Man gets nine years for spamming

Discussion in 'Computer Security' started by Jim Watt, Apr 9, 2005.

  1. First understand that if you get on this list (it does not go by domains, it
    goes by IP address) it was because you spammed someone. 99% of the time it
    is from a poor IT staff and bad IT policies... (i.e. malware, not blocking
    desktop access out via port 25, forwarding enabled on the email gateway, etc.)

    To alleviate this, whitelist your company's partners...that's it...
    Again, you simply whitelist your company's partners. Also, it is untrue to
    say it does not leave an audit trail because:

    1) When you configure your DNSBL you also configure the bounce message. When
    someone's email gets blocked, you send back why and how to fix it. Here is my
    home server's config snippet:

        FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org',
                `"550 Mail from " $&{client_addr} " rejected. You are blocked see: http://spamhaus.org" $&{client_addr}',
                `t')dnl

    ....as you can see above, I send a bounce message of "You are blocked see
    http://spamhaus.org&<your IP address>"

    2) In the logs I can review EVERY bounced email address. It is trivial... In
    fact I have a script that summarises this and emails it to me every day.


    ....it is cake guys...
    Michael
     
    Michael Pelletier, Apr 13, 2005
    #41
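
The post above describes reviewing the mail log for every bounced sender and a script that summarises the rejections daily. The following Python script is an added example written for this page; it is not Michael's script or anything from sendmail. It counts check_relay (DNSBL) rejections per connecting IP and renders the summary that such a daily mail would carry. The log lines are constructed to approximate sendmail's rejection records using RFC 5737 documentation addresses, and REJECT_RE is tuned to that constructed layout, so it is an assumption that should be checked against a real maillog before use.

```python
"""Summarise DNSBL (check_relay) rejections per relay IP from a sendmail log.

Added example for this thread, not the poster's script. The log lines below
are constructed to approximate sendmail's rejection records; field order on a
real system may differ, so verify REJECT_RE against your own maillog first.
"""
import re
import sys
from collections import Counter

# Constructed sample maillog excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Apr 13 08:01:12 mx sendmail[4101]: j3DF1C04101: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 rejected. You are blocked see: http://spamhaus.org 192.0.2.10
Apr 13 08:03:40 mx sendmail[4107]: j3DF3e04107: from=<alice@example.com>, size=1024, class=0, nrcpts=1, relay=mail.example.com [198.51.100.5]
Apr 13 08:05:02 mx sendmail[4112]: j3DF5204112: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 rejected. You are blocked see: http://spamhaus.org 192.0.2.10
Apr 13 09:17:55 mx sendmail[4230]: j3DGHt04230: ruleset=check_relay, arg1=[203.0.113.77], arg2=203.0.113.77, relay=[203.0.113.77], reject=550 5.7.1 Mail from 203.0.113.77 rejected. You are blocked see: http://spamhaus.org 203.0.113.77
Apr 13 09:20:11 mx sendmail[4233]: j3DGKB04233: ruleset=check_rcpt, arg1=<nobody@example.org>, relay=[203.0.113.77], reject=550 5.7.1 <nobody@example.org>... Relaying denied
"""

# One rejection record: timestamp, queue id, ruleset, relay IP, SMTP code, reason.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssendmail\[\d+\]:\s(?P<qid>\w+):\s"
    r"ruleset=(?P<ruleset>\w+),.*?relay=[^,]*?\[(?P<ip>[\d.]+)\],\s"
    r"reject=(?P<code>\d{3})\s(?P<reason>.*)$"
)


def parse_rejects(log_text):
    """Return one dict per rejection record found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(log_text, ruleset="check_relay"):
    """Count rejections per relay IP; ruleset=None counts every ruleset."""
    counts = Counter()
    for rec in parse_rejects(log_text):
        if ruleset is None or rec["ruleset"] == ruleset:
            counts[rec["ip"]] += 1
    return counts


def format_report(counts, top=20):
    """Render the counts as the text of a daily summary mail."""
    lines = [f"{'rejections':>10}  relay IP"]
    for ip, n in counts.most_common(top):
        lines.append(f"{n:>10}  {ip}")
    lines.append(f"{sum(counts.values()):>10}  total")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python dnsbl_report.py /var/log/maillog  (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(text)))
```

The report is keyed on the connecting IP rather than the envelope sender because DNSBL decisions are made on the IP, and a single zombie host usually shows up as many rejections from one address; the check_rcpt line in the sample is there to show that the ruleset filter keeps relaying-denied rejections out of the DNSBL count unless you ask for everything.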

  2. I do not block any IP addresses/IP address blocks. I just do not like the
    idea of blocking potentially legitimate email. Honestly, the techniques I
    have been using, I do not have to.

    There is also a DNSBL that specializes in servers that send out
    viruses...Again, though, PEOPLE MUST report SPAM. The more people that do
    the more effective it is.

    Michael
     
    Michael Pelletier, Apr 13, 2005
    #42

  3. Leythos Guest

    This is not always realistic - many of my clients with their own email
    servers have their client base centered around the public - meaning that
    some are utility companies, some are medical centers, some are staffing
    firms..... Wait till you have to create rules that allow inbound resumes
    from all forms of users, or have to let email from every ISP inbound....
    It's not possible to white-list every possible client.
     
    Leythos, Apr 13, 2005
    #43
  4. Read the other posting. When you bounce a message you send back the reason
    and the place to go to fix it. Believe me, if people want to do business they
    will fix it...

    Michael
     
    Michael Pelletier, Apr 13, 2005
    #44
  5. Jim Watt Guest

    Not really, because it does not stop them sending, it's just
    covering up the symptoms of the illness.

    We use the legal process to discourage criminality and this
    is just a modern crime that needs traditional thinking;

    Yes you fit your house with locks and where appropriate
    bars on the windows to keep people out, but you also rely
    on the state prosecuting and locking up thieves.
     
    Jim Watt, Apr 13, 2005
    #45
  6. Jim Watt Guest

    That's my experience too, had some trouble recently sending to AOL
    because they started doing a reverse check on the IP and my local
    ISP had not set up its DNS correctly.

    Took two weeks to resolve.
     
    Jim Watt, Apr 13, 2005
    #46
  7. winged Guest

    Michael Pelletier wrote:

    Yup, some of the folks we deal with have little or no direct IT dept
    dedicated support. While this problem is being worked, we still have to
    do business. With IE having a number of known holes that cause
    zombies, as well as ignorant users who don't have safe hex, it is
    problematic to resolve. Even when a zombie gets identified and
    corrected quickly, it can spew a lot of spam in a short period of time,
    causing it to get blacklisted.

    But we have to be able to communicate with them, tis the nature of my
    world. Additionally I have to be able to communicate worldwide with a
    wide variety of entities. In some cases the need for communication
    overshadows the Spam issue. I don't have the luxury to whitelist
    everyone who may have the requirement to communicate, so I must find
    other methods. Our methods seem to work fairly well with less than .01%
    of volume able to get through protections. When we were working with
    blacklisting, some time ago, there were a number of incidents where
    legitimate sites were being blacklisted by spammers spoofing the
    blacklists.

    While shooting spammers is probably a bit extreme, perhaps drafting them
    to patrol Baghdad with no escort and 1 bullet is more appropriate; not
    sure if we should provide the revolver.

    Winged
     
    winged, Apr 14, 2005
    #47
  8. Yes, I find these "IT" people frustrating to say the least. We have a joke
    about these "shops" where we have to think what is worse, the SPAMMERs, the
    virus writers or the fools that allow them to do their "work"...
    Was this a while ago? Most Blacklists have personnel that review each
    complaint so as NOT to allow this sort of thing to happen. Do you remember
    which DNSBL it was? I have never had that problem...
    Sweet idea....I really like it...
    Michael
     
    Michael Pelletier, Apr 14, 2005
    #48
  9. Leythos Guest

    I've read about compromised RBLs that would return a rejection code for
    ALL queries. We got hit by that once, used about 7 RBLs, found that one
    of them was causing us to reject everything...

    Now I limit it to two commercial companies and seem to reject only bad
    emails.
     
    Leythos, Apr 14, 2005
    #49
  10. Moe Trin Guest

    Spend some time reading the news.admin.net-abuse.blocklisting newsgroup.
    It's a fairly common problem. Some people want to send mail directly from
    a generic address like 69-173-133-233.agstme.adelphia.net, and don't want
    to pay for a real domain with proper rDNS. Before we put the Draconian
    rules on the firewall and mail servers, nearly 90 percent of the spam we
    were getting was from hosts with no rDNS, or compromised home systems
    with an address like above.
    Hope you took a horse-whip to 'em. RIR rules are supposed to require that
    every host connected to the Internet be resolvable in both directions.
    Generating zone files for the DNS should not be a time-consuming effort,
    and maintaining them should be transparent. For years, ISC Bind has come
    with a dumb script to take the raw data normally seen in a hosts file
    and make the appropriate zonefiles automagically. The other DNS servers
    like djbdns or Posadis may use a slightly different format for their zone
    files, but that's just simple one-time tweaks to the script.

    For that matter, see alt.humor.best-of-usenet, and look for an article that
    was posted Wednesday with the subject "[news.admin.net-abuse.email] Re: Need
    help with 144.137.117.33".

    Old guy
     
    Moe Trin, Apr 14, 2005
    #50
  11. winged Guest

    That was well worth the effort, THAT was the best laugh I have had all
    day! Some good ideas too. Though I am trying to think of what the 2nd item
    is in "And today Jeopardy's Daily Double is: "Name two events with the
    probability lower than a snowstorm in hell".

    Thanks for that.

    Winged
     
    winged, Apr 15, 2005
    #51
  12. Not at all. They send SPAM because they CAN! Their emails get delivered, and
    they get paid. If you stop them from being able to accomplish their task,
    there will no longer be money in it. Remember, SPAMMERS are all about money
    and nothing else. Remove their source of income (who is going to pay
    spammers when spammers can no longer spam millions of people) and it becomes
    a dead resource to use for advertising.
    Won't work. I wish it could, but it will not. Remember you are dealing with
    the Internet. The only way you can implement a law is to do it with every
    country on the planet. Traditional thinking must be updated to the present.
    For traditional crimes, sure. The Internet does not fit into the
    "traditional" model. It is a global entity, requiring global
    (international) laws...

    The thing I do not get, and I must be honest here, is people cry about this
    but, yet, do nothing. If people are angry about it why do they do nothing?
    It reminds me of a conversation about politics. There is always one guy in
    the crowd who whines about, say, the president, or Congress, or whatever. You
    ask him who he voted for and he says "no one". Right there I lose respect.
    You can not complain about something if you do not get off your butt and do
    something about it. Now, I do not mean you personally, I am talking in
    general.

    To anyone who reads this: If SPAM is making you crazy, DO SOMETHING ABOUT
    IT! Report it. Report it to the ISP. Report it to a DNSBL (even if you do
    not use one). Get off your ass and do something about it or shut the hell
    up and stop your damn whining....

    Michael
     
    Michael Pelletier, Apr 15, 2005
    #52
  13. Jim Watt Guest

    On Thu, 14 Apr 2005 20:39:28 -0700, Michael Pelletier

    There are plenty of other transnational networks: shipping,
    traditional telecom, airlines etc. Electronic crime and nuisances
    are just adaptations of well tried and tested concepts, like the
    419, which was originally conceived as 'The Spanish prisoner'.

    In terms of reporting, feel free to tell me about anyone spamming
    from Gibraltar and it will stop. These days our ISPs have a strong
    no-spam policy. In the past the telephone operator would disconnect
    people sending unsolicited faxes - this was made illegal in some
    European countries.

    The problem with the current email is that the basic system
    is technically flawed. Simply hiding the problem with filtering is not
    the final solution.
     
    Jim Watt, Apr 15, 2005
    #53
  14. Not sure exactly what you mean, can you give me an example?
    Sure. I also am very strict about it at work or on my home network.
    However, you and I may take it seriously, but it is the "potato head" IT
    shops that screw things up...

    Again, the problem with "policing" the Internet is that there are no
    international laws that govern it. I live in the US. Now, if I were a
    SPAMMER knowing that the US laws are starting to take it seriously, I would
    just move to, say, Brazil. Now what are you gonna do? I start a business up
    in Brazil, make sure to pay off the authorities and guess what? What are
    you going to do?

    Here are the problems with SPAM (in general):
    1) No international laws that govern (or define) SPAM
    2) The "Internet" is not hierarchical with respect to addressing, thus
    making spoofing quite easy.
    3) Most ISPs are more concerned about revenue than security.
    4) Windows. Yes, that is right, I said it. Windows. Windows makes it hard for
    users to log in WITHOUT local administrator privs. This is the core of the
    Windows problem. Since most users log in with local administrator privs, they
    click on something and guess what? That malicious app they clicked on is
    also a local administrator. Bang! The app is installed and the email bot is
    running. MS should figure out a way to prevent this problem. All too often
    this is the first step....
    5) Cheesy companies thinking they can get cheap IT help without any
    penalties. Here is a good example. A lot of the SPAM I nuke is from "potato
    head" IT shops that:
    1) Do not block outgoing port 25 (except for their email gateways)
    2) Allow their users to be a local administrator (this blame is equally
    with Microsoft and some applications that are not written correctly)
    3) Do not run an application level firewall (to filter out ActiveX, Java
    and the downloading of applications)
    4) Do not patch their systems in a timely way
    5) Do not actively and periodically scan their systems looking for security
    holes and validate that the patch actually installed correctly.
    6) ...and finally my favorite: take the time to report SPAM.


    Yes, you are correct. The current email system does not validate natively,
    but it does log who it is receiving email from. That is why people use, for
    example, DNSBLs. You can think of a DNSBL as a validation subsystem. If the
    IP address is not listed then it is allowed to send mail to you. It is
    simplistic but very effective if you know what you're doing.

    Now here is the big problem with redesigning the email (more specifically
    the SMTP protocol):

    Let's be honest. We are in the age where companies want to own everything.
    For example, Microsoft just got busted the other day for trying to sneak
    the patent for IPv6 through the system. This is the environment we live
    in. No longer are companies trying to compete with their rivals by making
    the best quality software at the fairest price. They instead have become
    dumb and lazy. They try to compete by illegal price fixing and antitrust
    techniques. So, let me get to the point. A new email (SMTP protocol) system
    will never happen because rival software companies would not buy into a
    protocol that their rival owns. The only way that will happen is if it is
    public-license based.


    Michael
     
    Michael Pelletier, Apr 15, 2005
    #54
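
The post above describes a DNSBL as a validation subsystem (an IP that is not listed may send to you), the earlier post #41 puts whitelisting of known partners ahead of it, and Moe Trin's post #50 adds that every host should resolve in both directions. The following Python code is an added example written for this page, not code from any poster or from sendmail: it builds the reversed-octet DNSBL query name, checks for a 127.0.0.0/8 answer, performs a forward-confirmed rDNS check, and combines the three into one connection policy. The DNS resolvers are passed in as callables, so the policy runs offline against constructed records (RFC 5737 addresses and a placeholder zone name, dnsbl.example); the live_* helpers at the bottom are the assumed swap-in for the system resolver.

```python
"""DNSBL lookup, partner allowlist and forward-confirmed rDNS (FCrDNS) policy.

Added example for this thread, not code from any poster or from sendmail.
Resolvers are injected as callables so the policy logic can be exercised
offline against the constructed records below.
"""
import ipaddress
import socket

# DNSBLs answer with an A record inside 127.0.0.0/8 when an IP is listed.
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve_a):
    """True if the DNSBL returns any 127.0.0.0/8 A record for ip."""
    return any(ipaddress.IPv4Address(a) in LOOPBACK
               for a in resolve_a(dnsbl_query_name(ip, zone)))


def fcrdns_ok(ip, resolve_ptr, resolve_a):
    """Forward-confirmed rDNS: ip -> PTR name(s) -> A records must contain ip."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))


def classify_client(ip, zone, allowlist, resolve_ptr, resolve_a):
    """Decide what to do with a connecting client: known partners first,
    then the DNSBL, then the rDNS sanity check."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in allowlist):
        return "accept-allowlisted"
    if is_listed(ip, zone, resolve_a):
        return "reject-dnsbl"
    if not fcrdns_ok(ip, resolve_ptr, resolve_a):
        return "reject-no-fcrdns"
    return "accept"


# Constructed records for offline use (RFC 5737 addresses, placeholder zone).
ZONE = "dnsbl.example"
ALLOWLIST = [ipaddress.IPv4Network("198.51.100.0/26")]   # hypothetical partner range
A_RECORDS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],   # 192.0.2.10 is listed
    "mail.example.com": ["198.51.100.200"],      # forward and reverse agree
    "host77.example.net": ["198.51.100.99"],     # PTR exists but forward disagrees
}
PTR_RECORDS = {
    "198.51.100.200": ["mail.example.com"],
    "203.0.113.77": ["host77.example.net"],
}


def stub_resolve_a(name):
    return A_RECORDS.get(name, [])


def stub_resolve_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def live_resolve_a(name):
    """Real A lookup via the system resolver; empty list on NXDOMAIN or error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_resolve_ptr(ip):
    """Real PTR lookup via the system resolver; empty list when none exists."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    for client in ["198.51.100.5", "192.0.2.10", "198.51.100.200",
                   "203.0.113.77", "192.0.2.200"]:
        print(client, classify_client(client, ZONE, ALLOWLIST,
                                      stub_resolve_ptr, stub_resolve_a))
```

The allowlist is consulted before the DNSBL so that a partner whose mail server lands on a list (the scenario Leythos raises) is still accepted, and the rDNS check is a separate, weaker signal: a missing or unconfirmed PTR is what Jim Watt ran into with AOL, so a site that does not want to lose such mail outright can map "reject-no-fcrdns" to tagging or greylisting instead.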
  15. Leythos Guest

    That's a simple one, I would do like I do now, I block foreign countries
    subnets that abuse our network connections. I would just block Brazil if
    we found a reason for it - as we don't do business there. If we started
    doing business there we would create an exception list that encompasses
    our business partners in that location.
     
    Leythos, Apr 15, 2005
    #55
  16. Jim Watt Guest

    The person repeatedly adding messages about nonconsensual sex to my
    technical message board does so from Comcast who don't give a shit.
     
    Jim Watt, Apr 15, 2005
    #56
  17. Leythos Guest

    We have a technical message board for our clients, anyone can read, but
    only registered (and approved) members can post. While it doesn't really
    allow the public to participate, those that do register with a real email
    address and we can verify them, are welcomed. You might implement the same
    method.
     
    Leythos, Apr 15, 2005
    #57
  18. Moe Trin Guest

    Actually, such threats are not all that uncommon. The response is one of
    the better ones.

    ]I'm sure that you, and your attack chihuahua make quite a formidable attack
    ]force.

    The image is just perfect.

    Old guy
     
    Moe Trin, Apr 16, 2005
    #58
  19. winged Guest

    Odd, I have found COMCAST admins very responsive when I report spammer
    zombies abusing their networks; not sure what they do, but usually I hear
    nothing from the same zombie again. They have actually been one of the
    better networks when zombie spammers are reported properly. Most of the
    large ISPs respond fairly quickly when one reports zombies. Of course
    you have to provide the evidence in a concise professional manner.

    I am not sure why COMCAST would give a shit about what gets posted to a
    message board by a user; seems like blocking that user from posting
    would be an easier solution if it were a problem.... I must be missing
    something here. If you don't want Comcast users posting, block their
    subnets. But I would never respond to someone complaining about a
    message post, sexual or otherwise. Comcast isn't out to cut a paying
    customer's throat. It is not reasonable to expect otherwise.

    Most zombie customers don't realize they are zombies and they can eat
    tremendous bandwidth and cause blacklist issues. It is in their best
    interest to fix the problem. If their customer is using your resource
    but not impacting the network, why would they respond? I would think
    that would be the board owner's issue.

    Winged
     
    winged, Apr 16, 2005
    #59
  20. What about Colombia, or Argentina or Eastern Europe? The problem with
    blocking countries, and why I refuse to do it, is that you are blocking
    legit users also. Wasn't it you who said that using blacklists could
    prevent a "good" user access? And I said whitelist your customers and use
    blacklists also.

    Sorry, but blocking countries when there are clearly better ways to handle
    the problem is just foolish...

    If you are going to go that route, why not just allow your customers and
    block everyone else? That would be a block list that is easier to maintain.
    By the way, I am being sarcastic... :)

    Disagree with that technique... Will not be implemented where I work...

    Michael
     
    Michael J. Pelletier, Apr 16, 2005
    #60
