OSF in 1998.  I have been contacted on a few occasions by 
Dean demanding delisting, each time I have asked for proof that he did 
not steal the netblock from the OSF's creditors (taking without 
permission even from a company folding is still stealing) - his response 
was a lot of bluster followed by the creation of the IADL.org site.  A 
few people (including myself) have attempted to contact 'The Open Group' 
who are the new owners of the old OSF organisation.  I am not aware of a 
reply that has been received from anyone other than Dean indicating that 
Dean is the legitimate owner of the said netblock.  You will also note 
that at least one of the netblocks that Dean has indicated that he was a 
legitimate owner of have been taken back and are reallocated.  To date 
no-one has backed Dean up in his assertion that he did not steal the 
netblock, all that we have seen is a short time after the listing 
suddenly Dean started providing services to 'opengroup.org' and cited 
that as proof he owns the block - considering the OpenGroup is in the UK 
now and are now unlikely to be able to prove to a court that they are 
the legitimate owners of the netblock I don't see that as reason to 
consider Dean the legitimate owner.  A verifiable document from the 
OSF/OpenGroup indicating that Dean Anderson is the legitimate owner of 
their /16 and it was transferred to him with their knowledge and 
permission is all that is required for delisting... however it seems 
Dean cannot obtain that adding weight to the view that he did indeed 
steal the netblocks.


Something to consider before replying: is this on or off topic for 
NANOG? (personally I think part of this is on topic, other parts of the 
thread are definitely off topic)


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Noel wrote:

On Thu, 2006-08-10 at 06:49, Mikael Abrahamsson wrote:

  
We were hit by the requirement to include the word static in our DNS 
names to satisfy requirements. It wasn't enough to just say this /17 is 
only static IPs, one customer, one IP, no dhcp or other dynamics at all), 
we actually had to change all PTR records to this arbitrary standard.


Took several weeks to get delisted even after that.



We've had our moments with SORBS, Matthew is a very approachable person.
Things get sorted out pretty quickly, generally within a few days,
Matthew also has others who help him and one of them is an obnoxious
.
  
I'd love to know which one...  I have had several (had being the 
operative word) and from time to time some still are.

I do agree though, the requirement to have X TTL and 'static' or non
'dsl' 'dial' in DNS is a bit too far, I understand this is for
automation,
It is for automation, but it is also so that the SORBS DUHL would become 
pointless.  If a standard format was used admins would be able to choose 
their policy by simple regexs instead of relying on third-party lists 
which cannot possibly ever be 'uptodate' just because of the number of 
changes that happen on a daily basis around the world.  This is also why 
I took the time to create:


http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

There are things in the works that will enable the most complained about 
aspects of SORBS to be fixed and to go away permanently...  The only 
thing that is delaying it is developer time...   So I will say this 
publicly - those that want to see drastic changes @ SORBS that are, or 
have access to a perl coder with SQL knowledge, and is able to spend 
20-40 hours of pure coding time writing a user interface for user 
permissions & roles in Perl contact me off list as the user interface is 
the only thing that is holding up moving to the beta stage of the SORBS2 
database.  The SORBS2 database will allow registered RIR contacts to 
update list/delist parts/all of their netblocks within SORBS as well as 
getting instant reporting of issues (by mail or by SMS (fee applicable 
for SMS)) with minimal intervention from SORBS admins - this includes 
spam and DUHL listings.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Mark Andrews

Actually there can be false positive.  ISP's
who put address blocks into dialup blocks
which have the qualification that the ISP is
also supposed to only do it if they *don't*
allow email from the block but the ISP's
policy explicitly allows email to be sent.

They have a default port 25 filter that will
be turned off on request. i.e. they allow
direct out going email on request.

The said ISP *thinks* they are doing the
right thing by listing the block when in
reality they are lying by listing the block.

Mark


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


I'll post this back to NANOG as others are likely to comment in similar ways...

Michael J Wise wrote:

On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:


This is also why I took the time to create:

http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt 



Seems like it specifies a bit TOO much detail, but.
This is why it says that it is a suggestion and indicates that the level 
of detail you choose to use is up to you, however if you adopt some of 
the more specific detail you should use the less specific detail.


i.e. if you follow it you should as a minimum specify static/dynamic.  If 
you want to add more detail like service type, that is your choice, but 
you shouldn't specify the service types (e.g. wifi) without specifying 
static/dynamic (does that make sense?).


Also it should be noted that it is a 'suggested naming scheme for 
generic records' and therefore not intended to be mandatory, further it 
says you should indicate the hostname of the machine in preference to 
generic records.


The idea being a common but extensible naming scheme for organisations 
that want to specify generic/generated records rather than go to the hassle 
of creating individual records for each customer/host.


Regards,

Mat



Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

Actually there can be false positive.  ISP's
who put address blocks into dialup blocks
which have the qualification that the ISP is
also supposed to only do it if they *don't*
allow email from the block but the ISP's
policy explicitly allows email to be sent.
  
Actually that's debatable - the SORBS DUHL is about IPs assigned to 
hosts/people/machines dynamically.  We do not list addresses where the 
ISP have sent the list explicitly saying 'these are static hosts, but 
they are not allowed to send mail' - similarly we do list hosts in the 
DUHL where the ISP has said 'these are dynamic but we allow them to send 
mail' - it's about the people using the SORBS DUHL for their purposes, 
not for helping ISPs getting around the issue of whether to use SORBS as 
a replacement to port 25 blocking.


Regards,

Mat


Re: SORBS Contact

2006-08-09 Thread Rich Kulawiec

On Wed, Aug 09, 2006 at 03:42:32PM -0600, Allan Poindexter wrote:
 Far more damage has been done to the functionality of email by antispam
 kookery than has ever been done by spammers.

That is not even good enough to be wrong.

---Rsk, with apologies to Enrico Fermi


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Paul Jakma


On Thu, 10 Aug 2006, Stefan Bethke wrote:


Do you have any links or references?


Just ask the user some basic question. E.g.:

What is 2 added to 23?: textbox

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
Being disintegrated makes me ve-ry an-gry! huff, huff


Re: SORBS Contact

2006-08-09 Thread Mark Andrews


 Mark Andrews wrote:
  Actually there can be false positive.  ISP's
  who put address blocks into dialup blocks
  which have the qualification that the ISP is
  also supposed to only do it if they *don't*
  allow email from the block but the ISP's
  policy explicitly allows email to be sent.

 Actually that's debatable - the SORBS DUHL is about IPs assigned to 
 hosts/people/machines dynamically.  We do not list addresses where the 
 ISP have sent the list explicitly saying 'these are static hosts, but 
 they are not allowed to send mail' - similarly we do list hosts in the 
 DUHL where the ISP has said 'these are dynamic but we allow them to send 
 mail' - it's about the people using the SORBS DUHL for their purposes, 
 not for helping ISPs getting around the issue of whether to use SORBS as 
 a replacement to port 25 blocking.

I wasn't thinking about SORBS.  It was a general warning to
only put blocks on lists where the usage matches the policy
of the list.

I was thinking about an Australian cable provider that doesn't
do the right thing.  I'm sure there will be other ISP's that
also fail to check the list policy before nominating the
address blocks for the lists.

In reality there shouldn't be the need for dialup lists.

Also most people don't really use the dialup lists correctly.
They really should not be an absolute blocker.  They should
also turn off dialup pattern matching tests otherwise you
are getting a double penalty for the same thing.

Mark
 
 Regards,
 
 Mat
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Rik van Riel


Allan Poindexter wrote:


The functionality of my email is still almost completely intact.  The
only time it isn't is when some antispam kook somewhere decides he
knows better than me what I want to read.  Spam is manageable problem
without the self appointed censors.  Get over it and move on.


I rather suspect that your spam problem is manageable because
other admins are using DNSBLs and are thereby putting pressure
on ISPs to boot spammers off their networks.

Even a list like SPEWS, which is used by very few people, may
motivate ISPs to clean up their network.

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it. - Brian W. Kernighan


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Mark Andrews wrote:

I wasn't thinking about SORBS.  It was a general warning to
only put blocks on lists where the usage matches the policy
of the list.
  

Ah my apologies I misinterpreted.

I was thinking about an Australian cable provider that doesn't
do the right thing.  I'm sure there will be other ISP's that
also fail to check the list policy before nominating the
address blocks for the lists.

In reality there shouldn't be the need for dialup lists.
  
You'll get nothing but agreement from me on that statement.  There 
currently is a need for the list, however there *shouldn't* be any need 
for it.


Regards,

Mat



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Suresh Ramasubramanian


On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote:

Shouldn't most of freemail/webmail services be doing their own outbound
spam and virus checking now?


Yes, Sean - they are.  But it is far, far more productive for the
source of this abuse to be choked off.  Call it the difference between
using mosquito repellant and draining a huge pool of stagnant water
just outside your home.

srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Matthew so would you consider as it is my network, that I should
  Matthew not be allowed to impose these 'draconian' methods and
  Matthew perhaps I shouldn't be allowed to censor traffic to and
  Matthew from my networks?

If you want to run a network off in the corner by yourself this is
fine.  If you have agreed to participate in the Internet you have an
obligation to deliver your traffic.

At LISA a couple of years ago a Microsoftie got up at the SPAM
symposium and told of an experiment they did where they asked their
hotmail users to identify their mail messages as spam or not.  He said
the users got it wrong some small percentage amount of the time.  I
was stunned at the arrogance and presumption in that comment.  You
can't tell from looking at the contents, source, or destination if
something is spam because none of these things can tell whether the
message was requested or is wanted by the recipient.  The recipient is
the only person who can determine these things.

There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
lost silently due to blacklists, etc. is growing thin.



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Barry Shein


I assume you were about to provide us with one great legal case
cite. Don't be shy, go right ahead.


On August 9, 2006 at 13:57 [EMAIL PROTECTED] (Allan Poindexter) wrote:
  
   John Levine [EMAIL PROTECTED] writes:
  
Allan I would let any ISP I use make this mistake once.  After that
Allan the individuals responsible would be up on ECPA charges.
  
John I suppose any ISP foolish enough not to disclaim ECPA
John confidentiality gets what it deserves.
  
  The ECPA doesn't provide any mechanism to explicitly disclaim
  responsibility under it.  Even if it did such a disclaimer would
  undermine any claim to anything like common carrier status for an ISP
  This would make the ISP vulnerable to such things as libel based on
  user's content.  This strikes me as jumping out of the spam/virus
  frying pan into the defamation fire.
  
  
  
  

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*


Re: SORBS Contact

2006-08-09 Thread Christopher L. Morrow



On Wed, 9 Aug 2006, Allan Poindexter wrote:
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

don't let some third party you have no relation to determine the 'fate' of
your email/messages? with all blacklists you run the same risk, someone
else now controls the fate of your 'service'. Unless you have some very
large hammer to beat them with it's going to cause you pain eventually,
when they decide that ${PROVIDER} is 'gone black' or whatever they call it
these days... or they just fat finger some entry.

-Chris


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Sean Donelan


On Thu, 10 Aug 2006, Suresh Ramasubramanian wrote:

On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote:

Shouldn't most of freemail/webmail services be doing their own outbound
spam and virus checking now?


Yes, Sean - they are.  But it is far, far more productive for the
source of this abuse to be choked off.  Call it the difference between
using mosquito repellant and draining a huge pool of stagnant water
just outside your home.


Do we really want ISPs to become the enforcers for every Internet 
application someone may use or abuse?  Webmail, online game cheating, blog 
complaints, auction disputes, instant message harassment, music sharing, 
online gambling, etc.


Imagining you are going to stop drug dealers by removing public pay 
phones isn't addressing the real source of the problem.


Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Allan Poindexter

  Barry I assume you were about to provide us with one great legal
  Barry case cite. Don't be shy, go right ahead.

The law is online in several places.  Feel free to go read it.


Experiences with Citrix Load Balancing products?

2006-08-09 Thread Michael Loftis


Anyone used them?  Good?  Bad?  Ugly?  I don't know a lot about their 
products but I know they're new to the market compared to some of their 
competition.  Seems they're buzzword compliant but I could care less about 
that, I'm really curious how they work in the real world.


E-mails off list and I can summarize, or we can just have it out on the 
list (I'd rather the latter, I think this is relevant).


Talking with someone in their engineering or sales group but it 
sounds like a lot of impossibly big claims in terms of concurrent 
sessions, throughput, and who's using them.



TIA


RE: SORBS Contact

2006-08-09 Thread Robert J. Hantson

So with all this talk of Blacklists...  does anyone have any suggestions
that would be helpful to curb the onslaught of email, without being an
adminidictator?

Right now, the ONLY list we are using is that which is provided through
spamcop. They seem to have a list that is dynamic and only blacklists
during periods of high reports, then takes them off the list after a
short time...

Or am I just a little naive?

Robert Hantson
Network Operations Director
QBOS, Inc - Dallas Texas
www.qbos.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Christopher L. Morrow
Sent: Wednesday, August 09, 2006 10:19 PM
To: nanog@merit.edu
Subject: Re: SORBS Contact




On Wed, 9 Aug 2006, Allan Poindexter wrote:
 moanings of the hand wringers.  In the meantime my patience with email
 lost silently due to blacklists, etc. is growing thin.

don't let some third party you have no relation to determine the 'fate'
of
your email/messages? with all blacklists you run the same risk, someone
else now controls the fate of your 'service'. Unless you have some very
large hammer to beat them with it's going to cause you pain eventually,
when they decide that ${PROVIDER} is 'gone black' or whatever they call
it
these days... or they just fat finger some entry.

-Chris


RE: SORBS Contact

2006-08-09 Thread Christopher L. Morrow


On Wed, 9 Aug 2006, Robert J. Hantson wrote:

 So with all this talk of Blacklists...  does anyone have any suggestions
 that would be helpful to curb the onslaught of email, without being an
 adminidictator?

 Right now, the ONLY list we are using is that which is provided through
 spamcop. They seem to have a list that is dynamic and only blacklists
 during periods of high reports, then takes them off the list after a
 short time...

 Or am I just a little naive?

reference comment below about 'hammer to beat with' ... spamcop you
aren't paying for that 'service' right? So what happens when someone
reports someone you do business with? or messes up a report that affects
someone you do business with? Oops! dropped your email due to a
thirdparty we let 'moderate' our email, sorry!

you COULD monitor deliveries to unused addresses in your domain and
blacklist based on that... but that's a little dicey at times as well :(

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Christopher L. Morrow
 On Wed, 9 Aug 2006, Allan Poindexter wrote:
  moanings of the hand wringers.  In the meantime my patience with email
  lost silently due to blacklists, etc. is growing thin.

 don't let some third party you have no relation to determine the 'fate'
 of
 your email/messages? with all blacklists you run the same risk, someone
 else now controls the fate of your 'service'. Unless you have some very
 large hammer to beat them with it's going to cause you pain eventually,
 when they decide that ${PROVIDER} is 'gone black' or whatever they call
 it
 these days... or they just fat finger some entry.

 -Chris



Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Suresh Ramasubramanian


On 8/10/06, Sean Donelan [EMAIL PROTECTED] wrote:

Do we really want ISPs to become the enforcers for every Internet
application someone may use or abuse?  Webmail, online game cheating, blog
complaints, auction disputes, instant message harassment, music sharing,
online gambling, etc.

Imagining you are going to stop drug dealers by removing public pay
phones isn't addressing the real source of the problem.


The MAAWG bcps, for example, state that ISPs must take responsibility
for mitigating outbound spam and abuse.

Whether the problem is bad enough for an ISP to put in automated
filtering instead of dealing with abuse reports on a case by case
basis, is a call for the ISP to make.

For example, egress filtering / bcp38, port 25 blocking, route filters
to stop martian packets and leaked routes from propagating .. or
network level filtering slammer and other worm traffic for that
matter.

srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: SORBS Contact

2006-08-09 Thread Todd Vierling


On 8/9/06, Allan Poindexter [EMAIL PROTECTED] wrote:

There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
lost silently due to blacklists, etc. is growing thin.


There are simple solutions to this.  They do work in spite of the
moanings of the few who have been mistakenly blocked.  In the meantime
my patience with email lost in the sea of spam not blocked by
blacklists, etc. is growing thin.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Derek J. Balling


On Aug 9, 2006, at 10:59 PM, Allan Poindexter wrote:

At LISA a couple of years ago a Microsoftie got up at the SPAM
symposium and told of an experiment they did where they asked their
hotmail users to identify their mail messages as spam or not.  He said
the users got it wrong some small percentage amount of the time.  I
was stunned at the arrogance and presumption in that comment.  You
can't tell from looking at the contents, source, or destination if
something is spam because none of these things can tell whether the
message was requested or is wanted by the recipient.  The recipient is
the only person who can determine these things.


I'm gonna hold up the I call bullshit card here. Recipients most  
certainly *can* get it wrong.


Things I've seen reported as spam:

- An autoresponse from [EMAIL PROTECTED] telling the user that the 
e-mail they had JUST sent to [EMAIL PROTECTED] had been accepted and was 
being fed to a human being for processing


- Receipts for online purchases the user legitimately made

... and numerous other things just like this that, whether the user  
wants to call it spam or not, certainly is not spam.


So yes, I would have to -- as much as it pains me in my heart of  
hearts -- agree with the Hotmail representative in your example.  
Users can and will get it wrong at the very least some small  
percentage of the time.


Cheers,
D

--

Derek J. Balling
Manager of Systems Administration
Vassar College
124 Raymond Ave
Box 0406 - Computer Center 217
Poughkeepsie, NY 12604
W: (845) 437-7231
C: (845) 249-9731






Re: SORBS Contact

2006-08-09 Thread Steve Atkins



On Aug 9, 2006, at 8:29 PM, Robert J. Hantson wrote:



So with all this talk of Blacklists...  does anyone have any suggestions

that would be helpful to curb the onslaught of email, without being an
adminidictator?

Right now, the ONLY list we are using is that which is provided through

spamcop. They seem to have a list that is dynamic and only blacklists
during periods of high reports, then takes them off the list after a
short time...

Or am I just a little naive?


Fairly naive. Spamcop blacklists a lot of IP addresses that send
a lot of email that isn't spam. And some that send zero spam, by
any sane definition.

That doesn't mean to say it doesn't work for you, but don't mistake
a list that'll block a mailserver for a week on the basis of one or
two unsubstantiated reports as _safe_ solely because it will only
block it for a week.

Depending on your demographics SpamCop may have an acceptable
false positive level, but it's not a list I advise most users to use as it
regularly lists sources of large amounts of non-spam (such as, for
example, mailservers used solely for closed-loop opt-in email).
Despite that, though, it's quite effective if you're prepared to accept
the false positive rate.

You may want to look at the CBL or XBL if you're interested in a
very effective IP based blacklist with a very low level of false
positives. Not zero, but really pretty low.

Pretty much all the others have levels of false positives that are
bad enough that I wouldn't use them myself, though depending
on the demographics of your recipients they may be acceptable
to you. Using them to block mail to all recipients is likely to be
problematic in most cases. Some recipients who choose to use
it? Sure. As part of a scoring system? Perhaps. Blocking across
all users? Probably a bad idea in most cases.

Cheers,
  Steve
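Three points raised in this thread fit together as one policy layer: Matthew Sullivan's observation that a generic PTR naming scheme lets admins choose policy by simple regexes, Mark Andrews' warning that a dialup list plus a dialup PTR pattern test is a double penalty for the same thing, and Steve Atkins' advice to use most lists as part of a scoring system rather than an absolute block. The following Python is an added example written for this page, not code from SORBS, the draft, or any poster; the list weights, threshold, PTR tokens and sample clients are all assumptions, and no DNS is queried (lookup results are embedded).

```python
"""Policy layer for DNSBL results: score rather than hard-block, and do not
count a dialup list and a dynamic PTR pattern twice. Added example; all
weights, tokens and sample data below are assumptions, not any list's policy."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Tokens a generic PTR naming scheme may carry. The thread mentions 'static',
# 'dsl' and 'dial'; the other tokens are assumptions for this example.
STATIC_TOKENS = frozenset({"static"})
DYNAMIC_TOKENS = frozenset({"dynamic", "dyn", "dsl", "dial", "dialup", "ppp", "cable"})

# Assumed weights: a low-false-positive list (xbl) can reject on its own,
# lists with more collateral damage (spamcop, a dialup list) only contribute.
LIST_WEIGHTS = {"xbl": 5.0, "spamcop": 2.0, "duhl": 3.0}
PTR_DYNAMIC_WEIGHT = 3.0
REJECT_THRESHOLD = 5.0


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to resolve for an IPv4 address in a DNSBL zone: octets reversed,
    then the zone, e.g. 192.0.2.10 in dnsbl.example -> 10.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_ptr(ptr: Optional[str]) -> str:
    """Classify a generic PTR name as 'static', 'dynamic' or 'unknown'.

    As the draft discussion above describes, an explicit static/dynamic label
    outranks a service-type token such as 'dsl'."""
    if not ptr:
        return "unknown"
    tokens = set(re.split(r"[.\-_]+", ptr.lower()))
    if tokens & STATIC_TOKENS:
        return "static"
    if tokens & DYNAMIC_TOKENS:
        return "dynamic"
    return "unknown"


def score_connection(hits: Iterable[str], ptr: Optional[str],
                     double_penalty: bool = False) -> Tuple[float, List[str]]:
    """Return (score, reasons) for one connecting client.

    `hits` are the DNSBL zones that already returned a listing, `ptr` is the
    client's reverse name. A dialup-list hit and a dynamic PTR pattern measure
    the same property, so the PTR pattern only counts when no dialup list
    fired, unless double_penalty is set (kept to show the difference)."""
    hits = set(hits)
    score = 0.0
    reasons = []
    for name in sorted(hits):
        weight = LIST_WEIGHTS.get(name, 1.0)
        score += weight
        reasons.append(f"{name}:+{weight:g}")
    if classify_ptr(ptr) == "dynamic":
        if double_penalty or "duhl" not in hits:
            score += PTR_DYNAMIC_WEIGHT
            reasons.append(f"ptr-dynamic:+{PTR_DYNAMIC_WEIGHT:g}")
        else:
            reasons.append("ptr-dynamic:skipped (duhl already counted)")
    return score, reasons


def decide(hits: Iterable[str], ptr: Optional[str],
           threshold: float = REJECT_THRESHOLD, double_penalty: bool = False) -> str:
    """Accept/reject decision from the score; threshold is site policy."""
    score, _ = score_connection(hits, ptr, double_penalty)
    return "reject" if score >= threshold else "accept"


# Constructed sample clients: documentation addresses and invented PTR names.
SAMPLE_CLIENTS = [
    {"ip": "192.0.2.10", "ptr": "dsl-192-0-2-10.example.net", "hits": {"duhl"}},
    {"ip": "192.0.2.11", "ptr": "static-192-0-2-11.example.net", "hits": set()},
    {"ip": "198.51.100.5", "ptr": "dyn-198-51-100-5.example.org", "hits": {"xbl", "duhl"}},
    {"ip": "203.0.113.7", "ptr": None, "hits": {"spamcop"}},
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        score, reasons = score_connection(c["hits"], c["ptr"])
        print(c["ip"], dnsbl_query_name(c["ip"], "dnsbl.example"),
              decide(c["hits"], c["ptr"]), score, reasons)
```

With these weights a dialup-list hit alone is not rejected (3.0 < 5.0), but the same client would be rejected if the PTR pattern were counted on top of it, which is exactly the double penalty the thread warns about.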




Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Todd There are simple solutions to this.  They do work in spite of
  Todd the moanings of the few who have been mistakenly blocked.

So it is OK so long as we only defame a few people and potentially
ruin their lives?

  Todd In the meantime my patience with email lost in the sea of
  Todd spam not blocked by blacklists, etc. is growing thin.

Hmm.  Let me think a minute.  Nope not buying it.  I have already
given two simple solutions that don't involve potentially dropping job
offers, wedding invitations, letters from old sweethearts, and other
such irreplaceable email.  Certainly it is impossible to guarantee all
mail gets delivered.  But to intentionally make it worse by
deliberately deleting other people's email is arrogant and immoral.

On the other side what do we have for those falsely defamed?  I
suppose we could psychically contact them to tell them their mail was
deleted.  Certainly email won't be reliable enough after these guys
are done with it.

If they worked for the post office these guys would be in jail.



Re: SORBS Contact

2006-08-09 Thread william(at)elan.net



In the way you describe it, any spam filter is bad; any spam filter
manufacturer should go to jail...

On Wed, 9 Aug 2006, Allan Poindexter wrote:


 Todd There are simple solutions to this.  They do work in spite of
 Todd the moanings of the few who have been mistakenly blocked.

So it is OK so long as we only defame a few people and potentially
ruin their lives?

 Todd In the meantime my patience with email lost in the sea of
 Todd spam not blocked by blacklists, etc. is growing thin.

Hmm.  Let me think a minute.  Nope not buying it.  I have already
given two simple solutions that don't involve potentially dropping job
offers, wedding invitations, letters from old sweethearts, and other
such irreplaceable email.  Certainly it is impossible to guarantee all
mail gets delivered.  But to intentionally make it worse by
deliberately deleting other people's email is arrogant and immoral.

On the other side what do we have for those falsely defamed?  I
suppose we could psychically contact them to tell them their mail was
deleted.  Certainly email won't be reliable enough after these guys
are done with it.

If they worked for the post office these guys would be in jail.


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  Derek I'm gonna hold up the "I call bullshit" card here. Recipients
  Derek most certainly *can* get it wrong.

Sorry I wasn't very clear.  The results in the hotmail example were
where the users said it wasn't spam but hotmail insisted it was.  It
is possible for a user to identify non-spam as spam.  But if a user
says it isn't spam then it isn't no matter how much it might look like
it might be.  I have had this happen to me personally.  Some of my
fellow admins at the time insisted some of my incoming mail was spam.
As it happened the mail (offering some telephone products) was
specifically requested.


Re: SORBS Contact

2006-08-09 Thread Matthew Sullivan


Allan Poindexter wrote:

  Matthew so would you consider as it is my network, that I should
  Matthew not be allowed to impose these 'draconian' methods and
  Matthew perhaps I shouldn't be allowed to censor traffic to and
  Matthew from my networks?

If you want to run a network off in the corner by yourself this is
fine.  If you have agreed to participate in the Internet you have an
obligation to deliver your traffic.
  
That's a very interesting statement. Here's my response: I'll deliver
your traffic if it is not abusive if you deliver my non-abusive
traffic.  My definition of 'abusive' is applied to what I will let cross
my border (either direction) - I expect you will want to do the same
with the traffic you define as abusive, and I expect you to and support
your right to do that.

There are simple solutions to this.  They do work in spite of the
moanings of the hand wringers.  In the meantime my patience with email
lost silently due to blacklists, etc. is growing thin.
  
Anyone using SORBS as I have intended and provided (and documented) 
will/should not silently discard mail.


If anyone asks how to silently discard mail I actively and vigorously
discourage the practice.*  In fact because I disagree with that even in
the case of virus infected mail I patched my postfix servers to virus
scan inline so virus infected mail can be rejected at the SMTP
transaction. RFC2821 is clear: when you have issued an ok response to the
end-of-data command you accept responsibility for the delivery of that
message and that should not fail or be lost through trivial or avoidable
reasons - I consider virus detection and spam as trivial reasons - if
you can't detect a reason for rejection at the SMTP transaction, deliver
the mail.


Regards,

Mat


* except in extreme/unusual circumstances - for example, there are 2 
email addresses that if they send mail *to* me, they will get routed to 
/dev/null regardless of content.
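The distinction Mat draws above, between rejecting during the SMTP transaction and accepting a message and then dropping it, is a protocol-level one: once the server has answered 250 to the end-of-data marker it has taken responsibility for the message, so any content decision has to be made before that reply. The following is an added illustration, not Matthew's patch nor any SORBS or Postfix code; it is a toy receive-side SMTP state machine with a constructed scanner (a marker string stands in for a virus/spam check) that answers 550 at end-of-data instead of accepting and discarding.

```python
"""Added example (not from the thread): reject at end-of-data, never after.

The server below runs a scanner over the body and answers 550 to the
end-of-data marker when it flags the message. A 5xx here leaves delivery
responsibility with the sender, who gets a bounce from their own MTA;
a 250 followed by a silent discard loses the mail without trace.
The scanner and the transcripts are constructed for the example.
"""
from typing import Callable, List, Tuple

Scanner = Callable[[str], bool]   # True when the message must be rejected


def toy_scanner(body: str) -> bool:
    """Constructed stand-in for a content scanner: flags a marker string."""
    return "X-CONSTRUCTED-MALWARE-MARKER" in body


def smtp_session(client_lines: List[str], scan: Scanner) -> List[Tuple[str, str]]:
    """Drive a minimal SMTP receive side; return (client line, server reply) pairs.

    Only the commands needed to show the point are implemented.
    """
    replies = [("", "220 mx.example.invalid ESMTP")]
    in_data = False
    body_lines: List[str] = []
    have_sender = have_rcpt = False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                body = "\n".join(body_lines)
                body_lines = []
                # Decide BEFORE answering: this reply is the last moment at
                # which the sender, not this server, owns the message.
                if scan(body):
                    replies.append((line, "550 5.7.1 Message rejected: content policy"))
                else:
                    replies.append((line, "250 2.0.0 Ok: queued"))
                have_sender = have_rcpt = False
            else:
                # Dot-unstuffing: a body line starting with ".." carries one "."
                body_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append((line, "250 mx.example.invalid"))
        elif verb == "MAIL":
            have_sender = True
            replies.append((line, "250 2.1.0 Ok"))
        elif verb == "RCPT":
            if not have_sender:
                replies.append((line, "503 5.5.1 Need MAIL first"))
            else:
                have_rcpt = True
                replies.append((line, "250 2.1.5 Ok"))
        elif verb == "DATA":
            if not have_rcpt:
                replies.append((line, "503 5.5.1 Need RCPT first"))
            else:
                in_data = True
                replies.append((line, "354 End data with <CR><LF>.<CR><LF>"))
        elif verb == "QUIT":
            replies.append((line, "221 2.0.0 Bye"))
        else:
            replies.append((line, "500 5.5.2 Command not recognized"))
    return replies


def final_data_reply(client_lines: List[str], scan: Scanner = toy_scanner) -> str:
    """The server's reply to the end-of-data marker for a transcript."""
    for cmd, reply in smtp_session(client_lines, scan):
        if cmd == ".":
            return reply
    raise ValueError("no complete DATA phase in transcript")


# Constructed client transcripts: one clean message, one the scanner flags.
CLEAN = ["EHLO client.example.invalid", "MAIL FROM:<a@example.invalid>",
         "RCPT TO:<b@example.invalid>", "DATA",
         "Subject: hello", "", "plain text", ".", "QUIT"]
FLAGGED = CLEAN[:4] + ["Subject: hi", "", "X-CONSTRUCTED-MALWARE-MARKER", ".", "QUIT"]

if __name__ == "__main__":
    for name, lines in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(f"--- {name} ---")
        for cmd, reply in smtp_session(lines, toy_scanner):
            if cmd:
                print("C:", cmd)
            print("S:", reply)
```

The flagged transcript ends its DATA phase with a 550 rather than a 250, which is the whole difference: the sending MTA sees the failure and generates the bounce, so nothing is lost silently. A real deployment does the scan inline at exactly this point, as the post describes.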


Re: SORBS Contact

2006-08-09 Thread Todd Vierling


On 8/10/06, Allan Poindexter [EMAIL PROTECTED] wrote:

  Todd There are simple solutions to this.  They do work in spite of
  Todd the moanings of the few who have been mistakenly blocked.

So it is OK so long as we only defame a few people and potentially
ruin their lives?


That's quite a stretch there, bub.  "Defame" means that it is somehow
misrepresented as true, factual information.  Publicly accessible (and
non-mandatory) blacklists are opinions, not portrayed as fact by any
stretch of the imagination.


  Todd In the meantime my patience with email lost in the sea of
  Todd spam not blocked by blacklists, etc. is growing thin.

Hmm.  Let me think a minute.  Nope not buying it.


If your inbound mail isn't at least 30% spam (or blocked spam
attempts) these days, then you haven't been using the Internet long
enough.  I have better things to do than pass that 30% of mail
traffic.  The spam can FOAD as far as I care, and if there is a
problem of a mistake with something improperly blocked, it is fixable
(and takes a lot less maintenance time than dealing with the spam
tsunami).

Sorry, but those of us who have actually done this sort of thing for a
living for a while know quite well why not every network can implement
bayes-ish "Report Spam" button schemes (which are inaccurate anyhow,
as you've pointed out), nor simply present all actual spam to the
users (who would be flooded with well more than 30% in some cases --
there are in-use mailboxes on systems I've managed that would be above
99% spam if the spew weren't blocked at the gate).

It's either lack of industry experience on your part, or you're yet
another troll for a list renter or bulker -- which is it?  Based on
earlier statements of yours, I would give you the benefit of the doubt
and assume the former.  However, you just had to pull out the "defame"
word in a completely invalid grammatical and legal context, so I'm
starting to hedge bets on the latter.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: SORBS Contact

2006-08-09 Thread Allan Poindexter

  william In the way you describe it any spam filter is bad any spam
  william filter manufacturer should go to jail...

Manufacturer?  No.  It is perfectly permissible for a recipient to run
a filter over his own mail if he wishes.  

Jail?  Not what I said.  I said postal workers couldn't get away with
this behavior.  The laws governing email are different.  BUT:

They aren't as different as is generally believed.  Go read the
ECPA sometime.

Being legal isn't the same thing as being moral.  The world would
be a better place if people started worrying about doing what is
right rather than only avoiding what will get them in jail.

If I seem testy about this it is because I am.  A friend of mine with
cancer died recently.  I learned later she sent me email before she
died.  It did not reach me because some arrogant fool thought he knew
better than me what I wanted to read.  And it isn't the first time or
the only sender with which I have had this problem.  I have had plenty
of users with the same complaint as well.

I have in the past considered this antispam stuff ill advised or
something I oppose.  Expect me to fight it tooth and nail from now
on.


Question for the List Maintainers -- (Re: SORBS Contact)

2006-08-09 Thread Steve Sobol

Matthew Sullivan wrote:

 If you checked with the original complainant you would find that both
 the zombie and DUHL listings are cleared.  If you knew the ticket
 numbers and where they sit in the SORBS RT Support system you would know
 that there were multiple tickets logged the oldest now being 10 days,
 the most recent being 5 days - and under published policy the earliest
 was pushed into the more recent.  You'll also note that the original
 complaint was about a single IP address as part of a /27 within a /19
 listing.

OK. I have no problem with that. I want you to understand that my observation
comes from seeing *many* people complain about a lack of response. If it was
just a couple, that'd be a horse of another color.

And frankly, it's not like you try to hide. You're a public figure here and
on several other discussion forums. So I don't think it's unreasonable to
assume that if people are having trouble reaching SORBS, it's not because the
contacts aren't published. In fact, I've seen a number of complaints that
people *have* contacted SORBS and have failed to get a response.

 The quoted text above is intended for a few that might still be on this
 list, none of which posted to this thread.  The fact remains some ISPs
 provide transit to known criminal organisations for hijacked netblocks
 which are used for nothing but abuse (hosting trojans and viruses).

I'm not arguing that fact. Whether or not it was an appropriate response is
another matter.

 I don't know what your problem is, but you're not making things any
 better by refusing to fix listings that aren't incorrect or, in some
 cases, never were.
   
 Where do you get that from...?  We fix incorrect listings as soon as
 notified and with no deliberate delay.  If you are referring to listings
 like Dean Anderson's stolen netblock these are not delisted until such
 time as proof is obtained that our information is incorrect.

Perhaps "refusal" is not the proper word, and I apologize for using it. It
does imply intent. "Failure" may be a more accurate description.

 permission even from a company folding is still stealing) - his response
 was a lot of bluster followed by the creation of the IADL.org site. 

Yup, I know. I'm there too. I am one of Dean's most vocal detractors.

 Something to consider before replying: is this on or off topic for
 NANOG? (personally I think part of this is on topic, other parts of the
 thread are definitely off topic)

It has been agreed that spam is offtopic, although the issue of hijacked
netblocks certainly isn't. So I probably should have replied to you off-list
(apologies to everyone else for lowering the S:N ratio).

I don't know what the official word is on whether DNSBL operations in general
are on-topic for this list. I would appreciate if the people in charge of
deciding such things could tell me whether DNSBLs are on-topic or not...

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.


Re: SORBS Contact

2006-08-09 Thread Dave Pooser

 Sorry I wasn't very clear.  The results in the hotmail example were
 where the users said it wasn't spam but hotmail insisted it was.  It
 is possible for a user to indentify non-spam as spam.  But if a user
 says it isn't spam then it isn't no matter how much it might look like
 it might be. 

Phishing spam leaps immediately to mind as a counterexample; the fact that
the user mistakes it for legit mail is exactly the problem.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media  http://www.alfordmedia.com




Re: ISP wants to stop outgoing web based spam

2006-08-09 Thread Sean Donelan


On Thu, 10 Aug 2006, Suresh Ramasubramanian wrote:

The MAAWG bcps, for example, state that ISPs must take responsibility
for mitigating outbound spam and abuse.


The RIAA, for example, states that ISPs must take responsibility for
mitigating copyright infringement by its users.

Lots of groups state that ISPs must take responsibility for lots of 
things.


Abuse is a very open ended term. There is a difference between enforcing
network/service rules such as preventing address forgeries, and being
responsible for abuse or disputes between users.


Is the ISP responsible for mitigating all types of user abuse?  Or only
some types of abuse by users?  For example, are ISPs responsible for
mitigating libel, slander, defamation, harassment, theft, counterfeiting,
gambling, intolerance, public morals, etc?


People shouldn't confuse ISPs with law enforcement or courts. ISPs are
responsible for enforcing network standards and its contracts.  ISPs are
not responsible for solving the world's problems.  If the RIAA has a
dispute concerning copyright infringement with a user, the RIAA sues
the user to stop the user.  ISPs aren't expected, yet, to scan users'
traffic to prevent copyright abuse.


If you don't care which mosquitoes you kill, you could drain the swamp
by cutting off the entire country of Nigeria.  But the reality is all
the criminals aren't limited to one place.  Almost none of the criminals
would even notice.  But you will probably harm a lot of innocent Nigerians
by doing that; and the smarter criminals will just migrate to new
pastures and keep attacking you.  Unlike mosquitoes, criminals aren't
limited to breeding in only certain areas.

The source isn't the ISP, the source is the criminal.  If you can figure
out a way to permanently ban criminals from every ISP in the world other
than putting them in jail, you might have a shot with BCPs for ISPs.
But even if there was only one ISP remaining in the world, with a single
unified user database, I suspect criminals would still use their skills
such as identity theft and fraud to get on the net.

The goal needs to be arresting the bad guys.  The problem isn't the ISP,
it's the criminal.  Bad packets rarely spontaneously occur on the net.
Every exploit, every virus, every worm, every phishing mail started with a
person. Letting the bad guys go free is just teaching the criminals how
to improve their skills.