SPAM on List...
John Malmberg
wb8tyw at qsl.net
Fri Nov 15 04:56:01 EST 2002
Tim Potter wrote:
> On Thu, Nov 14, 2002 at 09:05:27PM -0500, John E. Malmberg wrote:
>
>> The SAMBA-TECHNICAL list reported that they have gone to the
>> bl.spamcop.net blocking list, and it has been relatively spam free
>> since then. The bl.spamcop.net is an aggressive blocking list with
>> a quick trigger.
>
> We did start using spamcop for a while but there was way to much
> collateral damage inflicted on innocent parties. For example we
> missed several offers of free hosting for the samba.org main server.
I do not know about the offers that you have, but I have some suspicions
based on watching the postings on the various anti-spam newsgroups.
If a hosting service is being listed in spamcop, it means that they are
ignoring spam complaints. They want legitimate users to use as body
shields to protect their paying spammers from being blocked by services
like Spamcop, MAPS and SPEWS, and others.
That way they can get act like the blocking lists are a worse plague
than the spammers, and get the people that they offered the free
services to do the complaining.
So I can see how some of them would make offers of free hosting.
But maybe I am mistaken.
When you found this "collateral damage", did you check the spamcop
database to find out why the sender's mail server was in the blocking
list? Did you also check to see how many blocking lists the I.P.
address was on? Most of them will give statistics and samples of the
spam confirmed to have come from the blocked I.P.
But yes, sometimes spamcop makes mistakes. One user used a spamassasin
script to with a small error to automatically cause his own ISP's e-mail
server to be blocked. A lot of newebies to the internet do not know how
to operate their e-mail programs and end up reporting themselves.
Spamcop does try to make sure their blocking list is accurate and does
take action agains these people and removes the mistaken blocks as soon
as they are notified of them. They keep track of every spam that was
reported, so they can check to see what happened.
If the retry code is used, and the ISP is resposive to abuse complaints,
then there should not be any significant collateral damage, as the
listing would expire in the 3 hours. If the listing lasts longer than
that, it means that they have a history of ignoring spam complaints.
And that history can be looked up from a public web form. In fact there
are several places that are keeping these statistics. The spam-assasin
tool uses these blocking lists as part of it's rating.
The ISPs that get on the blocking lists only stop the spammers when
their paying customers complain. They otherwise ignore the complaints.
> At the moment we have tridge's trusty home-grown spam stopper script
> which is reasonably effective. Martin is currently trialling
> bogofilter on the rsync list.
A filter is good to as a belt and suspenders approach, but it is best to
not accept e-mail from ISPs that do not respond to spam complaints.
I get the rsync list in digest mode, so I have not been able to trace
the spam from it.
On the Samba Technical list, I do trace the spam to the origin. Almost
all of it is either coming from known open-proxies (which is the same as
an open relay) or it is coming from domains that do not respond to abuse
reports. Mainly Korean and China domains.
The open-proxies can be dealt with proxies.relays.monkeys.com DNSbl, and
the other domains can be done with manual blocks. Most of the Korean
spam is coming from a handful of domains.
My other public e-mail address uses this method. If you use a
bogofilter to feed a local blocking list, that would have the greatest
effect. It does require a human to supervise the process though. But
they only would need to check the logs on a regular basis.
I get about 5 to 8 spams a month that gets through that process. The
spamcop blocked qsl.net gets a little bit less.
Mainly the spam is from newly discovered open-proxies. That is the
currently what the spammers are using to deliver their spew.
A few comes from dial up ports.
But if a legitimate message is mistaken for spam, it is better for the
sender to get a bounce message than to wonder what happened to their mail.
When it become clear that a domain is mainly sending spam, there is no
point in accepting any e-mail from it.
When the bogofilter is running, it would probably be useful to see how
many legitimate e-mails show up from the domains that spam comes from.
I suspect that if you do not count the open-proxies, open-relays, and
dialup services, that you will find that there will be no overlap
between the domains that send spam, and you get legitimate e-mail from.
And I would be surprised if you found any legitimate e-mail coming from
an open-proxy, open-relay, or known dialup equivalent I.P. address.
Sorry to run on like this, but I used to just delete the spam I got
until the porn advertisements started showing up.
QSL.NET is a free e-mail relay service for licensed amateur radio
operators. The owner pays for the bandwidth out of donations. He said
that he had to either institute aggressive spam blocking, or he would
have to shut down the service as he noticed that about 30% of the
bandwidth he was paying for was spam, and that was before the explosion
of spam that started last fall.
While there will be some holdouts for filtering instead of blocking, the
economics are against it.
Big companies and ISPs are using blocking lists. Some will not admit it
because they do not want to be accused of censorship, and they will
black hole suspect spam instead of bouncing it. They just claim
ignorance as to why the e-mail does not show up. Since they are usually
not the only one blackholing the domain, it looks to all that the
problem is with the sending ISP.
So when someone gets a bounce message, it usually means that their ISP
has a problem.
I have basically espressed all my thoughts on this subject, so unless
there is a direct question to me about any of this, I intend to go back
to just mailing list topic of RSYNC issues.
-John
wb8tyw at qsl.network
Personal Opinion Only
More information about the rsync
mailing list