A Conversation for How to Fight Spam
SPEWS
Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it) Started conversation Mar 4, 2003
You didn't mention S.P.E.W.S. (Spam Prevention / Early Warning System) which is a similar blacklist to those you did mention, in that it works in a similar way, but instead lists entire networks, some of which do not belong to the spammers themselves.
Many people, particularly the spammers concerned, consider this to be unfair. Many of the people affected by a SPEWS listing complain at length, sometimes involving lawyers, about how their legitimate business is being impeded by the SPEWS listing.
What they endlessly fail to realise is:
A) Networks are only listed on SPEWS when the service provider concerned fails, after several warnings, to do anything about their parasitic customers.
B) SPEWS deliberately expands listings to include paying customers, because that is sometimes the only way that internet service providers who have chosen to deal with the spam problem on their network by ignoring it, can be made to take notice.
C) SPEWS is an organisation that deliberately hides away from direct contact with anyone, because there are many people who would like to see it shut down. Foremost amongst these people are the spammers, many of whom have large amounts of money, and are able to pay clever lawyers to intimidate people into action (or rather, lack of action).
D) Enough other network outages exist to make people who rely solely on email being delivered appear completely insane to network professionals.
E) Finally, SPEWS doesn't block mail. It merely indicates that a network protects or even encourages its parasitic customers. Anyone refusing mail as a result of consulting SPEWS does so on the basis that they don't want to deal with network providers who do these things, and indirectly, with their customers.
Disclaimer: Neither the BBC, nor the author of this comment are SPEWS today. The author is not a member of the lumber cartel (tinlc) and has not been member number 819782 since January 18th 2002.
SPEWS
Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it) Posted Mar 13, 2003
The important thing to understand about any blocklist is that the owner of the mail relay/server that uses the blocklist has chosen to do so on the basis that they do not want mail from people listed on that blocklist, and that they trust that blocklist to list people who fit into whatever categories that the blocklist lists.
There are blocklists that block by country. For instance, if you don't want mail from Korea, which personally I don't[1], then there are blocklists out there that list Korean IP addresses. Right now, because of the spam problem, I'm ready to block mail coming from certain providers in The Netherlands, all of Korea, certain provinces in China, and the whole of South America. I still receive mail from Nigeria, mainly because it's so entertaining stringing these 419 scammers along, before handing them off to Winchester police organised crime squad.
Back to my original point. Spammers complain that blocklists violate their right to free speech. Their right to ANYTHING stops at my network boundary. It's my network, my rules. If I require that anyone coming onto my network wear a pair of green wellies, pink tights, and a top hat, then so be it. Nobody has any rights to complain if I reject their traffic for any reason. The likes of SPEWS and the SpamHaus SBL/ROKSO[2] make my life easier.
Anyway, I've gone on way too long...
[1] I don't want mail from Korea, because ALL, repeat ALL, 100%, every last bit, the whole wahoonie, ALL of it is spam. The Korean mindset seems to think that it is an honour to receive spam, consequently I've personally decided ********* to all of 'em. At work, we have customers in Korea, so I do receive Korean mail there (because we can't afford to miss a sale out there). However, 99.98% of it is still spam. I have nothing against people from Korea, or of Korean descent, but the attitude of Korean ISPs bugs me something rotten. PLEASE, please don't take this as a racist remark, it's not meant to be, and I'm sure there are some South Korean folk reading. Please reply and tell me why it is that every single business in Korea seems to think I want mail full of pretty pictures which say []!! ! @[]!!.kr as I can't understand a word of it (mainly because it uses a character set I don't have, and wouldn't understand if I did).
[2] ROKSO, mysteriously always misspelt ROSKO by spammers, is the SpamHaus Register Of Known Spam Operators. You'll be amazed just how few spammers there are out there, responsible for 98% of the spam that we all get.
SPEWS
U195408 Posted Mar 14, 2003
as an end user, is there any way for me to block countries the way you've done as a sysadmin? I can block specific IP addresses with a filter program on Eudora, but I'm guessing I need a more advanced program to block ranges. Also, I'm assuming that the IANA has lists of which countries/regions have which IP addresses - is it easy to get this from their website?
thanks in advance,
dave
SPEWS
Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it) Posted Mar 14, 2003
Trouble is, most end users receive mail via POP3.
To do any effective filtering with POP3, assuming that your ISP's POP3 server doesn't have the Demon SDPS extensions (which just lets you get the SMTP MAIL FROM: and RCPT TO: data), you have to download headers. The only way to download headers only on a mail is via the POP3 'TOP' command, which is what some anti-spam products use to scan for Received: headers, and check the IP addresses in them for blacklisted IPs.
This is all very well, but the number of headers is variable, and mail may have travelled through several systems before it got to you, some of which will be legitimate relays, and others will be compromised or open relays. This makes it difficult to optimise the 'TOP' operation, because you end up downloading very large amounts just to make sure you get all the headers, so you might as well download the whole lot and filter on content.
The other major drawback of receiving mail via POP3 is that you can't bounce. That's can't as in SHOULD NOT. Obviously you can bounce the message if your filter system decides it doesn't want it, but by doing so, you rely on the Return-Path: or From: headers being legitimate, which in the case of spam, they rarely are. Bouncing to untrustworthy headers is akin to spamming yourself. As an MX, receiving mail with SMTP, you are talking directly to the spammer, or the spammer's ISP, or the compromised server that the spammer is using, so you can choose to accept/deny/teergrube/whatever before you even receive the message.
Regarding country based blacklists, you could try blackholes.us, which has blacklists for the countries of Argentina, Brazil, China, China+Korea, Hong Kong, Japan, Korea, Malaysia, Nigeria, Russia, Singapore, Taiwan, and Thailand, all of which are downloadable. However, I can't recommend that you do or don't block any particular country with any particular blacklist. For all I know, you may have contacts in, say, Japan.
Country based probably only catches a small (but significant) amount of spam. Most spam is mailed through compromised servers (open proxies mainly, and open relays) which could be anywhere. You may even be operating one yourself. (If you don't have a proper firewall, then the odds are good that you've been probed by several people). Spammers are thieves, and don't care who they rip off to get their crud out.
More diatribe follows (I seem to be unable to resist posting long rambling rubbish, perhaps I should give up and become a spammer, eh?)
For the uninitiated, an open relay is a machine which allows anyone to connect to it, and dump mail on it that is destined for a user not on the network to which the relay belongs. It then passes the mail on for you. This used to be a good idea in the early internet, because mail was handled cooperatively, and you couldn't rely on a connection to the eventual destination being available, so you just dump the mail onto someone nearer the destination than you are.
An open proxy on the other hand is a newer security hole. Internet connection sharing software, when improperly configured (or just downright buggy software) allows spammers to use another machine to talk to the destination server. Corporate HTML proxies are a favourite, as many improperly protected or configured proxies allow a spammer to connect to the proxy port, usually 1080 or 8080 or similar port numbers, and issue CONNECT messages thus:
(Don't click on the link, it A) won't work, and B) has been deliberately damaged ( ; instead of : ) to prevent problems in case it actually does resolve to something)
CONNECT http://target.mail.server;25 HTTP/1.1
200 Hello, badly.configured.proxy.com this is target.mail.server
HELO [email protected]
MAIL FROM:
RCPT TO:
DATA
Received: from forged.address.somewhere.net [1.2.3.4] by bogus.address for [email protected]
Subject: Buy our useless diet herbal hair-loss extension teenage zzv19381
Visit www.stupid.spammer.net for all your
blah blah blah
.
The poor target mail server (in this case target.mail.server) thinks it is receiving mail from badly.configured.proxy.com and will create a received: line to this extent.
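The two points made above, that a filter has to walk every Received: header to find the IP addresses in it, and that the only Received: line you can actually trust is the one your own mail server wrote when it recorded the connecting host (the lower ones, like the forged line in the CONNECT transcript, are whatever the sender chose to put there), can be shown in a small header scanner. This is an added example, not code from the thread's author or from any of the blocklists mentioned. The message headers and the blocklist ranges are constructed for the example and use documentation address space; a real deployment would load its ranges from whichever country or network list the operator has chosen.

```python
"""Scan Received: headers against a CIDR blocklist (added example).

Assumptions: the sample headers and the blocklist below are constructed
for this example; the addresses are from RFC 5737 documentation ranges.
"""
import email
import ipaddress
import re

# Constructed sample: the top Received: line is the one our own MX added
# when it accepted the connection; the line below it was supplied by the
# sender and may be forged (compare the CONNECT transcript above).
SAMPLE_HEADERS = """\
Received: from badly.configured.proxy.example ([203.0.113.45])
    by mx.example.net with SMTP id abc123
    for <dave@example.net>; Fri, 14 Mar 2003 10:00:00 +0000
Received: from forged.address.somewhere.example [198.51.100.7]
    by bogus.address for <dave@example.net>
From: someone@example.org
Subject: Buy our useless diet herbal hair-loss extension
"""

# Constructed sample where our MX saw a clean host but a lower,
# sender-supplied hop claims to come from a listed network.
CLEAN_TOP_HOP_HEADERS = """\
Received: from mail.partner.example ([192.0.2.10])
    by mx.example.net with SMTP id def456
    for <dave@example.net>; Fri, 14 Mar 2003 11:00:00 +0000
Received: from somewhere.else.example [198.51.100.7]
    by mail.partner.example for <dave@example.net>
Subject: Quarterly figures
"""

# Constructed blocklist: CIDR range -> label. A country list or a
# network list such as the ones discussed above would have the same shape.
BLOCKLIST = {
    "203.0.113.0/24": "country-X (constructed)",
    "198.51.100.0/24": "open-relay-net (constructed)",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw_headers):
    """Return the IPv4 addresses found in Received: headers, newest hop first.

    Folded continuation lines are handled by the email parser; anything
    that merely looks like a dotted quad but is not a valid address is skipped.
    """
    msg = email.message_from_string(raw_headers)
    found = []
    for header in msg.get_all("Received", []):
        for candidate in IP_RE.findall(header):
            try:
                found.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue
    return found


def blocklist_label(ip, blocklist=BLOCKLIST):
    """Return the label of the first listed range containing ip, or None."""
    address = ipaddress.ip_address(ip)
    for cidr, label in blocklist.items():
        if address in ipaddress.ip_network(cidr):
            return label
    return None


def scan_hops(raw_headers, blocklist=BLOCKLIST):
    """Annotate each hop with its listing; only hop 0 (our MX's line) is trusted."""
    hops = []
    for index, ip in enumerate(received_ips(raw_headers)):
        hops.append({"ip": ip, "label": blocklist_label(ip, blocklist),
                     "trusted": index == 0})
    return hops


def verdict(raw_headers, blocklist=BLOCKLIST):
    """'reject' if the host our MX actually talked to is listed, 'flag' if only
    a sender-supplied hop is listed (it may be forged), else 'accept'."""
    hops = scan_hops(raw_headers, blocklist)
    if not hops:
        return "accept"
    if hops[0]["label"]:
        return "reject"
    if any(hop["label"] for hop in hops[1:]):
        return "flag"
    return "accept"


if __name__ == "__main__":
    for sample in (SAMPLE_HEADERS, CLEAN_TOP_HOP_HEADERS):
        for hop in scan_hops(sample):
            print(hop)
        print("verdict:", verdict(sample))
```

The distinction between "reject" and "flag" is the practical point: a listing on the hop your own server recorded is evidence about the machine that actually connected to you, whereas a listing on a lower hop is only as good as the header the sender chose to write, so at most it should raise a score rather than refuse the message outright.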
SPEWS
U195408 Posted Mar 14, 2003
well, I'm not behind a firewall. So how do I prevent my regular old computer from being used by spammers?
SPEWS
Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it) Posted Mar 14, 2003
It depends on the software you're running.
You should at least keep your system up to date with all of the latest security patches. The golden rule is not to run any services unless you know you can run them securely. File and print sharing is one obvious way in, as is Universal Plug & Play if you are running any version of WinXP. Various software packages have weaknesses; Internet Explorer and Outlook Express are two of the most insecure applications, solely due to the number of exploits written to abuse them. At the very least you should have a regularly updated virus killer, and not have any form of file or print sharing of any kind installed on your internet connected machine.
Mail servers, and proxy servers tend to be deliberately installed, however 'Internet Connection Sharing', if installed (which it probably is by default in WinXP) is a potential loophole, although I can't think of any specific attacks off the top of my head, as we don't install it (or uninstall it) on work XP boxes.
So I think your best bet is A) Proper virus protection, and B) Some sort of firewall software. Few of the products out there are real firewalls, but they come close enough. I'm not a fan of the package whose name begins with Z, because it seems to be a toy product, the aim of which is to panic you into buying the 'professional' version. It's also extremely hard to get rid of. That's just my opinion; your mileage may vary.
SPEWS
U195408 Posted Mar 14, 2003
hmmm. Well, I have to use file & print sharing. I do run virus checks, and I haven't really gotten infected. I can't set up a firewall, at least I don't think I can. It gives me something to work on, think about though. Thanks,
dave