[linux-elitists] Spam spam spam spam

Karsten M. Self kmself@ix.netcom.com
Fri Feb 18 20:28:43 PST 2005


on Fri, Feb 18, 2005 at 03:42:32PM -0600, Rob McGee (list+Elite@nodns4.us) wrote:
> On Friday 18 February 2005 12:53, Aaron Sherman wrote:
> > On Thu, 2005-02-17 at 23:30, Karsten M. Self wrote:
> > > Spamhaus's dossier on MCI is here:
> 
> Thanks, Karsten, and another interesting page is the Top 10 list. 
> Without looking I bet anyone can guess who's Number One.
> 
> > >     http://www.spamhaus.org/sbl/sbl.lasso?query=SBL24036
> > >
> > >     157.130.205.94/32 is listed on the Register Of Known Spam
> > > Operations (ROKSO) database as being assigned to, under the control
> > > of, or providing service to a known professional spam operation run
> > > by Alan Ralsky.
> >
> > Damn. I was using Spamhaus specifically because they only listed
> > people who were known to originate spam (either because they were
> > zombies (XBL) or spam sources (SBL)). Either I was wrong, or they've
> > changed their policy to list groups punitively.
> 
> I don't see that as a punitive listing. The IP is known to be under 
> control of Alan Ralsky. If he or Ruslan Ibragimov or any other known, 
> unrepentant spammer was to sit at his computer and type a personal 
> message just to me, I would see nothing wrong with blocking it.

Agreed.  Aaron's reading w/o comprehension.
 

> > So, I'm back to the drawing board. Does anyone know of a DNSBL that
> > ONLY lists IPs that are known to be actively originating bulk UCE? I
> > really do want to be able to get legitimate mail, even if it's from
> > an email list retailer, spam software vendor, spammer's home system,
> 
> Here's where we apparently won't agree. Yes, it is true, at least in 
> theory, that a spammer might occasionally have something useful to 
> offer to me or to some other life form. I simply do not accept that 
> they have the right to access MY mail server unless / until they are 
> proven to be out of the spam business.

I'll go one step higher.

I've been using ASN and CIDR to track spam sent to my single-point ISP
account for the past year.  Caveats apply:  this is one non-average
Joe's experience, and I don't know what filtering my ISP is providing.

That said:

  - Fully 15% of all spam originates from a single identifiable ASN.  It
    happens to be KORnet, AS 4766.

  - In any given month, *25%* of spam originates from 3-8 ASNs (the
    number's been increasing of late, indicating less concentration).
    There's some fluidity here, but these are typically a mix of
    Chinese, Korean, and major US / EU / AU broadband providers.

  - *Half* of all spam comes from the top 25 - 30 sources.

By focussing antispam efforts on a *handful* of sources, we're talking a
major cut in all spam.  Extend that to both hands, feet, and maybe a
friend's digits, and you've got most of it.

I subscribe to the network hygiene theory of abuse:  spam, open relays,
bots, and other attacks originate from networks which can not or will
not clean up their neighborhoods.  It's up to the _rest_ of the Net to
clean up for them, and we _do_ have the tools to do so.

 

> > a child molester, delinquent dad, or someone who speaks out against
> > the government.
> 
> I agree that some of the RBL's I've seen do go overboard. AHBL, the  
> late monkeys.com, RFC-ignorant, five-ten-sg, JammDNS, UCEProtect, and 
> of course SPEWS. (I am SPEWS[1], BTW.) 

(*I* am SPEWS[1])

> Oh, and the worst I think I came across was Blars. But I disagree that
> it's wrong to prohibit direct access to email from known spam gangs.

In a world of probabilistic predictive spam filters such as
SpamAssassin, the more DNSBLs the better.  Each has a predictive value,
positive or negative.  Calibrated against a spam corpus, they can be
useful.  *And* the disposition need not be a block.  Delays or other
forms of countermeasures can be effective, and may be more useful at
getting dirty Nets to clean up (performance impedance).

Note too:  a DNSBL meets its listing policy.  RFC-Ignorant *IS* *NOT* a
list of spamming IPs.  It's a list of domains and IPs for which
RFC-required registration addresses are nonexistent or nonfunctional.
The predictive value of a postmaster/abuse listing is relatively low,
but it's generally not a good sign.

More examples of reading/playing without comprehension.  And you call
yourself elitists?

 
> Back to the Boulder Pledge: economic damage is really the only way 
> possible to stop spam. It has to begin to cost them more than they get 
> from it. With the cooperation of the providers on that Top Ten list, 
> it's really possible. Make and enforce punitive TOS. If someone spams 
> they're contractually bound to pay a huge fine. Shut 'em down and 
> collect.

Right.
 
> What this whole Cerf thing comes down to is that we are trying to apply 
> some pressure on MCI. I agree, it feels like we're unfairly singling 
> out Cerf, and I'm certain Vint is the kind of geek I would really like 
> to meet.
> 
> We discussed this on SPAM-L, too. It FEELS kind of mean, but it really 
> is justified. Everyone on Earth has ethical obligations. Cerf is in a 
> position where he could do some real damage to spammers. He's not doing 
> it, and in fact, making lame excuses as to why not.
> 
> I am hoping that this kind of ethical pressure on Cerf and MCI will do 
> some good. It might not. We'll see.

Right.
 
> > I'm so tired of the punitive responses of listing those "providing
> > service", "advertised by spam", netblocks with innocent users,
> > netblocks which are "not valid mail sources" according to whatever

Your call Aaron.  As is frequently stated on NANAE:  your network, your
policy.  My network.  My policy.

 
> I feel guilty about blocking dynamic IP space, but unfortunately it's 
> very effective, what with so much spew coming from zombies. Thanks to 
> Send Safe et al!

On this:  I griped loudly when AOL started implementing this.  I've
changed my PoV largely.  I *still* think that blanket blocks absent
signs of abuse should be avoided if possible.  However the measure is
effective.  The consequence is:  if you want to run your own SOHO
mailserver, buy service from an ISP who'll provide you with an IP
outside DUL/DYN space *and* clean from spam sources.  Yes, you'll
probably have to pay extra for this (though you may get lucky).

The average Joe, and even the average corp, has no business running a
mailserver, absent clue.  Sad but true.


--------------------
Notes:

1.  SLAPP Prevention Electronic Whitenoise System:
    http://twiki.iwethey.org/Main/SLAPPPreventionElectronicWhitenoiseSystem

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    It is kinda awkward to have this "vote stuffing" feature.
    - Diebold Electronic Voting Machine memos.
      http://www.scoop.co.nz/mason/stories/HL0309/S00106.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20050218/cbc76e54/attachment.pgp 
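The ASN/CIDR accounting Karsten describes above (share of spam from the
top ASN, from the top few, and the prefixes you would act on) as a worked
example.  This is added illustration, not code from the original message
or from any tool it names.  The prefix-to-ASN table and the Postfix-style
log lines are constructed from RFC 5737 documentation address blocks and
RFC 5398 documentation ASNs; a real run would load a BGP table dump and
your own smtpd log.

```python
"""Rank spam sources by origin ASN and measure how concentrated they are.

Added example, not code from the original message. Assumptions:
  - PREFIX_TABLE is a constructed prefix-to-ASN map built from the RFC 5737
    documentation blocks and RFC 5398 documentation ASNs; a real run would
    load a BGP table dump (route-views, RIPE RIS) instead.
  - LOG_LINES are constructed Postfix-style smtpd rejections, one per spam,
    with the connecting client's IP in square brackets.
"""
import ipaddress
import re
from collections import Counter

PREFIX_TABLE = {
    "192.0.2.0/24": 64496,
    "192.0.2.128/25": 64497,     # more-specific route: longest match must win
    "198.51.100.0/24": 64498,
    "203.0.113.0/24": 64499,
}

LOG_LINES = """\
Feb 17 23:30:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 554 5.7.1 blocked
Feb 17 23:31:45 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 554 5.7.1 blocked
Feb 17 23:33:10 mx postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 blocked
Feb 17 23:35:00 mx postfix/smtpd[1211]: disconnect from unknown
Feb 17 23:36:22 mx postfix/smtpd[1212]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 554 5.7.1 blocked
Feb 17 23:38:09 mx postfix/smtpd[1215]: NOQUEUE: reject: RCPT from unknown[192.0.2.59]: 554 5.7.1 blocked
Feb 17 23:40:51 mx postfix/smtpd[1218]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 blocked
Feb 17 23:41:30 mx postfix/smtpd[1219]: NOQUEUE: reject: RCPT from unknown[192.0.2.200]: 554 5.7.1 blocked
Feb 17 23:44:02 mx postfix/smtpd[1223]: NOQUEUE: reject: RCPT from unknown[192.0.2.71]: 554 5.7.1 blocked
Feb 17 23:45:19 mx postfix/smtpd[1224]: NOQUEUE: reject: RCPT from unknown[198.51.100.33]: 554 5.7.1 blocked
Feb 17 23:47:48 mx postfix/smtpd[1228]: NOQUEUE: reject: RCPT from unknown[203.0.113.15]: 554 5.7.1 blocked
Feb 17 23:49:03 mx postfix/smtpd[1230]: NOQUEUE: reject: RCPT from unknown[192.0.2.98]: 554 5.7.1 blocked
Feb 17 23:50:27 mx postfix/smtpd[1231]: NOQUEUE: reject: RCPT from unknown[100.64.0.1]: 554 5.7.1 blocked
Feb 17 23:52:14 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 blocked
Feb 17 23:53:55 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.250]: 554 5.7.1 blocked
Feb 17 23:55:41 mx postfix/smtpd[1239]: NOQUEUE: reject: RCPT from unknown[203.0.113.66]: 554 5.7.1 blocked
Feb 17 23:57:06 mx postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[192.0.2.120]: 554 5.7.1 blocked
Feb 17 23:58:38 mx postfix/smtpd[1243]: NOQUEUE: reject: RCPT from unknown[198.51.100.201]: 554 5.7.1 blocked
""".splitlines()

# First bracketed dotted quad on the line; "smtpd[1201]" has no dots so it never matches.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_ips(lines):
    """Pull the client IP out of each log line; lines without one are skipped."""
    return [m.group(1) for m in map(IP_RE.search, lines) if m]


def build_table(prefix_table):
    """Sort prefixes most-specific first so a linear scan does longest-prefix match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_table.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_asn(ip, nets):
    """Origin ASN for ip, or None when no covering prefix is in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None


def asn_counts(lines, prefix_table=PREFIX_TABLE):
    """Spam count per origin ASN (the None key collects unrouted sources)."""
    nets = build_table(prefix_table)
    return Counter(lookup_asn(ip, nets) for ip in extract_ips(lines))


def top_share(counts, n):
    """Fraction of all spam that the n busiest ASNs account for."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


def prefixes_for(asns, prefix_table=PREFIX_TABLE):
    """CIDR blocks to feed an access map once you have picked the ASNs to act on."""
    return sorted(p for p, asn in prefix_table.items() if asn in asns)


if __name__ == "__main__":
    counts = asn_counts(LOG_LINES)
    for asn, n in counts.most_common():
        print(f"AS{asn}: {n}" if asn is not None else f"unrouted: {n}")
    print(f"top 1 ASN:  {top_share(counts, 1):.0%} of spam")
    print(f"top 2 ASNs: {top_share(counts, 2):.0%} of spam")
    print("prefixes:", prefixes_for({asn for asn, _ in counts.most_common(2)}))
```

The longest-prefix match matters: a /25 carved out of a /24 and announced
by a different AS is common, and counting it against the covering /24
would pin the wrong network.  The None bucket is worth watching too; if
a large share of your spam lands there, your routing table is stale.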
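The point about DNSBLs as probabilistic evidence (each list has a
predictive value, positive or negative, once calibrated against a corpus;
RFC-Ignorant is a list of missing postmaster/abuse addresses, not of
spam sources; and the disposition can be a delay rather than a block) as
a worked example.  This is added illustration, not code from the original
message or from SpamAssassin.  The labeled corpus, the listing tables and
the zone names under example.net are constructed stand-ins for DNS
answers; nothing is queried.  The query-name construction (reversed
octets under the zone) is how DNSBL lookups really are formed.

```python
"""Weight DNSBL listings by their measured predictive value on a corpus.

Added example, not code from the original message. Assumptions:
  - CORPUS is a constructed, hand-labeled set of sender IPs from the RFC 5737
    documentation blocks; a real calibration would use your own spam/ham
    archive, keyed on the IP each message was received from.
  - LISTINGS is a constructed stand-in for DNS answers; the zone names are
    placeholders under example.net and no queries are sent.
"""
import ipaddress
import math

CORPUS = ([(f"192.0.2.{i}", "spam") for i in range(1, 11)]
          + [(f"198.51.100.{i}", "ham") for i in range(1, 11)])

LISTINGS = {
    # SBL-style list of known spam sources: hits spam, never ham
    "sbl.example.net": {f"192.0.2.{i}" for i in range(1, 8)},
    # dynamic/dial-up space: mostly zombies, but a couple of legitimate SOHO senders too
    "dyn.example.net": {f"192.0.2.{i}" for i in range(1, 7)} | {"198.51.100.1", "198.51.100.2"},
    # RFC-ignorant style (missing postmaster/abuse): lists spam and ham alike
    "rfci.example.net": {"192.0.2.8", "192.0.2.9", "192.0.2.10",
                         "198.51.100.3", "198.51.100.4", "198.51.100.5"},
    # whitelist: a listing is evidence *against* spam
    "wl.example.net": {f"198.51.100.{i}" for i in range(6, 11)},
}


def dnsbl_query_name(ip, zone):
    """Form the name a DNSBL client resolves: reversed octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on anything but IPv4
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, listings=LISTINGS):
    """Stand-in for resolving dnsbl_query_name(ip, zone) for every zone."""
    return {zone for zone, listed in listings.items() if ip in listed}


def calibrate(corpus=CORPUS, listings=LISTINGS):
    """Log-likelihood-ratio weight per zone: >0 predicts spam, <0 predicts ham, ~0 says nothing."""
    spam = [ip for ip, label in corpus if label == "spam"]
    ham = [ip for ip, label in corpus if label == "ham"]
    weights = {}
    for zone, listed in listings.items():
        hits_spam = sum(ip in listed for ip in spam)
        hits_ham = sum(ip in listed for ip in ham)
        # add-one smoothing: a list that never hit one class still gets a finite weight
        p_spam = (hits_spam + 1) / (len(spam) + 2)
        p_ham = (hits_ham + 1) / (len(ham) + 2)
        weights[zone] = math.log(p_spam / p_ham)
    return weights


def score(ip, weights, listings=LISTINGS):
    """Sum the weights of every zone that lists ip."""
    return sum(weights[zone] for zone in lookup(ip, listings))


def disposition(s, reject_at=2.5, defer_at=0.5):
    """Graded response: a temporary failure slows a dirty net without bouncing mail outright."""
    if s >= reject_at:
        return "reject"
    if s >= defer_at:
        return "defer"
    return "accept"


if __name__ == "__main__":
    w = calibrate()
    for zone, weight in sorted(w.items(), key=lambda kv: -kv[1]):
        print(f"{zone:18s} weight {weight:+.2f}")
    for ip in ("192.0.2.1", "198.51.100.1", "192.0.2.8", "198.51.100.6"):
        s = score(ip, w)
        print(f"{dnsbl_query_name(ip, 'sbl.example.net'):36s} score {s:+.2f} -> {disposition(s)}")
```

On the constructed corpus the RFC-ignorant style zone comes out with a
weight of zero: it hits spam and ham at the same rate, so a listing there
changes nothing, which is the "relatively low predictive value" point.
The whitelist gets a negative weight and can offset a dynamic-space hit.
Thresholds are a local policy decision; the defer band is where you put
lists you trust enough to slow a sender down but not enough to bounce.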