
Re: SpamOps claims about Email Authentication and open relays

2005-06-25 14:58:51
Enough, gentlemen, please.

    Brian

Doug Royer wrote:


Dean Anderson wrote:

Brian Carpenter asked that the subject be changed. I've also removed the IESG from the cc-list.

Doug, you've been misled. Inline.


On Wed, 22 Jun 2005, Doug Royer wrote:

I have not been following this topic closely.
To the point of open relays being a problem.

I think that the judgment as to whether open relays are a problem
or not depends on which spam lists you are on.

With my system and by grep-ing through my last 4 weeks of logs
there were 22,870 of 26,157 spams blocked by my usage of two open
relay DNS-black lists blocking them from 14,131 UNIQUE IP addresses.



You cannot know from logs whether you are blocking spam or ham. You can
only see that you blocked messages. Like many before you, you've been
misled, but you probably feel much better thinking that you are blocking spam.


Of the two of us, you would NOT HAVE A CLUE about if I can or
can not read and understand my own logs :-)

I have been programming, administering, and building OSes
for BSD and UNIXes for about 27 years, and for the last few
years Linux.

When the logs do not tell me what I want, I modify the tool
to produce the logs I want.

I am sure that those 22,000+ spams were blocked by the DNS
list that "says" it's an open relay list by SORBS and the other one.


I'm not sure which blacklists you consider being "open relay" blacklists.


Which is why you HAVE NO CLUE about my system or how I CAN read my logs :-)

Note that 235.245.195.212 is not allocated. This is a forged header.
66.59.238.35 isn't running an open relay. Indeed, I could not find a
single open relay spam in a sample of 15 of the 605 spams I've received in
the last 24 hours. But I did find forged headers pretending to be open
relay. Though that is also becoming the exception. Much spam doesn't even
bother with forged headers.


I do NOT rely on ANY information from the content of SPAM to tell me
anything. I use the getpeername() OS call to get the IP of the remote
sending system - live as they send it.

If it were not for open-relay DNS black lists, I could not run my
company.



These are probably doing you more harm than you realize. Or are you a
promoter? (there are basically two kinds of users of these blacklists: The
misled who don't know, and the promoters, who know and don't care)


Neither, I am one that can NOT run my business without blacklists, as
I would spend my time reading 26,000 spams per month and not running
my business. I have no choice, I have to filter them out. And SORBS
seem to get a HUGE percentage of them.  Again, this is by trial
and error and I do NOT just trust them. Try FOO-list,
try BAR-LIST, repeat until the percent of spam goes down.

Most "open relay"  blacklists are revenge lists, and while they may block
some real spam [or possibly block pretend spam that they generated--they
call this "mailbombing"], their purpose is revenge and extortion. This is
well documented: ORBS and its successors, SORBS, Osirusoft, Monkeys.org,
IMRSS. Most people "in the know" know that none of these blacklists are
suitable for blocking spam, and few ISPs or professional mail staff use
them. You will just wind up blocking non-spam email. Very few people use
these lists. We can tell:


The -ONLY- complaints I ever got I check out myself. I manually
connected to those sites, and guess what - they were OPEN RELAYS!

I think over the last year (estimated 300 hundred thousand blocked
messages to my PERSONAL email box), I only got 5 or so complaints.
And ALL of them were open relays. 4 of them were hotels where people
send me personal email while they traveled. And all 4 of those hotels
whois contacts that I notified told me they would fix the problem of
their open relay. And all 4 of them did. And the rest (just a handful
or so at the most) ignored me. And only ONE complaint in the last year
was email I wanted.

That is almost ZERO false positives (That ONE was in fact
from an open relay site). In all cases reported to me the email
came from a site that was an open relay.

The reason that ISPs might not use them is because they have a
large variety of users, some of which have local access providers
that have open relays. So the ISPs would be blocking their own
customers.

And because large ISPs have, almost as a daily occurrence,
one of their virtual host customers' sites hacked and used
to proxy spam. They would be blocking themselves.

We have been blocked by these lists since 1997, and have very little
problem with their "blocking". This is due to the relatively low number of
"subscribers".  Last month, we had just 2 issues with SORBS. Yet SORBS
blocks all of our IP address space claiming it to be hijacked.  Both
issues were with university student-run servers (GATech and UCLA). Neither
University's professionally-operated mail systems used SORBS. We had no
problem getting in touch with the professional University IT staff who
told us in both cases that the offending servers were student-run, and who
the student administrators were. One student admin was very surprised to
find out about SORBS. He said SORBS was recommended by some web site, and
he didn't know its revenge-oriented nature and false claims. He seemed
genuinely surprised, and after verifying for himself, genuinely shocked
and apologetic. The other admin was different: He was clearly aware of
SORBS, and was very belligerent, telling me to "see figure 1", and other
things. His supervisor, however, was surprised, and much less willing to
block non-spam email.  Both quit blocking.


All irrelevant to me. I can't spend time reading 22,000+ emails
per month just to find out if 5 or so were false positives.

See http://www.pathname.com/~corpus/NET.age for some stats on how much
spam and ham is blocked by SORBS and other blacklists. The NET.age corpus
isn't that big, but still interesting because it is hand sorted into spam
and ham and compared.  SORBS is the only blacklist whose "Hijacked"
category blocks ham.


Interesting, but not consistent with my data and logs.
SORBS has multiple lists. Which ones do they use?

About 90% of the spam that is in my logs seems to be from open
relays.


You are probably being "mailbombed" by the blacklist.  I have found that
blacklist subscribers sometimes have uniquely interesting spam profiles.
If your blacklist is way more "effective" than it should be, something is
fishy.  Much spam is sent by residential machines, and many residential
ISPs use DHCP. ...


About 1/2 of the IP address that are blocked seem
to be from DHCP addresses (just a guess by looking).

My spot checking shows that about 1/4 is fake PayPal, Bank, or
other phishing sites. Mostly from Asia. About 1/100 is in
languages I can't read (non-English messages) and I do
not care if those are false positives (relays) or not.

So their IP addresses naturally change over relatively
short periods. Ordinary blacklists should have difficulty keeping up with
this---Indeed, it should be just about impossible to keep up with DHCP on
millions of residential computers.  When the blacklist knows the dynamic
IP address of the abuser before it conducts abuse, something is wrong.


Many of the blacklist sites update their IPs from their honeypots
multiple times per day. It does not take much to auto-check them
for open relay in real time. Just take the REAL connect from IP
address and connect to port 25 and try it.

I sometimes turn off my usage of black lists and spot check the results.
I have not found ANY false positive in the last few months.

I rather doubt that one person is responsible for 60% of your (or anyone
else's) spam.


I suspect the 60% is intentional. I helped several of my customers
block him. One sent him email telling him that 'Doug' found you.
The next day I got about 30,000 spams that day that made it
past SORBS (first one hit from that IP block I guess).

I do think that 60% of the email is a form of DOS attack.

I'll send you his name in private email.
I think he is from Australia. I know the name he uses, I am
still tracking him down.

At this point, I'll take this off the ietf list
and we can continue this between ourselves.

  --->>> I set the Reply-To of this message to me.
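As an added illustration, not code from this thread or from either participant, here is the mechanics of the DNS-based blacklist lookup Doug relies on: reverse the connecting peer's octets, query them under the list zone, read the 127.0.0.x answer code, and run the RFC 5782 health check (127.0.0.2 listed, 127.0.0.1 not) so a dead or wildcarded zone cannot silently block every sender. The code mapping, the zones dnsbl.example and dead.example, and the stub resolver are constructed assumptions; real lists publish their own code tables.

```python
import ipaddress
import socket

# Assumed example map of 127.0.0.x answer codes to sub-list names for a
# zone such as dnsbl.sorbs.net; each real list publishes its own table.
EXAMPLE_CODES = {
    "127.0.0.5": "smtp (open relay)",
    "127.0.0.6": "spam source",
    "127.0.0.10": "dul (dynamic/DHCP address)",
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the octets of a dotted quad and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects junk input
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Live resolver: A-record answers, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def lookup(ip, zone, codes=EXAMPLE_CODES, resolve=system_resolver):
    """Sub-lists the address is on; [] means not listed. Answers outside
    127.0.0.0/8 are ignored: they mean a parked/wildcarded zone, not a hit."""
    hits = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in LOOPBACK:
            hits.append(codes.get(answer, "unknown code " + answer))
    return hits

def list_is_sane(zone, resolve=system_resolver):
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing this (e.g. a dead list answering everything) would
    block every sender, so stop consulting it."""
    return (bool(resolve(dnsbl_query_name("127.0.0.2", zone)))
            and not resolve(dnsbl_query_name("127.0.0.1", zone)))

# Constructed offline stub in place of DNS: one relay listing plus a
# "dead" zone that answers every query with a wildcard A record.
def stub_resolver(name):
    if name.endswith(".dead.example"):
        return ["203.0.113.9"]
    return {"4.3.2.198.dnsbl.example": ["127.0.0.5"],
            "2.0.0.127.dnsbl.example": ["127.0.0.2"]}.get(name, [])
```

Pass the address returned by getpeername() on the live SMTP connection, never an address taken from Received headers, since those are forgeable.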


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
