Re: Spammers hapless fate = ISP toil and sweat

Hello, I normally just lurk around this mailing list, but I think I'll contribute my two cents this time...

Spamming is a serious problem. Here at Esoterica where I am, unsolicited email was about one half of total email traffic - which is quite a lot. Thus, our postmaster has dedicated all his available time to implementing anti-spamming measures. What he found out is this:

Firstly, far from being "mindless robots", the companies in the spamming business are cold-hearted professionals. They have teams of professional programmers spending all their time just developing new and more effective ways of illegally sending out unsolicited email - using several clever relaying mechanisms. They work full-time on the job. They are a strong force which will easily overthrow any basic measures taken against spamming - like simply filtering out domains, or blocking traffic from relaying machines.

Secondly, they are vindictive and protect their own jobs. This means that if an ISP tries to aggressively implement anti-spamming mechanisms, they will fight back! And how do they do this? For instance, they send out forged emails with that ISP's addresses. What happens? Entities receiving the forged emails will complain to the ISP in question. The ISP replies saying that the emails are forged, trying to make them understand that this is the "spammer's revenge". Most of these entities either don't care or don't believe it, so they just shut the ISP off at their firewall (especially if on the next day they get a new lot of unsolicited email apparently coming from the same forged addresses...). This forces the ISP to open up to spamming from this particular company, hoping that they won't forge spamming attempts in the future... As you see, they're quite clever. Their businesses and jobs depend on their cleverness.

How can ISPs successfully "fight back"? First, and foremost, they need to assume that the "threat" is serious.
Secondly, allocate resources to the job - this means a *lot* of time. But thirdly, and I think that's the major issue here, by sticking together. While a single postmaster probably won't be able to do much work single-handedly, having a group to coordinate the work is helpful. Some free time taken from a group of postmasters quickly adds up to a "task force" of some magnitude...

Basically, what our postmaster found out is that denying access is not a good measure - spamming companies will try every trick of the trade to get through, or else they will try to hurt the blocking ISP in some way. UUNet, for instance, has publicly announced their "zero tolerance" towards spammers - it's no wonder that perhaps half of the spammers now use forged emails (and dial-up accounts) coming from UUNet to spam the net. Their hope is getting enough ISPs blocking UUNet's traffic so that UUNet is "forced" to "open" their machines to spamming again... (in our case, as a transit customer of UUNet I obviously can't block traffic through them :-) )

Better is just to make things difficult for them. Remember that their jobs depend on getting as many messages through as possible (using third-party relayers). If a sendmail configuration just lets a few messages through, or selectively blocks some domain for a while, this means that this machine will only deliver a few messages - when spammers rely on tens of thousands being delivered. This is uninteresting to them. They will thus use other machines as relays. Of course, this also means that your own users will see a delay in the sending of their own, legitimate messages. It's a tradeoff. By using a combination of these tricks one can try to keep the spammers away for a while - until they develop a new creative method for spamming again. We have seen all sorts of very clever and ingenious methods to get through. Who knows what else they will invent next?
By keeping a mailing list with several postmasters' contacts it's possible not only to exchange domains from which the spammers usually attack, but also anti-spamming techniques and tricks. There are some steps being taken on a national basis here in Portugal (from where I'm writing :-) ) but, as shown by the traffic generated on this list on the topic of spamming, I'm going to make the suggestion again, at this level... Do you think that there is some interest in maintaining a mailing list for all postmasters from the LRs for the sole purpose of discussing anti-spam techniques and listing spamming domains and relay machines? Would RIPE be interested in "sponsoring" this mailing list?

BTW, searching through RIPE's Web site, the only mention of spam is in RIPE-162, chapter C2.1. This basically states the commitment of RIPE to maintain the mailing lists spam-free. I wonder if there is already a "task force" in place for anti-spamming measures. We're aware of some efforts on an international basis - mostly some Web sites with interesting information and data on anti-spamming measures, with associated mailing lists - but to my personal knowledge, there is no such coordinated effort at RIPE (so far :-) ).

There is also an issue of local laws. Filtering out spam *could* be illegal in some countries (it violates freedom of speech). In Portugal, spamming is actually illegal - it's "unsolicited email", and this is an abuse of a third party's infrastructure, i.e. using computational (and telecommunications) resources that you aren't allowed to. This makes it a crime according to Portuguese law. There is a case of mail bombing (a particular kind of spamming...) brought to court - it will take ages to be ruled on and probably the offender will get away with some community work :) but it will be judged in court. Of course, in other countries, freedom of speech may be more important than using others' telecommunications resources.
I wonder if local laws will actually work *against* a RIPE-based global effort across Europe. On 12-Sep-97 "Scott A. Marlin" wrote:
Which basically means that any customer is free to spam. The ISP is there to take the rap and clean up afterward. I think for such matters the "spammer" should be held responsible ... like being charged a flat or hourly rate for the cleanup job.
This is the case around here. Of course, catching the spammer and actually condemning him/her in court in order to charge him/her that rate is another story, especially if we're talking about an international incident. Better to prevent him/her from spamming in the first place.
Incidentally, in the cited case, I sent a mail to an address mentioned in the ad asking them to stop sending the ads. What I got back was another mail from another source (obviously from a blind mail-robot) with *lots* of info about their services.
At the bottom of the e-mail was a URL for those who wished to stop the ads from being sent. Waaaay down at the bottom of this web site plugged full of promotional information was the opportunity to "register" my name in the database of those who didn't want to receive any more spam (the name of the link was a baby crying "mommy ... they thpammed me again"). Really!
One of the major issues about spamming customers is knowing how many people were actually reached by a spamming effort. Spamming companies have found out that these two tricks - "send email here to be deleted from our database" and "click here to remove yourself from our database online" - are the best way to know if you're reaching people. Also, many postmasters will contact the spamming company in order to complain. Based on all this feedback, spamming companies can determine a "success rate" for their spamming efforts. This keeps their own customers happy... A better way to deal with this is simply to ignore the message, and make sure that all your users ignore the spam, too. In the long run, this means a lower "success rate" for a particular domain/spamming technique, so the spamming companies will probably try somewhere else.
The entire operation took about 30 minutes. I haven't heard from them since. But I have received at least 10 unsolicited e-mails since then.
My bet is, they will try again and again and again. The problem is, each time your address is found in a Usenet post, on a subscription web site or on a mailing list, there is a high probability of someone "selling" your email address to a spamming company. For instance, I'm receiving spam to addresses that were disconnected 2 and 3 years ago... DejaNews and other public sites with lots and lots of addresses are a perfect place to get all those addresses for the spamming lists...

- Luis Sequeira
Esoterica - Novas Tecnologias de Informacao, SA
Luis Miguel Sequeira
lms@esoterica.pt
http://www.esoterica.pt/

In message <XFMail.970916173833.lms@esoterica.pt>, Luis Miguel Sequeira writes:
Hello,
I normally just lurk around this mailing list, but I think I'll contribute my two cents this time...
Spamming is a serious problem. [...]
Thanks to Luis! I totally agree, we need to handle these assholes seriously. Yes, I believe this is a place where RIPE could be used as a forum. It's clear that the non-USA part of the world will have to deal with this in a different way than the USA, firstly because we're not so afraid of the "censor" word, but mostly because we have no chance of legally assaulting these people. A mere passive role in other words.

My personal filtering technique is to accept the email and never deliver it. Interestingly enough, some of the spammers have one "control" address on each email they send, typically the last, so one will see an email being sent to 50 AOL users and the 51st address goes somewhere else. If this last address doesn't receive the email in some time window, it will be sent again. I have yet to think of the right way to exploit this fact. (Should any of you want study material, I can provide you with about three months of non-delivered emails.)

The other thing we could try is more political: Have RIPE send a formal letter to AGIS and the IEMMC who house most of these creeps, and tell them that either they will cease to send spam to the following list of top level domains: {be, dk, ...} effective today or RIPE will orchestrate a pan-European filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members' networks. This is somewhat close to shooting while wearing a black hat... but they disregard common courtesy, so maybe we need to do so as well to teach them a lesson.

-- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop."

On 17 Sep 97 at 16:01, Poul-Henning Kamp wrote: - snip -
a pan-european filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members networks.
I wouldn't recommend that. They will receive our routing and then their IP packets will still get here - and we will all experience something very nasty.... It's pretty close to SYN-flooding. What should be done is to have our transit operators stop announcing our networks to AGIS/IEMMC. Then they will not get their packets over the Atlantic and we wouldn't have to bother. But they will probably set up other American hosts as relays and go from there...

/Jorgen

In message <199709171559.RAA27727@nix.swip.net>, "Jorgen Ericsson" writes:
On 17 Sep 97 at 16:01, Poul-Henning Kamp wrote:
- snip -
a pan-european filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members networks.
I wouldn't recommend that. They will receive our routing and then their IP packets will still get here - and we will all experience something very nasty.... It's pretty close to SYN-flooding.
No worries:
1. AGIS will act swiftly to get this fixed; they also have serious customers. It would make a very bad dent in their reputation to be locked out of a continent.
2. Your host will receive "host unreachable" and not keep the TCP session block around.
What should be done is to have our transit operators stop announcing our networks to AGIS/IEMMC. Then they will not get their packets over the atlantic and we wouldn't have to bother.
That is far more complex and probably downright impossible to orchestrate.
But they will probably set other american hosts as relays and go from there...
Well, then somebody else in America will take action, because we'll just move over and block them next if they don't act. Remember, making their IP numbers useless is the hardest way we can hit them; getting new IP#s is not easy (the fact that you're on this mailing list means that you know that :-) For this to work, we need to get Europe to work as a block: if the bigger party blocks the smaller, the smaller has a problem. If the smaller party blocks the bigger, nobody cares.

-- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop."

Remember, making their IP numbers useless is the hardest way we can hit them; getting new IP#s is not easy (the fact that you're on this mailing list means that you know that :-)
This is a bit off topic, but I disagree. If you're as unscrupulous as these guys, getting new IP numbers is as easy as this:

: interface Ethernet0
:  ip address 219.1.1.1 255.255.0.0
:
: router bgp xxxx
:  network 219.1.0.0 netmask 255.255.0.0
:
: ip route 219.1.0.0 255.255.0.0 Null0 254

Hey presto: you've just got a /16 block which will probably get routed to most Internet sites. If the block doesn't get routed everywhere, it's not the end of the world. Hey, it's only spam -- 90% saturation is almost as good as 100%. This is one reason why address-based inbound filtering of customer BGP announcements is critically important.

Mario, I like your solution, but does it scan individual email messages, or just mail logs? If it's the former, does it chew system resources?

Nick

In message <199709171729.SAA00329@beckett.earlsfort.iol.ie>, Nick Hilliard writes:
Remember, making their IP numbers useless is the hardest way we can hit them; getting new IP#s is not easy (the fact that you're on this mailing list means that you know that :-)
This is a bit off topic, but I disagree. If you're as unscrupulous as these guys, getting new IP numbers is as easy as this:
: interface Ethernet0
:  ip address 219.1.1.1 255.255.0.0
:
: router bgp xxxx
:  network 219.1.0.0 netmask 255.255.0.0
:
: ip route 219.1.0.0 255.255.0.0 Null0 254
Hey presto: you've just got a /16 block which will probably get routed to most Internet sites. If the block doesn't get routed everywhere, it's not the end of the world. Hey, it's only spam -- 90% saturation is almost as good as 100%.
This is why we should filter on the AS number rather than the IP#. AS numbers and peering sessions are even harder to get than IP#s...

-- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop."

Poul-Henning Kamp wrote:
: router bgp xxxx
:  network 219.1.0.0 netmask 255.255.0.0
:
: ip route 219.1.0.0 255.255.0.0 Null0 254
Hey presto: you've just got a /16 block which will probably get routed to most Internet sites. If the block doesn't get routed everywhere, it's not the end of the world. Hey, it's only spam -- 90% saturation is almost as good as 100%.
This is why we should filter on the AS number rather than the IP#.
AS numbers and peering sessions are even harder to get than IP#...
You should filter both ideally. --Tony
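The two filters argued for in the exchange above, as an added example written for this page and not code from anyone in the thread: a per-customer prefix check on inbound BGP announcements, which the /16 in Nick's snippet would fail because it lies outside anything the customer was allocated, plus an origin-AS deny check of the kind Poul-Henning suggests, with both applied together as Tony recommends. The customer AS number, its allocations, the denied AS, the routes and the AS paths are all constructed (documentation ASNs and prefixes), and the IOS prefix-list rendering is an illustration of the same table, not a tested router configuration.

```python
"""Added example: inbound route filtering for a customer BGP session,
by prefix (must lie within the customer's allocation, not too specific)
and by origin AS (deny-listed originators are refused)."""
import ipaddress

# Prefixes each customer AS is allowed to originate (constructed).
CUSTOMER_ALLOCATIONS = {
    64496: ["192.0.2.0/24", "198.51.100.0/24"],
}
# Origin ASes whose routes we refuse (constructed; a documentation ASN,
# not the AS named in the thread).
DENIED_ORIGIN_AS = {64511}
MAX_PREFIX_LEN = 24   # refuse anything more specific than a /24


def check_customer_prefix(customer_as, prefix):
    """Prefix filter for one customer session. Returns (accept, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "more specific than /%d" % MAX_PREFIX_LEN
    for allowed in CUSTOMER_ALLOCATIONS.get(customer_as, []):
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True, "covered by %s" % allowed
    return False, "not within AS%d's allocation" % customer_as


def check_origin_as(as_path):
    """AS-path filter: the originating AS is the last one in the path."""
    path = [int(a) for a in as_path.split()]
    if not path:
        return False, "empty AS path"
    origin = path[-1]
    if origin in DENIED_ORIGIN_AS:
        return False, "originated by denied AS%d" % origin
    return True, "origin AS%d allowed" % origin


def filter_route(customer_as, prefix, as_path):
    """Apply both checks; the route is accepted only if both pass."""
    ok_prefix, why_prefix = check_customer_prefix(customer_as, prefix)
    ok_origin, why_origin = check_origin_as(as_path)
    return ok_prefix and ok_origin, "%s; %s" % (why_prefix, why_origin)


def cisco_prefix_list(customer_as):
    """Render the allocation table as an IOS-style prefix-list with a
    closing deny-all entry (illustrative syntax; verify against your
    router's documentation before use)."""
    name = "CUST-AS%d-IN" % customer_as
    lines, seq = [], 5
    for allowed in CUSTOMER_ALLOCATIONS.get(customer_as, []):
        lines.append("ip prefix-list %s seq %d permit %s" % (name, seq, allowed))
        seq += 5
    lines.append("ip prefix-list %s seq %d deny 0.0.0.0/0 le 32" % (name, seq))
    return lines


if __name__ == "__main__":
    for prefix, path in [("192.0.2.0/24", "64496"),
                         ("219.1.0.0/16", "64496"),
                         ("198.51.100.0/24", "64500 64511")]:
        print(prefix, path, filter_route(64496, prefix, path))
    print("\n".join(cisco_prefix_list(64496)))
```

The prefix check is what stops the "network 219.1.0.0" trick at the provider edge: a customer session only ever gets to announce what the provider already knows belongs to it, and a /16 that appears from nowhere is simply dropped. The origin-AS check works on a different axis and can be applied on peering and transit sessions too, which is why the two complement rather than replace each other.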

Mario, I like your solution, but does it scan individual email messages, or just mail logs? If it's the former, does it chew system resources?
It just scans the tail of the mail logs (the queue log) every 15 minutes to inspect whether there's a spam going on (msgs from a certain list of known spammers, a repetition of the same message from the same domain, msgs from numeric domains like 34534.com). It cleans all the domains blocked and blocks the ones that are in offense. From what we were able to gather, CPU consumption is not high.

C U! MV

Spamming is a serious problem. [...]
Thanks to Luis! I totally agree, we need to handle these assholes seriously.
My personal filtering technique is to accept the email and never deliver it. Interestingly enough, some of the spammers have one
As postmaster for Esoterica together with Paulo Laureano (who's on holiday), Paulo and I have been responsible for dealing with the spammers. There are two distinct problems: one is your local users being hit by spam. I don't mean one or two or ten. I mean when someone gets hold of your list of users (/etc/passwd or mailing lists or scanning Usenet) or (like we had in the past) has someone create a program to generate all the permutations of 8 letters and tries to deliver mail to permutationN@esoterica.pt. The other problem is your email server being used as a relay for spamming. Someone delivers mail on your server saying it is destined for somewhere else. Not only do you spend computation and bandwidth resources, but you also appear to be the origin of the spam, and thus get bothered a lot by other sysadms.

This last problem was quite simple to solve, since there are patches and configurations for sendmail to do relaying for only a list of machines. The second problem we dealt with by detecting which spams were being sent and blocking email coming from such domains or addresses. The problem with this approach is that there's still a connection being made; there's still a process launched on your machine. The next solution was to block packets coming from those addresses to port 25 of any machine on our network. This, together with the no-relay change, worked wonders. Our spammer friends didn't like this at all. They started sending out spam through other mail servers with fake From addresses ending in @esoterica.pt; we've had no end of complaints from people thinking we were the origin of spam and had to do no end of explaining.

Our current solution is quite devious :-) We receive mail from anywhere!....Yes...But we have a daemon running that checks the incoming mail queue for certain patterns of use, domains, volume of messages, etc.
If a spam is detected, the daemon at once, using Linux's ipfwadm (firewall/packet blocking tools), blocks reception of packets from the address/domain originating the spam for about 15 minutes. After that the reception is restored. This means that normal mail comes in; even very frequented mailing lists are no problem; but a repeated message, from the same address with the same size, raises a red flag: some of the messages are received, but then reception is blocked and for 15 minutes no more messages can be delivered. For the spammers it looks like network congestion or lack of connectivity, so they give us no problems. 15 minutes later, reception is re-established, for normal reception of email (even from the previous offending domain) or for another 15 minutes of blocking. This has worked wonders. We still receive unsolicited email, but no more heavy duty spams.

C U!
-- Mario Valente
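As an added illustration of the log-scanning daemon Mario describes in his two messages above (written for this page, not the Esoterica daemon itself): a Python pass over sendmail-style log lines that flags known spam domains, numeric domains like 34534.com, and repeats of the same-sized message from the same domain, then keeps a block table whose entries lapse after 15 minutes so that the next pass lets the source back in. The log lines, the spam-domain list, the thresholds and the timestamps are constructed; the sendmail log layout the regex expects and the ipfwadm flag syntax are assumptions, and the firewall commands are returned as strings for inspection rather than executed.

```python
"""Added example: periodic scan of a mail log tail, flagging likely spam
runs and issuing temporary (15-minute) packet-filter blocks."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed sendmail log layout: '... from=<addr>, size=N, ... relay=host [ip]'
FROM_RE = re.compile(
    r"from=<(?P<addr>[^>]*)>, size=(?P<size>\d+).*?relay=\S+ \[(?P<ip>[\d.]+)\]")
KNOWN_SPAM_DOMAINS = {"bulkmail.example"}          # constructed list
NUMERIC_DOMAIN_RE = re.compile(r"^\d+\.[a-z]+$")   # e.g. 34534.com
REPEAT_THRESHOLD = 3            # same domain + same size this often = a run
BLOCK_FOR = timedelta(minutes=15)
T0 = datetime(1997, 9, 17, 16, 15)                 # constructed "now"

SAMPLE_LOG = [  # constructed; two legit senders, one spam run, two oddities
    "Sep 17 16:01:02 mx sendmail[101]: QAA00101: from=<news@lists.example>, size=5120, relay=lists.example [203.0.113.5]",
    "Sep 17 16:01:05 mx sendmail[102]: QAA00102: from=<news@lists.example>, size=7300, relay=lists.example [203.0.113.5]",
    "Sep 17 16:02:00 mx sendmail[103]: QAA00103: from=<offer@cheap.example>, size=2048, relay=cheap.example [192.0.2.10]",
    "Sep 17 16:02:01 mx sendmail[104]: QAA00104: from=<offer@cheap.example>, size=2048, relay=cheap.example [192.0.2.10]",
    "Sep 17 16:02:02 mx sendmail[105]: QAA00105: from=<offer@cheap.example>, size=2048, relay=cheap.example [192.0.2.10]",
    "Sep 17 16:02:03 mx sendmail[106]: QAA00106: from=<offer@cheap.example>, size=2048, relay=cheap.example [192.0.2.10]",
    "Sep 17 16:02:40 mx sendmail[107]: QAA00107: from=<deal@bulkmail.example>, size=3000, relay=bulkmail.example [192.0.2.66]",
    "Sep 17 16:03:10 mx sendmail[108]: QAA00108: from=<win@34534.com>, size=900, relay=34534.com [198.51.100.7]",
    "Sep 17 16:03:30 mx sendmail[109]: QAA00109: from=<anne@corp.example>, size=1400, relay=corp.example [203.0.113.9]",
]


def parse_line(line):
    """Pull sender domain, message size and relay IP out of one log line."""
    m = FROM_RE.search(line)
    if m is None:
        return None
    addr = m.group("addr")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {"domain": domain, "size": int(m.group("size")), "ip": m.group("ip")}


def scan(lines):
    """Return {source_ip: reason} for sources that look like a spam run."""
    repeats = Counter()
    ips_for = defaultdict(set)
    verdict = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["domain"], rec["size"])
        repeats[key] += 1
        ips_for[key].add(rec["ip"])
        if rec["domain"] in KNOWN_SPAM_DOMAINS:
            verdict[rec["ip"]] = "known spam domain %s" % rec["domain"]
        elif NUMERIC_DOMAIN_RE.match(rec["domain"]):
            verdict[rec["ip"]] = "numeric domain %s" % rec["domain"]
    # Same domain delivering the same-sized message over and over.
    for (domain, size), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            for ip in ips_for[(domain, size)]:
                verdict.setdefault(ip, "%d messages of %d bytes from %s" % (n, size, domain))
    return verdict


def ipfwadm_cmd(action, ip):
    # Assumed ipfwadm syntax: input chain, deny TCP from ip to port 25;
    # '-a' appends the rule, '-d' deletes it again.
    return "ipfwadm -I %s deny -P tcp -S %s -D 0.0.0.0/0 25" % (action, ip)


class BlockTable:
    """Temporary blocks: an entry lapses BLOCK_FOR after it was added."""
    def __init__(self):
        self.until = {}

    def is_blocked(self, ip, now):
        return ip in self.until and self.until[ip] > now

    def expire(self, now):
        lapsed = [ip for ip, t in self.until.items() if t <= now]
        for ip in lapsed:
            del self.until[ip]
        return [ipfwadm_cmd("-d", ip) for ip in lapsed]

    def run_cycle(self, lines, now):
        """One pass: lift lapsed blocks, then block newly flagged sources.
        Returns the firewall commands this pass would issue."""
        cmds = self.expire(now)
        for ip in sorted(scan(lines)):
            if not self.is_blocked(ip, now):
                self.until[ip] = now + BLOCK_FOR
                cmds.append(ipfwadm_cmd("-a", ip))
        return cmds


if __name__ == "__main__":
    table = BlockTable()
    for cmd in table.run_cycle(SAMPLE_LOG, T0):
        print(cmd)
    for cmd in table.run_cycle([], T0 + BLOCK_FOR):
        print(cmd)
```

Note what the repeat rule keys on: sender domain and message size together. The two list messages from lists.example have different sizes and are never counted as a run, which is the property that lets busy mailing lists through while a bulk mailing of one identical message trips the threshold; a real deployment would tune REPEAT_THRESHOLD to its own traffic and would pass the returned commands to the firewall tool instead of printing them.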

At 17:16 17.09.97 +0100, Mario Valente wrote:
There are two distinct problems: one is your local users being hit by spam. I dont mean one or two or ten. I mean when someone gets a hold of your list of users (/etc/passwd or mailing lists or scanning Usenet) or (like we had in the past) have someone create a program to generate all the permutations of 8 letters and try do deliver mail to permutationN@esoterica.pt.
This is one of the worst, in my experience as abuse/postmaster. It's difficult to block mails to our own customers, since we don't really know whether it's a legal mail or not. The chance is not that big, but it's there. One of the nastiest things I've seen was someone using finger permutationN@site.no to find addresses to spam. It was not _one_ finger connection... The server wasn't happy with several hundred finger connections at the same time, and decided to take a vacation.
The other problem is your email server being used as a relay for spamming. Someone delivers mail on your server saying it is destined for somewhere else. Not only do you spend computation and bandwidth resources, but you also appear to be the origin of the spam, and thus get bothered a lot by other sysadms.
This last problem was quite simple to solve, since there are patches and configurations for sendmail to do relay for only a list of machines.
Only, it takes some time to make the necessary changes, especially when you're acting as secondary mail server for a lot of domains. :(
The next solution was to block packets coming from those addresses to port 25 of any machine on our network.
That's what we're doing now. Since our router can throw away packets faster than they can send them (usually), it solves most of the problem. Except, of course, new spam domains pop up every day. We did this to one of the larger American domains (come to think of it, we still do). In approximately 48 hours, we got the following figures:

connections to the mailserver that were accepted: 1 200 000
connections refused from that domain: 980 000
connections refused from other known spam domains: 100 000

I also opened up for their mailservers, but there were _no_ connections from those. Not one single try.
This has worked wonders. We still receive unsolicited email, but no more heavy duty spams.
I haven't seen much since we started blocking certain IP blocks in the USA. It was _not_ CyberPromo, since we've been blocking them for several months.

-- Med vennlig hilsen/Regards Ina Faye-Lund Telenor Nextel AS

The next solution was to block packets coming from those addresses to port 25 of any machine on our network.
That's what we're doing now. Since our router can throw away packets
This has worked wonders. We still receive unsolicited email, but no more heavy duty spams.
I haven't seen much since we started blocking certain IP-blocks in USA. It was _not_ CyberPromo, since we've been blocking them for several months.
Remember, what has worked wonders was not blocking IP addresses totally and 24 hours a day at the routers but blocking them intermittently at the mail machine.

C U!
-- Mario Valente

Ina, At 20:39 17-09-1997 +0200, Ina Faye-Lund wrote:
[...] We did this to one of the larger American domains (come to think of it, we still do). In approximately 48 hours, we got the following figures:
connections to the mailserver that were accepted: 1 200 000
connections refused from that domain: 980 000
connections refused from other known spam domains: 100 000
I also opened for their mailservers, but there were _no_ connections from those. Not one single try.
How do you know their "submitting/outgoing mail servers" list? Note that the DNS MX RR list points to their incoming mail servers. Some people have different pools of servers to process outgoing email. Could this be the reason why you don't get a single email from a "large American domain"? You might be blocking their "email-out" servers... Just a wild guess. kind regards,
---
pedro ramalho carlos   Pedro.Carlos@co.ip.pt
IP SA                  tel: +351-1-3166724
Av. Duque de Avila, 23 fax: +351-1-3166701
1000 LISBOA - PORTUGAL
PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2

At 22:37 18.09.97 +0100, Pedro Ramalho Carlos wrote:
How do you know their "submitting/outgoing mail servers" list? Note that the DNS MX RR list points to their incoming mail servers. Some people have different pools of servers to process outgoing email. Could this be the reason why you don't get a single email from a "large American domain"? You might be blocking their "email-out" servers... Just a wild guess.
Of course, I might. What happened was I wanted to shut out those who used our mailserver directly. I called PSI and asked them if they could tell me what IP addresses their mailservers had. I explained that I planned to shut out most of their addresses, but that I would let their mailservers through. She wouldn't tell me, so I would either have to accept the spam, or shut out all mailservers not registered. However, I do receive the standard replies when I complain about spam to abuse@psi.net, so they have at least one mailserver that we do accept mail from, and that they use to send mail out. What I said was that we didn't receive any mail from them in that specific 48 hours.

-- Med vennlig hilsen/Regards Ina Faye-Lund Telenor Nextel AS

The problem of spam is not just with the Internet community. COLT Telecommunications are receiving more and more complaints about random people being called by spamming fax machines; we also receive them, and I personally have been stuck without a phone because some PITA fax machine kept calling my phone. The problem needs technical and legislative solutions.

Regards, Neil.
-- Neil J. McRae - Alive and Kicking. C O L T I N T E R N E T neil@COLT.NET
Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer! http://www.NetBSD.ORG/

At 16:01 17.09.97 +0200, Poul-Henning Kamp wrote:
Have RIPE send a formal letter to AGIS and the IEMMC who houses most of these creep, and tell them that either they will cease to send spam to the following list of top level domains: {be, dk, ...} effectively today or the RIPE will orchestrate a pan-european filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members networks.
That sounds like a good idea. Hmm... What about rejecting in the router; access-lists? That's what we mostly use, and that would drop SMTP connections, and make the spammer wait for a timeout on every SMTP connection. Also, he won't get a "Connection Refused", so as far as he knows, he might just have a bad link, or a server might be down at the other end. The problem with fighting spam is that most things we do also affect legitimate users. And that would ruin the point of everybody standing together against spam. Also, blocking relaying is against the RFC. Perhaps someone should write a new one, that only deals with spam and how to prevent it, and what to prevent? Would this be a good task for this forum?

-- Med vennlig hilsen/Regards Ina Faye-Lund Telenor Nextel AS

In message <3.0.1.32.19970917202718.0190e980@online.no>, Ina Faye-Lund writes:
At 16:01 17.09.97 +0200, Poul-Henning Kamp wrote:
Have RIPE send a formal letter to AGIS and the IEMMC who houses most of these creep, and tell them that either they will cease to send spam to the following list of top level domains: {be, dk, ...} effectively today or the RIPE will orchestrate a pan-european filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members networks.
That sounds like a good idea. Hmm... What about rejecting in the router; access-lists? That's what we mostly use, and that would
Simply deny all routes that originate in AS4200 :-) -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop."

Ina Faye-Lund <ifl@online.no> wrote:
Also, blocking for relaying is against the RFC. Perhaps someone should write a new one, that only deals with spam and how to prevent it, and what to prevent? Would this be a good task for this forum?
Work is going on in this area in the IETF "Responsible Use of the Network (run)" <ietf-run@mailbag.intel.com> and "Detailed Revision/Update of Message Standards (drums)" <drums@cs.utk.edu> working groups. See, for example:

| Internet-Draft                                        Intel Corp.
| draft-ietf-run-spew-01.txt                           Albert Lunde
| Expires September, 1997                     Northwestern University
|
|
|                            DON'T SPEW
|            A Set of Guidelines for Mass Unsolicited
|                   Mailings and Postings (Spam*)
|
|
| Abstract
|
| This document provides explains why mass unsolicited electronic mail
| messages are not useful in the Internetworking community. It gives a
| set of guidelines for dealing with unsolicited mail for users, for
| system administrators, news administrators, and mailing list
| managers. It also makes suggestions Internet Service Providers might
| follow.

and

| INTERNET-DRAFT                             John C. Klensin, Editor
| Expires in six months                      Dawn P. Mann, Co-Editor
|                                                     July 30, 1997
|
|
|                   Simple Mail Transfer Protocol
|
|                   draft-ietf-drums-smtpupd-06.txt
| [...]
| 0. Abstract
|
| This document is a self-contained specification of the basic protocol
| for the Internet electronic mail transport, consolidating and
| updating
|
|   * the original SMTP specification of RFC 821 [RFC-821],
|   * Domain name system requirements and implications for mail
|     transport from RFC 1035 [RFC-DNS] and RFC 974 [RFC974],
|   * the clarifications and applicability statements in
|     RFC 1123 [RFC-1123], and
|   * material drawn from the SMTP Extension mechanisms [SMTPEXT].
|
| It replaces RFC 821, RFC 974, and the mail transport materials of RFC
| 1123. However, RFC 821 specifies some features that are not in
| significant use in the Internet of the mid-1990s and (in appendices)
| some additional transport models. Those sections are omitted here in
| the interest of clarity and brevity; readers needing them should
| refer to RFC 821.
|
| It also includes some additional material from RFC 1123 that required
| amplification. This material has been identified in multiple ways,
| mostly by tracking flaming on the header-people list [HEADER-PEOPLE]
| and problems of unusual readings or interpretations that have turned
| up as the SMTP extensions have been deployed. Where this
| specification moves beyond consolidation and actually differs from
| earlier documents, it supersedes them technically as well as
| textually.

The full text of these documents is available from your local internet-draft archive (e.g. ftp://ftp.ripe.net/internet-drafts/).

James
--
James Aldridge, Senior Network Engineer, EUnet Communications Services BV
Singel 540, 1017 AZ Amsterdam, NL
Tel: +31 20 530 5327; Fax: +31 20 622 4657
24hr emergency number: +31 20 421 0865

At 17:38 16.09.97 -0000, Luis Miguel Sequeira wrote:
job. They are a strong force which will easily overthrow any basic measures taken against spamming - like simply filtering up domains, or blocking traffic from relaying machines.
Would think that a "nospam" in the address would tell them that we're not interested, but... :(
Secondly, they are vindictive and protect their own jobs. This means that if an ISP tries to agressively implement anti-spamming mechanisms, they will fight back! And how they do this? For instance, they send out forged emails with these ISP's addresses. What happens? Entities receiving the forged emails will complain to the ISP in question. The ISP replies telling that the emails are forged, trying to make them understand that this is the "spammer's revenge". Most of these entities either don't care or don't believe, so they just shut the ISP off their firewall (especially if on the next day they get a new lot of unsolicited email apparently coming from the same forged addresses...).
Well, I usually get positive replies when I answer that it's a forged header. Now, abuse@online.no always replies manually to every mail we get, and that might help, of course. Also, I always point out how to read the header, and where they got it wrong. That too seems to help.
This forces the ISP to open up themselves to spamming from this particular company, hoping that they won't forge spamming attempts in the future...
It depends on the ISP. In those cases where people shut our domain out, I've contacted the sys-admin at the remote site, and so far, we've been able to figure out a solution.
Do you think that there is some interest in maintaining a mailing list for all postmasters from the LRs for the sole purpose of discussing anti-spam techniques and listing spamming domains and relay machines?
I at least would be interested. It would be far less public, and thus far less exposed to harassment, than news.admin.net-abuse.* Those who post regularly there will discover that spammers pick up their address and subscribe them to lots of spamming lists, or just mailbomb them.
There is also an issue of local laws. Filtering out spam *could* be illegal in some countries (it violates freedom of speech).
I thought that "freedom of speech" only gave you the right to say what you wanted without fearing punishment from the government, but not where you want. Now, I don't know the laws in all countries. Does anybody know of any country with such laws?
Portuguese law. There is a case of mail bombing (a particular kind of spamming...) brought to court - it will take ages to be ruled and probably the offender will get away with some community work :) but it will be judged in court. Of course, in other countries, freedom of speech may be more important than using others' telecommunications resources. I wonder if local laws will actually work *against* a RIPE-based global effort across Europe.
For a while, it might. But I think a change in local law will come in most countries, when the authorities understand the problem with this.
A better way to deal with this is simply to ignore the message, and make sure that all your users ignore the spam, too. In the long run, this means a lower "success rate" for a particular domain/spamming technique, so the spamming companies will probably try somewhere else.
I don't agree. There will always be new spammers, and I don't think ignoring the spam will make it go away. But since most of the spam comes from the USA, one effective way is to say that you regard this as a "Denial of Service" attack. US law is pretty strict on this.
--
Regards, Ina Faye-Lund
Abuse, Telenor Nextel AS
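The header reading Ina refers to above ("how to read the header, and where they got it wrong") is worth showing concretely. The following is an added example, not code from anyone in this thread: it walks the Received: chain of a message from the newest hop down, trusting only the lines stamped by our own MTAs, and reports the hop at which the message actually entered our network. The From: line is what the complainant looked at; the injecting host's IP and reverse DNS, recorded by our own server, are what to answer with. The message, hostnames, addresses and the TRUSTED_HOSTS set are all constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample message (assumption, not from the original thread).
# The From: line claims an online.no sender, but the Received: chain shows
# the message entered our network from a dial-up host somewhere else.
SAMPLE_MESSAGE = b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Tue, 16 Sep 1997 17:38:00 +0000
Received: from mail.online.no (dialup-45.isp.example [203.0.113.45])
\tby mx1.example.net with SMTP id xyz789; Tue, 16 Sep 1997 17:37:50 +0000
From: someone@online.no
To: victim@example.net
Subject: MAKE MONEY FAST

body
"""

# Hosts we operate, whose Received: stamps we trust (assumed for the example).
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def parse_received(value):
    """Split one Received: header into HELO name, reverse-DNS name, IP and
    receiving host. Returns None for a line that does not follow the form."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip_m = IP_RE.search(comment)
    rdns = comment.split()[0] if comment and not comment.startswith("[") else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip_m.group(1) if ip_m else None, "by": m.group("by")}


def injection_point(msg, trusted=TRUSTED_HOSTS):
    """Walk Received: headers newest (top) to oldest and return the first hop
    where one of our hosts accepted the message from a host that is not ours.
    Every header below that hop was supplied by the sender and may be forged.
    The HELO name is attacker-controlled, so the reverse-DNS name our MTA
    recorded is used for the trust decision, falling back to HELO if absent."""
    for raw in msg.get_all("Received", []):
        hop = parse_received(str(raw))
        if hop is None:
            continue
        origin = (hop["rdns"] or hop["helo"]).lower()
        if hop["by"].lower() in trusted and origin not in trusted:
            return hop
    return None


def claimed_sender_domain(msg):
    """Domain the From: line claims; this is what complainants usually read."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def origin_matches_claim(msg, trusted=TRUSTED_HOSTS):
    """Heuristic: does the injecting host's reverse-DNS name belong to the
    domain claimed in From:? False means the claimed origin is not supported
    by our own logs, i.e. the address is most likely forged."""
    hop = injection_point(msg, trusted)
    domain = claimed_sender_domain(msg)
    if hop is None or domain is None or hop["rdns"] is None:
        return False
    r = hop["rdns"].lower()
    return r == domain or r.endswith("." + domain)


def analyse(raw):
    """Summarise where a raw message really came from versus what it claims."""
    msg = message_from_bytes(raw)
    return {"claimed": claimed_sender_domain(msg),
            "hop": injection_point(msg),
            "consistent": origin_matches_claim(msg)}


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    hop = result["hop"]
    print("From: claims", result["claimed"])
    print("injected by", hop["ip"], "(" + str(hop["rdns"]) + ") claiming HELO", hop["helo"])
    print("origin consistent with From:", result["consistent"])
```

The reply to a complainant is then the IP and reverse name of the injecting hop (here the dial-up host), not the From: line. Note that only Received: lines added by your own machines are evidence; anything below the injection point can be fabricated along with the From: address.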

There is also an issue of local laws. Filtering out spam *could* be illegal on some countries (it violates freedom of speech).
I though that "freedom of speech" only gave you the right to say what you wanted without fearing punishment from the government, but not where you want. Now, I don't know the laws in all countries. Does anybody know of any country with such laws?
No, there is no way in hell it can ever be illegal to filter out commercial messages sent without paying for the service. All you have to do is to put in your business rules that you take payment of USD1 for delivering advertising material via email. Check with your local lawyer.
--
Poul-Henning Kamp, FreeBSD coreteam member, phk@FreeBSD.ORG
"Real hackers run -current on their laptop."

The Internet needs unforgeable addresses, IP and "caller ID" equivalent.
Nii
Luis Miguel Sequeira wrote:
Hello,
I normally just lurk around this mailing list, but I think I'll contribute my two cents this time...
Spamming is a serious problem. Here at Esoterica where I am, unsolicited email was about one half of total email traffic - which is quite a lot. Thus, our postmaster has dedicated all his available time to implement anti-spamming measures.
What he found out is this:
Firstly, far from being "mindless robots", the companies in the spamming business are cold-hearted professionals. They have teams of professional programmers spending all their time just to develop new and more effective ways of illegally sending out unsolicited email - using several clever relaying mechanisms. They work full-time on the job. They are a strong force which will easily overthrow any basic measures taken against spamming - like simply filtering up domains, or blocking traffic from relaying machines.
Secondly, they are vindictive and protect their own jobs. This means that if an ISP tries to aggressively implement anti-spamming mechanisms, they will fight back! And how do they do this? For instance, they send out forged emails with these ISPs' addresses. What happens? Entities receiving the forged emails will complain to the ISP in question. The ISP replies telling them that the emails are forged, trying to make them understand that this is the "spammer's revenge". Most of these entities either don't care or don't believe it, so they just shut the ISP off at their firewall (especially if on the next day they get a new lot of unsolicited email apparently coming from the same forged addresses...). This forces the ISP to open themselves up to spamming from this particular company, hoping that they won't forge spamming attempts in the future...
As you see, they're quite clever. Their businesses and jobs depend on their cleverness.
How can ISPs successfully "fight back"? First, and foremost, they need to assume that the "threat" is serious. Secondly, allocate resources to the job - this means a *lot* of time. But thirdly, and I think that's the major issue here, by sticking together. While a single postmaster probably won't be able to do much work single-handedly, having a group to coordinate the work is helpful. Some free time taken from a group of postmasters quickly adds up to a "task force" of some magnitude...
Basically, what our postmaster found out is that denying access is not a good measure - spamming companies will try every trick of the trade to get through or else they will try to hurt the blocking ISP in some way. UUNet, for instance, has publicly announced their "zero tolerance" towards spammers - it's no wonder that perhaps half of the spammers use now forged emails (and dial-up accounts) coming from UUNet to spam the net. Their hope is getting enough ISPs blocking UUNet's traffic so that UUNet is "forced" to "open" their machines to spamming again... (in our case, as a transit customer of UUNet I obviously can't block traffic through them :-) )
Better is just to make their action difficult. Remember that their jobs depend on getting as many messages through as possible (using third-party relayers). If a sendmail configuration just lets a few messages through, or selectively blocks some domain for a while, this means that this machine will only deliver a few messages - when spammers rely on tens of thousands being delivered. This is uninteresting to them. They will thus use other machines as relays. Of course, this also means that your own users will see a delay in the sending of their own, legitimate messages. It's a tradeoff.
By using a combination of these tricks one can try to keep the spammers away for a while - until they develop a new creative method for spamming again. We have seen all sorts of very clever and ingenious methods to get through. Who knows what else they will invent next?
By keeping a mailing list with several postmasters' contacts it's possible not only to exchange domains from where the spammers usually attack, but also anti-spamming techniques and tricks. There are some steps being taken on a national basis here in Portugal (from where I'm writing :-) ) but, as shown by the traffic generated on this list on this topic of spamming, I'm going to make the suggestion again, at this level...
Do you think that there is some interest in maintaining a mailing list for all postmasters from the LRs for the sole purpose of discussing anti-spam techniques and listing spamming domains and relay machines?
Would RIPE be interested in "sponsoring" this mailing list?
BTW, searching through RIPE's Web site, the only mention of spam is in RIPE-162, chapter C2.1. This basically states the commitment of RIPE to maintain the mailing lists spam-free. I wonder if there is already a "task force" in place for anti-spamming measures. We're aware of some efforts on an international basis - mostly some Web sites with interesting information and data on anti-spamming measures, with associated mailing lists - but to my personal knowledge, there is no such coordinated effort at RIPE (so far :-) ).
There is also an issue of local laws. Filtering out spam *could* be illegal in some countries (it violates freedom of speech). In Portugal, spamming is actually illegal - it's "unsolicited email", and this is an abuse of a third party's infrastructure, i.e. using computational (and telecommunications) resources that you aren't allowed to. This makes it a crime according to Portuguese law. There is a case of mail bombing (a particular kind of spamming...) brought to court - it will take ages to be ruled and probably the offender will get away with some community work :) but it will be judged in court. Of course, in other countries, freedom of speech may be more important than using others' telecommunications resources. I wonder if local laws will actually work *against* a RIPE-based global effort across Europe.
On 12-Sep-97 "Scott A. Marlin" wrote:
Which basically means that any customer is free to spam. The ISP is there to take the rap and clean up afterward. I think for such matters, the "spammer" should be held responsible ... like being charged a flat or hourly rate for the cleanup job.
This is the case around here. Of course, catching the spammer and actually condemning him/her in court in order to charge him/her that rate is another story, especially if we're talking about an international incident.
Better to prevent him/her to spam on the first place.
Incidently, in the cited case, I sent a mail to an address mentioned in the ad asking them to stop sending the ads. What I got back was another mail from another source (obviously from a blind mail-robot) with *lots* of info about their services.
At the bottom of the e-mail was an URL address for those who wished to stop the ads from being sent. Waaaay down at the bottom of this web site plugged full of promotional information was the opportunity to "register" my name in the database of those who didn't want to receive any more spam (the name of the link was a baby crying "mommy ... they thpammed me again".) Really !
One of the major issues about spamming customers is knowing how many people were actually reached by a spamming effort. Spamming companies have found out that these two tricks - "send email here to be deleted from our database" and "click here to remove yourself from our database online" - are the best to know if you're reaching people. Also, many postmasters will contact the spamming company in order to complain. Based on all this feedback, spamming companies can determine a "success rate" for their spamming efforts. This keeps their own customers happy...
A better way to deal with this is simply ignore the message, and make sure that all your users ignore the spam, too. In the long end, this means a lower "success rate" for a particular domain/spamming technique, so the spamming companies will probably try somewhere else.
The entire operation took about 30 minutes. I haven't heard from them since. But I have received at least 10 unsolicited e-mails since then.
My bet is, they will try again and again and again. The problem is, each time your address is found on a Usenet post, on a subscription web site or on a mailing list, there is a high probability of someone "selling" your email address to a spamming company. For instance, I'm receiving spam to addresses that have been disconnected 2 and 3 years ago... DejaNews and other public sites with lots and lots of addresses are a perfect place to get all those addresses for the spamming lists...
- Luis Sequeira
Esoterica - Novas Tecnologias de Informacao, SA :-) Luis Miguel Sequeira, lms@esoterica.pt, http://www.esoterica.pt/

The Internet needs unforgeable addresses, IP and "caller ID" equivalent.
This is a good point, but unfortunately, we're still stuck with IPv4, which is completely forgeable. If you've got even one rogue BGP site, they can inject anything they feel like into the internet routing tables and do all sorts of horrible things. I'm almost surprised that spammers haven't cottoned on to this yet -- they could inject some temporary routes into the internet, use hosts on these address ranges to bounce their spam off a 3rd-party relay site and then withdraw the announcements. This would be almost totally untraceable and would circumvent routing black holes completely -- for those who are using routing black holes to try to control spamming. DNS for these addresses could be set up with an extremely short TTL, if necessary.
Nick

On 17-Sep-97 Nick Hilliard wrote:
I'm almost surprised that spammers haven't cottoned on to this yet -- they could inject some temporary routes into the internet, use hosts on these address ranges to bounce their spam off a 3rd-party relay site and then withdraw the announcements. This would be almost totally untraceable and would circumvent routing black holes completely -- for those who are using routing black holes to try to control spamming.
DNS for these addresses could be set up with an extremely short TTL, if necessary.
Scary thoughts, Nick. :-( The only thing they do so far is to register as many domain names with random characters at the InterNIC as possible, and spam from these domains (you can get a reply for those domains to test out how well your "spamming success rate" went). As you know, the InterNIC takes some time to set up a domain name, then some time more to bill you, and some weeks until they decide that the customer is not going to pay and unregister the domain. But in the meanwhile the spamming companies have a "window" of about one month to six weeks during which they have a "valid" temporary domain to spam from and use as feedback. The best thing being that after a few weeks the domain name disappears anyway and you can't fight back/protest/whatever. Your trick manipulating router tables at the backbone is too scary to contemplate. I fail to understand from where these guys get Internet connectivity. It would violate almost any AUP I know of...
- Luis
Esoterica - Novas Tecnologias de Informacao, SA :-) Luis Miguel Sequeira, lms@esoterica.pt, http://www.esoterica.pt/

Nick, At 16:53 17-09-1997 +0100, Nick Hilliard wrote:
The Internet needs unforgeable addresses, IP and "caller ID" equivalent.
This is a good point, but unfortunately, we're still stuck with IPv4, which is completely forgeable. If you've got even one rogue BGP site, they can inject anything they feel like into the internet routing tables and do all sorts of horrible things.
I'm almost surprised that spammers haven't cottoned on to this yet -- they could inject some temporary routes into the internet, use hosts on these address ranges to bounce their spam off a 3rd-party relay site and then withdraw the announcements. This would be almost totally untraceable and would circumvent routing black holes completely -- for those who are using routing black holes to try to control spamming.
To do this they would have to BGP peer with somebody that does NOT filter prefixes from a customer connection (and that is a Bad Thing (tm)). Unless the spammer is an NSP itself. Ok, there are ways around this but I wouldn't even think of them, much less discuss them on a list :-)
kind regards,
--- pedro ramalho carlos
Pedro.Carlos@co.ip.pt, IP SA, Av. Duque de Avila, 23, 1000 LISBOA - PORTUGAL
tel: +351-1-3166724; fax: +351-1-3166701
PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2

One thing we should keep in mind when implementing anti-spam solutions is to not try to solve the problem like was done with news. Since people started rejecting massive cross-postings, the spammers just sent a new article to each of the groups. Most of the spam is binary pictures trying to attract people to their site, so the amount of news traffic skyrocketed with dozens of copies of the same stuff. Score: spammers 1 isps 0
I don't have a solution, but a wise man once said "don't try to squeeze water in your hands without freezing it first."
--
Mickey Coggins, Technical Support Group, Internet Prolink SA - "Get connected today!"
ICC - CP 1863, CH-1215 Geneva 15; Tel: +41-22-788-8555; Fax: +41-22-788-8560; Data: +41-22-788-8585; Mobile: +41-79-210-3762; http://www.iprolink.ch/ (AG/BE/BS/GE/GR/SG/VD/ZH)
55 Rue Auguste Piccard, Technoparc Gessien, F-01630 St. Genis Pouilly, France; Tel: +33-450-42-0223; Fax: +33-450-42-0286; http://www.iprolink.fr/

At 10:20 19-09-1997 +0200, Mickey Coggins wrote:
One thing we should keep in mind when implementing anti-spam solutions is to not try to solve the problem like was done with news.
Since people started rejecting massive cross-postings, the spammers just sent a new article to each of the groups. Most of the spam is binary pictures trying to attract people to their site, so the amount of news traffic skyrocketed with dozens of copies of the same stuff. Score: spammers 1 isps 0
Well, in this case and in what concerns Esoterica, it's spammers 0 - ISP -1. We have a filter on incoming articles that not only detects ECP (Excessive Crossposting) but also detects EMP (Excessive Multi-Posting). By maintaining a list of the last 5000 or 6000 articles, we can check using the Subject, Lines and From headers if there's a repetition of the same article being sent to several newsgroups; if there is, we refuse the article. Since we're a node of Usenet II, this is indeed mandatory for the net.* hierarchy. This filter is refusing something like 50000 articles per day. (Does it show that I, as postmaster/newsmaster of Esoterica, have a thing with spammers? I guess it does :-)
C U!
-- Mario Valente
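The EMP/ECP filter Mario describes above (a window of the last few thousand articles, fingerprinted on Subject, Lines and From, refused once the same article turns up in too many groups) is simple enough to show in full. The code below is an added example, not Esoterica's filter or anyone's posted code: the window size and the two thresholds are assumptions chosen for illustration, and the sample articles are constructed. It also shows why the fingerprint deliberately ignores Message-ID: each copy of a multi-posted article gets a fresh ID, so keying on the ID would see nothing.

```python
from collections import deque
from email import message_from_string

# Illustrative settings (assumptions, not the actual Esoterica configuration).
WINDOW = 5000        # remember the last N distinct articles, as in the filter above
MAX_COPIES = 3       # EMP: refuse once the same article has hit more groups than this
MAX_CROSSPOST = 5    # ECP: refuse a single article crossposted to more groups than this


class SpamFilter:
    def __init__(self, window=WINDOW, max_copies=MAX_COPIES, max_crosspost=MAX_CROSSPOST):
        self.window = window
        self.max_copies = max_copies
        self.max_crosspost = max_crosspost
        self.order = deque()   # fingerprints in arrival order, for eviction
        self.seen = {}         # fingerprint -> set of newsgroups it reached

    @staticmethod
    def fingerprint(article):
        """Subject, Lines and From identify a repeated article even though each
        copy carries a different Message-ID."""
        return (
            " ".join(article.get("Subject", "").split()).lower(),
            article.get("Lines", "").strip(),
            article.get("From", "").strip().lower(),
        )

    @staticmethod
    def newsgroups(article):
        return {g.strip() for g in article.get("Newsgroups", "").split(",") if g.strip()}

    def _remember(self, fp):
        """Return the group set for fp, creating it and evicting the oldest
        fingerprint when the window is full."""
        if fp not in self.seen:
            self.seen[fp] = set()
            self.order.append(fp)
            if len(self.order) > self.window:
                self.seen.pop(self.order.popleft(), None)
        return self.seen[fp]

    def check(self, article):
        """Decide on one incoming article. Returns (accept, reason)."""
        groups = self.newsgroups(article)
        if len(groups) > self.max_crosspost:
            return False, "ECP"            # one article, too many groups
        reached = self._remember(self.fingerprint(article))
        reached |= groups                  # accumulate groups across copies
        if len(reached) > self.max_copies:
            return False, "EMP"            # same article, one group at a time
        return True, "ok"


def make_article(sender, subject, lines, groups, msgid):
    """Build a minimal Usenet article (constructed sample input)."""
    raw = (f"From: {sender}\nSubject: {subject}\nLines: {lines}\n"
           f"Newsgroups: {','.join(groups)}\nMessage-ID: <{msgid}>\n\nbody\n")
    return message_from_string(raw)


def run_sample():
    """Feed a multi-posted ad, a legitimate post and a crosspost through the
    filter and return the decision for each, in order."""
    flt = SpamFilter()
    decisions = []
    # Same ad, fresh Message-ID each time, one group per post (the EMP pattern)
    for n, g in enumerate(["alt.a", "alt.b", "alt.c", "alt.d", "alt.e", "alt.f"]):
        art = make_article("ads@spam.example", "HOT PICS!!! visit our site", 120, [g], f"{n}@spam.example")
        decisions.append(flt.check(art)[1])
    # An ordinary single post from somebody else
    decisions.append(flt.check(make_article("user@example.net", "Re: sendmail relay config", 32,
                                            ["comp.mail.sendmail"], "1@example.net"))[1])
    # One article crossposted to seven groups (the ECP pattern)
    decisions.append(flt.check(make_article("ads@spam.example", "MAKE MONEY FAST", 80,
                                            [f"alt.x{i}" for i in range(7)], "99@spam.example"))[1])
    return decisions


if __name__ == "__main__":
    print(run_sample())
```

The first three copies of the ad pass, every further copy is refused as EMP, the ordinary post passes, and the seven-way crosspost is refused as ECP. The bounded window keeps memory flat on a full feed; the trade-off is that a spammer who spaces copies more than WINDOW articles apart is forgotten, which is why the window has to be a few thousand articles rather than a few dozen.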
participants (12)
- Dr. Nii Narku Quaynor
- Ina Faye-Lund
- James Aldridge
- Jorgen Ericsson
- Luis Miguel Sequeira
- Mario Valente
- Mickey Coggins
- Neil J. McRae
- Nick Hilliard
- Pedro Ramalho Carlos
- Poul-Henning Kamp
- Tony Barber