SPAM on List...
John E. Malmberg
wb8tyw at qsl.net
Mon Dec 9 07:15:00 EST 2002
Martin Pool wrote:
> On 15 Nov 2002, Tim Potter wrote:
>
>> On Thu, Nov 14, 2002 at 09:05:27PM -0500, John E. Malmberg wrote:
>>
>>> The SAMBA-TECHNICAL list reported that they have gone to the
>>> bl.spamcop.net blocking list, and it has been relatively spam
>>> free since then. The bl.spamcop.net is an aggressive blocking
>>> list with a quick trigger.
>>
>> We did start using spamcop for a while but there was way too much
>> collateral damage inflicted on innocent parties. For example we
>> missed several offers of free hosting for the samba.org main
>> server.
>
> And dp.samba.org (aka lists.samba.org) has an IP that is blacklisted
> by some people...
If it was on any of the reputable blocking lists, I would not be able to
receive any of the SAMBA lists, and you would be getting the bounces.
QSL.NET uses aggressive spam blocking. It is in the terms of its use.
I just checked on relays.osirus.com, and samspade.org. They show no
listings.
> IP-based blacklisting is too coarse a tool, and it makes it hard to
> make exceptions for people who really are not spammers, even if
> initially classified as such.
I.P. based blocking has been shown to be the only thing that motivates some
domains to act on abuse reports.
However, you can eliminate about 99% of spam without using a blocking
list as aggressive as spamcop.
The http://relays.osirusoft.com/ is an aggregate of a number of block
lists, of various quality. Each list returns a different I.P. address
for a listing, so the SMTP server apparently can be configured to use
whatever level is needed.
And the bounce message can contain an alternate contact means such as a
web form if someone needs a white-listing.
Encompasserve.org uses MAPS and DUL, plus local blocking lists
maintained by the postmaster. It has a 99% spam free rate.
Most of the spam that gets through is from Open Proxies, and dial up
ranges that have not yet been listed.
As I stated before:
If you check the I.P. address that the spam came into the samba.lists
servers on, you will likely find that the spam came in on, and in this
order:
1. Open Proxies. - Rare to get a legitimate e-mail from these. To get
listed, means that the ISP is not acting on abuse reports.
Apparently MAPS is not listing these yet.
2. Dial-up equivalents, this is DHCP or modem lines. ISPs do not seem
to act on abuse reports for these claiming that they can not trace them,
so it has become standard procedure for most mail servers not to accept
any e-mail from them. Most Open Proxies are on dial-up equivalents.
These are listed in DULS, but some of the apparently free lists may be
more accurate.
3. Open-Relays. Since spammers are mostly assuming these are blocked,
they are using open-proxies instead.
4. Known spam friendly domains. These are either countries that are
allowing large amounts of spam to be sent, or domains that are owned by
spamming operations. Once they discover your server, they will flood it
with spam until a block is placed on it.
So if someone is on those types of lists above, not being able to post to
the samba mailing list is the least of their worries.
And if a hosting service is on a major blocking list for more than a
week, it indicates that they are not acting on abuse reports, so are not
a good choice.
> News reports say that spam has more than tripled in the last year,
> which seems anecdotally true. I think we're actually getting more
> accurate classification, it's just that the numbers are larger.
QSL.NET went to aggressive spam blocking about two years ago. QSL.NET
is a free e-mail and web and ftp site for Amateur Radio Operators, and
runs entirely on donations.
Unlike home ISP users, a large enough outfit like QSL.NET pays by the
kilobyte for their Internet connectivity. And their measurements two
years ago determined that over 30% of their operational costs were
bandwidth charges due to spam being sent to their members. That is
why the blocks were put in place. If they used filtering there would be
no cost avoidance.
This is also why the use of blocking lists is increasing. Cost
avoidance. If QSL.NET is noticing these costs, you can bet that other
ISPs are too.
I do not know if samba.org's bandwidth usage is high enough to be
billed by the kilobyte, or if it is a flat rate.
Some time last fall apparently Korea passed an OPT-OUT with the
equivalent of "ADV" in the headers law. Right after that, a list that I
subscribe to at a major university went from 2 spams a week to over 8
spams a day. 99% from Korea.
Now my spam is up that gets through both Encompasserve.org and qsl.net.
It is getting to almost an average of 1 a week, which is up from this
last summer of 1 per month or less.
It is clear that just from the spam that I receive, spam is definitely
up considerably. It is not just a case of better classifications.
And most of the spam that I get on my public addresses is addressed to a
mailing list, not me directly.
I was off-line last week. There were 347 e-mail messages in my inbox.
After I parsed all of the spam through spamcop, there were only about
240 messages left.
Not very much spam came from any of the SAMBA.ORG lists, the majority
came from a classic computer list, that does not appear to be blocking
any of the Korean domains.
Of the spam that was sent to me directly instead of to a mailing list,
there were only about 6 at the most. And I do not think that either
postmaster is accepting e-mail from those I.P. addresses.
Now the other thing to consider is that when the filter makes a mistake
and deletes a legitimate message, it is quite a while before the sender
figures out, if at all, that the message did not get through.
If the message is bounced, the sender knows immediately, and can use the
alternate contact information, such as a web form to request a
whitelisting. They also know that there is probably a problem with
their ISP or with the particular block list, and they have the
information needed to fix it.
And again, if someone is sending from an open-proxy, open-relay, or
other known spam source, it is likely that not many other e-mail servers
are accepting their e-mail.
And if a hosting service is being blocked by one of the major blocking
lists, it is a good indication that any e-mail sent from them will not
be widely accepted either.
So a web form can be used for when an I.P. address should be
whitelisted, and a spam-assassin like filter can give you statistics to
tell you if an address should be blocked.
Filtering makes spam your problem. Using a blocking list makes spam the
problem of the ISP sending the spam. Eventually almost no one will
accept e-mail from them, either from local blocking lists, or public ones.
-John
wb8tyw at qsl.net
Personal Opinion Only
More information about the rsync
mailing list
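
The message above describes an aggregate block list that returns a different address per sub-list, so the SMTP server can pick its own level, and a bounce that carries a web form for whitelisting requests. The following sketch of that policy is an added example, not part of the original post or of any list server's code; the zone name, the meaning of each return code, the whitelist entry and the contact URL are all constructed.

```python
import ipaddress
import socket

ZONE = "dnsbl.example"                                 # hypothetical aggregate zone
CONTACT = "https://lists.example/whitelist-request"    # hypothetical web form

# Constructed return codes: value -> (category, reject at SMTP time?)
POLICY = {
    "127.0.0.2": ("open-relay", True),
    "127.0.0.3": ("dial-up range", True),
    "127.0.0.4": ("open-proxy", True),
    "127.0.0.9": ("quick-trigger user reports", False),  # too aggressive: ignore
}

# Local exceptions maintained by the postmaster (constructed entry).
WHITELIST = {ipaddress.ip_address("198.51.100.7")}


def dnsbl_name(ip, zone=ZONE):
    """Build the query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real lookup: every A record returned is one sub-list's code."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # NXDOMAIN or resolver failure: treat as not listed
        return []


def smtp_decision(ip, resolve=system_resolver):
    """Return the SMTP reply for a connecting client address."""
    if ipaddress.ip_address(ip) in WHITELIST:
        return "250 OK (locally whitelisted)"
    codes = resolve(dnsbl_name(ip))
    # Act only on the sub-lists this server has chosen to enforce.
    hits = [POLICY[c][0] for c in codes if c in POLICY and POLICY[c][1]]
    if hits:
        return (f"550 5.7.1 {ip} listed as {', '.join(hits)}; "
                f"if this is an error, request whitelisting at {CONTACT}")
    return "250 OK"


# Constructed zone data standing in for DNS so the example runs offline.
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.4"],
    "20.2.0.192.dnsbl.example": ["127.0.0.9"],
    "7.100.51.198.dnsbl.example": ["127.0.0.3"],
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])
```

Rejecting during the SMTP dialogue, rather than filtering after acceptance, is what gives the sender the immediate notice and contact details the message argues for.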