Wednesday, November 29, 2006


Spamming a compulsive disorder? Pump and dump.

Well over half the junk that gets past my IP address blocking these days is pushing penny stocks. The spammer or his client buys some shares of a thinly traded stock. He pushes it with messages that try to look like investment newsletters. He waits for some fools to buy it, and bump up the share price, and hopes he can spot the peak and sell there. It's called pump and dump and it's felony securities fraud. Perps go to prison for it, if they keep doing it long enough. Press releases from email firms like Sophos suggest pump and dump is about half the total spam volume now.

The strange thing is you can look up the charts on the stocks these guys pick, and they don't go up. Sometimes the spam runs seem to make them go down. Not only that, but some of the pumping on a single stock lasts for weeks, way too long for this trick to work. If this goose ever laid a golden egg, the spammers have long since beaten her to death. Recently they've been encoding their messages in images, to make it more expensive to filter. The images are full of artifacts to defeat optical character recognition: pop-art background images, ink spatter, random lines and curves, that you'd never see in a real stock newsletter. It's hard to imagine anyone would actually buy a stock promoted that way, even the dumbest would-be scammer.

How can we explain this behavior? First, understand that most spam is sent by highly organized gangs, doing very large spam runs for paying clients. The client pays up front, so the spammer gets paid even if the spam run loses money. But what is going on in the head of a pump-and-dumper? He's paying the spam gang, hundreds or thousands of dollars per run, on a gamble with very poor odds and a serious downside risk (prison time), and he keeps doing it, in the irrational expectation that the next time he'll hit the jackpot. That's compulsive gambling. It's a recognized mental disorder. It's in the American psychiatric catalog.

There's another aspect to it, that you'll discover if you contact spammers and try to talk to them about what they're doing, or if you read their rants in online forums like Every spammer I have spoken to or otherwise heard from in ten years of doing this has had some level of denial about the nature and morality of what they are doing. Every spammer, from the sociopath Sanford Wallace to the bullet-proof porn spammer hosting guy on to the anonymous Maoist spamming his/her manifesto. They think their message is different. They think they're only doing insignificant damage to infinitely wealthy corporations. They think the people trying to stop them are a conspiracy to stifle their "free speech" or unfairly compete with their business. Some think God told them to do it.

That's exactly the delusion that comes with compulsive stealing, kleptomania. What I'm doing isn't really hurting anyone, and the store detectives and the police are just out to get me. It's in the catalog, too.

I believe the leaders of the gangs you can hire to do spam runs are in it for the money. But the people paying them for most of the spam runs have some mental disorder. There's nothing rational about it. And the spammers-for-hire know it and exploit the illness.

Wednesday, November 22, 2006


Technorati link

Technorati Profile


The new whack a mole

Back in the good old days, spammers used stolen credit cards to buy dial-up service from retailers like Earthlink. They'd "bulk" for a day or two and Earthlink would kill the account, and Earthlink or Visa would take the loss. Even though Earthlink had full time staff identifying and killing the accounts, the volume of spam kept growing, because there was no way they could react fast enough. Reaction doesn't work. We called this game of disposable dial-up accounts "whack a mole."

This problem wasn't really solved. Major ISPs just blocked incoming email from the known dial-up network address ranges, and the delivery rates got so bad the spammers moved on to other illegal methods. Eventually the dial-up providers blocked the route from their customers to other people's email servers, but they were locking the door to an empty barn.

These days most spam comes from gangs of compromised computers organized into "bot-nets." Most of them are in consumers' homes, infected with malicious software (malware) that only afflicts Microsoft's operating system, and connected to cheap "broadband" (ADSL or cable TV) and left on all the time.

But a significant fraction of these spamming stations are low cost Web servers installed by the thousands in data centers like Everyone's Internet (EV1) and Schlund. You don't even have to corrupt their operating systems. They're running years-old copies of PHP-Nuke and Joomla and phpBB and Squirrel Mail. Web applications any fool can install by clicking a button on the retailer's "control panel." Unfortunately, the "control panel" doesn't have a button for "bring my PHP-Nuke up to the current version." And the guy who's renting time on one of these boxes has no idea how to install a security patch, and doesn't have the necessary access, and even if he did, the "control panel's" version of the application is just different enough from the original that you can't be sure a security patch for the original won't break it.

Over time, exploits become widely known for the old versions of these well known application programs. Simple programs that know how to install a spam sending form through a security hole that was fixed in a later version of the program. High school kids trade them like baseball cards.

Over time, a huge data center like Everyone's Internet is running tens or hundreds of thousands of instances of these exploitable Web applications. But they're renting those low-cost servers to "virtual" Internet service providers or "resellers." Sometimes there are layers of resellers and virtual ISPs. The data center, who owns the IP addresses, doesn't know who the actual customers are. They don't know what domains the actual customers have. And they don't want to know. It's that negligence that's bringing you most of those phish spams.

So what happens is people like me get the phish spams and report them to the designated owners of the network addresses, because it is usually really hard for us to find the virtual ISP. Everyone's Internet or Schlund forwards our complaints to the virtual ISPs, and they may or may not get passed down to someone who administers the exploited application or account. Then people like me block the spam source in our email servers, or rely on public list operators like to do it. Eventually the end user starts to notice there are places that won't take legitimate email from the same address. This sometimes leads to the compromised machine getting fixed or shut off and reloaded and rented to some other virtual ISP. Sometimes both paths break down, due to widespread apathy, negligence, and irresponsibility, and the compromised machine sends spam for years, until so many spammers are using it that its drive fills up and it crashes.

But most of the time the compromised system gets fixed within a few days or weeks. Now consider a place like Everyone's Internet with ten thousand servers hosting a million "web sites." If half of them are exploitable and 1% are spamming at any time, there are five thousand spam sources in their data center at any time. Just not the same ones from one day to the next. Spammers have gotten really good at spreading the sources around. This means Everyone's Internet, Schlund, Advanced Internet Technology, and a dozen more are huge, permanent sources of the worst kind of spam. They're undercounted in the statistics from Spamcop and Spamhaus and Brightmail because no IP address accounts for much. You can't say look, Leo Kuvayev is hosted at EV1 and they won't kill him, and give the IP address a Spamhaus advisory. And EV1 can brag about how they kill spamming accounts within a day or two of hearing about them.

It's the new whack a mole, but without the hassle of stealing credit cards.

What's wrong with this picture? Well, somehow, there are large hosting centers that don't have the problem. There must be a well known solution, and there is. Proactivity. You don't wait for volunteers to report spam from your IP addreses. You seed the Internet with a few hundred innocent-looking "spam trap" email addresses, and you automatically scan the resulting torrent of junk for spam from your own network. Even better, you search the Internet for domains hosted on your network, and search those domains for known exploitable applications, and get them fixed or removed BEFORE they start spamming. It's not rocket science. It's probably cheaper than waiting for spam reports and following through on them. But I'll bet it's not cheaper than just ignoring the problem and becoming a cesspool. At least in the short and medium term. Why isn't this happening? There's no real pressure on the big ISPs to force their customers to do work they don't want to do.

Sunday, November 19, 2006


One more way spammers damage the email system: SMTP Callbacks

A group I work with was refusing lots of legitimate email, and didn't know it. It turned out they are using a spam defense measure called "Sender Address Verification" or "SMTP callbacks," but their DNS wasn't set up quite right.

When your Internet service provider (ISP) tries to send a legitimate email to theirs, theirs puts that conversation on hold while it tries to verify that your sending address is valid. They do that by starting to send an email message to it. When your ISP's email server says okay, I'll accept that, they break off their transmission, and allow your incoming email to continue. That test message they almost sent is called a probe message or SMTP callback.

But if your ISP's spam defense interprets their probe message as possible spam, for any reason, and refuses or defers it, they won't get your legitimate message.

SMTP Callback is a controversial technique because it generates spurious email traffic. If it catches on, ISPs are going to have to invest in more equipment to handle that extra traffic, and email service will cost more.

We use a very common spam defense technique. We defer messages that come from Internet Protocol (IP) Addresses (IPAs) that have not been given a name. We defer messages that come from IPAs whose names are not defined. That's called "reverse DNS verification." It's cheap, fast, not abusive, and very effective. It works because places that are expected to send legitimate email are given valid names in the global Domain Name Service.

Unfortunately, our friends in Sacramento were sending probes from an IPA whose name was something like If you looked up that name, it was not defined. It says unknown right in its name! So of course we were deferring their probe, and their callback test was failing, and they were refusing our email. They would refuse email from anybody who uses the Postfix feature reject_unknown_client.

Before the spam crisis, none of this was necessary. Spammers are making email more expensive and less reliable, in unexpected ways.

Wednesday, November 15, 2006


Wanadoo don' wanna do nuffin

Spam comes from every nation where there's Internet access. That's because every nation with phone service has criminally negligient Internet service providers (ISPs). Most spam comes from big ISPs whose main business is phone or cable TV service.

One of the biggest spam sources is France Telecom, also known as Wanadoo. Or Wanna-doodoo. The servers I run have been blocking email from Wanadoo's customers' bot-infested MSFT PCs for years.

Eventually we got so much phish spam through Wanadoo's outbound relays (the servers ISPs provide for their customers to send email through) that I blocked those too. Unlike most spammers, phishers make no pretense of being "legitimate businessmen." They prefer to send through servers that normally send legitimate email, because they get better delivery rates than consumer-owned bot-boxes get. They buy web-hosting accounts with stolen credit cards, or they just break in.

Didn't get away with that for long. With thousands of users (email aliases and Mailman lists) we quickly hear about the collateral damage. I had to let the mail from Wanadoo's outbound relays through, phishes and all.

But I'm not the only email admin fed up with Wannadoodoo. That particular outbound relay,, is listed in the public block lists NOMOREFUNN, SORBS-SPAM, SPAMCANNIBAL, and TQM-SPAMTRAP. And those are just the DNSBLs they check at Those four are lists of IP addresses that have sent spam to the owners' traps. That policy is too aggressive for typical ISPs' customers, as you can see from our experience, but schools and corporate campuses may use them. Wanadoo users are going to have problems sending email to a lot of places. Paul Vixie calls this kind of shunning an intentional outage and it's getting to be standard defensive practice. If you depend on email to do real work, choose your ISP carefully. A consumer-oriented ISP like Verizon or Comcast or Yahoo or Wanadoo is going to give you problems.

Sunday, November 12, 2006


Orwell warned us

George Orwell and Noam Chomsky have warned us about a thought control device that's so obvious we don't notice it. The bad guys take a word that's useful for discussing some social problem that they don't want us discussing, and they start using it to mean something else. After a while, the original meaning can't compete with the new non-meaning.

The right wing publicity complex (I call it hate radio), along with misguided civil libertarians like Hugh Hefner, attached a new meaning to feminism, nearly opposite to what feminists mean by the term. The resource extraction industries have so diluted recycle that it hardly means anything today. Hate radio is destroying the specific term Fascism these days. Grassroots resistance to occupation in majority Muslim nations is a lot of things, but it's not Fascist nor even fascist. I'm sure you can think of a dozen more words under attack.

The advertising industry has been worrying for a long time about the decline of print media, especially postal mail. They're being told electronic mail is replacing paper, and they're the lobby that's shot down any sensible spam bills in the US Congress. They want to be allowed to send "legitimate" spam. If they can't have that, they'll settle for destroying the public email system to prevent it from obsoleting postal mail.

The advertising industry is exactly what George Orwell warned us it would be, a propaganda system so sophisticated it accomplishes thought control to a degree Hitler and Stalin and Mao could have only wished for. These days, they're encouraging misuse of the word spam, to make it more difficult for us to intelligently discuss the problem of unsolicited broadcast email. Watch for it. The next time you see someone referring to an off-topic message in a mailing list as spam, notice it. That's the bad guys, succeeding.

Wednesday, November 08, 2006


the real enemy

" This is a war between the open late-20th century technology of
the Internet, and the closed early-20th century technology of the
telephone/telegraph networks. The telcos want the Internet as we
know it to die, and they've made great progress toward that goal
simply by shutting down the enforcement that the NSF used to do.

Internet protocols, including SMTP, were designed to be reliable
*if* abusive hosts are promptly disconnected by service providers,
and if abusive service providers are promptly disconnected by
backbone operators. Now, unfortunately, the backbone itself is
operated by abusive entities: a few large companies which never
wanted the open Internet to exist.

In a week or month timeframe, spammers are the enemy. In a
year-to-year timeframe, spammers are just a weapon being wielded
by the real enemy."
- anonymous poster in

Tuesday, November 07, 2006


what does really bad targetting tell us?

The spam to my main RFC2142 role address is getting as varied as the rest of the junk. So it seems it's just another stoopid dictionary attack type address.

How dumb is that? They're spamming the address at this domain that's most likely to generate a correctly targetted and adequately detailed spam report. And least likely to fall for a phish or buy fake pills. The address is most likely to exist (and work) at well run domains and unlikely to exist at amateur domains. Anybody smart enough to put together a bot-net can remove all of the role addresses from any list with about five seconds' work. Obviously they just can't be bothered.

Meanwhile, a test address I named after my old cat and stopped using eleven years ago is still getting spam.

What's it mean?
  1. The major spammers are not concerned about complaints. They're sending through disposable trojan-infected PCs, and there's an unlimited supply of those. They're hosted on corrupt and incompetent networks connected to the world by giant backbone carriers like AT&T and Sprint and Level3 and the spammers are quite sure those giants can't be bothered to enforce their harmful traffic language.
  2. The people paying the major spammers either don't know how bad the lists they're using are, or they don't care either. I suspect it's some of each. Some spam runs are commissioned by clueless boobs who think they're gonna get rich selling sugar pills out of a multilevel marketing "company." They don't know. Other spam runs are by the spam gangs themselves. They don't care.

Friday, November 03, 2006


harrassment spams, coincidence?

Today the postmaster address at my best known domain received more spam than it usually gets in a few months.

Postmaster is a special address. Any domain that gets mail is supposed to have it. Current best practice is you don't spam-filter it, so it can receive complaints and they won't get filtered or blocked.

And if there is any address at a domain that is likely to generate spam complaints, it's postmaster. Spammers are generally smart enough to avoid postmaster addresses. More domains have postmaster than the other special addresses, hostmaster (for name service issues) and abuse.

Could be a random fluke. Could be some spammer with not enough work to do doesn't like people starting blogs about how spamming hurts people. At any rate, the result was I discovered a few more spam sources to block.

By the way, there's a special domain name, too. was reserved when the name service was invented. You can use it when you need an example email address, perhaps when you're writing the on-line help for an email program. You can also use it when somebody demands your email address but you don't want to give them a real one. Like those 555 phone numbers in the movies. Even doesn't go anywhere.

Thursday, November 02, 2006


Australia gets it right

There are certain canards or myths we see in the US media when they do an (all too infrequent) spam story. One of them is that spammers are beyond the law, or laws can never be effective, or some such nonsense.

Spamming is illegal in the European Union and Australia. When Australia began its criminal proceedings against big-time spammer Wayne Mansfield, he stopped spamming. Mansfield was convicted last month, and he and his company have been fined about US$four million. Alan Ralsky was regarded as the biggest spammer in the world. He stopped spamming, as far as I know, when the FBI raided his basement network operations center last year. (Mansfield might keep spamming. I believe spamming manifests a mental disorder of some kind, like kleptomania, and career spammers may be unable to stop. But it will be a lot harder for him now.)

Law enforcement can stop spam. It can do it without infringing anybody's rights. Spammers commit a variety of crimes under existing law. Using someone's computer without their permission is a crime in every civilized nation. Almost all spam involves fraud of some kind. All it takes is the political will to do it.

Wednesday, November 01, 2006


Using "Report spam" to censor

My computers host a bunch of mailing lists on political topics. I use Mailman to manage the mailing lists, and it uses Postfix to send and receive. Postfix keeps a queue of messages it hasn't been able to send yet, and sometimes I have to figure out why they're stuck.

This morning I noticed America Online was deferring messages from an internal list for discussing press releases before they go out. Postfix shows the whole message to AOL, and AOL thinks for a second and says "try sending that one later." The actual deferral suggests AOL thinks the message might be spam, but meanwhile AOL is accepting other messages from us. I've seen that a lot this year. One of my users has a list about his antiwar activity and it gets deferred by AOL and Yahoo Mail quite a lot. And other folks who run similar lists tell me they're seeing the same thing.

Here's what seems to be going on. These messages contain keywords, especially URLs, that our political adversaries would prefer we be unable to discuss in email. The one that's stuck right now is about the movement resisting the stolen election and other government outrages in Oaxaca. My user group wants to express solidarity with the people there and they're drafting a press release.

Opposition to that kind of activism is well funded and relentless, and unethical. They get on lists that discuss similar things, and hit that "this is spam" button on AOL's email program. When this happens enough times, AOL's enormous content filter starts to think phrases like "solidarity" and "grassroots democracy" and the URLs of the sites that cover this stuff (indymedia, commondreams, even dailykos and moveon...) are "spam sign." Things seen in spam.

It doesn't help things any when well meaning idiots forward these messages to their whole address book, thinking their "action alert" is so "important" that the rules about unsolicited broadcasts don't apply. "Well, they should be interested," they rationalize. "Forward this to all your friends!" No, don't. That's a topic for another post.

This has been going on for a long time. You'll have a hell of a time discussing women's health issues (breast cancer, yeast infections, contraception, access to abortions...) on those big consumer services without setting off their filters. There are people who don't want those issues discussed. They'd prefer the information not be available. They've learned it's not hard to fool filters that were designed to detect erotica.

What seems to be different now is the "spam sign" threshholds are getting lower. If you want to kill an email forum, you don't have to barge in and flood it with invective any more. You can fool AOL (and Yahoo Mail and Hotmail) into killing it for you.

That's censorship by spam filter. And it's been made possible by the onslaught of spam. People are so desperate to keep their mailboxes usable that they are now willing to accept some false positives in spam filtering. At least on the consumer oriented services where it doesn't hurt your business to lose a legitimate message now and then. The spammers are softening us up, preparing us to give up the public email system for a controlled one.


Spammers versus free speech

Spammers are destroying the public email system. I'm going to use that phrase here. Almost all of the servers, routers, optical fibers, and other equipment that carry email are private property. But the cultural system that says you can send email to your friends and strangers in the reasonable expectation that they will welcome it, and be willing to pay the cost of receiving it, is in the public domain. And so are the languages, or protocols, that computers speak to each other to move email across the network.

There's been too much focus on spam as a property rights issue. It's true: unsolicited broadcast email is theft of service, trespass to chattel, and illegal conversion of assets. Spammers use our equipment without our permission.

That's your PC. Nobody gave Leo Kuvayev permission to put his counterfeit mail order pills advertisement on your screen. It's like he'd barged into your yard and nailed a sign on your tree. That's trespassing. A big chunk of the cost of your Internet service goes into trying to block and filter the spam addressed to you. Spammers are stealing that money and throwing it in a bonfire. The total profits from spamming are less than 0.1% of spamming's cost to the economy. It's like blowing up a liquor store to steal a can of beer.

But spam is also a human rights issue. Spammers compel other people to do work, for no compensation. They steal our time and life energy. Where I come from, that's called SLAVERY. And it's a civil rights issue. The public email system is a venue of free speech. Spammers have made using email so difficult that people are actually giving up on it. When you drown out a speaker, or bulldoze his theater, or spray feces on the people waiting in line for tickets to his talk so they give up and go home, that's CENSORSHIP.

That's what this weblog is going to be about. Civil and human rights issues around spamming. The email system can be technical, but you won't have to be technical to understand anything here.

This page is powered by Blogger. Isn't yours?