[CLUE-Talk] Oh No! Not Again! (spam spam spam spam ...)

Charles Oriez coriez at oriez.org
Wed Apr 16 11:59:17 MDT 2003


At 08:38 AM 4/16/2003 -0600, Charles Oriez wrote:

>At 07:59 AM 4/16/2003 -0600, you wrote:
>
>>So, Maureen from IBM one of the "thieving scum who are trying to steal a
>>communications medium and make it worthless..."
>>
>>Huh.  <dumbfounded>
>
>
>if she's spamming, yes

I'd like to apologize for this response.  I made it hurriedly on my way out 
the door to an appointment.  I started a sub thread which is a distraction, 
and I'd like to retract it and focus on the main core of the debate.  While 
most spammers are in fact convicted criminals, criminals currently under 
indictment, or criminals who just haven't gotten caught yet (about 95% of 
my spam over the last month by my count, including people hijacking 
servers), painting with too broad a brush and too little thought is 
inappropriate.

Notice where David and I didn't disagree though.  He didn't disagree with 
the proposal to report spammers to their ISPs.  We don't even disagree on 
the principle of just hitting delete, although we probably disagree on 
where and how to delete.  I include a quote below from 
news.admin.net-abuse.email which I think is appropriate.  By using blocking 
lists on the servers, the different people and ISPs reporting spam are 
deleting faster and cheaper.  We also notify the ISP the spam is coming 
from that we are not accepting their traffic, which gives them the 
opportunity to terminate the spammers and get their traffic 
unblocked.  Checking logs at rmc.sierraclub.org, I notice that I once 
deleted 2430 pieces of spam targeting about 200 mailboxes in a one half 
hour period (same source, with each spam attempting to convince the 
recipient to help the sender smuggle embezzled money out of Nigeria - the 
famous 419 scam).  Each of those deletions sent a connection refused 
message back to the connecting server.  A competent sysadmin can then fix 
his problem (in that case an open relay exploit from the looks of it).  Far 
better than each of those users hitting delete multiple times and not 
advising the sending system of the problem.  Also, because the refused 
connections were based on spamcop, we didn't even have to file reports, 
because a couple of hundred people had already done so.  And as long as the 
reports kept coming in, the server remained blocked.  By my own logs, 
spammer attempts to touch my server only succeed in delivering their junk 
to my mail box about 1 time in 30, because almost every server used to 
deliver spam has already been listed as an open relay or proxy, known to be 
coming from a spam friendly ISP, or otherwise has confirmed spam sign (such 
as unicode spam: ^Subject: \=\?big5\?.* or ^Subject: \=\?gb2312\?.*)

But the key principles are these: spam should be reported before being 
deleted.  ISPs who don't terminate spammers when they get complaints should 
be blocked until the spammers are terminated or the ISP goes out of business.

In my opinion, global block lists are better than a million local block 
lists, because it is easier for an ISP who decides to mend his ways to get 
off the global lists.  A study I did one month found that any given piece 
of spam I blocked came from a server on about 14 global lists.  However, as 
Michael Rathbun said long ago, "I think it likely that when the successor 
to IPV6 is just about to be deployed throughout the Solar System there will 
still be null routes and deny table entries for 205.199.212.0/24 in an 
uncountable number of places."





charles oriez          coriez at oriez.org
39  34' 34.4"N / 105 00' 06.3"W
**
"You want us to hit delete.  A blocking list is basically a diesel delete
key.  A blocking list is the bulk delete response to unwanted bulk email.
When we use a blocking list, we are hitting delete, as you ask us to
do.  Why do you object?"  -- David Canzi
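
The two server-side checks described in the message above (refusing clients found on a blocking list, and refusing mail whose Subject is encoded in big5 or gb2312), as an added Python example that is not part of the original post or the author's configuration. It goes beyond the two quoted patterns by matching the charset case-insensitively and anywhere in a folded Subject; the function names, the `dnsbl.example` zone, the 554 reply code and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Charsets targeted by the two Subject patterns quoted in the post.
BLOCKED_CHARSETS = {"big5", "gb2312"}
# RFC 2047 encoded-word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")

def dnsbl_query_name(ip, zone):
    """Build a DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def subject_charsets(raw_message):
    """Return the lower-cased charsets of every encoded-word in Subject."""
    subject = message_from_string(raw_message).get("Subject", "")
    # An optional "*language" suffix may follow the charset; drop it.
    return {m.group(1).split("*")[0].lower()
            for m in ENCODED_WORD.finditer(subject)}

def smtp_decision(client_ip, raw_message, zones, is_listed):
    """Return (reply_code, reason) for one delivery attempt.

    is_listed(name) -> bool stands in for the DNS A-record lookup (an answer
    means the client is listed); it is injected so the example runs offline.
    """
    hits = [z for z in zones if is_listed(dnsbl_query_name(client_ip, z))]
    if hits:
        return 554, "client listed on " + ", ".join(hits)
    bad = subject_charsets(raw_message) & BLOCKED_CHARSETS
    if bad:
        return 554, "subject charset " + ", ".join(sorted(bad))
    return 250, "accepted"

# Constructed sample: upper-case charset, not at the start of the Subject,
# and folded onto a second line. The anchored patterns would miss it.
SAMPLE = ("From: sender@example.org\n"
          "Subject: Re: offer\n =?BIG5?B?pEGmbg==?=\n"
          "\nbody\n")
LISTED = {"10.2.0.192.dnsbl.example"}  # constructed blocking-list contents

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, smtp_decision(ip, SAMPLE, ["dnsbl.example"], LISTED.__contains__))
```
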



