
How to avoid getting UCEPROTECT ed


holger....@xing.com
Feb 14, 2009, 10:46:08 AM
Hi all,

we're running multiple datacenters with mailhosts for office mail,
customer care and customer subscribed newsletters / customer to
customer email / customer notifications.
Last week, I received the information from customer care that one of
our customers complained about the mails we sent him being rejected
due to UCEPROTECT Level 1. He runs his own mailservers, so he told me
that only the IP used for customer mails seems to be affected. The
mails from customer care are fine and he was wondering why we are on
the UCEPROTECT list at all, as we're sending out no spam at all. More
specifically, we're even whitelisted by many of the bigger providers to
avoid blocks for expected emails.

Looking into what UCEPROTECT is doing, it seems that every one of our
customers would be able to get us on that list by simply using a
honeypot email address.

If I'm right, it would be interesting to know how we could avoid that
abuse of blacklisting. Testing every mail address our customers are
using won't fit, as we would get listed for every hit.

Any recommendations, perhaps from the maintainers of that list, as
they mentioned that list for discussions about their policies?

Kind regards in advance for any help

Holger

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

E-Mail Sent to this address will be added to the BlackLists
Feb 15, 2009, 8:24:23 AM
holger....@xing.com wrote:
> Looking into what uceprotect is doing, it seems that every
> of our customer would be able to get us on that list by
> simply using a honeypot email-address.

That is likely true of many (most?) DNSbls.

> If I'm right, it would be interesting to know how we could
> avoid that abuse of blacklisting. Testing every mail address
> our customers are using won't fit, as we would get listed
> for every hit.

Check your logs, it is very obvious when you hit one of their
spamtraps, then investigate why it happened?


--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>
will be added to the BlackLists.

Claus v. Wolfhausen
Feb 16, 2009, 6:23:23 AM
In article <8d1af119-ea08-4cf8...@i20g2000prf.googlegroups.com>,
holger....@xing.com says...

>
>Hi all,
>
>we're running multiple datacenters with mailhosts for office mail,
>customer care and customer subscribed newsletters / customer to
>customer email / customer notifications.
>Last week, I received the information from customer care that one of
>our customers complained about the mails we sent him being rejected
>due to uceprotect level 1. He runs his own mailservers, so he told me
>that only the IP used for customer mails seems to be affected. The
>mails from customer care are fine and he was wondering why we are on
>the uceprotect at all as we're sending out no spam at all. More
>specific, we're even whitelisted by many of the bigger providers to
>avoid blocks for expected emails.
>
>Looking into what uceprotect is doing, it seems that every of our
>customer would be able to get us on that list by simply using a
>honeypot email-address.

Not really, if you have working PTRs, which I assume you have.
According to our policy for Level 1 you need to hit at least 50 traps to
trigger a Level 1 listing.

>If I'm right, it would be interesting to know how we could avoid that
>abuse of blacklisting. Testing every mail address our customers are
>using won't fit, as we would get listed for every hit.

>Any recommendations, perhaps from the maintainers of that list, as
>they mentioned that list for discussions about their policies?

UCEPROTECT-Networks makes it very easy for you to track down which emails have
led to nominations in our database.

To track down single IPs click on Query database at our website and select IP
or simply use:

http://www.uceprotect.net/en/rblcheck.php?ipr=XXX.XXX.XXX.XXX
where XXX.XXX.XXX.XXX is the IP you want to get information about.

You will find Time and Date of last impact +/- 10 minutes and earliest
automatic expiration date under the tab LISTING-RISK.

In case you are looking for all IP's listed under your ASN, click
on Query Database at our website and select ASN or simply use

http://www.uceprotect.net/en/rblcheck.php?asn=XXXXX

where XXXXX is your AS-Number.

Click Test and wait until the page has fully loaded.
Then scroll down to the end of that page and you will find a link
which is called:

"Details about IP's involved and dates of impacts can be found here."

Click it.

A new tab will open in your browser with all IPs listed in Level 1 for this AS
with times of listings +/- 10 minutes and expected expiration dates.

If that information isn't enough to track down guilty users, simply search your
smtp-logs for permanently rejected recipients in those timeframes (delivery
errors starting with a 5, such as 550 No such user and similar messages).

Every one of those could be the spamtrap or invalid address that got your IP
listed.
Reading the texts of those rejections carefully, it shouldn't be a problem to
find out which was the one that triggered the listing.

In general it makes no sense to send mail to email addresses that result in a
permanent failure (5XX error) again. If you are running a mailing list, you
should unsubscribe such addresses immediately.

If you need exact times and dates of impacts and you want to be alerted on
listings of your IP, IPs inside your netrange or ASN,
feel free to subscribe to our feedback loop.

See: http://monitoring.uceprotect.net for details.

Doing so you should be able to track down customers sending to spamtraps and
email addresses no longer in use for at least 2 years, during the last 7 days.

Preventing getting listed is also VERY easy for hosting providers:

1. Check your new customers before giving complete /24 nets to them.
Use http://www.domaintools.com to check the history of your new customers' domains.
If they had multiple other hosters within a short timeframe before or if they
have multiple brand new domains then you should be very careful before
allowing them to send unlimited emails.

2. Secure your servers so that even dumb customers can't get hacked so easily.
A good idea to realize this is to install MODSECURITY on all servers.
Modsecurity is free and it can prevent the usual attacks against unpatched
servers running insecure scripts, if configured well.

You can get Modsecurity here: http://www.modsecurity.org

3. Monitor and manage your outgoing mails.
You can prevent abusers from getting your mailservers listed in DNSBLs by running a
simple script that monitors the smtp-log and interacts with a database.

Use e.g. MySQL and define a database where entries will be counted down by 1
per hour and removed if the counter is 0.

Now let your script monitor your outgoing maillog and add every user to the
database who manages to send a mail which results in a 550 "No such user" at
the target system.

As soon as a user has a score of 10, temporarily disable his smtp access by giving
450 errors to him.

What will happen then?

If a brave user just misspelled an email address nothing will happen, he will
get a counter of 1 in your database, nothing else.

If a spammer sends his crap, he will have tons of invalid addresses in his
database and so he will get over your limit within some seconds or at most
minutes, and then he will no longer be able to send mail for an hour.

After an hour his counter goes back to 9 and he can send emails again, but that
will not help the spammer, because he will almost immediately get to 10 again by
sending mail to the next invalid user, resulting in another hour of waiting ...

I hope you have seen it is really that easy to stay off our lists (and most
others too).

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net
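The two pieces of advice in the post above, searching the SMTP log for permanent rejects inside a time window and rate-limiting users by a decaying count of 5xx bounces, as one added Python example. This is the editor's code, not part of the thread and not UCEPROTECT's tooling. It parses sendmail-style "to=" log records (the layout the thread's own log excerpts use), where ctladdr= names the local submitting user and dsn= carries the enhanced status code. The sample log lines and addresses are constructed; the syslog year, the 450 reply text and the per-user decay clock (one count per full hour since the entry was created) are assumptions, and a real deployment would back the counter with a database as the post suggests instead of an in-memory dict.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import count
from typing import Dict, List, Optional

# sendmail-style "to=" record; ctladdr= identifies the submitting user, dsn= the status code
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r"to=<(?P<rcpt>[^>]+)>, ctladdr=<(?P<user>[^>]+)>.*?, "
    r"dsn=(?P<dsn>\d\.\d+\.\d+), stat=(?P<stat>.*)$"
)
LOG_YEAR = 2009  # syslog timestamps carry no year; assumed for the sample below


def when(syslog_ts: str) -> datetime:
    """Turn a syslog timestamp ("Feb 16 10:05:00") into a datetime in LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {syslog_ts}", "%Y %b %d %H:%M:%S")


def parse_line(line: str) -> Optional[dict]:
    """Fields of one delivery record, or None for lines that are not deliveries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": when(m["ts"]), "rcpt": m["rcpt"], "user": m["user"],
            "dsn": m["dsn"], "stat": m["stat"]}


def permanent_rejects(log_text: str, start: datetime, end: datetime) -> List[dict]:
    """Deliveries that ended in a permanent (5.x.x) failure inside [start, end];
    run it over the +/- 10 minute window around a listing's impact time."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["dsn"].startswith("5.") and start <= r["ts"] <= end]


class BounceCounter:
    """Per-user score of permanent rejects: +1 per 5xx, -1 per full hour, entry
    dropped at 0. From `threshold` on, the user's submissions get a temporary 450."""

    def __init__(self, threshold: int = 10, decay: timedelta = timedelta(hours=1)):
        self.threshold, self.decay = threshold, decay
        self.score: Dict[str, int] = {}
        self.clock: Dict[str, datetime] = {}  # last point up to which the entry was counted down

    def _age(self, user: str, now: datetime) -> None:
        if user not in self.score:
            return
        steps = int((now - self.clock[user]) / self.decay)  # whole decay intervals elapsed
        if steps > 0:
            self.score[user] = max(0, self.score[user] - steps)
            self.clock[user] += steps * self.decay
        if self.score[user] == 0:
            del self.score[user], self.clock[user]

    def record_reject(self, user: str, now: datetime) -> int:
        """Count one permanent reject for `user`; returns the new score."""
        self._age(user, now)
        if user not in self.score:
            self.clock[user] = now
        self.score[user] = self.score.get(user, 0) + 1
        return self.score[user]

    def is_blocked(self, user: str, now: datetime) -> bool:
        self._age(user, now)
        return self.score.get(user, 0) >= self.threshold

    def smtp_reply(self, user: str, now: datetime) -> str:
        """What the submission server answers this user right now (assumed wording)."""
        if self.is_blocked(user, now):
            return "450 4.7.1 Too many invalid recipients, try again later"
        return "250 OK"


def replay(log_text: str, counter: BounceCounter) -> Dict[str, int]:
    """Feed every permanent reject in the log to the counter, oldest first;
    returns the highest score each user reached."""
    peak: Dict[str, int] = defaultdict(int)
    recs = sorted((r for r in map(parse_line, log_text.splitlines()) if r), key=lambda r: r["ts"])
    for r in recs:
        if r["dsn"].startswith("5."):
            peak[r["user"]] = max(peak[r["user"]], counter.record_reject(r["user"], r["ts"]))
    return dict(peak)


# --- constructed sample log (made up for this example, not taken from the thread) ---
_qid = count(1)

def _line(ts: str, rcpt: str, user: str, dsn: str, stat: str) -> str:
    return (f"{ts} mx1 sm-mta[4242]: n1GA{next(_qid):06d}: to=<{rcpt}>, ctladdr=<{user}> (1001/100), "
            f"delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, "
            f"relay=mx.example.org. [192.0.2.10], dsn={dsn}, stat={stat}")

SAMPLE_LOG = "\n".join(
    [_line("Feb 16 10:00:01", "alice@example.org", "bob@example.net", "2.0.0", "Sent (OK)"),
     _line("Feb 16 10:00:05", "alcie@example.org", "bob@example.net", "5.1.1", "User unknown"),  # one typo
     _line("Feb 16 10:00:09", "carol@example.org", "bob@example.net", "4.4.1", "Deferred: Connection timed out")]
    # a list sender blasting ten dead addresses within ten seconds
    + [_line(f"Feb 16 10:05:{i:02d}", f"old{i}@example.org", "mallory@example.net", "5.1.1", "User unknown")
       for i in range(10)]
)

if __name__ == "__main__":
    c = BounceCounter()
    print(replay(SAMPLE_LOG, c))
    for u in ("bob@example.net", "mallory@example.net"):
        print(u, c.smtp_reply(u, when("Feb 16 10:06:00")))
```

Deferrals (4.x.x) are deliberately not counted, so a recipient host that is merely down does not push a user towards the limit; only permanent rejects do. Replaying the log also shows the behaviour the post describes: the typo sender stays at 1, the list sender reaches 10 within seconds, is answered with 450 for an hour, and is back at 10 after the next dead address.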

holger....@xing.com
Feb 16, 2009, 5:54:14 PM

> Not really, if you have working PTR's, which i assume you have.
> According to our policy for Level 1 you need to hit at least 50 traps to
> trigger a Level 1 listing.

That sounds good, thanks for clarifying this.

>
> UCEPROTECT-Networks makes it very easy for you to track down which emails have
> lead to nominations at our database.
>
> To track down single IP's click on Query database at our website and select IP
> or simply use:
>
> http://www.uceprotect.net/en/rblcheck.php?ipr=XXX.XXX.XXX.XXX
> where XXX.XXX.XXX.XXX is the IP you want to get informations.
>
> You will find Time and Date of last impact +/- 10 minutes and earliest
> automatic expiration date under the tab LISTING-RISK.
>

Ok, I'll ask my people to check for that and find a solution to avoid
getting caught by your traps.

Kind regards

Holger

Seth
Feb 24, 2009, 8:18:34 PM
In article <8d1af119-ea08-4cf8...@i20g2000prf.googlegroups.com>,
<holger....@xing.com> wrote:

>Looking into what uceprotect is doing, it seems that every of our
>customer would be able to get us on that list by simply using a
>honeypot email-address.

Why is your user sending mail to honeypot addresses? Are you sure you
want to retain that customer?

Seth

Steve Watt
Feb 25, 2009, 6:32:19 PM
In article <go17hv$afe$1...@reader1.panix.com>, Seth <se...@panix.com> wrote:
>In article <8d1af119-ea08-4cf8...@i20g2000prf.googlegroups.com>,
> <holger....@xing.com> wrote:
>
>>Looking into what uceprotect is doing, it seems that every of our
>>customer would be able to get us on that list by simply using a
>>honeypot email-address.
>
>Why is your user sending mail to honeypot addresses? Are you sure you
>want to retain that customer?

I just learned (the hard way) that their honeypot addresses are rather
too easy to find.

I ran a test with blacklistalert.org on my multi-A-record system. I got
back the result warning that my rDNS was inconsistent because they had
failed to check both A records; they just did the first one they got.

So I thought I'd send them a note alerting to that fact. Since there's
no obvious contact address, I tried "webm...@blacklistalert.org"...

Feb 23 18:17:50 wattres sm-mta[54186]: n1O2HjCs054184: to=<webm...@blacklistalert.org>, ctladdr=<st...@Watt.COM> (1001/100), delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=31236, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable

I don't have the exact text from the DSN handy (deleted it already),
but I still thought I had a bug, so I looked in the whois, noticed that
it's admins.ws, and tried postm...@admins.ws. After some time of
TCP-connection-unanswered presumably greylisting, my mailserver got
through...

Feb 24 06:32:01 wattres sm-mta[84071]: n1O2KSlN054428: to=<postm...@admins.ws>, ctladdr=<st...@Watt.COM> (1001/100), delay=12:11:32, xdelay=00:00:03, mailer=esmtp, pri=2371439, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable

That DSN came back:
.. while talking to unimatrix.admins.ws.:
>>> RCPT To:<postm...@admins.ws>
<<< 571 Your IP is BLACKLISTED at UCEPROTECT-LEVEL 1 - See: http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130
554 5.0.0 Service unavailable
>>> DATA
<<< 421 Service no longer available for you, closing transmission channel

So, it's apparently quite possible for a human to send a single message
to a reasonably-guessed account and get blacklisted by UCEPROTECT.

That's not what I'd call responsible blacklist operation. I eventually
found a path into the UCEPROTECT trouble ticketing system, so they did
hear about the script problem. Got a typically rude response, as they
seem to assume all who contact them are spammers, and not normal people.

And, amusingly, their script now correctly deals with my DNS and no
longer complains.

So, yeah, it _is_ possible for a well-meaning human to hit their
spamtraps.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...

grin
Feb 26, 2009, 5:55:39 PM
On Wed, 25 Feb 2009 23:32:19 GMT
Steve Watt <st...@Watt.COM> wrote:

> So, it's apparently quite possible for a human to send a single message
> to a reasonably-guessed account and get blacklisted by UCEPROTECT.

Well webmaster@ is in the RFC, too, so the guess would be extremely
"reasonable". Dunno about its honeypotness, though. I'd say it'd be
pretty rude to use it as a honeypot. YMMV.

--
One of the hunters being hunted.

Hal Murray
Feb 27, 2009, 6:29:15 PM

>Well webmaster@ is in the RFC, too, so the guess would be extremely
>"reasonable". Dunno about its honeypotness, though. I'd say it'd be
>pretty rude to use it as a honeypot. YMMV.

If you don't have a web site, why would anybody (other than a
spammer) send mail to webmaster?


--
These are my opinions, not necessarily my employer's. I hate spam.

E-Mail Sent to this address will be added to the BlackLists
Feb 28, 2009, 7:04:19 PM
Steve Watt wrote:
> I just learned (the hard way) that their honeypot
> addresses are rather too easy to find.
...
> Feb 23 18:17:50 wattres sm-mta[54186]: n1O2HjCs054184: to=<webm...@blacklistalert.org>, ctladdr=<st...@Watt.COM> (1001/100), delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=31236, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable
>
> I don't have the exact text from the DSN handy (deleted
> it already), but I still thought I had a bug, so I
> looked in the whois, noticed that it's admins.ws, and
> tried postm...@admins.ws. After some time of
> TCP-connection-unanswered presumably greylisting, my
> mailserver got through...
>
> Feb 24 06:32:01 wattres sm-mta[84071]: n1O2KSlN054428: to=<postm...@admins.ws>, ctladdr=<st...@Watt.COM> (1001/100), delay=12:11:32, xdelay=00:00:03, mailer=esmtp, pri=2371439, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable
>
> That DSN came back:
> .. while talking to unimatrix.admins.ws.:
>>>> RCPT To:<postm...@admins.ws>
> <<< 571 Your IP is BLACKLISTED at UCEPROTECT-LEVEL 1 - See: http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130
> 554 5.0.0 Service unavailable
>>>> DATA
> <<< 421 Service no longer available for you, closing transmission channel
>
> So, it's apparently quite possible for a human to send a
> single message to a reasonably-guessed account and get
> blacklisted by UCEPROTECT.

(Shrug) Perhaps.

Although I don't see
<http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130>
listed, nor in the
"Details about IP's involved and dates of impacts can be found here"
popup? {Stuff in there as old as the 20th.}

I think you may have to do some more research to be certain
of what you think you are seeing.

... or actually have several conversations with UCEprotect.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.


======================================= MODERATOR'S COMMENT:

apologies for missing this earlier in my mailbox...


Steve Watt
Mar 1, 2009, 11:15:28 PM
In article <spOdnU93x-7r0jrU...@megapath.net>,
Hal Murray <hal-u...@ip-64-139-1-69.sjc.megapath.net> wrote:
>
>>Well webmaster@ is in the RFC, too, so the guess would be extremely
>>"reasonable". Dunno about its honeypotness, though. I'd say it'd be
>>pretty rude to use it as a honeypot. YMMV.
>
>If you don't have a web site, why would anybody (other than a
>spammer) send mail to webmaster?

But they did (and do) have a web site, that of "blacklistalert.org".
If you believe you find a bug in the behavior of that site, it's
very hard to locate a contact address (I couldn't on a cursory try),
and there's no "contact us" page with either a web form or an email
address, hence the attempt at the (seemingly obvious) webmaster@.

By the way, the DSN I got back the first time is:

>>> RCPT TO:<webm...@blacklistalert.org>
<<< 571 Your IP will be reported to the UCEPROTECT-Network - better watch out next time.


Elsethread,

In article <0bnpl.13671$D32....@flpi146.ffdc.sbc.com>,
E-Mail Sent to this address will be added to the BlackLists <Nu...@BlackList.Anitech-Systems.invalid> wrote:
>Although I don't see
> <http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130>
> Listed,

It's been fixed. The second time around the ticketing system I
got someone with slightly less attitude.

And yes, I did have a conversation with someone from UCEPROTECT.
Twice.

I'll admit that it lowered my opinion of their service a great
deal.


--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...


Claus v. Wolfhausen
Mar 2, 2009, 6:35:24 PM
In article <gofpn6$2fv$1...@wattres.Watt.COM>, steve.re...@Watt.COM says...

>
>In article <spOdnU93x-7r0jrU...@megapath.net>,
>Hal Murray <hal-u...@ip-64-139-1-69.sjc.megapath.net> wrote:
>>
>>>Well webmaster@ is in the RFC, too, so the guess would be extremely
>>>"reasonable". Dunno about its honeypotness, though. I'd say it'd be
>>>pretty rude to use it as a honeypot. YMMV.
>>
>>If you don't have a web site, why would anybody (other than a
>>spammer) send mail to webmaster?
>
>But they did (and do) have a web site, that of "blacklistalert.org".
>If you believe you find a bug in the behavior of that site, it's
>very hard to locate a contact address (I couldn't on a cursory try),
>and there's no "contact us" page with either a web form or an email
>address, hence the attempt at the (seemingly obvious) webmaster@.

That website is a multi-DNSBL lookup tool only.
If we enabled webmaster there then we would get some hundred additional
messages such as "Please remove me from your list - I'm no spammer", only to find out that
those lusers are listed at other DNSBLs outside our control.

Whois contacts are working and so is the link to our company's main website,
which has a contact form too, so there was no reason to play around.

>By the way, the DSN I got back the first time is:
>
>>>> RCPT TO:<webm...@blacklistalert.org>
><<< 571 Your IP will be reported to the UCEPROTECT-Network - better watch out next time.
>

Exactly: Your IP got reported - and firewalled for the next hour.

>Elsethread,
>
>In article <0bnpl.13671$D32....@flpi146.ffdc.sbc.com>,
>E-Mail Sent to this address will be added to the BlackLists <Nu...@BlackList.Anitech-Systems.invalid> wrote:
>>Although I don't see
>> <http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130>
>> Listed,
>
>It's been fixed. The second time around the ticketing system I
>got someone with slightly less attitude.

My ticket system told me that you were both times talking to the same person,
namely Mr. Hielder.

The only difference was that you did not choose wordings such as "broken system"
in your second message and therefore his answer to you was also more
friendly.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net


Claus v. Wolfhausen
Mar 2, 2009, 6:48:16 PM
In article <200902252342....@wattres.watt.com>,
steve.re...@Watt.COM says...

>
>In article <go17hv$afe$1...@reader1.panix.com>, Seth <se...@panix.com> wrote:
>>In article <8d1af119-ea08-4cf8...@i20g2000prf.googlegroups.com>,
>> <holger....@xing.com> wrote:
>>
>>>Looking into what uceprotect is doing, it seems that every of our
>>>customer would be able to get us on that list by simply using a
>>>honeypot email-address.
>>
>>Why is your user sending mail to honeypot addresses? Are you sure you
>>want to retain that customer?
>
>I just learned (the hard way) that their honeypot addresses are rather
>too easy to find.

Did we ever claim that they would be hard to find?

>I ran a test with blacklistalert.org on my multi-A-record system. I got
>back the result warning that my rDNS was inconsistent because they had
>failed to check both A records; they just did the first one they got.

Blacklistalert.org is a lookup page only, but of course we want people to
follow best practices, therefore we are giving additional hints on DNS too.

Indeed there is not even a requirement in any RFC that you must have a PTR,
but it is best practice to have one unique PTR set per IP used for email.

Having unique PTRs per IP does not interfere with legitimate reasons
(redundancy or load balancing) to have hostnames which have multiple A records.

While your actual setup seems to be (watt.com zone):

wattres A 199.33.193.130
wattres A 66.93.133.130

And PTRs in your
133.93.66.in-addr.arpa:
130 PTR wattres.watt.com.

193.33.199.in-addr.arpa:
130 PTR wattres.watt.com.


You could have set up the following instead:

in your watt.com DNS:

wattres A 199.33.193.130
wattres A 66.93.133.130
wattres1 A 199.33.193.130
wattres2 A 66.93.133.130

And correlating PTRs in your

133.93.66.in-addr.arpa:
130 PTR wattres2.watt.com.

193.33.199.in-addr.arpa:
130 PTR wattres1.watt.com.

As you can see that doesn't interfere with multi-homed hosting and it would
have cost you 2 additional lines in your DNS only.

Most other multi-homed systems out there have such good setups.
I know from experience that only about 1 multi-homed system in 10000 has that
"lazy" kind of setup that you have done.

Logic says that people who are too lazy to write 2 additional DNS lines
might also have been too lazy to care about their systems' security.
At least it is a strong indicator.

Blacklistalert.org therefore defines a PTR as inconsistent if it points to a
hostname which leads to multiple IPs (A records) or, worse, to CNAME
records, or if the hostname does not lead to the correct IP and vice versa.

>So I thought I'd send them a note alerting to that fact. Since there's
>no obvious contact address, I tried "webm...@blacklistalert.org"...

Your second fault. What do you think whois records are for?
Guessing email addresses is never a good option.
Needless to say that people like you who are posting email addresses unmunged
in newsgroups are the reason why that webmaster email address doesn't exist.

>Feb 23 18:17:50 wattres sm-mta[54186]: n1O2HjCs054184: to=<webmaster@blacklistalert.org>, ctladdr=<st...@Watt.COM> (1001/100), delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=31236, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable

>I don't have the exact text from the DSN handy (deleted it already),
>but I still thought I had a bug, so I looked in the whois, noticed that
>it's admins.ws, and tried postm...@admins.ws. After some time of
>TCP-connection-unanswered presumably greylisting, my mailserver got
>through...

Your IP did get firewalled for 60 minutes only.

>Feb 24 06:32:01 wattres sm-mta[84071]: n1O2KSlN054428: to=<postm...@admins.ws>, ctladdr=<st...@Watt.COM> (1001/100), delay=12:11:32, xdelay=00:00:03, mailer=esmtp, pri=2371439, relay=unimatrix.admins.ws. [194.95.224.137], dsn=5.0.0, stat=Service unavailable
>
>That DSN came back:
>.. while talking to unimatrix.admins.ws.:
>>>> RCPT To:<postm...@admins.ws>

Thank you for posting another role account unmunged :-(
People like you don't have to wonder why we are also filtering abuse and
postmaster addresses like they would be any other valid account here.

><<< 571 Your IP is BLACKLISTED at UCEPROTECT-LEVEL 1 - See: http://www.uceprotect.net/rblcheck.php?ipr=66.93.133.130
>554 5.0.0 Service unavailable
>>>> DATA
><<< 421 Service no longer available for you, closing transmission channel
>
>So, it's apparently quite possible for a human to send a single message
>to a reasonably-guessed account and get blacklisted by UCEPROTECT.

We never said it is not possible to get listed for hitting one invalid
address.

There were multiple factors that led to a listing in Level 1 and they were
told to you in detail by our staff.

1. 66.93.133.130 was detected to be a DSL connection, which is not really bad,
but it indicates a home server and not a big ISP's MTA hosting thousands of
customers. In general a DSL-Line is a dialup connection, even if it has a
static IP.

Hitting a non-existing email address from a dialup connection clearly
matches the Level 1 listing criteria.

See: http://www.uceprotect.net/en/index.php?m=3&s=3

2. Your DNS has a "lazy" setup, which did not increase your IP's trustworthiness.

3. Your domain watt.com is using nameservers categorized as spammy here:
We have only seen lots of spam but never ham from domains which also have
everydns.net nameservers.

In particular you can say thank you to qualitymedlists.com, ssteens.com,
sexygoa.com and the other spammers sharing those everydns.net nameservers with
you, so our system had real reasons to believe that you would also be a
spammer.

I can't speak for other blocklists out there, but if we configured our
system to ignore such serious reasons as told above, then we would probably
miss lots of spammers.

After you contacted us using the form on our website and an operator reviewed
your case you got removed immediately, free of charge, so what are you
complaining about?

We did never claim an automatic system as UCEPROTECT would be 100% error free.
In fact shit can happen and we are the only blocklist that is publishing their
hits and also their false positives.

See here: http://stats.uceprotect.net

You will also see that there are some lists having fewer false positives than
ours, while having fewer hits on the other hand, and more important:
There is really NO ONE with 0.000% false positives.

The graphic shows you the real mailflow of those of our customers that have
freely chosen to enable "report spammers and false positives" in their
appliances / software.

Those customers are mostly located in Germany, Austria and Switzerland, but you
will find interesting parallels to Al Iverson's stats at
http://stats.dnsbl.com who is measuring his personally constructed mailflow with
a completely different methodology than we do.

This is how we are counting Spamtrap hits and also False positives:

All Lists are queried at every connection after RCPT TO:

Spamtrap hits (Displayed in green):
Every mail sent to a spamtrap is counted as a hit for those blocklists that
report the IP / domain as listed.

False positives (Displayed in red):
Every mail sent to an existing recipient is counted as a false positive for those
blocklists that report the IP / domain as listed and the sender is in
the recipient's automatic or manual whitelist.

Counters for the non-existing (virtual) zone uceprotect.combined are incremented
ONCE only, according to the description above, if any of the 4 real existing
dnsbl-*.uceprotect.net zones reports listed.

>That's not what I'd call responsible blacklist operation. I eventually
>found a path into the UCEPROTECT trouble ticketing system, so they did
>hear about the script problem. Got a typically rude response, as they
>seem to assume all who contact them are spammers, and not normal people.

Oh, I have seen the ticket where you wrote to us about our "broken system".
Mr. Hielder, who answered it, was not unfriendly to you - he just told you the
facts.

>And, amusingly, their script now correctly deals with my DNS and no
>longer complains.

I know for sure that there were no modifications to that website.
You know what a 50/50 chance in combination with a DNS cache can lead to?

>So, yeah, it _is_ possible for a well-meaning human to hit their
>spamtraps.

Never said anything different. If you look suspicious enough by using the same
DNS as notorious spammers and you are sending mail from a dialup line to a
non-existing email address, then yes, you can get listed at Level 1, but that is
also explained that way in the Level 1 policy:

http://www.uceprotect.net/en/index.php?m=3&s=3

Again: What are you complaining about?

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net
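The counting method described in the post above, as an added example that is not UCEPROTECT's code: a constructed, offline model in which each DNSBL "query" is a lookup in a dict of listed IPs, the zone names, addresses, spamtrap and whitelist are made up, and the virtual combined zone is counted once per RCPT TO: whenever any member zone answers listed.

```python
from collections import defaultdict

# Constructed stand-ins: the four member zones of the virtual combined zone and
# a non-member list. In a real deployment each zone would be a DNS query.
COMBINED = "uceprotect.combined"            # virtual zone named in the post
MEMBER_ZONES = ["dnsbl-1.example", "dnsbl-2.example",
                "dnsbl-3.example", "dnsbl-4.example"]


class TrapStats:
    """Counts spamtrap hits and false positives per blocklist.

    Lists are queried at RCPT TO:; a mail to a spamtrap is a hit for every list
    that says 'listed'; a mail to an existing mailbox from a sender on that
    recipient's whitelist is a false positive for every list that says 'listed';
    the virtual combined zone is counted once if any member zone is listed.
    """

    def __init__(self, listings, spamtraps, mailboxes, whitelist):
        self.listings = listings          # zone -> set of listed sender IPs
        self.spamtraps = set(spamtraps)
        self.mailboxes = set(mailboxes)
        self.whitelist = whitelist        # recipient -> set of whitelisted senders
        self.hits = defaultdict(int)
        self.false_positives = defaultdict(int)

    def _query_all(self, ip):
        listed = {zone for zone, ips in self.listings.items() if ip in ips}
        # Virtual zone: counted ONE only, if any member zone reports listed.
        if listed & set(MEMBER_ZONES):
            listed.add(COMBINED)
        return listed

    def rcpt_to(self, sender_ip, sender, recipient):
        """Classify one RCPT TO: and update the counters; returns the class."""
        listed = self._query_all(sender_ip)
        if recipient in self.spamtraps:
            for zone in listed:
                self.hits[zone] += 1
            return "spamtrap-hit"
        if recipient in self.mailboxes and sender in self.whitelist.get(recipient, ()):
            for zone in listed:
                self.false_positives[zone] += 1
            return "false-positive" if listed else "whitelisted-ham"
        # Unknown recipient or sender not whitelisted: no evidence either way.
        return "uncounted"

    def false_positive_rate(self, zone):
        total = self.hits[zone] + self.false_positives[zone]
        return self.false_positives[zone] / total if total else 0.0


def demo():
    """Constructed sample traffic: two trap hits from listed IPs, whitelisted ham
    from a listed IP, and a trap hit from an IP nobody lists."""
    listings = {
        "dnsbl-1.example": {"192.0.2.10", "192.0.2.20"},
        "dnsbl-2.example": {"192.0.2.10"},
        "dnsbl-3.example": set(),
        "dnsbl-4.example": {"192.0.2.20"},
        "other-list.example": {"192.0.2.10", "192.0.2.30"},   # not a member zone
    }
    stats = TrapStats(listings,
                      spamtraps=["trap@example.org"],
                      mailboxes=["alice@example.org"],
                      whitelist={"alice@example.org": {"bob@example.net"}})
    events = [
        ("192.0.2.10", "x@spam.example", "trap@example.org"),
        ("192.0.2.20", "y@spam.example", "trap@example.org"),
        ("192.0.2.30", "bob@example.net", "alice@example.org"),
        ("192.0.2.10", "bob@example.net", "alice@example.org"),   # same IP, wanted mail
        ("192.0.2.40", "z@spam.example", "trap@example.org"),     # listed nowhere
    ]
    return stats, [stats.rcpt_to(*e) for e in events]


if __name__ == "__main__":
    stats, results = demo()
    for zone in MEMBER_ZONES + [COMBINED, "other-list.example"]:
        print(zone, stats.hits[zone], stats.false_positives[zone],
              round(stats.false_positive_rate(zone), 3))
```

The fourth event is the interesting one: the same IP both hits the trap and delivers whitelisted mail, so each listing zone gets a hit and a false positive, which is exactly how the published graphs end up with both colours for one source.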


MrD

Mar 3, 2009, 6:52:07 AM
Claus v. Wolfhausen wrote:
> In general a DSL-Line is a dialup connection, even if it has a static
> IP.

Not really. Dialup is dialup, DSL is DSL. Dialup connections are
intermittent; DSL connections are continuous (as long as the router is
switched on - same as any internet connection, really).

--
MrD.

Hal Murray

Mar 3, 2009, 6:51:11 AM

>>>Well webmaster@ is in the RFC, too, so the guess would be extremely
>>>"reasonable". Dunno about its honeypotness, though. I'd say it'd be
>>>pretty rude to use it as a honeypot. YMMV.
>>
>>If you don't have a web site, why would anybody (other than a
>>spammer) send mail to webmaster?
>
>But they did (and do) have a web site, that of "blacklistalert.org".
>If you believe you find a bug in the behavior of that site, it's
>very hard to locate a contact address (I couldn't on a cursory try),
>and there's no "contact us" page with either a web form or an email
>address, hence the attempt at the (seemingly obvious) webmaster@.

I was commenting on the general case rather than something
specific.

I agree that if you have a web site it would be unreasonable
to use webmaster as a spamtrap. I occasionally send comments
to webmasters, usually about bugs in web pages.

But if a site doesn't have any web pages, is there any
need for a webmaster mailbox? Who would send to it other
than a spammer?

I wonder how many SEO hits per day one would get. :)

--
These are my opinions, not necessarily my employer's. I hate spam.


Martijn Lievaart

Mar 3, 2009, 11:26:06 AM
On Sun, 01 Mar 2009 00:06:20 +0000, Steve Watt wrote:

[ not snipping too much, context is important ]

I just see that you are blacklisted. Nowhere do I see that one of the
actions above got you blacklisted. I think you are drawing false
conclusions.

M4

AntiSpam

Mar 3, 2009, 12:26:18 PM
The scribbles of
Claus v. Wolfhausen <use-reply-...@remove-this.com> looked something like:

> In general a DSL-Line is a dialup connection, even if it has a
> static IP.
>
> Hitting a non existing emailaddress from a Dialup connection is clearly
> matching Level 1 Listing criterias.

Defining DSL as "dial-up" is, to put it mildly, a stretch.

A DSL connection with static IP addressing (and appropriate PTR records)
should be treated no differently than any other layer 2 link - because
that's exactly what it is.

Just my .02

--
Current Peeve: The mindset that the Internet is some sort of school for
novice sysadmins and that everyone -not- doing stupid dangerous things
should act like patient teachers with the ones who are. -- Bill Cole, NANAE

E-Mail Sent to this address will be added to the BlackLists

Mar 3, 2009, 3:17:18 PM
Claus v. Wolfhausen wrote:
> stats.uceprotect.net

> This is how we are counting Spamtrap hits and also False positives:
>
> Spamtrap hits (Displayed in green):
> Every mail sent to a spamtrap is counted as a hit for those blocklists that
> report the IP / domain as listed.
>
> False positives (Displayed in red):
> Every mail sent to an existing recipient is counted as a false positive for those
> blocklists that report the IP / domain as listed and the sender is in
> the recipient's automatic or manual whitelist.

Interesting.

Even more interesting would be to see the SBL in that same comparison.

{Although that may be unlikely due to the Spamhaus pricing schedule
for "Commercial Filter Service/Appliance/Data Integrator".}

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

MrD

Mar 3, 2009, 3:17:43 PM
Claus v. Wolfhausen wrote:
> That website is a multi-dnsbl lookup tool only. If we enabled
> webmaster there then we would get some hundred additional messages like
> "Please remove me from your list - I'm no spammer" to find out that
> those lusers are listed at other dnsbls outside our control.

So discard mail to the webmaster role, if that's what you want to do.
But it's really pretty crap to make a spamtrap out of a role account.

I'm not impressed.

--
MrD.

Claus v. Wolfhausen

Mar 4, 2009, 2:19:00 PM
In article <_z0rl.8577$%54....@nlpi070.nbdc.sbc.com>,
Nu...@BlackList.Anitech-Systems.invalid says...

>
>Claus v. Wolfhausen wrote:
>> stats.uceprotect.net
>> This is how we are counting Spamtrap hits and also False positives:
>>
>> Spamtrap hits (Displayed in green):
>> Every mail sent to a spamtrap is counted as a hit for those blocklists that
>> report the IP / domain as listed.
>>
>> False positives (Displayed in red):
>> Every mail sent to an existing recipient is counted as a false positive for those
>> blocklists that report the IP / domain as listed and the sender is in
>> the recipient's automatic or manual whitelist.
>
>Interesting.
>
>Even more interesting would be to see the SBL in that same comparison.
>
> {Although that may be unlikely due to the Spamhaus pricing schedule
> for "Commercial Filter Service/Appliance/Data Integrator".}

As you said: we could not measure Spamhaus for exactly that reason.
Also, any other list that requires you to register cannot be measured
in our comparison.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net


Claus v. Wolfhausen

Mar 4, 2009, 2:17:24 PM
In article <slrngqr0qt....@blargman.internal.isomedia.com>,
Anti...@blarg.net says...

>Defining DSL as "dial-up" is, to put it mildly, a stretch.
>
>A DSL connection with static IP addressing (and appropriate PTR records)
>should be treated no differently than any other layer 2 link - because
>that's exactly what it is.

I really wish I could do so, but unfortunately there is a huge difference
between a provider's outgoing mail relay handling 500000 email addresses and
a SoHo system used by mom, dad, 2 children and their dog :-)

Listing that SoHo system you will mostly get those that have caused the problem
by their lack of security measures.

Listing that provider's mail relay will result in huge numbers of false positives and loud
whining about the bad UCEPROTECT-Lists.

I believe you now have a better understanding of why we handle them a little bit
differently.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net


Shmuel (Seymour J.) Metz

Mar 5, 2009, 9:27:44 AM
Note: I normally come in on the side of the DNSBL operator, but in
this case I am forced to agree with the listee ABOUT THE SPECIFIC
ISSUE. That does not mean, of course, that I see anything amiss about
listing him for other reasons.

In <gohqp9$eej$1...@ulm.shuttle.de>, on 03/02/2009
at 11:48 PM, use-reply-...@remove-this.com (Claus v. Wolfhausen)
said:

>Indeed there is not even a requirement in any RFC that you must have a
>PTR,

RFC 1035 says "The intent of this domain is to provide a guaranteed method
to perform host address to host name mapping," which suggests a
requirement. RFC 1912 says "For every IP address, there should be a
matching PTR record in the in-addr.arpa domain." While these don't use
RFC 2119 language, the intent seems clear.

>You could have set up the following better instead:

How is it better for him to invent and use extraneous host names instead
of the proper host names?

>193.22.199.in-addr.arpa:

193.33.199.in-addr.arpa:, Shirley.

>As you can see that doesn't interfere with multi-homed hosting and it
>would have cost you 2 additional lines in your DNS only.

And looked like deliberate obfuscation.

>I know from experience that only about 1 multi-homed system in 10000 has
>that "lazy" kind of setup that you have done.

Sometimes the mob is wrong.

>Logic says that people who are too lazy to write 2 additional DNS
>lines might also have been too lazy to care about their systems'
>security.

Logic also says that sometimes a perception of laziness is misguided. In
this case he seems to have DTRT.

>Blacklistalert.org therefore defines a PTR as inconsistent if it points
>to a hostname which leads to multiple IPs (A records)

Now *that* sounds lazy.

>or even worse to CNAME records

There we agree, since RFC 1912 says not to.

>Your second fault. What do you think are whois records for?

They're for fallback when other types of contact aren't appropriate.

>Guessing emailaddresses is never a good option.

Sending to an RFC 2142 address is hardly "guessing".

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org
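The disputed PTR rule above, as an added example that is not blacklistalert.org's code: a forward-confirmed reverse DNS check run against a constructed in-memory DNS (documentation addresses, made-up names), with a `strict` switch that models the "inconsistent if the name has several A records" reading beside the lenient RFC 1912 reading under which a multi-homed host passes; a PTR to a CNAME fails under both.

```python
class FakeDNS:
    """Constructed stand-in for a resolver so the check runs offline."""

    def __init__(self, ptr, a, cname):
        self.ptr = ptr        # ip -> list of host names
        self.a = a            # name -> list of IPs
        self.cname = cname    # name -> canonical name


def forward_lookup(dns, name, max_chain=8):
    """Follow CNAMEs to the A records and report whether a CNAME was crossed
    (RFC 1912 says a PTR must not point at a CNAME)."""
    crossed = False
    for _ in range(max_chain):
        if name not in dns.cname:
            return dns.a.get(name, []), crossed
        crossed = True
        name = dns.cname[name]
    raise ValueError("CNAME chain too long")


def check_ptr(dns, ip, strict=False):
    """Forward-confirmed reverse DNS for ip.

    strict=False: every name the PTR gives must resolve back to ip; a host name
    with several A records (multi-homed) is fine as long as ip is among them.
    strict=True: additionally reject a name with more than one A record, which
    is the 'lazy setup is inconsistent' rule argued over in the thread.
    Returns (status, detail).
    """
    names = dns.ptr.get(ip, [])
    if not names:
        return "no-ptr", "no PTR record"
    for name in names:
        try:
            addrs, via_cname = forward_lookup(dns, name)
        except ValueError as err:
            return "inconsistent", str(err)
        if via_cname:
            return "inconsistent", f"{name} is a CNAME"
        if ip not in addrs:
            return "inconsistent", f"{name} does not resolve back to {ip}"
        if strict and len(addrs) > 1:
            return "inconsistent", f"{name} is multi-homed ({len(addrs)} A records)"
    return "consistent", ", ".join(names)


# Constructed zone data: one multi-homed name for two IPs (the "lazy" layout),
# one name per IP, a PTR to a CNAME, and a PTR whose forward does not match.
DNS = FakeDNS(
    ptr={"203.0.113.10": ["mx.example.org"],
         "203.0.113.11": ["mx.example.org"],
         "203.0.113.12": ["mail.example.org"],
         "203.0.113.13": ["alias.example.org"],
         "203.0.113.14": ["bogus.example.org"]},
    a={"mx.example.org": ["203.0.113.10", "203.0.113.11"],
       "mail.example.org": ["203.0.113.12"],
       "real.example.org": ["203.0.113.13"],
       "bogus.example.org": ["198.51.100.5"]},
    cname={"alias.example.org": "real.example.org"},
)

if __name__ == "__main__":
    for ip in sorted(DNS.ptr) + ["203.0.113.99"]:
        print(ip, check_ptr(DNS, ip), check_ptr(DNS, ip, strict=True))
```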

E-Mail Sent to this address will be added to the BlackLists

Mar 5, 2009, 2:49:09 PM
Shmuel (Seymour J.) Metz wrote:
> RFC 1035 says "The intent of this domain is to provide a
> guaranteed method to perform host address to host name
> mapping," which suggests a requirement.

> RFC 1912 says "For every IP address, there should be a
> matching PTR record in the in-addr.arpa domain."

That "should" in RFC 1912 you quoted is "RFC 2119 language",
RFC 2119, RFC Key Words, Abstract,
3. SHOULD This word, or the adjective "RECOMMENDED" ...

> While these don't use RFC 2119 language, the intent seems clear.

Although RFC 2119 was created a year later.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.


Shmuel (Seymour J.) Metz

Mar 5, 2009, 6:08:33 PM
In <yO-dnZmTf8vCCjHU...@megapath.net>, on 03/03/2009
at 11:51 AM, hal-u...@ip-64-139-1-69.sjc.megapath.net (Hal Murray)
said:

>But if a site doesn't have any web pages, is there any
>need for a webmaster mailbox?

None whatsoever. But using it as a spamtrap raises the potential risk that
you might put up a web site at a future date and forget to remove the
filter.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org


grin

Mar 6, 2009, 3:18:41 AM
On Thu, 5 Mar 2009 23:08:33 GMT
"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> In <yO-dnZmTf8vCCjHU...@megapath.net>, on 03/03/2009
> at 11:51 AM, hal-u...@ip-64-139-1-69.sjc.megapath.net (Hal Murray)
> said:
>
> >But if a site doesn't have any web pages, is there any
> >need for a webmaster mailbox?
>
> None whatsoever. But using it as a spamtrap raises the potential risk that
> you might put up a web site at a future date and forget to remove the
> filter.

I think you shouldn't mix up "need to have" and "used as a spamtrap".

First yes, you do not need to have it, you may, your choice.

Second, you have to decide why you operate spamtrap addresses at
all.

If your intent is to receive only spam there, so you can block
spammers, and only spammers, then you must not use it as a trap.
Nonspammers may very possibly use it following RFCs intents, and you
may hurt the innocent.

If your intent is to block anyone who dares to use your precious
non-existent administrative address, to demonstrate that you're free to
block whoever you please, to show us mortals that it's you who decides
who's a spammer and who's not in the universal sense, then you may use it
as a spamtrap, or use postmaster, or any address you please, really.
It's highly ineffective, rude to the administrative community in
general, but you're completely free to do that. It's your address, your
blocklist. Just please tell others about your practices, so they can
avoid using it.

<g>


--
One of the hunters being hunted.

Larry M. Smith

Mar 7, 2009, 8:17:24 AM
grin wrote:
> On Thu, 5 Mar 2009 23:08:33 GMT
> "Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:
>
>> In <yO-dnZmTf8vCCjHU...@megapath.net>, on 03/03/2009
>> at 11:51 AM, hal-u...@ip-64-139-1-69.sjc.megapath.net (Hal Murray)
>> said:
>>
>>> But if a site doesn't have any web pages, is there any
>>> need for a webmaster mailbox?
>> None whatsoever. But using it as a spamtrap raises the potential risk that
>> you might put up a web site at a future date and forget to remove the
>> filter.
>
> I think you shouldn't mix up "need to have" and "used as a spamtrap".
>
> First yes, you do not need to have it, you may, your choice.
>
> Second, you have to decide why you operate spamtrap addresses at
> all.
>
> If your intent is to receive only spam there, so you can block
> spammers, and only spammers, then you must not use it as a trap.
> Nonspammers may very possibly use it following RFCs intents, and you
> may hurt the innocent.
>

I disagree with this somewhat. Sure, you don't want to set it up in
such a way that any single email to any RFC-2142 address (spam or not)
will result in a listing without further checks. Without giving away
anything here that the spammers might want to avoid, you can check an
email message to ensure that it is both spam and not relayed via a real
MTA. In such cases you might be able to safely list an IP address
hitting your webmaster account.

> If your intent is to block anyone who dares to use your precious
> non-existent administrative address, to demonstrate that you're free to
> block whoever you please, to show us mortals that it's you who decides
> who's a spammer and who's not in the universal sense, then you may use it
> as a spamtrap, or use postmaster, or any address you please, really.

Beware DNSBL operators! You would need to make very sure that you are
not listing something that has simply been misaddressed. I have seen
the following cases where my traps have seen non-spam email:

* Users misspell addresses all the time, including domains.
* Users configure their client's Reply-to field to your trap domain.
* Typos in data entry.
* Forged signups result in closed-loop probes to traps.
* Responses to old list-serv, Usenet posts, documents on the web.

I'm sure there are other examples, but these should be enough to point
out that just because an email hits a trap, it doesn't mean that it
should automatically be a listable event. If you have more than a few
hits from a single source, perhaps. If you have a living breathing
person reviewing your trap hits, sure why not. If you can prove that it
was sent direct-to-mx from spammer rat-ware, you betcha! But a single
message that may be a misaddressed email, not really.

> It's highly ineffective, rude to the administrative community in
> general, but you're completely free to do that. It's your address, your
> blocklist. Just please tell others about your practices, so they can
> avoid to use it.

I would think that a single email to webmaster shouldn't trigger a
listing, unless it can be otherwise proved to be spam... But if it
does, then you are correct; the DNSBL operator should disclose that
policy and the DNSBL really shouldn't be used on production mail streams.


SgtChains

Shmuel (Seymour J.) Metz

Mar 9, 2009, 8:19:26 AM
In <5XWrl.11822$hc1....@flpi150.ffdc.sbc.com>, on 03/05/2009
at 07:49 PM, E-Mail Sent to this address will be added to the
BlackLists <Nu...@BlackList.Anitech-Systems.invalid> said:

>That "should" in RFC 1912 you quoted is "RFC 2119 language",

No, because it's in the wrong case. But the intent is still clear.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org


Shmuel (Seymour J.) Metz

Mar 9, 2009, 8:27:19 AM
In <20090306103...@narya.grin.hu>, on 03/06/2009

at 08:18 AM, grin <newsp...@grin.hu> said:

>If your intent is to receive only spam there, so you can block spammers,
>and only spammers, then you must not use it as a trap. Nonspammers may
>very possibly use it following RFCs intents,

How, if there's no web site?

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org


grin

Mar 10, 2009, 10:31:11 AM
On Mon, 9 Mar 2009 12:27:19 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> In <20090306103...@narya.grin.hu>, on 03/06/2009
> at 08:18 AM, grin <newsp...@grin.hu> said:
>
> >If your intent is to receive only spam there, so you can block spammers,
> >and only spammers, then you must not use it as a trap. Nonspammers may
> >very possibly use it following RFCs intents,
>
> How, if there's no web site?

SgtChains told us (some possible causes) 2 days ago, I trust you to check it again
in this thread.

But it's true that nobody should really block on only one piece of email, and if there's
a lot from the same source it's fairly acceptable to guess it's not friendly, and
kick it off the wire.

--
One of the hunters being hunted.

E-Mail Sent to this address will be added to the BlackLists

Mar 10, 2009, 3:40:12 PM
grin wrote:
> it's true that nobody should really block on only one
> piece of email, and if there's a lot from a same given
> source it's fairly acceptable to guess it's not friendly,
> and kick it off the wire.

I need no more than one spam to locally blacklist,
(and no needed / wanted / expected messages).

Why would I give e.g. snowshoe spammers more than one bite
at the apple?

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

grin

Mar 10, 2009, 4:21:31 PM
On Tue, 10 Mar 2009 19:40:12 GMT
E-Mail Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

> grin wrote:
> > it's true that nobody should really block on only one
> > piece of email, and if there's a lot from a same given
> > source it's fairly acceptable to guess it's not friendly,
> > and kick it off the wire.
>
> I need no more than one spam to locally blacklist,
> (and no needed / wanted / expected messages).

To be honest, as an individual it's completely irrelevant what you do.
You can block anyone and anything, and I won't even tell you it's
not fine. It is fine.

OTOH if "you" share your blocklist you should (but are not forced to)
take some responsibility for your actions exported to the world in
general. In that latter case your list should be well defined as a
blacklist for mail unwanted by your subjectum. :-)

> Why would I give e.g. snowshoe spammers more than one bite
> at the apple?

Your person should not.

Your exported blacklist would because it wants to block
spammers instead of spammers + innocent bystanders + lots of
other non-scum-categorised people around. Your approach would not give
another bite to the spammer, and also would let the other half of the
less advanced population starve. Which is another approach of a known
problem, but many consider it a bit harsh. :-)

My main problem is admins with good intentions and best-effort actions
to prevent being listed getting sh-t thrown at them by some people. If
people blacklist random servers for non-specific reasons it makes
admins' work much less pleasant. (And it's much easier not to give a
sh-t, really, believe me. Lots of people do that, and they only have
minor problems. Being rude to fellow admins generally makes the net a
worse place. I do know it's hard to please everyone, kicking spammers
while courting admins, but if someone doesn't feel like taking on the
whole problem and trying really hard to be fair, then s/he should keep
his/her blacklist to him/herself. We may lose responsible admins at a
high rate.)

I like automated, fast-list fast-forget type of systems, because they
are usually fair in the sense that they list you if you have an outbreak and
automagically delist you after you've fixed it.

And I passionately hate those who list easily while making delisting close to
impossible, who blackmail and try to get money for whatever shiny
reasons, because spammers do not care while admins get angry and
frustrated.

<g>


--
One of the hunters being hunted.

E-Mail Sent to this address will be added to the BlackLists

Mar 10, 2009, 11:19:48 PM
grin wrote:

> BlackList wrote:
>> grin wrote:
>>> it's true that nobody should really block on only one
>>> piece of email, and if there's a lot from a same given
>>> source it's fairly acceptable to guess it's not friendly,
>>> and kick it off the wire.
>>
>> I need no more than one spam to locally blacklist,
>> (and no needed / wanted / expected messages).
>
> To be honest, as an individual it's completely irrelevant
> what you do.
> You can block anyone and anything, and I won't even tell
> you it's not fine. It is fine.
>
> OTOH if "you" share your blocklist you should (but not
> forced to) take some responsibility for your actions
> exported to the world in general. In that latter case
> your list should be well defined as a blacklist for
> mail unwanted by your subjectum. :-)
>
>> Why would I give e.g. snowshoe spammers more than one
>> bite at the apple?
>
> Your person should not.

Spam me once shame on you, spam me twice, shame on me?


> Your exported blacklist would because it wants to block
> spammers instead of spammers + innocent bystanders + lots
> of other non-scum-categorised people around.

Why would I bother maintaining multiple?


So, what are your magic numbers for listing?
3/IP
3/IP/24hrs
>.0003%/messages/24hrs (@1M msg / day = 3 msg per IP)
{does it matter if that is 100 users @ 9.99k spam ea / day?}
Spam/Ham = seconds to list {1M spam/100 ham = 2.7 hrs?}
{perhaps long enough for spamware clients?
perhaps too long for shared ISP servers,
an end user is waiting for a message from?}
...

What about escalations / expansions?
3IP/(/24)
1%/CIDR
...

What about delisting?
1 hour per occurrence
{large ISP shared mail servers could stay listed practically forever?}

1 minute per message {a 1M spam run would take nearly 2 years to delist?}
{seems too short for a small qty & too long for a large qty}

Recidivism?
exponential delisting periods?
...


Does the SpamCop or UCEprotect meet all your needs?
{They both seem to do something along these lines.}


If you have a DNSbl and all the answers,
please let us know. (tinu)

If you don't have a DNSbl run that way,
why not, you seem to think it is the best solution?


> Your approach would not give another bite to the spammer,
> and also would let the other half of the less advanced
> population starve. Which is another approach of a known
> problem, but many consider it a bit harsh. :-)

For me, I'd rather go with something more like scorched earth.

If it gets my attention,
and I don't perceive it as a source of ham,
it can be listed forever for all I care;

Selective whitelisting as necessary;

Escalate as /24s, CIDRs, ASNs, ISPs, countries, continents, regions, ...
manage to keep getting my attention.


"The other half of the less advanced population starve"ing
isn't my problem to solve.

{I wish, preventing abuse of recipients by spammers,
was never my problem to solve either.}

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.
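The listing, escalation and delisting knobs sketched in the post above (3 hits per IP per 24 hours, a /24 once 3 of its IPs are listed, delist periods growing exponentially with recidivism) together with SgtChains's earlier point that a single trap hit should not be a listable event, as an added example simulator; this is not any list operator's code, and the thresholds, the 1 hour base period and the one-week cap are constructed for the demo.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed policy parameters taken from the sketch in the post; MAX_DELIST
# (an upper bound on the exponential growth) is an assumption of this example.
HITS_TO_LIST = 3              # trap hits from one IP ...
WINDOW = 24 * 3600            # ... within 24 hours; a single hit never lists
IPS_TO_ESCALATE = 3           # listed IPs in one /24 before the whole /24 is listed
BASE_DELIST = 3600            # 1 hour for a first listing
MAX_DELIST = 7 * 24 * 3600    # assumed cap on the delist period


class ListingPolicy:
    """Fast-list / fast-forget DNSBL policy: listings expire on their own."""

    def __init__(self):
        self.recent_hits = defaultdict(deque)   # ip -> hit timestamps inside WINDOW
        self.ip_expiry = {}                     # ip -> time the listing expires
        self.strikes = defaultdict(int)         # ip -> how often it has been listed
        self.net_expiry = {}                    # /24 network -> expiry

    def trap_hit(self, ip, now):
        """Record a spamtrap hit at unix time `now`; True if it caused a new listing."""
        q = self.recent_hits[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:      # forget hits outside the window
            q.popleft()
        if len(q) < HITS_TO_LIST or self.is_listed(ip, now):
            return False
        self.strikes[ip] += 1
        self.ip_expiry[ip] = now + self.delist_period(ip)
        q.clear()                               # a new listing needs fresh evidence
        self._maybe_escalate(ip, now)
        return True

    def delist_period(self, ip):
        """Recidivism: 1h, 2h, 4h, ... up to the cap."""
        return min(BASE_DELIST * 2 ** max(self.strikes[ip] - 1, 0), MAX_DELIST)

    def _maybe_escalate(self, ip, now):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        listed = [i for i, exp in self.ip_expiry.items()
                  if exp > now and ipaddress.ip_address(i) in net]
        if len(listed) >= IPS_TO_ESCALATE:
            self.net_expiry[net] = max(self.ip_expiry[i] for i in listed)

    def is_listed(self, ip, now):
        if self.ip_expiry.get(ip, 0) > now:
            return True
        addr = ipaddress.ip_address(ip)
        return any(exp > now and addr in net for net, exp in self.net_expiry.items())


if __name__ == "__main__":
    policy = ListingPolicy()
    for t in (0, 100, 200):                     # constructed burst from one IP
        print(t, policy.trap_hit("198.51.100.10", t))
    print(policy.is_listed("198.51.100.10", 3000), policy.is_listed("198.51.100.10", 3800))
```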

Shmuel (Seymour J.) Metz

Mar 11, 2009, 12:28:29 PM
In <20090310221...@narya.grin.hu>, on 03/10/2009

at 08:21 PM, grin <newsp...@grin.hu> said:

>And I passionately hate those who list easily while making delisting close to
>impossible,

Delisting should only be easy if the listing is in error.

>blackmail

An expedited delisting fee is not blackmail.

>while admins get angry and frustrated.

When the delisting fee is less than the damage that their negligence has
caused, they should be the target of the anger. The operators of the DNSBL
are the ones that have legitimate cause for anger.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org


Hal Murray

Mar 11, 2009, 12:25:27 PM

>> Why would I give e.g. snowshoe spammers more than one bite
>> at the apple?

>Your person should not.

>Your exported blacklist would because it wants to block
>spammers instead of spammers + innocent bystanders + lots of
>other non-scum-categorised people around. Your approach would not give
>another bite to the spammer, and also would let the other half of the
>less advanced population starve. Which is another approach of a known
>problem, but many consider it a bit harsh. :-)

How much ham comes out of clumps that look like snowshoers?

How much ham comes out of ISPs that have snowshoing customers?

--
These are my opinions, not necessarily my employer's. I hate spam.


AntiSpam

Mar 11, 2009, 5:41:21 PM
The scribbles of
Shmuel (Seymour J.) Metz <spam...@library.lspace.org.invalid> looked something like:

> In <20090306103...@narya.grin.hu>, on 03/06/2009
> at 08:18 AM, grin <newsp...@grin.hu> said:
>
>>If your intent is to receive only spam there, so you can block spammers,
>>and only spammers, then you must not use it as a trap. Nonspammers may
>>very possibly use it following RFCs intents,
>
> How, if there's no web site?

Do the RFCs state that you must have a web site in order to have a
webmaster's address?

There are a lot of completely ignorant but innocent people roaming the
internet... if they can't find an email address for your domain name they're
highly likely to take a stab at "webmaster", simply because it is so
commonly in-use. Worse are the ones who just have no clue and email the
Webmaster with stuff like "hey I tried to email John but he's not answering,
can you ask him if he got my mail?" and equally naive (and completely
legitimate) mail.

Using webmaster as a trap would be... unwise IMO.

--
Current Peeve: The mindset that the Internet is some sort of school for
novice sysadmins and that everyone -not- doing stupid dangerous things
should act like patient teachers with the ones who are. -- Bill Cole, NANAE


grin

Mar 12, 2009, 11:13:14 AM
On Wed, 11 Mar 2009 03:19:48 GMT
E-Mail Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

> >> Why would I give e.g. snowshoe spammers more than one
> >> bite at the apple?
> >
> > Your person should not.
>
> Spam me once shame on you, spam me twice, shame on me?

Again, is it you or your DNSBL/company? As an individual I very much
filter on the first occasion. As an ISP (or as an exported DNSBL) I do not.
But I guess we agree on that.


> > Your exported blacklist would because it wants to block
> > spammers instead of spammers + innocent bystanders + lots
> > of other non-scum-categorised people around.
>
> Why would I bother maintaining multiple?

As a person you wouldn't. As a DNSBL you do because nobody would use
your first block-all-the-internet-and-their-dogs-too list. ;-)

> So, what are your magic numbers for listing?

I like your constructive approach. Thank you for that.

If you really want to start a discussion about possible "best" limits,
we may go on, but I see your comments rather as just examples to show the
depth of the problem.

Basically your cited limits are okay, could be fine tuned, but maybe
they don't even have to be.

> What about delisting?
> 1 hour per occurrence
> {large ISP shared mail servers could stay listed practically forever?}
>
> 1 minute per message {a 1M spam run would take nearly 2 years to delist?}
> {seems too short for a small qty & too long for a large qty}

Well in my experience there are two kinds of reasons behind a spam run
from a mailserver.

1) configuration errors. these must be fixed before delisting, so
relisting should not occur.

2) a new kind of spam getting through the filters. (it happens to us
mortals.) this is tough, since it may or may not be possible to handle
the situation. normally what I do is to specifically toughen the
filtering shaped to that specific kind of spam, and hope for not much
variance in the near future; it usually stops the outbreak, so no
relisting. but nowadays the amount of new spam is so high that it may
happen that the site gets relisted for a completely different kind.

So it's really hard to come up with a good solution. In my case it is
rare to get listed again in a few hours, but sometimes it happens in the
next few days if coincidences happen. Established ISPs should have the
possibility to delist at least once per day (mail can wait up to 5 days
you see, even if I agree that it's almost unacceptably long to wait one
day), while random netizens should have somewhat more time between delistings,
hard to say.

> Recidivism?
> exponential delisting periods?
> ...

With a moderate exponent. :-) And some upper limit, or by escalating
it to The Human. But basically yes.

> Does the SpamCop or UCEprotect meet all your needs?
> {They both seem to do something along these lines.}

Yes, they mostly do.

> If you don't have a DNSbl run that way,
> why not, you seem to think it is the best solution?

I'm not yet ready to be a ddos target you see. ;-) [any more than I
am now]

I was thinking of starting one, but it requires more time than I have on my
shelf. :-(

> > Your approach would not give another bite to the spammer,
> > and also would let the other half of the less advanced
> > population starve. Which is another approach of a known
> > problem, but many consider it a bit harsh. :-)
>
> For me, I'd rather go with something more like scorched earth.

Theoretically me too, but practically it does not work.

> "The other half of the less advanced population starve"ing
> isn't my problem to solve.

Good for you. I want to visit your planet sometime. :-)

> {I wish, preventing abuse of recipients by spammers,
> was never my problem to solve either.}

*sigh* Tell me.

<g>

ps: sorry for disturbing the water here, people. :-)


--
One of the hunters being hunted.

grin

Mar 12, 2009, 11:33:50 AM
On Wed, 11 Mar 2009 16:28:29 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> >And I passionally hate those who list easy while make delisting close to
> >impossible,
>
> Delisting should only be easy if the listing is in error.

Depends on the purpose I guess. If the list's purpose is to list
spammers and hosts unwilling to prevent spam, then yes, I completely
agree with you, since it's an error to list hosts wanting to do
something about it, so listing a helpful admin's host _is_ in error.

If the "purpose" is to list hosts which relayed or originated spam
regardless of its intent, amount and repetitivity, then I disagree,
since the listing may be correct (they got spam) but unjust (the spam
was due to config error / uncaught by filtering / other problem, and
it's been fixed). In this case the delisting process should not be
impossible, like in some cases is.

But to note an important fact: nowadays I believe most blacklists are
really friendly to admins, make it easy to delist and easy to be
relisted again if the problem persists, contrary to delisting
promises. I agree with that method.

> >blackmail
>
> An expedited delisting fee is not blackmail.

I do not mean "do it NOW" demands. I mean sites like sorbs which asks
for money for _delisting_. Not express delisting, not "expedited",
whatever that means, but simply. I was not able to delist hosts
listed for _years_ without even mailservers today; sure, I couldn't care
less, but they are in my reports, and I do not like that. I remember
days when it was useful, now I suggest everyone to avoid it. (They do.)
And there are some BLs like that.

I do not like uceprotect too much but its system (since you suggested
the word "expedited" which I have never seen on their site :)) is fair
enough, lists if there's spam and delist if it ceases. Okay for me,
even if I do not excessively agree with their expanded timeout of one
week. (And find completely ridiculous their level2 and level3 listing
criteria, but I cannot probably come up with better I grant that.)

> >while admins get angry and frustrated.
>
> When the delisting fee is less than the damage that their negligence has
> caused, they should be the target of the anger. The operators of the DNSBL
> are the ones that have legitimate cause for anger.

You try to explain why you do not care, which by no means will change
the way the world is. Apart from the fact that you're one of the few
who never ever makes an error, you fail to see you target your anger
towards people who try to _lower_ the amount of spam by fixing the
problems they possibly may not have been causing.

And please stop kidding. DNSBL operators mustn't be angry (at least
officially) since they don't do it for getting more angry but to stop
filth on the net. They may not be the largest victims of the spam,
instead they are the heroes who have the ability to save _others_ from
this plague. But if you are getting angry for being a hero then just
stop being a hero. Close your BL, and be happy. But do not come to me
and say "you're angry because someone has spammed someone, and you
have to list them, and it's your responsibility to be angry for them",
because you knew this would be going on when you've started. Basically
you asked for it. :-)

Peace.

<g>

Claus v. Wolfhausen

Mar 12, 2009, 6:41:35 PM
In article <slrngrgdtn....@blargman.internal.isomedia.com>,
Anti...@blarg.net says...

>There are a lot of completely ignorant but innocent people roaming the
>internet... if they can't find an email address for your domain name they're
>highly likely to take a stab at "webmaster", simply because it is so
>commonly in-use. Worse are the ones who just have no clue and email the
>Webmaster with stuff like "hey I tried to email John but he's not answering,
>can you ask him if he got my mail?" and equally naive (and completely
>legitimate) mail.

Yes we know that kind of people too (very nasty)...

>Using webmaster as a trap would be... unwise IMO.

I DID NOT SETUP WEBMASTER AS A TRAP WILLFULLY.

It was a configuration error at my end in combination with really spammy
looking settings at Mr. Watts end that has caused said listing.

I have explained it within this thread what happened...

1. I did setup "*@blacklistalert.org" as a trapdomain without thinking about
lusers that might get the idea to send mail to this domain which was never
used for email.

Mea culpa. But all other things were really outside of my control.

2. Mr. Watts IP is running a DSL connection.
3. Mr. Watts HELO was not FQDN
4. Mr. Watt has what we define as lazy multi-homed DNS
5. DNS-Servers of Mr. Watts sender domain are well known to host spammers.

The combination of 2,3,4 and 5 did look suspect enough for the UCEPROTECT
Server to trigger a Level 1 listing...

Mr. Watts did contact us (the correct way) after that and his listing was
reviewed and immediately removed free of charge by one of my Team members.

So what?

Shit can happen, but that kind of shit luckily happens rarely...

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net


Steve Watt

Mar 13, 2009, 8:08:19 AM
In article <gp9l6i$kd0$1...@ulm.shuttle.de>, [ ... ]

>>Using webmaster as a trap would be... unwise IMO.
>
>I DID NOT SETUP WEBMASTER AS A TRAP WILLFULLY.

Thank you. You had not stated that clearly in the past. I'm glad
to hear that's the case.

>It was a configuration error at my end in combination with really spammy
>looking settings at Mr. Watts end that ahs caused said listing.
>
>I have explained it within this thread what happened...
>
>1. I did setup "*@blacklistalert.org" as a trapdomain without thinking about
>lusers that might get the idea to send mail to this domain which was never
>used for email.

I'll let pass the "lusers" comment. You provide a web service, there's
no instructions on that page about how to contact you. The RFCs name
a reasonable path that I tried to use. Since I care about email
connectivity, I will freely admit to reacting strongly to seeing a
blacklisting come about as a result.

>Mea culpa. But all other things were really outside of my control.

>2. Mr. Watts IP is running a DSL connection.

Along with a few hundred thousand other small businesses. At least
my ISP is quite well-behaved with regard to taking action against
spammers.

>3. Mr. Watts HELO was not FQDN

Hmm. ">>> EHLO wattres.watt.com". Seems FQDN to me.

>4. Mr. Watt has what we define as lazy multi-homed DNS

And what most of us define as normal, with no extraneous records.
Please show a domain that you do not control the DNS for that
has a configuration that a) has multi-homed hosts, and b) does
not meet your definition of "lazy multi-homed DNS".

I see no reason to add pointless RRs to my DNS zone to cope with
software that doesn't know how to handle multi-homed hosts.
I did indeed use the term "broken", though I believe I said something
to the effect of "somewhat broken". Would you prefer "buggy"?

It's quite well established that you need to check all of the A
records when you're doing the "does the reverse have a forward
that points at it?" check. I wrote code like that fifteen years
ago, back when doing firewalls with fwtk on unusual operating
systems. (Now I half-wonder what mjr is up to...)

>5. DNS-Servers of Mr. Watts sender domain are well known to host spammers.

The primary DNS server is the same machine. The secondary NSes are
indeed everydns.net, chosen pretty much at random because secondary.com
finally died. I will admit to not vetting everydns.net very carefully;
their service is functional. I may reconsider that decision, but
I'll take a look at their record first.

Remember that while it's often difficult to prevent spammers from
abusing services (see rule #1 - spammers lie), it's the actions
that a service takes after having the spammer pointed out to them
that speaks the loudest. That's what I'll have to look at for
everydns.net.

>Shit can happen, but those kind of shit luckily happens rare...

Indeed it does. And if you had been clear the first time
that it wasn't intentionally a spamtrap, I probably wouldn't
have posted here at all.

Regards,
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...

grin

Mar 13, 2009, 10:51:59 AM
On Thu, 12 Mar 2009 22:41:35 GMT
use-reply-...@remove-this.com (Claus v. Wolfhausen) wrote:

> >Using webmaster as a trap would be... unwise IMO.
>
> I DID NOT SETUP WEBMASTER AS A TRAP WILLFULLY.

Sorry to interrupt, I just wanted to mention that if it was a mistake,
why worry? You say (not scream) it was a mistake, you fixed it, no
problem, we can move on. Why do you have to _worry_ and get _angry_
over it? We _all_ make mistakes, right? :-)

Honestly I believe this thread isn't about your specific case, you have
neither to worry nor to defend yourself. (We still happen to have
a common goal, apart from regular nitpicking. Isn't that good?)


Larry M. Smith

Mar 13, 2009, 11:43:54 AM
Steve Watt wrote:
> In article <gp9l6i$kd0$1...@ulm.shuttle.de>,
> Claus v. Wolfhausen <c.v.wol...@spamkiller.uceprotect.net> wrote:
>> In article <slrngrgdtn....@blargman.internal.isomedia.com>,
>> Anti...@blarg.net says...
> [ ... ]
>>> Using webmaster as a trap would be... unwise IMO.
>> I DID NOT SETUP WEBMASTER AS A TRAP WILLFULLY.
>
> Thank you. You had not stated that clearly in the past. I'm glad
> to hear that's the case.
>
>> It was a configuration error at my end in combination with really spammy
>> looking settings at Mr. Watts end that ahs caused said listing.
>>
>> I have explained it within this thread what happened...
>>
>> 1. I did setup "*@blacklistalert.org" as a trapdomain without thinking about
>> lusers that might get the idea to send mail to this domain which was never
>> used for email.
>
> I'll let pass the "lusers" comment. You provide a web service, there's
> no instructions on that page about how to contact you. The RFCs name
> a reasonable path that I tried to use. Since I care about email
> connectivity, I will freely admit to reacting strongly to seeing a
> blacklisting come about as a result.
>

Given what appears to be the chain of events, I think your reaction was
warranted.

>> Mea culpa. But all other things were really outside of my control.
>
>> 2. Mr. Watts IP is running a DSL connection.
>
> Along with a few hundred thousand other small businesses. At least
> my ISP is quite well-behaved with regard to taking action against
> spammers.
>
>> 3. Mr. Watts HELO was not FQDN
>
> Hmm. ">>> EHLO wattres.watt.com". Seems FQDN to me.
>
>> 4. Mr. Watt has what we define as lazy multi-homed DNS
>
> And what most of us define as normal, with no extraneous records.
> Please show a domain that you do not control the DNS for that
> has a configuration that a) has multi-homed hosts, and b) does
> not meet your definition of "lazy multi-homed DNS".
>

I had to review the full thread to see what this "lazy multi-homed DNS"
business was all about... While I might have done it differently, the
way you have chosen to implement it doesn't appear to be invalid;

host.example.com => 192.0.2.12, 10.2.0.12
192.0.2.12 => host.example.com
10.2.0.12 => host.example.com

Me, I would have done something more like;

host.example.com => 192.0.2.12, 10.2.0.12
192.0.2.12 => eth0.host.example.com
10.2.0.12 => eth1.host.example.com
eth0.host.example.com => 192.0.2.12
eth1.host.example.com => 10.2.0.12

This is only because I am somewhat anal retentive. Example: I have also
rewired the cat5 in the house and have no less than four different
colors of wire for patch cables to denote function (red, yellow, blue,
and green) with the wire in the walls being gray to denote
infrastructure wiring. But this is the way I do it, and you might want
fewer colors, or even just one... It wouldn't be wrong. Heck, I
wouldn't even call it lazy.

> I see no reason to add pointless RRs to my DNS zone to cope with
> software that doesn't know how to handle multi-homed hosts.
> I did indeed use the term "broken", though I believe I said something
> to the effect of "somewhat broken". Would you prefer "buggy"?
>

Ah, so given my wiring example above, you are correct; Just because you
might not have green and yellow cable in your house, this doesn't mean
that you can't just look at the wire's label or the port-map to see what
it connects to.

> It's quite well established that you need to check all of the A
> records when you're doing the "does the reverse have a forward
> that points at it?" check. I wrote code like that fifteen years
> ago, back when doing firewalls with fwtk on unusual operating
> systems. (Now I half-wonder what mjr is up to...)
>

This is also a correct statement, and the programmer should fix his code
instead of calling others "lazy" for not doing what the program expects.

>> 5. DNS-Servers of Mr. Watts sender domain are well known to host spammers.
>
> The primary DNS server is the same machine. The secondary NSes are
> indeed everydns.net, chosen pretty much at random because secondary.com
> finally died. I will admit to not vetting everydns.net very carefully;
> their service is functional. I may reconsider that decision, but
> I'll take a look at their record first.
>
> Remember that while it's often difficult to prevent spammers from
> abusing services (see rule #1 - spammers lie), it's the actions
> that a service takes after having the spammer pointed out to them
> that speaks the loudest. That's what I'll have to look at for
> everydns.net.
>

Everydns also hosts lots of non-spammers... I've used them in the
past. Heck I'm sure I still have some domains there.


SgtChains
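The forward-confirmed reverse DNS check that Steve and Larry are arguing about, as an added example that is not part of the original thread and not UCEPROTECT's code. It runs offline against constructed zone data (assumed: host.example.com with the two addresses from Larry's layout, eth0/eth1 names for his preferred variant, and a made-up 198.51.100.9 whose PTR claims a name that does not point back to it). The first-A-record-only shortcut that Steve calls buggy is shown next to the full check, so you can see the second interface of a multi-homed host failing under the shortcut and passing under the correct version.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for multi-homed hosts.

Added example with constructed zone data; names and addresses are assumed,
not the real hosts from the thread. Lookups are dictionary-backed so the
code runs with no network access; swap in dns.resolver calls for real use.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed forward zone: one name with two A records (Larry's layout)
# plus per-interface names (his alternative), plus an unrelated host.
FORWARD: Dict[str, List[str]] = {
    "host.example.com": ["192.0.2.12", "10.2.0.12"],
    "eth0.host.example.com": ["192.0.2.12"],
    "eth1.host.example.com": ["10.2.0.12"],
    "other.example.net": ["198.51.100.9"],
}

# Constructed reverse zone. 198.51.100.9 has a forged PTR: it names a host
# whose A records do not include it, so it must fail either check.
REVERSE: Dict[str, List[str]] = {
    "192.0.2.12": ["host.example.com"],
    "10.2.0.12": ["host.example.com"],
    "198.51.100.9": ["host.example.com"],
}

PtrLookup = Callable[[str], List[str]]
ALookup = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> List[str]:
    """PTR lookup against the constructed reverse zone (empty list if none)."""
    return list(REVERSE.get(ip, []))


def lookup_a(name: str) -> List[str]:
    """A lookup against the constructed forward zone (empty list if none)."""
    return list(FORWARD.get(name, []))


def fcrdns_first_only(ip: str, ptr: PtrLookup = lookup_ptr,
                      a: ALookup = lookup_a) -> bool:
    """The shortcut under discussion: compare only the first A record of each
    PTR target. Any multi-homed host fails on all but one of its addresses."""
    for name in ptr(ip):
        addrs = a(name)
        if addrs and addrs[0] == ip:
            return True
    return False


def fcrdns(ip: str, ptr: PtrLookup = lookup_ptr,
           a: ALookup = lookup_a) -> bool:
    """Correct FCrDNS: the connecting address must appear among *all* A
    records of at least one name the PTR returns. Addresses are normalised
    through ipaddress so textual variants (leading zeros, IPv6 case) match."""
    want = ipaddress.ip_address(ip)
    for name in ptr(ip):
        for addr in a(name):
            try:
                if ipaddress.ip_address(addr) == want:
                    return True
            except ValueError:
                continue  # ignore a malformed record rather than crash
    return False


def check_all(ips: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Run both checks on each address: {ip: (first_only_result, full_result)}.
    A (False, True) entry is exactly the false positive Steve complains about."""
    return {ip: (fcrdns_first_only(ip), fcrdns(ip)) for ip in ips}


if __name__ == "__main__":
    for ip, (shortcut, full) in check_all(
            ["192.0.2.12", "10.2.0.12", "198.51.100.9", "203.0.113.5"]).items():
        print(f"{ip:14} first-A-only={shortcut!s:5} all-A={full}")
```

The (False, True) row for 10.2.0.12 is the whole disagreement in one line: the zone is valid, the reverse and forward agree, and only a checker that stops at the first A record calls it broken. Nothing here decides whether a host is a spam source; it only says whether its DNS is self-consistent, which is all FCrDNS can ever tell you.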

Shmuel (Seymour J.) Metz

Mar 16, 2009, 11:06:52 AM
In <20090312115...@narya.grin.hu>, on 03/12/2009

at 03:13 PM, grin <newsp...@grin.hu> said:

>As a person you wouldn't. As a DNSBL you do because nobody would use your
>first block-all-the-internet-and-their-dogs-too list. ;-)

Nice straw dummy there. He wasn't asking about a block everything list, he
was asking why he should maintain two lists instead of just making his
private list publicly available.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org


Shmuel (Seymour J.) Metz

Mar 16, 2009, 12:03:14 PM
In <slrngrgdtn....@blargman.internal.isomedia.com>, on 03/11/2009

at 09:41 PM, AntiSpam <Anti...@blarg.net> said:

>Do the RFCs state that you must have a web site in order to have a
>webmaster's address?

Do the RFC's state that you must have a webmaster address even if you
don't have a web site? That's the question that's relevant. Nobody claimed
that you couldn't have a webmaster address without a web site if you
*CHOOSE* to do so.


grin

Mar 16, 2009, 10:08:20 PM
On Mon, 16 Mar 2009 15:06:52 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> In <20090312115...@narya.grin.hu>, on 03/12/2009
> at 03:13 PM, grin <newsp...@grin.hu> said:
>
> >As a person you wouldn't. As a DNSBL you do because nobody would use your
> >first block-all-the-internet-and-their-dogs-too list. ;-)
>
> Nice straw dummy there. He wasn't asking about a block everything list, he
> was asking why he should maintain two lists instead of just making his
> private list publicly available.

Ah. I see.

Many people publish their list with the disclaimer that they
reserve the right to outright block anyone without any reason
whatsoever, and explicitly state that the list is for their
and their close kook friends' personal use. ;-) I have no
problem with blocking-all-the-net lists if this behaviour is
stated so.

<g>



Shmuel (Seymour J.) Metz

Mar 17, 2009, 9:47:21 AM
In <20090312113...@narya.grin.hu>, on 03/12/2009

at 03:33 PM, grin <newsp...@grin.hu> said:

>If the "purpose" is to list hosts which relayed or originated spam
>regardless of its intent, amount and repetitivity, then I disagree, since
>the listing may be correct (they got spam) but unjust (the spam was due
>to config error / uncaught by filtering / other problem, and it's been
>fixed).

I don't agree that it's, both because the negligent admin caused damage to
the net at large and because the DNSBL operator has no way of knowing that
the problem actually has been fixed.

>In this case the delisting process should not be
>impossible, like in some cases is.

I don't know of any widely used list for which delisting is impossible. I
don't agree that delisting must be either easy or rapid.

>I do not mean "do it NOW" demands. I mean sites like sorbs which asks
>for money for _delisting_.

I don't know of any case in which the money they ask is even close to the
damage that the negligent admin caused.

>You try to explain why you do not care, which by no means will change
>the way the world is. Apart from the fact that you're one of the few who
>never ever make an error

Attributing to me things that I never wrote does not bolster your case.
I've admitted to errors in the past, but just because *you* believe that I
made an error doesn't mean that I did.

>And please stop kidding. DNSBL operators mustn't be angry (at least
>officially) since they don't do it for getting more angry but to stop
>filth on the net.

It's not about contents. And it's just as unproductive and unprofessional
for an admin to get angry about being listed as it is for anybody else to
get angry about things he can't change, perhaps more so.

>But if you are getting angry for being a hero

Straw dummy. I don't know of any DNSBL operator who is angry about being a
hero; some are angry about being victims.

>But do not come to me and say "you're angry because someone have
>spammed someone, and you have to list them,

They don't come to you. If you choose to come to them then they are
entitled to tell you whatever they consider appropriate.


grin

Mar 18, 2009, 12:44:58 PM
On Tue, 17 Mar 2009 13:47:21 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> In <20090312113...@narya.grin.hu>, on 03/12/2009
> at 03:33 PM, grin <newsp...@grin.hu> said:
>
> >If the "purpose" is to list hosts which relayed or originated spam
> >regardless of its intent, amount and repetitivity, then I disagree, since
> >the listing may be correct (they got spam) but unjust (the spam was due
> >to config error / uncaught by filtering / other problem, and it's been
> >fixed).
>
> I don't agree that it's, both because the negligent admin caused damage to
> the net at large and because the DNSBL operator has no way of knowing that
> the problem actually has been fixed.

You answered different questions.

I agree that the "negligent" admin (which, as far as I understand the
meaning of the word may be unjust since it suggests intention not to
care) may cause damage to the net. We agree here.

Telling whether it's fixed or not is of course the most tricky question
of them all, since here you had to differentiate between cooperative
and malicious correspondents. I am no oracle, I cannot tell you the
universal solution, but common sense usually suggests that there are
more cooperative people asking for delisting than other, but DNSBL ops
can really tell. My opinion is that if someone states he intended
to have fixed the problem it may be usually so. It is possible that it
wasn't completely successful, it's possible that the fix wasn't proper,
but I'd believe the intent, within certain limits already mentioned in
the thread.

But none of these answers the original question that it may be a listing
which is not erroneous by definition (since it lists systems originated
spam without considering whether they did it by intention and more
importantly whether they intend to change that) but still unjust, since
you declare that the problem was not, and will not be fixed, therefore
you make delisting hard.

My point was that it is technically correct to list these but then you
ignore the possibility of their good intent and actions, and making it
extremely hard to delist may be unproductive.

> >In this case the delisting process should not be
> >impossible, like in some cases is.
>
> I don't know of any widely used list for which delisting is impossible. I
> don't agree that delisting must be either easy or rapid.

Maybe I should've used the word "infeasible". Last time I checked
SORBS satisfied this criterion.

I guess the root of our disagreement is the purpose of these lists. In
my view these list systems which would propagate unwanted email in
large proportions with very high probability, and by listing them we can
filter the unwanted mail.

I sense some people here believe that the purpose of these lists is to
punish, as you said, "negligent" admins or systems. The main difference
is that in this case the listing doesn't reflect that the system will
originate unwanted mail with high probability but that it has done so
in the far past and may originate a few one, with low probability. I
guess there are people who would like to subscribe such "behavioural"
lists, which lists people who made errors in the past, but I'd suspect
most of the end-users of DNSBLs want very much less: they want to have
a method to stop infected or spammy sites, those who do it now, not
those who have done in the far past and have low but larger than zero
probability to do so again.

If you follow my view then it is not good to have fixed systems listed.
If that's so it's not good to have very hard or very slow delisting
process.

And please do note that I already mentioned that I am not talking about
"immediate" and "unconstrained" delisting, or demands of that, but a
reasonable process which is already maintained by several (if not most)
DNSBL operators.

> >I do not mean "do it NOW" demands. I mean sites like sorbs which asks
> >for money for _delisting_.
>
> I don't know of any case in which the money they ask is even close to the
> damage that the negligent admin caused.

To them? Or do they distribute the money to the people who suffered
this said damage?

No. They earn money out of others damage. Some of us don't like it,
others may accept why it's so - I believe this point is futile to
debate.

> >You try to explain why you do not care, which by no means will change
> >the way the world is. Apart from the fact that you're one of the few who
> >never ever make an error
>
> Attributing to me things that I never wrote does not bolster your case.
> I've admitted to errors in the past, but just because *you* believe that I
> made an error doesn't mean that I did.

I don't fully understand the usage cases of "Straw dummy", but you
maybe would use it here. My point was that you ignore the fact that
helpful people may make errors, and deny the possibility that they fix
it. You intend to punish, not to prevent.

(My last sentence was about you acting like you wouldn't know that
people do make errors. It was not a direct quote you see.)

> >And please stop kidding. DNSBL operators mustn't be angry (at least
> >officially) since they don't do it for getting more angry but to stop
> >filth on the net.
>
> It's not about contents.

Pardon me? What is it about?

> And it's just as unproductive and unprofessional
> for an admin to get angry about being listed as it is for anybody else to
> get angry about things he can't change,perhaps more so.

It's a nice thing that we can agree on a point. Unproductive and
unprofessional for any of them.

> >But if you are getting angry for being a hero
>
> Strw dummy. I don't know of any DNSBL opertor who is angry about being a
> hero; some are angry about being victims.

I don't know about your dummy but let me quote you:


>>> The operators of the DNSBL are the ones that have legitimate cause for anger.

So you said you have the right to get angry because you're a DNSBL
operator ["hero"].

(And I mean "hero" in the positive sense, it may not be obvious due to
lack of metacommunications.)

> >But do not come to me and say "you're angry because someone have
> >spammed someone, and you have to list them,
>
> They don't come to you. If you choose to come to them then they are
> entitled to tell you whatever they consider appropriate.

In this present case you came to me and stated you're the one who has
the right to be angry. No offense.

What I say with my past experience in public services and online
communities is that people who enroll for community work and easily
get annoyed are not very well received, get sour and sometimes even
cause more harm at the end than their original work was healing. It is
a sad, but very human way of life. (And granted that it requires plenty
of wasted(?) energy not to get angry.)

You have the right to say anything ("entitled to say anything stupid"),
and I have the right to offer my opinion to the masses, including you.
And you have the right to disagree.

And you have the right to miss my point about all the anger thing. And
the right to be angry. :-)

<g>


Shmuel (Seymour J.) Metz

Mar 19, 2009, 10:57:47 AM
In <20090318140...@narya.grin.hu>, on 03/18/2009

at 04:44 PM, grin <newsp...@grin.hu> said:

>Telling whether it's fixed or not is of course the most tricky question
>of them all,

Arriving at a common understanding of what "fixed" means may be trickier.
Is it fixed if the admin is negligent and likely to make similar errors in
the future?

>but I'd believe the intent,

ObYoda

There is no intent, there are only results. The question is how long you
monitor before you decide that there really is a change.

>but still unjust,

In your opinion. Not in mine.

>since you declare that the problem was not, and will not be fixed,

Not even close to what I wrote.

>My point was that it is technically correct to list these but then you
>ignore the possibility of their good intent and actions,

I don't ignore it. I just want to see evidence prior to delisting.

>I guess the root of our disagreement is the purpose of these lists. In
>my view these list systems which would propagate unwanted email in large
>proportions with very high probability,

Defined how? That's vague both as to what you're measuring and as to what
your threshold is.

>I sense some people here believes that the purpose of these lists is to
>punish, as you said, "negligent" admins or systems.

There is no "these lists"; different lists have different purposes. As for
"punish", that's your word; I didn't use it.

>The main difference

Is that some lists are intended to indicate problems in real time, some
are intended to be early warning systems and some are intended to apply
pressure. If you consider an EWS to be overly aggressive, then don't use
it.

>is that in this case the listing doesn't reflect that the system will
>originate unwanted mail with high probability

I see no evidence of that claim, but since you haven't said what you
consider "high", it might be irrelevant even if true. Certainly negligent
operation of a server in the past is grounds for a lack of trust about
future behavior.

>If you follow my view

Your view suggests that you should not use an EWS to filter your mail. It
says nothing about those who do not share your view.

>reasonable process

There is no consensus as to what constitutes a reasonable process.

>To them?

To the net at large, but there are also costs associated with verifying
claims that a problem has been resolved.

>Or do they distribute the money to the people who suffered
>this said damage?

If you know of a viable way to do so I'm sure that there are a lot of
admins who would be willing to deploy it.

>No. They earn money out of others damage.

No. It's not the victims who are paying them.

>I believe this point is futile to debate.

Then don't debate it.

>My point was that you ignore the fact that
>helpful people may make errors,

Your "point" is in error.

>and deny the possibility that they fix it.

Also wrong.

>You intend to punish, not to prevent.

And wrong yet again.

>(My last sentence was about you acting like you wouldn't know that
>people do make errors. It was not a direct quote you see.)

Perhaps you would understand my position better if you actually read what
I wrote instead of pretending to be a telepath.

>Pardon me? What is it about?

Consent.

>I don't know about your dummy but let me quote you:

If you actually read what you quoted you would note that the word "hero"
does not appear in it.

>So you said you have the right to get angry because you're a DNSBL
>operator ["hero"].

ROTF,LMAO! Not even close.

>In this present case you came to me

I don't run a DNSBL. Further, you came to me and to every other reader of
this news group by posting an article here.

>and stated you're the one who have the rights to be angry.

Only if by "you" you mean the net at large; I was specifically referring
to the DNSBL operator.



Matthias Watermann

Mar 20, 2009, 7:59:19 AM
On Wed, 18 Mar 2009 16:44:58 +0000, grin wrote:

> [...]


> You intend to punish, not to prevent.

Well, those two are not mutually exclusive, now, are they? And while using
a DNSBL that lists IP ranges (networks, ASNs etc.) could be interpreted as
"punishment" I personally feel just fine in doing so. Although I'd rather
call it educating not punishing. Anyway, those who support SPAMmers
(whether intentionally or not is besides the point) should indeed be
punished. And since the politicians around the globe are unwilling to do
anything serious against SPAM the only way to bring down the SPAMmer's
business model is to reject any mail from hosts and nets that either
support or tolerate SPAMming.

--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST M$ ATTACHMENTS
/ \

grin

Mar 20, 2009, 10:28:02 AM
On Thu, 19 Mar 2009 14:57:47 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> In <20090318140...@narya.grin.hu>, on 03/18/2009
> at 04:44 PM, grin <newsp...@grin.hu> said:
>
> >Telling whether it's fixed or not is of course the most tricky question
> >of them all,
>
> Arriving at a common understanding of what "fixed" means may be trickier.

I do not agree. Fixed means preventing originating of extreme amounts
of unwanted email. (Extreme: a lot. Not a few.)

> Is it fixed if the admin is negligent and likely to make similar errors in
> the future?

Since I do not agree with your wording here (negligent and likely):
yes, it is fixed if the admin fixed the error and do not intend to make
that same error again. I ain't no future teller to say how likely
anyone is to make another error with similar results, and I'd say no
operator possesses this ability.

> >but I'd believe the intent,
>
> ObYoda
>
> There is no intent, there are only results.

Yes there are, since you yourself categorise people as "spammer" and
"negligent", and I suppose you have categories for "careful"
and "completely trusted" admins, too. That is intent.

(Yes, you did not use either word. If I mistook your internal world,
have mercy and explain.)

> The question is how long you
> monitor before you decide that there really is a change.

Depends on the way of monitoring. Some BLs simply delist immediately
and relist just as fast. That's one kind of monitoring: no monitoring
before delisting. There are other ways. You know many of them, I won't
go into it.

> >but still unjust,
>
> In your opinion. Not in mine.

But of course. Can I have my opinion please? Thanks.

> >since you declare that the problem was not, and will not be fixed,
>
> Not even close to what I wrote.

You just wrote, still quoted above, that you require monitoring until
you consider it fixed (so you declare it is not fixed) and most of your
debate implies that "negligent" admins (that's about anyone) will not
fix anything, so they have to be kept listed. That's what you wrote and
what it implies. (Please try to avoid denying my wording unless there's
a problem with their meaning too.)

> >My point was that it is technically correct to list these but then you
> >ignore the possibility of their good intent and actions,
>
> I don't ignore it. I just want to see evidence prior to delisting.

Apart from having their "promise" that they fixed it, what evidence do you
have in mind? Apart from the spam stream ceasing, which looks like
pretty good evidence to me.

> >I guess the root of our disagreement is the purpose of these lists. In
> >my view these list systems which would propagate unwanted email in large
> >proportions with very high probability,
>
> Defined how? That's vague both as to what you're measuring and as to what
> your threshold is.

It is quite hard to make statistics out of false negatives: I cannot
really tell you how much spam our systems let through compared to the
amount of what they reject. I'm sure a few percent will get through
anyway at peaks, less on normal days. Maybe much less.

Large proportions are hundreds from a node per hour, or magnitudes
larger. It's the "you know it when you see it" kind of stuff.

(Since you seem to be mathematically inclined: yes, you are right that
I did not exactly define it, but others did it just recently, as a
possible example.)

> Is that some lists are intended to indicate problems in real time, some
> are intended to be early warning systems and some are intended to apply
> pressure.

This is most probably the most valuable part of your reply. Yes, this
is true, and I am not aware of a good summary for "beginner" admins
of which lists are part of which category. People are using lists at
random, from spam scoring to outright rejection, regardless of the
intentions of the given DNSBL.

I reply to you because I interpret your writing that your statements
cover all three kinds you defined above, while in my opinion what
you say should be true only for the last one.

> If you consider an EWS to be overly aggressive, then don't use
> it.

You ought to see that it's not that the victim admin uses it but
someone else, who blocks valid mail based on improper usage of a list
(or an improper list).

> >is that in this case the listing doesn't reflect that the system will
> >originate unwanted mail with high probability
>
> I see no evidence of that claim, but since you haven't said what you
> consider "high", it might be irrelevant even if true. Certainly negligent
> operation of a server in the past is grounds for a lack of trust about
> future behavior.

If the list is for "applying pressure", as you said. Not fit for lists
for "real-time problems" and "early warning".

> >If you follow my view
>
> Your view suggests that you should not use an EWS to filter your mail. It
> says nothing about those who do not share your view.

That's not even close to what I wrote.

> >reasonable process
>
> There is no consensus as top what constitutes a reasonable process.

On the other hand it's pretty easy for me to tell unreasonably hard
processes from the others.

> >To them?
>
> To the net at large,

I take this as a "no".

> but there are also costs associated with verifying
> claims that a problem has been resolved.

Sure. And I have costs for my keyboard replacement, so should I ask
money from you because you made me press them more?

Yes, everything costs money, operating a service even more. Any
service, DNSBL or not.

> >Or do they distribute the money to the people who suffered
> >this said damage?
>
> If you know of a viable way to do so I'm sure that there are a lot of
> admins who would be willing to deploy it.

There is none, and most probably never will be. This is one reason not
to act like they get money for anything else than providing their
service. Which is fine, I have nothing against MAPS, and they don't ask
money because "you have caused suffering to the net at large".

> >No. They earn money out of others damage.
>
> No. It's not the victims who are paying them.

No. It's the victims who would be forced to pay.

You remember? Spam is created by spammers, not by admins, negligent or
not. It is not the spammers who are paying them, by far. All others are
victims of different kinds.

> >My point was that you ignore the fact that
> >helpful people may make errors,
> Your "point" is in error.
> >and deny the possibility that they fix it.
> Also wrong.
> >You intend to punish, not to prevent.
> And wrong yet again.

It was based on what you have written.

(Note: "punish" is the same as "apply pressure".)

> >Pardon me? What is it about?
>
> Consent.

That seems to be beyond my English. Have they agreed to be angry? Is it
common sense that they must be angry?

> ROTF,LMAO! Not even close.

Not even close? Then why do you post here? Looks close enough to me. Or
maybe you mean you're a spammer or troll? If so, sorry for bothering. :-)

> >In this present case you came to me
>
> I don't run a DNSBL. Further, you came to me and to every other reader of
> this news group by posting an article here.

This was a rather expected reply, so most probably you expect my answer
that this happens to be a public group, and I came to you just the same
as you came to me. With your reply you "came to me and to every other
reader of this group", etc.

And you may have noticed that I did not come to _you_, and I sincerely
hope you are not the center of this group either. :-)

> >and stated you're the one who have the rights to be angry.
>
> Only if by "you" you mean the net at large; I was specifically referring
> to the DNSBL operator.

I was specifically referring to your theoretical DNSBL operator, or you,
whatever role you possess.


By the way the subject just isn't appropriate anymore, since it's not
about uceprotect, which uses automagical delisting.

<g>


> <http://patriot.net/~shmuel>

PS: Mmh, I try to avoid checking on people to prevent prejudice but I
tend to remember your safe REXX article. Interesting.

--
One of the hunters being hunted.

Shmuel (Seymour J.) Metz
Mar 20, 2009, 1:37:48 PM
In <20090320010...@narya.grin.hu>, on 03/20/2009
at 02:28 PM, grin <newsp...@grin.hu> said:

>I do not agree.

That doesn't change the fact that we have *NOT* arrived at a common
understanding of what fixed means.

>Fixed means preventing originating of extreme amounts
>of unwanted email.

Blocking a negligent network fixes the problem for the admin doing the
blocking. Promising him that the problem has been fixed does not.

>(Extreme: a lot. Not a few.)

Replacing one ambiguous term by another does nothing to achieve a common
understanding. We obviously don't agree on what constitutes a few or on
what constitutes a lot.

>Since I do not agree with your wording here (negligent and likely):

If my server gets spam, that's a sign of negligence. If a spamtrap gets
spam, that's a sign of negligence. As for "likely", it doesn't matter
whether you agree with the wording unless and until we arrive at a common
understanding of what "likely" means.

>yes, it is fixed if the admin fixed the error

Which error? Google for whack-a-mole. It isn't fixed until the underlying
cause is fixed.

>I ain't no future teller to say how likely make
>anyone another error with similar results,

Neither is the operator of the DNSBL, which is why he needs to be
sceptical.

>Yes there are, since you yourself categorise people as "spammer" and
>"negligent",

Negligent doesn't imply intent; the spam costs the same whether it is due
to incompetence or malice.

>(Yes, you did not use either word. If I mistook your internal world,
>have mercy and explain.)

I meant what I said and I said what I meant
A sysprog is faithful, 100%
(Horton Hears an IPL, Dr. Seuss)

My internal world is that unless the operator of an EWS has ESP, he is
stuck with a statistical approach. One of the predictors of future
negligence is past negligence. The aging rates and weights that are
appropriate depend on the judgement of the operator and on his data.

Now, I may not always trust the judgement of a DNSBL operator, but that
doesn't make it wrong for someone else to trust him.

>Can I have my opinion please?

Whatever listing criteria match the claims of the operator are just. It's
just for an admin to use whatever DNSBL that reduces his costs and the
costs of his users, including FP and FN costs. It's unjust for the
operator to misrepresent his criteria, and it's unjust to appropriate
someone else's resource in order to reduce your spam load.

It's also just to shift costs back to those that impose them, but that's
not relevant to an EWS.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

grin
Mar 20, 2009, 5:54:12 PM
On Fri, 20 Mar 2009 11:59:19 GMT
Matthias Watermann <li...@mwat.de> wrote:

> On Wed, 18 Mar 2009 16:44:58 +0000, grin wrote:
> > [...]
> > You intend to punish, not to prevent.
>
> Well, those two are not mutually exclusive, now, are they?

They are not. (They do not necessarily come together either.)

> And while using
> a DNSBL that lists IP ranges (networks, ASNs etc.) could be interpreted as
> "punishment" I personally feel just fine in doing so. Although I'd rather
> call it educating not punishing.

Education expects the pupils to learn, and stops teaching the same
lesson repeatedly once it has already been learned. Punishment does not
have this stupid limitation. :-)

> anything serious against SPAM the only way to bring down the SPAMmer's
> business model is to reject any mail from hosts and nets that either
> support or tolerate SPAMming.

By all means.

The problem is with the hosts and nets which neither support nor
tolerate spam, but get on the list. No, I correct myself, the problem
is when they _stay_ on the list. After the lesson has been learned, and
the problem fixed. But here is no disagreement between us I guess.

<g>
--
One of the hunters being hunted.

grin
Mar 20, 2009, 6:53:17 PM
On Fri, 20 Mar 2009 17:37:48 GMT

"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:
> In <20090320010...@narya.grin.hu>, on 03/20/2009
> at 02:28 PM, grin <newsp...@grin.hu> said:
>
> >I do not agree.
>
> That doesn't changed the fact that we have *NOT* arrived at a common
> understanding of what fixed means.

It actually defines that fact. Is there any point in continuing this
debate? I see you have your view about what's fixed, I have mine, they
are dissimilar and do not seem to converge.

> Blocking a negligent network fixes the problem for the admin doing the
> blocking. Promising him that the problem has been fixed does not.

You state things easily proven false. Is it intentional?

Maybe you just like to make universal statements. You could've been
writing "fixing the problem *may not* fix the problem for the admin".
But to state it *does not* looks clearly an overshoot to me.

> >Since I do not agree with your wording here (negligent and likely):
>
> If my server gets spam, that's a sign of negligence. If a spamtrap gets
> spam, that's a sign of negligence. As for "likely", it doesn't matter
> whether you agree with the wording unless and until we arrive at a common
> understand of what "likely" means.

Since English is not my mother tongue, if someone uses a one-word
answer, or uses sentences which contain words without useful context, I
have to fall back to my dictionary:

Usage: {Negligence}, {Neglect}. These two words are freely
interchanged in our older writers; but a distinction
has gradually sprung up between them. As now generally
used, negligence is the habit, and neglect the act, of
leaving things undone or unattended to. We are
negligent as a general trait of character; we are
guilty of neglect in particular cases, or in reference
to individuals who had a right to our attentions.
[1913 Webster]

negligence
n 1: failure to act with the prudence that a reasonable person
would exercise under the same circumstances [syn: {carelessness},
{neglect}, {nonperformance}]

Both sources show me that "negligence" implies continuous, possibly
intentional lack of care. Based on this your use of the word is in
error, since you cannot possibly prove that receiving a spam implies
that the source
a) has not done what is reasonable to expect from him under the
circumstances, and
b) has done it out of intention or continuous characteristic
carelessness.

All you can say is that you, well, got a spam. Most of the time you are
not even able to say why you received it. You are often in no
position to prove that it was due to continuous and possibly intentional
lack of care, or lack of attention.

Of course I'm aware that many people are using windows systems, which
is negligence in its finest; many use software which is unfit for the
purpose, and this is rather lack of education or information; many use
computers without the required knowledge, and that's possibly negligence.

It does not mean, however, that those who use a secure OS, fit software,
configure it with intent to make it right, filtering to make it even
more right, and the spammers still get through until the system is
patched up to the new kind of malware, should ever be called negligent,
because they do what could be expected from them, or possibly even
more.

You fail to make this distinction, or at least your _postings_ do.

(And I am not sure whether you write with the knowledge that spammers
try to get through filtering continuously. If you get a spam it may
very well mean that the given spammer scored a point, and it's the
antispam side's turn. But maybe you have the solution for the 100%
spam free world, in which case I beg you to start implementing it now.)

> >yes, it is fixed if the admin fixed the error
>
> Which error? Google for whack-a-mole. It isn't fixed until the underlying
> cause is fixed.

Okay, an example. End user installs malware, starts to relay spam
through the ISP which contains only Ukrainian text and nothing else. The
headers look like a normal MUA. Gets 1.3 spam points, gets relayed.
Lots of those, limited by ratelimits and other goodies. User gets kicked
by sending limits. Still, some got out.

Admin sees that, adjusts filters to the specifics of the spam, so they
are filtered. (User gets warned, virus-scanned, etc; we all know it's
of no use.) Spam stops flowing (until now at least).

I call this "admin fixed the problem" (not error, since there was none,
like I wouldn't call ``error'' if our virus filter let 0day worms
through), spam stopped flowing. I expect the server to be unlisted.

Fixing the underlying problem means stopping spammers from [paying for]
making malware, stopping end users from using insecure systems, stopping
spammers from actually sending spam. I believe you cannot expect the admin
to have done that.

> >I ain't no future teller to say how likely make
> >anyone another error with similar results,
>
> Neither is the operator of the DNSBL, which is why he needs to be
> sceptical.

That is your opinion, which may or may not coincide with anyone else's,
and definitely not mine.

> >Yes there are, since you yourself categorise people as "spammer" and
> >"negligent",
>
> Negligent doesn't imply intent;

See dictionary quotes above.

> the spam costs the same whether it is due to incompetence or malice.

Report that to the spammers. I could come up with several RealLife
examples where the law does not punish those whose property was
illegally used by third parties to make damage. What you say is true,
but not related.

<g>


--
One of the hunters being hunted.

E-Mail Sent to this address will be added to the BlackLists
Mar 20, 2009, 9:59:59 PM
grin wrote:
> Okay, an example. End user install malware, starts to
> relay spam through ISP which contains only ukrainian
> text and nothing else. The headers look like a normal MUA.
> Gets 1.3 spam points, gets relayed. Lots of those,
> limited by ratelimits and other goodies. User gets kickd
> by sending limits. Still, some got out.
>
> Admin see that, adjust filters to the specifics of the spam,
> so they are filtered. (User gets warned, virusscanned,
> etc, we all know it's of no use.) Spam stops flowing
> (until now at least).
>
> I call this "admin fixed the problem" (not error, since
> there was none, like I wouldn't call ``error'' if our
> virus filter let 0day worms through), spam stopped flowing.
> I expect the server to be unlisted.

To the outsider,
when resources under control of "the admin",
are a repeated source of abuse,
there is little difference between a new cause,
old causes not resolved, or intentional support of the abusers.

Despite "the admin's" intentions, recidivism is a good enough
reason to not delist (at least not rapidly or easily).

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

E-Mail Sent to this address will be added to the BlackLists
Mar 20, 2009, 9:59:12 PM
grin wrote:
> "Shmuel (Seymour J.) Metz" wrote:

>> grin said:
> Fixed means preventing originating of extreme amounts of
> unwanted email. (Extreme: a lot. Not a few.)

After an IP demonstrates it is a source of abuse,
who is willing to continue to accept that abuse,
so it can be measured against "extreme amount"
and keep accepting the abuse, to tell if / when
the abuse returns from "extreme amount" to "a few".

To me it seems much easier to list on abuse,
null-route / block / reject listed,
delist on criteria (perhaps time * abuse qty),
and relist on further abuse, rinse, lather, repeat.

Some would likely throw in expand / escalate listing,
based on qty abusive IP per /24 or per CIDR, ...


Another problem with "a few" abuse per x? is OK,
is that spammers created snowshoes to prevent
detection of large scale abuse;
As long as "a little abuse is acceptable",
spammers will continue to use the snowshoe tactic.


{Personally, once abused, no need to ever delist,
if you don't need / want / expect messages
from the previously detected source of abuse.
(Where source ~= domains, IP, CIDR, ASN, ISP,
country continent and or region.)}

...
> (negligent and likely)
...


> I ain't no future teller to say how likely make anyone
> another error with similar results, and I'd say no
> operator possess this ability.

History appears to be a great rule to measure against.

Is it more likely, you will experience future abuse,
from IPs / CIDRs / ASNs / ISPs / domains / ...
that you have experienced abuse from in the past,
than from those places you have never experienced abuse from?


> People are using lists at random, from spam scoring to
> outrigh rejection, regardless of the intentions of the
> given DNSBL.

...


> You ought to see that it's not that the victim admin uses
> it but someone else, who blocks valid mail based on
> improper usage of a list (or an improper list).

Plenty of evidence of that, like people using a DNSbl
that intentionally lists all IPv4 addresses, e.g.
2.0.0.127.nofalsenegative.stopspam.samspade.org
2.0.0.127.blocked.secnap.net
2.0.0.127.all.dnsbl.bit.nl
2.0.0.127.ipv4.fahq2.com

That some admin uses a DNSbl without researching,
and testing (perhaps scoring with a extremely small score)
and end up blocking messages their endusers really
needed / wanted / expected, is no one's fault except
the negligent admin themselves.


> I have nothing against MAPS,

"MAPS RBL"?

MAPS got borged by Trend Micro a few years ago.

I'm not certain they were as useful,
after the 2000 / 2001 lawsuits.

{There has been a lot of churn in DNSbls since the late 90's.}

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Matthias Watermann
Mar 22, 2009, 12:01:43 PM
On Fri, 20 Mar 2009 21:54:12 +0000, grin wrote:

> On Fri, 20 Mar 2009 11:59:19 GMT
> Matthias Watermann <li...@mwat.de> wrote:
>
>> On Wed, 18 Mar 2009 16:44:58 +0000, grin wrote:
>>
>> > [...]
>> > You intend to punish, not to prevent.
>>
>> Well, those two are not mutually exclusive, now, are they?
>
> They are not. (They are not necessarily come together either.)
>
>> And while using
>> a DNSBL that lists IP ranges (networks, ASNs etc.) could be interpreted
>> as "punishment" I personally feel just fine in doing so. Although I'd
>> rather call it educating not punishing.
>
> Education expects the pupils to learn, and stop educating the same
> lesson repeatedly if it's been already learned. Punishment does not have
> this stupid limitation. :-)

Exactly! Once a host (i.e. its administrator) learns that SPAMming is not
a good thing to do and in consequence stops it, there's no need for
further education (at least as far as this point is concerned). And since
the UCEPROTECT IP listings eventually expire the respective host is
automatically delisted and all's well :-)

>> [...]


>> the only way to bring down the SPAMmer's business model is to reject
>> any mail from hosts and nets that either support or tolerate SPAMming.
>
> By all means.
>
> The problem is with the hosts and nets which neither support nor
> tolerate spam, but get on the list.

I'd like to know how that could possibly happen. If a host does not send
SPAM there's no chance for it to get listed anywhere. And since the
UCEPROTECT levels two and three (which list ranges, ASNs) are
automatically generated based solely on IP-numbers that actually _did_
send SPAM there's no chance for an ASN to get listed if its IP range is
free of SPAMmers.

> No, I correct myself, the problem is when they _stay_ on the list. After
> the lesson has been learned, and the problem fixed. But here is no
> disagreement between us I guess.

Right. And again I don't see how that could happen. UCEPROTECT Level one
entries automatically expire after seven days (I believe). Each such
expiring entry will cause the level two and three lists to get
re-computed. Which means that in due course any range/ASN listing will
expire as well - assuming, of course, the SPAMming actually _did_ stop.

--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST M$ ATTACHMENTS
/ \
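The listing policy sketched in the two posts above (list on abuse, block what is listed, let entries lapse after a quiet period, relist on further abuse, and escalate to the enclosing /24 once several of its addresses are listed, much as the UCEPROTECT level-2 list is described as being recomputed from expiring level-1 entries) can be written down as a small simulation. This is an added example, not code from the thread or from UCEPROTECT; the seven-day quiet period is taken from Matthias's "I believe" above, while the escalation threshold of three listed addresses per /24, the helper names and the timeline of abuse reports are constructed assumptions.

```python
"""Toy DNSBL listing policy: list on abuse, block what is listed, let entries
lapse after a quiet period, relist on further abuse, and escalate to the /24
once several of its addresses are listed.

Added example, not UCEPROTECT's code. QUIET_PERIOD follows the seven-day
figure quoted in the thread; ESCALATE_PER_24 and the timeline are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

QUIET_PERIOD = timedelta(days=7)   # assumption: level-1 entry expires 7 days after last abuse
ESCALATE_PER_24 = 3                # assumption: /24 gets listed once 3 of its hosts are listed


@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    hits: int = 1


class Blocklist:
    def __init__(self) -> None:
        self.level1: Dict[str, Entry] = {}

    def report_abuse(self, ip: str, when: datetime) -> None:
        """Record one abuse event; a lapsed entry is replaced by a fresh listing."""
        ipaddress.IPv4Address(ip)  # validate early
        entry = self.level1.get(ip)
        if entry is None or when - entry.last_seen > QUIET_PERIOD:
            self.level1[ip] = Entry(first_seen=when, last_seen=when)
        else:
            entry.last_seen = when
            entry.hits += 1

    def expire(self, now: datetime) -> List[str]:
        """Drop entries that have been quiet for longer than QUIET_PERIOD."""
        gone = [ip for ip, e in self.level1.items() if now - e.last_seen > QUIET_PERIOD]
        for ip in gone:
            del self.level1[ip]
        return gone

    def is_listed_level1(self, ip: str, now: datetime) -> bool:
        entry = self.level1.get(ip)
        return entry is not None and now - entry.last_seen <= QUIET_PERIOD

    def level2_networks(self, now: datetime) -> Set[str]:
        """Recompute escalated /24 listings from the currently live level-1 entries."""
        counts = {}
        for ip, entry in self.level1.items():
            if now - entry.last_seen <= QUIET_PERIOD:
                net = ipaddress.ip_network(f"{ip}/24", strict=False)
                counts[net] = counts.get(net, 0) + 1
        return {str(net) for net, n in counts.items() if n >= ESCALATE_PER_24}

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """What a receiving MTA consulting both levels would decide."""
        if self.is_listed_level1(ip, now):
            return True
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        return net in self.level2_networks(now)


def run_demo() -> dict:
    """Constructed timeline using RFC 5737 documentation addresses."""
    bl = Blocklist()
    t0 = datetime(2009, 3, 1)
    hour, day = timedelta(hours=1), timedelta(days=1)
    out = {}
    # three infected hosts in one /24 within a few hours, plus one elsewhere
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        bl.report_abuse(ip, t0 + i * hour)
    bl.report_abuse("198.51.100.7", t0)
    out["level2_day0"] = sorted(bl.level2_networks(t0 + 3 * hour))
    out["neighbour_blocked_day0"] = bl.is_blocked("192.0.2.50", t0 + 3 * hour)  # collateral
    bl.report_abuse("198.51.100.7", t0 + 5 * day)          # recidivist keeps going
    out["expired_day8"] = sorted(bl.expire(t0 + 8 * day))  # the quiet /24 lapses
    out["neighbour_blocked_day8"] = bl.is_blocked("192.0.2.50", t0 + 8 * day)
    bl.report_abuse("192.0.2.10", t0 + 9 * day)            # relisted after the lapse
    out["relisted_hits"] = bl.level1["192.0.2.10"].hits
    out["relisted_blocked"] = bl.is_blocked("192.0.2.10", t0 + 9 * day)
    bl.report_abuse("198.51.100.7", t0 + 10 * day)
    out["recidivist_hits"] = bl.level1["198.51.100.7"].hits
    out["recidivist_listed_day12"] = bl.is_listed_level1("198.51.100.7", t0 + 12 * day)
    out["recidivist_listed_day18"] = bl.is_listed_level1("198.51.100.7", t0 + 18 * day)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:26s} {value}")
```

Two things the run makes visible that the prose only asserts: the never-reported 192.0.2.50 is rejected while its /24 is escalated and accepted again once the three level-1 entries lapse, and a host that keeps producing abuse inside the quiet period (198.51.100.7) never expires even though each individual burst is small, which is the "recidivism" case from the BlackLists post.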

grin
Mar 24, 2009, 11:47:20 AM
On Sat, 21 Mar 2009 01:59:59 GMT
E-Mail Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

> > I call this "admin fixed the problem" (not error, since
> > there was none, like I wouldn't call ``error'' if our
> > virus filter let 0day worms through), spam stopped flowing.
> > I expect the server to be unlisted.
>
> To the outsider,
> when resources under control of "the admin",
> are a repeated sources of abuse,

I would definitely differentiate, or use a sliding window/expiration
method to keep "repeated" within reasonable limits.

> there is little difference between a new cause,
> old causes not resolved, or intentional support of the abusers.

I completely agree with you.

I'd say unresolved issues can be differentiated from resolved ones by
observing the abuse to cease for a defined (not too short) period of
time. New causes shouldn't happen too often, I can agree with that
too.

But if it seems to be fixed (for a longer while anyway) I accept this
as a positive intent, and act accordingly. (Like I know some providers
around fighting with stupid users, they get spammy once in a few months
from time to time, but they fix it fast, so I trust their intents and do
not block 'em. But "I" have plenty of users, so I cannot block anyone at
will either.)

<g>
--
One of the hunters being hunted.

grin
Mar 24, 2009, 12:25:13 PM
On Sun, 22 Mar 2009 16:01:43 GMT
Matthias Watermann <li...@mwat.de> wrote:

> On Fri, 20 Mar 2009 21:54:12 +0000, grin wrote:
>
> > On Fri, 20 Mar 2009 11:59:19 GMT
> > Matthias Watermann <li...@mwat.de> wrote:
> >
> >> On Wed, 18 Mar 2009 16:44:58 +0000, grin wrote:
> >> [...]

> >> the only way to bring down the SPAMmer's business model is to reject
> >> any mail from hosts and nets that either support or tolerate SPAMming.
> >
> > By all means.
> >
> > The problem is with the hosts and nets which neither support nor
> > tolerate spam, but get on the list.
>
> I'd like to know how that could possibly happen. If a host does not send
> SPAM there's no chance for it to get listed anywhere. And since the
> UCEPROTECT levels two and three (which list ranges, ASNs) are
> automatically generated based solely on IP-numbers that actually _did_
> send SPAM there's no chance for an ASN to get listed if its IP range is
> free of SPAMmers.

What I said was "neither support nor tolerate", and not "did not ever
send". I do not support or tolerate, but spam occasionally gets through
my filters, so I may "send" them.

Another problematic use of words is "spammer" above because our net
only had one spammer in 10+ years. And his contract was terminated
after he was disconnected for almost half a year almost continuously. :-)

Spam sources are not spammers but windows(r)(tm) users without a clue.

> > No, I correct myself, the problem is when they _stay_ on the list. After
> > the lesson has been learned, and the problem fixed. But here is no
> > disagreement between us I guess.
>
> Right. And again I don't see how that could happen. UCEPROTECT Level one
> entries automatically expire after seven days (I believe). Each such
> expiring entry will cause the level two and three lists to get
> re-computed. Which means that in due course any range/ASN listing will
> expire as well - assuming, of course, the SPAMming actually _did_ stop.

Yes, and since I created a system to automagically handle most of abuse
complaints plus made some magic with the almost useless CBL and
UCEprotect level-1 rsyncable listing (neither contains timestamps so
analysis based on manual statistics plus lots of luck), our ASN listing
on UCEprot went down seriously. :-) Which is a good thing. Unfortunately
it causes much larger pressure on the user support end to handle the
large amount of disconnected users, but that's the way it is.

<g>
--
One of the hunters being hunted.

grin
Mar 24, 2009, 4:17:19 PM
On Sat, 21 Mar 2009 01:59:12 GMT
E-Mail Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

> grin wrote:
> > Fixed means preventing originating of extreme amounts of
> > unwanted email. (Extreme: a lot. Not a few.)

> After a IP demonstrates it is a source of abuse,
> who is willing to continue to accept that abuse,
> so it can be measured against "extreme amount"

Well, no blocklist will stop spam, since DNSBL usage is a bit below
100%. :-) Of course if your spamtraps block on your own DNSBL you won't
get measurements, but why should they? Bandwidth of email is still pretty
cheap.

> To me it seems much easier to list on abuse,
> null-route / block / reject listed,
> delist on criteria (perhaps time * abuse qty),
> and relist on further abuse, rinse, lather repeat.

And acceptable too.

> Another problem with "a few" abuse per x? is OK,
> is that spammers created snowshoes to prevent
> detection of large scale abuse;
> As long as a" little abuse is acceptable",
> spammers will continue to use the snowshoe tactic.

Yup, that's another point I guess BL operators got familiar with. I'd
say a constant low amount of spam, especially if it's visibly not
filtered, may be a suspicious sign. However it's not easy to measure
and categorise that kind of data flow; I guess if I had to make a filter
I'd check stable low-traffic spam sources with different heuristics.
(To come up with one would probably require analysing some of such
flows.)

> {Personally, once abused, no need to ever delist,

That works for personal needs, but fails miserably once ISPs start
using the list. For personal use the collateral damage is pretty low
while for an ISP with thousands, or hundreds of thousands, of users it may
cause quite a problem.

> ...
> > (negligent and likely)
> ...
> > I ain't no future teller to say how likely make anyone
> > another error with similar results, and I'd say no
> > operator possess this ability.
>
> History appears to be a great rule to measure against.
>
> Is it more likely, you will experience future abuse,
> from IPs / CIDRs / ASNs / ISPs / domains / ...
> that you have experienced abuse from in the past,
> than from those places you have never experienced abuse from?

To answer literally: the latter. I get most abuse from newly registered
domains, new Asian and American networks.

But you didn't mean that. To the real question my answer is that I
expect spam from anywhere where there are non-professional end-users
with crappy systems, regardless of history. There is a minimal number of
networks where no abuse ever originates, since we got abuse from the US
gov't to the local ones from anywhere, ISPs, companies, universities,
you name it. Half of the places have decent admins who aren't wizards
and cannot enchant people not to infect their machines, but ready to
kick'em off the net if they seem to be infected. I do not think their
past history gives anything about their future behaviour.

Of course it's nice to have networks completely firewalled off and only
tcp80 open for the public, and surely nobody would really get
either spam or attacks from there, but that's just not the way the
world is.

> That some admin uses a DNSbl without researching,

Just think of DSBL.ORG, many people use it for outright rejection or to
check incoming connections. It's gone for half a year now. Now these
admins enjoy 30-90 sec DNS timeouts, and have funny problems, some of
these wasting my time.

> > I have nothing against MAPS,
>
> "MAPS RBL"?

Yeah, the one and only. ;-)

> MAPS got borged by Trend Micro a few years ago.
>
> I'm not certain they were as useful,
> after the 2000 / 2001 law suites.

Not really. Still, root of most of stuff we still use.

> {There has been a lot of churn in DSNbls since the late 90's.}

Do you feel old? ;-) Sometimes I do, when looking at the list of 100+
DNSBLs and wonder why do we _need_ such amounts. But then, we probably
do, it's just weird.

And naturally we get DoS and DDoS around, and all related stuff, not
that spam wouldn't be quite enough. I wonder how the internet would feel
without abuse. I mean, hey, I'd be jobless. :-]

<g>

--
One of the hunters being hunted.
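The two failure modes raised in this post and in the BlackLists post it replies to, a zone that answers for every IPv4 address (the 2.0.0.127.* examples above) and a zone that has gone away and leaves every querying MTA waiting out DNS timeouts (the DSBL.ORG case), can both be caught before a list goes into production by checking the RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be. The checker below is an added example, not code from the thread or from any list operator; the zone names under .example, the FAKE_ZONES table and the constructed listed address 192.0.2.99 exist only so it runs offline, and socket_resolver is the optional live variant.

```python
"""Pre-deployment sanity check for a DNSBL zone using the RFC 5782 test points.

Added example, not code from the thread. Zones under .example and the
FAKE_ZONES table are constructed so the check runs offline.
"""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]   # name -> A records ([] means NXDOMAIN)


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: reversed IPv4 octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(zone: str, resolve: Resolver) -> str:
    """Classify a zone as 'ok', 'dead', 'lists-everything' or 'unreachable'.

    RFC 5782: 127.0.0.2 MUST be listed and 127.0.0.1 MUST NOT be listed,
    so a zone failing either test is unsafe to use for outright rejection.
    """
    try:
        must_list = resolve(dnsbl_name("127.0.0.2", zone))
        must_not_list = resolve(dnsbl_name("127.0.0.1", zone))
    except TimeoutError:
        return "unreachable"          # every query would sit through resolver timeouts
    if not must_list:
        return "dead"                  # no answer even for the must-be-listed test point
    if must_not_list:
        return "lists-everything"      # the must-not-be-listed test point comes back listed
    return "ok"


def safe_lookup(ip: str, zone: str, resolve: Resolver) -> Optional[bool]:
    """Look up ip in zone, but only if the zone passes its self-test.

    Returns True/False for listed/not listed, or None when the zone must not
    be trusted (dead, unreachable or listing everything).
    """
    if check_dnsbl(zone, resolve) != "ok":
        return None
    return bool(resolve(dnsbl_name(ip, zone)))


def socket_resolver(name: str) -> List[str]:
    """Live resolver via the system stub resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        # EAI_AGAIN is what a non-responding resolver surfaces as after its own timeout
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            raise TimeoutError(name) from exc
        return []


# Constructed zones modelling the cases from the thread (hypothetical names).
FAKE_ZONES: Dict[str, object] = {
    "good.example": {"2.0.0.127": ["127.0.0.2"], "99.2.0.192": ["127.0.0.2"]},
    "dead.example": {},              # answers nothing, like a list that has gone away
    "all.example": "everything",     # answers for every name, like the 2.0.0.127.all.* zones
    "slow.example": "timeout",       # never answers
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for socket_resolver driven by FAKE_ZONES."""
    for zone, table in FAKE_ZONES.items():
        if name.endswith("." + zone):
            label = name[: -(len(zone) + 1)]
            if table == "timeout":
                raise TimeoutError(name)
            if table == "everything":
                return ["127.0.0.2"]
            return table.get(label, []) if isinstance(table, dict) else []
    return []


def run_checks(resolve: Resolver = fake_resolver) -> Dict[str, str]:
    """Verdict for every constructed zone."""
    return {zone: check_dnsbl(zone, resolve) for zone in FAKE_ZONES}


if __name__ == "__main__":
    for zone, verdict in run_checks().items():
        print(f"{zone:14s} {verdict}")
    print("192.0.2.99 in good.example:", safe_lookup("192.0.2.99", "good.example", fake_resolver))
    print("192.0.2.99 in all.example: ", safe_lookup("192.0.2.99", "all.example", fake_resolver))
```

Running the self-test on a schedule rather than only at deployment time is what turns this into a defence against the DSBL.ORG situation: a zone that flips from "ok" to "dead" or "unreachable" should be dropped from the rejection stage (or demoted to a tiny score) automatically, instead of being discovered through delayed mail and complaints.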

E-Mail Sent to this address will be added to the BlackLists
Mar 24, 2009, 7:26:51 PM
grin wrote:
> Spam sources are not spammers but windows(r)(tm) users without a clue.

For unintentional sources of abuse, by far.
However, unsecured services are sometimes to blame,
(sometimes due to poor policy decisions),
and occasionally non-windows trojaned equipment.

In addition the endlusers don't have to be using windows,
to be socially engineered by a 419er to give up their
webmail password (seems college professors / staff
are a popular target).

The outsider doesn't necessarily know, and likely doesn't
care why a source of abuse is a source of abuse, just that
those responsible for it prevent it.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

grin
Mar 25, 2009, 4:03:17 PM
On Tue, 24 Mar 2009 23:26:51 GMT
E-Mail Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

> grin wrote:
> > Spam sources are not spammers but windows(r)(tm) users without a clue.
>
> For unintentional sources of abuse, by far.

Yes, and still we should possess a terminology to fit the different
sources, since they have to be handled differently. (They ought to...)

"Lusers" and "spammers" seem to differentiate. Just an example.

> However, unsecured services are sometimes to blame,
> (sometimes due to poor policy decisions),
> and occasionally non-windows trojaned equipment.

Yes, but I guess its amount is below my scale of precision. :)

> In addition the endlusers don't have to be using windows,
> to be socially engineered by a 419er to give up their
> webmail password (seems college professors / staff
> are a popular target).

Interesting. I much more often see lusers using extremely stupid
passwords, which don't even require any force, brute or otherwise.

<g>
--
One of the hunters being hunted.
