Dean Anderson wrote:
> Brian Carpenter asked that the subject be changed. I've also removed the
> IESG from the cc-list.
>
> Doug, you've been misled. Inline.
>
> On Wed, 22 Jun 2005, Doug Royer wrote:
>
> > I have not been following this topic closely. To the point of open
> > relays being a problem. I think that the judgment as to if open relays
> > are a problem or not depends on which spam lists you are on. With my
> > system and by grep-ing through my last 4 weeks of logs there were
> > 22,870 of 26,157 spams blocked by my usage of two open relay DNS-black
> > lists, blocking them from 14,131 UNIQUE IP addresses.
>
> You cannot know from logs whether you are blocking spam or ham. You can
> only see that you blocked messages. Like many before you, you've been
> misled, but you probably feel much better thinking that you are blocking
> spam.
Of the two of us, you would NOT HAVE A CLUE about whether I can or cannot read and understand my own logs :-) I have been programming, administering, and building OSes for BSD and UNIXes for about 27 years, and for the last few years Linux. When the logs do not tell me what I want, I modify the tool to produce the logs I want. I am sure that those 22,000+ spams were blocked by the DNS list that "says" it's an open relay list, by SORBS and the other one.
> I'm not sure which blacklists you consider to be "open relay" blacklists.
Which is why you HAVE NO CLUE about my system or how I CAN read my logs :-)
> Note that 235.245.195.212 is not allocated. This is a forged header.
> 66.59.238.35 isn't running an open relay. Indeed, I could not find a
> single open relay spam in a sample of 15 of the 605 spams I've received
> in the last 24 hours. But I did find forged headers pretending to be open
> relay. Though that is also becoming the exception. Much spam doesn't even
> bother with forged headers.
I do NOT rely on ANY information from the content of SPAM to tell me anything. I use the getpeername() OS call to get the IP of the remote sending system - live as they send it.
> > If it were not for open-relay DNS black lists, I could not run my
> > company.
>
> These are probably doing you more harm than you realize. Or are you a
> promoter? (There are basically two kinds of users of these blacklists:
> the misled, who don't know, and the promoters, who know and don't care.)
Neither. I am one that can NOT run my business without blacklists, as I would spend my time reading 26,000 spams per month and not running my business. I have no choice; I have to filter them out. And SORBS seems to get a HUGE percentage of them. Again, this is by trial and error and I do NOT just trust them. Try FOO-list, try BAR-LIST, repeat until the percent of spam goes down.
> Most "open relay" blacklists are revenge lists, and while they may block
> some real spam [or possibly block pretend spam that they generated--they
> call this "mailbombing"], their purpose is revenge and extortion. This is
> well documented: ORBS and its successors, SORBS, Osirusoft, Monkeys.org,
> IMRSS. Most people "in the know" know that none of these blacklists are
> suitable for blocking spam, and few ISPs or professional mail staff use
> them. You will just wind up blocking non-spam email. Very few people use
> these lists. We can tell:
The -ONLY- complaints I ever got I check out myself. I manually connected to those sites, and guess what - they were OPEN RELAYS! I think over the last year (estimated 300 hundred thousand blocked messages to my PERSONAL email box), I only got 5 or so complaints.

And ALL of them were open relays. 4 of them were hotels where people sent me personal email while they traveled. And all 4 of those hotels' whois contacts that I notified told me they would fix the problem of their open relay. And all 4 of them did. And the rest (just a handful or so at the most) ignored me. And only ONE complaint in the last year was email I wanted. That is almost ZERO false positives (that ONE was in fact from an open relay site). In all cases reported to me the email came from a site that was an open relay. The reason that ISPs might not use them is because they have a large variety of users, some of which have local access providers that have open relays. So the ISPs would be blocking their own customers. And because large ISPs have, almost daily, one of their virtual host customers' sites hacked and used to proxy spam. They would be blocking themselves.
> We have been blocked by these lists since 1997, and have very little
> problem with their "blocking". This is due to the relatively low number
> of "subscribers". Last month, we had just 2 issues with SORBS. Yet SORBS
> blocks all of our IP address space claiming it to be hijacked. Both
> issues were with university student-run servers (GATech and UCLA).
> Neither University's professionally-operated mail systems used SORBS. We
> had no problem getting in touch with the professional University IT
> staff who told us in both cases that the offending servers were
> student-run, and who the student administrators were. One student admin
> was very surprised to find out about SORBS. He said SORBS was recommended
> by some web site, and he didn't know its revenge-oriented nature and
> false claims. He seemed genuinely surprised, and after verifying for
> himself, genuinely shocked and apologetic. The other admin was different:
> He was clearly aware of SORBS, and was very belligerent, telling me to
> "see figure 1", and other things. His supervisor, however, was surprised,
> and much less willing to block non-spam email. Both quit blocking.
All irrelevant to me. I can't spend time reading 22,000+ emails per month just to find out if 5 or so were false positives.
> See http://www.pathname.com/~corpus/NET.age for some stats on how much
> spam and ham is blocked by SORBS and other blacklists. The NET.age corpus
> isn't that big, but still interesting because it is hand sorted into spam
> and ham and compared. SORBS is the only blacklist whose "Hijacked"
> category blocks ham.
Interesting, but not consistent with my data and logs. SORBS has multiple lists. Which ones do they use?
> > About 90% of the spam that is in my logs seems to be from open relays.
>
> You are probably being "mailbombed" by the blacklist. I have found that
> blacklist subscribers sometimes have uniquely interesting spam profiles.
> If your blacklist is way more "effective" than it should be, something is
> fishy. Much spam is sent by residential machines, and many residential
> ISPs use DHCP. ...
About 1/2 of the IP addresses that are blocked seem to be DHCP addresses (just a guess by looking). My spot checking shows that about 1/4 are fake PayPal, bank, or other phishing sites, mostly from Asia. About 1/100 are in languages I can't read (non-English messages), and I do not care if those are false positives (relays) or not.

> So their IP addresses naturally change over relatively short periods.
> Ordinary blacklists should have difficulty keeping up with this. Indeed,
> it should be just about impossible to keep up with DHCP on millions of
> residential computers. When the blacklist knows the dynamic IP address of
> the abuser before it conducts abuse, something is wrong.
Many of the blacklist sites update their IPs from their honeypots multiple times per day. It does not take much to auto-check them for open relay in real time. Just take the REAL connect from IP address and connect to port 25 and try it. I sometimes turn off my usage of black lists and spot check the results. I have not found ANY false positive in the last few months.
> I rather doubt that one person is responsible for 60% of your (or anyone
> else's) spam.
I suspect the 60% is intentional. I helped several of my customers block him. One sent him email telling him that 'Doug' found you. The next day I got about 30,000 spams that made it past SORBS (first one hit from that IP block, I guess). I do think that 60% of the email is a form of DoS attack. I'll send you his name in private email. I think he is from Australia. I know the name he uses; I am still tracking him down. At this point, I'll take this off the ietf list and we can continue this between ourselves.

--->>> I set the Reply-To of this message to me.

--
Doug Royer | http://INET-Consulting.com
-------------------------------|-----------------------------
We Do Standards - You Need Standards
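The mechanism the two of them are arguing over, as an added example that is not part of this thread or either author's code: a DNSBL lookup on the connecting peer's address (the getpeername() result Doug mentions), done the way an MTA does it, with the answer's last octet telling you which sub-list of an aggregate zone matched so that you can log a "hijacked"-type hit without rejecting on it. The zone name dnsbl.example.net, the sub-list code table and the canned answers are constructed for the demo; a real zone documents its own codes.

```python
import socket
from ipaddress import IPv4Address

# Constructed code table for a HYPOTHETICAL aggregate DNSBL zone: such zones
# answer 127.0.0.x and x names the sub-list that matched. Replace it with the
# codes documented by the zone you actually query.
SUBLIST_CODES = {2: "open-relay", 3: "open-proxy", 4: "spam-source",
                 5: "dynamic-ip", 6: "hijacked"}
# Policy: reject only on sub-lists we trust; other hits are logged, not blocked.
REJECT_ON = {"open-relay", "open-proxy", "spam-source"}

def dnsbl_query_name(ip, zone):
    # Lookup name is the peer's octets reversed, under the zone; bad IP -> ValueError.
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    # OS resolver; NXDOMAIN means "not listed", so return an empty answer list.
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def lookup_sublists(ip, zone, resolve):
    # Names of the sub-lists that list ip, in answer order.
    hits = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        parts = answer.split(".")
        if parts[:3] != ["127", "0", "0"]:
            # Not a listing: a wildcarded or taken-over zone. Never block on it.
            continue
        hits.append(SUBLIST_CODES.get(int(parts[3]), "unknown-" + parts[3]))
    return hits

def decide(ip, zone, resolve=system_resolve):
    # SMTP-time decision for the connecting peer (the getpeername() address).
    hits = lookup_sublists(ip, zone, resolve)
    if any(h in REJECT_ON for h in hits):
        return "reject", hits
    return ("accept-logged" if hits else "accept"), hits

# Constructed offline stand-in for the zone (TEST-NET addresses, nothing real).
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],
    "20.2.0.192.dnsbl.example.net": ["127.0.0.6"],
    "30.2.0.192.dnsbl.example.net": ["127.0.0.3", "127.0.0.6"],
    "40.2.0.192.dnsbl.example.net": ["203.0.113.1"],  # wildcarded zone
}
def fake_resolve(name):
    return FAKE_ZONE.get(name, [])
```

Calling decide() with the default resolver sends a real query to the zone you configure, so keep the fake resolver for tests and turn on logging of the returned sub-list names before deciding which ones to reject on.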
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf