<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-36964426</id><updated>2012-01-25T08:08:44.676-08:00</updated><category term='Microsoft'/><category term='Idiots'/><category term='Hotmail'/><title type='text'>Spammers vs Free Speech</title><subtitle type='html'>Social and political aspects of the junk email (email spam) crisis</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>39</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-36964426.post-656882694468856238</id><published>2011-02-03T19:11:00.000-08:00</published><updated>2011-02-03T19:23:24.693-08:00</updated><title type='text'>lunarpages.com thinks a phishing report is a "virus"</title><content type='html'>I've been receiving phish spam from a Lunarpages VPS ("lunariffic.com") this year.&amp;nbsp; When I send a sample, included inline in a plain text 
email, their inbound email machine (sharpmail.lunarpages.com, 64.50.162.254) waits until the end of the DATA phase of the SMTP conversation.&amp;nbsp; Then it says:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:courier new;"&gt;554 rejected due to virus&lt;/span&gt;&lt;/blockquote&gt;which means it's refusing the message.&amp;nbsp; I opened a ticket in their abuse system.&amp;nbsp; The technician insisted that since the message says "virus" there must actually be a computer virus in the message.&amp;nbsp; I pointed out that the message was in plain text and contained nothing like any kind of malware, and he simply repeated the response.&amp;nbsp; The spamming continued.&amp;nbsp; I called tech support and they insisted that since I am not a customer they are not allowed to talk to me about it.&amp;nbsp; But he suggested I try sending from another provider.&amp;nbsp; I have not been able to identify any human being at Lunarpages who is allowed to talk to an email admin outside his own company.&amp;nbsp; Somehow, I suspect if postmaster@yahoo.com calls, they'll talk to him.&amp;nbsp; But maybe their lawyers have to arrange an appointment first.&lt;br /&gt;&lt;br /&gt;I tried sending the spam report from my account at freeshell.org.&amp;nbsp; Same result.&lt;br /&gt;&lt;br /&gt;This dysfunction, folks, is why the email medium is dying.&lt;br /&gt;&lt;br /&gt;Incidentally, the RFC 2142 addresses abuse@lunarpages.com and abuse@lunariffic.com are listed as not working, with evidence, at RFC-Ignorant.org.&amp;nbsp; No surprise there, since they don't work.&amp;nbsp; The abuse.net clearinghouse suggests you try hostmaster there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-656882694468856238?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml'
href='http://spam-vs-freedom.blogspot.com/feeds/656882694468856238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=656882694468856238' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/656882694468856238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/656882694468856238'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2011/02/lunarpagescom-thinks-phishing-report-is.html' title='lunarpages.com thinks a phishing report is a &quot;virus&quot;'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-3599229835520129401</id><published>2009-10-31T11:36:00.000-07:00</published><updated>2009-10-31T11:47:35.521-07:00</updated><title type='text'>What's with Hinet.net?</title><content type='html'>"Why is my ISP blocking Hinet.net senders?" someone asked on my contact form.  I replied:&lt;br /&gt;&lt;br /&gt;Hello [name], thanks for filling out the form.  Your email address is on the sbcglobal.net domain.  Most of those are outsourced by AT&amp;amp;T to Yahoo Inc.  The rest are managed by AT&amp;amp;T internally.&lt;br /&gt;&lt;br /&gt;I am fairly sure Yahoo and AT&amp;amp;T do not use my lists.  Therefore, I have no control over whether you can receive email from Hinet.net senders.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.spamhaus.org/sbl/listings.lasso?isp=hinet.net"&gt;Hinet.net domain&lt;/a&gt; belongs to Chunghwa Telecom Co., Ltd.  
According to Spamhaus.org (very authoritative), Chunghwa a/k/a Hinet is the #4 spammer service company in the world.  Like most Asian phone companies, they take nationalistic pride in ignoring complaints from the West.  (Mainland China and South Korea are equally imperious, and Viet Nam is even worse.)   So lots of email systems in the West are blocking Hinet.  It is not to make a political statement.   We know Hinet does not care, and does not take protesters seriously.  It is a simple &lt;span style="font-style: italic;"&gt;mechanical defense&lt;/span&gt; against the ongoing &lt;span style="font-style: italic;"&gt;spam attack&lt;/span&gt; by Hinet's spammers.&lt;br /&gt;&lt;br /&gt;So you can tell your friends in Taiwan this:&lt;br /&gt;Hinet is what we call a "rogue network."  Hinet seems to believe the rules of the Internet do not apply to Hinet.  As long as Hinet is on the &lt;a href="http://www.spamhaus.org/statistics/networks.lasso"&gt;Spamhaus top ten list&lt;/a&gt;, lots of networks all over the world are going to block email from there.  Hinet needs to change the way it does business.  That is not going to happen fast, so your friends need to use some other company for their email if they want to send reliably.&lt;br /&gt;&lt;br /&gt;Best wishes.
Sorry to bring you bad news.&lt;br /&gt;&lt;br /&gt;-&lt;span style="font-style: italic;"&gt;Cameron in San Jose.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-3599229835520129401?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/3599229835520129401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=3599229835520129401' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3599229835520129401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3599229835520129401'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2009/10/whats-with-hinetnet.html' title='What&apos;s with Hinet.net?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-6320362481191109608</id><published>2009-10-02T18:47:00.000-07:00</published><updated>2010-04-13T18:52:59.690-07:00</updated><title type='text'>We seem to get blocked a lot.  But we love our ISP!  
RFC-Ignorant.org.</title><content type='html'>&lt;i&gt;&lt;span style="font-size: 100%;"&gt;A progressive activist mentioned to me that her organization's email tended to get blocked a lot.&amp;nbsp; From her perspective, all these Internet companies (ISPs) are the same, and they're &lt;span style="color: #3366ff;"&gt;"warring" over spam emissions&lt;/span&gt; with nobody doing anything to clean it up.&amp;nbsp; But we already know all ISPs are not the same.&amp;nbsp; A single web query showed what was really wrong at her ISP.&amp;nbsp; (I looked up her domain at the link four paragraphs down from here.)&amp;nbsp; I replied something like so.&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The problem is your Internet company sends a lot of spam and doesn't know it.&amp;nbsp; That's because their contact address for that is broken.&lt;br /&gt;&lt;br /&gt;There is a simple, widely recognized standard for contact addresses.  It was published by the technical governing body of the Internet a dozen years ago, and it only formalized a tradition that was a dozen years old then.  The standard is called Internet Engineering Task Force RFC2142.  It says if you run a domain where there are things that can be abused, you are supposed to have an "abuse" email address on that domain for reporting said abuse.  And you're supposed to have "postmaster" for reporting email issues.&amp;nbsp; It's common sense to have a standard for that, and the IETF is the body that publishes standards like that.&lt;br /&gt;&lt;br /&gt;Now, people who have no idea how the Internet works will tell you that there are no standards, or no standards body, or the real standards body is some corporation (Google, cisco, Microsoft...)  or "RFC just stands for Request for Comment, they don't really mean anything."&amp;nbsp; But that just shows their ignorance.  The Internet works because people who know what they are doing &lt;i&gt;voluntarily comply&lt;/i&gt; with the IETF's RFCs, including 2142.
It's the greatest demonstration of functional anarchy, as far as I know, in all of human history.&amp;nbsp; A voluntary association of network operators who agree to run their networks so that they're all compatible with each other.&lt;br /&gt;&lt;br /&gt;IETF RFC2142 is so important in tracking and dealing with email abuse that there is a clearinghouse which keeps track of domains that fail.  Unfortunately, the volunteers who set it up chose its name poorly, so that people who don't understand how the Internet works don't take it seriously, or even take offense at its name!  Nevertheless, &lt;a href="http://www.rfc-ignorant.org/"&gt;RFC-Ignorant.org&lt;/a&gt; has outlasted much more corporate or "professional" operations like Mail Abuse Prevention System, Open Relay Database, and plenty of others.&lt;br /&gt;&lt;br /&gt;My fellow activist's ISP's domain name is listed at RFC-Ignorant.org.  In fact, I submitted the evidence for that listing!  I do that when I can't figure out where to report spam from a network, because its standard contact addresses bounce my spam report.  I report most of the spam that reaches my mailbox, maybe a dozen a day.  (I use tools.  It's quick.)    I report one or two domains to RFC-I each day, on average.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Often you'll see RFC-I listings on "resellers" or "virtual ISPs," that is marketing organizations that put their brand on a wholesale ISP's service.  
&lt;/li&gt;&lt;li&gt;Sometimes you see RFC-I listings on Microsoft-oriented ISPs.&amp;nbsp; People who learned about Internet operations primarily from Microsoft (&lt;span style="font-size: x-small;"&gt;MSFT&lt;/span&gt;) training courses often have an "&lt;span style="color: red; font-family: courier new;"&gt;admin@example.net&lt;/span&gt;" address (there is no "&lt;span style="color: red; font-family: courier new;"&gt;admin&lt;/span&gt;" in RFC2142), but they don't have an &lt;span style="color: #006600; font-family: courier new;"&gt;abuse&lt;/span&gt; or &lt;span style="color: #006600; font-family: courier new;"&gt;postmaster&lt;/span&gt; address.&amp;nbsp; There's a big overlap between those people and the ones spreading misinformation about the RFCs.&amp;nbsp; A conspiracy theorist might imagine &lt;span style="font-size: x-small;"&gt;MSFT&lt;/span&gt;'s public relations thing made sure that information was missing from &lt;span style="font-size: x-small;"&gt;MSFT&lt;/span&gt;'s courses.&lt;/li&gt;&lt;li&gt;Sometimes you see RFC-I listings on school districts.&amp;nbsp; Sometimes it's a small business that let some consultant set up their email service and doesn't have anyone around who knows how it works.&amp;nbsp; It's not so much a matter of can't afford staff, as not realizing an email setup needs to work by the rules of the Internet, and it takes some monitoring and testing to get there.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;i&gt;&lt;span style="font-size: small;"&gt;She said, "&lt;span style="color: #3333ff;"&gt;But every week there are a couple of new [ISPs blocking us], or old ones that were once fixed that pop us again and have to be dealt with.&lt;/span&gt;"&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;That's happening because her ISP has not been good at controlling spamming from its network.  
When the RFC2142 addresses don't work, or are &lt;span style="font-style: italic;"&gt;listed as not working&lt;/span&gt;, you don't get the most detailed and timely reports.  So you take longer to discover a spam source on your network.&lt;br /&gt;&lt;br /&gt;Not that an RFC-I listing is the be-all and end-all of ISP ratings.  But it tends to be a remarkably reliable indicator.  Top-notch ISPs are hardly ever listed, with a handful of very large exceptions, while low-ballers and bumblers usually are.&lt;br /&gt;&lt;br /&gt;Everybody gets in block lists occasionally. Verizon &lt;a href="http://theregister.co.uk/2005/01/14/verizon_email_block/"&gt;blocked all of Europe for a couple of weeks&lt;/a&gt;.  But if it's happening regularly, your ISP really is doing something wrong.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Sorry if that's not what you wanted to hear.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-6320362481191109608?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/6320362481191109608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=6320362481191109608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6320362481191109608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6320362481191109608'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2009/10/we-seem-to-get-blocked-lot-but-we-love.html' title='We seem to get blocked a lot.  But we love our ISP!  
RFC-Ignorant.org.'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-3772045654917599505</id><published>2009-07-24T20:27:00.001-07:00</published><updated>2009-07-24T20:32:50.605-07:00</updated><title type='text'>Listwashed at Mailchimp.com</title><content type='html'>Mailchimp.com wants you to think they're one of those post dot-com enlightened legitimate email marketing services.&lt;br /&gt;&lt;br /&gt;I got a "campaign message" (spam) from their system to a trap address that's been dead for years.  Reported it to their "contact us" form, not the Ethical CAN-SPAM Compliant Opt-Out link in the spam.  Received a slick "sorry to see you go" message from the Client (customer of spammer-for-hire) within minutes.&lt;br /&gt;&lt;br /&gt;That's called list washing.  There was no ambiguity here.  The spammer scraped or bought a list.  There's no other way they would have gotten it.  They took it to Mailchimp, who spammed it for them.  It's what spammer-friendly service providers do.  It's one of the reasons there's still spam.
Spamming is what that other guy does.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-3772045654917599505?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/3772045654917599505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=3772045654917599505' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3772045654917599505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3772045654917599505'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2009/07/listwashed-at-mailchimpcom.html' title='Listwashed at Mailchimp.com'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-2611606040027342991</id><published>2009-07-11T16:06:00.000-07:00</published><updated>2009-07-11T16:14:10.487-07:00</updated><title type='text'>new Microsoft spam support service, Office Live</title><content type='html'>Spam came through a botnet host on eastlink.ca, advertising www.icandysoaps.com.  It's hosted on Microsoft's Office Live "cloud" service.  I reported it to report_spam@hotmail.com and the report was automatically rejected, needs a Hotmail domain.  I added@hotmail.com some@hotmail.com chaff@hotmail.com to get it past the broken robot.&lt;br /&gt;&lt;br /&gt;I got a personally worded response from MSFT's abuse staff.  
They refuse to do anything about the spamvertised web site on their server.  I should "unsubscribe" from its "newsletter."&lt;br /&gt;&lt;br /&gt;Now it's official.  Microsoft lets you advertise your Office Live web site in spam.  Kind of like Yahoo did when they first started their small business hosting service 15 years ago.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-2611606040027342991?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/2611606040027342991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=2611606040027342991' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2611606040027342991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2611606040027342991'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2009/07/new-microsoft-spam-support-service.html' title='new Microsoft spam support service, Office Live'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-6869481293221507067</id><published>2009-05-11T17:36:00.000-07:00</published><updated>2010-07-24T10:06:28.379-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hotmail'/><category scheme='http://www.blogger.com/atom/ns#' term='Idiots'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Hotmail stupidity 
protects spammers</title><content type='html'>Apparently Hotmail (Microsoft Corporation) is now selling private label email service, and some of its customers offer that service "free" to the Nigerian identity theft syndicate.&lt;br /&gt;&lt;br /&gt;A typical fraud email offers the usual box of money stranded somehow in Nigeria, and to reclaim it I must email the gov't of Nigeria at atm.cardremmitance@hotellos.nl.  (Yes, people actually fall for this.  Mostly it's wanna-be con artists who think they're gonna con the Nigerians.)  I got three copies.  The MX records for hotellos.nl are:&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;hotellos.nl.            86024   IN      MX      0 1023266581.pamx1.hotmail.com.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;hotellos.nl.            86024   IN      MX      10 1023266581.pamx1.hotmail.com.&lt;/span&gt;&lt;br /&gt;That is, Hotmail hosts this Nigerian identity theft mailbox account.&lt;br /&gt;&lt;br /&gt;The only address that seems to work at all for Hotmail is report_spam@hotmail.com.  Abuse@ and Postmaster@ don't work.  I sent a complete, simple spam report.  Hotmail said:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Unfortunately, in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The response came within a couple of minutes.  Nobody told the abuse department about these new private-labeled domains.  An automatic filter is throwing away reports of hotmail hosted spam.
Until this is fixed, spammer accounts on Hotmail are pretty much bullet proof.&lt;br /&gt;&lt;br /&gt;April 2010 update.&amp;nbsp; I think I'll list the problem domains here.&lt;br /&gt;8u8.tw, admin.it.th, banat.ps, discuz.org, hotellos.nl, hotmail.com.tw, info.al, live.co.uk, mycin.net, nba2k.com.cn, qatar.io, ufo.tc, w.cn, ws.tc&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-6869481293221507067?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/6869481293221507067/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=6869481293221507067' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6869481293221507067'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6869481293221507067'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2009/05/hotmail-stupidity-protects-spammers.html' title='Hotmail stupidity protects spammers'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-7808355539525170544</id><published>2008-04-13T14:44:00.000-07:00</published><updated>2008-04-13T15:11:11.710-07:00</updated><title type='text'>ACLU server hijacked for phishing</title><content type='html'>This is just too funny.
From a spam posted to news.admin.net-abuse.email.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Delivered-To: &lt;span style="font-family:times new roman;"&gt;[redacted address]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;by &lt;span style="font-family:times new roman;"&gt;[redacted hostname]&lt;/span&gt; (Postfix) with ESMTP id E004A11423&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;   for &amp;lt;&lt;span style="font-family:times new roman;"&gt;[redacted address]&lt;/span&gt;&amp;gt;; Tue,  8 Apr 2008 10:27:31 -0700 (PDT)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;   SMTPSVC(5.0.2195.6713);&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;   Tue, 8 Apr 2008 13:27:06 -0400&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;   Tue, 8 Apr 2008 13:27:05 -0400&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;From: "PayPal.com" &amp;lt;service@alert-pp-urgent-notice.com&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Subject: To many wrong attemps&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Date: Tue, 8 Apr 2008 20:29:01 +0300&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;MIME-Version: 1.0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Content-Type: text/plain;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;   charset="Windows-1251"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Content-Transfer-Encoding: 7bit&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;X-Priority: 1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;X-MSMail-Priority: High&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;X-Mailer: Microsoft Outlook Express 6.00.2600.0000&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Message-ID: &amp;lt;nyexfe01yct4aj6pknz000003b9@nyexfe01.aclu.org&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;X-OriginalArrivalTime: 08 Apr 2008 17:27:06.0036 (UTC) FILETIME=[C42E8F40:01C8999D]&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;To: undisclosed-recipients:;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Because you have to many wrong attemps on your Paypal login,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;we had to put your account on hold.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;
Years ago, when it was still possible to save the public email system, the ACLU carried water for the Direct Marketing (scumbag) Association, convincing Zoe "Clueless" Lofgren (D-CA) that spamming is free speech, not theft of service and illegal conversion of assets.  The headers show ACLU runs Microsoft Exchange Server.  Of course it got hacked and the criminal is &lt;strike&gt;sending phish spam&lt;/strike&gt; &lt;em&gt;exercising his first amendment rights&lt;/em&gt; with it.
I wonder if anybody told them yet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-7808355539525170544?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/7808355539525170544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=7808355539525170544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/7808355539525170544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/7808355539525170544'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2008/04/aclu-server-hijacked-for-phishing.html' title='ACLU server hijacked for phishing'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-5242648272682816095</id><published>2008-02-16T09:07:00.000-08:00</published><updated>2008-02-16T09:29:01.240-08:00</updated><title type='text'>who protects Herbal King?</title><content type='html'>I get more spam from the Herbalking gang than from any other spammer.  That's because Herbalking is so confident that he is "bullet proof" that he sends spam to postmaster@ addresses.  Those addresses are less heavily filtered than regular users'.  Spamhaus seems to think the gang, to the degree that these gangs are based in any particular country, is Indian.&lt;br /&gt;&lt;br /&gt;Herbalking sends through botnets.  
My system rejects spam from most consumer-residential bots, but Herbalking also has bots on compromised web hosts and "small business" and academic servers.  Those are the ones that get through here.  Every few days I pick one and inform the owner of the compromised server.  Unfortunately, hardly anybody else does that.  More often than not, the owner's published contact info is wrong, or the reports just disappear.  Of the ones who reply, most are grateful.  Perhaps a fifth insist that I am wrong, and either the spam could not possibly have come from their equipment or someone else is responsible for that equipment.  These people tend to be ignorant of the basics of computer networking and security, and believe that an SMTP sender IP address can be "spoofed" or that their equipment is invulnerable because they bought an "anti virus" product.&lt;br /&gt;&lt;br /&gt;Herbalking's "pharmacy" mail order sites are mostly hosted on the rogue ISP "ZBYD" in Beijing.  As far as I know, ZBYD is owned and operated by spammers.  It's connected to the Internet through Great Wall Broadband Network Service Co., Ltd of Beijing, and its route to North America is through an undersea fiber operated by China Netcom, which terminates in a neutral exchange point in Los Angeles.  That's three layers of companies you can't even contact.  The only thing that could affect ZBYD would be if the major consumer service providers decided to block traffic from its IP addresses.  They won't even talk about doing that.
They're lazy and indifferent, and they're not under any real pressure to do it, and recently they've become paranoid about creating the appearance of not offering "net neutrality."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-5242648272682816095?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/5242648272682816095/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=5242648272682816095' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5242648272682816095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5242648272682816095'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2008/02/who-protects-herbal-king.html' title='who protects Herbal King?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-5634801465535972039</id><published>2007-12-07T12:39:00.000-08:00</published><updated>2007-12-07T12:49:44.728-08:00</updated><title type='text'>Spamassassin vs Darfur</title><content type='html'>I run a GNU Mailman list for the International Committee of the Green Party of the US.  
This morning someone forwarded an &lt;a href="http://www.blackagendareport.com/index.php?option=com_content&amp;amp;task=view&amp;amp;id=453&amp;amp;Itemid=1"&gt;essay from blackagendareport.com&lt;/a&gt;, questioning the motives and veracity of the "Save Darfur" movement.  Several African nations are mentioned, and large numbers of dollars spelled out.  It triggered three of Spamassassin's ADVANCE_FEE rules, totaling 7.9.  My threshold for adding the ***SPAM*** indication to the subject line is 8.3.  The additional 0.4 points came from the HTML-only and "no real name" tests.&lt;br /&gt;&lt;br /&gt;The writer makes a good argument that "Save Darfur" is not what it seems.  Spammers are making it hard for his message to get out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-5634801465535972039?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/5634801465535972039/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=5634801465535972039' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5634801465535972039'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5634801465535972039'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/12/spamassassin-vs-darfur.html' title='Spamassassin vs Darfur'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-6702576951665858655</id><published>2007-06-30T12:30:00.000-07:00</published><updated>2007-06-30T13:25:39.713-07:00</updated><title type='text'>reporting phishes</title><content type='html'>If you really want to do something about phishes, don't bother reporting them to &lt;span style="font-style: italic;"&gt;your&lt;/span&gt; ISP.  Millions of people already hit that "this is spam" button.  And it's only useful if you do it within a few minutes of your ISP's receiving it.&lt;br /&gt;&lt;br /&gt;Instead, open the &lt;span style="font-style: italic;"&gt;message source &lt;/span&gt;and find the URL of the fake bank site.  We call that the &lt;span style="font-style: italic;"&gt;payload&lt;/span&gt; URL.   The whole point of the spam is to get you to go there with a web browser.  The fake bank site was created by a dangerous gang of criminals.  Don't forget that.  Do not visit the URL with a web browser.  It probably contains malware and will attack your PC.&lt;br /&gt;&lt;br /&gt;Sometimes these are hosted on spammer-friendly ISPs in Eastern Europe or China.  Do not report those.  But most fake bank or credit union or Paypal sites are &lt;span style="font-weight: bold;"&gt;hosted on servers that the criminal broke into&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;With a little common sense, you can safely figure out where the fake bank site is hosted. &lt;/span&gt; Look at the payload URL &lt;span style="font-style: italic;"&gt;in the spam message source&lt;/span&gt;.  
You can spot it among the decoys and images because it's the one with "click here" or the domain name of the real bank.&lt;br /&gt;&lt;br /&gt;If the payload URL is something like &lt;span style="font-family:courier new;"&gt;http://www.podunk-realtor.com/images/.hideme/bankofamerica.com&lt;/span&gt;/, you can be pretty sure it's a break-in, and the Podunk Realtor and his ISP or web design firm have no idea they are supporting large scale felony fraud.  If it's more like &lt;span style="font-family:courier new;"&gt;http://www.cheaphosting.com/~someguy/bankofamerica.com/&lt;/span&gt;, it's probably a shared hosting account at a giant web hosting company, purchased with a stolen credit card.    If it's  &lt;span style="font-family:courier new;"&gt;http://www.paypa&lt;span style="font-weight: bold;"&gt;I&lt;/span&gt;.com/&lt;/span&gt; (a subtle misspelling), the hosting company and the Registrar are probably in on it, and there's no point in reporting those.  Some web hosting places are so careless that they might as well be in on it.&lt;br /&gt;&lt;br /&gt;If it's in eastern Europe or China, leave it to the professionals.  Stop here.  You do not want to provoke the Russian mafia.&lt;br /&gt;&lt;br /&gt;Copy the domain name of the fake bank site out of the message source and trace it (with "&lt;span style="font-family:courier new;"&gt;tcptraceroute&lt;/span&gt;" on unix or "&lt;span style="font-family:courier new;"&gt;tracert&lt;/span&gt;" on MSWindows, or use &lt;a href="http://www.samspade.org/"&gt;Samspade.org&lt;/a&gt;) to its hosting.&lt;br /&gt;&lt;br /&gt;The output of the traceroute starts at your PC (or at Samspade) and shows the route to the fake site.  The last item is the compromised server.  It may have a domain name that belongs to the ISP, or to one of his customers.  With a little practice you'll know which is which at a glance.  Look up the IP address in Whois.  ISPs generally own their own IP addresses.  
Even if they don't, it gives you a pretty good clue as to what company owns or controls that end of the route.   In the case I called Podunk Realtor, it is probably safe to look at the front page of the Realtor's site with a browser, and find some contact info that way.  Look up the domain name on the server, in Whois.  That will give you more contact info, of the Podunk Realtor or his ISP or both.&lt;br /&gt;&lt;br /&gt;Report the break-in to the owner of the server and his ISP.  Out of the hundreds of thousands who received that phish run, &lt;span style="font-weight: bold;"&gt;you may be the only person to report it properly&lt;/span&gt;.  Do not include a copy of the spam.  That will probably prevent the victim from receiving it.  Just tell them the IP address of the compromised server, and the URL you found in the spam.&lt;br /&gt;&lt;br /&gt;You can look up contact addresses of a well-run ISP at &lt;a href="http://www.abuse.net/"&gt;&lt;span style="font-family:courier new;"&gt;www.abuse.net&lt;/span&gt;&lt;/a&gt;.  Or just send to &lt;span style="font-family:courier new;"&gt;abuse@&lt;/span&gt;&lt;span style="font-style: italic;"&gt;example.net &lt;/span&gt;&lt;span style="font-style: italic;font-family:times new roman;" &gt;&lt;/span&gt;where, of&lt;br /&gt;course, &lt;span style="font-style: italic;"&gt;example.net&lt;/span&gt; is the ISP's domain name.  
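A worked version of the triage the post describes, added here as an example and not code from the post or its author: it pulls the URLs out of a constructed message source, sorts each one into the hosting patterns above (break-in, shared hosting account, lookalike domain) without ever fetching anything, and drafts a report that carries only the server's IP address and the payload URL, never a copy of the spam. The sample message, every hostname, the brand list and the isp_domain value are made-up assumptions for the example; the ISP's domain and the server's IP address are passed in because the traceroute and whois steps are done by hand.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Brand domains used by the lookalike check (constructed list for this example).
KNOWN_BRANDS = ("paypal.com", "bankofamerica.com", "bankofpodunk.example")

# Constructed plain-text message source standing in for a real phish.
# Every host here is a made-up example name.
SAMPLE_PHISH = """Received: from mail.example.net ([192.0.2.10])
From: security@bankofpodunk.example
To: victim@example.org
Subject: Account verification required
Content-Type: text/plain; charset=us-ascii

Dear customer, please verify your account within 24 hours at
http://www.podunk-realtor.example/images/.hideme/bankofpodunk.example/login.php
Logo: http://www.bankofpodunk.example/images/logo.gif
"""

URL_RE = re.compile(r"https?://\S+")


def extract_urls(raw_message):
    """Pull every URL out of the text parts of a message source, in order."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(u.rstrip(".,)") for u in URL_RE.findall(text))
    return urls


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 from a brand flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels; an assumption that stands in for a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def classify(url):
    """Sort a URL into the hosting patterns the post describes."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "decoy-real-brand"    # link to the genuine bank: image or decoy
    if any(edit_distance(domain, brand) == 1 for brand in KNOWN_BRANDS):
        return "lookalike-domain"    # registrar and host likely complicit
    if path.startswith("/~"):
        return "shared-hosting"      # throwaway account at a big hosting company
    if "/." in path or any(brand in path for brand in KNOWN_BRANDS):
        return "compromised-server"  # hidden directory or brand name in the path
    return "unknown"


def find_payload(raw_message):
    """First URL that is not a decoy link to the real brand, with its class."""
    for url in extract_urls(raw_message):
        kind = classify(url)
        if kind != "decoy-real-brand":
            return url, kind
    return None, None


def draft_report(url, server_ip, isp_domain):
    """Report text for the server owner and ISP: IP and URL only, no spam copy.
    isp_domain is whatever traceroute and whois turned up; it is passed in."""
    host = urlparse(url).hostname
    return (
        f"To: abuse@{isp_domain}\n"
        f"Subject: Compromised server {server_ip} ({host}) hosting a phishing page\n\n"
        f"The server {host} at {server_ip} is serving a fake bank login page:\n"
        f"  {url}\n"
        "It appears to have been broken into. Please take the page down and\n"
        "secure the server. The phishing message itself is deliberately not attached.\n"
    )
```

Running find_payload on SAMPLE_PHISH returns the podunk-realtor URL classified as compromised-server, while the bank's own logo URL is skipped as a decoy; only the compromised-server and shared-hosting classes are worth a report, which is why draft_report takes the URL rather than the whole message.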
(If that bounces, report the ignorant ISP to RFC-Ignorant.org.)&lt;br /&gt;&lt;br /&gt;Do that with one phish a week and you're doing more than all the times you ever hit "this is spam."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-6702576951665858655?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/6702576951665858655/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=6702576951665858655' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6702576951665858655'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6702576951665858655'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/06/reporting-phishes.html' title='reporting phishes'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-5828740934041847934</id><published>2007-06-29T08:21:00.000-07:00</published><updated>2007-06-29T08:39:55.216-07:00</updated><title type='text'>Sender Address Verification we told you so</title><content type='html'>When we started seeing SMTP callbacks, aka "Sender Address 
Verification," several members of &lt;a href="news:news.admin.net-abuse.email"&gt;news.admin.net-abuse.email&lt;/a&gt;, including myself, said it was a Bad Idea.&lt;br /&gt;&lt;br /&gt;It's trivially easy to get around SAV.  The spammer just puts known deliverable addresses in his envelope-sender.  Of course he needs to use thousands or millions of those in each spam run, to evade statistical filters.  I'm surprised it took until now for them to figure that out.  And because they have to be deliverable, it takes a higher quality list for the fake senders than for the spam recipients.&lt;br /&gt;&lt;br /&gt;Meanwhile, there are still a lot of "anti-spam appliances" and other broken &lt;span style="font-size:85%;"&gt;SMTP&lt;/span&gt; servers that accept and return messages to bad addresses, rather than refusing them.  But you can't return spam once you've accepted it into your queue.  You don't have an address for the spammer, and he isn't interested anyway.  So the returned spam messages become a new form of spam known as "backscatter."  Until recently, the Barracuda appliance in its default configuration sent backscatter.  They've fixed that.  Qmail-1.03 sends backscatter.  There are patches for that.  One popular Qmail backscatter patch is called "chkuser."&lt;br /&gt;&lt;br /&gt;Two unforeseen consequences combine for another harm.  1. SAV is becoming popular.  2. Backscatter.  The backscatter used to go to the same poor quality address lists the spammers send to.  So most of it never got delivered; it stuck in the Barracuda appliance or Qmail queue.  
But now it's getting delivered, adding to the spam load and degrading the statistical filtering results.&lt;br /&gt;&lt;br /&gt;Not only are spammers destroying the public email system, but misguided Final Ultimate Solutions (&lt;span style="font-size:85%;"&gt;FUSSP&lt;/span&gt;s) are damaging it too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-5828740934041847934?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/5828740934041847934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=5828740934041847934' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5828740934041847934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/5828740934041847934'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/06/sender-address-verification-we-told-you.html' title='Sender Address Verification we told you so'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-4778937518149651379</id><published>2007-06-02T07:35:00.000-07:00</published><updated>2007-06-02T07:46:20.995-07:00</updated><title type='text'>Soloway busted, so what.</title><content type='html'>Big news, Robert Soloway busted for wire fraud, credit card fraud, CAN-SPAM violations, and using a bot-net.&lt;br /&gt;&lt;br /&gt;Big deal.  
The prosecutor isn't even &lt;span style="font-style: italic;"&gt;asking &lt;/span&gt;for prison time.  That's the strongest signal yet that the US Government doesn't actually regard spamming and creating and running bot-nets as criminal behavior.  It shows how successful US spammers have been at positioning themselves as persecuted entrepreneurs, not as criminal gangs.  You can thank the Direct Marketing Association, the American Civil Liberties Union, and corrupt, stupid congresscritters like Zoe Lofgren for that.&lt;br /&gt;&lt;br /&gt;And you can thank the US "news media" for spiking the story as systematically as they have blacked out anything in the Project Censored Yearbook.&lt;br /&gt;&lt;br /&gt;Creating and using a bot-net is one of the most destructive computer crimes.  A single bot-net operation can cause hundreds of millions of dollars of economic loss to consumers and businesses.  Imagine if some criminal invented an automatic way to &lt;span style="font-weight: bold;"&gt;break into a hundred thousand people's cars&lt;/span&gt; and misuse them.  Now imagine the DMA and &lt;span style="font-weight: bold;"&gt;the ACLU said that's okay, it's free speech!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Why is that so hard to understand?  
Because computers are "technical" and cars aren't?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-4778937518149651379?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/4778937518149651379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=4778937518149651379' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/4778937518149651379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/4778937518149651379'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/06/soloway-busted-so-what.html' title='Soloway busted, so what.'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-287813347601300661</id><published>2007-05-11T11:17:00.000-07:00</published><updated>2008-02-26T13:41:18.283-08:00</updated><title type='text'>false positives due to Microsoft's bad advice!</title><content type='html'>My systems try to reject as much incoming spam as possible by its origin, so we don't have to spend time analyzing it all.  
There are basically three ways:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The sender's IP address, or the range it's in, is known to send nothing but spam.&lt;/li&gt;&lt;li&gt;The sender's software makes some protocol mistake during the SMTP session that legitimate senders don't make.&lt;/li&gt;&lt;li&gt;The sender identifies itself with a name that isn't defined, or its IP Address (numerical network location) doesn't have a name, or has a name that isn't defined.&lt;/li&gt;&lt;/ol&gt;Now and then someone complains they can't send email to my users.  Sometimes it's due to a mistake I made spelling out one of the "spammy" IP Address ranges in my block list.  Sometimes the person is sending from a spammy place and I decide to override or remove the block for that particular place.&lt;br /&gt;&lt;br /&gt;This week we had a new one.  The sender's IP Address doesn't really have a name: its name is only an alias (a "&lt;span style="font-size:85%;"&gt;CNAME&lt;/span&gt;") of something else.  Of course I put an exception in my Postfix setup for that particular sender.  (Chico.com.)&lt;br /&gt;&lt;br /&gt;But tracking down the problem revealed an interesting cause.  The Domain Name System was invented in the early 1980s by some geniuses (Mockapetris, Barr, Postel, etc) and it works in a way that is described in some "RFC" documents from the Internet Engineering Task Force.  These RFCs achieve "standards track" status after years of discussion and testing by more geniuses.  RFCs level the playing field, by saying exactly how Internet software programs must talk to each other.  That way anybody can write Internet software and expect it to work pretty well with what's already out there.&lt;br /&gt;&lt;br /&gt;The RFCs say an Internet Protocol Address should be given a name and that name should be published in a "Pointer Resource Record" ("PTR Record" for short) in the DNS.  
The geniuses reserved a special domain for those, &lt;span style="font-family:courier new;"&gt;in-addr.arpa&lt;/span&gt;.  I suppose that means something like "inverse addresses on the &lt;span style="font-size:85%;"&gt;ARPANET.&lt;/span&gt;"  Then they say the name in the PTR Record &lt;span style="font-weight: bold;"&gt;must&lt;/span&gt; be defined by an Address Record.&lt;br /&gt;&lt;br /&gt;Postfix lets you reject email from senders who don't have those two things (a PTR Record and a corresponding Address Record) going for them.  The test is called "&lt;span style="font-family:courier new;"&gt;smtpd_client_restrictions = reject_unknown_client&lt;/span&gt;" and it's really productive.  There are tens of millions of unnamed cable modems and DSL lines, full of trojaned Microsoft boxes, sending spam, and we reject it all.&lt;br /&gt;&lt;br /&gt;The standard book about the DNS, &lt;span style="font-style: italic;"&gt;DNS and BIND&lt;/span&gt; by Albitz and Liu, mentions the requirement that the PTR name must have a real Address Record.  (They also mention that a workaround exists in the Internet Systems Consortium's domain name resolver subroutines, for PTRs that have an alias instead of a real name.)  Cisco's book says "PTRs use official names not aliases."  IBM's tutorial for setting up DNS on its unix (AIX) servers says "the name in the PTR record should have an actual Address record."&lt;br /&gt;&lt;br /&gt;But Microsoft's Knowledge Base says go ahead and use &lt;span style="font-size:85%;"&gt;CNAME&lt;/span&gt; Aliases for the names in your PTR records!  They're telling people to break the rule that helps us reject spam efficiently.  Why?  Well, Microsoft has an attitude about the Internet standards.  They don't like &lt;span style="font-style: italic;"&gt;anything&lt;/span&gt; that levels the playing field.  So their software intentionally misoperates in subtle ways.  
That way, if you're in an all-Microsoft shop, your stuff will work, inside your shop, and you'll think those weirdos out there who use software from anybody else are using broken software.  They're counting on the all-Microsoft users to not know or care about the standards.  This attitude and behavior was identified in Microsoft internal memos as a &lt;span style="font-style: italic;"&gt;strategy&lt;/span&gt;.  It's called "embrace, extend, and extinguish."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-287813347601300661?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/287813347601300661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=287813347601300661' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/287813347601300661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/287813347601300661'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/05/false-positives-due-to-microsofts-bad.html' title='false positives due to Microsoft&apos;s bad advice!'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-2548253532856275328</id><published>2007-04-25T16:27:00.000-07:00</published><updated>2007-04-25T17:43:52.892-07:00</updated><title type='text'>spammer-friendly mzima networks</title><content type='html'>This morning's "Quality Meds at 
Clearance Price" spam came from a trojaned consumer box on "broadband" in Malaysia.  It had a bogus EHLO/HELO name.  Either of those would have gotten it blocked, except it was addressed to Postmaster.  You're not supposed to block spam to that RFC2142 address.  (I'm getting tired of that rule.)  Spammer must be pretty confident he's complaint-proof.&lt;br /&gt;&lt;br /&gt;The spammer just gives his domain name, a throwaway at Register.com.  They tell me these are usually paid for with stolen credit cards.  He spells the domain name with spaces around the dot, to avoid triggering Spamassassin's "URL seen in spam" rule.  The contact info in the registration is &lt;span style="font-style: italic;"&gt;clearly&lt;/span&gt; bogus: &lt;span style="font-family:courier new;"&gt;666 devils rd, lucifer, miami, +1.305&lt;span style="font-weight: bold;"&gt;666&lt;/span&gt;9990&lt;/span&gt;.  Yeah, sure, lots of real people at that 666 exchange.  By the time Register.com (Verisign still owns them?) takes it down, he'll have moved on.&lt;br /&gt;&lt;br /&gt;The spammer's web server is hosted at Mzima Networks.  A large colocation provider with data centers in the US, Hong Kong, Tokyo, and four cities in western Europe.  A colocation provider rents you rack space in his data center for your server, which you connect to his network.  Usually he reallocates you some IP addresses.  If you're big enough you bring your own.  Mzima has 21 entries on the Spamhaus block list.  Mostly bunches of sixteen IP addresses.  Most belonging to well known, chronic, "career" spammers.  This one turns out to be "iMedia Networks."  The 512 IP addresses are reallocated from Mzima to an "SBC Telecom Consulting, Inc."  It's been there nine months.&lt;br /&gt;&lt;br /&gt;I called Mzima.  They told me that their customers can spam all they want, as long as they do it on someone else's network, and I should complain to the cable company in Malaysia.  
As long as the spam came from a bot-net, it's none of Mzima's business.  Of course, well-run networks won't accept email from an IP address assigned to a criminal like iMedia Networks anyway.  He just sells his pills through them.&lt;br /&gt;&lt;br /&gt;Mzima claims to be "connecting to multiple Tier-1 carriers and numerous private peers."  But whenever I trace route to their spammer havens the route goes through Internet backbone carrier Level3.  Of course Level3 doesn't give a damn about the criminal selling his fake pills through their network.  They know the government isn't going to bother them, and Mzima pays them well.&lt;br /&gt;&lt;br /&gt;Spammers exist because of the knowing, willful negligence of companies like Mzima Networks and Level3 Communications.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What you can do: &lt;/span&gt; Ask &lt;span style="font-style: italic;"&gt;your &lt;/span&gt;ISP to "null route" the pill spammer's IP address range, &lt;span style="font-family: courier new;"&gt;72.37.186/23&lt;/span&gt;.  They're not expecting that.  They're expecting you to complain about the bot-net pill spam, but they think you're too stupid to figure out that the spammer's web hosting matters more.  Tell them you'd prefer that they not carry the pill spammer's traffic.  Not just his email, which comes from everywhere, but his Web server and his bot-net controller too.  Nobody's going to miss any legitimate traffic from there, because there isn't any.  This happens, occasionally, to the very worst of the worst spammers.  It renders their IP addresses fairly worthless, and they have to buy a new allocation from Mzima.  Which leaves Mzima stuck with 512 IP addresses that &lt;span style="font-style: italic;"&gt;nobody&lt;/span&gt; wants.&lt;br /&gt;&lt;br /&gt;Of course, if we get the kind of "net neutrality" Moveon.org has been pushing for, such shunning becomes illegal.  
&lt;span style="font-weight: bold;"&gt;Under today's "free trade" agreements, the boycotts that forced the end of Apartheid in South Africa would be illegal.&lt;/span&gt;  Think about it.  &lt;span style="font-weight: bold;"&gt;Do you really want a "free trade" Internet?&lt;/span&gt;  You can bet Level3 and Mzima do.  And the spammers would just love it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-2548253532856275328?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/2548253532856275328/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=2548253532856275328' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2548253532856275328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2548253532856275328'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/04/spammer-friendly-mzima-networks.html' title='spammer-friendly mzima networks'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-2632877106573496640</id><published>2007-04-16T15:44:00.000-07:00</published><updated>2008-07-06T16:51:06.267-07:00</updated><title type='text'>home servers blocked because of "generic" reverse DNS</title><content type='html'>My server refused Michael's email.   He's running a server at home on a phone company DSL line with a static IP address.  
"What's this about?  Can I not send you mail because I have &lt;a href="http://www.spamhaus.org/sbl/listings.lasso?isp=att.net"&gt;SBC DSL&lt;/a&gt;?"&lt;br /&gt;&lt;br /&gt;Not exactly.  It's because he's sending directly from a residential SBC DSL line with a "generic" name in &lt;a href="http://en.wikipedia.org/wiki/Reverse_DNS_lookup"&gt;reverse DNS&lt;/a&gt;.&lt;br /&gt;&lt;table width="85%"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: rgb(200, 200, 255);" bg=""&gt;&lt;tt&gt;&lt;span style="color:darkgreen;"&gt;$ &lt;/span&gt;&lt;span style="color:black;"&gt;host -t ptr 68.124.123.45&lt;/span&gt;&lt;span style="color:darkgreen;"&gt;    #(not his real address)&lt;br /&gt;45.123.124.68.in-addr.arpa domain name pointer adsl-68-124-123-45.dsl.pltn13.pacbell.net.&lt;/span&gt;&lt;/tt&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Legitimate email senders just about always have a pointer record in the &lt;em&gt;&lt;tt&gt;in-addr.arpa&lt;/tt&gt; domain&lt;/em&gt;.  The name in it suggests it's actually &lt;span style="font-style: italic;"&gt;supposed&lt;/span&gt; to be sending mail.   
Picking a couple at random out of this morning's email:&lt;br /&gt;&lt;table width="85%"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: rgb(200, 200, 255);" bg=""&gt;&lt;tt&gt;&lt;span style="color:darkgreen;"&gt;$ &lt;/span&gt;&lt;span style="color:black;"&gt;host 204.13.164.18&lt;/span&gt;&lt;br /&gt;&lt;span style="color:darkgreen;"&gt;18.164.13.204.in-addr.arpa domain name pointer mx1.riseup.net.&lt;br /&gt;$ &lt;/span&gt;&lt;span style="color:black;"&gt;host 66.159.220.136&lt;/span&gt;&lt;br /&gt;&lt;span style="color:darkgreen;"&gt;136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.&lt;/span&gt;&lt;/tt&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Take a look at amybiehl's network neighbors.&lt;br /&gt;&lt;tt&gt;$ whi -v 66.159.220 132 141&lt;br /&gt;132.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-132.dslextreme.com.&lt;br /&gt;133.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-133.dslextreme.com.&lt;br /&gt;134.220.159.66.in-addr.arpa domain name pointer alexsoo.net.&lt;br /&gt;135.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-135.dslextreme.com.&lt;br /&gt;136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.&lt;br /&gt;137.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-137.dslextreme.com.&lt;br /&gt;138.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-138.dslextreme.com.&lt;br /&gt;139.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-139.dslextreme.com.&lt;br /&gt;140.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-140.dslextreme.com.&lt;/tt&gt;&lt;br /&gt;&lt;br /&gt;It's pretty easy to see which are the servers and which are just generic residential lines. 
Michael's email was refused because his server's pointer resource record name &lt;tt&gt;adsl-68-124-123-45.dsl.pltn13.pacbell.net&lt;/tt&gt; matched the &lt;a href="http://perldoc.perl.org/perlrequick.html"&gt;regular expression&lt;/a&gt;&lt;blockquote&gt;&lt;tt&gt;/^(adsl|ppp)-.*\.(dsl|dialup)\..*\.pacbell\.net$/&lt;/tt&gt;&lt;/blockquote&gt;which &lt;span style="font-weight: bold;"&gt;stops an &lt;span style="font-style: italic;"&gt;amazing &lt;/span&gt;amount of spam&lt;/span&gt; without any content analysis.  SBC/Ameritech/Snet/AT&amp;T/Pacbell generics are in the top twenty spam sources worldwide.  They claim to be "rolling out" &lt;a href="http://www.circleid.com/posts/port_25_blocking_or_fix_smtp_and_leave_port_25_alone_for_the_sake_of_spam/"&gt;port 25 blocking&lt;/a&gt;, but there are glaciers that move faster.  &lt;span style="font-style: italic;"&gt;I'll&lt;/span&gt; whitelist your PTR name, but I doubt many admins would bother.  If you're gonna run a server &lt;strong&gt;in the middle of a block that's 99.99% Microsoft-DSL-residential spam zombies&lt;/strong&gt; you're eventually gonna have to ask SBC for a non-generic name in rDNS.  Or send through the SMTP relays SBC provides.&lt;br /&gt;&lt;br /&gt;Your MTA probably has a routing table where you can relay out to certain domains and send directly by default.  I can show you how to do it in Qmail and Postfix.  
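One way to see how the client checks from this post and from the "false positives due to Microsoft's bad advice" post fit together, as an added example that is not the author's Postfix or Qmail configuration and not code from this blog: the PTR-plus-Address-record test that post attributes to reject_unknown_client, the generic-name pattern above, and the whitelist exception the delist form feeds. Live DNS is replaced by a constructed snapshot; the .example names, the documentation-range addresses, the CNAME entry that models the Chico.com-style alias case, and the follow_cname switch are all assumptions made for the example.

```python
import re

# Constructed DNS snapshot used instead of live lookups. Names and addresses
# are made up for this example (198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges); only the pacbell-style generic name and the regex
# come from the post.
PTR = {
    "68.124.123.45": "adsl-68-124-123-45.dsl.pltn13.pacbell.net",  # generic DSL line
    "204.13.164.18": "mx1.riseup.net",                              # real mail server
    "198.51.100.7": "mail.cname-case.example",                      # PTR names an alias
    "203.0.113.9": None,                                            # no PTR at all
}
A = {
    "adsl-68-124-123-45.dsl.pltn13.pacbell.net": "68.124.123.45",
    "mx1.riseup.net": "204.13.164.18",
    "mx.cname-case.example": "198.51.100.7",
}
CNAME = {"mail.cname-case.example": "mx.cname-case.example"}

# The post's pattern for SBC/Pacbell residential lines, with the dot before
# (dsl|dialup) escaped so it matches a literal dot.
GENERIC_RE = re.compile(r"^(adsl|ppp)-.*\.(dsl|dialup)\..*\.pacbell\.net$")

# PTR names let through despite failing a check (what the delist form feeds).
WHITELIST = set()


def forward_confirmed(ip, follow_cname=False):
    """Return (ok, ptr_name). ok is True when the client IP has a PTR record and
    the PTR name has an Address record pointing back at that IP. By default an
    alias is not followed, so a PTR that names a CNAME fails, which is the
    behaviour the post reports for the Chico.com sender."""
    name = PTR.get(ip)
    if name is None:
        return False, None
    target = CNAME.get(name, name) if follow_cname else name
    return A.get(target) == ip, name


def decide(ip, follow_cname=False):
    """Per-client policy: whitelist first, then unknown client, then generic
    residential rDNS, otherwise accept. Returns (action, reason)."""
    ok, name = forward_confirmed(ip, follow_cname)
    if name in WHITELIST:
        return "accept", f"whitelisted {name}"
    if not ok:
        return "reject", f"unknown client {ip} (PTR={name})"
    if GENERIC_RE.match(name):
        return "reject", f"generic rDNS {name}"
    return "accept", f"client {ip} is {name}"


def run_demo():
    """Evaluate every client in the snapshot; returns {ip: (action, reason)}."""
    return {ip: decide(ip) for ip in PTR}
```

With the snapshot as given, mx1.riseup.net is accepted, the pacbell generic name is rejected by the pattern, the address with no PTR is rejected as unknown, and the alias case is rejected unless follow_cname is set, which is the exception the post says had to be added by hand; adding the generic name to WHITELIST is the equivalent of the delist form.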
I've noticed about a dozen domains that block &lt;a href="http://www.campaignfoundations.com"&gt;amybiehl&lt;/a&gt;, and I route to those through &lt;a href="http://www.greens.org/gis/"&gt;my server&lt;/a&gt; off of &lt;a href="http://www.speakeasy.net/"&gt;Speakeasy&lt;/a&gt;&lt;br /&gt;(Edit, July '08: I've moved from Speakeasy's T-1 to colocation at &lt;a href="http://www.Got.net/"&gt;Got.net&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;You'll find this kind of preemptive blocking will only get more common.  I'm kind of surprised you haven't hit it already.  Some pretty large networks have been using this technique for years.  DSL Extreme charged me $20 to install a custom PTR name.  Sonic and Speakeasy did it for free.&lt;br /&gt;&lt;br /&gt;The "see greens.org/delist" in my server's rejection message was supposed to lead you to my &lt;a href="http://www.greens.org/delist"&gt;whitelist request form&lt;/a&gt;.  Someone submits that form about once a month.  (Not counting the crackers who shove junk into it every day.  
They're looking for leaky forms they can exploit to send spam.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-2632877106573496640?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/2632877106573496640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=2632877106573496640' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2632877106573496640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2632877106573496640'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/04/home-servers-blocked-because-of-generic.html' title='home servers blocked because of &quot;generic&quot; reverse DNS'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-6804685570470912635</id><published>2007-03-31T09:47:00.000-07:00</published><updated>2007-03-31T10:00:01.010-07:00</updated><title type='text'>blocking vs filtering</title><content type='html'>&lt;p&gt;A poster on Techrepublic boasted that his workstation security suite (for MS-Windows) "blocks" spam.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;AVG Internet Security does a lot of good things.  I recommend it to my customers who still use Windoze.  We prefer it to Symantec or McAfee.  But it doesn't block spam. 
Nor do its competitors.&lt;/p&gt;&lt;p&gt; If you're using the typical consumer setup where &lt;span style="font-weight: bold;"&gt;you download your email via POP3&lt;/span&gt; from your ISP's mailbox server, your workstation doesn't see the spam until &lt;span style="font-weight: bold;"&gt;it's already been delivered&lt;/span&gt;.&lt;/p&gt; &lt;p&gt;AVG Internet Security and its competitors &lt;b&gt;filter&lt;/b&gt; spam.  That is, they analyze and sort it.  One good optimization you can do with POP3 is pull all the message headers, analyze &lt;em&gt;them&lt;/em&gt;, and delete the obvious spam from the mailbox before downloading the whole messages. I'd be surprised if they don't do that, at least as an option. But that's not available if you want to download all the spam into a local spam "folder" to look for false positives.&lt;/p&gt; Only your email service provider can &lt;b&gt;block&lt;/b&gt; spam. That's because blocking happens before the SMTP server (receiving system) has accepted the message. The SMTP server has to consider the source while the wanna-be SMTP client (sender) is waiting to connect, or analyze the message on the fly while the client is waiting for a response.&lt;br /&gt;&lt;br /&gt;There are two significant differences between blocking and filtering.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Blocked spam from spamware just disappears. (Spamware is the specialized software criminal spammers use for sending.  Most of it is installed on PCs the criminals have broken into, using trojans or rootkits or the like.  A lot of it just connects and blasts away, without paying any attention to the responses from the SMTP server.)   But blocked spam from a "legitimate" sender piles up in the sender's outbound queue or gets returned. That gives the sender feedback that he's sending unwanted mail and/or the address is bad. In the case of a legitimate sender exploited by a criminal spammer, it gives him feedback that his security is compromised. 
Filtered spam appears to the sender to have been delivered. The "legitimate" spammers (the minority who try to comply with CAN-SPAM &lt;span style="font-style: italic;"&gt;et al&lt;/span&gt;.) are deprived of the chance to clean bad addresses off their lists. Those criminal spammers who pay any attention to SMTP responses at all are told &lt;span style="font-weight: bold;"&gt;your address is deliverable&lt;/span&gt;, which makes it more valuable to sell to other spammers. In the end, &lt;span style="font-weight: bold;"&gt;filtering&lt;/span&gt; is a way of (partially) automating the process of "just hitting delete." It &lt;span style="font-weight: bold;"&gt;adds to the overall problem&lt;/span&gt;.&lt;/li&gt;&lt;li&gt;Blocked spam doesn't cost the non-recipient anything to store or download. And blocking before body content analysis is a whole lot cheaper than filtering.&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-6804685570470912635?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/6804685570470912635/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=6804685570470912635' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6804685570470912635'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/6804685570470912635'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/03/blocking-vs-filtering.html' title='blocking vs filtering'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-36964426.post-8572546165631035549</id><published>2007-03-30T09:28:00.000-07:00</published><updated>2007-03-30T09:45:51.506-07:00</updated><title type='text'>Danger of reporting spam</title><content type='html'>This morning I got a spam from a hobby server on DSLextreme.com.  I'm a DSL Extreme customer.  Their customer service is great, and they don't tolerate spam.  In fact, the last time I reported one of these to them, they misinterpreted the report and blocked &lt;span style="font-weight: bold;"&gt;me&lt;/span&gt;.  Shoot first, ask questions later.&lt;br /&gt;&lt;br /&gt;So today I copied the spam sample to my server at Explosive.net and sent the report from there.  Explosive is really great, too.  But their Internet Protocol Address (IPA) space is on Speakeasy.net, and Speakeasy's just as mean to spammers as DSL Extreme is.  So I'm still taking a chance.&lt;br /&gt;&lt;br /&gt;That's what it's come to.  The well-run retail ISPs are few and far between.  You don't want to be anywhere else.  But the well-run ISPs are on such a hair-trigger you have to think twice about sending legitimate email that could be &lt;span style="font-style: italic;"&gt;mistaken &lt;/span&gt;for spam.  Argh.&lt;br /&gt;&lt;br /&gt;Meanwhile, I'm shopping for a low-cost, well run virtual private server (VPS) in squeaky-clean IPA space.  My users want to host video clips and I can't do it from the colocation at Explosive.  Speakeasy and DSLExtreme don't offer VPS.  I considered GPLhost but they're on PCCW, which doesn't seem to handle abuse complaints competently.  Drop me a line if you've got any ideas.  Charlie Lima Sierra at Truffula dot Sierra Juliet dot Charlie Alpha dot Uniform Sierra.  
Geez, think they'll harvest that?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-8572546165631035549?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/8572546165631035549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=8572546165631035549' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/8572546165631035549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/8572546165631035549'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/03/danger-of-reporting-spam.html' title='Danger of reporting spam'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-7233698932608137366</id><published>2007-03-28T09:33:00.000-07:00</published><updated>2007-03-28T13:50:03.903-07:00</updated><title type='text'>Where to report spam</title><content type='html'>&lt;span style="font-size:130%;"&gt;I've seen estimates that less than one in a million spams results in a well-directed complaint.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Almost every week I see bad advice about where to report incoming spam.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Never reply&lt;/span&gt; to a spam message.  The reply address is probably bogus, and if it's real, you just made your address more valuable to other spammers.  You can't mailbomb them.  
You can't exhaust their web servers with repeated requests, either.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Don't report spam if you're not computer literate&lt;/span&gt; enough to save a spam into a plain text file and look at the headers.  That means the lines in the message headers that begin with the word "&lt;span style="font-family:courier new;"&gt;Received:&lt;/span&gt;."   If the files you save don't have those, don't bother.   If you do not know the difference between a plain text file and an MS-Word document with the font set to Courier, don't bother.  But if you can include the message in-line, not as an attachment, without destroying the headers or adding word processor crap, &lt;span style="font-weight: bold;"&gt;go for it&lt;/span&gt;.  Report it to:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Your email service provider.&lt;/span&gt;  That's nice.  Sometimes it helps "educate" or "train" their filters.  AOL and Yahoo! Mail do that.  It does approximately nothing to the spammer.  Your ISP is probably not going to contact his ISPs.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Spamcop.&lt;/span&gt;  That's nice too.  It helps ISPs who subscribe to Spamcop's block list block more spam from the same source.  Don't bother if the spam is more than an hour old.  Unfortunately Spamcop also offers a "personal" software product that's supposed to analyze the spam and help you generate a report.  But it's not very accurate, and a lot of ISPs, maybe most, ignore those reports.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The FTC. &lt;/span&gt; You can forward spam with complete headers to spam@uce.gov.  They keep statistics.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The SEC. &lt;/span&gt; You can forward stock spam to  enforcement@sec.gov.  They bust some criminals sometimes.  
If it's "image" spam, put the stock symbol that's being promoted in your subject line.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;news.admin.net-abuse.sightings&lt;/span&gt;.  That's a Usenet newsgroup for posting spam samples.  People use it to research spam patterns.  If you can't post the contents of a plain text file, in-line, to a newsgroup, don't bother.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The owner of the exploited equipment&lt;/span&gt;.  &lt;span style="font-size:130%;"&gt;Almost all spam is sent through computers the spammers don't own.&lt;/span&gt;  Spammers break into servers through leaky Web applications.  Or they steal or guess weak passwords.  They break into PCs in people's homes, on DSL or Cable, through "virus" infected email and malware infected Web pages.&lt;br /&gt;&lt;br /&gt;Look at the &lt;span style="font-family:courier new;"&gt;Received:&lt;/span&gt; header line &lt;span style="font-style: italic;"&gt;where your service provider receives the message from someplace that's not your service provider.&lt;/span&gt;  (If you can't read, don't bother.)   Maybe it's a cable company you've heard of.  Look up that company's abuse reporting address.  There's a service for doing that, at &lt;a href="http://www.abuse.net/lookup.phtml"&gt;abuse.net&lt;/a&gt;.  You can query abuse.net with your &lt;span style="font-family: courier new;"&gt;whois&lt;/span&gt; program (e.g., &lt;span style="font-family: courier new;"&gt;whois -h whois.abuse.net hotmail.com&lt;/span&gt;), or use its web site.  The DSL or cable company will (sometimes) contact the owner of the compromised computer.&lt;br /&gt;&lt;br /&gt;The giveaway for those DSL or cable senders is a so-called "generic address."  I'll pick two examples from today's incoming spam. The hostname &lt;span style="font-family: courier new;"&gt;wsip-70-183-84-39.dl.dl.cox.net&lt;/span&gt; is generic.  It's got numbers in it that are the same as its IP address.  
The hostname &lt;span style="font-family: courier new;"&gt;mercury1.networknoc.com&lt;/span&gt; is not generic.  If it's not a generic name, it's not one of those home machines.  It's either web hosting or a small business.  You can figure out who the ISP is with your &lt;span style="font-family: courier new;"&gt;traceroute&lt;/span&gt; or &lt;span style="font-family: courier new;"&gt;tcptraceroute&lt;/span&gt; program.   You'll never figure out who the owners of the individual cable/DSL zombies are.  But their ISPs know.  You can &lt;span style="font-style: italic;"&gt;try &lt;/span&gt;calling the owners of the exploited web servers themselves.  But if you can't talk about the spam they're sending authoritatively, they'll think you're just harassing them or trying to sell something.  It's easier to just send a spam sample to the abuse address at their ISP.&lt;br /&gt;&lt;br /&gt;Sometimes spammers break into other people's computers to host their name servers or Web servers or both.  Never go to the URL in a spam message.  If you use MS-Outlook [Express] or Thunderbird don't even open your email with image display enabled.  But you can trace the name in the URL.  And you can trace the name servers.  They're named in the domain's Whois entry or you can look them up with your &lt;span style="font-family: courier new;"&gt;host&lt;/span&gt; or &lt;span style="font-family: courier new;"&gt;nslookup&lt;/span&gt; or &lt;span style="font-family: courier new;"&gt;dig&lt;/span&gt; commands.  If the servers are on cable/DSL or at hosting places in western Europe, Australia, or North America, report them.  Elsewhere, it's probably not worth the trouble.  If it's in China, South Korea, Russia, or Bulgaria, sad to say, don't bother.  As far as I know, all ISPs in those countries are spammer-friendly.  You can look up the ISP at Spamhaus.org if you're not sure.  
There is no point in reporting spam to a spammer-friendly ISP.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;"Free" email providers.&lt;/span&gt;  A certain type of spammer prefers to use throwaway accounts at Yahoo Mail, Hotmail, Excite.com, etc.  Those are the "advance fee fraud" or "Nigeria 419" scammers.  If they're fresh, report these to the abuse address at the email company.  If you received it more than 24 hours ago, don't bother.  Notice that the "Reply to" address is hardly ever the same as the "From" in these things.  Sometimes the Reply to address is repeated in the message body.  Those are the ones that are worth reporting.  The From address had already been discarded by the time you saw the spam.&lt;br /&gt;Notice that &lt;span style="font-family: courier new;"&gt;abuse@hotmail.com&lt;/span&gt; does not work and never has.  Hotmail (Microsoft) thinks the rules of the Internet don't apply to &lt;span style="font-style: italic;"&gt;them&lt;/span&gt;, and their special abuse address is &lt;span style="font-family: courier new;"&gt;report_spam@hotmail.com&lt;/span&gt;.  Also, the abuse address for Yahoo Mail is always &lt;span style="font-family: courier new;"&gt;abuse@yahoo.com&lt;/span&gt;, even for the country domains like &lt;span style="font-family: courier new;"&gt;yahoo.co.uk&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;That's all.  If you're savvy enough to find other assets in the spammer's network, you already knew all this stuff and didn't have to read this far.  Experts go after the credit card processors.  Uber-experts sometimes take legal action.  But this is not work for amateurs.  Remember spammers are criminals.  Spam is international organized crime.  
You don't want to provoke these people if you don't know what you're doing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-7233698932608137366?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/7233698932608137366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=7233698932608137366' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/7233698932608137366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/7233698932608137366'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/03/where-to-report-spam.html' title='Where to report spam'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-3551460107834981164</id><published>2007-03-22T09:07:00.000-07:00</published><updated>2007-03-22T09:18:12.170-07:00</updated><title type='text'>Advice to an unwilling spammer host</title><content type='html'>I reported a spam to an email admin at an Indian reservation.  He replied with a nice thank you note.  His technician has been trying to stop the spam coming out of their &lt;span style="font-size:85%;"&gt;MSFT &lt;/span&gt;system for a few days, with no success.  
I offer general advice:&lt;br /&gt;&lt;br /&gt;Hi Justin, thanks.&lt;br /&gt;&lt;br /&gt;I hope you won't mind some unsolicited general advice about the problem.&lt;br /&gt;&lt;br /&gt;You're using a Microsoft system for your exposed email server.  That's going to be an ongoing headache.  Believe it or not, and despite everything you have read in the trade press and heard from Microsoft's sales force, their operating system is not designed to be exposed (on a "routable" address) directly to the Internet.&lt;br /&gt;&lt;br /&gt;The customers Microsoft listens to, that they design their system for, are the Fortune 500 corporations.  Consumers, small business, and distributors like Dell and Gateway, are taken for granted, because they have been taught they "have no choice."  Their (our) needs are not considered in Microsoft's design decisions.   Fortune 500 corporations do not expose Microsoft systems to the Internet.  They hide them behind layers of protection: proxy servers, firewalls, "policy servers," and other equipment.&lt;br /&gt;&lt;br /&gt;You would be wise to start thinking about placing some non-Microsoft system between your exposed address and your internal Microsoft email system, to relay email in and out, and be a firewall.  PCs are very cheap now.  You can put a PC running FreeBSD or GNU+Linux between the Internet and your private network for less than you spend on "anti-virus" junk for a few MSFT machines.  The PC you retired because it wasn't fast enough to run Windows XP very well will usually do.  
You can stop the "virus" email and 90% of the incoming spam with it, as well as the criminals who compromised your current system.&lt;br /&gt;&lt;br /&gt;It takes a bigger PC to run today's comprehensive spam and virus filters, but even a serious compute engine only costs a few hundred bucks these days, and all the software you need to do it is truly free and trustworthy.&lt;br /&gt;&lt;br /&gt;A painless and risk-free first step down this road is to try a couple of "Live Linux" CDs.  These let you temporarily run a fully functional computer system on your current PC, directly off the CD, without disturbing your current software installation and without installing anything.  I recommend Knoppix.net, but Ubuntulinux.org is more popular.  If you have an older, smaller PC, you might try damnsmalllinux.org instead.&lt;br /&gt;&lt;br /&gt;--&lt;br /&gt;Best wishes,&lt;br /&gt;Cameron in San José&lt;br /&gt;http://greens.org/cls/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-3551460107834981164?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/3551460107834981164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=3551460107834981164' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3551460107834981164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/3551460107834981164'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/03/advice-to-unwilling-spammer-host.html' title='Advice to an unwilling spammer 
host'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-2638619667779227616</id><published>2007-03-19T13:46:00.000-07:00</published><updated>2007-03-19T15:12:05.062-07:00</updated><title type='text'>Spamassassin and Amavis</title><content type='html'>After resisting for years, I've taken the second step &lt;span style="font-weight: bold;"&gt;down the slippery slope&lt;/span&gt; of content filtering.  My first lines of spam defense will continue to be source blocking and SMTP mistake-catching.  But that only gets you so far.  The criminals who break into legitimate web hosts get through.  The only way to get them is to analyze the messages.&lt;br /&gt;&lt;br /&gt;The first step was &lt;a href="http://www.postfix.org/"&gt;Postfix&lt;/a&gt;' &lt;span style="font-family:courier new;"&gt;header_checks&lt;/span&gt; and &lt;span style="font-family:courier new;"&gt;body_checks&lt;/span&gt;.  They stop some of the most obvious stuff.  But Postfix warns you not to get carried away, and you can't combine different checks.  "If it says it's from Paypal but it wasn't sent from their IP space" is too complex.&lt;br /&gt;&lt;br /&gt;The second step is a big one.  We set up a special local server, &lt;a href="http://www.ijs.si/software/amavisd/"&gt;Amavis-new&lt;/a&gt;, that Postfix can consult &lt;span style="font-style: italic;"&gt;as it decides &lt;/span&gt;whether to accept a message.  This evaluation has to happen fast, while the sender (client) is waiting for the receiver's (server's) decision.  Once you accept the message into your delivery queue, it's too late to refuse it.  
You can't &lt;span style="font-style: italic;"&gt;return &lt;/span&gt;it, because once it's yours you don't really know where it came from.  The client is long-gone, and the "&lt;span style="font-family:courier new;"&gt;From:&lt;/span&gt;" address in spam is always a lie.&lt;br /&gt;&lt;br /&gt;Amavis-new's biggest module is &lt;a href="http://spamassassin.apache.org/"&gt;Spamassassin&lt;/a&gt;, a collection of thousands of little "tests" that can be intricately selected, combined, and scored.  Amavis-new considers Spamassassin's opinion of the message and advises Postfix to refuse the spammiest.  It leaves marks on the messages it accepts, so that the final recipients can sort them as they're delivered.  A very cool contraption.  Each part is carefully and independently maintained.&lt;br /&gt;&lt;br /&gt;It's software for professionals; the "documentation" is great reference material but scant tutorial.  And there are lots of ways to put the pieces together.  The maintainers of each piece have rather little to say about all those ways.  They're responsible for their respective pieces, but &lt;span style="font-style: italic;"&gt;you're&lt;/span&gt; responsible for your contraption.  I have the O'Reilly &lt;a href="http://www.oreilly.com/catalog/spamassassin/"&gt;Spamassassin book&lt;/a&gt; and the &lt;a href="http://nostarch.com/postfix.htm"&gt;No Starch Postfix book&lt;/a&gt; (they're both pretty good)  and I still had to ask for help.  Someone on the Debian-ISPs list sent me exactly the clue I needed, immediately.  Somewhere in &lt;a href="http://www.ijs.si/software/amavisd/amavisd-new-docs.html"&gt;Amavis-new's documentation&lt;/a&gt; they tell you that &lt;span style="font-family:courier new;"&gt;amavisd&lt;/span&gt; will only mark up messages destined for "local" recipients.  That's what the &lt;span style="font-family:courier new;"&gt;@local_domains_maps &lt;/span&gt;variable is about.  
It's in the sample config file.&lt;br /&gt;&lt;ul&gt;&lt;code&gt;@local_domains_maps list of lookup tables are used in deciding whether a&lt;br /&gt;recipient is local or not, or in other words, if the message is outgoing&lt;br /&gt;or not. This affects inserting spam-related headers for local recipients,&lt;br /&gt;limiting recipient virus notifications (if enabled) to local recipients,&lt;br /&gt;in deciding if address extension may be appended, and in SQL lookups&lt;br /&gt;for non-fqdn addresses. Set it up correctly if you need features&lt;br /&gt;that rely on this setting (or just leave empty otherwise).&lt;/code&gt;&lt;br /&gt;&lt;/ul&gt;Well that clears everything up.   Spamassassin itself is distributed through the amazing &lt;a href="http://www.cpan.org/"&gt;Comprehensive Perl Archive Network&lt;/a&gt;.  Perl just &lt;span style="font-style: italic;"&gt;gets it&lt;/span&gt; for you.  Even though Perl is nearly as efficient doing complicated things as you would be in a lower-level compiled language, there are a lot of tests and Spamassassin is big and slow.  You can run Postfix on any old PC, but you need a modern CPU and lots of RAM to run this contraption.  
I'm going through disabling the tests that duplicate things I already did in Postfix.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-2638619667779227616?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/2638619667779227616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=2638619667779227616' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2638619667779227616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/2638619667779227616'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/03/spamassassin-and-amavis.html' title='Spamassassin and Amavis'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116933362656535403</id><published>2007-01-20T13:46:00.000-08:00</published><updated>2007-03-15T16:05:45.836-07:00</updated><title type='text'>Eureka! It's the Final Ultimate Solution to the Spam Problem (FUSSP)</title><content type='html'>It comes up all the time.  "We're losing this escalating battle of blocking and filtering and reporting abuse.  So why don't we just &lt;span style="font-weight: bold;"&gt;change the public SMTP email system&lt;/span&gt; (insert technological wonder fix here) so it's less vulnerable.  I'm a genius!  
&lt;span style="font-weight: bold;"&gt;I've invented the Final Ultimate Solution to the Spam Problem&lt;/span&gt; (&lt;span style="font-size:85%;"&gt;FUSSP&lt;/span&gt;)&lt;span style="font-weight: bold;"&gt;!&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Technological wonder fixes&lt;/span&gt; include: centralized filtering plants like Postini, Sender Policy Framework, postage via (insert your pet micropayment scheme here), certify senders at some central authority, Challenge-Response systems, block by default and whitelist by default, and more.&lt;br /&gt;&lt;br /&gt;Each of these techno-fixes has its own faults, which have been well described elswhere.   But  they share one common problem: if you somehow magically manage to impose (insert aforementioned techno-fix here) across the whole Internet, it's not the public &lt;span style="font-size:85%;"&gt;SMTP&lt;/span&gt; email system any more.  So what you are really proposing is to &lt;span style="font-style: italic; font-weight: bold;"&gt;replace the public email system with some other system&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;All revolutions have the same problem.  First you smash the state.  Then your replacement state is supposed to take over.  But the instant the state is smashed, there's a power vacuum, and a race with no rules begins.  While your replacement state is fiddling around with tedious processes like elections and confirmations and adopting a constitution, a bunch of thugs is establishing an unethical dictatorship.  It's faster.  First brute to the top claims the flag, no matter who he had to kill to get there.  If the public email system falls, its replacement will be worse.  Here's why.&lt;br /&gt;&lt;br /&gt;In prehistoric times, before, say, 1994, the Internet was governed cooperatively, by consensus, by bodies like the Internet Engineering Task Force (&lt;span style="font-size:85%;"&gt;IETF&lt;/span&gt;).  
New services were developed, or at least adopted, in the open.  Standards were evaluated by their merits.  A simple rulebook, the set of &lt;span style="font-size:85%;"&gt;IETF&lt;/span&gt; Requests For Comment, said how everything would work together.  SMTP email is RFCs 2821 and 2822.  They sort of depend on rules of responsibility like RFC 2142 (it says your postmaster@ and abuse@ addresses are supposed to work...) among others.  There was never any RFC Police, it was simply known that if your software didn't conform it wouldn't work well with other people's software, and if you had abusers on your network everybody would wall you off in their firewalls and you'd lose your connectivity, and that was enough.  &lt;span style="font-weight: bold;"&gt;The public email system was developed under this system of merit-based consensus.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Creating the Internet may be the &lt;span style="font-weight: bold;"&gt;biggest project in human history done under consensus governance&lt;/span&gt; and functional Anarchy. &lt;span style="font-style: italic;"&gt;Anarchy&lt;/span&gt; with a capital A doesn't mean chaos, it means there's so much personal responsibility that you don't need a government.   Nobody in charge.  No cops, none needed.&lt;br /&gt;&lt;br /&gt;Then a bunch of &lt;span style="font-style: italic;"&gt;marketroids &lt;/span&gt;took over. They emerged from pods which arrived from outer space or Wall Street or someplace, an invading army of high maintenance parasites.  Moneymen.  They brought with them the unethical concept of &lt;span style="font-weight: bold;"&gt;intentionally violating the RFCs&lt;/span&gt; to obtain some kind of competitive advantage.  Microsoft (stock symbol &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt;) announced it was going to "embrace and extend the Internet!" 
and published a bunch of software that doesn't play well with everybody else's, &lt;span style="font-style: italic;"&gt;on purpose&lt;/span&gt;, to begin to force computer users and developers to choose between universal interoperability and the way that &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt; could control.&lt;br /&gt;&lt;br /&gt;At about the same time, a tiny handful of Internet "entrepreneurs" decided the rules that held the network together didn't apply to &lt;span style="font-style: italic;"&gt;them&lt;/span&gt;, and they were going to let their customers develop email spam as a new kind of advertising medium.  (Which makes as much sense as going into business sticking advertisements on &lt;span style="font-style: italic;"&gt;other people's&lt;/span&gt; store windows and billboards, and garage doors, and trees...)  Net99, later known as &lt;span style="font-size:85%;"&gt;AGIS&lt;/span&gt;, was the first to be really public about it.  They said consensus governance was "a throwback to the sixties" and the people who used it were "neckbeard geeks."  They went under, but the idea caught on with the marketroids, who were still trying to figure out whether they were going to "turn the Internet into" a new kind of shopping mall or a new kind of television.  Anything but a new kind of public library or college.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The days of friendly consensus were over.&lt;/span&gt;  Netscape and &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt; introduced conflicting "extensions" to &lt;span style="font-size:85%;"&gt;HTML&lt;/span&gt;, the language of Web pages.  Yahoo and &lt;span style="font-size:85%;"&gt;AOL&lt;/span&gt; each introduced instant messaging that didn't talk to the other guy's system.  
Real Networks got away with introducing a trade secret way to stream audio, killing off the far more economical and efficient and open system of multicasting, and the &lt;span style="font-size:85%;"&gt;MBONE&lt;/span&gt; network that had used it for years.  &lt;span style="font-weight: bold;"&gt;Any replacement "email" system will go the same way.&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;Competing systems that don't talk to each other.&lt;/span&gt;  At least not very well.&lt;br /&gt;&lt;br /&gt;Will we use &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt;'s micropayment scheme, or Yahoo's, or Ebay's, or Google's?  Will email software have to know how to use all four?  What if &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt;'s system doesn't work with the other three but they ship it in Vista Service Pack 1?  I can answer that: &lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt; owns and controls the new "email" system.&lt;br /&gt;&lt;br /&gt;At the same time we lost the ability to deploy new open services, we pretty much &lt;span style="font-weight: bold;"&gt;lost the ability to deploy major changes&lt;/span&gt; to the services already in use.  You can break the system we have into pieces, but there is no way to push a significant change in how things work all the way out to the edges.  Most people administering email systems today have never heard of the &lt;span style="font-size:85%;"&gt;IETF&lt;/span&gt; and wouldn't read an RFC to save their businesses.  
They just do whatever the salesman or the tech support voice tells them to so they can go back to their "real" job.&lt;br /&gt;&lt;br /&gt;So it turns out we only have two choices, fight to save the system we have, or let the bad guys destroy it while the marketroids sit back and laugh.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116933362656535403?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116933362656535403/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116933362656535403' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116933362656535403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116933362656535403'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/01/eureka-its-final-ultimate-solution-to.html' title='Eureka! It&apos;s the Final Ultimate Solution to the Spam Problem (FUSSP)'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116905425382994316</id><published>2007-01-17T08:47:00.000-08:00</published><updated>2007-01-17T09:17:34.016-08:00</updated><title type='text'>Phish spammer convicted under CAN-SPAM</title><content type='html'>This was on the business page in the Los Angeles Times.   
"An Azusa man who defrauded users of Time Warner Inc.'s America Online unit by sending e-mails requesting credit data became the first defendant found guilty by a jury under a 2003 federal law barring Internet spam."  (&lt;a href="http://www.latimes.com/technology/la-fi-spam17jan17,1,5367016.story"&gt;Link&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;The so-called "&lt;a href="http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm"&gt;CAN-SPAM Act&lt;/a&gt;" (aka You Can Spam Now) doesn't actually ban spam, it &lt;span style="font-weight: bold;"&gt;legalizes&lt;/span&gt; it.  It specifies a few things spammers must do to be "legitimate."  No fake headers, valid "remove" mechanism, physical contact info.  Almost all spammers ignore this law, as they ignore other laws.  (In 1997 the Direct Marketing Association, fronted by an &lt;span style="font-weight: bold;"&gt;utterly clueless ACLU&lt;/span&gt;, killed &lt;a href="http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.1748:"&gt;the only reasonable spam law ever written in the US Congress&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;According to the story, this was a one-man phishing operation and the guy took in about a million dollars.&lt;br /&gt;&lt;br /&gt;Four years to the first conviction.  Sentencing in June.  My prediction: the criminal positions himself as a "businessman" and gets a pat on the wrist.  Fine and probation, and he doesn't even give up all the ill-gotten gains.  At worst he goes to one of those "gentlemen's" minimum security places for a month or two.&lt;br /&gt;&lt;br /&gt;Well, congratulations to AOL for pushing this through.  
We know the FBI doesn't move on these cases unless someone does most of the work for them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116905425382994316?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116905425382994316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116905425382994316' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116905425382994316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116905425382994316'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/01/phish-spammer-convicted-under-can-spam.html' title='Phish spammer convicted under CAN-SPAM'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116847850232144721</id><published>2007-01-10T16:24:00.000-08:00</published><updated>2007-01-10T17:21:42.400-08:00</updated><title type='text'>But I use an antivirus!</title><content type='html'>I got a fake Bank of America message yesterday, sent from a compromised MS-Windoze computer on Surewest DSL.  Left a message on the owner's Web site and he called me.&lt;br /&gt;&lt;br /&gt;He was pretty angry, but it wasn't at me in particular.  He's trying to run email service for three hundred customers on that computer, using some commercial mail-server-in-a-box product.  
He'd already fielded four trouble calls on it that day, and that was a typical day.   It's keeping him from running his web design business.  He didn't know it was spamming.  Surewest hadn't called him, of course, despite my report to their RFC2142 abuse address.&lt;br /&gt;&lt;br /&gt;The email server wasn't coping with the spam load, and it was just "falling over."  He's not using a DNSBL, but trying to filter the raw stream.  Sorry, buddy, a 3 GHz P4 can't keep up with that any more.  You &lt;span style="font-style: italic;"&gt;have &lt;/span&gt;to block some fraction of it first.&lt;br /&gt;&lt;br /&gt;He was absolutely sure he couldn't possibly have a spam bot or an intruder.  Because he spends $hundreds/year on antivirus software (and the one he uses has a better reputation than Symantec or McAfee), checkups by Web sites, and specialized software that's supposed to monitor his outbound traffic for spam content.  Evidently these measures don't work so well.&lt;br /&gt;&lt;br /&gt;He was absolutely sure the spammers were "spoofing his IP address."  That's so hard to do that even though the big spam gangs know how to do it, they don't bother.  An explanation of why that's true would have gone high over his head so I didn't try.&lt;br /&gt;&lt;br /&gt;It took a while but I got him to look in his server's outbound queue, and there were hundreds of Bank of America and Amazon phishes waiting to go out.  Not all receivers are ready on the first try.  He was puzzled.  You're only looking at the leftovers, buddy, most of it's been sent.  That was what it took to convince him something was happening on his machine that he didn't know about.  The spambot was generating phish messages and letting his commercial email software queue it and send it.  
Phishers seem to like doing it that way.  Exploiting a legitimate server doesn't get you blocked so much.&lt;br /&gt;&lt;br /&gt;I explained that no antivirus can defend you from the zero-day threat, that is, an attack so new your antivirus doesn't detect it yet.  It was the first time he'd heard of that.&lt;br /&gt;&lt;br /&gt;We talked about possible solutions but he wasn't confident he could do any of them without disrupting his business.  He'd been considering outsourcing the email operation and I think this convinced him.  Spammers drove a small businessman out of the field, after nearly ruining his business and his life.  Now there are fewer choices of email providers for the rest of us.  &lt;span style="font-weight: bold;"&gt;Tell that to some bozo who thinks spam doesn't hurt anybody&lt;/span&gt; and you should "just hit delete."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116847850232144721?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116847850232144721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116847850232144721' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116847850232144721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116847850232144721'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/01/but-i-use-antivirus.html' title='But I use an antivirus!'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116820377037791745</id><published>2007-01-07T12:49:00.000-08:00</published><updated>2007-01-07T13:02:50.566-08:00</updated><title type='text'>Google doing SMTP callbacks now?</title><content type='html'>A comment posted to my callbacks article suggests Google may have resorted to&lt;span style="font-size:85%;"&gt; SMTP&lt;/span&gt; callbacks.  A&lt;span style="font-size:85%;"&gt;KA&lt;/span&gt; Sender Address Verification.  Not only that, but their callback sender identifies itself as &lt;span style="font-family:courier new;"&gt;mx.google.com&lt;/span&gt;, and that name doesn't resolve in &lt;span style="font-size:85%;"&gt;DNS&lt;/span&gt;.  If it's true, everybody running an email server faces a choice.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;We can figure out how to configure our servers to accept the bad &lt;span style="font-size:85%;"&gt;HELO&lt;/span&gt; name from Google.  But we can't just give &lt;span style="font-family:courier new;"&gt;mx.google.com&lt;/span&gt; a pass, because then the spammers would all use that name.&lt;/li&gt;&lt;li&gt;We can let Google's callbacks fail.  
Then Gmail users will refuse our email and they won't know why.&lt;/li&gt;&lt;/ol&gt;Maybe it's just a transient failure, and Google will publish an Address resource record in &lt;span style="font-size:85%;"&gt;DNS&lt;/span&gt; for &lt;span style="font-family: courier new;"&gt;mx.google.com&lt;/span&gt; and fix it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116820377037791745?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116820377037791745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116820377037791745' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116820377037791745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116820377037791745'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/01/google-doing-smtp-callbacks-now.html' title='Google doing SMTP callbacks now?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116784730243909639</id><published>2007-01-03T09:33:00.000-08:00</published><updated>2007-01-03T10:01:46.980-08:00</updated><title type='text'>Why there is spam</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Spamming is a lot like other types of industrial pollution.&lt;/span&gt;  It happens because &lt;span style="font-weight: bold;"&gt;"legitimate" Internet companies make a 
calculated business decision&lt;/span&gt; that they can get away with tolerating it to some degree.  Some tolerate a lot, others hardly any.  They know there won't be any law enforcement.  The main consequence of hosting spammers is some of their IP addresses will get listed in databases like the Spamhaus Block List.  (There won't even be adverse publicity: the rare newspaper or trade journal story &lt;span style="font-style: italic;"&gt;never &lt;/span&gt;holds the "legitimate" ISPs responsible.)  Some just want to save the money an abuse desk staff would cost.  Or they've laid off the technical staff that would have been able to block the outbound "port 25" route the bot-nets send through.  Others are attracted to the high rates the big spammers are willing to pay.  The twenty-something MBAs and uninformed, timid lawyers who influence these decisions can find plenty of justifications for tolerating spammers on their networks.  &lt;span style="font-weight: bold;"&gt;Just as they can justify dumping toxic waste&lt;/span&gt; overseas, stinking feedlots, clearcut runoff, and any other pollution whose source is at all obscure.&lt;br /&gt;&lt;br /&gt;In the early days of the crisis, spammers simply paid more for the same service than law-abiding customers would.  It was understood the premium was a fee for the ISP to ignore some level of complaints.  A few ISPs (AT&amp;T and Paetec...) got caught putting this agreement in writing; we call that a &lt;span style="font-style: italic;"&gt;pink contract&lt;/span&gt;.  Pink is the color of Hormel's SPAM.&lt;br /&gt;&lt;br /&gt;For all I know there are still pink contracts in Asia and eastern Europe, but I haven't heard a pink contract allegation against a North American ISP in years.  Here in North America, the spammer simply buys much more service than he is actually going to use.  
He rents a whole rack in the data center to hold just one or two servers, or he orders a $5000/month T-3 connection when a $600/month T-1 or $100/month SDSL connection would easily handle the traffic he is going to generate.  (He's not going to send spam through his own link, he's just going to host the target Web sites and control his bot-nets through it.)  &lt;span style="font-weight: bold;"&gt;Salespeople&lt;/span&gt; for Internet services beyond the consumer retail level, it seems, &lt;span style="font-weight: bold;"&gt;work on commission&lt;/span&gt;.  So the &lt;span style="font-weight: bold;"&gt;overspending by the spammer gives him an advocate inside the ISP&lt;/span&gt; who will fight hard to keep him connected despite the complaints, and despite the crimes he is committing which the ISP is an accessory to.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Spammers are a natural response to the ecological niche that tolerance creates.&lt;/span&gt;  It's no more their "fault" than a dirty kitchen is the fault of the cockroaches that thrive there.  The rationalization we hear from the hosting companies is almost always simple buck passing.  
It's &lt;span style="font-style: italic;"&gt;always &lt;/span&gt;somebody else's fault, their "hands are tied," you're complaining to the wrong people, yadda yadda yadda.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116784730243909639?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116784730243909639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116784730243909639' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116784730243909639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116784730243909639'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2007/01/why-there-is-spam.html' title='Why there is spam'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116649578688137987</id><published>2006-12-18T17:45:00.000-08:00</published><updated>2006-12-18T18:36:27.236-08:00</updated><title type='text'>what's wrong with filtering?</title><content type='html'>Here's the most common reaction I get from my friends to my concerns about the spam crisis.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;I don't get much spam.  
Postini/Yahoo/Earthlink (etc) filters it into a spam box for me and I never even look at it.&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;You may not have seen it, but &lt;span style="font-weight: bold;"&gt;you still PAID FOR IT&lt;/span&gt;.  Every message your ISP received for filtering cost network bandwidth.  Bandwidth costs money.  Every message your ISP stored because there's too much volume to filter in real time cost storage space. Disk drives may be really cheap but managing them and backing them up and powering them and cooling them isn't. Filtering one 50 KB message for spam and attachment viruses takes several tenths of a second on a 2GHz CPU that burns 80 watts.  That's as much energy as sending you a typical web page, and it happens many times more often.  With billions of spam messages per day, spam is consuming significant amounts of fossil fuel.  One ISP told me &lt;span style="font-weight: bold;"&gt;spam filtering consumes more electricity than everything else in his data center&lt;/span&gt;.   Now that spam is 97% of email, and the average spam message size is over 10KB, the cost of receiving and storing and filtering all that junk that you "never see" is &lt;span style="font-weight: bold;"&gt;the biggest component of the cost of your Internet service&lt;/span&gt;.  You don't see it in your inbox, you see it on your monthly bill and you'll see it in anthropogenic climate change.&lt;br /&gt;&lt;br /&gt;But there's a bigger problem that filtering doesn't solve.  The volume of spam has been doubling in less than a year.  It could double ten more times.  There are enough vulnerable Microsoft PCs for spammers to take over.  Spam would be more than 99.9% of email.  But you could not stand to pay two hundred times as much for Internet service.  Filtering will hide the problem from consumers until most of the Internet email system has already collapsed.  
It will prevent us from doing anything &lt;span style="font-style: italic;"&gt;effective &lt;/span&gt;to stop spam and save email.&lt;br /&gt;&lt;br /&gt;That's the real harm filtering does.  Hiding the problem prevents you from fixing it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116649578688137987?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116649578688137987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116649578688137987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116649578688137987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116649578688137987'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/12/whats-wrong-with-filtering.html' title='what&apos;s wrong with filtering?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116603860077803137</id><published>2006-12-13T10:32:00.000-08:00</published><updated>2007-02-26T07:51:57.762-08:00</updated><title type='text'>dirty bird award to Yahoo Inc</title><content type='html'>You already knew Yahoo Mail is the Nigerian advance fee fraud gang's favorite drop-box provider.  Just look at where those thousands of widows of the late dictator want you to send your bank information.  
&lt;span style="font-weight: bold;font-family:courier new;" &gt;criminal@yahoo.com&lt;/span&gt;.  They're easy to create, and, to put it politely, Yahoo isn't very good at discovering them and taking them down.&lt;br /&gt;&lt;br /&gt;Most of the spam I've got in the last couple of years has been for pills and scams.  The porn spammers have been avoiding me.  They're smart enough to know that I file accurate complaints to the right places, and they just don't need the grief.  Unlike the pills and other scams, porn is a legitimate business, and they know the value of a suppression list.&lt;br /&gt;&lt;br /&gt;But for the last week or so, I've started getting porn spam again, and it's all been from one "company," the &lt;a href="http://www.spamhaus.org/rokso/listing.lasso?-op=cn&amp;spammer=Webfinity/Dynamic%20Pipe"&gt;Webfinity/Python Video/Dynamic Pipe/Global Media spam gang&lt;/a&gt;.  The reason I'm seeing it is they're sending it to my postmaster address.  That address isn't as heavily guarded as the others, because it needs to accept spam reports from blocked addresses with filter-triggering content.  (That's complying with the letter and spirit of IETF RFC2142.)&lt;br /&gt;&lt;br /&gt;This gang has a special modus operandi.  They break into people's servers to send their junk.  They get better delivery rates that way, compared to sending from bot-nets in consumer broadband country.  But lots of spam criminals are doing that these days.  Python's trick is they use compromised consumer Microsoft PCs (on cable TV or DSL) to host a &lt;span style="font-weight: bold;"&gt;special layer of servers&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Most spammers just use "bullet-proof" web hosting in China or Romania or Russia (or on Yahoo Small Business).  These Python Video guys ultimately send you to their bullet-proof Web site.  It's hosted, right now, on an entity called Rackco.com which is connected to the Internet through oblivious Internet company Teleglobe.  
I suspect Rackco is just another name for Python Video.  It's a pretty common ploy.  The spammer pretends to be a hosting company who is struggling with a series of badly behaved (spamming) customers.  They could stall Teleglobe that way for years.&lt;br /&gt;&lt;br /&gt;But the URL in the Python spam is always hosted on five compromised broadband Microsoft PCs.  If you're stupid enough to click on the link in your graphical email program, you get sent to one, chosen at random.  This morning, four of them are on Proxad in France, and one is in South Korea.  Yesterday it was Comcast and SBC/AT&amp;T.  They move around quickly.  They support that by using special name service, with a "short time-to-live", and that name service is &lt;span style="font-style: italic;"&gt;also &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;hosted on consumer broadband Microsoft PCs&lt;/span&gt;.   Spamhaus.org calls that technique "fast flux." This morning all four name servers are on Proxad.  In the last week, these special "servers" have been hopping around on Time Warner Road Runner, Cox, Optimum Online (Cablevision), Aliant, Bell Canada, Comcast, Eastlink, Cablegalicia (Spain), Cable Bahamas, and Le Groupe Videotron.&lt;br /&gt;&lt;br /&gt;The special web servers send a 404 HTTP response, "page not found", but the 404 page comes with a refresh directive that sends you to another page on the same "server", with links to Python's bestiality porn sites in Russia.  I guess the 404 is to throw the search engines off or something.&lt;br /&gt;&lt;br /&gt;It doesn't do a lot of good to report the compromised Microsoft PCs to the cable companies.  They don't care, and even if they were to do something, Python would just rotate in the next set, from an endless supply.  Python is in Canada.  Canada will bust you for selling High Times magazine, but they don't give a damn about Python's ongoing computer crime and exposing minors to bestiality porn.  
That's &lt;span style="font-style: italic;"&gt;business&lt;/span&gt;.  The porn hosting companies in Russia are part of the gang, untouchable.&lt;br /&gt;&lt;br /&gt;The one place where Python's operation touches ground is at its domain name registrations.  They churn through dozens or hundreds of domain name registrations per day, at ten bucks a pop.  They have to use new names every day to stay ahead of the "seen in spam" block listing.  Guess who they use.  &lt;a href="http://smallbusiness.yahoo.com/domains"&gt;&lt;span style="font-weight: bold;"&gt;YAHOO DOMAINS&lt;/span&gt;&lt;/a&gt;, every time. Think Yahoo Inc doesn't know?&lt;br /&gt;&lt;br /&gt;UPDATE  Feb. 26 '07 :  For the last couple of weeks, the Python gang has been registering its throwaway porn domains with Tucows and Register.com. But the "remove" domains are still on Yahoo.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116603860077803137?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116603860077803137/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116603860077803137' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116603860077803137'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116603860077803137'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/12/dirty-bird-award-to-yahoo-inc.html' title='dirty bird award to Yahoo Inc'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116482908776004713</id><published>2006-11-29T11:01:00.000-08:00</published><updated>2007-01-19T03:29:26.956-08:00</updated><title type='text'>Spamming a compulsive disorder?  Pump and dump.</title><content type='html'>Well over half the junk that gets past my IP address blocking these days is pushing penny stocks.  The spammer or his client buys some shares of a thinly traded stock.  He pushes it with messages that try to look like investment newsletters.  He waits for some fools to buy it, and bump up the share price, and hopes he can spot the peak and sell there.  It's called &lt;span style="font-style: italic;"&gt;pump and dump &lt;/span&gt;and it's felony securities fraud.  Perps go to prison for it, if they keep doing it long enough.  Press releases from email firms like Sophos suggest pump and dump is about half the total spam volume now.&lt;br /&gt;&lt;br /&gt;The strange thing is you can look up the charts on the stocks these guys pick, and &lt;span style="font-style: italic;"&gt;they don't go up&lt;/span&gt;.  Sometimes the spam runs seem to make them go &lt;span style="font-style: italic;"&gt;down&lt;/span&gt;.  Not only that, but some of the pumping on a single stock lasts for weeks, way too long for this trick to work.  If this goose &lt;span style="font-style: italic;"&gt;ever &lt;/span&gt;laid a golden egg, the spammers have long since beaten her to death.  Recently they've been encoding their messages in images, to make it more expensive to filter.  The images are full of artifacts to defeat optical character recognition: pop-art background images, ink spatter, random lines and curves, that you'd never see in a real stock newsletter.  It's hard to imagine anyone would actually buy a stock promoted that way, even the dumbest would-be scammer.&lt;br /&gt;&lt;br /&gt;How can we explain this behavior?  
First, understand that most spam is sent by highly organized gangs, doing very large spam runs for paying clients.  The client pays up front, so the spammer gets paid even if the spam run loses money.  But what is going on in the head of a pump-and-dumper?  He's paying the spam gang, hundreds or thousands of dollars per run, on a gamble with very poor odds and a serious downside risk (prison time), and &lt;span style="font-style: italic;"&gt;he keeps doing it&lt;/span&gt;, in the &lt;span style="font-style: italic;"&gt;irrational expectation&lt;/span&gt; that the next time he'll hit the jackpot.  That's &lt;span style="font-weight: bold;"&gt;compulsive gambling&lt;/span&gt;.  It's a recognized mental disorder.  It's in the American psychiatric catalog.&lt;br /&gt;&lt;br /&gt;There's another aspect to it, that you'll discover if you contact spammers and try to talk to them about what they're doing, or if you read their rants in online forums like &lt;a href="news:news.admin.net-abuse.email"&gt;&lt;span style="font-family: courier new;"&gt;news.admin.net-abuse.email&lt;/span&gt;&lt;/a&gt;.  &lt;span style="font-style: italic;"&gt;Every &lt;/span&gt;spammer I have spoken to or otherwise heard from in ten years of doing this has had some level of denial about the nature and morality of what they are doing.  &lt;span style="font-style: italic;"&gt;Every &lt;/span&gt;spammer, from the sociopath Sanford Wallace to the bullet-proof porn spammer hosting guy on Merit.net to the anonymous Maoist spamming his/her manifesto.  They think &lt;span style="font-style: italic;"&gt;their &lt;/span&gt;message is different.  They think they're only doing insignificant damage to infinitely wealthy corporations.  They think the people trying to stop them are a conspiracy to stifle their "free speech" or unfairly compete with their business.  
Some think God told them to do it.&lt;br /&gt;&lt;br /&gt;That's exactly the delusion that comes with compulsive stealing, &lt;span style="font-weight: bold;"&gt;kleptomania&lt;/span&gt;.  What I'm doing isn't really hurting anyone, and the store detectives and the police are just out to get me.  It's in the catalog, too.&lt;br /&gt;&lt;br /&gt;I believe the leaders of the gangs you can hire to do spam runs are in it for the money.  But the people paying them for most of the spam runs  have some mental disorder.  There's nothing rational about it.   And the spammers-for-hire know it and exploit the illness.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116482908776004713?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116482908776004713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116482908776004713' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116482908776004713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116482908776004713'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/spamming-compulsive-disorder-pump-and.html' title='Spamming a compulsive disorder?  
Pump and dump.'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116424151706839637</id><published>2006-11-22T16:24:00.000-08:00</published><updated>2006-11-22T16:25:17.076-08:00</updated><title type='text'>Technorati link</title><content type='html'>&lt;a href="http://www.technorati.com/claim/ktqzv92fhm" rel="me"&gt;Technorati Profile&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116424151706839637?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116424151706839637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116424151706839637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116424151706839637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116424151706839637'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/technorati-link.html' title='Technorati link'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116423219722961157</id><published>2006-11-22T12:47:00.000-08:00</published><updated>2006-11-22T13:49:57.600-08:00</updated><title type='text'>The new whack a mole</title><content type='html'>Back in the good old days, spammers used stolen credit cards to buy dial-up service from retailers like Earthlink.  They'd "bulk" for a day or two and Earthlink would kill the account, and Earthlink or Visa would take the loss.  Even though Earthlink had full time staff identifying and killing the accounts, the volume of spam kept growing, because there was no way they could react fast enough.  &lt;span style="font-weight: bold;"&gt;Reaction doesn't work.&lt;/span&gt;  We called this game of disposable dial-up accounts "whack a mole."&lt;br /&gt;&lt;br /&gt;This problem wasn't really solved.  Major ISPs just blocked incoming email from the known dial-up network address ranges, and the delivery rates got so bad the spammers moved on to other illegal methods.  Eventually the dial-up providers blocked the route from their customers to other people's email servers, but they were locking the door to an empty barn.&lt;br /&gt;&lt;br /&gt;These days most spam comes from gangs of compromised computers organized into "bot-nets."  
Most of them are in consumers' homes, infected with malicious software (&lt;span style="font-style: italic;"&gt;malware&lt;/span&gt;) that only afflicts Microsoft's operating system, and connected to cheap "broadband" (&lt;span style="font-size:85%;"&gt;ADSL&lt;/span&gt; or cable &lt;span style="font-size:85%;"&gt;TV&lt;/span&gt;) and left on all the time.&lt;br /&gt;&lt;br /&gt;But a significant fraction of these spamming stations are low cost Web servers installed by the thousands in data centers like &lt;a href="http://www.ev1.net/"&gt;Everyone's Internet&lt;/a&gt; (EV1) and &lt;a href="http://www.schlund.de"&gt;Schlund&lt;/a&gt;.  You don't even have to corrupt their operating systems.  They're running years-old copies of &lt;a href="http://phpnuke.org"&gt;PHP-Nuke&lt;/a&gt; and &lt;a href="http://www.joomla.org"&gt;Joomla&lt;/a&gt; and &lt;a href="http://www.phpbb.com"&gt;phpBB&lt;/a&gt; and &lt;a href="http://www.squirrelmail.org/"&gt;Squirrel Mail&lt;/a&gt;.  Web applications any fool can install by clicking a button on the retailer's "&lt;a href="http://bobcares.com/article24.html"&gt;control panel&lt;/a&gt;."  Unfortunately, the "control panel" doesn't have a button for "bring my PHP-Nuke up to the current version."  And the guy who's renting time on one of these boxes has no idea how to install a security patch, and doesn't have the necessary access, and even if he did, the "control panel's" version of the application is just different enough from the original that you can't be sure a security patch for the original won't break it.&lt;br /&gt;&lt;br /&gt;Over time, &lt;span style="font-style: italic;"&gt;exploits &lt;/span&gt;become widely known for the old versions of these well known application programs.  Simple programs that know how to install a spam sending form through a security hole that was fixed in a later version of the program.  
High school kids trade them like baseball cards.&lt;br /&gt;&lt;br /&gt;Over time, a huge data center like Everyone's Internet is running tens or hundreds of thousands of instances of these exploitable Web applications.  But they're renting those low-cost servers to "virtual" Internet service providers or "resellers."  Sometimes there are layers of resellers and virtual ISPs.  The data center, who owns the IP addresses, doesn't know who the actual customers are.  They don't know  what domains the actual customers have.  And&lt;span style="font-weight: bold;"&gt; they don't &lt;span style="font-style: italic;"&gt;want&lt;/span&gt; to know&lt;/span&gt;.  It's that negligence that's bringing you most of those phish spams.&lt;br /&gt;&lt;br /&gt;So what happens is people like me get the phish spams and report them to the designated owners of the network addresses, because it is usually really hard for us to find the virtual ISP.  Everyone's Internet or Schlund forwards our complaints to the virtual ISPs, and they may or may not get passed down to someone who administers the exploited application or account.  Then people like me block the spam source in our email servers, or rely on public list operators like &lt;a href="http://www.spamhaus.org"&gt;Spamhaus.org&lt;/a&gt; to do it.  Eventually the end user starts to notice there are places that won't take legitimate email from the same address.  This sometimes leads to the compromised machine getting fixed or shut off and reloaded and rented to some other virtual ISP.  Sometimes both paths break down, due to widespread apathy, negligence, and irresponsibility, and the compromised machine sends spam for years, until so many spammers are using it that its drive fills up and it crashes.&lt;br /&gt;&lt;br /&gt;But most of the time the compromised system gets fixed within a few days or weeks.  Now consider a place like Everyone's Internet with ten thousand servers hosting a million "web sites."  
If half of them are exploitable and 1% are spamming at any time, there are five thousand spam sources in their data center at any time.  Just not the same ones from one day to the next.  Spammers have gotten really good at spreading the sources around.  This means Everyone's Internet, Schlund, &lt;a href="http://www.raditha.com/blog/archives/000388.html"&gt;Advanced Internet Technology&lt;/a&gt;, and a dozen more are huge, permanent sources of the worst kind of spam.  They're undercounted in the statistics from Spamcop and Spamhaus and Brightmail because no IP address accounts for much.  You can't say look, Leo Kuvayev is hosted at EV1 and they won't kill him, and give the IP address a Spamhaus advisory.  And EV1 can brag about how they kill spamming accounts within a day or two &lt;span style="font-style: italic;"&gt;of hearing about them&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;It's the new whack a mole, but without the hassle of stealing credit cards.&lt;br /&gt;&lt;br /&gt;What's wrong with this picture?  Well, somehow, there are &lt;a href="http://www.amhosting.com/"&gt;large hosting centers&lt;/a&gt; that don't have the problem.  There must be a well known solution, and there is.  &lt;span style="font-weight: bold;"&gt;Proactivity&lt;/span&gt;.  You don't wait for volunteers to report spam from your IP addresses.  You seed the Internet with a few hundred innocent-looking "spam trap" email addresses, and you automatically scan the resulting torrent of junk for spam from your own network.  Even better, you search the Internet for domains hosted on your network, and search those domains for known exploitable applications, and get them fixed or removed &lt;span style="font-weight: bold;"&gt;BEFORE&lt;/span&gt; they start spamming.  It's not rocket science.  It's probably cheaper than waiting for spam reports and following through on them.  But I'll bet it's not cheaper than just ignoring the problem and becoming a cesspool.  At least in the short and medium term.  
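&lt;br /&gt;&lt;br /&gt;Here is what the "scan the trap torrent for spam from your own network" step looks like in practice, as an added example that is not this page's tooling nor any hosting company's: a Python script that walks the Received headers of each trap message, keeps only the hops that fall inside the operator's own netblocks, skips the operator's own trap relay, and groups the offending addresses by the reseller each block is delegated to, so the report can go straight down the reseller chain.  The netblocks, reseller names, host names and the three sample messages are all constructed for illustration.&lt;br /&gt;&lt;br /&gt;

```python
"""Proactive spam-trap triage for a hosting network.

Added example, not the post's own tooling.  It assumes the trap mailbox
hands us raw RFC 822 messages and that the operator knows its own CIDR
blocks and which reseller each block is delegated to.  Every address,
host name and message below is constructed for illustration.
"""
import ipaddress
import re
from email import message_from_string

# Hypothetical netblocks owned by the hosting company, keyed to the reseller
# each one is delegated to (the layer the post says data centers ignore).
OWN_BLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): "reseller-a",
    ipaddress.ip_network("198.51.100.0/24"): "reseller-b",
}

# Our own trap MX sits inside one of those blocks and relays every trap
# message, so it must never be reported as a spam source.
TRUSTED_RELAYS = {ipaddress.ip_address("198.51.100.1")}

# IPv4 literal in square brackets, as MTAs write it in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return the bracketed IPv4 addresses from all Received: headers,
    most recent hop first (the order MTAs prepend them)."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for match in RECEIVED_IP.finditer(header):
            try:
                ips.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue  # e.g. an octet above 255 in a forged header
    return ips


def own_sources(raw_message):
    """Return (address, reseller) for every hop inside our netblocks that is
    not a trusted relay.  Hops outside our space are ignored: they are
    somebody else's problem, and Received: lines injected through a web
    form usually point there anyway."""
    hits = []
    for ip in received_ips(raw_message):
        if ip in TRUSTED_RELAYS:
            continue
        for net, reseller in OWN_BLOCKS.items():
            if ip in net:
                hits.append((str(ip), reseller))
    return hits


def triage(messages):
    """Group distinct spam-source addresses by reseller across a batch of
    trap messages."""
    per_reseller = {}
    for raw in messages:
        for ip, reseller in own_sources(raw):
            per_reseller.setdefault(reseller, set()).add(ip)
    return {r: sorted(ips) for r, ips in per_reseller.items()}


# Three constructed trap messages (headers abbreviated to what matters).
SAMPLE_TRAP_MAIL = [
    # 1: exploited web host in reseller-a's block sent straight to our trap MX.
    "Received: from trap-mx.example.net ([198.51.100.1])\n"
    "\tby trap.example.net with ESMTP; Wed, 22 Nov 2006 12:47:00 -0800\n"
    "Received: from web1234.hosting.example (web1234.hosting.example [192.0.2.45])\n"
    "\tby trap-mx.example.net with ESMTP; Wed, 22 Nov 2006 12:46:58 -0800\n"
    "From: newsletter@example.org\n"
    "To: trap-0042@example.net\n"
    "Subject: Hot stock tip\n"
    "\n"
    "Buy now.\n",
    # 2: reseller-b's host, driven by an outside client through a PHP form.
    "Received: from trap-mx.example.net ([198.51.100.1])\n"
    "\tby trap.example.net with ESMTP; Wed, 22 Nov 2006 13:02:10 -0800\n"
    "Received: from vhost77.reseller-b.example (vhost77.reseller-b.example [198.51.100.77])\n"
    "\tby trap-mx.example.net with ESMTP; Wed, 22 Nov 2006 13:02:09 -0800\n"
    "Received: from [203.0.113.7] by vhost77.reseller-b.example with HTTP\n"
    "From: support@example.com\n"
    "To: trap-0107@example.net\n"
    "Subject: Verify your account\n"
    "\n"
    "Click here.\n",
    # 3: spam from a network that is not ours; nothing to report.
    "Received: from trap-mx.example.net ([198.51.100.1])\n"
    "\tby trap.example.net with ESMTP; Wed, 22 Nov 2006 13:30:00 -0800\n"
    "Received: from mail.example.com (mail.example.com [203.0.113.9])\n"
    "\tby trap-mx.example.net with ESMTP; Wed, 22 Nov 2006 13:29:59 -0800\n"
    "From: deals@example.com\n"
    "To: trap-0042@example.net\n"
    "Subject: Cheap pills\n"
    "\n"
    "Order today.\n",
]

if __name__ == "__main__":
    for reseller, ips in sorted(triage(SAMPLE_TRAP_MAIL).items()):
        print(reseller, ips)
```

Run against the three samples it reports 192.0.2.45 to reseller-a and 198.51.100.77 to reseller-b, and nothing for the third message, because the only non-relay hop there is outside the operator's space.  The reseller table is the piece the post says the big data centers refuse to keep; without it the script can still name the address, but not who to send the ticket to.&lt;br /&gt;&lt;br /&gt;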
Why isn't this happening?  There's no real pressure on the big ISPs to force their customers to do work they don't want to do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116423219722961157?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116423219722961157/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116423219722961157' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116423219722961157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116423219722961157'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/new-whack-mole.html' title='The new whack a mole'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116395589907399610</id><published>2006-11-19T08:34:00.000-08:00</published><updated>2007-12-12T10:17:38.582-08:00</updated><title type='text'>One more way spammers damage the email system: SMTP Callbacks</title><content type='html'>A group I work with was refusing lots of legitimate email, and didn't know it.  
It turned out they are using a spam defense measure called "Sender Address Verification" or "SMTP callbacks," but their &lt;a href="http://en.wikipedia.org/wiki/DNS"&gt;DNS&lt;/a&gt; wasn't set up quite right.&lt;br /&gt;&lt;br /&gt;When your Internet service provider (ISP) tries to send a legitimate email to theirs, theirs puts that conversation on hold while it tries to verify that your sending address is valid.  They do that by &lt;span style="font-style: italic;"&gt;starting to send&lt;/span&gt; an email message to it.  When your ISP's email server says okay, I'll accept that, they break off their transmission, and allow your incoming email to continue.  That test message they almost sent is called a &lt;span style="font-style: italic;"&gt;probe message&lt;/span&gt; or &lt;span style="font-style: italic;"&gt;SMTP callback&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;But if your ISP's spam defense interprets their probe message as possible spam, for any reason, and refuses &lt;span style="font-style: italic;"&gt;or defers&lt;/span&gt; it, they won't get your legitimate message.&lt;br /&gt;&lt;br /&gt;SMTP Callback is a controversial technique because it generates spurious email traffic.  If it catches on, ISPs are going to have to invest in more equipment to handle that extra traffic, and email service will cost more.&lt;br /&gt;&lt;br /&gt;We use a very common spam defense technique.  We defer messages that come from Internet Protocol (IP) Addresses (IPAs) that have not been given a name.  We defer messages that come from IPAs whose names are not defined.  That's called "reverse DNS verification."  It's cheap, fast, not abusive, and very effective.  
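&lt;br /&gt;&lt;br /&gt;The two mechanisms in this post, reverse DNS verification on the receiving side and the other site's SMTP callback, played against each other in an added example that is not this page's configuration nor either site's: a Python simulation with a stubbed DNS, so it runs offline.  It records both sides of the probe session and shows why a probing host whose PTR name does not resolve gets a 450 from a Postfix-style MX, and what happens when the callback code reads that 450 as "address invalid".  All names and addresses (mx.example.net, alice@example.net, the four probing addresses) are constructed, and the reply text is modelled after Postfix's wording rather than copied from any real server.&lt;br /&gt;&lt;br /&gt;

```python
"""SMTP callback meets reverse-DNS verification.

Added example, not the mail configuration of the author's group or of
the site in Sacramento.  It models two checks with a stubbed DNS:

  1. the receiving MX's client-hostname test, the three-step check Postfix
     performs for reject_unknown_client (reject_unknown_client_hostname
     from Postfix 2.3 on), answered with a 450 temporary failure;
  2. the remote site's Sender Address Verification probe, which opens a
     delivery to the sender address, reads the RCPT reply and breaks off.

Every name and address below is constructed.
"""

# Constructed reverse zone: address to PTR name.
PTR = {
    "192.0.2.10": "mx1.example.com",            # well-behaved relay
    "203.0.113.5": "unknown.host.example.net",  # PTR name that resolves to nothing
    "198.51.100.20": "mx1.example.com",         # PTR name that points elsewhere
    # 198.51.100.9 has no PTR record at all
}

# Constructed forward zone: name to A records.
A = {
    "mx1.example.com": ["192.0.2.10"],
    # "unknown.host.example.net" is deliberately undefined
}

# Mailboxes that exist on our MX (the receiving side).
LOCAL_MAILBOXES = {"alice@example.net"}


def client_hostname_status(client_ip):
    """Classify a connecting client the way reject_unknown_client_hostname does:
    "ok" (PTR exists and resolves back to client_ip), "no-ptr",
    "no-a" (PTR name does not resolve) or "mismatch" (resolves elsewhere)."""
    name = PTR.get(client_ip)
    if name is None:
        return "no-ptr"
    addrs = A.get(name)
    if not addrs:
        return "no-a"
    if client_ip not in addrs:
        return "mismatch"
    return "ok"


def smtpd_rcpt(client_ip, rcpt):
    """Our MX's reply to RCPT TO.  Postfix evaluates client restrictions at
    RCPT time by default (smtpd_delay_reject = yes); a failed hostname check
    is answered with unknown_client_reject_code, which defaults to 450."""
    status = client_hostname_status(client_ip)
    if status != "ok":
        return (450, "4.7.1 Client host rejected: cannot find your hostname, [%s] (%s)" % (client_ip, status))
    if rcpt not in LOCAL_MAILBOXES:
        return (550, "5.1.1 Recipient address rejected: User unknown")
    return (250, "2.1.5 Ok")


def smtp_callback(prober_ip, sender_address):
    """The remote site's probe, recorded as (side, command or code, detail).
    The null sender is used so the probe can never itself be bounced, and
    the session ends before DATA: nothing is actually delivered."""
    transcript = [("S", 220, "mx.example.net ESMTP")]
    transcript.append(("C", "EHLO", PTR.get(prober_ip, "[%s]" % prober_ip)))
    transcript.append(("S", 250, "mx.example.net"))
    transcript.append(("C", "MAIL FROM", ""))  # empty reverse-path
    transcript.append(("S", 250, "2.1.0 Ok"))
    transcript.append(("C", "RCPT TO", sender_address))
    code, text = smtpd_rcpt(prober_ip, sender_address)
    transcript.append(("S", code, text))
    transcript.append(("C", "QUIT", ""))
    transcript.append(("S", 221, "2.0.0 Bye"))
    return code, transcript


def callback_decision(prober_ip, sender_address, tempfail_is_failure=True):
    """What the callback site does with the original message.  With
    tempfail_is_failure=True (the behaviour the post describes) a 450 on
    the probe is treated like a 550 and the legitimate message is rejected.
    With False the site defers its own incoming message and retries later,
    the only sane reading of a 4xx."""
    code, _ = smtp_callback(prober_ip, sender_address)
    if code == 250:
        return "accept"
    if code >= 500:
        return "reject"
    return "reject" if tempfail_is_failure else "defer"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.9", "198.51.100.20"):
        code, transcript = smtp_callback(ip, "alice@example.net")
        print(ip, client_hostname_status(ip), code, callback_decision(ip, "alice@example.net"))
```

Only the prober at 192.0.2.10 passes; the other three are deferred at RCPT with a 450 before the recipient is even looked at, and with the post's callback semantics every one of them then refuses the perfectly good message it was trying to verify.  Two caveats the simulation makes visible: a callback that cannot tell 4xx from 5xx turns any temporary problem on the receiving side, including greylisting, into a hard rejection, and a site running callbacks must make sure its probing addresses pass the same reverse DNS test it would apply to others.&lt;br /&gt;&lt;br /&gt;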
It works because places that are expected to send legitimate email are given valid names in the global Domain Name System.&lt;br /&gt;&lt;br /&gt;Unfortunately, our friends in Sacramento were sending probes from an IPA whose name was something like &lt;span style="font-family:courier new;"&gt;unknown.host.example.net&lt;/span&gt;.  If you looked up that name, it was not defined.  It says &lt;span style="font-family:courier new;"&gt;unknown&lt;/span&gt; right in its name!  So of course we were deferring their probe, and their callback test was failing, and they were refusing our email.  They would refuse email from anybody who uses the &lt;a href="http://www.postfix.org/"&gt;Postfix&lt;/a&gt; feature &lt;span style="font-family:courier new;"&gt;reject_unknown_client&lt;/span&gt; (renamed &lt;span style="font-family:courier new;"&gt;reject_unknown_client_hostname&lt;/span&gt; in Postfix 2.3; it rejects a client whose address has no PTR record, whose PTR name does not resolve, or whose PTR name does not resolve back to that address, and by default it answers with a 450 temporary failure, which is why we were deferring rather than refusing their probe).&lt;br /&gt;&lt;br /&gt;Before the spam crisis, none of this was necessary.  Spammers are making email more expensive and less reliable, in unexpected ways.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116395589907399610?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116395589907399610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116395589907399610' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116395589907399610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116395589907399610'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/one-more-way-spammers-damage-email.html' title='One more way spammers damage the email system: SMTP 
Callbacks'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116362085597768663</id><published>2006-11-15T11:19:00.000-08:00</published><updated>2006-11-15T12:00:56.313-08:00</updated><title type='text'>Wanadoo don' wanna do nuffin</title><content type='html'>Spam comes from every nation where there's Internet access.  That's because every nation with phone service has criminally negligent Internet service providers (ISPs).  Most spam comes from big ISPs whose main business is phone or cable TV service.&lt;br /&gt;&lt;br /&gt;One of the biggest spam sources is France Telecom, also known as Wanadoo.  Or Wanna-doodoo.  The servers I run have been blocking email from Wanadoo's customers' &lt;a href="http://en.wikipedia.org/wiki/Botnet"&gt;bot-infested&lt;/a&gt; &lt;a href="http://notwindoze.blogspot.com"&gt;&lt;span style="font-size:85%;"&gt;MSFT&lt;/span&gt;&lt;/a&gt; PCs for years.&lt;br /&gt;&lt;br /&gt;Eventually we got so much phish spam through Wanadoo's &lt;span style="font-style: italic;"&gt;outbound relays&lt;/span&gt; (the servers ISPs provide for their customers to send email through) that I blocked those too.  Unlike most spammers, phishers make no pretense of being "legitimate businessmen."  They prefer to send through servers that normally send legitimate email, because they get better delivery rates than consumer-owned bot-boxes get.  They buy web-hosting accounts with stolen credit cards, or they just break in.&lt;br /&gt;&lt;br /&gt;I didn't get away with that for long.  With thousands of users (email aliases and Mailman lists) we quickly hear about the &lt;span style="font-style: italic;"&gt;collateral damage&lt;/span&gt;.  
I had to let the mail from Wanadoo's outbound relays through, phishes and all.&lt;br /&gt;&lt;br /&gt;But I'm not the only email admin fed up with Wannadoodoo.  That particular outbound relay, &lt;span style="font-family: arial;"&gt;smtp3.wanadoo.fr&lt;/span&gt;, is listed in the public block lists &lt;span style="font-size:85%;"&gt;NOMOREFUNN&lt;/span&gt;, &lt;span style="font-size:85%;"&gt;SORBS-SPAM&lt;/span&gt;, &lt;span style="font-size:85%;"&gt;SPAMCANNIBAL&lt;/span&gt;, and &lt;span style="font-size:85%;"&gt;TQM-SPAMTRAP&lt;/span&gt;.  And those are just the &lt;a href="http://en.wikipedia.org/wiki/DNSBL"&gt;DNSBL&lt;/a&gt;s they check at &lt;a href="http://www.dnsstuff.com"&gt;Dnsstuff.com&lt;/a&gt;.  Those four are lists of IP addresses that have sent spam to the owners' traps.  That policy is too aggressive for typical ISPs' customers, as you can see from our experience, but schools and corporate campuses may use them.  Wanadoo users are going to have problems sending email to a lot of places.  &lt;a href="http://en.wikipedia.org/wiki/Paul_Vixie"&gt;Paul Vixie&lt;/a&gt; calls this kind of shunning an &lt;span style="font-style: italic;"&gt;intentional outage&lt;/span&gt;  and it's getting to be standard defensive practice.  &lt;span style="font-weight: bold;"&gt;If you depend on email to do real work, choose your ISP carefully.  
&lt;/span&gt;A consumer-oriented ISP like Verizon or Comcast or Yahoo or Wanadoo is going to give you problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116362085597768663?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116362085597768663/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116362085597768663' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116362085597768663'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116362085597768663'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/wanadoo-don-wanna-do-nuffin.html' title='Wanadoo don&apos; wanna do nuffin'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116335419179041289</id><published>2006-11-12T09:33:00.000-08:00</published><updated>2006-11-12T09:56:31.860-08:00</updated><title type='text'>Orwell warned us</title><content type='html'>George Orwell and Noam Chomsky have warned us about a thought control device that's so obvious we don't notice it.  The bad guys take a word that's useful for discussing some social problem that they don't want us discussing, and they start using it to mean something else.  
After a while, the original meaning can't compete with the new non-meaning.&lt;br /&gt;&lt;br /&gt;The right wing publicity complex (I call it &lt;span style="font-style: italic;"&gt;hate radio&lt;/span&gt;), along with misguided civil libertarians like Hugh Hefner, attached a new meaning to &lt;span style="font-style: italic;"&gt;feminism&lt;/span&gt;, nearly opposite to what feminists mean by the term.  The resource extraction industries have so diluted &lt;span style="font-style: italic;"&gt;recycle&lt;/span&gt; that it hardly means anything today.  Hate radio is destroying the specific term &lt;span style="font-style: italic;"&gt;Fascism &lt;/span&gt;these days.  Grassroots resistance to occupation in majority Muslim nations is a lot of things, but it's not Fascist nor even fascist.  I'm sure you can think of a dozen more &lt;span style="font-weight: bold;"&gt;words under attack&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;The advertising industry has been worrying for a long time about the decline of print media, especially postal mail.  They're being told electronic mail is replacing paper, and they're the lobby that's shot down any sensible spam bills in the US Congress.  They want to be allowed to send "legitimate" spam.  If they can't have that, they'll settle for destroying the public email system to prevent it from obsoleting postal mail.&lt;br /&gt;&lt;br /&gt;The advertising industry is exactly what George Orwell warned us it would be, a propaganda system so sophisticated it accomplishes &lt;span style="font-weight: bold;"&gt;thought control&lt;/span&gt; to a degree Hitler and Stalin and Mao could have only wished for.  These days, they're encouraging misuse of &lt;a href="http://www.spam.com/ci/ci_in.htm"&gt;the word &lt;span style="font-style: italic;"&gt;spam&lt;/span&gt;&lt;/a&gt;, to make it more difficult for us to intelligently discuss the problem of &lt;a href="http://www.spamhaus.org/definition.html"&gt;unsolicited broadcast email&lt;/a&gt;.  
Watch for it.  The next time you see someone referring to an off-topic message in a mailing list as &lt;span style="font-style: italic;"&gt;spam&lt;/span&gt;, &lt;span style="font-weight: bold;"&gt;notice it&lt;/span&gt;.  That's the bad guys, succeeding.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116335419179041289?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116335419179041289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116335419179041289' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116335419179041289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116335419179041289'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/orwell-warned-us.html' title='Orwell warned us'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116297448081462969</id><published>2006-11-08T00:26:00.000-08:00</published><updated>2006-11-08T00:28:00.823-08:00</updated><title type='text'>the real enemy</title><content type='html'>" This is a war between the open late-20th century technology of&lt;br /&gt;the Internet, and the closed early-20th century technology of the&lt;br /&gt;telephone/telegraph networks.  
The telcos want the Internet as we&lt;br /&gt;know it to die, and they've made great progress toward that goal&lt;br /&gt;simply by shutting down the enforcement that the NSF used to do.&lt;br /&gt;&lt;br /&gt;Internet protocols, including SMTP, were designed to be reliable&lt;br /&gt;*if* abusive hosts are promptly disconnected by service providers,&lt;br /&gt;and if abusive service providers are promptly disconnected by&lt;br /&gt;backbone operators.  Now, unfortunately, the backbone itself is&lt;br /&gt;operated by abusive entities: a few large companies which never&lt;br /&gt;wanted the open Internet to exist.&lt;br /&gt;&lt;br /&gt;In a week or month timeframe, spammers are the enemy.  In a&lt;br /&gt;year-to-year timeframe, spammers are just a weapon being wielded&lt;br /&gt;by the real enemy."&lt;br /&gt;  - anonymous poster in &lt;a href="news:news.admin.net-abuse.email"&gt;news.admin.net-abuse.email&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116297448081462969?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116297448081462969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116297448081462969' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116297448081462969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116297448081462969'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/real-enemy.html' title='the real enemy'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116292958223279155</id><published>2006-11-07T11:37:00.000-08:00</published><updated>2006-11-07T11:59:43.850-08:00</updated><title type='text'>what does really bad targetting tell us?</title><content type='html'>The spam to my main &lt;a href="http://www.rfc-ignorant.org/rfcs/rfc2142.php"&gt;RFC2142 role address&lt;/a&gt; is getting as varied as the rest of the junk.  So it seems it's just another stoopid dictionary attack type address.&lt;br /&gt;&lt;br /&gt;How dumb is that?  They're spamming  the address  at this domain that's most likely to generate a correctly targetted and adequately detailed spam report.  And least likely to fall for a phish or buy fake pills.  The address is most likely to exist (and work) at well run domains and unlikely to exist at amateur domains.  Anybody smart enough to put together a bot-net can remove all of the role addresses from any list with about five seconds' work.  Obviously they just can't be bothered.&lt;br /&gt;&lt;br /&gt;Meanwhile, a test address I named after my old cat and stopped using eleven years ago is still getting spam.&lt;br /&gt;&lt;br /&gt;What's it mean?&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The major &lt;span style="font-weight: bold;"&gt;spammers are not concerned about complaints&lt;/span&gt;.  They're sending through disposable trojan-infected PCs, and there's an unlimited supply of those.  They're hosted on corrupt and incompetent networks connected to the world by giant backbone carriers like AT&amp;T and Sprint and Level3 and the spammers are quite sure those giants can't be bothered to enforce their harmful traffic language.&lt;/li&gt;&lt;li&gt;The people paying the major spammers either don't know how bad the lists they're using are, or they don't care either.  I suspect it's some of each.  
Some spam runs are commissioned by clueless boobs who think they're gonna get rich selling sugar pills out of a multilevel marketing "company."  They don't know.  Other spam runs are by the spam gangs themselves.  They don't care.&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116292958223279155?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116292958223279155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116292958223279155' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116292958223279155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116292958223279155'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/what-does-really-bad-targetting-tell.html' title='what does really bad targetting tell us?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116254741777555268</id><published>2006-11-03T01:30:00.000-08:00</published><updated>2006-11-03T01:50:17.803-08:00</updated><title type='text'>harrassment spams, coincidence?</title><content type='html'>Today the &lt;span style="font-style: italic;"&gt;postmaster&lt;/span&gt; address at my best known domain received more spam than it usually gets in a few months.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Postmaster&lt;/span&gt; is 
a special address.  &lt;a href="http://www.rfc-ignorant.org/rfcs/rfc2142.php"&gt;Any domain that gets mail is supposed to have it.&lt;/a&gt;  Current best practice is you don't spam-filter it, so it can receive complaints and they won't get filtered or blocked.&lt;br /&gt;&lt;br /&gt;And if there is any address at a domain that is likely to generate spam complaints, it's &lt;span style="font-style: italic;"&gt;postmaster&lt;/span&gt;.  Spammers are generally smart enough to avoid &lt;span style="font-style: italic;"&gt;postmaster&lt;/span&gt; addresses.  More domains have &lt;span style="font-style: italic;"&gt;postmaster &lt;/span&gt;than the other special addresses, &lt;span style="font-style: italic;"&gt;hostmaster&lt;/span&gt; (for name service issues) and &lt;span style="font-style: italic;"&gt;abuse&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Could be a random fluke.  Could be some spammer with not enough work to do doesn't like people starting blogs about how spamming hurts people.  At any rate, the result was I discovered a few more spam sources to block.&lt;br /&gt;&lt;br /&gt;By the way, there's a special domain name, too.  &lt;span style="font-style: italic;"&gt;example.net&lt;/span&gt; was reserved when the name service was invented.  You can use it when you need an example email address, perhaps when you're writing the on-line help for an email program.  You can also use it when somebody demands your email address but you don't want to give them a real one.   Like those &lt;span style="font-style: italic;"&gt;555&lt;/span&gt; phone numbers in the movies.  
Even &lt;a style="font-style: italic;" href="mailto:postmaster@example.net"&gt;postmaster@example.net&lt;/a&gt; doesn't go anywhere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116254741777555268?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116254741777555268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116254741777555268' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116254741777555268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116254741777555268'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/harrassment-spams-coincidence.html' title='harassment spams, coincidence?'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116249184740607649</id><published>2006-11-02T10:04:00.000-08:00</published><updated>2006-11-02T10:24:07.573-08:00</updated><title type='text'>Australia gets it right</title><content type='html'>There are certain &lt;a
href="http://dictionary.reference.com/search?q=canard"&gt;canard&lt;/a&gt;s or myths we see in the US media when they do an (all too infrequent) spam story.  One of them is that spammers are beyond the law, or laws can never be effective, or some such nonsense.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.spamhaus.org/definition.html"&gt;Spamming&lt;/a&gt; is illegal in the European Union and Australia.  When Australia began its criminal proceedings against big-time spammer &lt;a href="http://www.spamhaus.org/rokso/listing.lasso?-op=cn&amp;spammer=Wayne%20Mansfield"&gt;Wayne Mansfield&lt;/a&gt;, he &lt;span style="font-weight: bold;"&gt;stopped spamming&lt;/span&gt;. Mansfield &lt;a href="http://www.theage.com.au/news/Technology/Australian-business-fined-over-spam-emails/2006/10/27/1161749298339.html"&gt;was convicted last month&lt;/a&gt;, and he and his company have been fined about US$4 million.  &lt;a href="http://www.spamhaus.org/rokso/listing.lasso?-op=cn&amp;spammer=Alan%20Ralsky"&gt;Alan Ralsky&lt;/a&gt; was regarded as the biggest spammer in the world.  He stopped spamming, as far as I know, when the FBI raided his basement network operations center last year.  (Mansfield might keep spamming.  I believe spamming manifests a mental disorder of some kind, like kleptomania, and career spammers may be &lt;span style="font-style: italic;"&gt;unable&lt;/span&gt; to stop.  But it will be a lot harder for him now.)&lt;br /&gt;&lt;br /&gt;Law enforcement &lt;span style="font-weight: bold;"&gt;can&lt;/span&gt; stop spam.  It can do it without infringing anybody's rights.  Spammers commit a variety of crimes under existing law.  Using someone's computer without their permission is a crime in every civilized nation.  Almost all spam involves fraud of some kind.  All it takes is the &lt;span style="font-weight: bold;"&gt;political will&lt;/span&gt; to do it.
&lt;span class="down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116249184740607649?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116249184740607649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116249184740607649' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116249184740607649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116249184740607649'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/australia-gets-it-right.html' title='Australia gets it right'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116241690613824938</id><published>2006-11-01T12:54:00.000-08:00</published><updated>2007-12-05T10:34:03.220-08:00</updated><title type='text'>Using "Report spam" to censor</title><content type='html'>My computers host a bunch of mailing lists on political topics.  I use &lt;a href="http://www.list.org/"&gt;Mailman&lt;/a&gt; to manage the mailing lists, and it uses &lt;a href="http://www.postfix.org/"&gt;Postfix&lt;/a&gt; to send and receive.  
Postfix keeps a queue of messages it hasn't been able to send yet, and sometimes I have to figure out why they're stuck.&lt;br /&gt;&lt;br /&gt;This morning I noticed America Online was deferring messages from an internal list for discussing press releases before they go out. Postfix shows the whole message to AOL, and AOL thinks for a second and says "try sending that one later."  The &lt;a href="http://postmaster.info.aol.com/errors/421rlycs4.html"&gt;actual deferral&lt;/a&gt; suggests AOL thinks the message might be spam, but meanwhile AOL is accepting other messages from us.  I've seen that a lot this year.  One of my users has a list about his antiwar activity and it gets deferred by AOL and Yahoo Mail quite a lot.  And other folks who run similar lists tell me they're seeing the same thing.&lt;br /&gt;&lt;br /&gt;Here's what seems to be going on.  These messages contain keywords, especially URLs, that our political adversaries would prefer we be unable to discuss in email.  The one that's stuck right now is about the movement resisting the stolen election and other government outrages in Oaxaca.  My user group wants to express solidarity with the people there and they're drafting a press release.&lt;br /&gt;&lt;br /&gt;Opposition to that kind of activism is well funded and relentless, and unethical.   They get on lists that discuss similar things, and hit that "this is spam" button on AOL's email program.  When this happens enough times, AOL's enormous content filter starts to think phrases like "solidarity" and "grassroots democracy" and the URLs of the sites that cover this stuff (indymedia, commondreams, even dailykos and moveon...) are "&lt;span style="font-weight: bold;"&gt;spam sign&lt;/span&gt;."  
&lt;span style="font-style: italic;"&gt;Things seen in spam&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It doesn't help things any when well meaning idiots forward these messages to their whole address book, thinking their "action alert" is so "important" that the rules about unsolicited broadcasts don't apply.  "&lt;span style="font-style: italic;"&gt;Well, they &lt;span style="font-weight: bold;"&gt;should&lt;/span&gt; be interested&lt;/span&gt;," they rationalize.  "Forward this to all your friends!"  No, don't.  That's a topic for another post.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;This has been going on for a long time.  You'll have a hell of a time discussing women's health issues (breast cancer, yeast infections, contraception, access to abortions...) on those big consumer services without setting off their filters.  There are people who don't want those issues discussed.  They'd prefer the information not be available.  They've learned it's not hard to fool filters that were designed to detect erotica.&lt;br /&gt;&lt;br /&gt;What seems to be different now is the "spam sign" threshholds are getting lower.  If you want to kill an email forum, you don't have to barge in and flood it with invective any more.  You can fool AOL (and Yahoo Mail and Hotmail) into killing it for you.&lt;br /&gt;&lt;br /&gt;That's &lt;span style="font-weight: bold;"&gt;censorship by spam filter&lt;/span&gt;.  And it's been made possible by the onslaught of spam.  People are so desperate to keep their mailboxes usable that they are now willing to accept some &lt;span style="font-style: italic;"&gt;false positives &lt;/span&gt;in spam filtering.  At least on the consumer oriented services where it doesn't hurt your business to lose a legitimate message now and then.  
The spammers are softening us up, preparing us to give up the public email system for a controlled one.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116241690613824938?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116241690613824938/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116241690613824938' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116241690613824938'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116241690613824938'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/using-this-is-spam-to-censor.html' title='Using &quot;Report spam&quot; to censor'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-36964426.post-116241342641412856</id><published>2006-11-01T12:06:00.000-08:00</published><updated>2006-11-01T13:56:23.330-08:00</updated><title type='text'>Spammers versus free speech</title><content type='html'>Spammers are destroying &lt;span style="font-weight: bold;"&gt;the public email system&lt;/span&gt;.  I'm going to use that phrase here.  Almost all of the servers, routers, optical fibers, and other equipment that carry email are private property.  But the &lt;span style="font-weight: bold;"&gt;cultural system&lt;/span&gt; that says you can send email to your friends and strangers in the reasonable expectation that they will welcome it, and be willing to pay the cost of receiving it, is in the public domain.  And so are the languages, or &lt;span style="font-style: italic;"&gt;protocols&lt;/span&gt;, that computers speak to each other to move email across the network.&lt;br /&gt;&lt;br /&gt;There's been too much focus on spam as a property rights issue.  It's true: unsolicited broadcast email &lt;span style="font-style: italic;"&gt;is&lt;/span&gt; theft of service, trespass to chattel, and illegal conversion of assets.  Spammers use our equipment without our permission.&lt;br /&gt;&lt;br /&gt;That's your PC.  Nobody gave &lt;a href="http://www.spamhaus.org/rokso/listing.lasso?-op=cn&amp;spammer=Leo%20Kuvayev%20/%20BadCow"&gt;Leo Kuvayev&lt;/a&gt; permission to put his counterfeit mail order pills advertisement on your screen.  It's like he'd barged into your yard and nailed a sign on your tree.  That's trespassing.  A big chunk of the cost of your Internet service goes into trying to block and filter the spam addressed to you.  Spammers are stealing that money and throwing it in a bonfire.  The total profits from spamming are less than 0.1% of spamming's cost to the economy.  
It's like blowing up a liquor store to steal a can of beer.&lt;br /&gt;&lt;br /&gt;But spam is also a &lt;span style="font-weight: bold;"&gt;human rights issue&lt;/span&gt;.   Spammers compel other people to do work, for no compensation.  They steal our time and life energy.  Where I come from, that's called &lt;span style="font-weight: bold;"&gt;SLAVERY&lt;/span&gt;.  And it's a &lt;span style="font-weight: bold;"&gt;civil rights issue&lt;/span&gt;.  The public email system is a venue of free speech.  Spammers have made using email so difficult that people are actually giving up on it.  When you drown out a speaker, or bulldoze his theater, or spray feces on the people waiting in line for tickets to his talk so they give up and go home, that's &lt;span style="font-weight: bold;"&gt;CENSORSHIP&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;That's what this weblog is going to be about.  &lt;span style="font-weight: bold;"&gt;Civil and human rights issues around spamming&lt;/span&gt;.  The email system can be technical, but you won't have to be technical to understand anything here.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36964426-116241342641412856?l=spam-vs-freedom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://spam-vs-freedom.blogspot.com/feeds/116241342641412856/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=36964426&amp;postID=116241342641412856' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116241342641412856'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36964426/posts/default/116241342641412856'/><link rel='alternate' type='text/html' href='http://spam-vs-freedom.blogspot.com/2006/11/spammers-versus-free-speech.html' title='Spammers versus free 
speech'/><author><name>Cameron</name><uri>http://www.blogger.com/profile/14168254673452136370</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry></feed>
