Man gets nine years for spamming

What about them? Who cares?

I haven't got any customers there and don't want any.

Unfortunately Russia is another matter, however the most
crap I see comes from the US.

Judging from the comments about identity theft the US lags
behind the EU in data protection legislation too,.

 

There are two things here:

1) If I don't do business in a country there is no reason to provide them
with access to my site.

2) Black list anything you want as long as it doesn't interfere with your
targeted audience.

As I've said many times, I don't black list ALL foreign countries, just
major parts of ones that have made repeated attempts to exploit a
known/unknown flaw in a system exposed to the public.

So, do you let Asian countries have access to your company LAN? Assuming
you're smart and say no, the same reasoning applies to your DMZ - if you
are not targeting them for your audience you should block them. It's
always a good idea to restrict access from those that don't need it.

Just because you/anyone has an internet connection does not entitle them
to view a site/service because "you/anyone" wants too, it's the site owner
that determines who/what can access their site/service.

 

You can safely assume I did that.

Their TOS does cover "Inappropriate Content - Distribution of content
which is inappropriate for its intended recipient."

The board owner has indeed taken action to proactivly respond;
Javascript is now disabled in postings and the offensive poster gets a
very special welcome message.

I assume the idea of the postings was to promote the scummy
website and to try and generate links to it in search engines
indexing my site.

So far porn free, time will tell.

 

Here is the problem with blocklisting countries. I travel a lot. In fact we
are in the age of International business (let's be honest it is a quest for
cheap labor and manufacturing). I am your customer, I travel to Brazil,
China or whereever for business. I use a local ISP and guess what? I can
not contact you like I normally do. Even worse I can not get access to the
resources I need. I am thousands of miles away to boot. PROBLEM!!! As a
customer I say "what the hell" and go to another company that is "more
professional". You should not blacklist countries because we live in a
World economy and have business people who travel aboard frequently.

Again, I do not and will not, blacklist countries. It is foolish when there
are many techniques that are equally and significantly better.

Read above. The "targeted audience" is everyone. Do you really want to
shrink your targeted audience?

The point I am making is that you do not need to. Run secure systems. Stay
away from windows if possible to anything on your DMZ.

No. DMZ resources do not equate to LAN resources. These are firewalled
resources that do not reside on you internal LAN. Now I have see in my time
"potato head IT" shops that had a router with ACLS and static NAT entries
to resources internal and claim it is a "DMZ". This type of setup DOES NOT
have a DMZ.

A DMZ is a construct consisting of a special LAN hanging off a firewall
where the servers on the said LAN are allowed to receive Internet packets
(new connections). The servers in the DMZ SHOULD NOT be dual homed back
into the internal LAN (I see a lot of this mostly from Windows admins,
sorry good windows guys). Furthermore, the DMZ LANs should be many.The
servers are logically grouped per DMZ LAN. In other words web servers are
located on DMZ LAN 1, Mail servers belong to DMZ Lan 2, etc, etc.

Now here is the clincher. In a proper configuration. DMZ servers ARE NOT
ALLOWED to connect to ANYTHING internal. The interface between internal pcs
and servers to the DMZ is as restricted, almost to the same degree, as the
interface from the Internet to the DMZ servers.

Then construct your "services" to require a logon....

The whole purpose of having a website is allow anyone to view it. If you do
not want people to view all or some of it, require a logon. As for email, I
already told you the technique of blacklisting countries does not cut it
for me. We work with people around the World. We have people constantly
traveling around the World....I use other techniques that result in the
same SPAM kill rate but WITHOUT using the "black list most of the World"
technique.

Again, if your technique works for you, use it. It does not matter to me. I
just see it as unneeded overkill with the potential to un-needlessly piss
off our sales people and potentially lose customers....

Michael

 

It is not only potential customers there but the business people who go
there and use an ISP. What about those. Sorry but I am a professional. This
type of solution is not. Again, if it works for you use it. It does not
work for me...(red the comment I repled to in the same tree)

Are you looking at the IP address of the SPAM or the spoofed "domain name".

Again I see, and log, from these countries: China, Brazil, E. Europe and US.
All of these are on the top of the SPAM countries...

Maybe (except California) but the EU does not actively pursue credit card
theft. It is rampant in the EU...and nobody seems to do anything about it.

 

Mine use webmail on the corporate server.

Oh wow, as I've told you before some of us have been doing
these things for a living for some time.

you mean those email addresses and domains are not real? oh wow again
I never guessed

Nonsense.

 

Actually, you don't have to move to "there". You can set up a shell
company there, and spam your heart out with little chance of the
chickens coming home to roost. The money is easily moved without
difficulty. You could be an employee of a company registered in
Liechtenstein or whatever, and they could be the nominal owner of the
shell company in Brazil or whatever.

[compton ~]$ grep BR IP.ADDR/stats/[ALR]*
IP.ADDR/stats/AFRINIC:0
IP.ADDR/stats/APNIC:0
IP.ADDR/stats/ARIN:0
IP.ADDR/stats/LACNIC:260
IP.ADDR/stats/RIPE:0
[compton ~]$ grep BR IP.ADDR/stats/LACNIC| cut -d' ' -f2 | cut -d'.' -f1 |
sort -n | uniq -c | column
1 139 1 147 1 157 38 192 1 206
4 143 5 150 3 161 10 198
1 144 2 152 2 164 185 200
2 146 1 155 1 170 2 201
[compton ~]$ grep BR IP.ADDR/stats/LACNIC | grep ' 139'
BR 139.82.0.0 255.255.0.0 assigned
[compton ~]$

(The last command is there only to show the format of the file I'm using.)
However, that doesn't catch "everyone", as several .us registered domains
are providing service there too.

Columbia - 95 allocations from LACNIC, a handful from .us ranges like
Equant, or SpewU.net. Argentina - 228 allocations from LACNIC and
similar handfuls from .us ranges. Eastern Europe? Define what you mean.
Romania for example has 231 allocations from RIPE, but they're only in
14 /8s, and the "bad guys" can be blocked with very few rules.

The subject has been discussed thousands of time in many newsgroups. Heck,
there's even a whole Usenet news group about blocklists

news.admin.net-abuse.blocklisting Discussion of ip-based blocklisting.
(Moderated)

If the company isn't offering goods or services to country X, then there is
no need to allow access from what is perceived to be country X. For a very
recent discussion of pros/cons/opinions, see the thread "Why you have
hardware firewalls" in comp.security.firewalls. The local Cadillac dealers
spew from every radio and TV station in the local market - but they don't
advertise in LAX, or Vegas, or Dallas. Why? You answer the obvious question.
And before you say "that's different", think about it.

There are situations where that might be appropriate. "Your servers, your
rules" (which may also translate to "your decisions, your loss"). By the
same token, there may be situations where other (or even no) filtering
may be more desirable. See the book by John Madden (yes, that John Madden)
titled "One Size Doesn't Fit All" (ISBN 0-394-56313-1, Villard Books 1988).
I don't accept mail from 172.0.0.0/8. Why? Because the only two blocks
assigned to that space belong to AOL, and AOL doesn't have their mail servers
in that block (they are in 64.12.138.x).

Then don't use it. But don't think that it might not be suitable (even
"ideal") for others.

Old guy

 

That is pretty much what I meant...

Sure. But you missing the point. The point is, for me, blocking countries is
like using a sledgehammer to kill fly. Sure you will kill the fly sooner or
later but, you will also probably break a lot of peripheral objects also. I
prefer using a fly swatter...

Not to meantin the problem of traveling businessmen. We have people who
travel the World 365 days a year....Country blacklisting causes more
problems than is removes... especially where there are other techniques
that give the same result.

Sure. Again, I will not implement this when there are clearly better ways to
achieve the same goal...

Read my respose I posted earlier. Maybe you company is small or has a small
market. We are global. Most companies (even medium and some small) are
going global...Your argument might have been valid some years ago, but the
Internet, and how companies are being run now-a-days, has changing things.
My company for example does a lot of business in China, South Korea and all
of S. America...

Now you example for the car dealership has valid points. However, it does
not fit all business models...only small local companies.

You are proving my point with respect to your car dealership. One size does
not fit all. If you are a small (ie national) company sure, block entire
countries. If you are a global company this technique is foolish when there
are other ways to do that are equally effective.

Let me give you an example that happened to me the other day. I got a phone
call about a new company that we were looking to do business with. Know, I
was out of the office. I have a Palm Treo 650. I sent them an email (using
Hotmail) that never reached them.

I thought to myself, you guys have to block entire domains in your email
system? Not even taking into account that most of the SPAM will spoof email
address from Hotmail and don't really come from them to being with
(currently not the same in the past). I thought how good is this company
really? I scratched them off the list and went to the next company....

The point I am making is this. For global companies you really do not want
to piss off you potential customers or sales people. There are many
techniques that will give you the same result without using a
"sledgehammer"....

I don't and won't. Your techniques are good for national companies really
bad for global...

Michael

 

Microsoft based no doubt. I bet you even have your DMZ servers on the same
authentication scheme as your internal clients...

Most of us in fact...

Jim, you were doing so well for some time. Then your lame sarcasm has reared
it's ugly head again...

Look Jim, use whatever technique you want to use. I do not care....whatever
works for you...

Michael

 

I know we all have got off topic a little but, I thought this was relevant:

http://yro.slashdot.org/article.pl?sid=05/04/16/1729233&from=rss

Michael

 

I always had trouble suffering fools gladly.

 

No, here's the problem - you seem to think that the world is your my
market-place, but I seem to have a better understanding of my market-place
and know where my customers and remote users are. If I understand what I
just said, I can still block subnets in foreign countries and still allow
remote connections from unblocked areas of those countries.

Now, before you misunderstand again, since I only work with US customers,
except for a couple places in India, I can safely block most foreign
countries from my US based services, and it will not have ANY impact on my
customers or my workers, even my workers that travel.

Now, again, if I understand my target audience and have any clue about my
own company and it's resources, I can safely block non-needed access to my
company without any problem.

Read my reply to your complete misunderstanding of the reason for blocking
- if you DO NOT PROVIDE SERVICE TO THOSE COUNTRIES you don't have any
reason to provide access to your network from them. If you're sales people
don't travel to those countries you don't need to give them access from
those countries either. What part are you unable to understand about this
concept.

There is NO SHRINKING of the target, you can't shrink the target audience
if you didn't offer services to them to begin with.

Windows has nothing to do with a secure/non-secure network, Windows
servers are as simple to secure as any other server if you understand the
OS. We've had public Windows servers running at fortune 500 companies for
5+ years, running ASP and (not as long) .Net applications, without a
single compromise.

And the point you miss, another time, is that if you don't offer anything
to country X, you don't need to provide access from country X to your
network. This means that if I don't provide ANY services to country X,
don't have business work in country X, don't have employees in country X,
I can block that country WITHOUT ANY IMPACT on my business.

You're not telling me anything new, I design secure networks for a living,
ones that have passed Homeland Security audits, and the first rule of
security is to limit access to resources to those users/systems that need
access.

You don't really understand the internet or business if you believe the
above, and you don't do security work for a living either.

The purpose of having a website is to allow your information to be
provided to your target. The target can be as small as one user/system or
as large as the world. Only the owner of the service has a right to
suggest anything to the contrary.

Wrong, since you don't offer services to the world, as is the case in my
part of the discussion, there is no reason to require a user/system to
LOGON to view the public information targeted to them - that's like asking
me to logon to my cable TV before I can watch any TV.

And I never suggested that it would work for you, I said, and you need to
read this, I don't do business outside the US, Canada, GB, and India, we
block anything we don't need once we see an attempt to break into the
networks. This method does NOT IMPACT OUR BUSINESS.

Also, this has nothing to do with any specific service, it's not about
email or web or ftp, it's about the basics of security: If you don't need
to provide access to something, don't provide access to it.

And I didn't suggest that you needed to apply it to your organization. Our
sales, customers, techs, business partners, etc... work with our systems
and networks just fine, never a problem, and never a complaint. We don't
provide services to the world, only a select portion of it, and we're very
happy with that scope.

What you should understand from all of this is that many businesses are
not global, don't need to expose their resources to large areas of the
world (geographically), and that basic security principals dictate that
you only expose what is needed. You might want to analyze your business,
where it's doing business/partners/support and determine if you really
need to provide access from attacking networks in countries where you
don't do business/etc.

As I said before, been working with systems/computers since the 70's,
doing networking and security for a long time, and never had a compromised
system/network at any location. I'll stick with my methods and processes.

 

And this is your point of confusion - not anything is broken at any time
if you understand the basics of your targets and your basic security
principals. If you don't have a reason to provide service to country X (no
reason at all), then you can safely block it. Notice, read it twice if you
have too, I said "If you don't have a reason to provide service to country
X then you can safely block it).

If you have a reason to provide services to country X, then don't block
it.

The above are simple concepts, and they work for everyone.

And the above two concepts (which are really just one concept) would apply
to those sales people in your company as easily as they apply to anyone in
my company - if you need to provide service to the world, then don't block
anything, otherwise, if you're smart enough to know your targets, you can
block without any issues.

There is not a single technique that gives a better method than blocking -
that's what firewalls are about. If I don't want the public to access my
SQL server or my Oracle server I don't open those services through the
firewall. If I don't want to expose my web-server to places I don't target
then I block access from those locations. If I don't want email from
China, directly from them, then I can block their networks from accessing
my services.

If you ever get into security or providing public services from networks,
you would do well to learn what I've just said - only expose what you need
to expose, nothing more.

 

No, you are misunderstanding my posts. I'm not showing what my company
is doing (NDA and all that stuff). I do know about some of the blocks
because I'm in network support, but I don't have access to the firewalls.
What I do at home is quite different.

You don't want to hear different - so be it.

Read the thread in comp.security.firewalls, specifically my response to
Leythos last Wednesday. You look up our company in ARIN or IANA, and the
address is New York. You do a traceroute, and the last response you
get is BBN in San Jose California. But I'm not there, and some of
the subnets are in Europe, some in Japan, some in Argentina. But we can
block (for example) China because communications from them go via the
local company that we own there. You can do some neat things with DNS,
you know. That helps, because I doubt that we have that many people in the
states that are comfortable with Big5. Those dudes are in Shanghai or
whatever it's called now, Beijing, Singapore and Hong Kong. Also, golly gee,
we're in a different time zone. That's not the excuse for Central/South
America, but they go through the reps down there, not here, on their local
time, not ours. Lather, rinse, repeat. Or doesn't your company have
facilities overseas?

Do a read on news.admin.net-abuse.blocklisting a month or two ago. Some
clowns were trying to get a block lifted on Singapore IP space that was
used by American Express. I'm sure you've heard of them - registered in
New York also. The IP space was assigned by APNIC to some crappy .sg ISP,
and I suspect the posters were local employees of whoever is repping AmEx
there. I recall one of the addresses they were bitching about did resolve
(both ways) to a aexp.com name. A traceroute sure looked like .sg too.

This is alt.computer.security - a lot of the readers are under a hundred
million dollars in sales a year. I dunno about those Cadillac dealers,
but I haven't seen their domain names in the news spool. But then, I'm
sure I'm not the only one here who's not posting with a company address.

Hotmail??? What an incredibly stupid thing to use for business. My
management would go absolutely ballistic if I tried to conduct business
and failed to use the company mail servers. It really doesn't inspire
confidence to see a hotmail or similar used as part of company business.
Not in the office? Tunnel in. Period. If your network people can't figure
out how to make such a tunnel, whether from Starbux, or the hospitality
suite at some airport, or some shitty two line ISP in a sixth world country
in the middle of Southeast Nowhere, or can't figure out a means of securely
authenticating and encrypting the tunnel, they _REALLY_ shouldn't be in
the business. I certainly don't want to do business with a company that
incompetent.

I'm not the mail king, and I really don't know all of the blocks that are
in place (I know about AOL, and a few others, because I helped the poor
sod who is the mail king in identifying some of the hosts). My home
address is a random character string (I used /dev/random piped through
uuencode when I opened the account - the expression of the salesdroid
when I explained what I was doing must have been priceless), and it's not
used for mail other than to receive the monthly invoice from the ISP. They
also give me up to five additional account names for mail, and I can change
them freely (which I do on an average of once a quarter). The only people
who know those are family and friends. Other than that, I don't do
email - as the headers show.

Old guy

 

OG, I'm starting to suspect he's not really a technical type, more of a
some-day-hopeful. As I see it, almost every company I know, and all of
them we've setup, have Web access to their email, including access via
their cell phones, PDA Cells, BlackBerry's, etc....

He keeps coming up with reason to not block a network, but he's not
addressing the issues that were presented at the start of the discussion,
and he fails to understand that the proper way to secure a network is to
restrict access to only those that need it.

 

I still can't get over this one. In the 15+ years that I've had external
email. I have NEVER seen a reputable company using anything other than
their own mail systems. Flat out NEVER! Heck, even my neighbors teenage
son who's operating a bicycle repair service out of the third bay of
the family garage even knows that - has his own domain, and even provides
bills on a presentable letterhead. I don't think he's out of high school yet.

I don't think we've ever had web access. In the late '80s. once we got
access to DARPANET, we had some horrible application - don't even remember
the program name - that ran under DOS that you basically used for terminal
access. That lasted until about 1992, when we got an application that ran
under 4BSD, AIX, and SunOS over the net. It was basically a form of
encrypted telnet with passwords changing weekly, then your session was
further encrypted with a personal key once you logged in. If you were
coming in over the Internet (and in 1992, that wasn't all that common),
you connected to a bastion host, and after authentication there, got to
connect to an inner server where you logged in and actually did stuff. It
was _SLOOOOOOOOOWWW!!! The company backbone then was a 56k link, and all
of the local sites were running 10MB Ethernet. Our connections to the
world (we had 3 that I was aware of) were also 56K links. When we finally
got a T1, we were amazed. Almost like "local" performance. I don't know
what the backbone is now, but last week I was stealing lots of CPU cycles
for the accounting division (it's tax time) from servers in France, Japan,
New York, and California depending on local time of day.

Access to a network isn't all of it. Everything that is publicly accessible
on our nets are in the DMZ, or locally operated DMZs in overseas facilities.
That includes mail in/out, web servers, ftp, and such. There is no access
to ANY internal network, and that includes name-service to resolve internal
subnet hostnames. For that matter, there is no access _from_ the DMZ into the
internal network - only access from internal _to_ the DMZ/. Our remote access
from the world isn't even on our /8, which does make it harder to hack in.
It's slightly slower, but it's not like we have people running remote X at
1600x1280x76 through a tunnel.

Old guy

 

You did not read what I said, I was sending a question to a company. I was
logged into hotmail on my PALM. I was not at home, I was in a cafe...

No shit really? You should ask question before you
judge..."some-day-hopeful"? maybe you...

Idiot! The point is we are a global company! Explain to me this. our sales
people quite often go to Chine, S. Korea all over S. America. As you know
sales people the hand the cards out to everyone they can. Should I have
them include a warning that they can only email our sales people after they
have sent snail mail to me to unblock their IP address? Ya, that would work
really well. In fact I can see the business card now:

Mr. Brown VP Sales
Email:
(Please if you are not in the US send regular mail to IT team because they
are to lame to figure out a way to limit/stop SPAM.An currently they are
blocking your company)

You sound more like the "some-day-hopefull" to me...


Michael

 

Gee, thanks for the advice I've only been doing for quite some time but, I
really appreciate you security 101 lesson. Really, I do.

A couple of flaws in your argument
1) SPAM is not a SECURITY issue. It is a nuisance. Not counting SPAM that
are phising. Now don't say emailed viruses are SPAM because everyone
filters incoming email to remove Defanged MIME attachments and dangerous
file types. I am sure, rather hope, you have some sort of filtering of your
incoming email...
2) You seem to not be able to comprehend that not everyone has the same
business model as you. You may be able to block countries, but I can not.
Why you ask, I will tell you:

For the last time, we have sales people. They travel a lot. In fact most
have a 80% road time to 20 % office time. Most travel overseas. Their
travel includes but, is not limited to, China, S Korea and most of S.
America. What do sales people do when they travel. They sell. They hand out
their business cards to anyone that will take it.
So what do you do? Do you include a disclaimer on your business cards that
reads "If you come from these countries, CHINA, Etc, ETC, sorry we do not
except email from you."
Do you really think that is a good idea?
3) Why should I block email from various countries because of SPAM when I
can accurately nuke it? You guys have never answered this question yet.
Instead you give me incorrect statement's about security when SPAM is not
equated to security (minus phising). Then, you say I do not know security.
Nice try, but I think you should at least know what then hell you are
talking about first. I am starting to think you just another blowhard
wannabe.

Michael

 

Sure.

The part you do not get, is that fact that business people try to build
contacts. In fact, if you are a sales person that does not try to build
contacts you will not be a sales person for much longer.

Here is the point (actually one of the reasons I do not block like that).
Our sales people will try to get new accounts which means they will hand
out business cards. Considering they do most of their business overseas,
that means that you can not know all of the potential people who will be
using our email system to contact our sales people. God damn it why the
hell is this concept do f'n difficult for you people to
grasp???????????????????

If your business is static then you are correct our's is not. So therefore
you are wrong. Read above.

Well, good luck to ya. I personally never use Windows in a DMZ environment.
While working for the government I would have been laughted at if I even
tried to suggest it. Then again, it was a high research organization.
Different philosophies perhaps...

Didn't we already address this. You may work for a company who's business is
static. Cool. I do not. At any given time we could get a new customer or a
question about services. They could come from any where. As you can see, in
our environment blocking is not the way to go.

Forget for a minute about the company I work at. I have posted this question
many, many, times and no one seems to be able to answer it. Why should I
block when I can achieve almost exactly the same SPAM kill percentage? Why?
Please don't say something lame about security we are talking about one
port (25) access. There has not been a security breach in sendmail in quite
some time. Even if their was, the way viruses and worms travel it would not
make much of a difference...so anwser the question

Again, read my situation with sales people. You do not know business...

 

Maybe you misunderstood my original post. Maybe I did not explain it clearly
for you. First no, I do not work for a company that uses HOTMAIL. I need to
emaila question to a possible vendor. I was in a cafe. I had my Palm Treo.
I was already logged into hotmail at the time. So I created an email and
sent my question on pricing to them. Get it now?????????

I remember going from a 56k frame relay to 512. I though I was in
heaven . Now, we have 100Mb FastE (it really is a Sonet transport with a
100Mb FastE handoff) links within the city I work. How things change so
fast...Now VoIP...

Nice setup...

I run all FreeBSD servers in the DMZs. Each server is stripped down to the
barebones. Only what is needed to preform the task the server does is
allowed on. Each service within each server is run in a jailed environment.
We have 12 DMZ interfaces. Each DMZ performs a logical task. I.E. Email
gateways are in one DMZ, Web servers another DMZ, etc, etc. All access is
one-way (from the intranet to the DMZ) except email (which is allowed to
forward to the internal email servers and syslog which is allowed to also
forward syslog messages to an internal server. I have Snort boxes on all of
the DMZs and in between the Internet routers (using BGP) and the first
firewall. Each Snort box has a local firewall and blocks every packet from
the bridging layer up on the "listening" interface. They all have their
reporting interface connect to a special DMZ that my internal system
monitor polls to....and so on and so on...


Take care, nice talking with someone who really knows security as apposed to
wannabes...

Michael