Monday, December 18, 2006

 

what's wrong with filtering?

Here's the most common reaction I get from my friends to my concerns about the spam crisis.



You may not have seen it, but you still PAID FOR IT. Every message your ISP received for filtering cost network bandwidth. Bandwidth costs money. Every message your ISP stored because there's too much volume to filter in real time cost storage space. Disk drives may be really cheap but managing them and backing them up and powering them and cooling them isn't. Filtering one 50 KB message for spam and attachment viruses takes several tenths of a second on a 2GHz CPU that burns 80 watts. That's as much energy as sending you a typical web page, and it happens many times more often. With billions of spam messages per day, spam is consuming significant amounts of fossil fuel. One ISP told me spam filtering consumes more electricity than everything else in his data center. Now that spam is 97% of email, and the average spam message size is over 10KB, the cost of receiving and storing and filtering all that junk that you "never see" is the biggest component of the cost of your Internet service. You don't see it in your inbox, you see it on your monthly bill and you'll see it in anthropogenic climate change.

But there's a bigger problem that filtering doesn't solve. The volume of spam has been doubling in less than a year. It could double ten more times. There are enough vulnerable Microsoft PCs for spammers to take over. Spam would be more than 99.9% of email. But you could not stand to pay two hundred times as much for Internet service. Filtering will hide the problem from consumers until most of the Internet email system has already collapsed. It will prevent us from doing anything effective to stop spam and save email.

That's the real harm filtering does. Hiding the problem prevents you from fixing it.

Wednesday, December 13, 2006

 

dirty bird award to Yahoo Inc

You already knew Yahoo Mail is the Nigerian advance fee fraud gang's favorite drop-box provider. Just look at where those thousands of widows of the late dictator want you to send your bank information. criminal@yahoo.com. They're easy to create, and, to put it politely, Yahoo isn't very good at discovering them and taking them down.

Most of the spam I've got in the last couple of years has been for pills and scams. The porn spammers have been avoiding me. They're smart enough to know that I file accurate complaints to the right places, and they just don't need the grief. Unlike the pills and other scams, porn is a legitimate business, and they know the value of a suppression list.

But for the last week or so, I've started getting porn spam again, and it's all been from one "company," the Webfinity/Python Video/Dynamic Pipe/Global Media spam gang. The reason I'm seeing it is they're sending it to my postmaster address. That address isn't as heavily guarded as the others, because it needs to accept spam reports from blocked addresses with filter-triggering content. (That's complying with the letter and spirit of IETF RFC2142.)

This gang has a special modus oparandi. They break into people's servers to send their junk. They get better delivery rates that way, compared to sending from bot-nets in consumer broadband country. But lots of spam criminals are doing that these days. Python's trick is they use compromised consumer Microsoft PCs (on cable TV or DSL) to host a special layer of servers.

Most spammers just use "bullet-proof" web hosting in China or Romania or Russia (or on Yahoo Small Business). These Python Video guys ultimately send you to their bullet-proof Web site. It's hosted, right now, on an entity called Rackco.com which is connected to the Internet through oblivious Internet company Teleglobe. I suspect Rackco is just another name for Python Video. It's a pretty common ploy. The spammer pretends to be a hosting company who is struggling with a series of badly behaved (spamming) customers. They could stall Teleglobe that way for years.

But the URL in the Python spam is always hosted on five compromised broadband Microsoft PCs. If you're stupid enough to click on the link in your graphical email program, you get sent to one, chosen at random. This morning, four of them are on Proxad in France, and one is in South Korea. Yesterday it was Comcast and SBC/AT&T. They move around quickly. They support that by using special name service, with a "short time-to-live", and that name service is also hosted on consumer broadband Microsoft PCs. Spamhaus.org calls that technique "fast flux." This morning all four name servers are on Proxad. In the last week, these special "servers" have been hopping around on Time Warner Road Runner, Cox, Optimum Online (Cablevision), Aliant, Bell Canada, Comcast, Eastlink, Cablegalicia (Spain), Cable Bahamas, and Le Groupe Videotron.

The special web servers send a 404 HTTP response, "page not found", but the 404 page comes with a refresh directive that sends you to another page on the same "server", with links to Python's bestiality porn sites in Russia. I guess the 404 is to throw the search engines off or something.

It doesn't do a lot of good to report the compromised Microsoft PCs to the cable companies. They don't care, and even if they were to do something, Python would just rotate in the next set, from an endless supply. Python is in Canada. Canada will bust you for selling High Times magazine, but they don't give a damn about Python's ongoing computer crime and exposing minors to bestiality porn. That's business. The porn hosting companies in Russia are part of the gang, untouchable.

The one place where Python's operation touches ground is at its domain name registrations. They churn through dozens or hundreds of domain name registrations per day, at ten bucks a pop. They have to use new names every day to stay ahead of the "seen in spam" block listing. Guess who they use. YAHOO DOMAINS, every time. Think Yahoo Inc doesn't know?

UPDATE Feb. 26 '07 : For the last couple of weeks, the Python gang has been registering its throwaway porn domains with Tucows and Register.com. But the "remove" domains are still on Yahoo.

This page is powered by Blogger. Isn't yours?