SPAM on List...

John Malmberg wb8tyw at
Fri Nov 15 04:56:01 EST 2002

Tim Potter wrote:

> On Thu, Nov 14, 2002 at 09:05:27PM -0500, John E. Malmberg wrote:
>> The SAMBA-TECHNICAL list reported that they have gone to the 
>> blocking list, and it has been relatively spam free 
>> since then.  The is an aggressive blocking list with
>>  a quick trigger.
> We did start using spamcop for a while but there was way to much 
> collateral damage inflicted on innocent parties.  For example we 
> missed several offers of free hosting for the main server.

I do not know about the offers that you have, but I have some suspicions 
based on watching the postings on the various anti-spam newsgroups.

If a hosting service is being listed in spamcop, it means that they are
ignoring spam complaints.  They want legitimate users to use as body
shields to protect their paying spammers from being blocked by services 
like Spamcop, MAPS and SPEWS, and others.

That way they can get act like the blocking lists are a worse plague 
than the spammers, and get the people that they offered the free 
services to do the complaining.

So I can see how some of them would make offers of free hosting.
But maybe I am mistaken.

When you found this "collateral damage", did you check the spamcop 
database to find out why the sender's mail server was in the blocking 
list?  Did you also check to see how many blocking lists the I.P. 
address was on?  Most of them will give statistics and samples of the 
spam confirmed to have come from the blocked I.P.

But yes, sometimes spamcop makes mistakes.  One user used a spamassasin 
script to with a small error to automatically cause his own ISP's e-mail 
server to be blocked.  A lot of newebies to the internet do not know how 
to operate their e-mail programs and end up reporting themselves.

Spamcop does try to make sure their blocking list is accurate and does 
take action agains these people and removes the mistaken blocks as soon 
as they are notified of them.  They keep track of every spam that was 
reported, so they can check to see what happened.

If the retry code is used, and the ISP is resposive to abuse complaints,
then there should not be any significant collateral damage, as the 
listing would expire in the 3 hours.  If the listing lasts longer than 
that, it means that they have a history of ignoring spam complaints.

And that history can be looked up from a public web form.  In fact there 
are several places that are keeping these statistics.  The spam-assasin 
tool uses these blocking lists as part of it's rating.

The ISPs that get on the blocking lists only stop the spammers when 
their paying customers complain.  They otherwise ignore the complaints.

> At the moment we have tridge's trusty home-grown spam stopper script
>  which is reasonably effective.  Martin is currently trialling 
> bogofilter on the rsync list.

A filter is good to as a belt and suspenders approach, but it is best to 
not accept e-mail from ISPs that do not respond to spam complaints.

I get the rsync list in digest mode, so I have not been able to trace 
the spam from it.

On the Samba Technical list, I do trace the spam to the origin.  Almost 
all of it is either coming from known open-proxies (which is the same as 
an open relay) or it is coming from domains that do not respond to abuse 
reports.  Mainly Korean and China domains.

The open-proxies can be dealt with DNSbl, and 
the other domains can be done with manual blocks.  Most of the Korean 
spam is coming from a handful of domains.

My other public e-mail address uses this method.  If you use a 
bogofilter to feed a local blocking list, that would have the greatest 
effect.  It does require a human to supervise the process though.  But 
they only would need to check the logs on a regular basis.

I get about 5 to 8 spams a month that gets through that process.  The 
spamcop blocked gets a little bit less.

Mainly the spam is from newly discovered open-proxies.  That is the 
currently what the spammers are using to deliver their spew.
A few comes from dial up ports.

But if a legitimate message is mistaken for spam, it is better for the 
sender to get a bounce message than to wonder what happened to their mail.

When it become clear that a domain is mainly sending spam, there is no 
point in accepting any e-mail from it.

When the bogofilter is running, it would probably be useful to see how 
many legitimate e-mails show up from the domains that spam comes from.

I suspect that if you do not count the open-proxies, open-relays, and 
dialup services, that you will find that there will be no overlap 
between the domains that send spam, and you get legitimate e-mail from.

And I would be surprised if you found any legitimate e-mail coming from 
an open-proxy, open-relay, or known dialup equivalent I.P. address.

Sorry to run on like this, but I used to just delete the spam I got 
until the porn advertisements started showing up.

QSL.NET is a free e-mail relay service for licensed amateur radio 
operators.  The owner pays for the bandwidth out of donations.  He said 
that he had to either institute aggressive spam blocking, or he would 
have to shut down the service as he noticed that about 30% of the 
bandwidth he was paying for was spam, and that was before the explosion 
of spam that started last fall.

While there will be some holdouts for filtering instead of blocking, the 
economics are against it.

Big companies and ISPs are using blocking lists.  Some will not admit it 
because they do not want to be accused of censorship, and they will 
black hole suspect spam instead of bouncing it.  They just claim 
ignorance as to why the e-mail does not show up.  Since they are usually 
not the only one blackholing the domain, it looks to all that the 
problem is with the sending ISP.

So when someone gets a bounce message, it usually means that their ISP 
has a problem.

I have basically espressed all my thoughts on this subject, so unless 
there is a direct question to me about any of this, I intend to go back 
to just mailing list topic of RSYNC issues.

wb8tyw at
Personal Opinion Only

More information about the rsync mailing list