RE: Blocking mail from bad places

--- michael.dillon@bt.com wrote: ---

Hey, you've just described the FUSSP! :(

Solution!?

Since when is a description of one aspect of the problem considered to
be the solution? In a nutshell, I said that the email spam problem is
getting worse, not just measured by spam volumes or number of new spam
techniques, but measured by the number of people turning to non-email
communications channels.

They won't go away, they'll just go infest whatever the people are using.
We're already seeing significant amounts of blog-comment spam, and as soon
as the spammers find a good methodology, there'll be MySpace and YouTube
spam (if there isn't already)....

I can personally testify that, as a proportion of the "mail" I get through it, there's quite a bit of spam on MySpace - phishing scams (Adult MySpace Viewer), fake profiles designed to draw you to adult dating / webcam / porn sites, etc. Lots of attractive women claiming to want you to be their friend for some mysterious reason.

Some of it is quite sophisticated: full blown "instant" profiles with fake comments ... the smarter spammers actually make the profile look real (often lifting material from legit user profiles), and then just stick their spam in the comments (and of course, "comment" spam is quite prevalent too, as is spam that invites you to join "groups" that are front ends to other sites, etc.) or wait a few days and then spam you via "bulletins". Sometimes, it is pretty hard to tell what is spam, and what is not... I have an acquaintance who specializes in documenting these scams and tracking down the sponsors of the affiliate programs funding some of them and getting affiliate accounts canceled (I've done this once in a while myself).

Sometimes there's a strange mixture of sophistication and stupidity - plausible profiles, very credible on their face... all batched together, five or six "friend requests" at a time, coming within two or three minutes of each other at 4 a.m. Or two requests, from users with slightly different "names", and an identical photo.

MySpace does a fairly good job of responding to complaints and terminating accounts (sometimes within hours of their creation).

I'm not a dedicated YouTube user, but I've seen plenty of spam in comments on YouTube as well... this is a generic problem, with levels of vulnerability dependent on the architecture of the communications system, and the scale within which it operates (how attractive it is).

Some of it is quite sophisticated: full blown "instant" profiles with
fake comments ... the smarter spammers actually make the profile look
real (often lifting material from legit user profiles), and then
just ...

At the MIT Spam Conference, I was talking to MySpace's anti-spam
researcher. He said that they see many profiles that look totally
legit and which have been carefully nurtured for more than six months
-- and then the formerly legit profile suddenly becomes the drop site
for a phishing campaign or other spam repository.

Captchas apparently help quite a bit to stem this kind of problem
because they install a technical barrier that, while not impossible to
break through programmatically, at least delays things a bit and
reduces the ROI for the spammer.

Regards,
Ken

Greetings.

While it's a pretty brute-force approach, one method I'm trying is to
curtail the source of email. In other words, if SMTP traffic comes from an
unknown source it gets directed to a sendmail server that intentionally
rejects the email message (550 with an informational message/URL). If the
email message comes from a "known" source (friend/family's ISP) it
gets routed to my main sendmail server, which allows most email after
checking for the obvious (non-resolvable domains, blacklisted domains, etc.)
using access lists.
I've cut down on spam (including this account, which I use solely for
NANOG) to about 0. Granted, the amount of valid email that can get rejected
is high, but since I log the bounces on the drop server I can look for
obvious rejects from good/expected email servers.
Not by any means a solution for a large or even medium-size provider, but
for a small home-based setup it works well. Details at http://www.sumless.net/nsh.html

Cheers,
-Joe Blanchard

That makes sense, and matches up with my experience... you also have "amateur" spammers just doing stuff manually (as well as spammers paying people pennies a page to input CAPTCHA responses).

Another issue is that the unsolicited contact paradigm blurs a bit, when you have musicians and promoters and organizations with causes, etc. all asking to be "added as a friend"... the situation becomes one of those "I know spam when I see it." ones...

Ken Simpson wrote:

joej wrote:

Greetings.

While it's a pretty brute-force approach, one method I'm trying is to
curtail the source of email. In other words, if SMTP traffic comes from an
unknown source it gets directed to a sendmail server that intentionally
rejects the email message (550 with an informational message/URL). If the
email message comes from a "known" source (friend/family's ISP) it
gets routed to my main sendmail server, which allows most email after
checking for the obvious (non-resolvable domains, blacklisted domains, etc.)
using access lists.
I've cut down on spam (including this account, which I use solely for
NANOG) to about 0. Granted, the amount of valid email that can get rejected
is high, but since I log the bounces on the drop server I can look for
obvious rejects from good/expected email servers.
Not by any means a solution for a large or even medium-size provider, but
for a small home-based setup it works well. Details at No Spam Here (http://www.sumless.net/nsh.html)

Cheers,
-Joe Blanchard

Hi Joe,

1) You send bounces from spammers to innocent people, whose addresses have been forged.

2) Even if you modified the return address, so the bounce returns to the zombie, it
    does not make sense. Bots don't listen.

Looks like you are adding to the noise, and chances are good you are finding yourself
in a blacklist.

3) You are dropping valid emails.

It might make more sense telling your friends not to send emails to port 25 but
to port 26 if they want to get in. The spammers don't know how to switch to port 26.
They will knock on the door once and go away.

Another means would be switching to UUCP. I have not seen any spam on our little
UUCP network yet.

Cheers
Peter and Karin

While it's a pretty brute-force approach, one method I'm trying is to
curtail the source of email. In other words, if SMTP traffic comes from an
unknown source it gets directed to a sendmail server that intentionally
rejects the email message (550 with an informational message/URL).

1) You send bounces from spammers to innocent people, whose
addresses have been forged.

This is an SMTP reject, not a bounce. It's a lethal variety of
greylisting.

This technique works great to keep spam out of your mailbox.

3) You are dropping valid emails.

Right. It's also quite an effective way to be sure you never hear from
non-technical users who don't understand your bounce message, and from
people like me who don't feel like jumping through your hoops,
particularly in a case like this where we're responding to a question
you asked.

R's,
John
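Added illustration (not code from anyone in this thread): a small model of Joe's drop-server setup showing why John's distinction matters. An inline 550 goes back over the open session to the connecting client and creates no new mail, whereas accept-then-bounce generates a DSN to whatever address the spammer put in MAIL FROM. The netblocks, addresses and reply text are constructed placeholders.

```python
import ipaddress

# Constructed netblocks standing in for the "known" ISP ranges in Joe's setup
# (documentation ranges, not real ones); the reject text and URL are placeholders.
KNOWN_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
REJECT_REPLY = "550 5.7.1 Unknown source network; see http://example.invalid/policy"

def is_known_source(client_ip):
    """Joe's routing decision: is the connecting MTA in a known netblock?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in KNOWN_NETBLOCKS)

def handle_session(envelope, mode):
    """Return the SMTP reply sent to the client plus any new messages the
    receiving system generates. 'reject' answers 550 inside the session,
    as Joe's drop server does; 'bounce' accepts (250) and later mails a DSN
    to the envelope sender, which is what produces backscatter."""
    if is_known_source(envelope["client_ip"]):
        return {"reply": "250 2.0.0 Accepted", "outbound": []}
    if mode == "reject":
        # The 550 travels back over the open connection to the connecting
        # client only; nothing is addressed to the (possibly forged) MAIL FROM.
        return {"reply": REJECT_REPLY, "outbound": []}
    # Accept-then-bounce: a null return path (<>) must never get a DSN;
    # any other sender, forged or not, receives one.
    outbound = []
    if envelope["mail_from"]:
        outbound.append({"to": envelope["mail_from"],
                         "from": "MAILER-DAEMON@example.invalid",
                         "subject": "Undeliverable: message refused"})
    return {"reply": "250 2.0.0 Queued", "outbound": outbound}

def backscatter_victims(envelopes, mode):
    """Addresses that receive DSNs for mail they never sent."""
    victims = set()
    for env in envelopes:
        for msg in handle_session(env, mode)["outbound"]:
            victims.add(msg["to"])
    return victims

# Constructed sample: three bot deliveries from unknown addresses, two of
# them forging the same innocent sender, plus one message from a known ISP.
SAMPLE = [
    {"client_ip": "203.0.113.9", "mail_from": "alice@example.invalid"},
    {"client_ip": "203.0.113.10", "mail_from": "alice@example.invalid"},
    {"client_ip": "203.0.113.11", "mail_from": ""},
    {"client_ip": "192.0.2.7", "mail_from": "bob@example.invalid"},
]
```

Running `backscatter_victims(SAMPLE, "bounce")` shows the forged sender collecting DSNs for every bot delivery, while the reject mode yields an empty set.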

[...snip]

Captchas apparently help quite a bit to stem this kind of problem
because they install a technical barrier that, while not impossible to
break through programmatically, at least delays things a bit and
reduces the ROI for the spammer.

Regards,
Ken

--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com

Captchas are all fine and dandy but they are not ADA compliant
and certainly a no-no for government or public agencies. Don't
believe me? Accessibility issues (Section 508) will be the next
Y2K obstacle for IT folks because all of our future software
purchases require that the software is accessible. Within the
next 18 months we'll have to provide a VPAT
[example: http://www.section508.nasa.gov/vpat3.htm] for all
software purchases. If your company doesn't know about these
yet kiss goodbye to all your government customers.

As for catching spam and viruses we gave up on open-source
solutions a long time ago in favor of IronPort appliances.
These products negate almost 100% of your effort in maintaining
greylists or rulesets. You have plenty of choices out there with
very different approaches and you can bet the top-tier companies
like MailChannels, IronPort, and Mirapoint (among others) have
something to make your life easier.

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca 90840-0101

> 1) You send bounces from spammers to innocent people, whose
> addresses have been forged.

This is an SMTP reject, not a bounce. It's a lethal variety of
greylisting.

This technique works great to keep spam out of your mailbox.

Inline rejection is a little dangerous for mailing lists (because you
might be auto-unsubscribed), but IMHO it's better than receiving and
quarantining, because at least the sender can do something to resolve
the situation -- such as calling you to say their email was bounced by
your spam filter.

Providing a telephone number in the bounce is an effective way to deal
with false positives.

Regards,
Ken

Yes, it's an SMTP reject, not a store, try to forward and return.
I should have clarified.

Right. It's also quite an effective way to be sure you never hear from
non-technical users who don't understand your bounce message,
and from people like me who don't feel like jumping through your hoops,
particularly in a case like this where we're responding to a question
you asked.

Yes, unfortunately there are drawbacks. I try to make the 550 reject as
informative as possible (URL link, yada yada), but... With a mailing list I see
the responses because I allow email from the network that serves the
mailing list server, in this case NANOG (: So...

As needed I add IPs/netblocks, but like I said, very much overkill and
administratively burdensome. But the upside is (I think maybe 1) spam email
in the last 3 months. I still get a count on the spam rejects, which have
decreased: month 1 = 1752 bounces, 2 = 1292, 3 = 899. Again, not an answer, more
like a campaign...

Just my 2¢ on the whole thing.
Cheers,
-Joe Blanchard

This technique works great to keep spam out of your mailbox.

Inline rejection is a little dangerous for mailing lists

And for anyone else who doesn't feel like jumping through your hoops.

Providing a telephone number in the bounce is an effective way to deal
with false positives.

Only if you assume that everyone who writes to you is so desperate to send you mail that they are willing to make what may be an international call in the middle of the night. I have not found that to be a very realistic assumption.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

I have to agree with John here - I've been sending back 'email me at
postmaster@... if this is an error' for all rejections here since 2003
or so, and can count the legit mail to postmaster I've received in that
time on one hand, maybe two; the stuff that gets rejected before the
accept-postmaster default gets a different error, containing a phone
number. I've never had anyone call me there.

Not that it bothers me much - I've done my part, I figure, and if they
aren't willing to email a postmaster or call, then <shrug>? What can I
do?

I'll add that even if everyone were willing to email/call with problems,
the hideous things that (e.g.) Exchange does to your carefully
handcrafted rejection errors are enough to cripple the least tech-savvy
of your likely audience, anyway.

MySpace and blog spamming can be cured instantly if users required
all public posts to be moderated rather than automatically accepted.

Many people see blogging as analogous to newspaper publishing. If
you want to be a newspaper publisher, you also need an editor to
review content printed in your paper (posted to your blog). I've posted
to the Washington Post blogs and their on-line folks read and review
each and every post to keep out the spam. Sure it's expensive, but
that's the price for quality forums. If you leave a blank canvas for
all to use, the taggers will come.

As for YouTube spamming...well, that's like classified advertising.
Some people will pay for big bold spots and some people can only
afford a two-line ad. If you want to give everyone the opportunity
to post for free, you have to accept the garbage. Do you want a
content editor to ensure policy compliance, or let it be open to
all who come?

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca 90840-0101

One problem with the "bounce" solution is that for those of us with multiple domains (some of them wildcarded) mapped to our mailboxes, the volume of "backscatter" makes it a real hassle to sort out the valid bounces from the "noise". Even users with a single email address can be victimized often enough to dismiss this stuff as a form of "spam", and automatically delete it without looking; every few months, I get pained complaints from one friend or family member or another about someone using their address to spam, and thousands of bounce messages winding up in their mailbox as a result... another major problem, in my opinion, caused by spam that is leading to email becoming more and more of an unreliable medium - even when everything works perfectly according to protocol and RFC, and a person gets a bounce message because an address is out of date or typoed or otherwise invalid, they'll never know.

Thomas

Steven Champeon wrote:

One problem with the “bounce” solution is that

Todd makes my point exactly. As he notes, the rejection message tells me that the message was rejected by some system. It does not tell me why it was rejected. Thus, just like this message, it adds more to the noise-to-signal ratio!

Cutler

----- Original Message -----
From: [James R. Cutler](mailto:james.cutler@consultant.com)
To: [nanog@nanog.org](mailto:nanog@nanog.org)
Sent: Thursday, April 05, 2007 12:08 PM
Subject: Re: Blocking mail from bad places
At 4/5/2007 08:38 AM -0700, Thomas Leavitt wrote:
One problem with the "bounce" solution is that
==========================
So, I (Cutler) add:
And, even the best-intentioned bounce messages often give lots of data, but no information, thus increasing the noise-to-signal ratio. For example, Paul most likely knows what the following means to him. To me it just means I can't send mail to Paul.

Except that this message tells you why you can't send mail to Paul - because Paul's system refused it, not because Paul's system didn't exist or that Paul's address was bad.

<aol />
Backscatter from spam forgeries is *the* reason stevesobol.com is no
longer a catchall domain.

James R. Cutler [05/04/07 16:30 -0400]:

Todd makes my point exactly. As he notes, the rejection message
tells me that the message was rejected by some system. It does not
tell me why it was rejected. Thus, just like this message, it adds
more to the noise-to-signal ratio!

Has anyone ever thought of standardizing the 500-responses from the
DATA phase? For instance, maybe 571 could always mean "rejected
because of the spam filter".

If there was a standard for these response codes then maybe clients
like Microsoft Outlook could do something useful with the error
message.

Regards,
Ken

I had a good chuckle after reading your message. It's a great
suggestion BUT... Microsoft products already ignore 5xx responses.
From what I've seen, Outlook and Exchange will indefinitely retry
a message after receiving a 5xx error. Outlook keeps the message in
the user's PersonalFolders/Outbox for subsequent delivery attempts
when you hit Send/Receive. We've seen lots of clients here attempt
to send the same message every minute for weeks when the message
exceeds our message size restrictions.

Have they recently fixed this or released patches for all
older product versions?

Best regards,

matthew black
network services
california state university, long beach
1250 bellflower boulevard
long beach, ca 90840-0101
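Added example, not from the thread: a parser for SMTP replies that reads the RFC 3463 enhanced status code (the standardized "why" Ken asks for, which MTAs can already advertise through the ENHANCEDSTATUSCODES extension) and derives the one action a client should take from it, so a 5xx is never retried the way Matthew describes. The reply lines are constructed samples.

```python
import re

# One reply line: 3-digit code, then a space (final line) or '-' (more lines
# follow), then an optional RFC 3463 enhanced status code, then free text.
REPLY_LINE = re.compile(
    r"^(?P<code>[2-5]\d\d)(?P<sep>[ -])"
    r"(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")

# Subject field of the enhanced code (RFC 3463, X.subject.detail); labels are ours.
SUBJECTS = {"1": "addressing", "2": "mailbox", "3": "mail system",
            "4": "network/routing", "5": "protocol", "6": "content",
            "7": "security/policy"}

def parse_reply(lines):
    """Parse a complete, possibly multi-line SMTP reply into its numeric
    code, enhanced status code (if any), joined text, a human-readable
    reason class and the client action: 'delivered', 'retry later' or 'fail'.
    A 5xx is permanent by definition; retrying it every minute for weeks,
    as Matthew describes, can never succeed."""
    parsed = [REPLY_LINE.match(line) for line in lines]
    if not lines or not all(parsed):
        raise ValueError("malformed SMTP reply")
    code = int(parsed[0]["code"])
    # Every line of a multi-line reply carries the same code; only the last
    # line uses the space separator.
    if any(int(m["code"]) != code for m in parsed) or parsed[-1]["sep"] != " " \
            or any(m["sep"] != "-" for m in parsed[:-1]):
        raise ValueError("inconsistent multi-line reply")
    esc = next((m["esc"] for m in parsed if m["esc"]), None)
    text = " ".join(m["text"] for m in parsed)
    if code < 300:
        action = "delivered"
    elif code < 500:
        action = "retry later"      # 4xx: transient, sender MTA queues and retries
    else:
        action = "fail"             # 5xx: permanent, do not retry
    reason = SUBJECTS.get(esc.split(".")[1]) if esc else None
    return {"code": code, "enhanced": esc, "reason": reason,
            "text": text, "action": action}

# Constructed sample replies (the URL is a placeholder).
SAMPLE_REPLIES = {
    "spam_filter": ["550-5.7.1 Message refused by spam filter",
                    "550 5.7.1 See http://example.invalid/why"],
    "mailbox_full": ["452 4.2.2 Mailbox full, try again later"],
    "too_big": ["552 5.3.4 Message too big"],
    "ok": ["250 2.0.0 Queued"],
}
```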