Forgot your password?
typodupeerror
Spam Your Rights Online

Fighting the Hydra -- A Spam Warrior's Tale 333

Posted by timothy
from the damned-either-way dept.
Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"
This discussion has been archived. No new comments can be posted.

Fighting the Hydra -- A Spam Warrior's Tale

Comments Filter:
  • A Spam Warrior's Tale..
    When is the sequel out? A Spammers Tale? I can't wait!
  • Could this be the start of a grass roots organization similar to the WTO, UN, EU and other multi-national groups that are surposed to help with global issues? Can't you see it now the "United Spam Busters" USB!
    • by Anonymous Coward
      I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being. Since most of the spam originates in the USA, how likely is "USB"?
      • by BrookHarty (9119) on Friday March 28, 2003 @07:33AM (#5614373) Homepage Journal
        I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being.

        First.

        Get off the USA bashing kick, all countries look after their own economic needs. (aka, sweat shops are illegal in the USA, but the WTO says that in 3rd world countries as its the only work available, they are legal...)

        Second.

        The USA (aka Federal Government) has nothing to do with Spam guidelines unless its a Federal Law. (Which could be considered a violation of Interstate Commerce, thats part of the reason no laws are passed at the Federal level... btw, IANAL...) This is also why we are trying to pass State level laws for Spam.

        But, if ISPs who want to deal with SPAM can join blacklists, whitelists, coalition, etc. Nothing is stopping them. But on the Other side, there is money to be made in Spam, and companies willing to make a buck will do it. (All around the world, not just the USA or Hong Kong.)
  • by rf0 (159958) <rghf@fsck.me.uk> on Friday March 28, 2003 @05:06AM (#5613946) Homepage
    I think this article does bring up a good point that people do tar Asia with the same brush in that you can just block them and have no problems. Its nice to see someone doing a decent job. For more fun on fighting spam see NANA [google.com]

    rus
    • by arvindn (542080)
      For more fun on fighting spam see NANA

      Fun? The article repeatedly made the point that fighting spam is no fun at all.

      • by BrokenHalo (565198) on Friday March 28, 2003 @05:35AM (#5614033)
        fighting spam is no fun at all.

        Tell me about it. I got so fed up with my spam that when I changed my ISP I made damn sure nobody I didn't want to hear from had my address. One travel firm (an Asian outfit) managed to get my address anyway, but I haven't heard from them since I put up a little web-page at Tripod saying "I am willing to opt-in to all bulk or commercial mail at..." and listed all of their contact addresses I could find.

        Childish, I know, but it did the trick.

    • by Reziac (43301) on Friday March 28, 2003 @01:36PM (#5616757) Homepage Journal
      Way back when, I used to get a ton of spam from one particular IP address in Taiwan. One day I took the trouble to whois it and noted that it belonged to a university. I forwarded one of the spams to the admin contact... and never got another spam from that server.

      Another point that brings up -- just because someone doesn't KNOW their system is being used for spamming doesn't mean they don't CARE. It pays to notify before you condemn.

  • by millwall (622730) on Friday March 28, 2003 @05:08AM (#5613951)
    No matter what he does, he can't please everyone. According to Tiffiany Mork, senior abuse engineer at Allegiance Internet, a very thick skin is a requirement for an abuse-desk worker. Her typical day includes verbal harassment, screaming, threats, and "all manner of nasty things."

    Like that is different from working in any other kind of helpdesk!
    • Like that is different from working in any other kind of helpdesk!

      It's not different from not not working in any helpdesk either, but being the one most your colleguas call because the helpdesk "refuse" to help them... like if I can help them recover they didn't save before shutting down the day before by pulling out the powercord.

      That aside, I think there would be a lot less stress overall for the people working for any sort of helpdesk if we users remembered to be polite, and that in turn would mean b

      • Hell yeah. Only problem is, one bad user can ruin a tech for everyone else.

        One user didn't like it when I told her that I couldn't send her a Win98 CD, so she called up Customer Service and told them I insulted her and made her cry and demanded that I be fired on the spot. The call wasn't recorded, and my company's policy is to belive the customer before the employee, so when I came into work the next day all my stuff was packed up in a box. Only after poking holes in her lies with other evidence, timestam

        • > I work for a shitty ISP whose main userbase is the scum of the earth from every backwoods trailer park in the US that other ISPs won't touch.

          I'm probably not seeing the full picture, because I preemptively block inbound SMTP from netspace that doesn't terminate spammers. The biggest chunks are 4.0.0.0/8 (open DSL proxies from Genuity/Verizon/LVLT depending on who's bankrupt this week), 12.0.0.0/8 (ditto in AT&T space), and 24.0.0.0/8 (ditto, but with cablemodems) and 200.0.0.0/6 (all of LACNIC

    • Not my helpdesk (Score:3, Insightful)

      by Christopher Bibbs (14)
      When I worked the PC support desk back in the late 90's, I never had a user give me lip. I think assuming that kind of behavior is normal or acceptable is half the problem.

      The other half is that people tend to hire tech support based on technical knowledge without considering communication skills. During my relatively short tech support stint (5 years with different companies) I went to half a dozen communication classes. Validate, empathize, assert. Solves most problems and diffuses even the wrost att
  • by product byproduct (628318) on Friday March 28, 2003 @05:08AM (#5613952)
    ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?

    Yes, it's like the horde of trolls striking while other people are trying to discuss the subject at hand.
    • decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?

      No spam article is complete without a comparison to Terrorists or Nazis. I give it a 1 out of 2 stars.
  • by heretic108 (454817) on Friday March 28, 2003 @05:11AM (#5613960)
    This whole spammers versus spamblockers has proven to be a destructive arms race.

    Many legitimate machines and users - even whole ISPs - unfairly end up on blacklists, while the spammers just find another way through.

    The spamblocker tools and their heuristics get smarter, but don't forget that spammers keep up with these tools and constantly find new ways around them.

    I was using Razor and SpamAssassin for months. Formidable combination - networked blocklists plus pattern matching. Gave me a bit of peace. Very few false negatives. But in the last month, I've seen a whole new generation of spam coming through that the filters don't even touch.

    Peace has finally come from a package called Active Spam Killer [paganini.net], a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.

    There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up.

    Result?
    Spams to my mailbox have gone from 40 a day to zero.
    • by Tailhook (98486) on Friday March 28, 2003 @05:35AM (#5614034)
      Peace has finally come from a package called Active Spam Killer [paganini.net], a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.

      You're adding an authentication layer to your specific mail account. Now, all we need to do is implement 4.1234E13 different mail account authentication systems. Each with it's own bugs, weirdo assumptions (HTML only, perhaps? Imagine how Mickysoft might do this...) and other deficiencies. Everyone you correspond with will have a different one. What fun!

      Authentication is the only feasible solution to spam. If we could collectively decide on a method of implementing it in a standard fashion we could avoid the mess.

      Don't hold your breath.
      • Um, if the authentication is standardized wouldn't it be easier for a spammer to get authorized? I'd prefer a different authentication method for every e-mail account, kinda like a spam Turing test.
        • Yeah, but (Score:3, Interesting)

          by autopr0n (534291)
          1) you would have their real email address and
          2) you could use a 'what number is this a picture of' type questions. The problem is figuring out how to make it multilingual.

          But really it dosn't need to be standardized at all, since these things are going to have to be handled by real people, rather then computers.
          • Re:Yeah, but (Score:3, Insightful)

            by Tailhook (98486)
            But really it dosn't need to be standardized at all, since these things are going to have to be handled by real people, rather then computers.

            You are correct. It doesn't have to be standardized.

            Now prepare yourself. Microsoft will implement a system whereby you get the challenge mail that contains a link to a page with a Palladium enabled ActiveX control that you must cope with to get authenticated. It will stop spam and be highly successful, popular and integrated with Outlook version 32.010155a and
          • Re:Yeah, but (Score:3, Insightful)

            by ncc74656 (45571)
            1. you would have their real email address and
            2. you could use a 'what number is this a picture of' type questions. The problem is figuring out how to make it multilingual.

            Why would it have to be multilingual? I speak English; why would I want to receive mail in a foreign language? (Hell, maybe it'd help block the Brazilian spam I've been getting lately...)

    • by PigleT (28894) on Friday March 28, 2003 @05:53AM (#5614102) Homepage
      "There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up."

      And how do you feel about making all innocent senders of mail do extra work, while spammers simply ignore it and move on?

      I simply cannot justify that, based on the redistribution of workload and increased aggravation - you send me a bounce message, I consider your email address invalid whether that bounce is "500 address unrouteable" (a valid, understandable error) *or* "500 I Don't Like You" - which I consider frankly offensive.

      Go back to SpamAssassin, get 2.50 or better, which includes Bayesian analysis as well as all the above. Or just shove a Bayesian filter in the way after SA; here, I have outright regexp-based rejection and SA in exiscan, followed by bogofilter in procmail - very few spams get past the first hurdle (From: headers snarfed from Usenet) and those that do are caught either by SA and/or bogofilter.
      This way happiness lies.
      • And how do you feel about making all innocent senders of mail do extra work, while spammers simply ignore it and move on?

        Well, If someone took the time and extra work to send me an email in the first place, then I think they can take a few seconds to verify their humanity.

        If you think spending a few seconds for each person (not each message) you want to communicate with is to much work you're obviously trying to mail to many people (and thus, are a spammer). If I had to verify myself to everyone I mai
        • "then I think they can take a few seconds to verify their humanity"

          And this is what I disagree with. A lot. The work required to send an email should be exactly that; you type it and push Send, that's quite enough. Having to go through extra hoops because someone defaults to assuming you're a bad-guy is totally uncalled-for.

          "(and thus, are a spammer)."

          You really do have an offensive view of the world, don't you know? Without thought for people's modes of operation or needs, you tar everyone a baddie unti
          • How many spams do you get per day?

            How many times per day do you email someone you've never emailed before?

            If the second number is higher, then you're probably a spammer and even if you're not an email from you wouldn't be very special. If the first number is higher, you would have far less annoyance in your life if everyone adopted this system.

            I'd rather have a few people's computers think I was guilty of spamming until proven otherwise then have to deal with deleting Spam, and for me, its a choic
            • Often enough. I'd be furious if I sent an email to my vet, doctor, financial advisor, father overseas, or any other of the people I periodically email from whatever account I happen to have handy (mine, my wives, work address) on my way to work and came home to find a verification message. Once email takes as much time as calling someone, and requires me to check back periodically to make sure it's actually been sent, ALONG with assumptions about how I'm viewing my email (pictures enabled, html enable, or
            • One of the biggest problem of spam is that you could lose legitimate mail because is lost in the big amount of spam you received or got deleted with all the spam you deleted, or spam filled your mail quota and legitimate mail got rejected.

              Putting some obstacle on the reception of legitimate mail (er, like "you should pay an stamp to send mail to me") will have the same effect, so you are changing the definition of the problem, but not really solving it. It can be minimized using friendly or not troble-mak

          • You really do have an offensive view of the world, don't you know? Without thought for people's modes of operation or needs, you tar everyone a baddie until they take the trouble to prove otherwise.

            Does your home have locks and keys? Not everyone wishes to break in. How offensive of you to secure your property against me. How dare you force me to knock and wait outside for you to answer! What do you think I am, some sort of thief?

            If you take offense at being asked to verify yourself with me exactly o
        • A part of the atraction of doing business on the web is the potential to highly automate the process. A part of doing this automation is that machines have to respond to humans conducting legitmate business with the machine, often this requires a confirmation Email to the human.

          I'm not sure that I'd want to add the additional layers of programming to get my Email's through the filters. I shouldn't have to eithier, nor should I have to recieve the 13 MB of spam a week we get either.
    • by gujo-odori (473191) on Friday March 28, 2003 @09:09AM (#5614655)
      Many legitimate machines and users - even whole ISPs - unfairly end up on blacklists, while the spammers just find another way through.

      I spent five years working for ISPs, and during that time the only case of blocking I can think of that you could even possibly argue is unfair is the case of a certain major telco in the western United States which was (and AFAIK still is):

      * Lumping its business DSL customers and home DSL customers together in the same pool;

      * Not provding reverse DNS services to its business customers (their forward lookup might say mail.example.com, but the reverse still said host-aaa.bbb.ccc.ddd-spammydsl.sometelco.net)
      * Doing, as far as we could tell, nothing at all about spammers in their DSL pool, which was a major source of spam;
      * Doing, as far as we could tell, nothing about open relays & open proxies in their DSL pool.

      This led to the situation of us blocking their entire DSL pool based on reverse DNS.

      You could make the argument that it was unfair to said telco's business DSL customers to have their legitimate mail blocked, but I would then ask you, "Who was it that was being unfair to them? My employer, when we had no way to distinguish legitimate from illegitimate mail in that DSL pool from which most mail was illegitimate, or said telco, which was not providing proper service to its business DSL customers, who were paying a large premium over what residential DSL customers were paying and apparently getting little in exchange for their money?" My answer, of course, would be "Not my (then) employer."

      Please note that we did not consider blocking of residential DSL customers to be unfair in any way, ditto for ordinary dial pool customers. It is normal for ISPs (and the telco in question did so) to provide outbound SMTP hosts for use by their customers. All those affected, including the business DSL customers, could make use of them either directly or as a smarthost. It is not unfair to tell a residential customer "Use your provider's outbound SMTP hosts. That's what they are their for." I'm not convinced that it's unfair to say that to a business DSL customer either, although I understand how they would like to be able to send mail directly instead of smarthosting through their provider. However, if the telco's position is essentially that a DSL line, because it doesn't cost like a leased line, does not include the normal services that come with a leased line (such as reverse DNS service), that is an issue to be settled between the telco and the customer.

      I also question whether or not it is "unfair" to anyone to refuse their mail, on the grounds that delivering mail to any domain is a privilege, not a right. It is, of course, customary to extend that privilege to anyone who has not violated it or is not a member of a group of IP addresses where violation of that privilege is the norm (as in the case above), but no domain can be ordered to accept mail from any other domain. Refusing mail may have consequences for the refuser, of course, but that is their choice to make.

  • by fanatic (86657) on Friday March 28, 2003 @05:12AM (#5613966)
    From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.

    A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.
    • by Anonymous Coward
      You're reinventing the "teergrube" [iks-jena.de].
    • A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly

      You know this is trivial to defeat right? A simple heuristic to detect the honeypots would have no trouble dealing with this. Spammers are highly motivated at defeating stuff. Excessively slow server detection will be a standard feature of all next generation spam software. Bet on it.
      • "Excessively slow server detection will be a standard feature of all next generation spam software"

        Let's hope so. Then I'd just accept all mail slowly and spam would go away!

        Seriously there are flaws in this kind of defense. First, I'm already seeing several spammers who already send mail slowly, probably to avoid setting off statistical trappers and to make it harder to scan through log files. Also don't forget that the spammers usually have much more bandwidth than the recipient; you can never win

    • by kasperd (592156) on Friday March 28, 2003 @05:29AM (#5614018) Homepage Journal
      A honeypot for spam - mentioned here previously, I think - would be one answer.

      I have previously mentioned a honeypot here, but not the one you are talking about. I try to receive the spam as fast as possible in the hope that every spam ending up in my honeypot is one less spam to end up elsewhere. But I feel it is getting harder to attract spam. Though I have been working hard to make my honeypot attract lots of spam, and in the process managed to get my IP on OpenRelayCheck [openrelaycheck.com], I only got 1.3 million yesterday. My record from october 2002 was 36 million in 4 days.
      • by flonker (526111) on Friday March 28, 2003 @06:47AM (#5614267)
        I run a program that just listen on port 25, pretending to be an open relay, and logs all relay tests to a file. I get scanned by testers using the following two email hosts constantly. The 21cn.com one has been using the same exact address for months now. Almost makes me want to mailbomb them.

        Mar 27 08:07:18 [210.222.196.141:27910]
        ehlo ll-nidaf2xx5kn9
        Rset
        Mail from:<china9988@21cn.com>
        RCPT to:<china9988@21cn.com>
        Data
        From: china9988@21cn.com
        Subject: 68.22.196.106
        To: china9988@21cn.com
        Date: Thu, 27 Mar 2003 23:20:51 +0900
        X-Priority: 3
        X-Library: Indy 8.0.25
        t_Smtp.LocalIP
        .
        Quit

        Mar 27 19:23:10 [210.222.196.133:58885]
        HELO hanmail.net
        MAIL FROM:<jkdsa@hanmail.net>
        RCPT TO:<mg0108@hanmail.net>
        DATA
        Message-ID: <20820-2200335282014339@hanmail.net>
        X-EM-Version : 6, 0, 0, 4
        X-EM-Registration: #0010630410721500AB30
        Reply-To: rolliey@hotmail.com
        From: "good" <jkdsa@hanmail.net>
        To: mg0108@hanmail.net
        Subject: 68.22.196.106
        Date: Fri, 28 Mar 2003 11:00:14 +0900
        MIME-Version: 1.0
        Content-Type: text/html; charset=KS_C_5601-1987
        Content-Transfer-Encoding: quoted-printable
        <HTML>
        <HEAD>
        <META NAME=3D"GENERATOR" Content=3D"Microsoft DHTML Editing Control">
        <TITLE></TITLE>
        </HEAD>
        <BODY>
        <P></ P>
        </BODY>
        </HTML>
        .
        QUIT
        • by kasperd (592156) on Friday March 28, 2003 @08:26AM (#5614509) Homepage Journal
          I run a program that just listen on port 25, pretending to be an open relay, and logs all relay tests to a file.

          That is also what I do, and your probes sure look familiar. Occationally I actually relay the probes to see what they are actually up to, and then I get loads of spam. I also run another program on ports 1080, 3128, 6588, 8000, and 8080 that pretends to an open proxy which can be used to connect to an open relay. Next step would be to automatically report received spam to razor.
        • Those netblocks are filled with open proxies. The problem is so widespread in (South) Korea that there are days when I think the number of machines that aren't open proxies is in the minority. This is particularly true about boxes at Korean schools.

          A quick nmap of those two IPs leaves me fairly convinced that they are being used for spam relay without the permission of their owners. Mailbombing them would not be terribly productive, and would almost certainly get you in trouble with your upstream if any

          • While it is interesting that the IPs are open proxies. (I had wondered why they changed so quickly and often, and bounced around so much.) You're wrong. Mailbombing wouldn't affect the open proxies. Mailbombing would affect the mail dropboxes they use to pick up replies from the open mail servers.

            The path of a typical successful test:
            [Client]->[Open Proxy]->[Open Relay]->[Their Mailserver]->[Client]

            Mail bombing would affect the mailbox on their mailserver, (which is most likely an innocent,
        • The incoming ports looks like coming from a NAT. Real IPs in the AsiaPac are hard to find so so methinks that you are seeing two ISPs nats and quite likely the real culprits are quire different.
        • Good to know it's not just me. I get at least a once per day attempt from there checking my mailserver for an open relay. Attention stupid spammers: It wasn't an open relay last year, it wasn't one last month, it wasn't one yesterday, and it's NOT GOING TO BE ONE TOMORROW. Grrrr....
    • Teergrube (Score:4, Interesting)

      by KjetilK (186133) <kjetil@@@kjernsmo...net> on Friday March 28, 2003 @06:26AM (#5614209) Homepage Journal
      I have a few honeypots (trollboxes or spamtraps, you may call them), and they do get a lot of spam. For example, I code things like

      <link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />

      (yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.

      The other thing you mention, I think that is what is meant by a Teergrube [iks-jena.de]. Marc Merlin has some good stuff [merlins.org] on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.

      Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.

    • Tarpits are great ideas for people who think they are mail server admins because they have sendmail running on their red hat box at home. For real mail servers they are, to put it kindly, retarded (pun intended). Consider the thousands of concurrent inbound connections a large mail service has. Now apply the stuff you hopefully know about concurrency to half those connections. Yum.
    • verrry slowly (Score:3, Interesting)

      by germinatoras (465782)

      Heh...I run sendmail on a 486DX/33. I accept everything very slowly. :-)

      But in all seriousness - I expect that some day, somebody will find a security hole which I've overlooked. However, when that day comes, my little 486 certainly won't be much of an asset. If a spammer finds a way to exploit sendmail, and tries to relay 5 bazillion e-mails, my box would certainly crash. I consider it a boon to the internet if I make myself very difficult to exploit, and sticking a just-barely-does-the-job server up

  • by sql*kitten (1359) on Friday March 28, 2003 @05:13AM (#5613972)
    Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?

    I don't know if this is a "Lord of the Rings" reference or a "War on Saddam" reference.
  • 75 million? (Score:4, Insightful)

    by Lynn Benfield (649615) on Friday March 28, 2003 @05:14AM (#5613979)
    Every day, 80 percent of all incoming mail to Outblaze is rejected as spam and filtered out before Ramasubramanian and his team have to deal with it. Out of the remaining 15 million messages per day that do pass through Outblaze servers

    So if 15 million messages is 20% of what they get, they receive 75 million individual messages a day? That seems a little high...
  • Think about it...the dictionary spammers have not gotten as far as sramasubramanian@hotmail.com
  • Simple solution (Score:4, Insightful)

    by azav (469988) on Friday March 28, 2003 @05:40AM (#5614054) Homepage Journal
    Time for all responsible ISPs to assign their own anti spam reps, reach out, get a list of ALL isps, contact their anti spam reps and take action.

    Get organized and form a plan but first, get organized on a global level.

    Then kick some ass and pool for legal action against the thieves. :]

    • You've missed an important point - ISPs don't always have a clear business need to stop spam either being generated from, or entering, their networks.

      This is the real world, not Noddyland. Abuse departments cost money.
  • disgusting (Score:3, Interesting)

    by danbuhler (661233) on Friday March 28, 2003 @05:40AM (#5614055)
    Just the thought of this makes me sick.. Almost as sick as those who make spamming profitable.

    Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?
    • Re:disgusting (Score:3, Insightful)

      by sql*kitten (1359)
      How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?

      The economics of spam work because of the huge imbalance between what a spammer pays, and the price of the products bing sold. One sale per million messages probably makes the whole undertaking feasible. I think it was PT Barnum who said no-one ever went bust underestimating the intelligence of the public.
    • Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?

      IRL (in real life) we call them Commission Salesman, Tele Marketers, or in corporations we call them the "Marketing department"...

    • Who said it was profitable? If you think spam exists because people are making money you're wrong. There are a few chumps that the media like to cover making it seem as if there are only about 3 spammers sending everything out. In reality most spam comes from people running spam programs from their broadband connections. Think how much spam you could send out for the 8-16 hours a day your computer isn't being used. Now all you have to do is run a program that spams the hell out of the world and you get
  • by io333 (574963)
    ...decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?

    Oh so I get it, fighting spam is like saving the Galaxy!

    I had no idea it was THAT important. I'm on the edge of my seat now!
  • Outblaze, huh? (Score:5, Interesting)

    by Pathwalker (103) <hotgrits@yourpants.net> on Friday March 28, 2003 @05:51AM (#5614097) Homepage Journal
    Those guys have to run the most annoying relay tester I've seen. Every time it tests you, it sends a burst of 30 messages or so, all with return addresses on the box they are testing so they don't have to deal with bounces.

    Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 [roxen.com] which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".

    But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.

    There are two parts of this that bug me:
    1. If a mail server does not relay mail, it is rude for a test to result in mail to the administrators of that server
    2. It is possible for the username they use in their test to actually deliver mail to a real user. I consider it as bad as spamming if their test drops dozens of messages in the account of an innocent user with no idea of what is happening, or control over the mail server.
  • Anti-chinese bias (Score:3, Insightful)

    by autopr0n (534291) on Friday March 28, 2003 @05:54AM (#5614104) Homepage Journal
    Yeah, these people blocking all mail from Chinese and korean subdomains are idiots. How are they supposed to work with anti-spammers there if they can't even talk to them?

    I mean, I guess it'll help cut down on the spams they get, but it won't help stop the problem.

    Anyway, the true way to stop spam is challange-response for the first message from a new person. Easy to implement, and it dosn't require any software for the sender.
    • Re:Anti-chinese bias (Score:2, Interesting)

      by DOsinga (134115)
      > Yeah, these people blocking all mail from Chinese and korean
      > subdomains are idiots. How are they supposed to work with anti-spammers
      > there if they can't even talk to them?

      While spam might come from Chinese or Korean subdomains, it usually is about American products to the degree that the stuff offered is completely useless for someone from the Netherlands. They might at least filter on the target email address you'd think.
      • I get huge amounts of spam from South Korea, China and Russia. Almost all of it is in the language of the source country, advertising products or services that would only be of interest to people from those countries.
      • stuff offered is completely useless for someone from the Netherlands

        The Netherlands - where all the men are 12", all the women have no need of breast enhancement, and sexual potency runs rampant! Sounds like my kind of country...
  • The bounce problem (Score:5, Informative)

    by dmeranda (120061) on Friday March 28, 2003 @06:00AM (#5614123) Homepage

    If 50% of all mail in the US is spam, then the other 50% must be the bounces for all that undeliverable mail!

    I run a mail gateway for a medium sized company, and although not on the scale of a large ISP, I see many of the same problems. Dealing with spam on a gateway level is quite different from dealing with a single personal mailbox. And spam flooding has gotten much worse in the last few months. Getting over a 1000 messages in under a minute can really start to tax your infrastructure. Actually from my own observations, I'd say that at least 75% of all mail is spam, and 80% of that is undeliverable.

    Of course one of the big problems as Ramasubramanian points out is that spammers are getting very sophisticated at impersonating other entities. This results in a large number of bounces being directed back to the wrong guy. So not only are you getting spammed, but you are also indirectly spamming the poor guy who is being impersonated with your flood of bounces. And the bounces also cause other problems because it tends to fill up your outbound mail spools, as well as making the required postmaster account near useless sometimes.

    One thing I've learned is that a mail administrator must be very careful about constructing blacklists and filters. I use sendmail [sendmail.org] and make heavy use of it's milter [milter.org] programatic filter interface. It's amazing how being able to analyze the mail at the protocol level (such as the HELO command) helps identify impersonated mail that can't just be done by only looking at mail headers or the message body. It is also possible to help correlate large volumes of nearly identical inbound mail from a large number of different servers, as well as correlate them with large number of undeliverable outbounds. I'm also very careful to check whois an other registrar databases before adding blacklist entries, to help prevent blacklisting the wrong guy. But I do admit that for a few of the most audacious flood attacks, I actually have to resort to iptables [netfilter.org] firewall blocks to stop it even before sendmail sees it. I really dislike having to disobey the SMTP standards, but spam floods are IMHO just as destructive as worms and viruses!

    The thing I fear most as a mail administrator is not the inbound spam, but that some spammer may start impersonating my company! We'd start getting placed on blacklists and blocked, plus we'd start getting flooded with all those bounce messages (probably an order of magnitude more than direct spam). How can one possibly protect against that?

    • by Hellkitten (574820)

      One possible solution to the problem of bounce messages is to not send them.

      When an undeliverable mail arrives check against a set of criteria, and if the mail looks like spam then don't send the bounce, since the adresses are likely to be faked anyway. This way the poor sod that got his adress used as the sender won't recieve (as many) bounces. The disadvantage is the possibility for false positives, that a legitimate mail might be tagged as spam and the sender won't see the bounce. Anyway for a large mai

  • by Boss, Pointy Haired (537010) on Friday March 28, 2003 @06:15AM (#5614175)
    If this "whitelist" mechanism, with a challenge response requirement to get yourself onto the whitelist takes off, how is the situation where two people are using the same [or the same but different] systems handled?

    Alice sends email to Bob.

    Bob's mail server sends a challenge to Alice.

    Alice's mail server challenges the challenge and sends a challenge to Bob.

    Bob's mail server challenges the challenge of the challenge and sends a challenge to Alice.

    Ad infinitum.

    How is this resolved without allowing SPAM through the same mechanism?
    • by MavEtJu (241979) <slashdot@mave[ ].org ['tju' in gap]> on Friday March 28, 2003 @06:42AM (#5614247) Homepage
      It's not that difficult. You only send one (1) reply per user/domain pair you receive. You don't do it for all the emails you receive from one user/domain pair.

      *shudders when thinking at the vacation-wars*
    • Several people mentioned whitelisting people you send mail too, which is a good idea, but not infallible (people often reply from a different address than you sent, due to forwarding, etc...)

      You can also use tagged reply addresses to ensure replies get through. or message i.d's, which is more heuristic.

      People curious about whitelist systems may find the TMDA faq helpful This specific question is discussed in this entry [tmda.net]

    • This is resolved by adding the recipient address to a whitelist, so that you can automatically receive a reply (or a challenge). If you are sending to a recipient whom you do not yet trust, then one approach is to create a special email alias for them alone to use in mail to you. If they turn out to be a slimy spammer, you just kill the alias and move on.

      Ecco Ping! Ecco Pong! Ecco Pang!
  • The guy (Suresh Ramasubramanian) obviously has been polymorphed into a Dragon (think nethack).
  • by t0qer (230538) on Friday March 28, 2003 @06:47AM (#5614261) Homepage Journal

    The spammer [slashdot.org]
    I knew has moved to the Philippines. Supposedly it's the next big shelter for
    these roadhogs. China has a lot of business interest in the US so they are doing what they can do eliminate the problem.


    • China has a lot of business interest in the US so they are doing what they can do eliminate the problem.

      Like putting spammers on the death row and selling their organs afterwards? Sweet. The death penalty is a bit too harsh though. I'd be content with the organs.
  • I use Outblaze's mail.com redirection service and almost all the spam that arrives in my work inbox is sent to that address.

    At the same time, I've just had to stop using that address as the destination for several perfectly respectable mailing lists on which I lurk because Yahoo Groups keeps suspending delivery because of spurious bounce messages generated by Outblaze.

    I'm tending to the opinion that if it was addressed to me, then it should be delivered to me and I'll choose what to do with it.

    • I'm tending to the opinion that if it was addressed to me, then it should be delivered to me and I'll choose what to do with it.

      This is what I do. I get amazingly little spam in my primary account. I think this is because I do not give out that address lightly. I try to avoid having that address displayed in a public space. And it works for me. I only get maybe 5 spam messages per day, usually less.

      I also do not allow javascript to run in my mail client. This prevents spam messages from communicating wit
  • by salesgeek (263995)
    Spam was the topic of Gary Varvel's (a syndicated editorial cartoonist) cartoon yesterday:

    http://www.indystar.com/opinion/varvel/2003-03-2 7. html

    Pardon the karma whoring.

    $G
  • by PaschalNee (451912)
    Sometimes the spam is highly objectionable, ads for things like bestiality, child porn and cracked software

    Not saying I agree with cracked software but it's kind of strange to see it lumped in with bestiality and child porn?
  • Suresh... (Score:2, Funny)

    by thesilverbail (593897)
    I knew Suresh Ramasubramaniam personally a long time ago when he worked for Intel. Wow, I had no idea he was into spam-waring know.

    Caution to all would-be spammers: Suresh is a guns and rifles enthusiast and has a very nice collection of assorted weapons and ammunition. Who knows what he might do to a spammer as a last resort...
  • by tsvk (624784) on Friday March 28, 2003 @07:46AM (#5614410)

    Shuresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.

    Check his postings from the Google Groups archive [google.com].

  • by wowbagger (69688) on Friday March 28, 2003 @09:12AM (#5614660) Homepage Journal
    There was something about the article that bothered me - perhaps it was just unclear reporting, or perhaps it wasn't.

    According to the article, this guy is having to block off a flood of mail from spammers to his system. The way I read the article, this flood is not for Outblaze users, but just for relaying. Why the bleep does his mail server even accept this mail? Any modern sensible set up mail server should follow a ruleset like:

    if (sender is one of my users)
    accept
    else if (recepient is one of my users)
    accept
    else
    bugger off spammer
    endif


    Ideally, the mail server would log system that were trying to send mail that didn't pass that test and tell the router to drop packets from them for a few hours.

    Bam! 90% of problem solved.

    Having received spams relayed by Outblaze servers, I don't think that's what is happening. I think they are running open mail servers, and trying to keep the spammers from using them.

    I could be wrong, but that's how I read the article.
    • by Anonymous Coward
      >According to the article, this guy is having to >block off a flood of mail from spammers to his >system. The way I read the article, this flood >is not for Outblaze users, but just for >relaying. Why the bleep does his mail server >even accept this mail? Any modern sensible set >up mail server should follow a ruleset like:

      Don't put words in Suresh's mouth. He said he was trying to deal with a flood of BOUNCES to his system because the spammers FORGED addresses serviced by Outblaze.
  • "The challenge we face is the same challenge little Hans Brinker faced when he stuck his finger into that dam," Ramasubramanian said. "We know that as soon as we let our collective fingers slip out of the thousands of tiny holes we are plugging we will drown in a massive sea of spam."

    Maybe that's exactly what we need to get the attention of the Governments of the world to get serious about spam. Let the dam break for a couple days all over the world. Don't block anything. When people get thousands of spam
  • I see! (Score:4, Funny)

    by HarveyBirdman (627248) on Friday March 28, 2003 @10:30AM (#5615112) Journal
    Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"

    Which, of course, raises the possibility of dropping "bunker busters" on the offices of spammers. ;-)

    I fully support this idea.

  • At least from the last months, the main source of spam is not china based open relays, but anywhere in the world.

    But if I would give a spam score to mails based in content, I would mark as spam all that in the text have mails or websites whose IPs are located inside China.

This is a good time to punt work.

Working...