Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam Operating Systems BSD

Spam Blocking Engine for OpenBSD 274

mkeke writes "In a post over at OpenBSD Journal, Theo states that he has written a spam blocker that works with pf and Spews. It looks darn cool :)"
This discussion has been archived. No new comments can be posted.

Spam Blocking Engine for OpenBSD

Comments Filter:
  • 550? 450? (Score:5, Informative)

    by Habbie ( 601521 ) on Friday December 20, 2002 @09:12AM (#4929239) Homepage
    I assume he means a 450 reply, not a 550? 550 won't make the message stay in the queue, 450 will.
    • Re:550? 450? (Score:2, Informative)

      by Anonymous Coward
      yes, in the code there is a gem like so:

      char *reply = "450";

      i'm guessing the 550 is a typo in the message body.
    • Re:550? 450? (Score:5, Informative)

      by edgarde ( 22267 ) <slashdot@surlygeek.com> on Friday December 20, 2002 @10:07AM (#4929615) Homepage Journal
      450 says there's still a mailbox there. 550 says not found. Here's a list of SMTP codes [infokomp.no].

      Incidentally, the code actually has a command line option to choose between 450 and 550.

      • Yes, and the poster you replied to was absolutely correct though. No email MTA keeps the email in the queue for a 5xx error as this is a hard bounce (retrying after a 5xx error would be a violation of the relevant RFCs). Only a soft bounce error (4xx) will keep the message in the queue. So the statement in the original message about using up disk space is totally invalid.
  • Spews = /m\ (Score:5, Insightful)

    by joeszilagyi ( 635484 ) on Friday December 20, 2002 @09:15AM (#4929260)
    Why even bother with Spews? Why not Spamcop, who doesn't block half the planet?
    • Re:Spews = /m\ (Score:2, Interesting)

      Perhaps because SpamCop is overzealous to the point of stupidity?


      See, for instance:


      Quite frankly, Julian Haight comports himself like a True Asshole. Admittedly, Theo can be rather terse himself, but he generally doesn't cause innocent third parties distress while attempting to achieve his goals.
      • Re:Spews = /m\ (Score:4, Interesting)

        by PacketMaster ( 65250 ) on Friday December 20, 2002 @10:04AM (#4929589) Homepage
        And spews doesn't? Spews randomly blocked a consulting company's netblock I worked for part-time simply because that our block was next to a "known spammer's" block. When they politely asked to be removed and pointed out that according to their own evidence file that their netblock had nothing to with spam, they were met with very hostile responses and told to essentially ditch their teleco provider because they'd never unlist anyone. They admitted that they simply block IPs in a form of "collateral damage" because they feel like it to hurt legitimate businesses so they flee their network provider. Look at antispews.org [antispews.org] for more info on their flagrant abuses and why you shouldn't use spews.

        ... generally doesn't cause innocent third parties distress while attempting to achieve his goals.

        Using spews is going to cause third-party distress.

        • Re:Spews = /m\ (Score:3, Insightful)

          by Senior Frac ( 110715 )

          And spews doesn't? Spews randomly blocked a consulting company's netblock I worked for part-time simply because that our block was next to a "known spammer's" block.

          I just went to SPEWS' website. It appears that this falls within their listing criteria. I'll take it you don't agree with their listing criteria.

          When they politely asked to be removed and pointed out that according to their own evidence file that their netblock had nothing to with spam, they were met with very hostile responses and told to essentially ditch their teleco provider because they'd never unlist anyone.

          They talked to SPEWS? It says here SPEWS doesn't talk to anyone. Are you sure? That statement appears highly misleading. Are you certain they didn't talk to news.admin.net-abuse.email?

          They admitted that they simply block IPs in a form of "collateral damage" because they feel like it to hurt legitimate businesses so they flee their network provider.

          Boy, this is so misleading as to be approaching a lie. They really, really talked to SPEWS, huh? And "spews said"...?

          Look at antispews.org [antispews.org] for more info on their flagrant abuses and why you shouldn't use spews.

          The fact that you disagree with their listing criteria is all fine and good; that is your right. But there seem to be lots of outright wrong information on that webpage.

          My server, SPEWS recommends, my decision whether to trust them, and my decision as to their effectiveness.

        • Re:Spews = /m\ (Score:3, Insightful)

          by Dimensio ( 311070 )
          Antispews is run by a known hack.
          SPEWS is used because it works. It is NOT the job of my ISP to tell your ISP to kick off their spammers. If your upstream is providing an open haven for criminals, don't be surprised when no one wants traffic from your upstream.

          Remember, your consulting company wasn't being blocked. Your consulting company didn't own the ISPs. SPEWS wasn't blocking anything (anyone who claims that SPEWS blocks is either ignorant or lying), SPEWS was merely listing IP addresses owned by the upstream provider. It isn't SPEWS's probem that your upstream is rogue and that no one wants their traffic.
    • by neurostar ( 578917 ) <neurostar@pri[ ].com ['von' in gap]> on Friday December 20, 2002 @09:40AM (#4929421)

      ...doesn't block half the planet?

      I thought half the email on the planet was spam though!

      :)

    • Why even bother with Spews? Why not Spamcop, who doesn't block half the planet?

      SpamCop's blacklist announces hosts with a bad no-spam/spam ratio. As a result, non-US freemail providers tend to end up in SpamCop's blacklist.

      SpamCop is honest and they warn [spamcop.net] that the blacklist should only be used for tagging, but many people ignore this advice.
  • by GeckoFood ( 585211 ) <geckofoodNO@SPAMgmail.com> on Friday December 20, 2002 @09:17AM (#4929278) Journal
    The author states that it's for OpenBSD. Any clue if he plans to port it to other flavors of Unix, such as Solaris, HP-UX, Linux, IRIX, etc? This sounds like a useful honeypot tool, I would be curious to see how well it works in actual production (translation -- I'd like some stats).
  • The theory here is that most spam still comes in via open relays, and the only way we are going to convince them to clean up their act is to waste _their_ disk space, their time, and their network bandwidth more than they waste ours.

    To me, this seems exactly the right strategy, although how well it works in practice will be interesting to watch.

    • the only way we are going to convince them to clean up their act is to waste _their_ disk space, their time, and their network bandwidth more than they waste ours.

      To me, this seems exactly the right strategy, although how well it works in practice will be interesting to watch.


      To me, this is about as hypocritical a strategy I can imagine. If something is wrong, it's wrong.
  • by Sturm ( 914 ) on Friday December 20, 2002 @09:27AM (#4929335) Journal
    Spews is EVIL. Plain and simple. They block IPs based soley on the fact your upstream provider hosts or has hosted in the past, someone the SPEWS "admins" (and I use that term losely) believe to be spammers. It is impossible to get off their list and if you are a customer of C&W you probably have IP space being blacklisted by them. Blocking large blocks of class Cs, just because someone happens to share IP space with an alleged spammer is the WRONG way to filter spam.
    Please take a look at http://www.antispews.org for more information before using SPEWS.
    • Time and again we see case after case of some provider that
      1. Let some customers spam
      2. ignored abuse complaints
      3. did nothing while when that particular spammer's IP was listed.
      4. Only took action against a spammer when the SPEWS listing expanded to include non-spamming customers
      5. Whinged that SPEWS was unfair and not the right way to do things
      Every day SPEWS proves itself necessary and effective at getting otherwise unwilling providers to remove their spammers. Note that SPEWS uses an escalation process. The provider has to ignore complaints for a while to have the IP range expanded to include non-spammers

      If you can suggest something that is half as effective at raising the cost for spammers as SPEWS, please suggest it. SPEWS forces providers to decide whether they want to host exclusively spammers or host exclusively non-spammers.

      But if your goal is merely to filter spam (making life easier for the spammers) then you are right. SPEWS is not the way to do that.

      • by jamie ( 78724 ) <jamie@slashdot.org> on Friday December 20, 2002 @10:06AM (#4929608) Journal
        "If you can suggest something that is half as effective at raising the cost for spammers as SPEWS, please suggest it. SPEWS forces providers to decide whether they want to host exclusively spammers or host exclusively non-spammers."

        First of all, I don't think most network administrators -- or their bosses -- know what they're getting into when they use Spews to police their network. If you are an admin who signs your company up for it, be prepared to have this conversation:

        Boss: Hey, can you check to see if there's some kind of network trouble. I haven't gotten a reply email from a client in three days.

        You: (after checking) Ah, that mail server is spam-friendly, we reject their mail.

        Boss: (confused) They're not a spammer, they're our best client.

        You: No, but they buy bandwidth from someone who buys bandwidth from someone who...

        Boss: What?

        You: We're using SPEWS, which is the most effective tool at stopping spam around the world! It forces providers to decide whether...

        Boss: I don't give a damn, you work for me, not people around the world. Your job is to make the email work, not be a do-gooder. You may have cost this company a contract. Now get the damn mail working and tell me how many times you bounced my client's mail so I can decide whether you still have a job.

        And -- you think Spews is effective? After being put on their list I had a grand total of one person unable to receive my mail. I have a dozen other people using my server to send and receive mail to hundreds of people, and according to my logs, among all of us, the sum total of people who couldn't get our email was two. That's the most pitiful boycott I've ever seen.

        • by binner1 ( 516856 ) <bdwalton@@@gmail...com> on Friday December 20, 2002 @10:41AM (#4929805) Homepage
          At my last job, that is exactly the conversation I had. My boss said: We get too much spam here, do whatever it takes to stop it. I said: Sure, I'll have qmail do some rbl polling before accepting mail. Worked great for about a month...cut roughly 50% of the spam that network received. Then, boss says: Why can't I get email from ebay seller X? I say: Oh he's rbl'd...we don't take mail from there. He says: Ok, turn off the rbl.

          After that, I turned on my own bayesian filtering and said F the rest of the network/users.

          -Ben
        • First of all, I don't think most network administrators -- or their bosses -- know what they're getting into when they use Spews to police their network.

          You are absolutely right. Although I advocate using things like SPEWS, you must make it clear that it will block mail from legitimate users. You either have to persuade people that this is right (as I believe) or not do it that way.

          See this policy statement [cranfield.ac.uk] as an example of using such a policy, while making it clear that it will block mail from legitimate users.

        • At my place of employment we have been filtering all incoming e-mail for ourselves and our small ISP through SPEWS and various other lists. Just now I checked and found that since 4:00am when the logs switched over we've blocked just over 2000 messages. About 1600 of them were because of SPEWS. This is a system with 6000 users and we've only had two or three complaints since we started filtering a few years ago.

          That seems pretty effective to me.

          Oh, and the boss loves it. As soon as we implemented the filters his spam load saw a *huge* decrease. He has even used the filters as a way to persuade a few of our more foolish clients to fix their open relays.
      • Fighting spammers by causing as much collateral damage as possible (like SPEWS) does not work, and it is simple to see why:

        1. I am customer of a small ISP. I don't send spam, and my ISP actively fights spam. Nevertheless, my ISP is on SPEWS - bad luck, wrong netblock.

        2. I have zero incentive to change my ISP, and thus my ISP has zero incentive to put pressure on their upstream network operator.

        3. Why ? Because I am blocked by bad luck, nothing else. I could change the ISP, but any new ISP might have the same bad luck. Changing providers will cost money, and will not secure me from future problems of that sort.

        In short: the overzealous blocking by SPEWS removes any incentive to change ISP or exert any pressure on upstream providers. If it's just bad luck to be blocked, it may happen anywhere and anytime, and changing providers does not make any sense.

    • by jamie ( 78724 ) <jamie@slashdot.org> on Friday December 20, 2002 @09:53AM (#4929519) Journal
      "Spews is EVIL... Please take a look at http://www.antispews.org"

      Thanks for the link. I'll confirm that Spews is not the way to go. Well, it depends on whether your goal is to block spam for your users, or just to piss people off.

      If you're a network admin and you want to block spam for your users, try something else.

      If you just want to piss people off, Spews is great. My personal mail server (very kindly hosted for me for free on a friend's network) was put on Spews' blacklist. My server has never in its lifetime sent a single spam, of course. But Spews had found four (count 'em) examples of spammer websites (not spam-sending machines) on the IP blocks owned by the people who my friend bought access from, twice removed. Because of these four claimed spam websites, Spews put FOUR CLASS A's on their list.

      That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.

      Wait, did I say four? When I checked up on them, two had already moved to other providers, one I couldn't find, and only one was still there. So my server, and a quarter-million others, were being blocked because the Spews people disagreed with one solitary website. Hosted by a company that I have no relationship with.

      It goes without saying that attempts to get my server whitelisted failed.

      And I do question the value of their blocking my mail server. Like I said, I was being hosted for free just because I have helpful friends... my moving to another network actually saved them money!

      Somehow, I think most net administrators, if they knew that Spews' purpose was political and not technological, would be less likely to use it. There are plenty of other blacklists out there. What are the good ones that don't hijack your networks to apply political pressure?

      • Did you ever ask in news.admin.net-abuse.email why you're still listed? People there are often very good at digging up the information, and it usually turns out that there are still spammers lingering on the network that your ISP has ignored.
      • Spews put FOUR CLASS A's on their list. That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.

        Perhaps you meant class B's? Four class A's would have been 67 million. I doubt even SPEWS is that stupid. Wait, this is SPEWS we're talking about.
    • Spews is EVIL. Plain and simple. They block IPs based soley on the fact your upstream provider hosts or has hosted in the past

      I think too many hosting companies are far too lenient when it comes to booting spammers -- if they do anything at all. Honestly, I think going overboard on blocking will be a great asset in getting these clowns off their behinds.

      It is impossible to get off their list

      That is lame, if they have cleaned up their act. I'd say make it easy to be taken off once. After that, forget about it. Having little anti-spam programs running on every PC is just silly. Unless serious action is going to be taken, it's just wasted effort.

      P.S. Ever notice spew is oops backwards :)

    • Spews randomly blocked a consulting company's netblock I worked for part-time simply because that our block was next to a "known spammer's" block. When they politely asked to be removed and pointed out that according to their own evidence file that their netblock had nothing to with spam, they were met with very hostile responses and told to essentially ditch their teleco provider because they'd never unlist anyone. They admitted that they simply block IPs in a form of "collateral damage" because they feel like it to hurt legitimate businesses so they flee their network provider. Someone mentions C&W addresses, same thing if you're getting service from Qwest. Their website makes them come off as the noble crusaders against spam, but in reality what they do is just mean-spirited, unethical and just plain wrong.

      Don't use SPEWS! [antispews.org]

      See the newsgroup news.admin.net-abuse.email [google.com] to see just how the spews people treat those who politely ask for erroneous entried to be removed and PROVE they have nothing to do with spammers.
      • See the newsgroup news.admin.net-abuse.email [google.com] to see just how the spews people treat those who politely ask for erroneous entried to be removed and PROVE they have nothing to do with spammers.
        You didn't get it, did you? There are no SPEWS people posting in nanae. SPEWS does not talk to anyone. You do not prove that you do not have something with spammers, you disconnect them and you get unlisted if they are gone. Gone means, no WWW, no eMail, no DNS. Nothing. Go read the FAQ as it looks to me that you didn't. Your listing was for shure NOT randomly as you stated yourself that you where in the neighbourhood of some spammers. Get a clue.

        We use SPEWS. It reduces spam to 5% of before. It rocks.
      • ...because they'd never unlist anyone

        SPEWS didn't tell you that. Probably it was someone on news.admin.net-abuse.email, which is as about as authoritative as a random reply on Slashdot.

        And further more, it isn't true. SPEWS has frequently reacted to spammer-removal within hours (or less).

    • They block IPs based soley on the fact your upstream provider hosts or has hosted in the past, someone the SPEWS "admins" (and I use that term losely) believe to be spammers.

      As a sysadmin for an ISP I can assure you that this is absolutely the case. There is no human contact at Spews, the entire system is automated. Which means that when their system is alerted to a "spammer" within a particular class C, that entire class C is quickly blocked by thousands of misinformed SAs who don't understand that they are in the process going to block legitimate emails that the people within their network have every right to receive.
      Blocking large blocks of class Cs, just because someone happens to share IP space with an alleged spammer is the WRONG way to filter spam.
      A hosting provider should be responsible for the domains they host. But there is rarely anything a provider can do to pre-emptively stop a spammer. Just recently, my company signed up a new company for Co-Location. Within a week, this company sent out a huge spam mailing. The moment we saw spam complaints come in we called the company and demanded proof that their mailing list consisted solely of opt-in addresses. They had no proof and their contract was immediately terminated for violating our Acceptable Use Policy. However, at this point our entire class C (housing our main mail server for hundreds of websites and ten times that many individual email clients) was listed in SPEWS database. Apparently this company had, in the past, under a different name, been blacklisted as a spammer. We were now added to the list of their hosting providers and could not, despite our best effort, contact a single human at SPEWS to explain our situation. As a result, for over 3 weeks, thousands of mail servers were rejecting our clients' mail as coming from a spam-server.

      I ask you, how does that make the internet a better place?

      Spam is a waste of bandwidth, of time, and it's insanely annoying, as a sysadmin I realize that as much as anybody (except maybe Alan Ralsky [slashdot.org]). But SPEWS is a horrible "solution" to the problem. Too many misinformed sysadmins use SPEWS at the expense of those who use their network.
      • I ask you, how does that make the internet a better place?
        It stoppes beeing flooed by fscking spammers like you signed up with one. Good that you disconnected them. The term for SPEWS is: education. If only more ISPs would act as you did, the internet would be a better place for sure. The problem is, that as long no one gets hurt (read: loses money because customer quit their services), loads of ISPs does not enforce their AUP, has bad AUPs or are pro-spamming. Only if they really get a clue what's going on, they act. Read: Education. Prevention.
        • Read: Education. Prevention.
          Sysadmins need to educate themselves about SPEWS before hastily hopping on board the "I'm preventing spam!" bandwagon. SPEWS doesnt prevent spam, it prevents spam AND legitimate emails.

          Often it boils down to "The All ighty ollar" [snpp.com]. An irresponsible ISP is willing to let a spammer continue to pay for their outrageous use of bandwidth as long as they can. SPEWS does nothing more than allow the spammer to spread the wealth to other ISPs once their current one is blacklisted. And yes, this ISP should be punished, its sysadmins and CEO should be dragged out into the street and beaten. However, until SPEWS starts carrying out vigilante justice, SPEWS is doing more harm than it does good, and is not a viable spam solution.

          Police Chief: My Mayor, as you asked we have devised a scheme to catch every criminal in the city before they can comitt a crime.

          Mayor: That's amazing! Let's get started

          Police Chief: There is a catch. It only catches criminals registered in our "Ex-Con Database" and 10% of the people imprisoned will be random towns-people who have done no wrong.

          Mayor: But, it catches criminals right?

          Police Chief: Well, yes, but...

          Mayor: Then let's do it!

          Welcome to Spewsville...Where the world is a better place..for some people.
          • If the sysadmins, the CEO et all know about SPEWS and know how SPEWS works, they'll do what they can to not getting listed (nuke spammers with zero tolerance for example). But if the CEO is letting the spammer sign up and more important: let them stay up; someone needs to PREVENT the users from the next bunch of spammers which will sign up with this pro spam|scum ISP- and most important - and will get an IP (or even a block of IPs) from the blackhat ISP, then the goal of SPEWS has been reached: Prevention. I won't get any mails from additional spammers on their network because SPEWS prevented me to receive them.

            And if every customer who has a clue about spam and spam support moves to a white hat ISP (yes, the're plenty of them around), the ISP has to close the sooner the better.

            Remember: SPEWS lists pro spam ISPs only. And only whole blocks in order that the PREVENTION comes into effect. Sorry for my poor english - it's not my native language as one can guess.

            BTW your comparison to the police is really lame. The police is acting on public ground. The servers where my email passing trough is just not public and I (well in my case my sysadmin) can decide who to put in "jail" or not. And yes, I know that SPEWS blocks legit emails but I do not care about it - I do not want to receive emails from spam supporting folks.
    • I couldn't agree more.

      The company I work for was affected by the infinite wisdom of Spews. Apparently a spammer once sent email from an address that happens to share the same leading 16-bits of address space with us. Because of their escalation procedures, a full 8192 sites have been placed on their "spam" list because of a single incident.

      I don't think Spews provides any useful service. They don't resolve problems, they encourage you to bury your head in the sand and pretend problems don't exist. Blocking (and thus ignoring) a whole set of unrelated domains because once upon a time, a single spam event happened in a vaguely similar namespace is like banning everyone in the state of California from visiting Las Vegas, because one guy from LA was caught cheating in a casino 10 years ago.

      They are a lawsuit waiting to happen. What if a company sends out stock information, or other time-dependant data by email, and they happen to get added to the Spews blacklist? Now clients who are paying $XXX for these notices don't get them, and thus lose a great deal of money. The sender isn't at fault, as they sent the mail in good faith, and they didn't engage in spamming themselves, but had the misfortune of belonging the same class A or B subnet of a spammer. Who's gonna compensate the victims here? IANAL, but I'd be looking at Spews with $$'s in my eyes.
    • Smacks of 'IP profiling' if there were such a thing...

      The conviction of innocence is completely unacceptable in America.
    • by Frater 219 ( 1455 ) on Friday December 20, 2002 @11:59AM (#4930350) Journal
      Please take a look at http://www.antispews.org for more information before using SPEWS.

      Actually, antispews.org is likely being operated by spammers, as the Osirusoft FAQ [osirusoft.com] suggests. (If nothing else, they are spammers of USENET newsgroups, since they kiboze [tuxedo.org] for references to "SPEWS" and troll in response, much as Serdar Argic [kkc.net] once did with "Turkey".) Naturally, spammers are pissed off at SPEWS, because it is simply put the most effective tool presently in the field for denying spammers access to (1) victims, and (2) willing ISPs to host them. Innumerable spammers have been terminated as a result of SPEWS listings.

      There is no conceivable informed controversy as to whether or not SPEWS is effective at getting spammers off the Net. Whether or not SPEWS is a good tool for your site to use as a tool for reducing your spam count is quite another question. In my personal experience (as a security and email administrator for my site, which is a research institution) SPEWS is extremely valuable. I read my mail logs and ascertain that SPEWS usage blocks spam, with a remarkably low incidence of false positives.

      In the past week, our incoming mail server has blocked 969 messages on account of SPEWS, with zero reports of false positives from our users. (To be honest, we get about one such report a month, and we whitelist the offending IP address. It's usually in China; we have several Chinese researchers.) Our locally maintained blacklist blocks about twice as much spam, and our use of sbl.spamhaus.org blocks about five times as much -- but that is biased by the fact that we consult those lists before SPEWS, and there is a good deal of overlap between them.

      I would not recommend that ISPs who offer email service to their users use SPEWS by default, though it would be a valuable optional service. The DNSBLs I would recommend everyone use are:

      • sbl.spamhaus.org, which lists only netblocks occupied by known repeat spam offenders
      • relays.ordb.org, which lists only open mail relays; and
      • proxies.relays.monkeys.com, which lists only open proxies.

      These are all low-to-no-false-positives lists which I feel comfortable recommending to every ISP regardless of its stance on SPEWS.

    • You were almost looking credible there until you linked to AntiSpews. You do know that it's run by a well known spammer don't you? The .org is also rather deceptive as they have started to sell mail server hosting.

      If your ISP is listed in SPEWS you need to talk to them about it. They need be informed that either the spammers go or you go. Obviously some ISPs value spammers' business more than that of their legitimate customers. Why would you want to do business with a company with ethics like that anyway?

      However I guess I can count on Slashdot to throw their fists in the air when reading about Alan Ralsky then turn around and pay their bandwidth bills to ISPs with the same attitudes as his just because it's "convenient".
    • Let's see...

      SPEWS
      • Anonymous - no contact info provided
      • Voluntary - no one is forced to use it
      AntiSPEWS
      • Anonymous - cellphone and a P.O. Box
      • Voluntary - not forced to support them
      • Solicits money... anonymously

      Whom do you trust to be more impartial?
      Come on folks, it's no contest.

    • SPEWS does not block anything. SPEWS LISTS IPs owned by known spam-friendly companies such as Cable and Wireless. Individual ISPs CHOOSE to block because they have decided that if a company like C&W, which openly tolerates abusive criminal activities from their customers, isn't going to clean up their act then there isn't any traffic worth accepting from them.

      If everyone starts using SPEWS and you get blocked because no one wants C&W's traffic, that is NOT their problem and it is not the problem of SPEWS. Call C&W, tell them to stop openly tolerating criminal activity (such as theft of service, trespass to chattel and distributing pornographic material to minors), and then if they clean up their act, SPEWS will delist them.

      The alternative is to have hundreds, if not thousands, of individual ISPs run their own private lists. That way, when C&W does finally clean up their act, they have to convince hundreds or thousands of individual people to remove them from the filters -- of course, by this time many of the admins who put the IP there might have moved on or forgotten the reason for the block in the first place. As such, C&W would stay in those hundreds or thousands of those individual blocklists and their netspace would be effectively worthless. Such was the fate of AGIS, who died the death of a thousand cuts, walled off from much of the Internet even when they did finally clean up their act.

      And SPEWS does not just block blindly. You're either lying or stupid when you claim that it's just based on who they 'believe' to be spammers. SPEWS keeps documentation for their list entries, and it takes multiple spams and multiple ignored reports to the ISP before the list becomes expanded to include collateral damage.

      The only people who complain about SPEWS are spammers and people who are too pig-headed to be bothered to learn how and why it is used.
  • MailScanner (Score:5, Informative)

    by chicks.net ( 566891 ) <chicks@chicks.net> on Friday December 20, 2002 @09:37AM (#4929405) Homepage Journal
    Honestly, I'm surprised there's still so much division and debate on server-based spam-filtering packages when MailScanner [mailscanner.info] so throroughly trumps the competition. It uses SpamAssassin, it does virus checking, it'll work with any RBL's you like, and it has more features than any other commercial or open source product out there.
  • I'm Disappointed (Score:4, Insightful)

    by TerryAtWork ( 598364 ) <research@aceretail.com> on Friday December 20, 2002 @09:45AM (#4929458)
    I remember when I applied for a Mead mailing list and got a nasty letter back saying 'your SPAM has been rejected!' just because I sent it from a Rogers.com address, so I know what it's like to be blacklisted like in SPEWS, and it sucks. That's not the way to do it.

    Also, this new spam program retaliates and the law is very nasty about vigilantism and retaliation, perhaps because it threatens their monopoly. I don't want to see a spammer WIN in court, do you?

    Also, program like popfile doe a great job of removing spam.

    My advice is to forget kicking the spammers ass and just make their work vanish down a black hole like it will WHEN BAYESIAN TECHNIQUES ARE USED AT THE ISP END hint hint...

    • Yeah, but isn't it better when they KNOW their messages aren't making it to the recipient? If not by using a gray-area deception like 450 (which means "recipient unavailable", then by using the proper 550 Rejected.

      Eventually, someone's going to notice all the 550s in the SMTP log and start worrying. Then maybe they'll try to find a better way to run a business.

    • Re:I'm Disappointed (Score:3, Interesting)

      by Diabolical ( 2110 )
      Also, this new spam program retaliates and the law is very nasty about vigilantism and retaliation,

      The law has nothing to say over this. I'm at total liberty to block access to my site for whoever i want to block. If i block others in the process then that is their problem solely and not that of the lawmakers. Basicly you're stating that just because i have an email address i am not allowed to decide who may and who may not send me email.

      The retaliation you're mentioning is just a message that is being sent back to the spammer who as a result has alot of errormessages in his mailbox, if they used a valid email address that is.

      WHEN BAYESIAN TECHNIQUES ARE USED AT THE ISP END hint hint...

      Now there's a statement i can live with.. ;-)
      • Yes, you are free to block anyone you want at your own site. However, if you operate a service that maintains a list of "known spammers", and people incorrectly listed show you that they are incorrectly listed, and you still won't remove them, you're setting yourself up for libel/slander charges: making statements that are false, with reckless disregard for the truth, that cause financial damage to others.

        Now, I'm sure that services with very precise descriptions are safe: for example, a list of open relays with a procedure to get off the list after you show that you no longer have an open relay.

        • Yes, you are free to block anyone you want at your own site. However, if you operate a service that maintains a list of "known spammers", and people incorrectly listed show you that they are incorrectly listed, and you still won't remove them, you're setting yourself up for libel/slander charges:

          However, if you claim that your list contains IP ranges of ISPs that have harbored spammers and that unlisting might not be immediate then that's definitely not libel.

          Oh... Wait... that's what SPEWS does! See their webpage.

          Let's all click our heels three times and wish that SPEWS' published criteria magically matches whatever we want. Then we can accuse them of libel/slander for not following our fantasy criteria.

    • Bayesian techniques don't work at server level. Bayesian filtering is personal. Just because an email contains (for example) the words "horny slut" doesn't mean it's spam.

      Why?

      Let's say there are two people: person A and person B. Both have example.com -addresses. A uses his accont only for personal stuff, emailing friends and relatives etc. B uses his account for the same stuff, but additionally subscribes to mailing lists where people send erotic stories.

      Now, A starts getting spam "Free herbal viagra", "horny sluts", "get a diploma", and reports these to example.com as being spam. Their bayesian filter learns that words like "horny" and "slut" are very 'spammy', so B's emails from the mailing lists start getting deleted as spam.

      If you were B, and your non-spam emails that might look spammy to some, start to disappear, wouldn't you be pissed?

      Bayesian filtering is (apparently) very effective in catching spam, but it only works on personal level.
      • Ok, point taken.

        So let's try it THIS way - suppose you're an ISP admin and all - or a large number - of your users all get the sort of same message at sort of the same time.

        That's a lot of uncertainty, BUT if Bayesian software can flag that sort of thing, and I think it can, we can build a great tool here.

  • Use a Teergrube (Score:4, Informative)

    by Brett Glass ( 98525 ) on Friday December 20, 2002 @09:53AM (#4929524) Homepage
    What Theo should be doing, instead of sending a 5xx response (which, by the way, won't keep the message in the spammer's queue; a 5xx is a final rejection) is to redirect spammers' connections to a Teergrube [iks-jena.de] (a spam "tarpit"). If enough people do this, the spammer will be slowed down greatly.
  • by Gothmolly ( 148874 ) on Friday December 20, 2002 @10:16AM (#4929673)
    Works great for me, thank you DJB! Here's a summary of the spamhouses I've blocked (with a 553 error code) over the past few hours. These never even touch spamassassin.

    64.70.22.99-outbound1.lamailer.com
    209.236.32.1 57-
    216.19.164.127-127.opti9.com
    65.126.119.178- formulatedmail.com
    64.201.128.3-netblock-64-201-1 28-3.stanfordintl.co m
    66.216.111.187-mail213.rm23.com
    63.96.237.154-
    216.109.73.35-om40.yourmailsoure.com
    211.90.191 .61-
    204.73.107.103-
    209.189.49.102-
    209.123.11 1.22-mail.dmx4.com
    216.19.163.204-204.sbase30.com
    63.70.105.139-ntls1.digitalriver.com
    66.197.162 .15-
    209.47.251.15-smtp5.rapid-e.net
    209.236.57. 176-mtsbp512.email-deliveries.net
    202.103.64.43-
    66.216.116.78-mail153.myfunsleuth.com
    65.107.195 .162-
    209.213.210.18-mailer18.labeldaily.com
    200 .206.207.206-200-206-207-206.terra.com.br
    66.216. 115.56-mail16.justforyou-mail.com
    64.119.213.95-p assionup.com
    66.216.107.233-mail233.dealdelivery. com
    • For half of those addresses, why not just block EVERYTHING from the domains that are obvious bulk mailers, rather than just from a specific smtp relay node? So based on what you posted, blocked anything from rapid-e.net, email-deliveries.net, etc.
  • 550 is a temporary denial. 553 is a permanent failure (rblsmtpd switch is "-b"). spammers usually just move on to another host if they keep getting 553's. 550s tell them to keep on trying, which is bad on the receiving mail server if you're getting a pretty heavy load.

    on a side note, i would advise against using the spews.org list. it is almost impossible to get off of that list. they recently decided to put a few /23's and /22's of a network that i run, just because abuse@domain.com did not respond fast enough. The only way to get off of that list is to post to a newsgroup, and just hope they read your posting and take off the ban. That means it is a total manual process on their side to remove you.

    in my eyes, using something like sbl.spamhaus.org or/and relays.ordb.org is a much better solution. If you are going to go the DNSBL route, and you should, i would advise you figure out how to run your own DNSBL so you can quickly add and remove hosts that are mailbombing your server.

    • Correct me if I'm wrong, I do not have the RFC handy, but isn't a 5xx error a perminant error, and a 4xx error a transient error? Both 550 and 553 shoud indicate a non-recoverable error and the email should be returned as such to the sender.

      Also if you want to tie up resource on the sending server use 4xx errors. The email wil sit on the sending server taking up space, and processing time. Which may or may not give you some pleasure. This will cost you in some tiny amount of bandwidth.....

  • I use something very similar, MessageWall(.org). This is a smtp proxy with excellent filtering. So no need for something new.
  • by wowbagger ( 69688 ) on Friday December 20, 2002 @10:34AM (#4929743) Homepage Journal
    I won't go into the validitiy of using SPEWS as a blocklist - there are good arguments pro and con there.

    But here's a twist to the basic idea:

    Given the the email sender is in $BLOCKLIST, have the filter daemon give the 450 response

    v... e... r... y... ... s... l... o... w... l... y...

    Combine a teergrube with the 450 response to fill up both their mail spool AND their socket connection table.

    (For those who don't know, a teergrube (tarbaby) is a mail server that response slowly to a spammer, the better to tie up his connections).

    Now, not only will the open relay's mail queue fill, but it will run out of (file descriptors|sockets) and choke on that too!
  • If message has a '!' in the title, delete.

  • by Anonymous Coward on Friday December 20, 2002 @10:48AM (#4929867)
    Between Theo's erroneous statements, implying that SPEWS is a list of open relays, and some of the whiners in here bitching about "don't use SPEWS because they're too aggressive," I thought it would be handy to note a couple of things.

    SPEWS is not a list of open mail relays. SPEWS (Spam Prevention Early Warning System) is a list of "spam sources." Some of those spam sources may be open relays. Some of 'em may be open proxies. Some of 'em may be spammers themselves (e.g.: Topica).

    Regarding those that have found yourselves SPEWSed, yet are not, themselves, spammers: I'm sorry you've found yourselves in that situation. But, you see, kinder, gentler methods have been tried for years and have not solved the problem. It only continued to grow worse. And whether you like it or not: SPEWS works. I've never, in all the years I've been battling spam, ever seen ISPs boot spammers off their networks like I have since their netblocks started getting SPEWSed. You blame SPEWS for your problems but the truth of the matter is this: you've chosen to use an irresponsible ISP for your connectivity. If your ISP had been responsive to spam complaints, their netspace wouldn't have gotten SPEWSed.

    Note: my personal net space was SPEWSed once. For a short while. But my ISP is a good one. They addressed the problem promptly and got their space delisted.

    • Wrong. Spews maintains multiple listings for various kinds of spam sources and facilitators. See their webpage at http://www.spews.org for more information.
    • You should address another, common, misconception.

      SPEWS does not block mail.
      ISPs choose to block mail individually, on their own. Some ISPs choose to use one of SPEWS's lists (they keep two, one more 'aggressive' than the other) as a reference for blocking, but SPEWS itself does NOT prevent your mail from reaching its destination.

      Anyone who claims otherwise is either ignorant or lying.
  • While some of the spam detecting algorithim's are cool and innovative they are still prone to circumvention. The best spam blocker I have ever seen used whitelist blocking. If I did not send you a message you cannot send me one unless you go to a web page and entered the reason that I should see your message.

    This blocked 100% of the spam period ...
  • What tools in Linux would one need to do the following:

    Setup a pop3 server / smtp server so that email can be sent and received.

    Filter spam / easily add filters to this pop3 / smtp server on the same box.

    Also be able to check OTHER accounts on OTHER pop3 servers, download them, and filter out the same spam / things marked as spam.

    Noobie proof is a good thing too.

    PS - If BSD does it better then linux, post those tools as well. Maybe make it a chalange to see which OS can do said request better. Could win32 win (heh) ?
  • by honold ( 152273 ) on Friday December 20, 2002 @11:47AM (#4930242)
    the point is to punish open relays, not to block spam. the mail has to be retried for days, wasting network bandwidth and space.

    if a signifigant number of people were to employ this, open relays would become crushed and filled with their own load.
  • by dananderson ( 1880 ) on Friday December 20, 2002 @12:39PM (#4930682) Homepage
    I think what Theo did was great and I can't wait until it gets out into the mainstream.

    However, I find it funny (hypercritical) that the weblog is hosted by a ISP that tolerates spam, Hurricane Electric. Specifically:

    • Hurricane Electric's customers include major spammers, such as Bulk ISP Corp.
    • Hurricane Electric's customers often show up in my spam trap, usually harvesting email addresses.
    • Hurricane Electric's mail servers have open relays, which allows spammers to spam using their servers. Yes, I know it makes it easier for HE's customers to read email anywhere, but it allows spammers to flood others with spam also.
    I'm sure others can add more, but I have other things to do . . .
  • Having 550 messages sent based on a bayesian filter such as bogofilter [sourceforge.net] is the best/most adaptive way to handle the problem. Open relay lists have a greater statistical probability of blocking legit email. The challenge this represents is that, unlike with Spews, you have to have clients which convey back to the server which emails get marked as spam.
  • Spammers are frustrating because they disturb you, there is no way to track them down, and you can't get them to stop.

    Spews is exactly the same.

    1. They disturb legitimate users: I run a business hosting an email customer support application (Neotonic.com [neotonic.com]). It is very important for us to get email support replies thorough to customers. Numerous times our IP addresses have ended up on the Spews blocklist because of some unsolicited mail sender in the same 256 address subnet. At most colocation facilities, ten or more companies share the same subnet, and it is not easy to change your IP addresses.
    2. There is no way to track them down: Organizations like MAPS are judicious about how they block IP addresses. They do NOT block entire subnets unless there is cause, and they have an organized appeals process to take care of their oversights. Spews has no such facilities. In fact, the only centralized item in spews is the spews.org website.
    3. You can't get them to stop: They block entire ISPs, and their FAQ says that I'm a victim of "rare inadvertant blocking". The trouble is, we followed their advice, we moved to a new colocation, with an entirely new bandwidth provider, and our new IPs are also spews blocked. There is no organization to appeal to, there is no way to get this fixed.
    Legitimate users like us can't keep changing IP addresses because SPEWS is too aggressive and has no organized process. If you want to use a spam advisory system, use MAPS RBL [mail-abuse.org].

    Spews is worse than the spammers, because at least I can ignore the spammers.

    • > Legitimate users like us can't keep changing IP addresses because SPEWS is too aggressive and has no organized process. If you want to use a spam advisory system, use MAPS RBL [mail-abuse.org].
      >
      > Spews is worse than the spammers, because at least I can ignore the spammers.

      If you want an effective spam advisory system that actually lists spamhausen, use SPEWS.

      SPEWS is better than MAPS, because the spammers discovered they could ignore MAPS.

UNIX enhancements aren't.

Working...