
Walling off Asian E-mail to Prevent Spam 665

SomeoneYouDontKnow writes: "Seems there's been lots of spam news lately. This piece from Wired describes how frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world. As anyone who's ever reported spam to Asian ISPs can attest, getting a response of any kind is almost impossible, so some ISPs are simply giving up on receiving any mail from them. Setting up barriers like this is regrettable, but when the originating ISPs refuse to take responsibility for the actions of their users or close their open mail servers, there would seem to be no other choice. Has anyone ever had any kind of constructive conversation with one of these ISPs to see why they are unable or unwilling to do anything?"
  • by MicroBerto ( 91055 ) on Wednesday February 20, 2002 @09:57AM (#3037435)
    As the Ex-AbuseDesk admin at a local ISP, I must say that I wanted to do that VERY badly, but wasn't allowed to. There's simply no way to get a response from them. I have absolutely no qualms about cutting communication off from them. It's just so frustrating for EVERYONE.

    On the other end, if many of those domains are in the Orbz [orbz.org] or other blacklists, maybe just using those would be better.

  • Filtering email (Score:5, Interesting)

    by johnburton ( 21870 ) <johnb@jbmail.com> on Wednesday February 20, 2002 @10:01AM (#3037458) Homepage
    Well blocking whole areas is a start, but not an ideal solution. I'm going to start filtering my email so that unless it meets one of the following conditions it gets rejected and sent back to the sender:

    1. The mail claims to be From someone I have pre-approved.

    2. It's from a mailing list I've registered with.

    3. It's sent To: a special purpose address within a couple of days of creating that address. (So I can post to newsgroups with addresses like jb10202 which will be valid for a couple of days for replies only)

    4. The email contains a special approval code to bypass the checking.

    The purpose of 4) is that when I get an email that is rejected it will send it back to the sender with an apology and a 4 digit random code which is valid only for a single mail from that address and only for 48 hours. They can simply forward the mail back to me and it will contain the code and get through.

    I get *so* much spam, and 99% of my real email is from the same few addresses that I need to block the junk, and I think this scheme will annoy relatively few people, and not too much but should cut ALL the spam. I've not implemented this yet, but it shouldn't be too hard to write.
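
The four acceptance rules in the comment above, as an added Python sketch that is not part of the original post or any code by its author. The class and method names, the sample addresses, and reading "a couple of days" as two days are assumptions made for illustration.

```python
import hmac
import re
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(hours=48)     # code lifetime stated in the post
TEMP_ADDR_TTL = timedelta(days=2)  # "a couple of days": assumed to mean 2


class MailGate:
    """Hypothetical filter applying the post's four conditions in order."""

    def __init__(self, approved_senders, list_ids):
        self.approved = {a.lower() for a in approved_senders}
        self.list_ids = {i.lower() for i in list_ids}
        self.temp_addrs = {}  # special-purpose address -> creation time
        self.pending = {}     # rejected sender -> (code, time issued)

    def create_temp_address(self, addr, now):
        self.temp_addrs[addr.lower()] = now

    def _code_ok(self, sender, body, now):
        issued = self.pending.get(sender)
        if issued is None:
            return False
        code, when = issued
        if now - when > CODE_TTL:
            del self.pending[sender]  # expired codes are forgotten
            return False
        # Only standalone 4-digit tokens count, compared in constant time.
        tokens = re.findall(r"(?<![0-9])[0-9]{4}(?![0-9])", body)
        if any(hmac.compare_digest(t, code) for t in tokens):
            del self.pending[sender]  # valid for a single mail only
            return True
        return False

    def check(self, sender, rcpt, list_id, body, now):
        """Return ("accept", rule) or ("reject", code_for_the_bounce)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        if sender in self.approved:                        # condition 1
            return ("accept", "approved-sender")
        if list_id and list_id.lower() in self.list_ids:   # condition 2
            return ("accept", "mailing-list")
        created = self.temp_addrs.get(rcpt)                # condition 3
        if created is not None and now - created <= TEMP_ADDR_TTL:
            return ("accept", "temp-address")
        if self._code_ok(sender, body, now):               # condition 4
            return ("accept", "approval-code")
        # Otherwise bounce with a fresh code tied to this sender address.
        code = f"{secrets.randbelow(10000):04d}"
        self.pending[sender] = (code, now)
        return ("reject", code)


def demo():
    """Run constructed messages through the gate and return the verdicts."""
    t0 = datetime(2002, 2, 20, 10, 0)
    me, stranger = "me@example.com", "stranger@example.net"
    gate = MailGate(["friend@example.org"], ["announce.example.net"])
    first, code = gate.check(stranger, me, None, "hello", t0)
    resend = gate.check(stranger, me, None, f"code {code}\nhello",
                        t0 + timedelta(hours=1))
    replay = gate.check(stranger, me, None, f"code {code}\nagain",
                        t0 + timedelta(hours=2))
    return first, resend, replay[0]


if __name__ == "__main__":
    print(demo())
```
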
  • by Amarok.Org ( 514102 ) on Wednesday February 20, 2002 @10:02AM (#3037462)
    I run a small mail server, mostly providing mailing lists to the automotive community. While my lists weren't affected (I have reasonable anti-spam rules in place), a server in Taiwan was spamming every address it could find in my domain with dozens of unique spam per day.

    The usual ip tracing ensued and I tracked it back to a small ISP. Hoping that I would reach someone who spoke (or wrote) English, I sent a copy of my logs and an explanation to "postmaster@", "abuse@", "webmaster@", and any other address I could think of. Amazingly enough, after about 12 hours, I received a reply (in somewhat broken English) asking for more logs, and a confirmation of the time zone I was using in my logs (UTC, for what it's worth). After I replied, I received an apology that one of their "clients" had bothered me and assured me it would be taken care of.

    To this date, I have not received another piece of spam that I have attributed to that ISP. I realize that this is the exception and not the rule, but I thought it was worth noting that there really are reasonable sysadmins "over there".

  • by biomech ( 44405 ) on Wednesday February 20, 2002 @10:03AM (#3037466)
    The first parallel that came to mind was the "death sentence" proposed against UUNet a few years ago for their fostering spamming activity.

    The action represented the response of a group of responsible internet members that had finally tired of both the activity and the lack of response from a greedy company who seemed to have no respect for bandwidth and privacy issues.

    It seemed to work then and maybe it's just what's needed now.

    It's about time that some of these ISP's discover what happens when the fecal matter hits the oscillator.

  • Never get a response (Score:1, Interesting)

    by kill-hup ( 120930 ) on Wednesday February 20, 2002 @10:03AM (#3037467) Homepage
    From spam floods to network attacks, I have never gotten a response in 5 years. To be fair, I don't always get responses from everybody, but at least other areas of the world have a better track record.

    I have resorted to blocking the offending network or ISP temporarily (until they get tired of getting no response from my networks and move on), but I really can't see blocking an entire segment of the world just to stop spam. It just goes against the grain of an "open" 'Net. I'd rather try something like SpamAssassin (no affiliation - I've just used it and it works great) than block nations for the actions of albeit many bad apples.

  • Constructive dialogs (Score:5, Interesting)

    by buss_error ( 142273 ) on Wednesday February 20, 2002 @10:05AM (#3037482) Homepage Journal
    I turned in a complaint to hinet.cn, I think it was, about a system with Code Red banging away at one of my web servers. I included a snip of the web server log, along with a note that my servers are NTP sync'ed.

    The response was "without full e-mail headers, we can't do anything."

    Hmmm. It's not e-mail.
    I am discussing with my employer the option of blocking all 202/8 203/8 210/8 211/8, all of Road Runner but the MX'es, *.cn, *.tw, *.ru, *.pl, and *.mx domains too. I don't know the ip range assigned to the domains, so if you do, post a follow up! (I have Road Runner netblocks, there are just too many to put them here.)

  • by Zathrus ( 232140 ) on Wednesday February 20, 2002 @10:07AM (#3037486) Homepage
    No it's not a huge setback. Eventually the various Asian admins that are causing this will get the clue and fix their mail systems.

    I get roughly 100 messages or so of SPAM a day on my Hotmail account -- I can't give an accurate number because I keep blocking entire domains (some jackhole, and I think I know who, decided to add me to various coupon and ad sites, which becomes a deluge as they share mailing lists). Of the 150 or so blocked domains, about 10% of them are Asian (surf to xyzzy.net and note that entire webpage is in a font I don't have installed).

    Make a law? Sure. In which country? Or do you mean you want to outlaw SPAM in the US, and then somehow think you're going to be able to prosecute a company located entirely in North Korea under US Law? Things just aren't that easy. I'd like to see a reasonable way to legislate SPAM to be illegal, even if it only did affect the US, but I'm yet to see anything that has teeth AND makes logical sense.
  • by ellem ( 147712 ) <{moc.liamg} {ta} {25melle}> on Wednesday February 20, 2002 @10:09AM (#3037506) Homepage Journal
    in fact for a few months I blocked:

    Hotmail
    Yahoo
    MSN
    USA.net

    When those folks learn how to close their relays and strip a virus then we can deal with the Asians....
  • I like this quote: (Score:5, Interesting)

    by mESSDan ( 302670 ) on Wednesday February 20, 2002 @10:11AM (#3037513) Homepage
    While some spam being transmitted by Asian servers appears to be sent by the locals, Western spammers are exploiting Asian mail servers and using them to relay mail. Many Asian systems often run old software or software that hasn't been configured securely or patched properly, experts say.
    Well, if people can exploit the problem and get a response from the sysadmins saying "I can't do anything about it", maybe instead of us blocking their servers (quite easy to do), someone should put on a blackhat and go patch some of those holes. (This came up and was heavily discussed during the Code Red and Nimda attacks.)

    I dunno, but I think a moral hacker would find it quite rewarding to screw up a spam creator's cash cow.

  • by wakebrdr ( 13565 ) on Wednesday February 20, 2002 @10:12AM (#3037524)
    What about getting laws that say that unsolicited mail is illegal?

    How much time do you expect a Chinese bureaucrat to spend prosecuting a fellow countryman because he made 1000 foreigners delete a bothersome message?

    I hate spam, but the last thing I want is a bureaucratic solution. The free market will find a way grasshopper....

  • my ISP just did this (Score:5, Interesting)

    by option8 ( 16509 ) on Wednesday February 20, 2002 @10:21AM (#3037570) Homepage
    the place where i colo is just now doing this after tracing the bulk of the spam coming into their own network from chinese ISPs and most especially china.com

    rather than refusing email from the offending ISPs, they are going to the rather extreme measure of refusing connections entirely (at the router, i guess, though i'm not certain how the network is set up...) from the entire IP ranges of a number of the offenders.

    so, now all my domains (and all those colo'd at my ISP) will basically be inaccessible to anyone in china. big deal. all the traffic i get from china is either spam or nimda requests. woo friggin hoo.

    it has yet to go into effect, but i expect it will make a big difference in my monthly bills, as i pay for bandwidth, even if it's spam sent to people on my mail server.

    as some folks are bound to say, it's more than a bit presumptuous to basically say "play by my rules or get off the field" where "my rules" are typically those of the mostly american, english speaking internet population, but in this case it's more a case of "play nice or go home"

  • by toupsie ( 88295 ) on Wednesday February 20, 2002 @10:24AM (#3037586) Homepage
    I was surprised when I read this article on Wired yesterday. I thought I was the only one doing this. About two years ago, I cut off all of China from my mailserver at work -- we don't do business there. We were being flooded by SPAM on Chinese open relay servers. It got to the point where some users were getting more SPAM than legit mail. Once China was cut-off, the SPAM dropped off to a trickle. Then Korea became the next SPAM hot spot for us and I cut them off as well. Granted, some of the SPAM is from "white folk" that are using these open relays to SPAM Americans. If I could track them down and actually do something legal to them as opposed to beating them with a 2 by 4, I would. So far, the US Government has been pro-SPAM with the only legislation being introduced as "opt-out" systems.

    The Asian nations would not be in this situation if they understood the proper way to run a mailserver and dropped the insane cultural notion that obnoxiously shoving a business card in someone's face is courteous and expected. I worked in Asia during the early 90s (mainly Singapore, Hong Kong and Taiwan) and from my experience of working with Asian businesses, this problem will not go away. Unless it's not hurting their bottom line, it doesn't matter if it's hurting ours.

  • Procmail (Score:3, Interesting)

    by tiny69 ( 34486 ) on Wednesday February 20, 2002 @10:39AM (#3037661) Homepage Journal
    A few months ago my email address ended up on a Korean spam list. I've been using the following procmail rule since:

    :0:
    * (^From:.*\.kr |\
    ^.*ks_c_5601)
    SPAM

    It catches about 95% of the spam from Korea. It's sad that I've had to resort to filtering email from an entire country.

    What has amazed me about the whole thing is the spam I receive from there is usually written in the ks_c_5601-1987 character set. Since Korean is not a really popular language throughout the world, the chances of someone understanding the spam are very slim (I haven't been able to find a good Korean to English translator that actually works). IMHO, the spammers are just wasting their time.

  • by agrounds ( 227704 ) on Wednesday February 20, 2002 @11:08AM (#3037797)
    At my last job, working for a NASA contractor, we suffered a constant barrage of attacks that all seemed to originate in Beijing, or Seoul. Blocking Class-C blocks at a time knocked out the Seoul communications, but China was another matter. This went on for some time, with myself sending e-mail after e-mail to China Net with no responses. The difficulty arose from our having offices in Shanghai, so a total block of all addresses was next to impossible. (Anyone who has worked with China Net before can attest to the difficulties of getting static IPs, or *anything* for that matter) Another difficulty arose from the dynamic assignment of IPs by China Net as packets cleared their network. It was difficult to trace and block, and eventually my edge router configurations wound up with quite a group of extended access-lists. We had to ship off a VPN solution to our Shanghai offices, and hold our breath while we punched down tightened controls. After a couple of months though, we finally managed to stop the assault. It was annoying to be forced to such extreme measures, that wound up costing the company significant dollars in manhours, equipment, and travel time just because of the lack of professional courtesy from across the ocean. On a positive note, at least it taught me to be entirely proactive with my blocks, and now I don't hesitate to toss people's packets into /dev/null. Cynical perhaps, but necessary IMHO.
  • by macdaddy ( 38372 ) on Wednesday February 20, 2002 @11:30AM (#3037916) Homepage Journal
    I did something better. I don't block them on my servers but I do have a procmail recipe to quarantine mail from, say, hotmail.com that doesn't have a Received line with "hotmail.com" in it. You would be amazed at the sheer amount of spam that it caught. Now mind you this filters out legit mail from someone that sends mail from their ISP with a From: of their hotmail.com account. It blocks ebay and paypal mail of the like manner, with the From and Received not matching up. It did catch a lot of spam though. Someone with more procmail logic than I have could extend that to a scoring method that would work really well. Also, add eudoramail.com to your list.

    I also filter message bodies for the common remove sites like autoremoveemail.com and others. That's guaranteed to work.
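
The From/Received consistency check described in the comment above, as an added Python sketch rather than the commenter's procmail recipe, which the page does not show. It goes one step beyond a plain substring test by matching the domain only as a hostname suffix; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

WATCHED = {"hotmail.com"}  # domain named in the comment


def names_domain(received, domain):
    """True if a Received value names `domain` or one of its subdomains."""
    pat = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?![\w.-])"
    return re.search(pat, received, re.IGNORECASE) is not None


def verdict(raw, watched=WATCHED):
    """Return "quarantine" when From claims a watched domain that no
    Received header mentions, otherwise "deliver"."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in watched:
        return "deliver"
    hops = msg.get_all("Received", [])
    if any(names_domain(h, domain) for h in hops):
        return "deliver"
    return "quarantine"


# Constructed sample messages (documentation addresses, not real traffic).
GENUINE = (
    "Received: from mail.hotmail.com (mail.hotmail.com [192.0.2.10])\n"
    "\tby mx.example.net; Wed, 20 Feb 2002 11:30:00 -0600\n"
    "From: Alice <alice@hotmail.com>\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)
MISMATCH = (
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby mx.example.net; Wed, 20 Feb 2002 11:31:00 -0600\n"
    "From: offers@hotmail.com\n"
    "Subject: act now\n"
    "\n"
    "Buy.\n"
)
LOOKALIKE = (
    "Received: from hotmail.com.relay.example.org ([198.51.100.8])\n"
    "\tby mx.example.net; Wed, 20 Feb 2002 11:32:00 -0600\n"
    "From: offers@hotmail.com\n"
    "Subject: act now\n"
    "\n"
    "Buy.\n"
)
UNWATCHED = (
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby mx.example.net; Wed, 20 Feb 2002 11:33:00 -0600\n"
    "From: bob@example.org\n"
    "Subject: logs\n"
    "\n"
    "Attached.\n"
)


def demo():
    """Verdicts for the four constructed messages, in order."""
    return [verdict(m) for m in (GENUINE, MISMATCH, LOOKALIKE, UNWATCHED)]


if __name__ == "__main__":
    print(demo())
```

The quarantine verdict also covers the legitimate case the comment mentions, a hotmail.com From: on mail sent through the sender's own ISP, which is why the result is a quarantine folder and not a rejection.
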

  • I wouldn't like that (Score:2, Interesting)

    by phr2 ( 545169 ) on Wednesday February 20, 2002 @11:50AM (#3038049)
    If I initiate an email conversation with a human being, I prefer to give an address that will keep working. So I use persistent addresses that I cycle about once a year. I'm careful not to use them on mailing lists or netnews. They still get a little spam, but it's not that bad.

    Filtering on sender address is rude too. I wouldn't want to assign unique addresses to senders. People send from too many different addresses. If I email someone's personal account and they try to use my return address to email me from their work account, I don't want to bounce their mail.

    I think if I quit publishing non-munged email addresses in my news posts and junkfile the incoming mail to the addresses I post news from, that should get rid of most of my spam.

  • by mESSDan ( 302670 ) on Wednesday February 20, 2002 @11:59AM (#3038110) Homepage
    This is mostly on topic, but a little off because it doesn't solely deal with Asian address blocking.

    The idea goes like this:
    Why not have a sort of "Name" tag in email. This tag could be an MD5 Hash of anything you want. If the people who sent you the email knew your name, or any valid name tag that you gave them (Multiple Name tags would be simple, just sort them into folders) You could just supply the "Name" with your email address, something like "Yeah, email me at prudan@example.com, name tag (prudan)" Anything that doesn't have your name tag would be sorted into a spam / unknown folder, or you could even bounce it back saying that the name was invalid.

    Some pros and cons to the idea:

    Pros:

    It will require more processing power for spammers to send out lots and lots of spam. Each message would need its own checksum if they are guessing at a valid name tag.

    This would really make it so that you have different email addresses, without all the aliasing. You want to use a business address? Make one of your name tags "Business", and assign that nametag to a folder just for that.

    Adding this to email clients would be a trivial task.

    Done at the client level, so it adds no server processing overhead.

    Cons:

    Spammers will start trading name tags too, so changing your MAIN name tag every so often would probably be necessary.

    Getting this to be accepted everywhere would be quite a chore.

    Maybe this won't work. I don't know.

  • by Fulton Green ( 40325 ) on Wednesday February 20, 2002 @12:31PM (#3038289) Homepage

    While I've been sorely tempted to wall off anything coming from the Pacific Rim or Latin America, it seems that there are two more constructive ways (OK, maybe only one :) to proceed:

    1. Multilingual spam report generator. Seems as if there's already an autogenerator (which is probably English-centric). Why not add multilingual support to it, or build a new one? You don't have to add every language, just the major ones that affect spam traffic (Spanish, Chinese, Korean, and French and Japanese for good measure).

    2. Enable open relay autoprobing for certain incoming SMTP requests. This may be slightly more problematic, but it'd be nice if I was to configure my MTA of choice to test the sender IP of an incoming message for an open relay hole. The check would only occur if the IP address was determined to be within the range for a certain group of countries. This might be a feasible solution for those who either can't or don't wish to subscribe to an RBL.

  • by walt-sjc ( 145127 ) on Wednesday February 20, 2002 @12:32PM (#3038297)
    While translation is a nice idea, I don't think it's worth my time to learn 20 different asian languages just so I can complain about spam. I'm sure not going to pay someone to translate for me to complain about spam. So what OTHER constructive steps can you come up with that are REALISTIC?

    The bottom line is that if asia doesn't want to get firewalled, they need to get aggressive about closing open relays. Note that I don't discriminate against asia, I discriminate against EVERYONE that sends me spam. This includes many european and south american netblocks / TLD's too.

    Basically I don't get ANY legit email from these countries. Not blocking them would be silly.
  • by Anonymous Coward on Wednesday February 20, 2002 @12:33PM (#3038309)
    While I agree with you in part, you have to realize that English is at this moment the official language of the internet. Also, ISP's in China have a large base of qualified Chinese & English speakers to choose from if they really decided to take the issue of Spam seriously. The only solution is to blacklist ISP's that do not make an effort to secure their servers and stop spam. Customers who want to email the US can then choose another ISP and hit irresponsible ISP's where it really hurts...in the pocket.
  • by jedrek ( 79264 ) on Wednesday February 20, 2002 @12:57PM (#3038524) Homepage
    Like actually bothering to translate your contact messages into various non-English languages. After all, when was the last time You, as a sysadmin, responded to an informative message to postmaster@your.org that was written in an Asian language??

    The international language of snail mail is French. That's why air mail is par avion. It's like that all around the world and no one really complains. If the admin knows enough to postmaster@ he knows it should be in English. English is *the* official language of email. Just look at the headers, I don't see a 'Od:' instead of 'From:' or 'Temat:' instead of 'Subject:'.

    Admins speak English, you can't really be a good admin if you can't communicate with your computer and 90% of software - even software created in non English speaking nations - is in English.

    jedrek
  • by Alioth ( 221270 ) <no@spam> on Wednesday February 20, 2002 @01:31PM (#3038793) Journal
    You may be interested to know that our favorite software company, Elcomsoft (of Dmitry Sklyarov fame) is a company that sells spamming tools. Take a look at their massmail.ru site [massmail.ru] for confirmation (scroll down and you'll see the (c) Elcomsoft bit). Their software looks quite comprehensive and does things like checking the email address you're about to spam is valid.

    Funnily enough, when I submitted a story about this, the Slashdot editors rejected it within minutes :-)

  • by jc42 ( 318812 ) on Wednesday February 20, 2002 @02:05PM (#3039008) Homepage Journal
    Last summer, I did something similar with CGI scripts on one of my web sites. The site has a number of scripts that convert files in a compact notation to an assortment of output formats. What the data represents isn't too important; the problem arose from the fact that a single small file could be converted to things like PS or PDF or GIF or PNG or ...

    I'd been reading about research at the big search sites that was working on the problem of "hidden" web pages; i.e., pages that are generated on the fly by scripts that read from databases. The idea was to learn what was in a site's databases by calling the CGI scripts to extract it all. I found myself thinking "Uh, oh; I'd better watch for this."

    One day it happened. A search site suddenly started invoking my scripts, methodically trying to extract all the data that I had in all of the output formats that I supported. And it did this in parallel from a large number of machines. This brought my server down and kept it down.

    So I added a "blacklist" to my code. Any requests from any of those IP addresses got only a small page saying that they were on my blacklist. I included my email address in case anyone wanted to discuss the situation. Over a few months, my blacklist grew to include a few dozen blocks of addresses.

    I've never received any email from any of the search sites. However, a few weeks back I got a message from a person in Singapore who wanted to use my site, but only got a blacklist message. I checked, and sure enough, his address was an ISP in Singapore. No way of telling him apart from the search bot at the same address (but presumably on a different machine).

    The ISP didn't respond sensibly to my query, so I have no choice but to continue the blacklist. All I have for identification is the ISP's IP address, so I have to block everything behind that address.

    I don't like blocking everyone behind an ISP, but I can't think of any other way to prevent this sort of attack on my server.

    (Yes, I do have a robots.txt file. And I know how to use it. ;-)

  • Another problem (Score:2, Interesting)

    by Ilgaz ( 86384 ) on Wednesday February 20, 2002 @02:17PM (#3039089) Homepage
    I was subscribed to a Korean shop network mail list accidentally. Someone did it I assume. One who did it knew I wouldn't get rid of it simply and subscribed me to it.

    Now I get legal (non spam) mails to my Yahoo mailbox everyday. As I check, I figure it's simply Korean mail advertising some t-shirts etc. Mail sent to MY e-mail, the one listed on Yahoo... I block it. Then next day I get mail from same company groups another company, of course, with another mail address...

    Guys aren't spamming me. Just they stupidly made a system easy to abuse. Like no verification like "Click YES or reply to this message" verification included.

    I contacted them via Spamcop, they said they now figured I don't want those mails and they are investigating who subscribed me to that. The problem is, I believe those systems as Yahoo etc. has a system that after certain people click on "block e-mail address" while reading mail, they a) automatically add them/their IP block to spammers list b) they investigate.

    I don't think in such a closed country as China there aren't people to abuse SMTP servers as they are owned by the government or companies really near government already.
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Wednesday February 20, 2002 @02:41PM (#3039244) Journal
    True: in the waning months of WWII, when the city of Strasbourg was threatened by a German counter-offensive, DeGaulle insisted on a militarily unwise defense. Eisenhower then insisted on an offensive to clear the Germans west of the Rhine to end the threat. French troops made no progress. American reinforcements were necessary. DeGaulle angrily asked if Ike "questioned the valor of French troops." I think the question was settled in 1870, again in 1917, and for all time in 1940. 3 French divisions were then withdrawn without permission for "rest and refitting" (with American supplies) in spite of the fact that American divisions had just beaten back the Germans in the Battle of the Bulge and probably needed the rest more than the French. And then the Frogs ^H^H^H^H French disobeyed orders and attempted to seize additional occupation territory in Germany at the expense of the US/British plan. For some reason, Ike didn't simply cut off the supplies. It was American gasoline, food, and ammunition the French forces were using.

    In addition, DeGaulle snubbed Roosevelt on FDR's return from Yalta. Staggering ingratitude, considering the American death toll for the Normandy campaign was 29,000, another 106,000 wounded/missing.

    In Ike's place, I would have liberated Holland and Belgium, and invited the Germans back into France.
  • by Paul Komarek ( 794 ) <komarek.paul@gmail.com> on Wednesday February 20, 2002 @09:45PM (#3041443) Homepage
    However, I expect that the former British Empire has a lot to do with the widespread familiarity with English. In this case, imperialism has a lot to do with it. For instance, the country of India uses English to overcome the many, many Hindi (and other?) dialects. This is clearly because of British Imperialism.

    The other poster just had the wrong imperialist country. =-)

    -Paul Komarek
  • by 4444444 ( 444444 ) <4444444444444444 ... 444444@lenny.com> on Thursday February 21, 2002 @10:34AM (#3044360) Homepage
    if everyone had the ability to run their own dns and mail servers that might work but you really don't think everyone will go through that much trouble to fight spam do you?
  • by 4444444 ( 444444 ) <4444444444444444 ... 444444@lenny.com> on Thursday February 21, 2002 @10:37AM (#3044383) Homepage
    it's the companies selling spam services that are the real problem not the company trying to sell the product in your spam.
