[linux-elitists] Spam spam spam spam
Karsten M. Self
Fri Feb 18 20:28:43 PST 2005
on Fri, Feb 18, 2005 at 03:42:32PM -0600, Rob McGee (list+Elite@nodns4.us) wrote:
> On Friday 18 February 2005 12:53, Aaron Sherman wrote:
> > On Thu, 2005-02-17 at 23:30, Karsten M. Self wrote:
> > > Spamhaus's dossier on MCI is here:
> Thanks, Karsten, and another interesting page is the Top 10 list.
> Without looking I bet anyone can guess who's Number One.
> > > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL24036
> > >
> > > 126.96.36.199/32 is listed on the Register Of Known Spam
> > > Operations (ROKSO) database as being assigned to, under the control
> > > of, or providing service to a known professional spam operation run
> > > by Alan Ralsky.
> > Damn. I was using Spamhaus specifically because they only listed
> > people who were known to originate spam (either because they were
> > zombies (XBL) or spam sources (SBL)). Either I was wrong, or they've
> > changed their policy to list groups punitively.
> I don't see that as a punitive listing. The IP is known to be under
> control of Alan Ralsky. If he or Ruslan Ibragimov or any other known,
> unrepentant spammer was to sit at his computer and type a personal
> message just to me, I would see nothing wrong with blocking it.
Agreed. Aaron's reading w/o comprehension.
> > So, I'm back to the drawing board. Does anyone know of a DNSBL that
> > ONLY lists IPs that are known to be actively originating bulk UCE? I
> > really do want to be able to get legitimate mail, even if it's from
> > an email list retailer, spam software vendor, spammer's home system,
> Here's where we apparently won't agree. Yes, it is true, at least in
> theory, that a spammer might occasionally have something useful to
> offer to me or to some other life form. I simply do not accept that
> they have the right to access MY mail server unless / until they are
> proven to be out of the spam business.
I'll go one step higher.
I've been using ASN and CIDR to track spam sent to my single-point ISP
account for the past year. Caveats apply: this is one non-average
Joe's experience, and I don't know what filtering my ISP is providing.
- Fully 15% of all spam originates from a single identifiable ASN. It
happens to be KORnet, AS 4766.
- In any given month, *25%* of spam originates from 3-8 ASNs (the
number's been increasing of late, indicating less concentration).
Though there's some fluidity here, but these are typically a mix of
Chinese, Korean, and major US / EU / AU broadband providers.
- *Half* of all spam comes from the top 25 - 30 sources.
By focussing antispam efforts on a *handful* of sources, we're talking a
major cut in all spam. Extend that to both hands, feet, and maybe a
friend's digits, and you've got most of it.
I subscribe to the network hygiene theory of abuse: spam, open relays,
bots, and other attacks originate from networks which can not or will
not clean up their neighborhoods. It's up to the _rest_ of the Net to
clean up for them, and we _do_ have the tools to do so.
> > a child molester, delinquent dad, or someone who speaks out against
> > the government.
> I agree that some of the RBL's I've seen do go overboard. AHBL, the
> late monkeys.com, RFC-ignorant, five-ten-sg, JammDNS, UCEProtect, and
> of course SPEWS. (I am SPEWS, BTW.)
(*I* am SPEWS)
> Oh, and the worst I think I came across was Blars. But I disagree that
> it's wrong to prohibit direct access to email from known spam gangs.
In a world of probabalistic predictive spam filters such as
SpamAssassin, the more DNSBLs the better. Each has a predicitve value,
positive or negative. Calibrated against a spam corpus, they can be
useful. *And* the disposition need not be a block. Delays or other
forms of countermeasures can be effective, and may be more useful at
getting dirty Nets to clean up (performance impedence).
Note too: a DNSBL meets its listing policy. RFC-Ignorant *IS* *NOT* a
list of spamming IPs. It's a list of domains and IPs for which
RFC-required registration addresses are nonexistant or nonfunctional.
The predictive value of a postmaster/abuse listing is relatively low,
but it's generally not a good sign.
More examples of reading/playing without comprehension. And you call
> Back to the Boulder Pledge: economic damage is really the only way
> possible to stop spam. It has to begin to cost them more than they get
> from it. With the cooperation of the providers on that Top Ten list,
> it's really possible. Make and enforce punitive TOS. If someone spams
> they're contractually bound to pay a huge fine. Shut 'em down and
> What this whole Cerf thing comes down to is that we are trying to apply
> some pressure on MCI. I agree, it feels like we're unfairly singling
> out Cerf, and I'm certain Vint is the kind of geek I would really like
> to meet.
> We discussed this on SPAM-L, too. It FEELS kind of mean, but it really
> is justified. Everyone on Earth has ethical obligations. Cerf is in a
> position where he could do some real damage to spammers. He's not doing
> it, and in fact, making lame excuses as to why not.
> I am hoping that this kind of ethical pressure on Cerf and MCI will do
> some good. It might not. We'll see.
> > I'm so tired of the punitive responses of listing those "providing
> > service", "advertized by spam", netblocks with innocent users,
> > netblocks which are "not valid mail sources" according to whatever
Your call Aaron. As is frequently stated on NANAE: your network, your
policy. My network. My policy.
> I feel guilty about blocking dynamic IP space, but unfortunately it's
> very effective, what with so much spew coming from zombies. Thanks to
> Send Safe et al!
On this: I griped loudly when AOL started implementing this. I've
changed my PoV largely. I *still* think that blanket blocks absent
signs of abuse should be avoided if possible. However the measure is
effective. The consequence is: if you want to run your own SOHO
mailserver, buy service from an ISP who'll provide you with an IP
outside DUL/DYN space *and* clean from spam sources. Yes, you'll
probably have to pay extra for this (though you may get lucky).
The average Joe, and even the average corp, has no business running a
mailserver, absent clue. Sad but true.
1. SLAPP Prevention Electronic Whitenoise System:
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
It is kinda awkward to have this "vote stuffing" feature.
- Diebold Electronic Voting Machine memos.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20050218/cbc76e54/attachment.pgp
More information about the linux-elitists