SPAM on List...

John E. Malmberg wb8tyw at qsl.net
Mon Dec 9 07:15:00 EST 2002


Martin Pool wrote:

> On 15 Nov 2002, Tim Potter wrote:
> 
>> On Thu, Nov 14, 2002 at 09:05:27PM -0500, John E. Malmberg wrote:
>> 
>>> The SAMBA-TECHNICAL list reported that they have gone to the 
>>> bl.spamcop.net blocking list, and it has been relatively spam 
>>> free since then. The bl.spamcop.net is an aggressive blocking 
>>> list with a quick trigger.
>> 
>> We did start using spamcop for a while but there was way too much 
>> collateral damage inflicted on innocent parties. For example we 
>> missed several offers of free hosting for the samba.org main 
>> server.
> 
> And dp.samba.org (aka lists.samba.org) has an IP that is blacklisted
>  by some people...

If it was on any of the reputable blocking lists, I would not be able to
receive any of the SAMBA lists, and you would be getting the bounces.

QSL.NET uses aggressive spam blocking.  It is in the terms of its use.

I just checked on relays.osirus.com, and samspade.org.  They show no 
listings.

> IP-based blacklisting is too coarse a tool, and it makes it hard to 
> make exceptions for people who really are not spammers, even if 
> initially classified as such.

I.P. based blocking has been shown to be the only thing that motivates some
domains to act on abuse reports.

However, you can eliminate about 99% of spam without using a blocking
list as aggressive as spamcop.

The http://relays.osirusoft.com/ is an aggregate of a number of block
lists, of various quality.  Each list returns a different I.P. address
for a listing, so the SMTP server apparently can be configured to use
whatever level is needed.

And the bounce message can contain an alternate contact means such as a
web form if someone needs a white-listing.

Encompasserve.org uses MAPS and DUL, plus local blocking lists
maintained by the postmaster.  It has a 99% spam free rate.

Most of the spam that gets through is from Open Proxies, and dial up
ranges that have not yet been listed.

As I stated before:

If you check the I.P. address that the spam came into the samba.lists
servers on, you will likely find that the spam came in on, and in this
order:

1. Open Proxies. - Rare to get a legitimate e-mail from these.  To get
listed, means that the ISP is not acting on abuse reports.
Apparently MAPS is not listing these yet.

2. Dial-up equivalents, this is DHCP or modem lines.  ISPs do not seem
to act on abuse reports for these claiming that they can not trace them,
so it has become standard procedure for most mail servers not to accept
any e-mail from them.  Most Open Proxies are on dial-up equivalents.
These are listed in DULS, but some of the apparently free lists may be 
more accurate.

3. Open-Relays.  Since spammers are mostly assuming these are blocked,
they are using open-proxies instead.

4. Known spam friendly domains.  These are either countries that are
allowing large amounts of spam to be sent, or domains that are owned by
spamming operations.  Once they discover your server, they will flood it
with spam until a block is placed on it.


So if someone is on those types of lists above, not being able to post to 
the samba mailing list is the least of their worries.

And if a hosting service is on a major blocking list for more than a 
week, it indicates that they are not acting on abuse reports, so are not 
a good choice.


> News reports say that spam has more than tripled in the last year, 
> which seems anecdotally true.  I think we're actually getting more 
> accurate classification, it's just that the numbers are larger.

QSL.NET went to aggressive spam blocking about two years ago.  QSL.NET 
is a free e-mail and web and ftp site for Amateur Radio Operators, and 
runs entirely on donations.

Unlike home ISP users, a large enough outfit like QSL.NET pays by the 
kilobyte for their Internet connectivity.  And their measurements two 
years ago determined that over 30% of their operational costs were 
bandwidth charges due to spam being sent to their members.  That is 
why the blocks were put in place.  If they used filtering there would be 
no cost avoidance.


This is also why the use of blocking lists is increasing.  Cost 
avoidance.  If QSL.NET is noticing these costs, you can bet that other 
ISPs are too.

I do not know if samba.org's bandwidth usage is high enough to be 
billed by the kilobyte, or if it is a flat rate.


Some time last fall apparently Korea passed an OPT-OUT with the 
equivalent of "ADV" in the headers law.  Right after that, a list that I 
subscribe to at a major university went from 2 spams a week to over 8 
spams a day.  99% from Korea.


Now my spam is up that gets through both Encompasserve.org and qsl.net.
It is getting to almost an average of 1 a week, which is up from this 
last summer of 1 per month or less.

It is clear that just from the spam that I receive, spam is definitely 
up considerably.  It is not just a case of better classifications.
And most of the spam that I get on my public addresses is addressed to a 
mailing list, not me directly.

I was off-line last week.  There were 347 e-mail messages in my inbox.
After I parsed all of the spam through spamcop, there were only about 
240 messages left.

Not very much spam came from any of the SAMBA.ORG lists, the majority 
came from a classic computer list, that does not appear to be blocking 
any of the Korean domains.

Of the spam that was sent to me directly instead of to a mailing list, 
there were only about 6 at the most.  And I do not think that either 
postmaster is accepting e-mail from those I.P. addresses.


Now the other thing to consider is that when the filter makes a mistake 
and deletes a legitimate message, it is quite a while before the sender 
figures out, if at all, that the message did not get through.

If the message is bounced, the sender knows immediately, and can use the 
alternate contact information, such as a web form to request a 
whitelisting.  They also know that there is probably a problem with 
their ISP or with the particular block list, and they have the 
information needed to fix it.


And again, if someone is sending from an open-proxy, open-relay, or 
other known spam source, it is likely that not many other e-mail servers 
are accepting their e-mail.

And if a hosting service is being blocked by one of the major blocking 
lists, it is a good indication that any e-mail sent from them will not 
be widely accepted either.


So a web form can be used for when an I.P. address should be 
whitelisted, and a spam-assassin like filter can give you statistics to 
tell you if an address should be blocked.

Filtering makes spam your problem.  Using a blocking list makes spam the 
problem of the ISP sending the spam.  Eventually almost no one will 
accept e-mail from them, either from local blocking lists, or public ones.


-John
wb8tyw at qsl.network
Personal Opinion Only
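
Added example, not part of the original message: a sketch of the DNS blocking-list check described above, where the address returned for a listing selects the category, the server decides which categories to reject on, and the rejection text carries a whitelisting contact. The zone name, return-code table and web-form URL are constructed assumptions, not the values of any real list.

```python
import ipaddress
import socket

# Constructed zone, return codes and URL (assumptions, not any real list's).
ZONE = "dnsbl.example"
CATEGORIES = {
    "127.0.0.2": "open-relay",
    "127.0.0.3": "dial-up",
    "127.0.0.4": "spam-source",
    "127.0.0.9": "open-proxy",
}
WHITELIST_URL = "https://mail.example/whitelist"  # hypothetical web form

def query_name(client_ip, zone=ZONE):
    """192.0.2.25 -> 25.2.0.192.<zone> (octets reversed, zone appended)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolve(name):
    """Live lookup: A records for name, or [] when the address is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check(client_ip, reject_on, resolve=dns_resolve, whitelist=()):
    """Return (smtp_code, text) for a connecting client address."""
    if client_ip in whitelist:          # local exceptions win over the list
        return 250, "OK (locally whitelisted)"
    listed = {CATEGORIES.get(a, "unknown") for a in resolve(query_name(client_ip))}
    hits = sorted(listed & set(reject_on))
    if not hits:
        return 250, "OK"
    return 550, (f"{client_ip} listed as {', '.join(hits)} in {ZONE}; "
                 f"to request whitelisting use {WHITELIST_URL}")

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "25.2.0.192.dnsbl.example": ["127.0.0.9"],
    "7.100.51.198.dnsbl.example": ["127.0.0.3"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    strict = {"open-relay", "open-proxy", "spam-source", "dial-up"}
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.1"):
        print(ip, check(ip, strict, fake_resolve))
```

Because the rejection happens during the SMTP conversation, the sending server generates the bounce, so a legitimate sender sees the reason and the whitelisting contact instead of losing the message silently.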




More information about the rsync mailing list