Anti-Spammers DDoSed Out Of Existence 677
Anonumous Coward writes "Not one, but two anti-spam services announced their closure yesterday due to DDoS attacks, massive Joe jobs, threats, and the total lack of interest shown by law enforcement. monkeys.com pulled the plug at midnight with an announcement that makes you think of a suicide note. Short time later compu.net went the very same way. So, when will we see a distributed RBL that can stand up to distributed attacks?"
distributed.net rides again? (Score:4, Interesting)
just wondering...ank
Re:distributed.net rides again? (Score:2)
Re:distributed.net rides again? (Score:4, Interesting)
How about a DNS name that resolves to one of 20 (50? 100? 1000?) different machines all of which are kept synchronized between themselves with RBL lists. Anyone who asks for RBL information, gets any one of the machines in the cluster. Including the DDOSers. How many machines can they DDOS simultaneously? (that's why I kept cranking up that number in the first parentheses) Not all of them, I hope, but the way to find out is to build up a DRBLnet. There has to be a positive use for all those Linux/BSD boxes attached to DSL and cable lines
Then if the RBL-client side is modified so that if it doesn't get a response very quickly it asks again (probably getting a machine that isn't currently being attacked...).
just spouting ideas...ank
Re:distributed.net rides again? (Score:4, Insightful)
Excellent idea! (Score:5, Interesting)
Why not kill 2 birds with one stone - promote a valid use of p2p, which removes some of the RIAA threat, while simultaneously frustrating spammers.
Re:Excellent idea! (Score:5, Insightful)
And then there's the nuisance factor...script kiddies chucking up their enemys' domains as spammers, adding aol.com, etc.
In order to establish trust, you'd have to have one of two things: 1) a trust authenticator, which is a central organization which can be shut down using DDOS and invalidated or 2) a web of trust, requiring admins to opt in to certain zone administrators' records, which would take quite a bit of time and would be very fallible.
Neither is that great an idea.
What IS a good idea is a distributed network of blocklists not like Kazaa, but like an IRC network or DNS. Trusted submitters are given powers like unto moderators to push information to a core set of servers, from which other servers pull their spam blocklists.
We could do this now, using the server mirroring system that already exists for things like Linux kernels. Hell, we could even maintain versioning, to back off mistakenly blacklisted domains.
Of course, the best idea will always be not to publish your email address and to guard it like a hawk. I get maybe 5 spam emails per day and that doesn't bother me at all.
Re:Excellent idea! (Score:3, Interesting)
Peer-to-Peer approaches to DNS-RBLs (Score:3, Insightful)
such as Usenet and Freenet and Gnutella and probably Kazaa, and it's not too hard to develop efficient data formats for baseline and incremental update and detail records (easier for IPv4 blocking than IPv6
Re:Excellent idea! (Score:3, Informative)
All you need to do is put a PGP signature on the list.
Re:Excellent idea! (Score:3, Interesting)
Consider that the exploit was in the wild for several weeks before the worms went out...
It`s safe to assume that people seriously interested in launching ddos attacks would have quickly begun compromising hosts as soon as they got hold of the exploit, and most likely patching those hosts against furthur compromise (to prevent the victims from cracking the hosts themselves and deleteing the ddos software)
So, lets assume a spammer compromises 20,0
Re:distributed.net rides again? (Score:3, Insightful)
If you can have distributed attackers, why not distributed targets?
See guys, (Score:3, Funny)
Re:See guys, (Score:3, Insightful)
I have an uncle who is a trucker. He was amused by this comment. He said the worst time on CB in his memory was from ~1977 to ~1982 or so, before that, truckers primarily used it, with respect for each other and some unwritten "rules". Then it became popular culture and was destroyed. After it "died", you would find it used primarily by truckers, with respect for each other......
Anyone use USENET or IRC before 1997? Gee, it would suck if the Internet died like this.
The Heavy Hitters Are Still Around (Score:5, Informative)
I'd never even hear of the two sites that closed down. Personally, I use Spamcop's DNSBL [spamcop.net], DSBL [dsbl.org], and ORDB [ordb.org].
-Lucas
Re:The Heavy Hitters Are Still Around (Score:3, Informative)
Re:The Heavy Hitters Are Still Around (Score:5, Informative)
Re: SpamCop paying $30K / year (Score:5, Insightful)
The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.
And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.
And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.
Nice going.
It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.
Proletariat of the world, unite to kill spammers
Re: SpamCop paying $30K / year (Score:4, Interesting)
Uh, No.
RoadRunner here in austin is now blocking spoofed packets, I'm sure they arnt the only one.
Most big name bandwidth providers are now rate limiting icmp.
Before anyone cries about this not being enough, I never said it was, I'm just arguing that they are doing something.
I'd rather they do too little than too much, and everyone here(slashdot, specificly your rights online section) should feel the same way. Which would you rather have, DDoS kiddies or every isp limiting you to port80 connections that arnt allowed to stay open longer than a minute and no more than 5 connections/min allowed?
Give us the choice and let the few abuse it and the many enjoy it.
Re: ISPs not doing enough (Score:3, Interesting)
But the ISPs on that netblock (Cox, Charter, Bellsouth, Adelphia, Verizon, et.al.) can not.
You should see my firewall logs...day after day, the same IPs from the same ISPs are hammering me. It is CLEAR nothing's being done.
Proletariat of the world, unite to kill spammers
Re:Can't ISPs do something? (Score:5, Interesting)
Exactly. This is what the Sobig trojan writer was commissioned to do, in my own personal belief. I've read some extensive analysis of what the Sobig trojan and some of the other recent worms that have been crushing the net, and they were explicitly designed to become tools of spammers and denial-of-servicing fleabags.
The sad part is that Ron Guilmette, the fellow who ran monkeys.com, has tried to get law enforcement and the ISP's where the DDoS was coming from interested in this problem and was pretty much rebuffed outright. FBI won't look at it, the ISP's are signing pink contract at double the usual rates at least to keep spammers connected and ignore complaints. No one is interested in helping with this and it's sad.
It's getting more and more like the Wild, Wild West every time I hook up to the 'net anymore. There are people complaining that they don't like the vigilante justice involved with running the DNSBL's. Imagine what your spam load would look like *without* the DNSBL's.
Or imagine the Pandora Project [sitetamer.com] coming to life.
Re:Can't ISPs do something? (Score:3, Informative)
Yeah, that's what we expect, but what the hell, the ISP's are part of the problem, they don't mind raking in the extra bux from the spammers to keep them connected. It's just *business* after all. **spit**
ISP's make money hosting spammers so ergo to put spamme
Re:The Heavy Hitters Are Still Around (Score:5, Insightful)
The blacklister provides information to various people who choose, on their own, to say "I do not like what you are doing, Mr. Spammer, and I will not allow you to use MY system to do it."
The DDOSer says "I don't like what you're doing, and I will not allow you to use YOUR system to do it."
Re:The Heavy Hitters Are Still Around (Score:3, Insightful)
Sure, and from a crook's point of view, the police are a DDOS. Conversely, if you find that argument reasonable, you are probably a crook.
The notion that providing information that individual ISP's are free to use as they choose is in some how equivalent to illegally hacking into private computers and using them to shut down somebody else's internet access is one that only a criminal would take seriousl
Sounds like a good use for Freenet (Score:5, Interesting)
Re:Sounds like a good use for Freenet (Score:4, Insightful)
Re:Sounds like a good use for Freenet (Score:4, Insightful)
If you don't trust it, don't use it.
Why is this concept so damn hard for people to understand? These lists are VOLUNTARY. Mail server admins are not forced to use them. They CHOOSE to use them because they are EFFECTIVE.
Your arguement about putting these lists on freenet hold no water. There's no way these files would go online without a PGP signature, and people downloading them would be stupid not to verify that signature. So long as you trust the signer, you're fine. If you don't trust the signer, don't use the file.
The distribution of the files can be completely automated to the point where an automated script can download the file, verify the signature, and load the contents of the file into a locally running DNS server (I'll even be so bold as to suggest rbldns, which comes with the djbdns distribution). The distribution network would be all but impervious to denial of service, since the only way to bring it down would be to DDoS anything running the freenet client.
Funny how people conveniently forget about these little details when it doesn't suit their arguement...
Re:Sounds like a good use for Freenet (Score:4, Insightful)
By the way, I don't have any beef with RBL lists. But I have a big problem with ISPs using these lists to reject mail. They should be used by end users, or perhaps by a mailadmin to reject mail to an entire domain. Or they should be used to mark mail as possibly being spam.
ISPs that use these lists to reject mail are being irresponsible, and are most likely doing it without the knowledge of their users. One false positive that gets dropped is one too many when your users don't know it is happening.
Re:Sounds like a good use for Freenet (Score:3, Informative)
It doesn't need to be anonymous, just available. SpamCop isn't anonymous. Spamhaus isn't anonymous. SPEWS is anonymous, but they probably don't need to be, and they already have someone who is *NOT* anonymous distributing their lists via PGP signed e-mail (see http://groups.yahoo.com/group/spews [yahoo.com]).
ISPs that use these lists to reject mail are being irresponsible, and are most likely doing it without the knowledge of their users. One false
Re:Sounds like a good use for Freenet (Score:3, Interesting)
Now there I disagree. It think it should be on by default, but with an easy way to turn it off, and the customer should be informed. Why? Simple, spammers spam because it is profitable. It is profitable because a small fraction of a percentage of lusers are stupid enough to send money for whatever product is being pitched. Those that are stupid enough to buy said products will probably not be able to figur
Re:Sounds like a good use for Freenet (Score:3, Informative)
And you would trust this file enough to block email based on it's contents??? Accountability is the biggest problem with RBLs, and moving it to a completely anonymous system would loose the last level of trust that they currently have...
Freenet is not a "completely anonymous system" in the sense you seem to be using it. While you can not trace a file back to the owner
Re:Sounds like a good use for Freenet (Score:3, Interesting)
Performance and robustness was evidently Waaaaaay down on the list of immediate goals for freenet.
I like the idea of freenet, but its got along way to go before it can withstand any kind of intelligent attack.
probable cause (Score:5, Insightful)
Re: (Score:3, Insightful)
Lively Hood (Score:3, Funny)
There better be no muthafuckaz tryin' to perp' shit against *my* homies in *my* lively 'hood. Might have to pop a cap in somebody's ass.
Re:Lively Hood (Score:3, Funny)
Lack of community... (Score:3, Insightful)
ANOTHER problem (Score:5, Insightful)
A lot, if not the vast majority of infected zombie attackers out there are located in asia pacific. Trying to track down the responsible admin, and then trying to get a response is -near impossible-. Language barriers, general apathy, it's all there. On top of that a lot of hosts in Korea have awesome pipe.
Seriously, people keep bandying about the idea of using freenet for distribution of blackhole lists, but it's probably absolutely THE best solution to the problems we're facing. The ISPs can only do so much, and when the lists are distributed from a central, known source.. well, we've seen the results of this.
I suggest one of us take up the cause of creating this freenet distribution system. It could revolutionize the way trusted data is passed if it works successfully for an RBL. I'd do it myself, but I'm beyond short of time, and brains for that matter :)
Freenet implementation is downright *trivial* (Score:3, Informative)
You're not short of time; creating the system you describe (assuming good client software) hardly takes longer then typing your post did.
Look on the bright side... (Score:5, Funny)
Like it or not... they work (Score:5, Insightful)
Using a spamtrap that using weighted scoring, like SpamAssassin or the like, you can use the data they provide combined with your other heuristics (and whitelists and bayes) to provide a much more accurate view of the overall picture.
--D
The US Constitution might give us an idea... (Score:3, Interesting)
Are we now supposed to "take up arms" against the SPAMmers ourselves?
William
massive Joe jobs? (Score:2, Insightful)
Re:massive Joe jobs? (Score:4, Informative)
Re:massive Joe jobs? (Score:5, Informative)
Re:massive Joe jobs? (Score:5, Insightful)
Think of spending all your time, energy, heart and soul developing a business (or organization), providing for it, gaining credibility and referrals, making a name and niche for yourself, however small. Imagine you're attempting to support and educate a family via that business.
Now imagine it all wiped away with no thought at all by anonymous monsters of greed.
That's precisely what happened to me. I'm actually not illiterate. I exercised care in building my site, selecting a host for it, making sure it ran Linux
Then I made the mistake of becoming ill. Over Christmas I spent six days in the hospital, and when I came home, a corresponding several days downstairs. They struck during that time. I returned to hundreds and hundreds of bounced messages, angry complaints, bitch-outs, whatever.
A call to the tech support people actually put a stop to the whole thing rather quickly. The spammers were using Sprint, and apparently Sprint lacks tolerance for these issues. I wrote to each and every person who'd bitched, swallowed my pride and explained who I was and what had happened. Some wrote back.
On the practical side, I have now a trusted friend who will look after things for me if I ever become ill again, and I will do the same for him. In fact the two of us may lease a server from a reputable company. That's a huge cost, but it may well be worth it.
On the emotional or impractical side, even eight months later I have an enormous amount of anger. Anger is often un-helpful, but I entertain visions of finding ways to inujure these people (not physically or by violence, but in their ability to do this). I visualize them financially ruined, humiliated in public, hounded out of their neighborhoods. I visualize attacks on their servers. That's all quite counterproductive. In order to deal with the anger part, I spend my spare time writing a novel in which a spammer is murdered. It's not half bad.
Regards,
Anne
Re:massive Joe jobs? (Score:5, Funny)
I'm half-wondering how you're going to work that out. My first thought was "murder mystery" but I found myself thinking that it would wind up something like this:
It seems sad on the surface, but I won't miss 'em (Score:3, Insightful)
Most (all?) of the "anti-spam" systems out there are very poorly thought out. The ratio of "collateral damage" to actual spams stopped is way too high. And who appointed these guys worldwide "email cops" anyhow? I know I didn't.
There has to be a better way to block spam than blackhole lists and the like! Maybe making it a Federal crime to buy anything from a spammer? Voila, no one buys from spammers, so spammers stop spamming the US...
Re:It seems sad on the surface, but I won't miss ' (Score:5, Insightful)
I myself had a runing with Anti Spam sites. For some bizzare reason the IP of my mail server was listed as a spam server. Which is BS as it's only ever used for personal mail.
It took 5 emails and 3 days to get my server IPs of the list.
It's a real bitch. Your mail bounces, you call the ISP that bounced your mail and they tell you that "such and such list", now you got to go to that list and request a removal. The problem is that many of the lists mirror additions but NOT removals. So you get added to one list and tada you're in 20 and got to remove yourself one by one...
Re:It seems sad on the surface, but I won't miss ' (Score:3, Insightful)
Hear, Hear. Effective blacklists with no practical collatarate damage actually exist, even if all the attention seems to gather around the overzealous(SPEWS) and stupid(AOL) blocklists.
dsbl.org [dsbl.org] open proxy/relay list, easy to get out once you fix the problem. very effective.
spamhaus.org [spamhaus.org] lists IP addressess known to belong to spammers. Not as effective as dsbl, but a nice compliment in case spammer decides to send mail directly inst
DDOS counters? (Score:2)
The zombie machines have been compromised by any number of holes or emails. It cold take quite a long time to build a solid network that could send out such coordinated attacks.
However,
Who's in control of e-mail? (Score:3, Interesting)
What I think is going to need to happen eventually is that e-mail is goin gto have to become a closed-system where ISPs have to pay to gain admission and risk ejection if the fail to control the Spam or other abuses coming out from their sources.
The fact is, any time you have an open unregulated communication system, the lowlifes are gonna be the ones who take it over...
Two Wrongs Make a Right (Score:3, Insightful)
Now, knowing that law enforcement WON'T do anything against this, what happens when we decide on vigilante justice and return the favor onto the spammers who DDOoSed them (it's an assumption)? Will the law suddenly perk up and seek those who struck back?
And what sort of example is this proving? That Law Enforcement doesn't matter/work with technology as the internet? Is this foreshadowing for the California Anti-Spam bill?
This is your typical example of hitting your little brother/sister back after s/he hit you and your mom catching you only citing "It's always the second person who gets caught."
Re:Two Wrongs Make a Right (Score:5, Insightful)
Does anyone know if law enforcement was even CONTACTED?
As a state prosecutor, I can charge DDoSers with felonies, but I need to be able to track them down, and I need a victim to report the crime.
So, when will we see a distributed RBL... (Score:3, Informative)
Re:So, when will we see a distributed RBL... (Score:3, Insightful)
Re:So, when will we see a distributed RBL... (Score:3, Insightful)
A digital signature on the RBL seems like an obvious solution? I'd trust a list signed by monkey.com but not by I'm-a-big-bad-spammer.com
Of course how the initial trust of the signer (not of the digital signature which would be chained) is established is a question but that question exists today.
Here's what cracks me up (Score:5, Insightful)
We've had a succession of Washington suits yakking on about Information Security, and Cyber War and The Great Potential Threat To Our Infrastructure, and yet when DDoS attacks actually happen, what do they do?
You guessed it. Squat.
There's no votes and no budget in actually fighting crime. There's plenty of capital to be made in selling up the threat, and in promising that you'll fix it, given just a little more time in office, and a slightly larger personal empire.
What I'd like to see is our Dictator of Homeland Security pinned down and made to explain why he's not doing something about the attacks that are happening now. If we can't defend monkeys.com from a DDoS from malicious assholes, how does he expect to believe that we're able to defend safety or economic critical infrastructure from the same kind of attack launched by the truly malevolent?
Re:Here's what cracks me up (Score:5, Interesting)
Suppose that the DDoS zombies used use a internet name instead of IP addresses.. Why not change the DNS for monkeys.com & compunet to a nice NSA or FBI address range
Then sit back and wait for this law-enforcement stuff to finaly kick in
Re:Because (Score:3, Interesting)
True, at least at first. But it wouldn't take them long to work it out.
A better solution, IMHO, would be to transfer the domain name to someone outside of the US, who he trusts, and let them point it to the FBI or something.
Re:Here's what cracks me up (Score:5, Informative)
From a google groups post here [google.com]:
If this is correct, I have no indication that it should not be, it looks like a total FBI fuck up.
(more info here [google.com])
Good riddance (Score:5, Interesting)
I'm sorry but some of these list maintainers are anal, (VERY) self-righteous, awful people who will not listen, not even when the person at the other end of the line is polite, patient, and takes a polite and amicable approach to the issue of getting removed from the blacklist (and punches a pillow after the phone calls and emails instead of being rude to the person).
I'm sorry but with the hell I had to go through to get removed (too much unwarranted ass-kissing, too much putting up with the "I'm only a volunteer" crap) I am only glad to see these anal a-holes go.
Re:Good riddance (Score:3, Insightful)
Hey buddy, I did not take away anything from you... You don't really believe what you are saying, do you? I think your statement is missing the element of reason.
I just hope you remember this the day someone steps in and forces it upon you what you can and cant do with your system.
The spam blockers already did, and that is what my message is all about. Did you know, for example, that some business are hosted by Earthlink an
What are we going to do? (Score:5, Insightful)
How can we take it back? If we can't, how can we replace it with something more resistant to these electronic malignancies?
I want instant communication with friends and colleagues all over the planet, but I don't want UCE. I want instant access to the world's knowledge on all topics, from crucial news to movie trivia, but I want it without viruses, interstitial ads, popups, spyware, and all that other crap.
By using Linux with some other specialized software, I have erected a defensive perimeter around my internet existence, so the tidal wave of garbage largely passes me by. But the walls need maintenance, and there always seems to be some new leak that needs plugging.
It's regrettable that we need to take such drastic measures, but what really worries me is that the need is increasing with time. Can you imagine the situation where 99% of your email is spam? Is there an alternative to giving up email entirely at that point?
Re:What are we going to do? (Score:3, Interesting)
For the time being, why not ressurect gopher, archie and implement a new IPv6 and a new trusted mail system (or even UUCP *icky!*), and just not tell anyone about it?
We're the geeks who run the mail servers. Who is to know if their MTA is changed, so long as users get their mail, they won't notice.
Re:What are we going to do? (Score:3)
The world isnt perfect. People certainly are not. If the biggest worry you have is virii, ads, spyware and other "problems" which are easily solved with a little common sense, go open a beer and enjoy your afternoon in the sunshine.
While millions starve and havent heard of computers.
Re:What are we going to do? (Score:3, Funny)
Re:What are we going to do? (Score:3, Interesting)
While I agree about the effect spamming has had on the Internet, I cannot disagree more about commercialization. Many sites, including Slashdot, could not exist without advertising.
For that matter, do you think access fees cover the cost of the backbone? If the entire Internet were paid for by access fees, everyone's connection would easily cost double or triple what it does n
I want X, but I don't want Y (Score:3, Insightful)
The unstated (but pervasively implied) follow-up to the above statement is "... but I don't want to actually have to pay for any of it".
Sure it's sad to see a service that you're familiar with and like to use (like the
Sorry sir, your wallet is too thin (Score:5, Insightful)
If a MMORPG gets cracked and the rich owners get inconvenienced for half a day, the FBI flips out and immediately mounts an investigation.
However, these guys are repeatedly DDoS'd and nobody cares.
It would seem that the government only cares about cybercrime when big cash is involved.
Re:Sorry sir, your wallet is too thin (Score:3, Informative)
Ron Guillemate (sic?)
compu-net
Steve Linford
Where's the hiding there?
I have the solution to spam. (Score:3, Interesting)
Instead of outlawing spamming, outlaw the purchace of products advertised with spam.
You could enforce this in a similar way to recent online gambling regulations that prohibit credit card companies from honoring transactions for online gambling. So if you sell your products using spam, you can't collect on the payment.
Also, you solve the jurisidction problem of outlawing spamming. Instead of just moving the spammers out of the country, you now discourage spammers from ever sending spam into the country because it would then become illegal for anyone to purchace their products.
And finally, it would discourage the 0.001% of people who are idiotic enough to respond to this crap. "You'll go to jail if you buy this." is just the kind of simplistic message that would get through to these people. When spammers stop getting replies, they won't have anyone to sell thier service to.
This is just an idea, so I'm sure there's a few problems with it. But maybe in order to combat spam, we need to stop trying to go after the spammers and start trying to just make it unprofitable for them to operate in the first place.
Re:I have the solution to spam. (Score:3, Insightful)
Instead of outlawing spamming, outlaw the purchace of products advertised with spam.
Sounds like a great way of killing competition - companies would just send spam pretending to be from companies with similar products.
Monkeys.com (Score:5, Interesting)
Really, if RBL's can be tricked to block good ISPs, and you get get the IP blocks removed, its flawed and needs to end service.
BTW, I know many people who are switching to whitelists, and even at work, whitelists for internal mail only cuts spam almost 100%. Even earthlink etc, sell whitelist features as a value added service.
Equality under the law (Score:3, Insightful)
But I understand that, especially now during our war against terrorism, law enforcement must prioritize, and go after bigger threats to our well-being.
I applaud John Ashcroft for realizing this, and using our scarce law enforcement resources to attack the real threats: Tommy Chong, the bong seller [dangerouscitizen.com], and porn that personally offends him [tvbarn.com].
If these anti-spammers were serious, they'd do the right thing and incorporate as for-profit companies and make the campaign contributions that would purchase them real police protection. That they haven't makes it clear to me that they have no reason to expect law enforcement to take them seriously.
Good Riddance (Score:3, Interesting)
They couldn't run the damn things right, its probably disgruntled ISP's and not spammers who are DoS'ing them right now. And rightly so.
Here is an idea!! (Score:3, Funny)
This guy just can't catch a break.
I won't miss email black lists. (Score:5, Informative)
As you might have guessed I have no love for RBL type services. I think their hearts are in the right place, but I'm tired of getting caught in the cross-fire. Since at some point, in order to benefit spammers have to be contacted by consumers, law enforcement should be able to track them down. I'd love to see that sort of thing become common. I can't see a technological solution even with a complete overhaul of how email works. I like the fact that a stranger can email me if they like. I just want to see legal limitations on that contact to prevent spam.
The FBI (Score:3, Informative)
High time for MTA licensing. (Score:3, Insightful)
I think we need to implement a system where operators of MTA software need to be licensed, just like radio operators. The licensing should be open to anyone. The rules need to be:
1. The licensee's MTA is only allowed to receive email from their own network to forward, and only receive email from other licensed MTAs from outside their network.
This means that licensed MTAs will reject email from adsl-1-2-3-4.somebigisp.com, but will accept email from mail.somebigisp.com. A cryptographically signed list is distributed containing the list of MTAs that are licensed.
2. If a licensed MTA operator's MTA is used to send spam or viruses, the MTA operator has their license suspended. Egregious violations can be punished by fines, or in extreme cases, imprisonment.
3. ISPs (as opposed to an MTA run by an individual or a small company) would have to be licensed themselves to send email, and hire only licensed MTA operators to run the mail gateway. If an ISP is guilty of allowing spam or malware through their MTA, they can lose their MTA license, and in egregious cases, be fined.
Licensing exams must relate to MTA operation best practise, rather than the specifics of operating a particular piece of MTA software. Licensees will be expected to learn how to properly configure and test their software before putting it online. Hopefully, the risk of a license suspension/revocation will provide ample incentive to ensure the MTA is configured correctly.
Licensing rules would have to be agreed by international treaty. The licensing authority should probably be national governments, but could be the administrator of the DNS TLD for the full DNS name of the MTA in question.
Effectively, licensing will be a big whitelist of mail server operators who have a minimum mandated level of clue, and a code of conduct enforced by the rule of law.
In the early days of road vehicles, there were no drivers licenses. However, you'd have to be nuts to argue that driver's licenses (and most are internationally recognised) are a bad thing these days. The same really needs to go for mail servers - doing nothing at all is no longer an option. In the last 48 hours, Exim on my server has rejected just under 3000 instances of the Swen worm and SpamAssassin has canned 400 spam emails. Indications are that it will ONLY get worse. Rewriting SMTP won't help - we need proper rules about email, and proper remedies that can be applied (license revocations, fines, imprisonment) when people fail to follow those rules. With proper MTA licensing, ISPs will ensure they can properly identify all users and can so punish people who try and abuse their MTA, instead of just ignoring the problem like they do now. I'm beginning to wonder if email is worth it any more unless measures like this are put in place.
In the short term, ISPs can help by blocking all outbound port 25 access apart from their mail gateway. Slashbot whiners who don't like this can stump up for a business broadband account and a static IP if they really must run their own MTA.
Distributed RBLs (Score:3, Insightful)
More to the point, given that it's certainly doable with plain old DNS: why don't we have one already?
Let's say I run a DNSBL server on a domain I own, "bl.dnsblacklist.com" say. How hard would it be to allow volunteers, preferably at large corporates and ISPs to download the entire zonefile contents via DNS AXFR (or whatever), in return for hosting a mirror server complete with another A record for "bl.dnsblacklist.com"?
I would get to vet the applicants, because they would need to contact me first to acquire the necessary permissions required get access to the zonefile. If I don't trust the applicant to be 100% legit, or get evidence they have misused the data (which, at then end of the day is just a list of IPs that have sent spam), then it's access denied. There are some potential problems with this that I can see though. We still have a limited number of IPs for the distribution of the zone files to the slaves, so it would possible to DDOS those, unless that role could be safely distributed too.
Note: this occurred to me while reading the article, so I almost certainly have missed some potential holes. Still, it does seem a way for a DNSBL provider to gain some resiliance for free if those holes can be plugged. Comments?
I'm taking my ball and going home (Score:5, Interesting)
*WARNING* If you're the type of person that can't handle any critism of the open-source/technical community, even from within, you might want to skip to the next message.
There's a funny thing that's been going through my head for years now which these two closures seems to be a part of.
Technical people don't make good administrators.
Years ago when I was in high school I used to run a BBS (bulletin board service - pre popular internet networks of computers). Every few months a SysOp (System Operator, the people in charge) would have a meltdown, send out a message telling everyone how much he'd (there were no women ;-) suffered, how ungrateful the users were and that he was shutting down to teach everyone a lesson.
Nobody ever learned a lesson, and I never felt the lesson they were trying to teach was particularly valuable.
I'm suspicious that this is a natural weakness of any system that relies on volunteer labour. If people don't have a strong (unfortunately usually economic) incentive to continue something, they're more ready to throw in the towel when the seas get rough.
We've all seen open-source projects die where the maintainer spits bile about no one contributing, no companies offering them cushy jobs where they can work on the project, etc, etc, etc. See the story about the Linux Router Project [slashdot.org] for an example of this.
As a non-technical example, a friend of mine was a volunteer firefighter and he got into the profession when just about every firefighter in his small town quit and they needed to replace the force. A baby had died at a fire they were fighting, and none of them had been able to deal with it, so they quit. Professional firefighters have all undoubtedly had the experience of someone dieing in a fire they were fighting, but you wouldn't expect their whole department to give up afterwards...
With both of these lists, sure denial of service sucks. Given. When you rovide a service for free you expect acolades, guys buying you beers and women offering you their virginity. Best case, sure. But sometimes things aren't going to go your way and it seems so easy to close up shop, which can really screw people there were relying on you.
If Slashdot started suffering sustained dos attacks, you can be sure that they'd figure out a way to get through it, or just button down the hatches until the attacks end. They're earning their livelihoods from this site, so they aren't going to give up on it easily.
Maybe this is something that we should be upfront about as a community. When a service/product is free (as in speech), future extension/maintenance/existance are never guaranteed, and the only thing you're actually getting of value is whatever is there right now. If the service is something necessary that becomes worthless the instant it stops being maintained (rare, but certainly the case in some instances, such as with these two lists or with things like BBSes), than maybe volunteer labour isn't the way to provide it.
So why are you compounding the disincentive? (Score:4, Insightful)
Who wants to become a volunteer in a world where if your efforts fail you will be seen as a failure and if they succeed you will be seen as an entitlement?
Re:I'm taking my ball and going home (Score:4, Insightful)
1) While his servers are under a DDoS attack, nobody can use them, which means the blacklist is basically useless. This is why it's called "denial of service" - the ability to use the service is being denied.
2) The only technical way to withstand a DDoS attack while still continuing to provide service is to increase your bandwidth so you have enough to handle both the attack and legitimate requests. This costs a LOT of money. Another poster mentioned that SpamCop spent $30,000 on this. SpamCop has paid subscriptions (I'm a subscriber myself); Monkeys.com does not. Do you have an extra $30,000 lying around that you could donate? I don't.
3) The non-technical solution is to go through law enforcement. He contacted the FBI, and they didn't know what he was talking about. Perhaps he should keep trying, but due to the nature of the attack, I'm not sure the FBI could help if they wanted to - there's no way to track who is responsible for the attacks, so there's nobody to prosecute for a crime.
Law enforcement. (Score:3, Insightful)
Lets put the effort into stuff that works (Score:4, Interesting)
The ideal (in my mind) anti-Spam 'tool chain' would be RMX and Bayesian filtering along with per-user white listing for messages that are flagged by those systems. A per-domain blacklist of "sites vouch for Spam via RMX" could be created and done on a somewhat distributed system, rather then an IP based system.
Anyway, here's how I would design a distributed blacklist type system. First of all, it would be based on RMX rather then IP space. That way people who are forced to share IP space with spammers don't get screwed. Users of the system could flag mail as 'legitimate' or they could flag it as 'Spam' legit email is sent in only as a counter, and actual Spam is forwarded to a central system. Unlike Kazza or whatever, we wouldn't need to worry about getting shut down by the RIAA so some centralization is OK.
No one person would decide what to 'blacklist' rather, simple counts of spam/non-spam could be retrieved by users. People running mail servers could see the Spam that they supposedly sent and, erm, repent
How do you prevent DDoS? Well, honestly I think the best solution would be to have users pay a small fee going towards hosting on something like Akami. That would be a lot simpler then trying to setup and manage the security of a distributed redistribution system.
We might also have an identity verification system to prevent spammers from faking thousands of accounts to fuck up the averages.
Monkeys.com/Ron Guilmette did TWO useful things (Score:5, Insightful)
Ron made periodic posts to news.admin.net-abuse.email in which he listed the top 40 proxy abuse-source IPs. He also contacted the ISPs from which the abuse originated and was successful in getting many of these to boot the spammers (which is a big reason spammers wanted to put him out of business, it would seem.)
Ron was making real and substantial progress toward ridding the net of spam - even if you never heard of him he was helping you, and the help I speak of had none of the flaws of blocklists.
Spammers look about everywhere on the net, seeking abusable open proxies. That means proxypots will succeed almost anywhere on the net. Just about anyone can help identify spammer IPs and get the spammers thrown off their ISPs. Ron's Top 40 list was a nice bonus and it helped show which ISPs were responsive and which protected spammers. Similar information from a single site (yours, if you'd do it) would be also have great value.
I'd direct you to the Bubblegum proxypot web page but that, too, seems to be down. There's still something you can do even if you don't run a proxypot. If you have a software firewall on your system you can find the log entries for rejected proxy connection attempts. Chances are great that those were made by a spammer. Report the attempt to the appropriate ISP. I'd also suggest letting your ISP know: if spammers are looking in your ISP's space for abusable proxies the ISP can take protective actions. Your ISP also may have greater clout with the spammer's ISP - at least it's worth a shot.
To the mattresses! (Score:3, Interesting)
The only solution is all out war!
The problem is that spammers have a significant financial motivation to act in the ways that they do.
Spam fighters, on the other hand, are fighting back and providing services mostly out of the goodness of their hearts. (Check me if I'm wrong, but i've never seen an article on the lavish lifestyles built by opposing spam.) This means that unless we can come up with an *unbreakable* technological solution the spammers will always win the war: they have a financial motivation to fight harder than we do.
The solutions I've heard proposed sound more like problems than solutions: central governing bodies, a regulated internet, pay-per-email, etc all make my crypto-libertarian instincts nervous. If we don't want our commons taken away, we have to defend it ourselves!
So how can we win against an enemy with superior motivation? We need to take away their motivation! We can't ever win by fighting the spammers, so lets start fighting the people funding them!
We need to (legally) DOS the resources of those who are benefitting from spam. This is going to require maturity and restraint in the heat of battle, but if we attack the wrong people, we will be no better than the spammers. Let me propose the following:
Benefits and prerequisites... :) This is where it is key to have high profile trusted and respected figurehead. If Joe Blow organises this on his dsl line, his access gets cut off and the feds disapprove. If an innocent party is wronged than he probably goes to jail. If, on the other hand, ESR organises it, public opinion on the net will massively oppose federal pressure against him and commercial pressure (ie his access being cut off) is much less likely.
Speed is of the essence. Attack must respond to take down target before any profit is made. Scale is important as well. Volume of traffic must decimate servers even on fat pipes (or at least cause high bandwidth $$$ usage). It might even be possible to DOS 1-800 numbers if every subscriber was willing to place a call and complain.
Would all this be illegal? Certainly as a whole the intent is to DOS the target and therefore is illegal. I could even imagine RICO coming into play (this is after all an organized conspiracy to commit a crime). However the actions of those subscribing to the service are not illegal (IANAL, someone else comment). After all, I (as subscriber) am just saving a highly recommended commercial resource for later perusal!
I realise that there is lots of hand waving going on here. But I firmly feel that this may be an instance to fight fire with fire, fight outlaws with vigilante justice, etc. We need to claim our space for our productive use and not for other's pollution and decimation. Fighting spammers directly is like "fighting terrorism". Attacking those who provide the incentive is like taking the battle to host countries of terrorism; a much more likely strategy.
Anti-spam is Not rocket science .. (Score:3, Informative)
Our institution has a central broadcaster for corporate info. Any email for the general worker population is sent via that broadcaster. That's one filter. Coworkers another filter. Personal address book another filter.
That's it. Anyone else goes to Junk and that is checked every couple of days in a dedicated time slot. Nothing gets missed. And time isn't a factor because when was the last time you received some kind of deadline item from someone you didn't know?
Maybe a business has a few machines that really can't implement such a filtering scheme (eg. sales) but not everyone in a business has to be subject anonymous email solicitations. But at home it makes no sense that you have to be inconvenienced by spam. Just look at it statistically, how many emails have you had from addresses you didn't know, that mattered? OK maybe that Nigerian general with the account
Re:Double-edged sword (Score:2)
Re:Double-edged sword (Score:5, Informative)
Re:Double-edged sword (Score:2)
Re:Double-edged sword (Score:5, Funny)
Wasn't it the anti-spam service that got hit? (Score:2, Insightful)
got hit here. The spammers won, or am I missing something?
Magnus.
Re:Heh heh (Score:2)
So I say DDoS them Back! Spammers have always operated outside the realm of good-and-proper. And people act like that generally meet an unfortunate end.
There was a
Re:SPEWS RIP? (Score:2)
If those lists start going down, I may have to set up a DNS locally and download/make my own zone files. Now, how many admins are probably going to be doing something similar? How many of those are ISPs that have cleaned up their act going to have to contact? How many are actually going to remove those IPs?
Re:SPEWS RIP? (Score:2)
Comment removed (Score:4, Interesting)
Re:SPEWS RIP? (Score:3, Interesting)
I presume your ISP was harboring spammers. That's assuming you are not a spammer. ISPs that harbor spammers do get a chance to terminate them (unless it is a well known spam gang). If they don't, it's probably because the ISP needs a financial incentive to do so. SPEWS provides that. All customers of such ISPs are indirectly supporting the harbored spammers when they pay their ISP bill.
You don't have to use SPEWS if you don't want to. The opportunity to know and understand how SPEWS works, so those w
Re:DDos (Score:3, Interesting)
Why not create some form of public repository to display IP's currently being used in Zombie-based DDOS attacks?
If anyone wants to help me form something more concrete, my jibberished email address should be display above.
How about contacting SANS or maybe Security Focus? (Would this work best as a mailing list perhaps?)
Re:Good. (Score:3, Insightful)
A lot of the mail I sent out was comming back with notes that it was sent from a black-listed server and therefor was not going to be delivered. As it turned out my host company, was guilty of having open ports and had at one time hosted a spam site. The result was that every IP in their IP block ended up on a black list including mine.
Since my host won't fix their servers, and I can't get my IP removed from the black lists, I'm moving the website to a better host.