Re: [Asrg] Solving spam == Solving zombies/botnets

2008-12-04 21:32:25
J.D. Falk wrote:
> On 04/12/2008 23:59, "Chris Lewis" <clewis(_at_)nortel(_dot_)com> wrote:
>
>> Barry Shein wrote:
>>> On December 3, 2008 at 23:24 sethb(_at_)panix(_dot_)com (Seth) wrote:
>>>> Most of my 419s come from Yahoo.
>>> Well, since we're now debating about what amounts to a knowable fact
>>> does anyone know of any reliable sources for this information?
>> I should think Seth is pretty reliable about what his own spam load
>> looks like ;-)
>>
>> The point that Seth (and Steve) is really making here is that while BOTs
>> are 80-90% of all spam and IP blocking works well against them, there
>> are other classes of spam where IP blocking doesn't work nearly as well.
>
> What's often forgotten here, though, is that those big ISPs who have
> outbound spam problems have those problems not because of incompetence or
> malfeasance, but because of those very same botnets attacking their
> registration & webmail interfaces.

I'm not forgetting it, nor was I ascribing blame.  Simply pointing out a
fact of life - the large free mails _do_ get infiltrated and spew spam.
The methods you might use against a compromised machine (blacklisting)
are much less effective unless you don't mind zapping legit email.
Which we don't want to do.  Unless it gets as ridiculous as we've seen
it get sometimes (like when gmail's output surpassed 95% Nigerian and
Tiscali's was indistinguishable from 100%).

Secondly, the problem no longer appears to be primarily BOTNET.  There
seem to be just two currently major classes of spam related to the
freemail/freeweb suppliers: Nigerian horde invasions, and a form of blog
spamming.  Neither of which involve BOTNETs attacking the freemails
directly.

Nigerians aren't particularly sophisticated.  They don't need to use
BOTNETs - they can buy accounts from "captcha services" for a buck or
less per thousand or do it themselves.  There's enough of them that they
can repeatedly log in, cut-and-paste, without resorting to BOTNETs.
These are incredibly difficult to deal with - at least at my end, I can
just block their servers, but trying to rein it in from the sending side
isn't.  I _know_ how hard it was to stop it at their end.

The other form is creating free web pages, and turning them either into
proxies to spam pages, or hosting the whole thing.  At one point, quite
recently, more than 10% of _all_ spam was pharmacy and gambling sites
advertised via live.com URLs.  The anjelina virus of a month or two ago
(also >10% of all spam) was by similar lifefilestore.com links.  The
spam wasn't being sent via MSN, it was being sent by BOTNET.  I _think_
the web sites were being created by some sort of automated process
(because the link names were consistent length random strings), but, it
didn't need the services of a BOTNET to do it - just a single program
instance chugging away - and perhaps changing IPs periodically.

[The problem with live.com is that the department involved with the
live.com stuff didn't seem to want to care about it.  It took a
concerted effort by many (including others within MSN) to make them pay
attention and nuke the sites - they weren't before.  At one point less
than two weeks ago, I was reporting several hundred _every_ hour,
representing spam volumes into my trap of _more_ than 100,000 per hour.]

> But in any case, the all-too-common cry to blame the big ISPs has two
> effects:

I intended no blame.  Just pointing out reality.  It happens, and it's a
big problem that for the most part can't be resolved by blacklisting.
Ignoring it won't make the problem go away.  Ignoring it wouldn't have
gotten the live.com folks finally doing something about it.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg