This article raises an interesting point. When a spammer successfully hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters [paulgraham.com] will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters [sourceforge.net] will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other half are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.
This is sad. :-( But! On the flip side. Can I buy a block of "scorched" IPs for cheap? To maybe host gaming servers? Lots of good profit making ways to use IPs; that don't include email.
Point me in the right direction; I'm ready!
Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs.
Duh, they just as quickly UNLEARN those same addresses when the sewage stops spilling. Bayesian classifiers have NOTHING to do with "scorched earth" network blocks, and never have.
The real problem is private access_db blacklists that someone tosses an address into, and forgets about it. The next guy that takes his admin job doesn't even know it's there.
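The forgotten private access_db entry described in the comment above is easy to audit for before a block is put back into service. The following is an added example, not code from anyone in this thread: it parses the text form of a sendmail access file (the real key/value syntax, where a dotted prefix such as 192.0.2 matches 192.0.2.0/24 on leading octets), lists every blocking entry that overlaps a block you are about to inherit, and shows which entry sendmail would actually apply to a given address, since the most specific key wins. The sample access file is constructed from documentation ranges and is not taken from any real server.

```python
import ipaddress

# Constructed sample of a sendmail access file (the text source for
# access_db). Documentation ranges only; not copied from any real server.
SAMPLE_ACCESS = """\
# blocked in 2003 after spam from a hijacked block; nobody remembers why
Connect:192.0.2          REJECT
Connect:192.0.2.77       OK
198.51.100               DISCARD
203.0.113.9              ERROR:"550 spam source"
From:spammer.example     REJECT
Connect:10.0.0           RELAY
"""

# Right-hand sides that cause mail to be refused or silently dropped.
BLOCKING_ACTIONS = ("REJECT", "DISCARD", "ERROR:")


def prefix_to_network(prefix):
    """Turn a sendmail dotted-prefix key (e.g. '192.0.2') into a network.

    sendmail matches IPv4 keys on leading octets, so '192.0.2' covers
    192.0.2.0/24 and a full address is a /32. Returns None for keys that
    are not IPv4 prefixes (hostnames, e-mail addresses, IPv6 keys).
    """
    octets = prefix.split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def parse_access(text):
    """Yield (lineno, tag, key, value) for each non-comment entry.

    Keys may carry a tag such as 'Connect:' or 'From:'; an untagged key
    applies to both the connecting address and the envelope sender.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        tag, sep, rest = key.partition(":")
        if not sep:
            tag, rest = "", key
        yield lineno, tag, rest, value.strip()


def address_entries(text):
    """Entries keyed by an IPv4 prefix that apply to connecting hosts."""
    out = []
    for lineno, tag, key, value in parse_access(text):
        if tag not in ("", "Connect"):
            continue
        net = prefix_to_network(key)
        if net is not None:
            out.append((lineno, net, value))
    return out


def entries_overlapping(text, cidr, blocking_only=True):
    """Access entries whose range overlaps the block you are inheriting.

    With blocking_only=True only REJECT/DISCARD/ERROR entries are returned,
    i.e. the stale denials the previous admin forgot about.
    """
    block = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for lineno, net, value in address_entries(text):
        if not net.overlaps(block):
            continue
        if blocking_only and not value.upper().startswith(BLOCKING_ACTIONS):
            continue
        hits.append((lineno, str(net), value))
    return hits


def effective_action(text, ip):
    """Action sendmail would apply to one connecting address.

    sendmail tries the full address first, then successively shorter
    prefixes, so the longest matching key wins. Returns None if no key
    matches at all.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for _, net, value in address_entries(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


if __name__ == "__main__":
    # Audit a block before bringing a new MTA up on it.
    for lineno, net, action in entries_overlapping(SAMPLE_ACCESS, "192.0.2.0/24"):
        print(f"line {lineno}: {net} -> {action}")
    print("192.0.2.77:", effective_action(SAMPLE_ACCESS, "192.0.2.77"))
    print("192.0.2.5:", effective_action(SAMPLE_ACCESS, "192.0.2.5"))
```

Run against the real file (usually /etc/mail/access) with the block you have been assigned; a non-empty result is a denial that will survive every DNSBL delisting you request, because it never left the local server.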
In an ideal world, Bayesian filters would unlearn the suspicious hosts and for those users savvy enough to be set up with one (or for those who use Mozilla), all would be good.
The problem is, once you've got your filter trained to > 99% accuracy and you're simply not accustomed to seeing false positives, you tend to rely on it too much.
My first email address was ads@netcom.com because my initials are ADS, and I've been dealing with spam since 1995 -- needless to say I'm good at manually filtering the s
We need something like Carfax for cars...list all the possible natural disasters and possible damage to an IP block, get a complete list of past owners and a concise list of previous uses. Get an idea of what you're getting into with a block.
Well said... I was hoping this recommendation was down this thread.
As I read through the responses here regarding blacklists, obviously it will be inherent that at least a good portion of mail administrators will quickly block the block...
Here's my 2 cents... have groups like ARIN who control the IPs and are informed as to when an IP hijacking has occurred... why don't they create a ~whitelist~ of sorts.
Effectively a centralized database of recently restored IP blocks that have been used illegally and