I'd say that is quite conservative, frankly. Sonic's inbound spam
volume exceeds 30% by a long shot, probably closer to 2/3, if not
higher. (Don't feel like doing the math right now.)
As you can see, the messages rejected at our MTA (non rfc, sender domain
resolution, RBL and our locally maintained blacklists) at times even
exceeds the volume of mail that is accepted for delivery.
Now, after that, we see an additional 60% is tagged as Spam by
SpamAssassin.
We don't have a good explanation why Sonic sees so much more SPAM
volume than what other ISPs report. We speculate that this could be due
to our age and long term customer base but we really don't have a clue.
-k <k...@sonic.net>
> I'd say that is quite conservative, frankly. Sonic's inbound spam
> volume exceeds 30% by a long shot, probably closer to 2/3, if not
> higher. (Don't feel like doing the math right now.)
A rough check of my two MTA hosts indicates somewhere around 5:1 to 10:1
rejection. In other words for every ten connections attempted for
delivery of email to my network, one is actually accepted for delivery.
Of those that are actually accepted for delivery, around one in five is
spam.
> As you can see, the messages rejected at our MTA (non rfc, sender domain
> resolution, RBL and our locally maintained blacklists) at times even
> exceeds the volume of mail that is accepted for delivery.
At my site, that is always the case. The rejects (based upon similar
checks as you mention, e.g. non-rfc-conforming, bad sender domain, RBL,
and local reject list) always exceed delivered messages by at least
five-to-one...and as indicated above tends toward twice that ratio.
> We don't have a good explanation why Sonic sees so much more SPAM
> volume than what other ISPs report. We speculate that this could be due
> to our age and long term customer base but we really don't have a clue.
We are not an ISP, but handle a goodly amount of email traffic for a
teapot operation. We have been handling email since the late eighties.
An associate who maintains an MTA for a .mil site reports to me that he
started getting nailed with spam in about the same ratios as we are a
number of months ago. Before then, he had very little. Apparently, the
spamming community has decided that .mil addresses are no longer charmed
and are open season with the rest of us.
--
John Higdon | Email Address Valid | SF: +1 415 428-COWS
+1 408 264 4115 | Anytown, USA | FAX: +1 408 264 4407
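The connection-time checks both posters above list (non-RFC HELO/sender syntax, sender-domain resolution, an RBL lookup and a local blacklist) are easy to sketch as a policy function. The following is an added example, not Sonic's or anyone else's MTA code; DNS is hidden behind a resolver callable so it runs offline, and the zone name "rbl.example.invalid", the fake DNS table and the sample sessions are all constructed.

```python
"""Connection-time rejection policy of the kind described in the thread:
non-RFC HELO/sender syntax, sender-domain resolution, RBL lookup and a
local blacklist. Added example, not Sonic's or anyone's actual MTA code.
DNS is abstracted behind a resolver callable so the example runs offline;
the zone name "rbl.example.invalid" and all sample data are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 5321 is stricter than this, but this catches the common garbage:
# local-part@domain with a dotted domain of letters/digits/hyphens.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
_HELO_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

Resolver = Callable[[str, str], Optional[list]]  # (name, rrtype) -> answers or None


@dataclass
class Policy:
    resolve: Resolver
    rbl_zone: str
    local_blacklist: set  # sender domains or client IPs, as strings

    def rbl_name(self, client_ip: str) -> str:
        # An RBL is queried by reversing the IPv4 octets under the list's zone:
        # 203.0.113.9 listed in rbl.example.invalid -> 9.113.0.203.rbl.example.invalid
        octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
        return ".".join(reversed(octets)) + "." + self.rbl_zone

    def check(self, client_ip: str, helo: str, mail_from: str) -> tuple:
        """Return (accept: bool, smtp_reply: str) for one MAIL FROM."""
        if client_ip in self.local_blacklist:
            return False, "554 5.7.1 client IP on local blacklist"
        if self.resolve(self.rbl_name(client_ip), "A"):
            return False, "554 5.7.1 client IP listed in " + self.rbl_zone
        if not _HELO_RE.match(helo):
            return False, "501 5.5.2 HELO must be a fully qualified hostname"
        if not _ADDR_RE.match(mail_from):
            return False, "501 5.1.7 bad sender address syntax"
        domain = mail_from.rsplit("@", 1)[1].lower()
        if domain in self.local_blacklist:
            return False, "554 5.7.1 sender domain on local blacklist"
        # Sender domain must resolve: an MX or, failing that, an A record.
        if not (self.resolve(domain, "MX") or self.resolve(domain, "A")):
            return False, "450 4.1.8 sender domain does not resolve"
        return True, "250 2.1.0 sender ok"


# Constructed stand-in for DNS so the example runs offline.
_FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("example.net", "A"): ["192.0.2.10"],
    ("9.113.0.203.rbl.example.invalid", "A"): ["127.0.0.2"],  # 203.0.113.9 is listed
}


def fake_resolve(name, rrtype):
    return _FAKE_DNS.get((name.lower(), rrtype))


POLICY = Policy(fake_resolve, "rbl.example.invalid", {"spam-domain.example", "198.51.100.7"})

# Constructed sample sessions: (client_ip, helo, mail_from)
SAMPLE_SESSIONS = [
    ("192.0.2.1", "mail.example.com", "alice@example.com"),        # clean
    ("203.0.113.9", "mail.example.com", "bob@example.com"),        # RBL-listed client
    ("192.0.2.2", "pc", "carol@example.com"),                      # non-RFC HELO
    ("192.0.2.3", "mx.example.net", "dave@nonexistent.example"),   # sender domain does not resolve
    ("192.0.2.4", "mx.example.net", "eve@spam-domain.example"),    # sender domain blacklisted
    ("198.51.100.7", "mx.example.net", "frank@example.net"),       # client IP blacklisted
]


def run_samples(policy=POLICY, sessions=SAMPLE_SESSIONS):
    """Evaluate every sample session; returns a list of (accept, reply)."""
    return [policy.check(*s) for s in sessions]


if __name__ == "__main__":
    for sess, (ok, reply) in zip(SAMPLE_SESSIONS, run_samples()):
        print("ACCEPT" if ok else "REJECT", sess, reply)
```

The order of checks matters for cost: the local blacklist and RBL are decided before any work is spent on the envelope, and the sender-domain check uses a temporary failure (4xx) so a transient DNS outage does not permanently bounce legitimate mail.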
Less customer turnover too, probably. I've used the same email address
for almost 10 years and have a few others forwarded that are closer to
20 years old and they all get massive amounts of spam. Mail addresses
seem to go on spam lists but never come off, so the longer an address
has been active, the more spam it is going to get (though beyond 10
years or so it probably doesn't matter).
Yep, IMO there are 3 golden rules in dealing with spam:
1) Get a good ISP which efficiently rejects the worst of the mass
attacks. In my recent experience, Sonic is good, Pacbell and Earthlink
are ho-hum, and AOL is awful.
2) Have a junk email address which you give to anybody you don't
trust. (Usenet, or any non-reputable e-commerce site, for example).
Check this email only when you expect something specific. I use AOL
for this purpose, because it lets me delete the junk email addresses
and create new ones, in a few seconds.
3) Change your "real" (precious) email address every 2 years or so.
This takes considerable effort in informing all legitimate
correspondents, but it's ultimately the only sure way to avoid the
ravages of mailing list entropy.
> 2) Have a junk email address which you give to anybody you don't
> trust. (Usenet, or any non-reputable e-commerce site, for example).
> Check this email only when you expect something specific. I use AOL
> for this purpose, because it lets me delete the junk email addresses
> and create new ones, in a few seconds.
I've never understood what good this does. Only check it when you are
expecting something? In twenty years of email, I have discovered that
the unexpected email sometimes carries the greatest impact. So it would
appear that in using a "junk email address", you are going to have to
choose between wading through the spam anyway to make sure you don't
miss anything, or let some possibly important communications slip
through the slats. I don't see either option as particularly useful.
> 3) Change your "real" (precious) email address every 2 years or so.
> This takes considerable effort in informing all legitimate
> correspondents, but it's ultimately the only sure way to avoid the
> ravages of mailing list entropy.
And what do you do with the old address? Have it just bounce emails so
that you appear to vanish off the face of the earth without a trace?
Again, I receive unexpected emails from senders about whom I have
forgotten. Sometimes these emails contain important news of past
associates, or more significantly, opportunities for legitimate work or
investment.
It would appear that those two suggestions would be useful only to those
who don't actually find email to be an essential form of communication.
>We don't have a good explanation why Sonic sees so much more SPAM
>volume than what other ISPs report. We speculate that this could be due
>to our age and long term customer base but we really don't have a clue.
>
>-k <k...@sonic.net>
I have an anecdotal guess(tm). It's the length of the email address.
I've had the same email address je...@comix.santa-cruz.ca.us since
before Al Gore invented the internet and messages were delivered with
a bang(!). I get a moderate amount of spam which gets filtered by
various rule sets. However, I also have several other email addresses
that are equally well known and much shorter in length. They easily
get over four times as much spam. It's been like this for at least
the last 10 years. My guess(tm) is that the email harvesting
algorithms are somehow ineffective, indecisive, or buggy on longer
email addresses. Perhaps it's the number of periods in the address
that breaks the email address harvesters software. Dunno.
Also, I have a secret X.400 email address that gets zero spam. My
guess(tm) that's because the conversion to domain addressing results
in a 50 character email address. The address also changes depending
upon what I'm sending and what I'm trying to accomplish with the
message. Of course, few mailers know what to do with an X.400 email
address and everything goes through an email gateway.
http://www.sprintbiz.com/small_business/messaging/about.html
http://www.alvestrand.no/~hta/x400/
Therefore, to reduce spam, it would be necessary for Sonic.net users
to complicate their email addresses by adding multiple sub-domains.
Since almost everything is done with a mouse click instead of a
keyboard these daze, methinks it would not be a serious inconvenience.
Some concern on limiting line lengths for mailing lists might be worth
watching.
Something like:
je...@five.four.three.two.one.sonic.net
would probably be effective.
Drivel: Many years ago, I had this really clever idea. Then I
assigned a printer name, I also assigned an email address to the
printer so that email addressed to print...@mycustomer.com would end
up getting printed directly to the printer. It was handy and had many
uses, especially for computer phobic upper managers. The feature was
embedded in my SCO OSCR5 admin scripts.
Then came dictionary spam attacks, where the spammer would try various
common user names at a company's mail server. Eventually, someone
threw in common printer names and all hell broke loose. Some printers
started belching spam directly. Spam email printouts were interleaved
between accounting report sections and pick lists. Even the UPS
shipping printer was belching dot matrix spam. I was just out of the
hospital at the time and not thinking very clearly. Somehow, I got
the idea that the spammers had figured out how to embed a print
command in their junk mail. Eventually, I figured out what happened
and disarmed the direct email -> printer feature.
--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
(831)421-6491 pgr (831)336-2558 home
http://www.LearnByDestroying.com WB6SSY
je...@comix.santa-cruz.ca.us je...@cruzio.com
One could also consider disposable address services such as Sneakemail.
Give out the "real" address only to personally known correspondents and
other trusted sources. Any sort of list, usenet posting, etc gets its
own separate address. If managed properly, this can basically eliminate
spam to the real address, changing the disposables when they get
particularly flooded, and also has the advantage of showing you which of
the places you give out your address lead to the most spam harvesting (
Usenet is among the worst, but a simple address munge works surprisingly
well).
> If managed properly, this can basically eliminate
> spam to the real address, changing the disposables when they get
> particularly flooded, and also has the advantage of showing you which of
> the places you give out your address lead to the most spam harvesting (
> Usenet is among the worst, but a simple address munge works surprisingly
> well).
This is the conventional wisdom, but it is becoming increasingly
obsolete. I have never munged my Usenet return address, so I have been
able to track spamming attempts pretty well. Usenet is now down in the
noise when it comes to harvesting from what I can see. I could count on
the fingers of one hand the amount of spam addressed to my Usenet
identity in the past couple of years.
What I have seen is a major upswing in supposedly reputable companies
selling email addresses. I can track this because I give every company
with which I do business a unique email address. For instance, one of
the worst is Cingular. Give them your email address at your peril. You
will be deluged with weight loss scams, refinancing frauds, and all the
usual spam-o-rama in addition to a constant barrage of Cingular
promotions.
The bulk of spam today, by far, comes from spam houses who have set up
major email servers systems for the express purpose of filling your
mailbox with crap. The kitchen table spammer who uses open relays or
stealth programs is becoming extinct, but he is rapidly being replaced
with well-financed operations that send spam out into cyberspace with
more fury than ever before.
Many ISPs regularly (PacBell is one) market their user lists to these
spam factories. What this means is that no matter how diligently you
protect your email address, the spammers will get it anyway.
I agree. They're also projecting that the number of spam messages will
exceed the number of legitimate messages (as an aggregate statistic)
sometime next year. I think that's a pretty clear sign that there needs
to be some significant restructuring not only on the legal front but also
on the technology front. And I don't mean more filtering. Filtering is
great, but it still means that an enormous amount of bandwidth and cpu
time are wasted. The SMTP protocol is by its very design over-trusting.
That was fine in its original application, where everyone on the network
knew each other.
As I see it, the biggest problem is that we are essentially stuck with this
antiquated protocol because so many people are already set up to use it.
A new mail protocol would require *everyone* to change their software, which
is not exactly feasible. But, in order for the spam problem to go away,
that's what's going to have to happen. And it would happen at the expense
of some privacy, which is another problem. As is usually the case, severe
commercialization ruins just about everything.
Filtering is great, but it irritates me that so many resources have to be
wasted on it. It's not like postal junkmail, either, since the "postal
spammers" actually pay postage to send their crap.
[snip]
> We don't have a good explanation why Sonic sees so much more SPAM
> volume than what other ISPs report. We speculate that this could be due
> to our age and long term customer base but we really don't have a clue.
I suspect that's most of it. I've had one of my personal domains for about
7 years now and it receives an enormous amount of spam. One address in
particular, which has been valid for the entire time, received more spam
than all of my other domains combined. When I eliminated that address, I
eliminated most of my inbound spam along with it. It's amazing how much
the spammers attach to the old-but-still-valid addresses. My hope is that
after a few years of bouncing everything sent to that address, it will
eventually become usable again. Wishful thinking, I'm afraid.
-Bill
Perhaps a change to the standards is in order. GPS coordinates of the
sender must always be included in the message header. Let's see how many
people spam .mil addresses then... ;-)
-Bill
I've been doing this for years. I have a domain that I use specifically
for the purpose. Every time I register for something or order something
that requires an e-mail address, I create a new address at that domain.
Eventually, I'm going to put together a s*** list of who is the worst about
selling their list of addresses.
-Bill
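Several posters above hand out one address per correspondent and watch which ones start drawing spam. The following added example (not Bill's or anyone else's deployed code) does that and goes one step further than the posts: each address carries a short HMAC of the correspondent's label, so a harvester who sees one tagged address cannot mint others, and mail to an address that was never handed out is immediately recognisable as a guess rather than a leak. The domain "tags.example.org", the key and the sample messages are all constructed.

```python
"""Per-correspondent ("disposable") addresses with a keyed tag, plus a
tally of which correspondent leaked. Added example, not anyone's deployed
code. The domain, key and sample messages are constructed."""
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-example-key-rotate-me"  # assumption: one key per domain
TAG_DOMAIN = "tags.example.org"
MAC_LEN = 8  # hex chars of the HMAC kept in the address


def make_address(correspondent: str, secret: bytes = SECRET) -> str:
    """cingular -> cingular.1a2b3c4d@tags.example.org (tag depends on the key)."""
    label = correspondent.lower()
    mac = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    return f"{label}.{mac}@{TAG_DOMAIN}"


def parse_address(addr: str, secret: bytes = SECRET):
    """Return the correspondent label if addr is a validly tagged address,
    None if it is for our domain but the tag is wrong or missing (a guessed
    or forged address), and raise ValueError for other domains."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != TAG_DOMAIN:
        raise ValueError("not a tag-domain address: " + addr)
    label, _, mac = local.rpartition(".")
    if not label or len(mac) != MAC_LEN:
        return None
    expected = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    return label if hmac.compare_digest(mac, expected) else None


def attribute_leaks(messages):
    """messages: iterable of (rcpt_to, is_spam).
    Returns (Counter of spam per correspondent, count of guessed addresses)."""
    leaks = Counter()
    guessed = 0
    for rcpt, is_spam in messages:
        label = parse_address(rcpt)
        if label is None:
            guessed += 1          # nobody was ever given this address
        elif is_spam:
            leaks[label] += 1
    return leaks, guessed


# Constructed inbound sample: legitimate mail, spam to two handed-out
# addresses, and two messages to addresses that carry no valid tag.
SAMPLE = [
    (make_address("cingular"), True),
    (make_address("cingular"), True),
    (make_address("cingular"), False),
    (make_address("bookshop"), True),
    (make_address("friend"), False),
    ("cingular.00000000@tags.example.org", True),   # forged/guessed tag
    ("bob@tags.example.org", True),                 # plain dictionary guess
]

if __name__ == "__main__":
    leaks, guessed = attribute_leaks(SAMPLE)
    for label, n in leaks.most_common():
        print(f"{label}: {n} spam")
    print(f"{guessed} messages to addresses never handed out")
```

Because the tag is keyed, the MTA can reject untagged or mis-tagged local parts at RCPT time, which is exactly the traffic a dictionary attack generates, without maintaining a list of every address ever issued.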
Do you have anything to back up this claim? I've never heard of cases where
it could be substantiated that a "real" ISP did anything like this - most
have privacy policies that would forbid it. Of course, I'd guess that free
and other ad-supported ISP offerings probably do this sort of thing.
--
Dane Jasper Sonic.net, Inc.
(707)522-1000
mailto:da...@sonic.net http://www.sonic.net/
Key fingerprint = A5 D6 6E 16 D8 81 BA E9 CB BD A9 77 B3 AF 45 53
> Do you have anything to back up this claim? I've never heard of cases where
> it could be substantiated that a "real" ISP did anything like this - most
> have privacy policies that would forbid it. Of course, I'd guess that free
> and other ad-supported ISP offerings probably do this sort of thing.
I don't have court documents, but many people have told me that they
have received spam for addresses days after creating them and before
giving them to anyone. Some deep-throat types have indicated that
PacBell participates in such activities, and indeed, that was one of the
providers named by those who reported early spam.
As far as privacy policies go (and a very substantial item on my list of
reasons I don't trust ISPs with my Internet housekeeping), such
documents are merely legal protection when the ISP turns over one's
private information, in the domain of "you were warned". Every one I
have ever read is a laundry list of ways the ISP will violate the
customer's privacy for marketing and other purposes. The latest one I've
read is the infamous Yahoo "privacy policy", which should actually be
labelled a "marketing policy" or "data mining policy".
Hell, at Sirius (who probably made a bundle selling the name to the
internet radio outfit), I requested a second address when they offered it.
Instead of setting it up in a couple of hours, they took over 24 hours and a
couple of phone calls. I had sent one test message to it before they opened it
up. Due to the delay and the phone calls, the Sirius tech also sent two test
messages.
When I opened the box for the first time, it contained my test message,
the two from the tech and three pieces of spam. Andreas, their then (and last)
CEO, who used frequently to answer support questions in person, elected not to
answer my e-mail where I asked if he had a kinder explanation than someone
inside selling the address as fast as it was generated.
Nearly half the spam I filter is from Asia and in Asian languages (Korean and
Chinese predominantly).
Lucky you -- the Brazilians haven't found you yet. Since I have no
foreign contacts to speak of, I now filter .ch, .tw, .kr, .br, .za (another
recent heavy hitter) plus the jerk at humboldt1.com who apparently has me on
his Klez-A-Day list.
>John Higdon <no-...@amadeus.kome.com> wrote:
>: Many ISPs regularly (PacBell is one) market their user lists to these
>: spam factories. What this means is that no matter how diligently you
>: protect your email address, the spammers will get it anyway.
>
>Do you have anything to back up this claim? I've never heard of cases where
>it could be substantiated that a "real" ISP did anything like this - most
>have privacy policies that would forbid it. Of course, I'd guess that free
>and other ad-supported ISP offerings probably do this sort of thing.
Tech companies don't give a crap about privacy and security. It's the
industry I'm in.
Sales Department: "Company XYZ is complaining that you only sent them
3000 e-mail addresses."
Me: "Only 3000 people opted-in."
Sales Department: "We sold 20 million addresses."
Me: "I can't do that. The legal department just had me upgrade the
opt-in system and it would clearly violate the privacy contract there.
Besides, we don't have 20 million e-mail addresses anyway."
Sales Department: "Send it anyway."
Me: "No. Call the legal department."
Cubicle neighbor on phone: "...Sure, I can make that list. I bet Kevin
could do it faster... OK, but I'm really busy so it will take a
while..."
Me: "Hey! Wait a minute!"
Repeat the above conversation with six different PHBs, an executive or
two, and then repeat again in a large meeting. Company lawyer comes
back from lunch and gets pounced by angry PHBs.
Keep in mind that many spammers will use account names/logins on
different domains. If you have an account name that others may
have, you can expect spam when you may have done "all the right
things" in avoiding name harvesting.
Tim
--
"A mass in movement resists change of direction. So does the world
oppose a new idea. It takes time to make up the minds to its value
and importance. Ignorance, prejudice and inertia of the old retard
its early progress. It is discredited by insincere exponents and
selfish exploiters. It is attacked and condemned by its enemies.
Eventually, though, all barriers are thrown down, and it spreads
like fire. This will also prove true of the wireless art."
- Nikola Tesla in 1908
Hmm. I assume you mean .cn, which is China. .ch is Switzerland. On my
personal mail server (which handles mail for myself, a few friends, and
some family members), I not only block all of these TLDs (in addition to
a few others), but I also block (via firewall rules) all of the addresses
allocated to APNIC. I wouldn't dream of doing something that drastic
on a public server, but it's worked wonders for me since I implemented it.
Just since yesterday when I rebooted my mail server, I've already blocked
about 250 attempts by spammers in Asia.
The problem is that the ISPs in foreign countries simply don't care at all
about spam. By far, the worst are Korea, China, Brazil, and Taiwan. Mexico
is not too far behind either.
I first started firewalling the Korean addresses about 4 years ago when I
was running my mail server on a dedicated 33.6k dial-up connection. They
would frequently try and send mail to a, aa, aaa, aaaa, aaaaa, ab, abb, etc.
which put a pretty severe performance damper on my limited connectivity.
That's the beauty of being the "network dictator," I suppose.
-Bill
That goes along with what I've read. The US spam factories actually
distribute from overseas points because they have trouble finding
domestic providers that will continue to provide them with bandwidth.
>In article <eieqvukh94k8uiqq5...@news.lmi.net>,
> John R Pierce <sp...@is.invalid> wrote:
>
>> >The bulk of spam today, by far, comes from spam houses who have set up
>> >major email servers systems for the express purpose of filling your
>> >mailbox with crap. The kitchen table spammer who uses open relays or
>> >stealth programs is becoming extinct, but he is rapidly being replaced
>> >with well-financed operations that send spam out into cyberspace with
>> >more fury than ever before.
>>
>> Nearly half the spam I filter is from Asia and in Asian languages (Korean and
>> Chinese predominantly).
>
>That goes along with what I've read. The US spam factories actually
>distribute from overseas points because they have trouble finding
>domestic providers that will continue to provide them with bandwidth.
China is a major source of US spam. The ISPs there are poorly organized
and staffed by clueless admins so they're easy to use to abuse. China
at least tries to stop spam.
Korea is its own massive spam factory. ISPs there encourage it, even
offering spamming tools and services. Korea's spamming lists are still
young but they send much more spam to each e-mail address than the rest
of the world combined. I still can't believe that my ISP hasn't blocked
them yet.
Are you sure that the .ch spam wasn't actually Verio's unipxnet.ch
spamhaus? That has nothing to do with Switzerland. ARIN record
NET-66-97-96-0-1 is entirely fake.
> John Higdon <no-...@amadeus.kome.com> wrote:
> : Many ISPs regularly (PacBell is one) market their user lists to these
> : spam factories. What this means is that no matter how diligently you
> : protect your email address, the spammers will get it anyway.
>
> Do you have anything to back up this claim? I've never heard of cases where
> it could be substantiated that a "real" ISP did anything like this - most
> have privacy policies that would forbid it. Of course, I'd guess that free
> and other ad-supported ISP offerings probably do this sort of thing.
Dotster used to, but apparently doesn't now. Too late; they ruined one
of my favorite addresses, so I'm with DomainDiscover now.
Steve
--
Steve Fenwick Anti-spammed address: steve (at) stevefenwick (dot) com
As a test, I set up a couple of new hotmail accounts a while ago.
The username on one of them is, well, let's call it USER1. From the
web searches I've done, USER1@anything has never existed, except that
there was one Usenet posting from US...@my-deja.com a couple of years
ago. The combination is unusual enough that I have no reason to
believe that it ever existed anywhere else.
The username for the second account, USER2, is a basically random
combination of numbers and letters, and I have no reason to believe
that it has ever been used anywhere at any time.
For both accounts, I was extremely careful to opt out of anything that
might publish or share my address with anyone.
US...@hotmail.com has received 102 pieces of spam since July 1, and
started receiving spam within 48 hours of the account creation.
US...@hotmail.com has never received a single piece of spam.
What can we conclude from this? Well, it seems quite likely that
spammers are trying every-user...@hotmail.com, and almost
certainly at other major ISPs and email providers. That's not
really news, though... it's been happening for a while now.
We can't conclude that PacHell *isn't* selling addresses, though we've
certainly proven that there are ways that an unpublished email address
could get near instantaneous spam, with no wrongdoing on the part of
the ISP. In fact, if your address was sold, it seems likely that
there would be a longer lag between creation-time and spam-time. It
seems more likely that anyone selling addresses would be grabbing a
monthly database dump, rather than handing out individual addresses as
they're created.
OTOH, databases can be sold without the involvement of the
corporation. All it really takes is one rogue sysadmin who is pissed
at the company, or who just wants some extra money, and boom... your
address is a commodity. In fact, I'd be willing to bet that this is a
much more common scenario than legit businesses selling your address.
-Patti
--
Patti Beadles |
pat...@gammon.com |
http://www.gammon.com/ | If you're not living on the edge
or just yell, "Hey, Patti!" | you're taking up too much space.
My filters consist of SpamAssassin 2.43 + RBL + njabl + 1 extra
SpamAssassin recipe that tags 'daily promotions'. Now I need one for
eopinions. ;-/
That's what I saw, FWIW. I started receiving spam some time after using
the address (a few times) via an ISP's SMTP server. It took me a while
to figure out how it could possibly be getting spammed, and that's the
only plausible explanation I could come up with.
We call this a "Rumplestiltzkin attack". They're ongoing - we sense them
based upon number of bad guesses, and blackhole the harvester.
If you'd turn on our SpamAssassin feature, they'll be blocked and placed in
a likely spam graymail box, as you know. Or, if you want to get fancy with
procmail, you can just route them to /dev/null!
Obviously, we can't blackhole a country - I'd think that some of our
customers have friends, relatives, and business associates there.
I documented this at the "Email Abuse Roundtable 3" (Falls Church,
Virginia) in October 6, 1999. At Brightmail, we noticed that a
significant percentage of spam was being relayed through machines
in South Korea and China. We didn't see that behavior about a year
earlier. It looked as if this was a result of folks being more diligent
about closing down open relays in the US and Europe. We still saw
spam coming in from dial-up accounts in US ISPs, but they were
relayed through Asian MXs.
There was some press coverage at this event then...
http://www.cnn.com/TECH/computing/9910/11/kill.spam.dead.idg/index.html
[...]
Another trend indicates growth in spam originating outside
the U.S., according to Pozar, who cited South Korea as one
of the current countries of choice for foreign spammers.
[...]
It actually should have said "foreign distribution of spam".
We still see this method of distribution today. The infamous spam from Bill
Simon, the candidate for California governor in the last election, was
distributed in this manner.
Tim
--
Snail: Tim Pozar / LNS / 1978 45th Ave / San Francisco CA 94116 / USA
POTS: +1 415 665 3790 Radio: KC6GNJ / KAE6247
> Patti Beadles <pat...@mauve.rahul.net> wrote:
> : What can we conclude from this? Well, it seems quite likely that
> : spammers are trying every-user...@hotmail.com, and almost
> : certainly at other major ISPs and email providers. That's not
> : really news, though... it's been happening for a while now.
>
> We call this a "Rumplestiltzkin attack". They're ongoing - we sense them
> based upon number of bad guesses, and blackhole the harvester.
I blackhole address guessers as well. However, a couple of months ago,
there was a dictionary attack on my servers for a particular domain.
Every hour, there would be hundreds of failed "RCPT TO:" commands with
every name you can imagine...on both servers. The origin IP would be
dutifully blocked and then the next hour there would be another wave,
but from a different address that was unrelated to the previous one.
According to ARIN, these IP addresses not only had nothing in common,
they were assigned to different countries.
In essence, there was no way to shut this attack down. Every hour, it
was a whole new ballgame. After a week of this (twenty-four hours a
day), I turned off "verify" for that particular domain, meaning that my
servers would appear to accept any username for delivery. Within a day,
the dictionary attacks stopped.
This incident (not repeated since) convinced me that today's spammers
are a very sophisticated and dedicated lot.
FWIW, I have a Pacbell email address that has never been used for
anything and the only spam I get at this address is a monthly Pacbell
newsletter. Also, I used to modify my email reply address for usenet
posting with an extra .no.spam., etc but that trick is not as effective as
it used to be. I found that spam to my account would skyrocket every
time I posted to usenet.
Regards,
David
> FWIW, I have a Pacbell email address that has never been used for
> anything and the only spam I get at this address is a monthly Pacbell
> newsletter. Also, I used to modify my email reply address for usenet
> posting with an extra .no.spam., etc but that trick is not as effective as
> it used to be. I found that spam to my account would skyrocket every
> time I posted to usenet.
I think the address harvesters are now smart enough to remove "no.spam"
munging from Usenet addresses. In my case, if they do that, they have
lost the entire local part of the address!
I know for a fact this is the case. A couple of months ago we had to remove
a Korean spamhaus from our blocking list because a customer absolutely had
to receive mail from business associates there.
--
John Fitzgerald
Sonic.net
Tech Support
707.547.3400
--
My pity ran out a long time ago. This problem has been developing over
two years so nobody should be surprised when their
Kornet/Hanaro/Daum/GNG/Samsung e-mail is no longer accepted. Maybe they
should ask their ISP to stop supporting spammers. I can not understand
anybody continuing to accept data from such a rogue set of telecoms that
has no intention of improving.
It would be interesting to know the word on the street with regards to
Yahoo's practices, since SBC is now sharing subscriber data, and mail
hosting, with them.
: In essence, there was no way to shut this attack down. Every hour, it
: was a whole new ballgame. ...
We had a similar incident about a month ago. It was so heavy that it
impacted interactive performance of the mail servers, and was quite a
nuisance. One of our sysadmins wrote a tool to watch for it, and
temporarily blackhole the source IP.
: This incident (not repeated since) convinced me that today's spammers
: are a very sophisiticated and dedicated lot.
Obviously, the potential for earnings has drawn some good talent, and I'd
guess that all the layoffs haven't helped.
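The two posts above describe the same thing from both sides: hourly waves of failed RCPT TO commands, a tool that watches for them and temporarily blackholes the source, and the observation that blocking by IP stops working once the source rotates every hour. The following is an added example of such a watcher, not Sonic's tool or anyone else's code. It keeps a per-client sliding window (to blackhole a single guesser) and a per-domain window over distinct clients (to notice the rotating-source attack that per-IP blocking misses). The log lines are Postfix-style and constructed, as are the IPs, thresholds and the assumed year.

```python
"""Watch for address-guessing ("Rumplestiltskin") attacks in MTA logs and
decide what to blackhole. Added example, not Sonic's tool or anyone else's
code. Log lines are in a Postfix-style format and are constructed, as are
the IPs, the thresholds and the year assumed for syslog timestamps."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[\d.]+)\]: 550 .*<(?P<rcpt>[^>]+)>: Recipient address rejected"
)
YEAR = 2002            # syslog timestamps carry no year; assumed for the sample

PER_IP_LIMIT = 5       # failed RCPTs from one client within WINDOW -> blackhole it
WINDOW = 60            # seconds
DISTRIBUTED_IPS = 3    # distinct clients guessing at one domain within WINDOW


def parse(line):
    """Return (timestamp, client_ip, recipient_domain) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].rsplit("@", 1)[-1].lower()


def analyze(lines):
    """Return (blackholed: {ip: first_trigger_ts},
               distributed: {domain: first_trigger_ts})."""
    per_ip = defaultdict(deque)          # ip -> timestamps inside the window
    per_domain = defaultdict(deque)      # domain -> (ts, ip) inside the window
    blackholed, distributed = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, domain = rec
        q = per_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) >= PER_IP_LIMIT and ip not in blackholed:
            blackholed[ip] = ts
        d = per_domain[domain]
        d.append((ts, ip))
        while (ts - d[0][0]).total_seconds() > WINDOW:
            d.popleft()
        if len({i for _, i in d}) >= DISTRIBUTED_IPS and domain not in distributed:
            distributed[domain] = ts
    return blackholed, distributed


def _line(ts, ip, rcpt):
    """Build one constructed Postfix-style 'User unknown' rejection line."""
    return (f"{ts} mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient table")


# Constructed sample log.
SAMPLE_LOG = [
    # one client running down a word list against example.com
    *[_line(f"Oct 14 03:12:{s:02d}", "203.0.113.5", f"{u}@example.com")
      for s, u in enumerate(["a", "aa", "aaa", "aaaa", "ab", "abb"], start=1)],
    # a single typo from a legitimate sender, not an attack
    _line("Oct 14 03:20:10", "192.0.2.44", "jon.smith@example.com"),
    # the rotating-source pattern: three unrelated clients, two guesses each
    *[_line(f"Oct 14 04:00:{s:02d}", ip, f"{u}@example.org")
      for s, (ip, u) in enumerate([("198.51.100.9", "admin"), ("198.51.100.9", "sales"),
                                   ("203.0.113.77", "info"), ("203.0.113.77", "bob"),
                                   ("192.0.2.200", "webmaster"), ("192.0.2.200", "mary")],
                                  start=1)],
]

if __name__ == "__main__":
    blackholed, distributed = analyze(SAMPLE_LOG)
    for ip, ts in blackholed.items():
        print(f"blackhole {ip} (triggered {ts:%H:%M:%S})")
    for domain, ts in distributed.items():
        print(f"distributed guessing at {domain} (triggered {ts:%H:%M:%S}); "
              "per-IP blocking will not help")
```

In practice the per-IP result feeds a firewall rule with an expiry, while the per-domain signal is what tells you the attack has moved to rotating sources (open proxies, as a later poster suggests), at which point the choice is between rate-limiting RCPT TO per connection or, as John did, no longer revealing which recipients exist.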
Why kill a fly with a shotgun? We filter the spam, and allow the legitimate
communication to flow. I think this is really the fundamental role of an
ISP with regards to email and spam.
Of course, you can't please all of the people all of the time - you'd have
us blackhole a country (or the continent?), and I'm sure that wouldn't make
sense for another sector of our customer base.
I would suggest you use the filtering, and stop fretting about it.
> Why kill a fly with a shotgun? We filter the spam, and allow the legitimate
> communication to flow. I think this is really the fundamental role of an
> ISP with regards to email and spam.
It's not really a fly. It's more like a four ton beast...
-Bill
>I blackhole address guessers as well. However, a couple of months ago,
>there was a dictionary attack on my servers for a particular domain.
>Every hour, there would be hundreds of failed "RCPT TO:" commands with
>every name you can imagine...on both servers. The origin IP would be
>dutifully blocked and then the next hour there would be another wave,
>but from a different address that was unrelated to the previous one.
>According to ARIN, these IP addresses not only had nothing in common,
>they were assigned to different countries.
I think some of these dictionary attacks are being done through open
proxies. An open proxy lets you connect to it via TCP/IP and make a
fresh TCP/IP connection to another host.
http://www.monkeys.com/anti-spam/filtering/proxies.html
--
Rahul
Oh, man! Someone's been screwing around with my keyboard again. I
suspect one of the two new cats. Shoulda been .cn, not .ch.
At the rate things are going, it will probably be a 30-way tie for
first.
> I think some of these dictionary attacks are being done through open
> proxies. An open proxy let you connect to it via TCP/IP and make a
> fresh TCP/IP connection to another host.
That is exactly what it looked like. It was either that, or an
international conspiracy of spam facilitation. I don't think we have
reached that point YET.
We need a BL with all the harvesters on it, and for this to be updated
into core IP filters, fast...
> Nearly half the spam I filter is from Asia and in Asian languages (Korean and
> Chinese predominantly).
In my domain this holds true for the older usernames (10+ years) but
the newer ones (created just over the past few years) don't get any.
Instead they get hammered by the newer American spam houses like temd.
It had gotten so bad for me I was denying 202.0/7, 210.0/7, etc...
I recently started trying Postini (I'll have more to say about them
when I eventually get through this thread) and from that discovered
many asian spam houses don't bother refreshing their dns caches
either. Postini's service requires routing your incoming mail thru
their facilities so now it's pretty obvious who's not doing lookups.
Billy Y..
The standard Postini setup is to leave your own mail server in the MX list
at a lower precedence (Higher number) in case Postini fails. Spammers
routinely use the whole MX list so this is a bit counter productive. I
only have a backup server in the MX list.
> That goes along with what I've read. The US spam factories actually
> distribute from overseas points because they have trouble finding
> domestic providers that will continue to provide them with bandwidth.
Well... Sprintlink, Worldcom, Verio and Concentric all have plenty of
spam house customers and none of them, Sprintlink in particular, will
do a damn thing about complaints. I'm a Worldcom customer and even at
that I get no help from them either.
Billy Y..
> I recently started trying Postini (I'll have more to say about them
> when I eventually get through this thread) and from that discovered
> many asian spam houses don't bother refreshing their dns caches
> either. Postini's service requires routing your incoming mail thru
> their facilities so now it's pretty obvious who's not doing lookups.
I STILL get email attempts to my servers for domains that I haven't MXed
for in years. I even got a "rumplestiltskin" attack, hundreds upon
hundreds of tries with different usernames, on a stale domain. All of
the attempts were refused as relay violations, but I doubt that anyone
at the other end even looks at logs.
> Quick note on Postini setup.
>
> The standard Postini setup is to leave your own mail server in the MX list
> at a lower precedence (Higher number) in case Postini fails. Spammers
> routinely use the whole MX list so this is a bit counter productive. I
> only have a backup server in the MX list.
I'll go farther than that. My logs indicate that many spammers
intentionally use MX hosts in reverse order. Presumably, spammers expect
that lower precedence hosts will have less fortification against spam,
accepting junk when the primary host won't.
> We need a BL with all the harvesters on it, and for this to be updated
> into core IP filters, fast...
Yes I am 100% convinced the only way we'll ever see any progress here is
right after all these weasels don't have any IP connectivity left.....
Billy Y..
My guess would be that whoever wrote that particular piece of "spam
blaster" software just implemented the MX precedence wrong.
> Obviously, we can't blackhole a country - I'd think that some of our
> customers have friends, relatives, and business associates there.
As an ISP maybe not but you should give some thought to allowing your
users to do that. I don't know what Panix is using but they do allow
individual users to opt in to an IP blacklist that actually rejects at
the time the spammer is attempting to send the junk, _before_ it even
gets accepted for delivery by Panix's mta.
Billy Y..
> My pity ran out a long time ago. This problem has been developing over
> two years so nobody should be surprised when their
> Kornet/Hanaro/Daum/GNG/Samsung e-mail is no longer accepted. Maybe they
> should ask their ISP to stop supporting spammers.
Or maybe they should just buy service from one of the world's countless
decent and not blacklisted ISPs.
> I can not understand
> anybody continuing to accept data from such a rogue set of telecoms that
> has no intention of improving.
Me neither...
Billy Y..
> I STILL get email attempts to my servers for domains that I haven't MXed
> for in years.
Well, thanks for the bad news. Silly me, I figured a couple years of no
MX records would be enough...
It was mentioned to me in mail some spammers are smart enough to strip out
one's own domain from the Postini MX records, which look like this -
MIX.COM. IN MX 1 mix.com.mail1.psmtp.COM.
MIX.COM. IN MX 2 mix.com.mail2.psmtp.COM.
MIX.COM. IN MX 3 mix.com.mail3.psmtp.COM.
MIX.COM. IN MX 4 mix.com.mail4.psmtp.COM.
Yeah, it would be a piece of cake, except the only machine that now answers
to mix.com is a web server that doesn't do mail.
Of course this hardly matters when the damn spammers don't ever refresh
their address caches... but if I decide to stay with Postini I can easily
hose all mail from the outside world that doesn't go through them.
As for Postini -- wow, it is inexpensive to say the very least. Just
50 cents/month/user and that includes all the aliases for any one guy
too. The down side of that is they have a $300/month minimum, so you
need 600 users (or must be willing to pay more for each one).
The way Postini works is you route all your mail through them. I'm
currently trying just their content filtering - they scan the message
ala Spam Assassin, score the results and compare that against some
choices you've made regarding how to evaluate said scores.
Now that I've had this running for a week, I can say it is pretty
damn effective and especially with the few things that used to slip
through my own blacklists. That is there will always be some yet
undiscovered open relays, and Postini is pretty good at catching
stuff thus originated.
But - not perfect. Once in a while some piece of spam slips through.
They claim 95% effectiveness, I'd say that's about right after some
use so they've had a chance to build their filtering based on what
one accepts or rejects..
All 'suspicious' mail is quarantined at Postini and must be reviewed
by connecting to their web site. A user is notified by email when
there are items present for their scrutiny (not really necessary at
my domain, we always get plenty, heh).. During business days (even
right now) the site can be frustratingly slow, although otherwise it's
pretty zippy. Messages are displayed 25 per page with little check
boxes to select individual items, and after a list is built you can
either dump them or send them on to yourself. When throwing stuff
out you have to then go to another page to actually delete them,
or you can just ignore that and Postini will do it 14 days later.
One problem for me with this is there are tons of things to go through
every day. And _everything_ gets listed here, nothing is just tossed,
even when it's from well known spammers you've placed on your Postini
list of people to ignore. I haven't yet pursued their other services
which seem to include those sorts of options, but I will after the
holidays.
From Postini's point of view I suppose this is a safer scheme, plus
it does demonstrate how much crap they're catching for you - but it
also means there is a lot of maintenance work to be done...
Their web site also allows one to enter lists of good guys and bad
guys, although when doing that for one of my users I discovered a
limit of just 64 lines for the bad ones. He's now getting along ok
with 63 entries and I could probably even remove some more based on
how well the content filtering catches stuff, but I still think it's
a bit too small a limit here.
One other point worth mentioning is Postini uses a pop3 login to one's
own mail server to verify you when you log in to their web site. So it
would be good to let those who review activity logs know it's not some
intruder, heh.....
I also looked at Brightmail - my problem there is they only support
the more widely used OSs and MTAs, while I'm still receiving mail on
a VMS cluster using PMDF. Spam Assassin can run under VMS but so far
I'd rather spend the 50 cents than hassle doing maintenance on it too.
Billy Y..
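The MX records quoted above, and the earlier remarks about spamware that works the MX list backwards, are a good place to make the precedence rules concrete. What follows is an added example, not code from this thread or from Postini: it parses MX records in the zone-file form shown above, lists them in the order a conforming MTA must try them (lowest preference value first, per RFC 2821), lists the order a "reverse MX" sender would use, and flags any MX host that does not belong to the filtering provider, since mail delivered there never passes through the filter. The four psmtp.com entries mirror the ones quoted; the preference-10 host is an assumption standing in for a customer's own server left in the list.

```python
import re

# Constructed zone-file excerpt.  The four psmtp.com entries mirror the
# records quoted above; the preference-10 host is an assumption standing in
# for a customer's own server left in the list "in case Postini fails".
ZONE_TEXT = """\
MIX.COM.    IN MX 1  mix.com.mail1.psmtp.COM.
MIX.COM.    IN MX 2  mix.com.mail2.psmtp.COM.
MIX.COM.    IN MX 3  mix.com.mail3.psmtp.COM.
MIX.COM.    IN MX 4  mix.com.mail4.psmtp.COM.
MIX.COM.    IN MX 10 mail.mix.com.
MIX.COM.    IN A  192.0.2.80
"""

MX_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mx(zone_text):
    """Return [(preference, host), ...] for the MX records in zone_text.
    Names are lower-cased and stripped of the trailing dot so that
    'mix.com.mail1.psmtp.COM.' and 'mix.com.mail1.psmtp.com' compare equal."""
    records = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line)
        if m:
            records.append((int(m.group("pref")), m.group("host").lower().rstrip(".")))
    return records


def rfc_order(records):
    """Hosts in the order a conforming sender tries them: ascending preference
    value.  Equal preferences are tied; a real MTA picks among them at random,
    here ties are broken by name so the result is deterministic."""
    return [host for _, host in sorted(records)]


def reverse_mx_order(records):
    """The order the thread attributes to some spamware: highest preference
    value first, on the theory that the backup host is the least fortified."""
    return list(reversed(rfc_order(records)))


def hosts_bypassing_filter(records, filter_suffix):
    """MX hosts not under the filtering provider's domain.  Mail delivered to
    any of these never passes through the filter, and it is exactly where a
    reverse-order sender lands first."""
    suffix = "." + filter_suffix.lower().strip(".")
    return [host for host in rfc_order(records) if not host.endswith(suffix)]


if __name__ == "__main__":
    recs = parse_mx(ZONE_TEXT)
    print("conforming order :", rfc_order(recs))
    print("reverse-MX order :", reverse_mx_order(recs))
    print("bypass the filter:", hosts_bypassing_filter(recs, "psmtp.com"))
```

Running `hosts_bypassing_filter` against your own zone is the check to make before trusting a hosted filter: if it returns anything, either drop that record or make that host refuse SMTP from everyone except the provider's relays.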
We provide GUI based tools where customers can tweak rules for filtering,
plus procmail for the more shell based folks.
Don't know what your definition of "international conspiracy" is,
but it should be common knowledge at this point that the more
dedicated spammers have operations in various parts of the world
specifically in an attempt to circumvent detection and/or prosecution.
More to the point, I suspect that 90% of the "foreign spam" we
get here actually originates from a U.S. source, but is being
distributed by foreign entities either by exploiting insecure
offshore systems, or by simply hiring them.
Even back before the modern spam explosion, it came out that
AGIS was playing games with rotating address-space for our
beloved spam-pioneer Sanford Wallace, to try to help him
avoid being blackholed.
--
Philip J. Koenig The Electric Kahuna Organization [anti-spammed]
----------------Computers & Communications for the New Millennium--------------
* To send email, remove numbers and spaces: pjkusenet64 @ ekahuna27 . com *
* Civilians killed in WTC attack: 2,797 Afghan civilians killed by US: 3,767 *
*http://news.bbc.co.uk/low/english/world/south_asia/newsid_2141000/2141975.stm*
* Simple answers are for simple minds. Try a new way of looking at things. *
One tactic which I haven't seen anyone discuss, but which I
think might be useful, is monitoring DNS queries.
There is a significant amount of info that can be garnered by
watching who is poking on the DNS records for a domain. Spammers
think that by forging headers they can escape detection, but
at one point or another their network provider has to do DNS
lookups to ascertain how to deliver their spam.
Coming up with a system which correlates incoming spam attempts
with DNS queries might help track down the network-providers of
spammers, even when the spammers themselves are hard to nail.
Just a thought.
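The correlation described in the post above is straightforward to prototype against the query log of an authoritative name server and the MTA's connection log. The following is an added example, not code from this thread: both log formats are assumed simplifications and both logs are constructed. The spam arrives from three unrelated client addresses, but every run is preceded by the same resolver asking for the domain's MX record, which is the resolver (and so the network provider) the post is after.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed logs (formats assumed).  Authoritative-server query log:
#   <timestamp> <resolver-ip> <qname> <qtype>
# MTA log of connections that delivered spam:
#   <timestamp> <client-ip>
DNS_LOG = """\
2002-12-20T08:30:00 192.0.2.53 example.net MX
2002-12-20T09:00:00 198.51.100.53 example.net MX
2002-12-20T09:40:00 198.51.100.53 example.net MX
2002-12-20T10:15:00 198.51.100.53 example.net MX
2002-12-20T10:15:10 198.51.100.53 mx1.example.net A
"""
SPAM_LOG = """\
2002-12-20T09:00:04 203.0.113.7
2002-12-20T09:40:09 203.0.113.88
2002-12-20T10:15:20 198.51.100.201
2002-12-20T11:00:00 192.0.2.250
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_dns_log(text, qname, qtype="MX"):
    """(timestamp, resolver_ip) for every query of qname/qtype."""
    out = []
    for line in text.splitlines():
        ts, resolver, name, rtype = line.split()
        if name.lower() == qname.lower() and rtype.upper() == qtype:
            out.append((_ts(ts), resolver))
    return out


def parse_spam_log(text):
    """(timestamp, client_ip) for every logged spam delivery."""
    return [(_ts(ts), ip) for ts, ip in (l.split() for l in text.splitlines())]


def correlate(dns_events, spam_events, window=timedelta(seconds=60)):
    """For each spam connection, credit every resolver that looked up our MX
    within `window` before it.  Returns (Counter resolver -> hits,
    dict resolver -> set of client IPs it preceded).  Many different client
    IPs behind one resolver point at the provider, not the throwaway host."""
    hits = Counter()
    clients = defaultdict(set)
    for spam_time, client in spam_events:
        for q_time, resolver in dns_events:
            if timedelta(0) <= spam_time - q_time <= window:
                hits[resolver] += 1
                clients[resolver].add(client)
    return hits, clients


if __name__ == "__main__":
    hits, clients = correlate(parse_dns_log(DNS_LOG, "example.net"),
                              parse_spam_log(SPAM_LOG))
    for resolver, n in hits.most_common():
        print(resolver, n, "spam runs, clients:", sorted(clients[resolver]))
```

Two caveats a practitioner would add. A resolver shared with legitimate correspondents will also show up, so the signal is repeated correlation across changing client addresses, not a single hit. And a caching resolver only asks once per MX TTL, so the window has to be at least the TTL, or the lookup has to be matched to the first connection after it rather than to every connection.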
Yep - precisely why I oppose "high collateral damage spam-guessing
systems", particularly when they are imposed on users without their
knowledge or control.
The email you weren't expecting is often A) quite important and B)
the collateral-damage of systems described above.
Another data point: the address I created for the sole purpose
of subscribing to (for a year), and then unsubscribing from,
the Harris Poll mailing list, gets no spam whatsoever. :-)
> Also, I used to modify my email reply address for usenet
> posting with an extra .no.spam., etc but that trick is not as effective as
> it used to be. I found that spam to my account would skyrocket every
> time I posted to usenet.
Spamware has gotten better at unmunging Usenet addresses. If
you want to munge on Usenet, you have to do better than just
something like appending "nospam" to your address.
My munge works extremely well, but I was really surprised one day
when some Chinese spammer actually unmunged it. All told however,
it's received a sum-total of about 3 spam messages in the several
years I've been using it.
(They would have to have unmunged it from my .sig obviously. Or
it's possible that it was unmunged somewhere at some point - ie
by some crusader in NANAE that wanted to annoy me. This has
happened before.)
> I now filter .ch, .tw, .kr, .br, .za (another recent heavy hitter)
> plus the jerk at humboldt1.com who apparently has me on his
> Klez-A-Day list.
If the return-address on those Klez care-packages is
@humboldt1.com, there is a very high chance it has no
relationship to the actual sender of the trojan. Klez
randomizes From: addresses when it sends itself out.
(which is why it's been so difficult to stamp out -
damn hard to let someone know they're infected when you
can't tell who sent it to you)
Very interesting. ARIN now indicates on the whois record that
the info has been reported as bogus.
On the other hand, that should be obvious since ARIN shouldn't
have any zone records for European IP address space anyway.
Furthermore, those addresses appear not to be in any routing
tables, so I don't see how they'll do anyone much good. (of
course, they could just announce them during a spam run :-)
Not sure about that. I've seen the same pattern, and I have
a feeling it's intentional.
If you think about it, you will realize that even if you
implement a DNS RBL type of blocking system on the primary
MX, there is a much lower likelihood that all of your
backup MX's do the same thing. (oftentimes sites have
3rd parties acting as their MX backup)
The upshot is, since DNS-based RBLs act only upon the IP
address of the final-hop delivery host, if a spammer delivers
to one of your backup MX's, and there is no RBL checking on
it (often the case because these hosts typically do SMTP
backup for multiple domains/entities) that spam will pass
through your local RBL because it comes from a trusted
host.
Yep, content-based blocking will still occur, but it seems
that such a tactic might indeed succeed at circumventing
some traditional DNS-based RBL checking.
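The failure mode just described, and the usual fix, as an added example (not code from this thread). A DNSBL check that looks only at the connecting address sees your own trusted backup MX and passes the message; the corrected check walks the Received: chain inward past every trusted relay to the first external hop and tests that address instead. The message, the trusted network list and the DNSBL zone name (dnsbl.example) are all constructed for the example, and no network query is made.

```python
import ipaddress
import re

# Constructed message: spam injected at the backup MX (192.0.2.5, trusted),
# which then handed it to the primary.  The real client was 203.0.113.7.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [192.0.2.5])
\tby mx1.example.net (8.12.6/8.12.6) with ESMTP id gBKH0001
\tfor <user@example.net>; Fri, 20 Dec 2002 09:00:03 -0800
Received: from relay.example.org (unknown [203.0.113.7])
\tby mx2.example.net (8.12.6/8.12.6) with SMTP id gBKG9999
\tfor <user@example.net>; Fri, 20 Dec 2002 09:00:01 -0800
From: someone@example.org
To: user@example.net
Subject: test

body
"""

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # our own MX hosts (assumed)
DNSBL_ZONE = "dnsbl.example"                           # placeholder zone (assumed)

HOP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Client IPs from each Received: header, newest (outermost) first.
    Continuation lines are folded back onto their header before matching."""
    header_block = raw_message.split(b"\n\n", 1)[0].decode("ascii", "replace")
    unfolded = re.sub(r"\n[ \t]+", " ", header_block)
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def naive_check_ip(raw_message):
    """What an RBL check on the final hop tests: the address that connected
    to *this* host.  When that is our own backup MX, the check passes."""
    ips = received_ips(raw_message)
    return ips[0] if ips else None


def first_untrusted_hop(raw_message):
    """Walk inward past every hop we trust and return the first address that
    is not ours.  That is the address a DNSBL could actually know about.
    Returns None if every hop is trusted (locally generated mail)."""
    for ip in received_ips(raw_message):
        if not is_trusted(ip):
            return ip
    return None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL lookup resolves, e.g.
    203.0.113.7 -> 7.113.0.203.dnsbl.example (the lookup itself is not done)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    naive = naive_check_ip(RAW_MESSAGE)
    print("naive check tests  :", naive, "(trusted, so it passes)" if is_trusted(naive) else "")
    ext = first_untrusted_hop(RAW_MESSAGE)
    print("should have tested :", ext, "->", dnsbl_query_name(ext))
```

Stop at the first untrusted hop and do not keep walking: every Received: header below it was written by machines the sender controls and can say anything. Walking the chain is the mitigation on the primary; the real fix, as the thread says, is to run the same rejection at connect time on the backup MX as well.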
[info about Postini removed]
>
> I also looked at Brightmail - my problem there is they only support
> the more widely used OSs and MTAs, while I'm still receiving mail on
> a VMS cluster using PMDF. Spam Assassin can run under VMS but so far
> I'd rather spend the 50 cents than hassle doing maintenance on it too.
I thought Brightmail limited themselves primarily to really
big accounts too - since among other things they want someone
with enough reach to contribute back to their "probe network".
Anti-spam services are a big business right now, not surprisingly.
Along with long-time companies like Brightmail and MessageLabs,
there's a bunch of newer companies like Postini, Cloudmark,
Mailshell, Corvigo, etc etc. That's not to mention all the
client-side solutions these days.
To be blacklisted doesn't necessarily imply automatically that one
is "rogue".
<sarcasm>Of course, there's never been a site 'wrongly' blacklisted.</sarcasm>
Let us also remember that Korea has the highest percentage of people
online of anywhere in the world, for starters. And if you were a resident
of a country outside the USA, you would learn that the vast majority of
spam in the world originates HERE, not the other way around.
> > I can not understand
> > anybody continuing to accept data from such a rogue set of telecoms that
> > has no intention of improving.
>
> Me neither...
I think you'd be hard-pressed to prove that Korean telecom
companies "have no intention of improving". Maybe if people
made a better effort to understand things like ie how to
communicate with them in their own language, it might lend
a little different perspective.
"Dagnabbit Martha, I shore dun unnerstand why them dam
Kree-uns don't wanna listen to me, I repeated my demand
(in english) twice, and when they still had a puzzled
look on their face, I even yelled it at 'em, but they
still ignored me.."
LOL .. and you act *surprised*?
SMTP authentication has existed for a while now, it's just that
getting all the ISPs and users in the world to switch over to it is
a major undertaking. (remember our conversion to the metric system,
which was supposed to happen, oh, 20 yrs ago?)
If all SMTP boxes refused to relay messages unless you had an account
on the machine, it would help greatly. Unfortunately this scenario
won't take place anytime soon.
> Filtering is great, but it irritates me that so many resources have to be
> wasted on it. It's not like postal junkmail, either, since the "postal
> spammers" actually pay postage to send their crap.
Once again, if filtering were as widespread as SMTP itself, then
we might get somewhere. I think the key is when the time comes
that Microsoft embeds standardized filtering mechanisms in all
of their freebie email clients, it will start to put a big dent
in the economic viability of spamming. (you will start seeing
something along these lines very soon, I hear)
Already, spammers are beginning to discover that users are
starting to change their attitude about email advertising --
and sleazeball entities like the DMA are having to start
re-thinking their strategy because very shortly people
aren't going to want to open ANYTHING that looks *remotely*
like an advertisement.
> I think you'd be hard-pressed to prove that Korean telecom
> companies "have no intention of improving". Maybe if people
> made a better effort to understand things like ie how to
> communicate with them in their own language, it might lend
> a little different perspective.
So if we all learn Korean, that will handle Korean spam? Do we have to
learn all the other languages in the world as well (or else we deserve
the spam)?
1970, wasn't it? Nearly 33 years ago.
> > I think you'd be hard-pressed to prove that Korean telecom
> > companies "have no intention of improving". Maybe if people
> > made a better effort to understand things like ie how to
> > communicate with them in their own language, it might lend
> > a little different perspective.
This is nothing but yet more argument merely for the sake of arguing
itself - the actual facts have obviously had no effect on the proponent
of all this nonsense..
> So if we all learn Korean, that will handle Korean spam? Do we have to
> learn all the other languages in the world as well (or else we deserve
> the spam)?
Which facts are: whilst the government-run telecom company does have an
English-language web page saying maybe sometime in the future they might
back off, in Korean it's still one big email free-for-all over there.
And not at all coincidentally they're also easily leading the league in
my list of who never flushes their lousy MX caches....
Billy Y..
True, but their abuse@ and similar addresses are 100% unresponsive.
Which can be a problem in itself. Last year, Wells Fargo changed their
envelopes to look like multi-colored crap-o-grams. I noticed the name in the
upper left some time between when, ripped in half, it left my hand and hit the
garbage can. Then I had to find the Scotch tape to make the statement and the
envelope mailable.
You mean ab...@humboldt1.net?
Well I will surmise that:
A) they are a very small ISP (located in the sleepy town of Arcata CA)
B) they have nothing to do with the infected computer, Klez just pulled
the return-address off the infected PC's addressbook
C) they've gotten hundreds of complaints just like yours, when it
has nothing to do with them
D) they simply don't have the time to respond to them all
Now if they were a big ISP, I imagine the only difference would be
that you'd have gotten a bunch of auto-responses to your complaints.
Would that be better?
If it's really an issue, why don't you just call them: 707-825-4638.
But unless the first or last hop in the trojan-infected messages was
in their IP address space, I'd expect them to be annoyed by the call.
Let's just say that I am of the impression that a disproportionate
amount of blame is assigned by Americans on "foreign countries"
or "foreign ISPs" when they haven't made even a modest effort to
effectively communicate with the alleged perpetrators.
As Tim Pozar pointed out earlier, the spam itself generally
originates here, it just often gets relayed through non-US
relay-points because ISPs in many non-US places have been
slower to close down open relays and so forth. (the technology
is newer there, the resources are less, there are language
barriers, etc etc)
It's OK, now that BofA and Wells are both owned by various
midwesterners, they've turned into even bigger crap-o-gram
companies. Probably not much there worth saving anyway. :-)
> As Tim Pozar pointed out earlier, the spam itself generally
> originates here, it just often gets relayed through non-US
> relay-points because ISPs in many non-US places have been
> slower to close down open relays and so forth. (the technology
> is newer there, the resources are less, there are language
> barriers, etc etc)
Of that there is no doubt. Most spam is US originated, since except for
notable exceptions, there is little point in off-shore people spamming
Americans. But those off-shore ISPs that see relaying junk for US spam
houses as a desirable business need some re-education. An incentive to
effect those changes might be to have many US sites refusing connections
from them until they start tossing spammers like their domestic
colleagues do.
>
>Of that there is no doubt. Most spam is US originated, since except for
>notable exceptions, there is little point in off-shore people spamming
>Americans. But those off-shore ISPs that see relaying junk for US spam
>houses as a desirable business need some re-education. An incentive to
>effect those changes might be to have many US sites refusing connections
>from them until they start tossing spammers like their domestic
>colleagues do.
A significant amount, perhaps as much as 50%, of the spam I trap is *in*
Korean and/or Chinese. I heavily doubt that crap is US originated.
Quite a lot of the asian relayed domestic spam I was seeing last year, at
least, seemed to be bounced off of Solaris machines running crappy SunOS
sendmail 5.x default configurations which had no anti-relay controls at
all... When I installed better spam filtering, I stopped paying close
attention to the headers
True, but this is why it's interesting to hear from different
quarters on this. In my personal case (and typically for the
sites I administer) asian-language spam is a very low percentage
of total spam received.
> Quite a lot of the asian relayed domestic spam I was seeing last year, at
> least, seemed to be bounced off of Solaris machines running crappy SunOS
> sendmail 5.x default configurations which had no anti-relay controls at
> all... When I installed better spam filtering, I stopped paying close
> attention to the headers
This comes under the category of "fewer resources, technology is newer
there" as mentioned previously. Many places in the world simply don't
have access to, or the resources/funding to run the latest and
greatest versions of things. Even if you're running freeware you
have to pay someone to keep it upgraded.
Perhaps the moral of the story here is, if the email portion of
the net will fall down on its face and cause havoc because the
whole world isn't running the latest code, then we have to look
at how to ensure that the system is more globally fault-tolerant.
There simply is no way to ensure that everyone in the world is
always at the latest patch-level.
(one way that people address this problem in the corporate
sphere, as pertains to general security, is to run firewalls -
which can help keep most of the bad guys out until you have a
chance to patch this weeks security holes in your server boxes)
> A significant amount, perhaps as much as 50%, of the spam I trap is *in*
> Korean and/or Chinese. I heavily doubt that crap is US originated.
Interesting. I don't doubt you (I've heard this from others) but for all
the spam this site receives, I have yet to see one of those!
> This comes under the category of "fewer resources, technology is newer
> there" as mentioned previously. Many places in the world simply don't
> have access to, or the resources/funding to run the latest and
> greatest versions of things. Even if you're running freeware you
> have to pay someone to keep it upgraded.
You mean people in other countries are blocked from downloading the same
wares the rest of us do? And people in those countries can write viruses
but they cannot write and maintain proper email-handling wares? This
doesn't sound like a "resources issue"; it is more of a cultural issue,
it would seem.
> Perhaps the moral of the story here is, if the email portion of
> the net will fall down on its face and cause havoc because the
> whole world isn't running the latest code, then we have to look
> at how to ensure that the system is more globally fault-tolerant.
> There simply is no way to ensure that everyone in the world is
> always at the latest patch-level.
You don't have to have "the latest patch-level" to keep from inundating
the net with spam.
> (one way that people address this problem in the corporate
> sphere, as pertains to general security, is to run firewalls -
> which can help keep most of the bad guys out until you have a
> chance to patch this weeks security holes in your server boxes)
And, significantly, it is occasionally the corporate site with its
unlimited resources that is the biggest offender in this country.
Where there's a will...
>> A significant amount, perhaps as much as 50%, of the spam I trap is *in*
>> Korean and/or Chinese. I heavily doubt that crap is US originated.
> Interesting. I don't doubt you (I've heard this from others) but for all
> the spam this site receives, I have yet to see one of those!
I was getting several unreadable spams per day from .tw for a while, but it
has stopped. It may be due to some filtering at my ISP, but I'm still
getting plenty of other junk.
--
---
Clarence A Dold - do...@email.rahul.net
- Hidden Valley (Lake County) CA.
>In article <au7hal$j33$5...@reader1.panix.com>, ab...@MIX.COM (ab...@MIX.COM)
>writes...
>> Kevin McMurtrie <mcmu...@sonic.net> writes:
>>
>> > My pity ran out a long time ago. This problem has been developing over
>> > two years so nobody should be surprised when their
>> > Kornet/Hanaro/Daum/GNG/Samsung e-mail is no longer accepted. Maybe they
>> > should ask their ISP to stop supporting spammers.
>>
>> Or maybe they should just buy service from one of the world's countless
>> decent and not blacklisted ISPs.
>
>
>To be blacklisted doesn't necessarily imply automatically that one
>is "rogue".
>
><sarcasm>Of course, there's never been a site 'wrongly' blacklisted.</sarcasm>
>
>
>Let us also remember that Korea has the highest percentage of people
>online of anywhere in the world, for starters. And if you were a resident
>of a country outside the USA, you would learn that the vast majority of
>spam in the world originates HERE, not the other way around.
Korea has smaller mailing lists but they send the highest volume of spam
to each address. Korea sends me five times more spam than the rest of
the planet. They've sent over 300KB in last 3.5 days.
>
>> > I can not understand
>> > anybody continuing to accept data from such a rogue set of telecoms that
>> > has no intention of improving.
>>
>> Me neither...
>
>
>I think you'd be hard-pressed to prove that Korean telecom
>companies "have no intention of improving". Maybe if people
>made a better effort to understand things like ie how to
>communicate with them in their own language, it might lend
>a little different perspective.
>
>"Dagnabbit Martha, I shore dun unnerstand why them dam
>Kree-uns don't wanna listen to me, I repeated my demand
>(in english) twice, and when they still had a puzzled
>look on their face, I even yelled it at 'em, but they
>still ignored me.."
I'd have an extremely easy time proving that Korean telecoms have no
intention of improving. First, most KRNIC contacts for the telecoms are
fake or bounce. Second, those who speak Korean agree that the telecoms
don't read complaints. Third, translated press releases say that the
telecoms are working on ways to collect more money from spam.
Serverbank is the one Korean hosting company I've found that terminates
spammers. I challenge you to find one more. Let's make it easy, find
one that even gives spammers warnings
> > A significant amount, perhaps as much as 50%, of the spam I trap is *in*
> > Korean and/or Chinese. I heavily doubt that crap is US originated.
It's not from the USA - it's primarily Korean, then Taiwanese. As in -
! Korea
! Content-type: text/html; charset=euc-kr
! Content-type: text/html; charset=ks_c_5601-1987
!
! Taiwan
! Content-type: text/plain; charset=big5
! Content-Type: text/plain; charset=gb2312
> Interesting. I don't doubt you (I've heard this from others) but for all
> the spam this site receives, I have yet to see one of those!
You are truly lucky. I don't think they've been updating their lists
though... If they ever have at all, heh..... Maybe the new owner of
ATI.COM is getting hammered by them instead?
Billy Y..
> You are truly lucky. I don't think they've been updating their lists
> though... If they ever have at all, heh..... Maybe the new owner of
> ATI.COM is getting hammered by them instead?
Ah, that might explain it. Ninety-five percent of the spam I get is
directed toward one of two addresses (the other five percent goes to the
ringer addresses I use to trap spamming companies on the net). Those two
above mentioned addresses were created in 1999, the year I shed my old
domain.
Heh...I know that some big executive at a certain company was just
itching to use his new email address (my first name @ the domain
mentioned above). What he didn't know was that the address was a major
spam destination. It had existed since the eighties and was on every
list everywhere in the universe.
I imagine it still is.
No, .com
>
>Well I will surmise that:
>
>A) they are a very small ISP (located in the sleepy town of Arcata CA)
Arcate. No discount for the town being sleepy.
>B) they have nothing to do with the infected computer, Klez just pulled
> the return-address off the infected PC's addressbook
>C) they've gotten hundreds of complaints just like yours, when it
> has nothing to do with them
>D) they simply don't have the time to respond to them all
They should find it.
>
>Now if they were a big ISP, I imagine the only difference would be
>that you'd have gotten a bunch of auto-responses to your complaints.
>Would that be better?
No, complete failure to respond is worse.
>If it's really an issue, why don't you just call them: 707-825-4638.
>But unless the first or last hop in the trojan-infected messages was
>in their IP address space, I'd expect them to be annoyed by the call.
Screw their annoyance. They're in the first received header -- the from
part.
> Find a US spam in here. This is Korean spam sent to a single e-mail
> address between the morning of Dec 24 and the afternoon of Dec 27.
This is all too typical of what I'm seeing too, having shut off my
local blacklists so I can see what Postini's catching or missing.
Postini is pretty good at catching this junk, but unfortunately not
all of it gets sent to them, some of it is still coming to the last
MX address, not the current one.
Billy Y..
> Korea has smaller mailing lists but they send the highest volume of spam
> to each address. Korea sends me five times more spam than the rest of
> the planet. They've sent over 300KB in last 3.5 days.
Yes they are pumping it out like there's no tomorrow...
> I'd have an extremely easy time proving that Korean telecoms have no
> intention of improving. First, most KRNIC contacts for the telecoms are
> fake or bounce.
Correct.
> Second, those who speak Korean agree that the telecoms
> don't read complaints. Third, translated press releases say that the
> telecoms are working on ways to collect more money from spam.
Plus it generates a healthy amount of exit traffic which could make
peering with other nets somewhat easier, although I sure as hell hope
they are customers of the USA's nets, not peers....
> Serverbank is the one Korean hosting company I've found that terminates
> spammers. I challenge you to find one more. Let's make it easy, find
> one that even gives spammers warnings
Not to mention one that even responds at all, period. Or for that matter
try to even get a response out of any of the sleazy American nets who are
providing the Koreans with the means to distribute their crap here.
Billy Y..
> An incentive to
> effect those changes might be to have many US sites refusing connections
> from them until they start tossing spammers like their domestic
> colleagues do.
There is no might be about it - this is the only way to implement change,
period. All the filtering after the fact will never do a damn thing to
actually stop anything - that only leads to either continual maintenance
work on said filters or having to pay someone to do it for you - forever.
Billy Y..
I have a Yahoo account that is unusable because of all the non-latin
spam it gets (on the order of 400+ per week). I am tempted to let
it go, let the disk fill up, and be done with it. Yahoo offers very
poor, ineffective filtering tools.
Hotmail seems to have employed moderately effective filtering, in
addition to somewhat useful blocking by domain name. I'm seeing
1-6 spams per day there, all in English.
The gold standard for me is procmail that I am running on my shell
account. Spam stats at http://www.cosmos-monitor.com/nospam (still
a work in progress).
--
Mark Roberts |"Isn't whining about not getting a fair shake from the media
Oakland, Cal.| about 50% of what it means to be a conservative in America?"
NO HTML MAIL | -- Josh Marshall, _Talking Points Memo_, 12-5-2002
> do...@78.usenet.us.com <do...@78.usenet.us.com> had written:
>
> | I was getting several unreadable spams per day from .tw for a while, but it
> | has stopped. It may be due to some filtering at my ISP, but I'm still
> | getting plenty of other junk.
>
> I have a Yahoo account that is unusable because of all the non-latin
> spam it gets (on the order of 400+ per week). I am tempted to let
> it go, let the disk fill up, and be done with it. Yahoo offers very
> poor, ineffective filtering tools.
I got my first Korean spam this very morning. It was sent to
"mailer-daemon" at one of my domains. I have no idea what product it was
promoting. I can't think of anything more useful than targeting
indecipherable junk to "mailer-daemon" at random domains.
> Hotmail seems to have employed moderately effective filtering, in
> addition to somewhat useful blocking by domain name. I'm seeing
> 1-6 spams per day there, all in English.
It would appear that Korean spam can be effectively filtered by simply
keying on any special characters that are used in the language. We'll be
setting that up shortly!
You sure that it was actually sent to mailer-daemon and was not one of the
'bounce' type spamming techniques? Not that I'd be surprised if they sent
it to mailer-daemon, but I've seen a ton of spam that is intended to be
bounced (to the intended recipient) and usually finds its way to
mailer-daemon at the destination server.
-Bill
According to my server log, its envelope RCPT TO: was "mailer-daemon".
Examination of the header revealed no interim stops.
But I'm curious: what is "bounce spamming"? I suppose one could put the
actual intended recipient in the From: line, but most MTAs refuse to
accept misaddressed email so such an attempt wouldn't get out of the
starting gate.
From what I can tell (since I'm not a spammer, I can't confirm this as
the exact method), they set From/Reply-to to the intended recipient's
address. Then, they send it somewhere that will bounce it. (*Most* MTAs
refuse this sort of thing, but not all.) Near as I can tell, they find
these spam-friendly mail servers and abuse them much like they do with
open relays.
-Bill
> I got my first Korean spam this very morning. It was sent to
> "mailer-daemon" at one of my domains.
My impression is they do this thinking it will not be trashed
because it contains some important error message.....
Anyway you can catch most all of this crap on the charsets I
mentioned, if you don't want to just off the whole country...
You may have to take care to catch embedded content-type headers,
although SA should have at least one way to handle those too.
Billy Y..
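Bill's idea of keying on the charset and Billy's caveat about embedded Content-Type headers, as an added example that is not part of the thread: it walks every MIME part of a constructed message, so a Korean charset declared only inside a nested part is still caught. The charset list is an assumption a site would tune to its own traffic.

```python
# Added example (not from the thread): flag mail that declares a Korean
# charset in any MIME part. walk() visits nested parts, so Content-Type
# headers embedded inside a multipart body are checked as well as the
# top-level header.
import email
from email import policy

# Charset labels commonly seen on Korean-language mail; assumption: a site
# would tune this set to its own traffic.
KOREAN_CHARSETS = {"euc-kr", "ks_c_5601-1987", "iso-2022-kr", "cp949", "uhc"}

def declared_charsets(raw: bytes) -> list:
    """Lowercase charset labels declared by every part of the message, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():                  # top level first, then each nested part
        cs = part.get_content_charset()      # charset= parameter, None if absent
        if cs:
            found.append(cs.lower())
    return found

def looks_korean(raw: bytes) -> bool:
    return any(cs in KOREAN_CHARSETS for cs in declared_charsets(raw))

# Constructed sample: the outer header gives no charset and the first part is
# plain us-ascii; only a nested HTML part reveals euc-kr.
SAMPLE_NESTED = (
    b"From: someone@example.invalid\r\n"
    b"To: mailer-daemon@example.invalid\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="XX"\r\n'
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"plain text part\r\n"
    b"--XX\r\n"
    b"Content-Type: text/html; charset=euc-kr\r\n"
    b"\r\n"
    b"<html><body>...</body></html>\r\n"
    b"--XX--\r\n"
)
# Constructed sample with a Western charset only.
SAMPLE_PLAIN = b"Content-Type: text/plain; charset=iso-8859-1\r\n\r\nhello\r\n"
```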
> Anyway you can catch most all of this crap on the charsets I
> mentioned, if you don't want to just off the whole country...
> You may have to take care to catch embedded content-type headers,
> although SA should have at least one way to handle those too.
Indeed, I think I may have discovered why my percentage of
Korean-language spam is so low. My servers reject lots of email with
defective "HELO" arguments that appear to be meaningless eight-bit
characters.
How about Dutch?
http://aity.tux.nu
http://dity.iscool.net
Both of those domains are redirected or hosted by a Dutch site.
So you got on some Korean spamlists. As the discussion in this
thread has shown, there are clearly vastly differing experiences
as far as this Korean stuff is concerned. Personally I get
virtually ZERO Korean-originated spam. I have one site that I
administer that gets a little (mostly from the same site over and
over), but that's about it as far as I know.
The point I am making is simply that to assign blame to some
miscellaneous foreign entity is an all-too-common lazyman's
excuse. I don't dispute you get Korean spam, maybe you get
a lot. But I really don't think you can lay responsibility
for the spam problem primarily on the Koreans, or any other
country entity. Certainly more spam originates in the USA,
on the whole, than anywhere else in the world. If you think
that's a good reason for the rest of the world to blackhole
anything you try sending to them, you're welcome to that
opinion. (I don't share it)
First read about the trojan. Quoting:
> Similar to the other KLEZ variants, this worm can change or
> spoof the original email address in the FROM: field. It obtains
> the email addresses that it places in the FROM: field from the
> infected user's address book. This causes a non-infected user's
> name to appear as the person who has sent this worm's malicious
> email. It does this to hide the real sender of the infected email.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T
Re: "they should find it".. find what? Please show me the
relevant headers - only if the IP address (not the "From:"
string) is in the ISP's address space should it be any of
their concern.
Even if so, I doubt that most ISPs have the time to investigate
every single instance of someone getting a virus sent by one of
their users.
Even the "good" ISPs rarely in my experience send any kind of
human correspondence back in reply to much more important
abuse complaints than this. The usual boilerplate is an auto-
response pointing out that it's unlikely you'll get a real reply.
If that makes you all warm'n fuzzy, hey whatever works for ya.
(doesn't work for me, in that case)
The only time I bother with Klez complaints is when A) I am
positive I know which entity to contact re: what network it
originates on and B) if I or some system I'm responsible for
is getting repeated copies of it for days/weeks at a stretch.
It's just not worth my time (or the ISPs, I suspect) to get
our panties in a twist over each message.
I'll tell you what makes *me* warm'n'fuzzy though: the
knowledge that Klez would be nonexistent if boneheads
didn't use Billware for their email client.
Note that I did not say it was in the From: header. I said it was in
the Received: header in the "from" part, as opposed to the "by" part.
>Re: "they should find it".. find what? Please show me the
>relevant headers - only if the IP address (not the "From:"
>string) is in the ISP's address space should it be any of
>their concern.
See above.
>Even the "good" ISPs rarely in my experience send any kind of
>human correspondence back in reply to much more important
>abuse complaints than this. The usual boilerplate is an auto-
>response pointing out that it's unlikely you'll get a real reply.
>If that makes you all warm'n fuzzy, hey whatever works for ya.
>(doesn't work for me, in that case)
Recognizing one's existence is better than tossing the correspondence
on the floor.
>The only time I bother with Klez complaints is when A) I am
>positive I know which entity to contact re: what network it
>originates on and B) if I or some system I'm responsible for
>is getting repeated copies of it for days/weeks at a stretch.
The site in question was informed of the frequency. I chose not to
harass them each time one appeared.
>I'll tell you what makes *me* warm'n'fuzzy though: the
>knowledge that Klez would be nonexistent if boneheads
>didn't use Billware for their email client.
Agreed. Unfortunately it ain't gonna get better anytime soon.
> Note that I did not say it was in the From: header. I said it was in
> the Received: header in the "from" part, as opposed to the "by" part.
> >Re: "they should find it".. find what? Please show me the
> >relevant headers - only if the IP address (not the "From:"
> >string) is in the ISP's address space should it be any of
> >their concern.
> See above.
When one of my users was pumping the stuff out she was all too easy to
find simply by looking at the logs to see who was using the IP address
at the time. I assign them from a pool, just like the typical ISP, and
log said assignments, again just like the typical ISP. As far as I can
tell Klez makes a direct connection to wherever on port 25, it doesn't
get any easier.
The only really distressing thing in all this was out of bazillions of
Klez infected letters sent I only got one complaint........
And while we're on the subject, the morons at AT&T bounce Klez complaints
because the letter has a virus in it... Doh!!!
By the way my solution to all this is I'm now virus filtering inbound mail,
before it ever even gets near a windows pc.
Billy Y..
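The distinction between the "from" and "by" parts of the Received: header, and the pool-log lookup Billy describes, as an added example that is not from the thread: it pulls the connecting address out of the topmost Received: line of a constructed Klez-style message (ignoring the spoofed From:) and finds who held that address in a constructed assignment log at that time.

```python
# Added example (not from the thread): take the connecting address from the
# topmost Received: header's "from" clause (not its "by" clause, and never the
# forgeable From: line) and look it up in a constructed IP-pool assignment log.
import re
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Constructed sample: Klez-style mail with a spoofed From:. The first Received:
# line is the one our own MTA wrote, so it is the only one we trust.
SAMPLE = (
    b"Received: from pc123 (dialup-17.isp.invalid [192.0.2.17]) by mx.example.invalid"
    b" (Postfix) with SMTP id 8F2C1; Tue, 3 Dec 2002 10:15:42 -0800\r\n"
    b"Received: from bogus.invalid ([203.0.113.9]) by pc123; Tue, 3 Dec 2002 10:10:00 -0800\r\n"
    b"From: innocent.victim@example.invalid\r\n"
    b"Subject: a funny website\r\n\r\nbody\r\n"
)
# Constructed pool log, ascending by time: (UTC timestamp, event, address, account)
POOL_LOG = [
    ("2002-12-03 17:55:00", "ASSIGN", "192.0.2.17", "alice"),
    ("2002-12-03 18:05:00", "RELEASE", "192.0.2.17", "alice"),
    ("2002-12-03 18:09:30", "ASSIGN", "192.0.2.17", "bob"),
    ("2002-12-03 18:40:00", "RELEASE", "192.0.2.17", "bob"),
]

def connecting_ip(received: str):
    """IPv4 literal from the 'from' clause of one Received: header, or None."""
    from_clause = received.split(" by ", 1)[0]        # discard the "by ..." part
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_clause)
    return m.group(1) if m else None

def holder_at(log, ip: str, when: datetime):
    """Account that held `ip` at `when` according to the pool log, or None."""
    current = None
    for ts, event, addr, user in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if addr != ip or t > when:
            continue        # later events cannot change who held the address at `when`
        current = user if event == "ASSIGN" else None
    return current

def attribute(raw: bytes):
    """(connecting IP, account) for the topmost Received: header of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    top = msg.get_all("Received")[0]                  # header order is preserved
    ip = connecting_ip(top)
    when = parsedate_to_datetime(top.rsplit(";", 1)[1].strip())
    return ip, holder_at(POOL_LOG, ip, when)
```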
Hmmm...I don't have control over the e-mail server that I am using
at my ISP, but I've only ever seen one e-mail with a koi8r (IIRC)
character set. Maybe that's why....