[linux-elitists] Re: are cursed IPs contagious?

Chip Salzenberg chip@pobox.com
Thu Jan 22 10:26:35 PST 2004


According to Eugen Leitl:
> Spammers do use anonymous remailers, though probably not too many
> (not too many know how to create a properly formatted message).

Spammers are smarter on average than they used to be, mostly due to
natural selection -- the stupid ones can't keep up with the arms race.
But there aren't enough anonymous remailers in the world to make them
a generally attractive target, esp. compared to the virus/proxy vector
that's been working so well for spammers.  So I agree you won't be
under constant abuse; whack-a-mole is probably a workable strategy.

> There's a valid abuse address and a simple method to block
> (block-destination) to prevent harassment from that egress point,
> though that's opt-out.

Here's my advice: Don't even *mention* or *hint* to complainers that
opt-out is in any way a viable way to deal with spammers.  It doesn't
scale, from the victim's point of view, and they're sick of hearing it
from spammers and spammer apologists.  I know that I go from irritated
to angry when somebody tells me to opt out when I never opted in.

> I haven't looked at what gets delivered, but there's been a high
> worm/virus load on the address, which imo was clearly malicious in
> intent. I blocked all Windows executables at MTA level, and the
> problem has gone away.

Good.  You may also want to block incoming mail using the automatic
traffic-driven blocklists, e.g. CBL (cbl.abuseat.org, also available
as xbl.spamhaus.org) and Spamcop.  There's no vindictive or predictive
listing with them, AFAIK, they're all about blocking IPs where spam or
an 0wn3d machine has been actually observed.  Not that Spamcop doesn't
make mistakes.  AFAICT, the CBL has never had a false positive for me.

> I don't mind if the second IP gets blacklisted. It's in the nature of the
> thing. What I'm wondering is whether there's a way of telling that the IP is
> bound to an interface also hosting another IP.

There are ways to make it a little harder to see that the two IPs
are one machine.  Make sure that SMTP banners, telnet banners (if
any), and ssh keys are different.  Make sure that SMTP bounces look
different, too, depending on the source IP.  Hell, you'd probably be
well-advised to run different *daemons* (e.g. postfix and exim).
-- 
Chip Salzenberg               - a.k.a. -               <chip@pobox.com>
"I wanted to play hopscotch with the impenetrable mystery of existence,
    but he stepped in a wormhole and had to go in early."  // MST3K
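Added example, not part of the thread: a minimal DNSBL check of the kind Chip recommends above, against the zones he names (xbl.spamhaus.org, cbl.abuseat.org, Spamcop). The listing-code meanings and the bl.spamcop.net zone name are assumptions from those lists' public documentation; the resolver is injectable so the constructed answers below stand in for real DNS.

```python
import ipaddress
import socket
from typing import Optional

# Zones named in the mail. Listing-code meanings are assumptions taken from
# the zones' public documentation, not from the thread itself.
ZONE_CODES = {
    "xbl.spamhaus.org": {"127.0.0.4": "XBL (CBL data: compromised host seen spamming)"},
    "cbl.abuseat.org": {"127.0.0.2": "CBL listed"},
    "bl.spamcop.net": {"127.0.0.2": "SpamCop listed"},
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone

def _system_resolve(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:       # NXDOMAIN: the IP is not listed
        return None

def dnsbl_lookup(ip: str, zone: str, resolve=_system_resolve) -> Optional[str]:
    """Return the listing code (an A record in 127/8) or None if not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    try:
        ok = ipaddress.ip_address(answer) in LOOPBACK
    except ValueError:
        ok = False
    # A genuine DNSBL answer is always inside 127.0.0.0/8. Anything else means
    # a dead or wildcarded zone (or a hijacking resolver) and must NOT count as
    # a listing, or the MTA quietly starts rejecting all mail.
    return answer if ok else None

def check_sender(ip: str, zones=tuple(ZONE_CODES), resolve=_system_resolve):
    """First zone that lists ip, as (zone, code, reason), or None."""
    for zone in zones:
        code = dnsbl_lookup(ip, zone, resolve)
        if code is not None:
            reason = ZONE_CODES.get(zone, {}).get(code, "listed with code " + code)
            return zone, code, reason
    return None

# Constructed answers standing in for real DNS so the example runs offline.
FAKE_ZONE_DATA = {
    "4.3.2.1.xbl.spamhaus.org": "127.0.0.4",   # 1.2.3.4: compromised host
    "8.3.2.1.cbl.abuseat.org": "127.0.0.2",    # 1.2.3.8: listed at the CBL
    "7.0.0.10.bl.spamcop.net": "8.8.8.8",      # 10.0.0.7: bogus non-127/8 reply
}
def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)
```

Wire `check_sender` into the MTA's connect-time policy with the system resolver; the 127/8 sanity check is what keeps a retired or wildcarded zone from turning into a self-inflicted outage.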