Re: DDoS Question
> > RBLs are only effective against perhaps 50% of spam traffic, because so much of it comes from never-seen-before zombies.
>
> I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which includes the PBL for blocking home computers, infected or not.

Sorry, should have added, Your Results May Vary :)
Re: DDoS Question
> They randomize the name on the subject line. Is this any particular virus/malware/zombie signature and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)? This happened right around the time I started securing the name server infrastructure with BIND upgrades and recursor/authoritative NS splitting. :-)

RBLs are only effective against perhaps 50% of spam traffic, because so much of it comes from never-seen-before zombies.

What appliances are you running? You might want to look at some kind of edge email traffic shaping layer.

Regards,
Ken

--
Ken Simpson
CEO, MailChannels
Fax: +1 604 677 6320
Web: http://mailchannels.com
MailChannels - Reliable Email Delivery (tm)
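As an added example (not code from the thread or from MailChannels), here is what consulting the Spamhaus ZEN list discussed in these two messages looks like on the receiving MTA: the query name is built by reversing the client's IPv4 octets under zen.spamhaus.org, and the A record returned encodes which sub-list matched (127.0.0.2-3 SBL, 127.0.0.4-7 XBL for exploited hosts, 127.0.0.10-11 PBL for end-user space). The 127.255.255.x answers are Spamhaus error codes (query via an open resolver, query limit exceeded), not listings, and a practitioner wants those to fail open rather than block all mail. The resolver is injected and backed by a constructed answer table so the block runs offline; the sample client addresses are documentation ranges and the accept/reject policy is an assumption.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Address space that is never looked up: RFC 1918 and loopback. Querying it is
# wasted resolver traffic, and 127/8 would hit the test entry most lists keep.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Query name for an IPv4 client: octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen(answers: List[str]) -> Tuple[Set[str], bool]:
    """Map the A records returned for a ZEN query to sub-list names.

    Returns (sub-lists that matched, error flag). 127.255.255.x answers are
    Spamhaus error codes (open resolver, query limit exceeded), not listings,
    so they set the error flag instead of a list name.
    """
    lists: Set[str] = set()
    error = False
    for answer in answers:
        octets = [int(o) for o in answer.split(".")]
        if octets[:3] == [127, 255, 255]:
            error = True
            continue
        if octets[:3] != [127, 0, 0]:
            error = True  # not a ZEN code at all: zone expired or wildcarded
            continue
        code = octets[3]
        if code in (2, 3):
            lists.add("SBL")
        elif 4 <= code <= 7:
            lists.add("XBL")
        elif code in (10, 11):
            lists.add("PBL")
        else:
            lists.add("UNKNOWN-%d" % code)
    return lists, error


def check_client(ip: str, resolve: Callable[[str], List[str]]) -> Tuple[str, str]:
    """Decide what to do with an inbound SMTP client at connect time.

    resolve(name) returns the A records for name, [] for NXDOMAIN (not listed).
    Returns (action, reason); action is "accept" or "reject".
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return "accept", "local address, not checked"
    lists, error = classify_zen(resolve(dnsbl_name(ip)))
    if error and not lists:
        # Fail open and log it: a dead or rate-limited list must not stop all mail.
        return "accept", "dnsbl error, fail open"
    hard = lists & {"SBL", "XBL"}
    if hard:
        return "reject", "550 5.7.1 Client host listed in " + "/".join(sorted(hard))
    if "PBL" in lists:
        # PBL is end-user/dynamic space whose mail should leave via the ISP's
        # smarthost, so on an MX a direct connection from it is refused.
        return "reject", "550 5.7.1 Dynamic address space (PBL), use your provider's mail server"
    if lists:
        return "accept", "unrecognised ZEN code(s), logged: " + ",".join(sorted(lists))
    return "accept", "not listed"


# Constructed answer table standing in for DNS (example data only).
FAKE_DNS: Dict[str, List[str]] = {
    dnsbl_name("203.0.113.5"): ["127.0.0.4"],          # infected host: XBL
    dnsbl_name("198.51.100.7"): ["127.0.0.11"],        # home DSL line: PBL
    dnsbl_name("203.0.113.200"): ["127.255.255.255"],  # query limit exceeded
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1", "203.0.113.200", "10.1.2.3"):
        print(ip, check_client(ip, fake_resolve))
```

In production the `resolve` callable would be a real DNS lookup with a short timeout; the error-code branch matters because an XBL or PBL hit is worth a hard reject only while the list itself is answering normally.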
Re: Using Mobile Phone email addys for monitoring
> It takes ~ 7 minutes from the time Nagios sends an email sms to ATT to the time it hits my phone. I'm using @mobile.mycingular.com because mmode.com stopped working (which results in at least two txt pages vs. the one I was used to). Is SMTP to a mobile phone a fundamentally flawed way to do this? I'm beginning to think it is!

It's more effective to spend the money on SMS messages. Mobile providers are forced to use very aggressive anti spam measures, which can add significant delays in message delivery.

Regards,
Ken

--
Ken Simpson
CEO, MailChannels
Fax: +1 604 677 6320
Web: http://mailchannels.com
MailChannels - Reliable Email Delivery (tm)
Re: Blocking mail from bad places
James R. Cutler [05/04/07 16:30 -0400]:
> Todd makes my point exactly. As he notes, the rejection message tells me that the message was rejected by some system. It does not tell me why it was rejected. Thus, just like this message, it adds more to the noise to signal ratio!

Has anyone ever thought of standardizing the 500-responses from the DATA phase? For instance, maybe 571 could always mean rejected because of the spam filter. If there was a standard for these response codes then maybe clients like Microsoft Outlook could do something useful with the error message.

Regards,
Ken

> At 4/5/2007 12:28 PM -0700, todd glassey wrote:
>
> ----- Original Message -----
> From: James R. Cutler [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, April 05, 2007 12:08 PM
> Subject: Re: Blocking mail from bad places
>
> At 4/5/2007 08:38 AM -0700, Thomas Leavitt wrote:
> One problem with the bounce solution is that <snip/>
> ==
> So, I (Cutler) add:
> And, even the best-intentioned bounce messages often give lots of data, but no information, thus increasing the noise to signal ratio. For example, Paul most likely knows what the following means to him. To me it just means I can't send mail to Paul.
>
> Except that this message tells you why you can't send mail to Paul - because Paul's system refused it, not because Paul's system didn't exist or that Paul's address was bad.
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
>
> [EMAIL PROTECTED]
> SMTP error from remote mailer after RCPT TO:[EMAIL PROTECTED]:
> host sa.vix.com [204.152.187.1]: 553 5.7.1 Service unavailable; Client host [209.86.89.61] blocked using reject-all.vix.com; created / reason
>
> -- This is a copy of the message, including all the headers. --
>
> - James R. Cutler [EMAIL PROTECTED]

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
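An added example, not part of the thread. The reply quoted in this message already carries a machine-readable reason: "553 5.7.1 ..." is a basic SMTP reply code followed by an RFC 3463 enhanced status code, where the middle digit 7 is the security/policy subject and 5.7.1 means delivery not authorised, message refused; the free text "blocked using <zone>" is the wording Postfix uses for reject_rbl_client. The parser below pulls all three pieces out of a reply line, discards an enhanced code whose class digit disagrees with the basic code (a buggy MTA), and maps the result to the one decision a queue runner or mail client needs. The sa.vix.com line is the one quoted above; the other two sample replies are constructed.

```python
import re
from typing import NamedTuple, Optional

# "553 5.7.1 text" or the multi-line form "553-5.7.1 text"; the enhanced
# status code is optional because plenty of MTAs still omit it.
REPLY_RE = re.compile(
    r"^(?P<code>[2-5]\d\d)[ -]?"
    r"(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})(?:\s+|$))?"
    r"(?P<text>.*)$"
)
# Free-text convention "blocked using <zone>" (Postfix reject_rbl_client wording).
DNSBL_RE = re.compile(r"\bblocked using (?P<zone>[A-Za-z0-9.-]+)", re.IGNORECASE)

# RFC 3463 subject codes (the middle number of x.y.z).
SUBJECTS = {
    0: "other", 1: "addressing", 2: "mailbox", 3: "mail system",
    4: "network/routing", 5: "protocol", 6: "content/media", 7: "security/policy",
}


class SmtpReply(NamedTuple):
    code: int                 # basic reply code, e.g. 553
    enhanced: Optional[str]   # enhanced status code, e.g. "5.7.1", or None
    text: str                 # remaining human-readable text
    dnsbl_zone: Optional[str]  # DNSBL named in the text, if any


def parse_reply(line: str) -> SmtpReply:
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError("not an SMTP reply line: %r" % line)
    code = int(m.group("code"))
    esc = m.group("esc")
    if esc and esc[0] != str(code)[0]:
        # RFC 3463: the class digit must match the reply's first digit.
        # A mismatch means a buggy MTA; trust the basic code and drop the esc.
        esc = None
    zone = DNSBL_RE.search(m.group("text"))
    return SmtpReply(code, esc, m.group("text"), zone.group("zone") if zone else None)


def classify(reply: SmtpReply) -> str:
    """Turn the parsed reply into the decision a queue runner or a client needs:
    retry (4xx), bounce with a reason the sender can act on, or escalate
    (permanent but unexplained, so a human has to look)."""
    klass = reply.code // 100
    if klass == 4:
        return "retry"
    if klass != 5:
        return "ok"
    if reply.enhanced:
        subject = int(reply.enhanced.split(".")[1])
        if subject == 7 and reply.dnsbl_zone:
            return "bounce: policy rejection, client listed in " + reply.dnsbl_zone
        return "bounce: %s (%s)" % (SUBJECTS.get(subject, "unknown"), reply.enhanced)
    return "escalate: permanent failure with no enhanced code: " + reply.text


# The reply quoted in the message above, plus two constructed samples.
VIX_REPLY = ("553 5.7.1 Service unavailable; Client host [209.86.89.61] "
             "blocked using reject-all.vix.com; created / reason")
SAMPLES = [
    VIX_REPLY,
    "450 4.7.1 Greylisted, please try again later",  # constructed
    "550 No such user here",                          # constructed, no esc
]

if __name__ == "__main__":
    for sample in SAMPLES:
        reply = parse_reply(sample)
        print(reply.code, reply.enhanced, reply.dnsbl_zone, "->", classify(reply))
```

The point for the receiving side is the mirror image: emit the enhanced code and name the list in every policy rejection, because that is what lets the sender's software, not just the sender, tell a blocklist hit from a bad address.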
Re: Blocking mail from bad places
> Some of it is quite sophisticated: full blown instant profiles with fake comments ... the smarter spammers actually make the profile look real (often lifting material from legit user profiles), and then just ...

At the MIT Spam Conference, I was talking to MySpace's anti spam researcher. He said that they see many profiles that look totally legit and which have been carefully nurtured for more than six months -- and then the formerly legit profile suddenly becomes the drop site for a Phishing campaign or other spam repository.

Captchas apparently help quite a bit to stem this kind of problem because they install a technical barrier that, while not impossible to break through programmatically, at least delays things a bit and reduces the ROI for the spammer.

Regards,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Re: Blocking mail from bad places
> 1) You send bounces from spammers to innocent people, whose addresses have been forged.

This is an SMTP reject, not a bounce. It's a lethal variety of greylisting.

This technique works great to keep spam out of your mailbox. Inline rejection is a little dangerous for mailing lists (because you might be auto-unsubscribed), but IMHO it's better than receiving and quarantining, because at least the sender can do something to resolve the situation -- such as calling you to say their email was bounced by your spam filter. Providing a telephone number in the bounce is an effective way to deal with false positives.

Regards,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Re: Blocking mail from bad places
> The alternative is the absurdity that a local ISP has: a 14 way cluster for mail acceptance, and another 20 way cluster for mail storage and retrieval with terabytes of storage space, 90% of the resources (or more) of which are taken up accepting and storing as much spam as possible... and this is an ISP with a few thousand dial up and DSL customers, and a small datacenter with three rows of racks. ... and none of these resource usages are billed back to the customers... they're just overhead.

Does the local ISP do any connection management? A 14 machine cluster for a few thousand users sounds on the high side. For example, we have an ISP customer with 20,000 accounts and just 3 edge servers.

For those who are interested, I did a talk at the MIT Spam Conference on throttling as a way of dealing with increased spam volume. Videos are here:

http://www.youtube.com/watch?v=bBwdWQfaskI
http://www.youtube.com/watch?v=0pGncfRZqm0

> Email quaint? You betcha - my kids and their friends do email all the time: via MySpace and the equivalents, no SMTP required. They wouldn't know what an email client was if you hit them over the head with it. ... And not surprisingly, the new spam frontier is being quietly fought at MySpace, SixApart, Blogger, and other social networks.

There was a very interesting presentation at the MIT Spam Conference concerning blog spam at SixApart. Videos here:

http://www.youtube.com/watch?v=DZjArRqSc7A
http://www.youtube.com/watch?v=ODXUE66J9B0

Regards,
Ken

> [EMAIL PROTECTED] wrote:
> > You cannot mandate how hard somebody must work. It doesn't work. Make it 'expensive enough' to be wrong, and *then* they will make the necessary effort to be 'right'.
>
> Some people block mail from bad places in an attempt to hurt the bad place, i.e. in an attempt to make it expensive for them to be bad. But nowadays there are so many bad places, so much SPAM that leaks through filters, and so many missing emails, that it becomes harder and harder to hurt the bad places by blocking email. Nowadays it is normal for email to mysteriously bounce, to go missing, to get delivered days or months late. Soon Internet email will be like IRC, a quaint service for Internet enthusiasts and oldtimers, but not a useful tool for businesses or ordinary individuals.
>
> --Michael Dillon

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Re: Slightly OT: Looking for an old domain for spam collection
> The conclusion of that thread can be found here: http://www.merit.edu/mail.archives/nanog/msg04555.html

Thanks!

> A word of caution. When attempting to collect IP address based abuse information, spoofed BGP announcements MUST be tracked as well. This topic or even mention of ASNs was excluded in the Guidelines for Management of DNS-Based Reputation Systems for Email written by Yakov Shafranovich, Nick Nicholas, Matt Sergeant, and Chris Lewis and published by Nick Nicholas on the ASRG reflector. This paper ironically excluded the role of the provider.

We're not going to be using the data as a honey pot, so it won't affect anyone's reputation. This is really just for real-world load testing and evaluation of new techniques. Our customers get lots of mail, but we have to be -- how shall I say -- careful with it!

> A cooperative effort by providers is likely the _only_ viable solution for dealing with this chronic problem. Targeted abuse is also unlikely to be detected from disposed MX domains, but will detect amateurs.

I agree whole-heartedly. What is particularly missing IMHO is a spoofed-BGP-route blacklist. Anyone making any progress on that sort of thing?

Regards,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Shaw Cable Contact?
I need to talk to someone clueful at Shaw Cable about a core network issue. The tech line as usual is not helpful.

Thanks very much,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Microsoft Corporate Postmaster Contact?
A client of ours is having an issue receiving mail from microsoft.com's corporate servers. Does anyone by chance have a contact for their postmaster?

Thanks,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Re: OT: How to stop UltraDNS sales people calling
> Hi Paul, just curious, someone over at UltraDNS called and told me my own bind server is dropping 20% of queries. Can you please explain to me how they logged into my systems?

That's nothing. A company in California emailed me a phony report that gave the names and contact info for various Fortune 500 contacts who had visited our web site. For a low low fee, we could install their software and start generating sales leads instantly!

Regards,
Ken

--
Ken Simpson
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com
Re: Yahoo! Mail Servers
I'm joining this thread rather late, and this may be somewhat OT, but... I have to ask: is this delay the result of the recent upswing in Spam worldwide? Can anyone at Yahoo or elsewhere comment?

http://www.channelregister.co.uk/2006/10/31/botnet_spam_surge/page2.html

Thanks,
Ken

S. Ryan [09/11/06 15:00 -0800]:
> I've filled it out and have yet to hear back as well.
>
> chuck goolsbee wroteth on 11/9/2006 2:46 PM:
> At 5:49 PM -0800 11/5/06, chuck goolsbee wrote:
> At 12:29 PM -0800 11/4/06, Dave Mitchell wrote:
> number of emails and being traffic shaped. To have your legitimate mailservers added to a white list, please refer to the following info.
> http://help.yahoo.com/help/us/mail/defer/defer-06.html
>
> I've filled in the form. And I'm pretty sure this is the second or third time I've done so.
>
> -dave
>
> p.s. Chuck, must be 'game on' in hell twice since Petach and I both work for Yahoo. :)
>
> I have my whistle skates, but won't drop the puck until my yahoo.com message backlogs sink to single digits, and/or a human being from yahoo!mail contacts me directly via the methods I outlined in the above referenced form.
>
> Just to follow up, six days have passed and other than one auto-reply promising:
>
> At 10:38 PM -0800 11/4/06, Yahoo! Customer Support wrote:
> Thank you for contacting Yahoo! Customer Care to answer your question. A support representative will get back to you within 48 hours regarding your issue.
>
> I haven't heard a peep from any human being at Yahoo. Has anyone else that filled in the placeb^X^X^X^X form heard back from them?
>
> Beuller?
>
> --chuck

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 601, 602 West Hastings St. Vancouver, BC, V6B 1P2, Canada
Office: +1-604-677-2978
Re: ISP wants to stop outgoing web based spam
> On 10 Aug 2006, at 22:07, Barry Shein wrote:
> > [...] The vector for these has been almost purely Microsoft Windows.
>
> I wonder. From the point of view of a MX host (as opposed to a customer-facing smarthost), would TCP fingerprinting to identify the OS and apply a weighting to the spam score be a viable technique?

We have been doing that in our traffic shaping SMTP transport for a while now. We have found a 95% correlation between spam sources and Windows hosts. If you drill down to specific versions of Windows, the correlation is even higher.

For _blocking_ connections (as opposed to, say, just slowing them down), you must combine host type with reputation information.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: SORBS Contact
> Weighing in with an opinion, as bad as blacklists *may be*, at least they let the sender know something's up. Not in an artful way, to be sure, but they give some notice. The sender can do _something_, including dropping his association with the recipient b/c it's not worth his time and trouble. Blackholing email because you think it's spam, OTOH, is pure evil.

Host type can only be used as a relatively small weighting factor toward blocking connections. However in the absence of any other reputation data on a particular IP, it's a safe way to trigger throttling or rate limiting.

IMHO receivers have a right to filter traffic in any way that reduces abuse while serving the needs of their end users. There is a lot of pressure from end users and legitimate email senders to ensure that whatever blocking strategy is in use ensures that the good stuff is not blocked.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: fingerprinting and spam ID (was: Re: ISP wants to stop outgoing web based spam)
> The problem is that I already see enough legit mail hit the quarantine due to being HTML/multipart, suspected of being sent direct-to-MX due to Exchange's bizarre habit of not providing an audit trail via Received headers, etc.

Of course by the time you can inspect the body of a message, it's already sucked down a large chunk of your resources. Host type is useful in pre-filtering even before you go so far as to send the banner -- to get rid of or at least slow down the crap that you almost certainly know is on its way.

> The biggest problem with email isn't that it doesn't work; the biggest problem with email is that there are so many vendors who simply refuse to implement SMTP properly.

I heartily agree! We have seen some laughable renditions of SMTP over the years.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: ISP wants to stop outgoing web based spam
Alexander Harrowell [11/08/06 17:09 +0100]:
> Holding the geek snobbery for a moment, I don't think I've ever worked anywhere where the e-mail wasn't MSExchange...so that would kill 100% of e-mail containing actual financially meaningful information.

Yes it would if host type was the only factor you used to decide whether to block a connection. It would be silly and unwise to block based on host type alone. However in the absence of any other information about an IP, it's at least a good and safe way to trigger rate limiting or throttling of a connection.

Once the sender gets a few good mails through and proves its worthiness, its good reputation will vastly outweigh the host type. Legitimate senders don't move around a lot, so their positive reputation has time to build. Spammers on the other hand use very short-lived IPs which do not have a chance to build reputation.

The next iteration for spammers will be to move in a big way toward sending via legitimate outbound mail servers. A previous thread was already discussing a variant of this technique, where webmail accounts are automatically plundered from cafes in Nigeria to exploit the good reputation of ISPs.

Regards,
Ken

> On 8/11/06, Ken Simpson [EMAIL PROTECTED] wrote:
> > On 10 Aug 2006, at 22:07, Barry Shein wrote:
> > > [...] The vector for these has been almost purely Microsoft Windows.
> >
> > I wonder. From the point of view of a MX host (as opposed to a customer-facing smarthost), would TCP fingerprinting to identify the OS and apply a weighting to the spam score be a viable technique?
>
> We have been doing that in our traffic shaping SMTP transport for a while now. We have found a 95% correlation between spam sources and Windows hosts. If you drill down to specific versions of Windows, the correlation is even higher.
>
> For _blocking_ connections (as opposed to, say, just slowing them down), you must combine host type with reputation information.
>
> Regards,
> Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
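An added example, not MailChannels' code or anything from the thread, serving the three messages above on host-type weighting (the TCP-fingerprinting reply, the SORBS reply, and this one): an admission policy applied at TCP accept time, before the banner, that takes the client IP, a passive OS-fingerprint label of the kind a tool such as p0f reports (the fingerprinting itself is not shown), and a per-IP reputation store fed by what happened to earlier messages. Host type on its own never rejects; it only selects a slower lane, and an IP that gets a few clean messages through is promoted regardless of what it looks like, which is what keeps an Exchange box from being blocked. The lane sizes, the history threshold and the "Windows client release equals likely bot" heuristic are assumptions for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Reputation:
    """Per-IP history of what happened to earlier messages from this client."""
    good: int = 0           # accepted and not classified as spam
    spam: int = 0           # rejected, or accepted and later classified as spam
    first_seen: float = field(default_factory=time.time)

    def score(self) -> float:
        """-1.0 (all spam) .. +1.0 (all good); 0.0 for a never-seen IP."""
        total = self.good + self.spam
        return 0.0 if total == 0 else (self.good - self.spam) / total


@dataclass(frozen=True)
class Lane:
    max_concurrent: int     # simultaneous connections allowed from the IP
    banner_delay: float     # seconds to sit before sending the 220 greeting
    msgs_per_minute: int    # message rate ceiling once connected


# Lane sizes are illustrative assumptions, not tuned values.
PROVEN_SENDER = Lane(20, 0.0, 600)
UNKNOWN_SERVER = Lane(5, 0.0, 60)
UNKNOWN_DESKTOP = Lane(2, 10.0, 10)   # slow lane, not a block
TARPIT = Lane(1, 30.0, 2)

MIN_HISTORY = 5   # messages before a reputation is trusted either way (assumption)


def host_looks_like_desktop(os_fingerprint: str) -> bool:
    """Crude reading of a passive-fingerprint label such as p0f would emit.
    Assumption for the example: a Windows client release is 'likely bot' until
    reputation says otherwise; Windows Server and non-Windows hosts are not."""
    fp = os_fingerprint.lower()
    return fp.startswith("windows") and "server" not in fp


def choose_lane(ip: str, os_fingerprint: str, store: Dict[str, Reputation],
                dnsbl_listed: bool = False) -> Tuple[str, Optional[Lane]]:
    """Admission decision at TCP accept time, before the SMTP banner.

    Returns (action, lane): action is "accept", "throttle" or "reject".
    Host type never rejects on its own; it only selects a slower lane.
    """
    rep = store.get(ip, Reputation())
    s = rep.score()
    if dnsbl_listed and s <= 0.0:
        # Reject only when an external reputation source agrees and the IP
        # has not earned positive local history.
        return "reject", None
    if rep.good + rep.spam >= MIN_HISTORY:
        if s >= 0.5:
            return "accept", PROVEN_SENDER     # good history beats host type
        if s <= -0.5:
            return "throttle", TARPIT          # keep the spammer busy instead
    if host_looks_like_desktop(os_fingerprint):
        return "throttle", UNKNOWN_DESKTOP
    return "accept", UNKNOWN_SERVER


def record_outcome(store: Dict[str, Reputation], ip: str, was_spam: bool) -> None:
    """Feed back the verdict on a delivered message into the IP's history."""
    rep = store.setdefault(ip, Reputation())
    if was_spam:
        rep.spam += 1
    else:
        rep.good += 1


def simulate_exchange_server(ip: str = "203.0.113.10", n_good: int = 6) -> List[str]:
    """A host that fingerprints as a Windows desktop starts in the slow lane and
    is promoted after n_good clean messages. Returns the actions observed."""
    store: Dict[str, Reputation] = {}
    actions = [choose_lane(ip, "Windows XP", store)[0]]
    for _ in range(n_good):
        record_outcome(store, ip, was_spam=False)
    actions.append(choose_lane(ip, "Windows XP", store)[0])
    return actions


if __name__ == "__main__":
    print(simulate_exchange_server())                                          # ['throttle', 'accept']
    print(choose_lane("198.51.100.9", "Windows XP", {}, dnsbl_listed=True))   # ('reject', None)
    print(choose_lane("192.0.2.8", "Linux 2.6", {}))                           # accept, UNKNOWN_SERVER
```

The store has to persist across connections (and ideally across MTAs) for this to work, since the whole argument is that a stable legitimate sender accumulates history while a short-lived zombie IP never does.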
Re: ISP wants to stop outgoing web based spam
> I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely, for spam originating from the outside, subject was rewritten.

Can you elaborate on the situation off-list? It seems to me that stopping outbound webmail spam is something that would not be profitable for an ISP. I am wondering what the ISP's motivation is to solve this problem.

Regards,
Ken

> Hope this helps.
>
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: [EMAIL PROTECTED]
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Hank Nussbacher wrote:
> > Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam. Nothing came about from that thread. I have an ISP that *wants* to stop the outgoing spam on an automatic basis and be a good netizen. I would have hoped that 4 years later there would be some technical solution from some hungry startup. Perhaps I have missed it.
> >
> > What I have found so far is:
> >
> > Detecting Outgoing Spam and Mail Bombing
> > http://www.brettglass.com/spam/paper.html
> > SMTP based mitigation - thing on HTTP/HTTPS
> >
> > Stopping Outgoing Spam
> > http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
> > Research paper - nothing practical
> >
> > Throttling Outgoing SPAM for Webmail Services
> > http://www.ceas.cc/papers-2005/164.pdf
> > Research paper - nothing practical
> >
> > ISPs look inward to stop spam - Network World
> > http://www.networkworld.com/news/2004/071204carrispspam.html
> >
> > Bottom line - no solution
> >
> > So I am trying once again. Hopefully someone has some magic dust this time around.
> >
> > Thanks,
> > Hank Nussbacher
> > http://www.interall.co.il

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: ISP wants to stop outgoing web based spam
Hi Hank,

Have you had any luck combining Squid in a transparent proxy configuration with SpamAssassin? A commercial plugin like Cloudmark might provide better performance (since it doesn't have to evaluate thousands of regex rules for each connection).

How to run Squid as a transparent proxy:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

I haven't figured out how to get Squid to let you run a script to scan and modify requests that are passing through. If you can figure that out I'd love to know! Otherwise, you might try looking at a couple of security auditing proxies:

http://www.parosproxy.org/functions.shtml (Java)
http://www.immunitysec.com/resources-freesoftware.shtml (Spike Proxy, Python)

.. Or you could roll your own simple CGI script that accepts web queries and uses LWP or another simple package to fetch the results -- scanning for spam at the same time.

Regards,
Ken Simpson
MailChannels

Hank Nussbacher [09/08/06 18:11 +0300]:
> On Wed, 9 Aug 2006, Mills, Charles wrote:
>
> I guess I wasn't clear enough in my first posting. I am not interested in smtp (port 25 spam). We have that covered. I am only interested in blocking outgoing web based spam. A user sits and sends out spam via automated tools via Hotmail, Yahoo, Gmail, or whatever Webmail system where they have set up thousands of throwaway users. An antispam proxy (that I want to install and manage) has to be able to come between the user on his/her PC and the Hotmail system and scan the http posts and page templates for things like number of recipients and other tricks like keeping track of the number of http posts. It has to maintain a list of known free webmail systems that are abused.
>
> Based on my stats from Spamcop, 60% of all outgoing spam is http based rather than smtp based. Others may have slightly higher or lower numbers.
>
> So, is there any magic fu out there to solve this?

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: ISP wants to stop outgoing web based spam
> Maybe I'm just an ignorant e-mail postmaster. I thought that nearly all e-mail was (E)SMTP-based (LMTP excepted). If it doesn't use the SMTP protocol, it's not reaching any mailbox. HTTP is a web browser protocol. WebMail gets converted by the web server and is subsequently routed using SMTP.

I think he's talking about blog spam, which is definitely submitted over HTTP.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
Re: ISP wants to stop outgoing web based spam
> I thought it was pretty clear that he was talking about e-mail spam submitted using HTTP to webmail services like hotmail, yahoo and gmail:

I guess I'm still a little confused about the poster's original request. It sounds like he is interested in stopping his own users from spamming via web-based email services such as Gmail and Hotmail, or via insecure forms. That can be accomplished hypothetically by filtering HTTP requests and looking for spam in POSTs; although with the proliferation of AJAX-style interfaces in these services, figuring out which POSTs refer to a message submission is far more difficult than it was in the good old Web 1.0 days.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
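An added example, not from the thread, for the "scan the HTTP POSTs" idea raised in Hank's request and in the two replies above (the roll-your-own proxy script and this message). It applies the two signals the discussion names, recipients per submission and submissions per client per time window, to an outbound POST as a proxy would see it, and it handles the failure mode this message points out: a JSON/AJAX body whose field layout the proxy does not know still counts toward the send rate even though its recipients cannot be read. The watched hostnames, send paths, form and JSON field names and all thresholds are assumptions; the requests are constructed.

```python
import json
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# All of the following are assumptions for the example: the webmail hosts and
# the form/JSON field names a real service uses change without notice.
WEBMAIL_HOSTS = {"mail.example.com", "webmail.example.net"}
SEND_PATHS = ("/compose/send", "/api/mail/send")
RECIPIENT_FIELDS = ("to", "cc", "bcc")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

MAX_RECIPIENTS_PER_MESSAGE = 25
MAX_SENDS_PER_WINDOW = 30
WINDOW_SECONDS = 3600


def is_send_request(method: str, url: str) -> bool:
    """Is this a message submission to a watched webmail service?"""
    parts = urlsplit(url)
    return (method.upper() == "POST" and parts.hostname in WEBMAIL_HOSTS
            and parts.path in SEND_PATHS)


def recipients_in_body(content_type: str, body: str) -> int:
    """Count distinct recipient addresses in a form-encoded or JSON send.
    Returns -1 when the body cannot be parsed: the AJAX failure mode, where
    the proxy can see a send happening but not who it is addressed to."""
    ct = content_type.split(";")[0].strip().lower()
    fields: Dict[str, List[str]] = {}
    if ct == "application/x-www-form-urlencoded":
        fields = parse_qs(body, keep_blank_values=True)
    elif ct == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return -1
        if not isinstance(data, dict):
            return -1
        # Flatten nested values to text so the address regex can run over them.
        fields = {k: [v if isinstance(v, str) else json.dumps(v)] for k, v in data.items()}
    else:
        return -1
    seen = set()
    for name in RECIPIENT_FIELDS:
        for value in fields.get(name, []):
            seen.update(a.lower() for a in ADDR_RE.findall(value))
    return len(seen)


class SendRateTracker:
    """Sliding-window count of sends per client IP."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self.events: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, client_ip: str, now: float) -> int:
        q = self.events[client_ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)


def inspect_request(client_ip: str, method: str, url: str, content_type: str,
                    body: str, tracker: SendRateTracker, now: float) -> Tuple[str, str]:
    """Proxy-side verdict for one request: ('pass' | 'block', reason)."""
    if not is_send_request(method, url):
        return "pass", "not a webmail send"
    n_recip = recipients_in_body(content_type, body)
    sends = tracker.record(client_ip, now)      # opaque sends still count
    if n_recip > MAX_RECIPIENTS_PER_MESSAGE:
        return "block", "%d recipients in one message" % n_recip
    if sends > MAX_SENDS_PER_WINDOW:
        return "block", "%d sends in %ds" % (sends, tracker.window)
    if n_recip < 0:
        return "pass", "send detected but body opaque, counted toward rate only"
    return "pass", "%d recipients, %d sends in window" % (n_recip, sends)


# Constructed requests for a demonstration run.
SEND_URL = "http://mail.example.com/compose/send"
FORM_CT = "application/x-www-form-urlencoded"
NORMAL_SEND = "to=alice%40example.org%2C+bob%40example.org&subject=hi&body=lunch%3F"
BULK_SEND = "to=" + "%2C".join("u%d%%40example.org" % i for i in range(40))
AJAX_SEND = '{"msg": {"hdr": "opaque layout the proxy does not know"}}'

if __name__ == "__main__":
    tracker = SendRateTracker()
    print(inspect_request("10.0.0.5", "POST", SEND_URL, FORM_CT, NORMAL_SEND, tracker, 0.0))
    print(inspect_request("10.0.0.5", "POST", SEND_URL, FORM_CT, BULK_SEND, tracker, 1.0))
    print(inspect_request("10.0.0.5", "POST", SEND_URL, "application/json", AJAX_SEND, tracker, 2.0))
    print(inspect_request("10.0.0.5", "GET", "http://mail.example.com/inbox", "", "", tracker, 3.0))
```

This only works on traffic the proxy can read; once the webmail service is behind TLS, the interception point has to be a managed client or an explicit proxy with the client's consent, and the field-name assumptions have to be re-derived every time the service changes its front end.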