Anti-Spammers DDoSed Out Of Existence

Anonumous Coward writes "Not one, but two anti-spam services announced their closure yesterday due to DDoS attacks, massive Joe jobs, threats, and the total lack of interest shown by law enforcement. monkeys.com pulled the plug at midnight with an announcement that makes you think of a suicide note. Short time later compu.net went the very same way. So, when will we see a distributed RBL that can stand up to distributed attacks?"

The Heavy Hitters Are Still Around

[Nintendork]

So, when will we see a distributed RBL that can stand up to distributed attacks?

I'd never even hear of the two sites that closed down. Personally, I use Spamcop's DNSBL [spamcop.net], DSBL [dsbl.org], and ORDB [ordb.org].

-Lucas

Re:Double-edged sword

[nate1138]

Um, you got it wrong pal. It wasn't spammers getting DDOS'd, it was spam fighters getting knocked off the net. By spammers. You know, the bad guys.

Re:massive Joe jobs?

[beady]

A Joe Job is where some unsuspecting innocents email is placed as the "from" address in the email headers. Headaches ensue

So, when will we see a distributed RBL...

[LostCluster]

Never. Fact is, for a blacklist to have any credibity it has to come from a central source. If it doesn't, then how are you going to authenticate the real blacklist from a fake claiming to be the blacklist but actually blocking legit ISPs and letting spammers by. P2P isn't the solution to everything.

Re:massive Joe jobs?

[Anonymous Coward]

What exactly is a 'massive Joe job'?

A "joe job" is the term used when someone deliberately blackens the victim's name by false pretences. An example would be if I sent out millions of spam offering "cheap medications and porn and university diplomas, just contact MacBrave at www.accs.net/users/macbrave". You'd get outraged complaints from the recipient, and despite your protestations of innocence your online reputation would be irreparably damaged. That's a "joe job".

Re:The Heavy Hitters Are Still Around

[Havokmon]

Yeah, but look at OpenRBL [openrbl.org], DSBL references them..

Re:The Heavy Hitters Are Still Around

[frankie]

SpamCop is currently alive [google.com], but Julian had to blow a bunch of cash on upgraded servers after getting knocked down a couple months ago. Pretty much every site which offers any sort of blocklist has had several months of continuous DDoS [pcworld.com].

Re:massive Joe jobs?

[Rogerborg]

Where your send email purporting to be from someone else [techtv.com], or in this case when spammers send spam purporting to be from the anti-spam orgs. SMTP servers don't validate the From: field, you can put anything in there. Most lusers and a shocking number of clueless sysadmins don't realise this.

Re:massive Joe jobs?

[Anonymous Coward]

"Joe job" is a slang term for using a real email address for the From: header in your spam. That address is not the spammer, of course; it belongs to someone else. Thus, a check by the receiver to see if the sender exists will pass.

Naturally, the "Joe" selected gets a bit abused. Naive recipients of the spam send him hate mail. Naive anti-spammers put him on blacklists. And he gets bounces from all the bogus addresses in the database.

There's spam, and then there's spam. Clearly, actions like Joe jobs cross over into small-time identity theft and fraud, which goes way beyond merely annoying people with commercial email they don't want. Spammers are hated because they employ underhanded tactics, not just because they're annoying. And they know that their "service" is unwanted, or they wouldn't go to such lengths to disguise their identity.

IMO, part of the technical and legal solution to spam will need to be a requirement for a traceable signature so that you can locate the spammer and apply appropriate remedies for abuse. Another part has to be be a requirement for an "On-Behalf-Of" header so that the company paying for the spam can be located, and thus force them to take responsibility for the actions conducted on their behalf. Cockroaches will swarm all over as long as we stay in the dark.

I won't miss email black lists.

[Vic Metcalfe]

I'm sorry for the trouble these guys have had, but I've had more trouble with black lists then benefit. I've been black listed many times for stupid reasons. Like one of the sign-off's mentioned, I've had @mydomain.com used to send spams, had to handle the bounces and then been blacklisted on top of that. I've had spam link to a page I host even though the spam wasn't advertising the page, it was using the page to support the sale of its product. The page was about water safety, and posted by someone with no connection to the spammers. I've twice been blacklisted and once had UUNet filter my IP allocation because users had uploaded old vulnerable versions of FormMail.pl to their web sites and spammers found and abused the hole. Both times I had found and removed the offending script before getting shut down, only to be blacklisted/filtered AFTER fixing the problem.

As you might have guessed I have no love for RBL type services. I think their hearts are in the right place, but I'm tired of getting caught in the cross-fire. Since at some point, in order to benefit spammers have to be contacted by consumers, law enforcement should be able to track them down. I'd love to see that sort of thing become common. I can't see a technological solution even with a complete overhaul of how email works. I like the fact that a stranger can email me if they like. I just want to see legal limitations on that contact to prevent spam.

Re:Sorry sir, your wallet is too thin

[sqlrob]

Joe Jared
Ron Guillemate (sic?)
compu-net
Steve Linford

Where's the hiding there?

The FBI

[deblau]

If RFG can show that more than $5000 worth of damage was done to his computers or business, he can get the FBI involved. If they can track down who did this, there could be jail time for some of these bastards.

Re:Sounds like a good use for Freenet

[Anonymous Coward]

All you need is the hash key. You cannot get back 2 different pieces of data from the same hash key. Especially if the submitter cryptographically signs the list anyhow.

Re:Here's what cracks me up

[EinarH]

Wheter this is the responsibility of the DHS or the FBI I'm not sure about, but Ron Guilmette who runs the now closed monkeys.com actually tried to contact FBI.
From a google groups post here [google.com]:

I was also on the phone to Ron just a few minutes ago.

More specifically, the law enforcement issue is twofold:

First, he tried talking to his city police. He had to fight them to even take a written report of the incident. That was to be expected, of course.

Then, he tried calling the FBI. The receptionist who took the call apparently didn't understand a word of Ron's explanation of a "denial of service attack against his Internet servers" and asked him "Is that illegal?". Ron insisted that he must speak to somebody who is more capable of understanding the issue. The receptionist transferred the call to the duty officer, which turned out to be an answering machine.
Ron left a message, expecting to be called back, but no call so far.

If this is correct, I have no indication that it should not be, it looks like a total FBI fuck up.

(more info here [google.com])

Re:distributed.net rides again?

[Anonymous Coward]

Already done. It's called Freenet.

Re:Sounds like a good use for Freenet

[lx805]

Good point, but if it is signed, then it is not anonymous is it.

It doesn't need to be anonymous, just available. SpamCop isn't anonymous. Spamhaus isn't anonymous. SPEWS is anonymous, but they probably don't need to be, and they already have someone who is *NOT* anonymous distributing their lists via PGP signed e-mail (see http://groups.yahoo.com/group/spews [yahoo.com]).

ISPs that use these lists to reject mail are being irresponsible, and are most likely doing it without the knowledge of their users. One false positive that gets dropped is one too many when your users don't know it is happening.

I agree with you there 100%. ISPs *maybe* should offer it as an option, but shouldn't filter by default. I've seen some ISPs do some pretty stupid things with the blocklists (i.e. add the IP ranges to their core router's ACLs). Those admins should be shot.

Admittedly, though, I'm not nearly as concerned about false positives as most people. People tend to forget that e-mail in it's very nature is unreliable, and should never replace a phone call or good old fashioned face time.

Re:probable cause

[lx805]

I'm sure they are asking for it. We probably just don't see it. Did the NY mafia set up a hit on a rival by running a classified ad in the Times? Don't think so.

There are a number of "members only" spammer resources on the net. You hear about them every now and again in NANAE [google.com]. While I can't say for certain what goes on in those places, you can bet they aren't swapping recipes...

Re:Excellent idea!

[bdsesq]

Fogeries can easily be prevented.
All you need to do is put a PGP signature on the list.

Re:Sounds like a good use for Freenet

[Jerf]

sahalx partially replied to your point but to someone not already familiar with Freenet I'm not sure they'll understand why (s)he's right.

And you would trust this file enough to block email based on it's contents??? Accountability is the biggest problem with RBLs, and moving it to a completely anonymous system would loose the last level of trust that they currently have...

Freenet is not a "completely anonymous system" in the sense you seem to be using it. While you can not trace a file back to the owner necessarily, it is possible through the use of the SSK mechanism that sahalx mentioned to establish that a file came from the same source as another file.

Therefore, in conjunction with some of the other features of Freenet, once you decided you trusted a particular blocking list, perhaps one specifically mentioned on the former website of the blocking site, you can be reasonably confident that only that person is posting a block list to that file, short of someone breaking into their computer and stealing their key. (Which if they are good enough to not store the private key in their computer, perhaps by writing it down and typing it or eventually even just memorizing it, isn't possible either.)

Therefore, Freenet is perfectly capable of filling this role. You may not know that "Person X" is accountable, but you can know "Key 7ch3babf83jcn1qws9c://rbl.txt is reliable, and by extension the owner of key 7ch3babf83jcn1qws9c is reliable." and that's good enough for all but the most paranoid folk... and even if it DOES go bad, you tell your software to ignore it and move on to something else.

In fact, Freenet is probably superior to HTTP because of the signing, esp. w/ memorized or physically written keys. (Hopefully conventional RBLs are already signing their lists and hopefully you're using the signitures; I don't know what the state of the art is because I believe RBLs are censorship [jerf.org] and do not use them. But I recognize not everyone agrees with this so discussing how to do them better and more securely doesn't give me too much cognitive dissonance.)

Also see the Freenet FAQ [sourceforge.net]. (Freenet's documentation seems to come and go; right now it seems to be at a low period. I remember better discussion pages for "What is an SSK?" but I can't seem to find them from the site now and Google searching for it gets swamped by references to actual SSK-addressed files.)

Anti-spam is Not rocket science ..

[fygment]

...really. How many unsolicited personal emails do you get that are important? Even if you're in an organization with a network, how many corporate emails are not from the company domain? Just filter out anything not from a known source be it your personal or business address book.

Our institution has a central broadcaster for corporate info. Any email for the general worker population is sent via that broadcaster. That's one filter. Coworkers another filter. Personal address book another filter.

That's it. Anyone else goes to Junk and that is checked every couple of days in a dedicated time slot. Nothing gets missed. And time isn't a factor because when was the last time you received some kind of deadline item from someone you didn't know?

Maybe a business has a few machines that really can't implement such a filtering scheme (eg. sales) but not everyone in a business has to be subject anonymous email solicitations. But at home it makes no sense that you have to be inconvenienced by spam. Just look at it statistically, how many emails have you had from addresses you didn't know, that mattered? OK maybe that Nigerian general with the account ...

Re:distributed.net rides again?

[The Troll Catcher]

That certainly sounds like freenet....

Freenet implementation is downright *trivial*

[Jerf]

It could revolutionize the way trusted data is passed if it works successfully for an RBL. I'd do it myself, but I'm beyond short of time, and brains for that matter :)

You're not short of time; creating the system you describe (assuming good client software) hardly takes longer then typing your post did.

1. Download, install, and run Freenet.
2. Download and install fcptools [sourceforge.net].
3. Instead of having your RBL list sourced from the HTTP net, have the RBL-client download the list periodically by running a quick invocation of fcptools.

Somebody has to publish it, but you could start by simply mirroring an existing list. The publisher's life is a little harder; they need to learn how to use SSK keys, get one, and learn how to post periodic content, but we're still talking half an hour. Moreover, you won't even necessarily be personally identifiable.

A Freenet implementation is not a pipe-dream that would take months of highly-skilled developer time to implement, it's something anybody could do in about half-an-hour, if the RBL clients are configurable enough to take the RBL lists from varying sources like a shell script and not just HTTP. I don't believe in RBL lists because I believe they are censorship [jerf.org], so I'm not going to do this, but it would take so little effort you'll be astounded. You could do it over a lunchbreak.

Re:Can't ISPs do something?

[Eggplant62]

Let me get this straight. The blocklists lists ISP's in ever widening circles, until their entire userbase is blocklisted, and then the blocklists get DDoSed, and ask for help from the very same ISP's that they blocklist, and trash in NANAE????

Yeah, that's what we expect, but what the hell, the ISP's are part of the problem, they don't mind raking in the extra bux from the spammers to keep them connected. It's just *business* after all. **spit**

ISP's make money hosting spammers so ergo to put spammers out of business cuts them out of a goodly sum of cash to keep their already failing businesses alive. It's all *so* much bullshit.

Matthew Sullivan from Osirusoft has a long record of trashing posters in NANAE, I suppose he conviently forgot that fact when he reported the DDoS. Any good investigator would of asked him, "do you know of anyone that would do you harm?". He's probably still writing that list out! I don't condone DDoSing anyone, but, you get what you give.

Wrong, get your facts straight. Joe Jared runs Osirusoft. Matthew Sullivan runs SORBS.org. The only thing he gave was a general derision for all the Average Joe's who thought they could run mail servers competently by opening a Microsoft Exchange box and installing the CD, or any other software, without giving any thought to reading the friggin' manual, no thought for whether or not that software was set up securely or whether their systems were fully patched.

Yeah, we should automatically assume everyone on the 'net is as competent as Matt Sullivan. Yeah, that's the ticket!