Archive for the 'anti spam' Category

Email authentication is not anti-spam

Wednesday, January 10th, 2007

There’s a common misconception about spam, email, and email authentication;
Matt Cutts has been the most recent promulgator, asking ‘Where’s my authenticated email?’,
in which various members of the comment thread consider this as an anti-spam
question.

Here’s the thing — email these days is authenticated. If you send a mail
from GMail, it’ll be authenticated using both SPF and DomainKeys. However,
this alone will not help in the fight against spam.

Put simply — knowing that a mail was sent by ‘jm3485 at massiveisp.net’ is
not much better than knowing that it was sent by IP address 192.122.3.45,
unless you also know that you can trust ‘jm3485 at massiveisp.net’. Spammers
can (and do) authenticate themselves.

Authentication is just a step along the road to reputation and accreditation, as Eric Allman notes:

Reputation is a critical part of an overall anti-spam, anti-phishing system
but is intentionally outside the purview of the DKIM base specification
because how you do reputation is fundamentally orthogonal to how you do
authentication.

Conceptually, once you have established an identity of an accountable entity
associated with a message you can start to apply a new class of
identity-based algorithms, notably reputation. … In the longer term
reputation is likely to be based on community collaboration or third party
accreditation.

As he says, in the long term, several vendors (such as Return Path and Habeas)
are planning to act as accreditation bureaus and reputation databases,
undoubtedly using these standards as a basis. Doubtless Spamhaus have similar plans, although they’ve not mentioned it.

But there’s no need to wait — in the short term, users of SpamAssassin and
similar anti-spam systems can run their own personal accreditation list, by
whitelisting frequent correspondents based on their DK/DKIM/SPF records,
using whitelist_from_spf, whitelist_from_dkim, and whitelist_from_dk.

Hopefully more ISPs and companies will deploy outbound SPF, DK and DKIM as time
goes on, making this easier. All three technologies are useful for this
purpose (although I prefer DKIM, if pushed to it ;).

It’s worth noting that the upcoming SpamAssassin 3.2.0 can be set up to run
these checks upfront, “short-circuiting” mail from known-good sources with valid
SPF/DK/DKIM records, so that it isn’t put through the lengthy scanning process.
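The distinction the post draws, that authentication identifies a sender while only a local accreditation list lets you act on that identity, can be written down as a decision routine. The Python below is an added example for this page, not SpamAssassin's code: it models a `whitelist_from_dkim`/`whitelist_from_spf`-style list of glob patterns and a short-circuit decision that fires only when the message is both authenticated and on the list. The `Authentication-Results` header format (RFC 8601 form), the addresses, and the requirement that the SPF-authenticated envelope sender equal the From: address are all assumptions of this model; SpamAssassin's own matching differs in detail.

```python
import fnmatch

# A personal accreditation list in the style of SpamAssassin's
# whitelist_from_dkim / whitelist_from_spf entries. Entries are globs, as in
# SpamAssassin's whitelist_from family; the addresses are constructed.
TRUSTED = {
    "dkim": ["alice@massiveisp.net", "*@colleagues.example"],
    "spf": ["*@lists.example.org"],
}

SHORTCIRCUIT_HAM = "short-circuit: ham"
SCAN = "scan"   # no decision from authentication alone: run the full ruleset


def parse_auth_results(header):
    """Parse an Authentication-Results header value (assumed RFC 8601 form:
    'authserv-id; method=result ptype.prop=value ...') into
    {method: (result, {ptype.prop: value})}."""
    stanzas = [s.strip() for s in header.split(";")]
    results = {}
    for stanza in stanzas[1:]:            # stanzas[0] is the authserv-id
        if not stanza:
            continue
        tokens = stanza.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def on_list(addr, patterns):
    """Glob match of an address against the accreditation list."""
    return any(fnmatch.fnmatchcase(addr.lower(), p.lower()) for p in patterns)


def decide(from_addr, auth_results_header):
    """Short-circuit only when an identity has both verified AND is on the
    local list. A verified-but-unknown identity (the spammer who signs his
    own mail) gets no credit and goes through the normal scan."""
    results = parse_auth_results(auth_results_header)
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    dkim = results.get("dkim")
    if dkim:
        result, props = dkim
        # The signing domain must be the From: domain, so a valid signature
        # from some other domain cannot vouch for a forged From: address.
        if (result == "pass"
                and props.get("header.d", "").lower() == from_domain
                and on_list(from_addr, TRUSTED["dkim"])):
            return f"{SHORTCIRCUIT_HAM} (dkim)"

    spf = results.get("spf")
    if spf:
        result, props = spf
        # Model simplification: the SPF-authenticated envelope sender must
        # equal the From: address as well as match the list.
        if (result == "pass"
                and props.get("smtp.mailfrom", "").lower() == from_addr
                and on_list(from_addr, TRUSTED["spf"])):
            return f"{SHORTCIRCUIT_HAM} (spf)"

    return SCAN


if __name__ == "__main__":
    cases = [
        # authenticated, but nobody we know: no decision, full scan
        ("jm3485@massiveisp.net", "mx.example.org; dkim=pass header.d=massiveisp.net"),
        # authenticated and on the list: skip the lengthy scan
        ("alice@massiveisp.net", "mx.example.org; dkim=pass header.d=massiveisp.net"),
        # on the list, but the signature failed: treat as a possible forgery
        ("alice@massiveisp.net", "mx.example.org; dkim=fail header.d=massiveisp.net"),
        # list entry matched via SPF on the envelope sender
        ("announce@lists.example.org",
         "mx.example.org; spf=pass smtp.mailfrom=announce@lists.example.org"),
    ]
    for addr, ar in cases:
        print(f"{addr:28} {ar:60} -> {decide(addr, ar)}")
```

The first case is the post's point in miniature: the message is fully authenticated and still gets no special treatment, because the decision comes from the list, not from the signature.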

That’s not to say Matt doesn’t have a point, though. There are questions about
deployment — why can’t I already run “apt-get install
postfix-dkim-outbound-signer” to get all my outbound mail transparently signed
using DKIM signatures? Why isn’t DKIM signing commonplace by now?

This post was written by Justin, source: Email authentication is not anti-spam

How to deal with joe-jobs and massive bounce storms

Wednesday, January 10th, 2007

As I’ve noted before, we still have a major problem with sites generating
bounce/backscatter storms in response to forged mail — spam, viruses, and so
on. These sites have a broken mail configuration, but there are still
thousands of them out there, since it’s very hard to fix an old mail setup to
avoid this issue. As a result, a single spam run can concentrate the volume
of response bounces in a Smurf-attack-style volume multiplication, and this
acts as a serious denial of service; I’ve regularly had serious load problems
and backlogs on my MX due solely to these bounces.

However, I think I’ve now solved it, with only a little loss of functionality.
Here’s how I did it, using Postfix and SpamAssassin.

Firstly, note that if you adopt this, you will lose functionality.
Third party sites will not be able to generate bounces which are sent
back to senders via your MX — except during the SMTP transaction.

However, if a message delivery attempt is run from your MX, and it is bounced
by the host during that SMTP transaction, this bounce message will still be
preserved. This is good, since this is basically the only bounce scenario that
can be recommended, or expected to work, in modern SMTP.

Also, a small subset of third-party bounce messages will still get past, and be
delivered — the ones that are not in the RFC-3464 bounce format generated
by modern MTAs, but that include your outbound relays in the quoted header.
The idea here is that “good bounces”, such as messages from mailing lists
warning that your mails were moderated, will still be safe.

OK, the details:

In Postfix

Ideally, we could do this entirely outside Postfix — but in my experience,
the volume (amplified by the Smurf attack effects) is such that these
need to be rejected as soon as possible, during the SMTP transaction.

In my Postfix configuration, on the machine that acts as MX for my domains –
edit ‘/etc/postfix/header_checks’ and add these lines:

/^Return-Path: <>/                              REJECT no third-party DSNs
/^From:.*MAILER-DAEMON/                         REJECT no third-party DSNs
/^Content-Type: multipart\/report; /            REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; /     REJECT no third-party DSNs

Edit ‘/etc/postfix/main.cf’, and ensure it contains this line:

header_checks = regexp:/etc/postfix/header_checks

Now restart Postfix.
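The header_checks table above can be exercised offline before it goes live on an MX. The Python below is an added example written for this page (it is not part of the post and not Postfix's code): it reproduces the four regexes and runs them over three constructed messages: a forged-sender DSN, a groupware-style DSN with a non-empty Return-Path, and a mailing-list moderation notice of the kind the post says should still be delivered. All addresses and hosts are made up, and the header walk is a simplified model of how Postfix applies the table (case-insensitive matching, one unfolded line per header, and the same table applied to MIME part headers because `mime_header_checks` and `nested_header_checks` default to `$header_checks`).

```python
import re
import textwrap
from email import message_from_string

# The four patterns from /etc/postfix/header_checks above, as Python regexes.
# Postfix regexp: tables match case-insensitively by default, and a folded
# header is matched as one unfolded line; both behaviours are mirrored here.
ACTION = "REJECT no third-party DSNs"
HEADER_CHECKS = [
    re.compile(r"^Return-Path: <>", re.I),
    re.compile(r"^From:.*MAILER-DAEMON", re.I),
    re.compile(r"^Content-Type: multipart/report; ", re.I),
    re.compile(r"^Content-Type: message/delivery-status; ", re.I),
]


def header_lines(raw):
    """Yield unfolded 'Name: value' lines for the top-level headers and for
    the headers of every MIME part. Postfix's mime_header_checks and
    nested_header_checks default to $header_checks, so part headers face
    the same table; this walk models that default."""
    msg = message_from_string(raw)
    for part in msg.walk():
        for name, value in part.items():
            yield f"{name}: {' '.join(str(value).split())}"


def check_message(raw):
    """Return (matching header line, action) for the first hit, or None if
    the message would pass these header_checks."""
    for line in header_lines(raw):
        for pattern in HEADER_CHECKS:
            if pattern.search(line):
                return line, ACTION
    return None


# --- constructed sample messages (addresses and hosts are made up) --------

# A bounce sent in response to spam that forged one of our addresses.
FORGED_DSN = textwrap.dedent("""\
    Return-Path: <>
    Received: from broken-mta.example by mx.example.org
    From: MAILER-DAEMON@broken-mta.example (Mail Delivery System)
    To: jm@example.org
    Subject: Undelivered Mail Returned to Sender
    Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

    --dsn1
    Content-Type: text/plain

    Your message could not be delivered.
    --dsn1
    Content-Type: message/delivery-status

    Action: failed
    --dsn1--
    """)

# A groupware-style DSN with a non-empty Return-Path and a 'postmaster'
# sender: only the multipart/report pattern catches this one.
GROUPWARE_DSN = textwrap.dedent("""\
    Return-Path: <postmaster@groupware.example>
    From: postmaster@groupware.example
    To: jm@example.org
    Subject: Delivery failure
    Content-Type: multipart/report; report-type=delivery-status; boundary="gw1"

    --gw1
    Content-Type: text/plain

    Delivery failed.
    --gw1--
    """)

# A "good bounce": a mailing-list moderation notice that quotes our relay in
# the held message's headers. It is not in RFC 3464 format, so it passes.
MODERATION_NOTICE = textwrap.dedent("""\
    Return-Path: <listname-bounces@lists.example>
    From: listname-owner@lists.example
    To: jm@example.org
    Subject: Your message to listname awaits moderator approval
    Content-Type: text/plain

    Your mail has been held for moderation. The original headers were:
      Received: from relay.example.org by lists.example
    """)


if __name__ == "__main__":
    for label, raw in [("forged DSN", FORGED_DSN),
                       ("groupware DSN", GROUPWARE_DSN),
                       ("moderation notice", MODERATION_NOTICE)]:
        print(f"{label:18} -> {check_message(raw) or 'accepted'}")
```

One detail worth knowing before copying the table: the last two patterns end in `; `, so a part header that reads exactly `Content-Type: message/delivery-status` with no parameter after it is not matched by them. In the samples it is the `Return-Path: <>` and `multipart/report` lines that trigger the reject, which is also what happens with most real DSNs.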

In SpamAssassin

Install the Virus-bounce ruleset. This will catch challenge-response mails,
“out of office” noise, “virus scanner detected blah” crap, and bounce mails
generated by really broken groupware MTAs — the stuff that gets past the
Postfix front-line.

Once you’ve done these two things, that deals with almost all the forged-bounce
load, at what I think is a reasonable cost. Comments welcome…

This post was written by Justin, source: How to deal with joe-jobs and massive bounce storms

Spam zombies — we need to cure the disease, not suppress the symptoms

Thursday, December 28th, 2006

Here’s a great presentation from Joe St Sauver, presented at the London Action
Plan meeting recently: Infected PCs Acting As Spam Zombies: We Need to Cure
the Disease, Not Just Suppress the Symptoms

Some key points in brief:

Despite all our ongoing efforts: the spam problem continues to worsen, with
nine out of every ten emails now spam; spam volume has increased by 80% over
just the past few months and users face a constantly morphing flood of
malware trying to take over their computers. Bottom line: we’re losing the
war on spam.

The root cause of today’s spam problems is spam zombies, with 85% of all spam
being delivered via spam zombies.

The spam zombie problem grows worse every day (with over ninety one million
new spam zombies per year).

Users don’t, won’t, or can’t clean up their infected PCs; and ISPs can’t be
expected to clean up their infected customers’ PCs.

Filtering port 25 and doing rate limiting is like giving cough syrup to
someone with lung cancer — it may suppress some overt symptoms but it
doesn’t cure the underlying disease.

Filtered and rate-limited spam zombies CAN still be used for many, many OTHER
bad things, and they represent a huge problem if left to languish in a live
infected state.

Joe’s take — “we’re in the middle of a worldwide cyber crisis”. I agree.
He suggests a new strategy:

It is common for universities to produce and distribute a one-click
clean-up-and-secure CD for use by their students and faculty. It’s now time
for our governments to produce and distribute an equivalent disk for everyone
to use.

I agree the existing schemes are clearly not working; this is an interesting
suggestion. Read/listen to the presentation in full for more details; pick up PDF, PPT and video here.

This post was written by Justin, source: Spam zombies — we need to cure the disease, not suppress the symptoms

Massive spam volumes causing ISP delays

Wednesday, December 27th, 2006

Via Steve Champeon’s daily links, the following spam-in-the-news stories
illustrate a rising trend:

Huge amounts of spam are said to be responsible for delays in the email
network of NZ ISP Xtra.

Several customers have vented their frustrations on an Xtra website message
board saying some emails were days late, The New Zealand Herald reports.

… Record volumes of spam meant such problems would be “an unfortunate and
on-going reality of the internet not specific to any provider”, he said.

Mr Bowler said Telecom had invested “tens of millions of dollars” in email
and anti-spam software and worked closely with two of the world’s leading
anti-spam vendors.

Holiday spam e-mails are to blame for slowing message delivery to faculty and
staff in schools across Kentucky …

“Some 123-reg customers may have experienced intermittent delays in their
emails in the last two weeks. We had received a particularly high level of
image-based spam attacks over a short period of time,” the Pipex subsidiary
said.

Small businesses are threatening legal action over continuing glitches with Xtra’s email service and the Consumers’ Institute says they may have a case.

Several people have contacted the Herald complaining that delays and non-deliveries of emails over the past three weeks on the Xtra network are severely affecting their businesses. …

The institute’s David Russell said home users could claim compensation for email delays if they had suffered “a real measurable loss”.

Non-commercial customers were covered by the Consumer Guarantees Act and services they paid for had to be of a “reasonable quality”.

Although it might be more difficult for small business owners, they could also have a case, Mr Russell said. “If there has been a considerable amount of money, they could consider legal action or, if the amount was smaller, they could go through the disputes tribunal.”

In other words, the DDOS-like elements of the spam problem are becoming an
increasing worry; even with working spam filtering in place, the record size of
zombie botnets means that spammers can now destroy organisations’ computing
infrastructure, almost accidentally.

Spammers don’t care if an organisation’s infrastructure collapses while they’re
sending their spam to it — they just want to maximise exposure of their spam,
by any means necessary. If that requires knocking a company off the air
entirely for a while, so be it.

I’m not sure what can be done about this, in terms of filtering. It may
finally be time to fall back to a “side channel” of trusted, authenticated SMTP
peers, and leave the spam-filled world of random email from people and
organisations you don’t know to one side, as a lower-priority system which can
(and will, frequently) collapse, without affecting the ‘important’ stuff.
What a mess. :(

Alternatively, maybe it’s time for governments to start putting serious money
into botnet-spam-related arrests and prosecution.

This has additional issues for ISPs, too, btw — I wonder if Earthlink
are taking note
of that Xtra lawsuit story above….

This post was written by Justin, source: Massive spam volumes causing ISP delays

An anti-challenge-response Xmas linkfest

Thursday, December 14th, 2006

As all right-thinking people know by now, Challenge-response spam filtering is
broken and abusive, since it simply shifts the work of filtering spam out of
your email, onto innocent third-parties — either your legitimate
correspondents, people on mailing lists you read, or even random people you
have never heard of (due to spam blowback).

I’ve ranted about this in the past,
but I’m not alone in this opinion — and frequently find myself explaining it.
To avoid repeating myself, here’s a canonical collection of postings from
around the web on this topic.

Description: This “selfish” method of spam filtering replies to all email with a “challenge” - a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

  1. Does not scale: If everyone used this method, nobody would ever get any mail.
  2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
  3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
  4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

C-R systems in practice achieve an unacceptably high false-positive rate
(non-spam treated as spam), and may in fact be highly susceptible to
false-negatives (spam treated as non-spam) via spoofing.

Effective spam management tools should place the burden either on the
spammer, or, at the very least, on the person receiving the benefits of the
filtering (the mail recipient). Instead, challenge-response puts the burden
on, at best, a person not directly benefitting, and quite likely (read on) a
completely innocent party. The one party who should be inconvenienced by spam
consequences — the spammer — isn’t affected at all.

Worse: C-R may place the burden on third parties either inadvertently (via
spoofed sender spam or virus mail), or deliberately (see Joe Job, below).
Such intrusions may even result in subversion of the C-R system out of
annoyance. Many recent e-mail viruses spoof the e-mail sender, including
Klez, Sobig variants, and others.

The collateral damage from widely used C/R systems, even with implementations
that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness,
this was written in 2003.]

Challenge systems have effects a lot like spam. In both cases, if only a few
people use them they’re annoying because they unfairly offload the
perpetrator’s costs on other people, but in small quantities it’s not a big
hassle to deal with. As the amount of each goes up, the hassle factor
rapidly escalates and it becomes harder and harder for everyone else to use
e-mail at all.

I’m skeptical of CR as a response to email. If you’re the first on your block
to adopt CR, and if nobody else uses anti-spam technology, then CR might
provide you some modest benefit. But it’s hard to see how CR can be widely
successful in a world where most people use some kind of spam defense.

If these systems are so brain-dead as to not bother adding my address to the
whitelist when the user sends me e-mail, I have serious trouble understanding
why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s
no mail header to warn me that “this message is from a TDMA user”, because
then I’d be able to procmail ‘em right to /dev/null where they belong.

Ugh.

This bullshit is not going to “solve” the spam problem, people. If that’s
your solution, please let me opt out. Forever.

C/R slows down and impedes communication by placing unwanted barriers between
you and your clients/suppliers.

If you must insist on using some form of C/R please make sure that you
whitelist my address before you contact me as I will not reply to challenges.

We will not answer any challenges generated in response to our mailing list
postings. Thus, if you’re using a challenge-response system and not receiving
TidBITS, you’ll need to figure that out on your own. Also, if you send us a
personal note and we receive a challenge to our reply, we may or may not
respond to it, depending on our workload at the time.

uol.com.br uses a very broken method of anti-spam. Every time someone sends an
email message to one of their members, they send back a verification message,
asking the original sender to click a link before they will allow the message
through. These messages are themselves a form of spam, and the resulting
back-scatter of these messages is altogether bad for the Internet, the UOL
member, and all of the UOL member’s contacts. UOL is aware of the complaints
against them, and they refuse to correct the issue, claiming that their
members love the service.

I hate C/R systems. With a passion. I absolutely will not respond to them.
They go in the trash. I don’t get them very often but I get them more and
more. I think they have the potential to seriously damage email communication
as we know it. And I’m not alone in this opinion.

Phew.

This post was written by Justin, source: An anti-challenge-response Xmas linkfest

Backscatter in InformationWeek

Tuesday, December 5th, 2006

Yay! Kudos to Richi Jennings, who’s been trumpeting the dangers of backscatter to InformationWeek recently.
It’s a great article. I particularly like how it digs up this impressively off-the-mark quote:

Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings’s assertion that challenge-based filtering has problems. “Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that’s out there in the marketplace that somehow challenge/response makes the problem worse,” he says. “The real issue is that filters don’t work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore.”

hahahaha. Well, since last Thursday, “very very rarely” translates as “214 MB of backscatter in my inbox”. The facts aren’t on Tal Golan’s side here…

(PS: SpamAssassin 3.2.0 will include backscatter detection.)

This post was written by Justin, source: Backscatter in InformationWeek

Using qpsmtpd and Amazon EC2 to provide SMTP-DDoS protection

Tuesday, November 28th, 2006

Like a few other anti-spammers, I found myself under a hitherto-unprecedented
level of spam blowback this weekend. Disappointingly, there are still
thousands of SMTP servers configured to send bounce messages in response to
spam.

Even with the anti-bounce ruleset for SpamAssassin, the volume was so great
that our creaky old server had a lot of difficulty keeping up — once
the messages got to SpamAssassin, the load issues had already been created.
Also, Postfix’s anti-spam features really weren’t designed to deal with
blowback.

While attempting to take some shortcuts in the setup on our server to deal with
this, a great idea occurred to me — why not come up with an app that uses Amazon EC2 to flexibly provision enough
server power and bandwidth to pre-filter the SMTP traffic for an MX under
attack?

I’m basically thinking of qpsmtpd, with SpamAssassin and/or other antispam blobs active, running in an Amazon EC2 server image. Multiple images can be brought up, and added to the attacked domain’s MX record at an equal priority, to take load off the main (overloaded) MX.

Now to cogitate a little — details to follow…

This post was written by Justin, source: Using qpsmtpd and Amazon EC2 to provide SMTP-DDoS protection

Spam filter evasion self-defeating?

Friday, November 24th, 2006

Donncha asks, is spam self-defeating?

has anyone else noticed that the new generation of gif based stock-trading
spams are getting really hard to read? In the last one I had to squint and
look really carefully to find out what stock was hot and a sure-buy today!

I’ve been wondering about this, too. We continually push spammers further and
further from comprehensibility, since comprehensible spam is easily-filtered
spam, but the spam flood doesn’t stop. In fact, spam volumes have shot up
higher than ever.

My theory is that it’s a symptom of the spam side of things being a market in
itself (and an inefficient, scam-heavy one at that).

IMO, the people providing the underlying products advertised in “high-end” spam
— the pill-peddlers and stock pumpers — no longer control the technical
details of how or where the spam is sent. Instead, they are the customers of
professional spam gangs who do that, and who take care of the obfuscation,
filter-evasion, etc.

In other words, the pill-peddlers and scam operators are getting ripped off,
too. They think their products or scams will be advertised in a comprehensible
manner, in readable emails; but instead, odd, opaque 3-word messages with “cut
and paste this” lines, hidden inside filter-evasion text and bits of Project
Gutenberg, are what gets delivered to the victims.

I can’t imagine the clickthrough rates are exactly stellar on that.
So I’d guess the spammers are responding by pushing up volumes to attempt
to increase clickthrough/sales volumes. Wonder if it’s working or not?

This post was written by Justin, source: Spam filter evasion self-defeating?

PhishTank now supported by SpamAssassin

Thursday, October 19th, 2006

Thanks to Jeff Chan of the SURBL project, data from PhishTank is now being included in the SURBL ‘ph’ anti-phishing list.

This means it’s now supported by all existing versions of SpamAssassin from 3.0.0 onwards. Good news, and thanks to Jeff and the OpenDNS guys!

This post was written by Justin, source: PhishTank now supported by SpamAssassin

VISA and priorities

Wednesday, October 18th, 2006

A couple of years ago, various anti-spammers discussed how the credit-card payment processing companies were perfectly placed to disrupt the spam economy, by tracking down spammers through “poison pill” transactions. Nothing happened from that, though, and spam is now a bigger problem than ever.

Today, I hear that the Russian MP3 site, AllOfMP3, have lost their account
with Visa to process credit-card payments.

In other words, it sounds like the banks are happy
enough to close off filesharing, but couldn’t be bothered dealing with spam…

This post was written by Justin, source: VISA and priorities

Anti-spam group under attack — via ICANN

Monday, October 9th, 2006

[This is a copy of an article I submitted to ICANNWatch.]

Spamhaus, the UK-based non-profit that runs the SBL and XBL anti-spam DNS
blocklists, is reportedly facing serious legal trouble in the US.

A US-based spam gang has started legal action to have Spamhaus’ domain name
confiscated by ICANN, and reportedly, Spamhaus may have been advised badly by
their US legal people; so there is now a danger that they *may* indeed
lose their domain, and possibly worse.

Note that Spamhaus is entirely UK-based, bar some mirrors; however, the
proposed order is aimed at ICANN, which is US-based. This is the really
tricky part; can a US company kill the domain of a non-US group?

According to anti-spam lawyer Matthew Prince, ‘there may be some time before
ICANN is formally ordered to shut down the Spamhaus domain, but make no
mistake that ICANN’s lawyers will be considering their options beginning first
thing Monday, if they haven’t already begun the conference calls tonight’ …
‘In the end, [ICANN’s] decision is likely to be much more about setting a
general policy than the specific details of who Spamhaus is or why they are
critical for the Internet. ICANN will desperately want to stay out of this
dispute, but they are subject to U.S. law and they will probably have
attorneys who will argue they need to follow it. All it will take for this
to end badly for Spamhaus is one lawyer at ICANN getting a little bit
spooked and Spamhaus could lose not only its .org but potentially any
other TLD that ICANN controls.’

This is interesting — if Spamhaus is forced to close down its domains and
US-based mirrors, that will mean that the SBL and XBL blocklists will be
down for a while, too. Typically those are used for up-front blocking,
and if my servers are any indication, they take care of 75% of incoming
spam before it hits any more CPU-intensive filtering.

Without those, there’ll be a lot of sites around the net suddenly dealing
with quadrupled spam volumes hitting their MTAs.

This post was written by Justin, source: Anti-spam group under attack — via ICANN

Some p0f Data From Craig

Tuesday, October 3rd, 2006

Regarding the use of p0f, passive OS fingerprinting, as an anti-spam measure — on top of this analysis which I linked to a few weeks back, one of the emeritus SA guys, Craig Hughes, sends over some p0f experiences. Handily, this includes a more detailed breakdown by OS release:

I’ve been using the SA p0f plugin for nearly a month or so now both on
gumstix’s web server and my hughes-family.org
server, and it actually looks like it could be pretty useful. So far I’ve
just been scoring 0.001 for each OS to collect data, but here’s the results
amavis has logged:

This breakdown shows what %age of the stuff coming in via OS xyz is spam or
ham. ie 84.6% of all mail received from Windows-2000 is spam, 14.9% is ham
(the rest is viruses). The first numeric column is number of messages of
each type. Statistics are only since the last time amavis restarted:

On his home machine (comcast cable modem connection) :

spam.byOS.Windows-2000 438 1/h 84.6 %
spam.byOS.Linux 417 1/h 18.3 %
spam.byOS.Windows-XP 265 1/h 97.8 %
spam.byOS.UNKNOWN 135 0/h 55.1 %
spam.byOS.Windows-XP/2000 24 0/h 100.0 %
spam.byOS.Novell 5 0/h 100.0 %
spam.byOS.Windows-98 3 0/h 60.0 %
spam.byOS.Windows-2003 2 0/h 66.7 %
spam.byOS.FreeBSD 2 0/h 1.3 %
spam.byOS.Solaris 1 0/h 1.8 %
spam.byOS.Windows-SP3 1 0/h 100.0 %
ham.byOS.Linux 1851 6/h 81.2 %
ham.byOS.FreeBSD 143 0/h 96.0 %
ham.byOS.UNKNOWN 102 0/h 41.6 %
ham.byOS.Windows-2000 77 0/h 14.9 %
ham.byOS.Solaris 56 0/h 98.2 %
ham.byOS.NetCache 6 0/h 100.0 %
ham.byOS.Windows-XP 6 0/h 2.2 %
ham.byOS.Tru64 2 0/h 100.0 %
ham.byOS.AIX 2 0/h 100.0 %
ham.byOS.Windows-98 2 0/h 40.0 %
ham.byOS.Windows-2003 1 0/h 33.3 %

On gumstix.com (hosted at some provider in Texas):

spam.byOS.Windows-2000 401 1/h 58.4 %
spam.byOS.Windows-XP 131 0/h 92.9 %
spam.byOS.UNKNOWN 64 0/h 18.7 %
spam.byOS.Windows-XP/2000 29 0/h 96.7 %
spam.byOS.FreeBSD 11 0/h 4.1 %
spam.byOS.Linux 11 0/h 0.5 %
spam.byOS.Windows-98 6 0/h 85.7 %
spam.byOS.Solaris 4 0/h 3.3 %
spam.byOS.Windows-SP3 2 0/h 100.0 %
ham.byOS.Linux 1983 4/h 97.6 %
ham.byOS.UNKNOWN 277 0/h 80.8 %
ham.byOS.Windows-2000 271 0/h 39.4 %
ham.byOS.FreeBSD 253 0/h 93.7 %
ham.byOS.Solaris 116 0/h 96.7 %
ham.byOS.NetCache 40 0/h 100.0 %
ham.byOS.Windows-XP 9 0/h 6.4 %
ham.byOS.Windows-NT 7 0/h 70.0 %
ham.byOS.Novell 3 0/h 100.0 %
ham.byOS.Windows-XP/2000 1 0/h 3.3 %
ham.byOS.Windows-98 1 0/h 14.3 %
ham.byOS.Windows-2003 1 0/h 100.0 %

my home machine has a lot more relayed mail coming to it (all my
various craig@* email addresses forward into there) which is probably
why the linux spam rate is higher there — the relaying machines are
probably running linux and forwarding spam through.

Interesting figures — but I’m still not convinced that the correlation
is quite high enough to form a good enough basis for solid anti-spam rules;
reliable rules in the SpamAssassin core typically have over 95% accuracy at
differentiating ham from spam (at least when we first check them in).

Update: it’s a natural for use as a Bayes token, though. The way amavisd-new implements p0f support is perfect for this use.

BTW, my guess is that many of the spam hits for “linux” are due to things like Netgear/Linksys routers, running embedded linuces. No evidence, just guessing ;)
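The counters Craig quotes reduce directly to the question raised above: does any OS label reach the roughly 95% accuracy expected of a core rule? The Python below is an added example for this page, not Craig's or amavisd-new's code. It parses the `spam.byOS.*` / `ham.byOS.*` lines from the home-machine listing (copied from the post), merges the spam and ham counts per OS, and reports the labels whose spam or ham share reaches a threshold. The 0.95 threshold is the post's figure; the minimum sample of 20 messages is an assumption added here; and the computed shares differ slightly from the listing's own percentages because the listing's denominator also includes virus hits.

```python
import re
from collections import defaultdict

# One counter line as amavisd-new logged it in the post, e.g.
#   spam.byOS.Windows-2000 438 1/h 84.6 %
COUNTER = re.compile(r"^(spam|ham)\.byOS\.(\S+)\s+(\d+)\s+\d+/h\s+[\d.]+ %$")

# The home-machine listing from the post (page data, copied as printed).
HOME_MACHINE = """\
spam.byOS.Windows-2000 438 1/h 84.6 %
spam.byOS.Linux 417 1/h 18.3 %
spam.byOS.Windows-XP 265 1/h 97.8 %
spam.byOS.UNKNOWN 135 0/h 55.1 %
spam.byOS.Windows-XP/2000 24 0/h 100.0 %
spam.byOS.Novell 5 0/h 100.0 %
spam.byOS.Windows-98 3 0/h 60.0 %
spam.byOS.Windows-2003 2 0/h 66.7 %
spam.byOS.FreeBSD 2 0/h 1.3 %
spam.byOS.Solaris 1 0/h 1.8 %
spam.byOS.Windows-SP3 1 0/h 100.0 %
ham.byOS.Linux 1851 6/h 81.2 %
ham.byOS.FreeBSD 143 0/h 96.0 %
ham.byOS.UNKNOWN 102 0/h 41.6 %
ham.byOS.Windows-2000 77 0/h 14.9 %
ham.byOS.Solaris 56 0/h 98.2 %
ham.byOS.NetCache 6 0/h 100.0 %
ham.byOS.Windows-XP 6 0/h 2.2 %
ham.byOS.Tru64 2 0/h 100.0 %
ham.byOS.AIX 2 0/h 100.0 %
ham.byOS.Windows-98 2 0/h 40.0 %
ham.byOS.Windows-2003 1 0/h 33.3 %
"""


def parse_counters(text):
    """Merge spam and ham message counts per OS label."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in text.splitlines():
        m = COUNTER.match(line.strip())
        if m:
            kind, os_name, n = m.group(1), m.group(2), int(m.group(3))
            counts[os_name][kind] += n
    return {k: dict(v) for k, v in counts.items()}


def rule_candidates(counts, accuracy=0.95, min_messages=20):
    """Return {os: (verdict, share)} for labels whose spam or ham share among
    classified messages reaches `accuracy` (the post's ~95% figure for core
    rules). `min_messages` is an assumed floor so that a handful of messages
    cannot qualify a label on its own."""
    out = {}
    for os_name, c in counts.items():
        total = c["spam"] + c["ham"]
        if total < min_messages:
            continue
        spam_share = c["spam"] / total
        if spam_share >= accuracy:
            out[os_name] = ("spam", spam_share)
        elif 1 - spam_share >= accuracy:
            out[os_name] = ("ham", 1 - spam_share)
    return out


if __name__ == "__main__":
    counts = parse_counters(HOME_MACHINE)
    for os_name, (verdict, share) in sorted(rule_candidates(counts).items()):
        print(f"{os_name:18} {verdict:5} {share:6.1%}  "
              f"(spam={counts[os_name]['spam']}, ham={counts[os_name]['ham']})")
```

On the home-machine data only Windows-XP and Windows-XP/2000 clear the bar on the spam side, and FreeBSD and Solaris on the ham side; Linux, Windows-2000 and UNKNOWN fall well short, which is the point made above about the correlation being too weak for a hard rule while still being usable as one input among many.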

This post was written by Justin, source: Some p0f Data From Craig

Linus on Bayesian filtering

Monday, October 2nd, 2006

Linus Torvalds, in a post to linux-kernel today:

I’m sorry, but spam-filtering is simply harder than the bayesian word-count
weenies think it is. I even used to know something about bayesian
filtering, since it was one of the projects I worked on at uni, and dammit,
it’s not a good approach, as shown by the fact that it’s trivial to get
around.

I don’t know why people got so excited about the whole bayesian thing. It’s
fine as one small clause in a bigger framework of deciding spam, but it’s
totally inappropriate for a “yes/no” kind of decision on its own.

If you want a yes/no kind of thing, do it on real hard issues, like not
accepting email from machines that aren’t registered MX gateways. Sure, that
will mean that people who just set up their local sendmail thing and connect
directly to port 25 will just not be able to email, but let’s face it, that’s
why we have ISP’s and DNS in the first place.

But don’t do it purely on some bogus word analysis.

If you want to do word analysis, use it like SpamAssassin does it - with some
Bayesian rule perhaps adding a few points to the score. That’s entirely
appropriate. But running bogo-filter instead of spamassassin is just
asinine.

Me, I like bogofilter — those guys are cool, and it’s a great anti-spam product for many purposes. But of course I have to agree with Linus that the correct approach in most cases is a bigger picture than just Bayes alone, a la SpamAssassin ;)

This post was written by Justin, source: Linus on Bayesian filtering

Don’t use bl.spamcop.net as a blocklist

Thursday, August 17th, 2006

I’ve been hearing increasing reports of false positives using bl.spamcop.net.

One today spurred me to check exactly how often I’m seeing it misfire on
nonspam in my own mail collection. The results have been pretty astonishing.

In my nonspam collection, it fired on 1043 messages out of 8415 in July; 12.4%
of the mail. It gets worse for August, though — 884 messages out of 3729
since the start of August. That’s a staggering 23% of my nonspam mail this
month. ;)

Most of that is due to the listings of GMail and Yahoo! Groups, both of which seem to have been listed for large swathes of the past month and a half.

Now, an important point — it can work pretty well as a single input
to a scoring system, like Spamcop itself or SpamAssassin. In fact, I didn’t lose any mail as a result of those listings; SpamAssassin assigns only 1.5 points to the RCVD_IN_BL_SPAMCOP_NET rule, so it’s easily corrected by other rules.

However, people using it to block or reject spam outright, or who’ve changed the score of the RCVD_IN_BL_SPAMCOP_NET rule, need to turn
that off ASAP — as they are losing mail.
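The difference between using a blocklist as a scored input and using it to reject outright is easy to measure against a nonspam corpus, and that measurement is the check worth running before any DNSBL is wired into an MTA. The Python below is an added example for this page, not SpamAssassin's code: it computes the false-positive rate of a rule over a ham corpus and compares how much nonspam each policy loses. The rule name and its 1.5-point score are from the post and 5.0 is SpamAssassin's default `required_score`; the ham corpus, the other rule names and their scores are constructed stand-ins.

```python
# Rule name and its 1.5-point score are from the post; SpamAssassin's default
# required_score of 5.0 is the threshold. All other rule names, scores and the
# ham corpus below are constructed stand-ins.
BL_RULE = "RCVD_IN_BL_SPAMCOP_NET"
SCORES = {BL_RULE: 1.5, "OTHER_BL_HIT": 2.0, "HTML_ONLY": 1.0, "FROM_FREEMAIL": 0.5}
REQUIRED_SCORE = 5.0

# Constructed nonspam corpus: each entry is the set of rules a message hit.
HAM_CORPUS = [
    {BL_RULE, "FROM_FREEMAIL"},                 # GMail correspondent, listed IP
    {BL_RULE},                                  # Yahoo! Groups post, listed IP
    {BL_RULE, "HTML_ONLY", "OTHER_BL_HIT"},     # listed IP plus two weak signals
    {"HTML_ONLY"},
    set(),
    set(),
    {"FROM_FREEMAIL"},
    {BL_RULE, "FROM_FREEMAIL", "HTML_ONLY"},
]


def false_positive_rate(corpus, rule):
    """Share of nonspam messages on which `rule` fires."""
    return sum(rule in hits for hits in corpus) / len(corpus)


def ham_lost_by_reject(corpus, rule):
    """Nonspam lost if the list is used to reject outright at the MTA:
    every false positive is a lost message."""
    return sum(rule in hits for hits in corpus)


def ham_lost_by_score(corpus, scores, required=REQUIRED_SCORE):
    """Nonspam lost if the list is one scored input among many: a message is
    lost only when all its rule scores together reach the threshold."""
    return sum(sum(scores.get(r, 0.0) for r in hits) >= required
               for hits in corpus)


if __name__ == "__main__":
    print(f"FP rate of {BL_RULE}: {false_positive_rate(HAM_CORPUS, BL_RULE):.1%}")
    print("ham lost by hard reject:      ", ham_lost_by_reject(HAM_CORPUS, BL_RULE))
    print("ham lost at the 1.5 score:    ", ham_lost_by_score(HAM_CORPUS, SCORES))
    # The "changed the score" case from the post: bumping the rule to the
    # threshold turns scoring back into a hard reject.
    bumped = {**SCORES, BL_RULE: REQUIRED_SCORE}
    print("ham lost with the score at 5.0:", ham_lost_by_score(HAM_CORPUS, bumped))
```

Run on the constructed corpus, the rule misfires on half the ham, a hard reject loses all of those messages, scoring at 1.5 points loses none, and raising the rule's score to the threshold loses the same messages as a hard reject.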

This post was written by Justin, source: Don’t use bl.spamcop.net as a blocklist

Todd Underwood on BlueSecurity DDoS

Tuesday, May 9th, 2006

Renesys Blog: The Bluesecurity Fiasco – in which Todd Underwood, CSO for
Renesys Corporation, applies some real-world knowledge of how the internet
works to the “timeline of events” press release, issued by BlueSecurity as
part of their ongoing PR about the DDoS.

Judging by the comments at Slashdot, this really needs to be more widely read.

Here’s some highlights:

The timeline from BlueSecurity […] is frustratingly vague. It uses phrases
like ‘tampering with the Internet backbone using a technique called
“Blackhole Filtering”.’ As Thomas Pogge, a philosophy professor of mine, used
to say: that’s not even wrong yet. There is no “Internet backbone”, there is
no technique known as “Blackhole Filtering”, and blackhole routing is not
normally described as tampering. So the whole explanation is nonsense. […]
Let’s clear one thing up for the press and everyone else: this event just
wasn’t that interesting. The attack against bluesecurity was a
run-of-the-mill denial of service attack.

His conclusion:

I believe that the PR engine from BS is in overdrive spinning this event as
fast as they can. But the concrete facts being put out by them simply do not
add up. In the process they seem to be doing two things: 1) trying to imply
or state that someone at UUnet was bribed by a spammer. This is simply
ridiculous. I know many of the people who work for UUnet and they are honest,
hardworking and extraordinarily clever people. They would not be crooked, or
stupid, enough to do such a thing and if they were, they would have been
trivially caught by change-management procedures. Moreover, such a change at
UUnet (or BTN) wouldn’t have caused the event BS claims to have witnessed
anyway. Additionally, 2) BS is trying to deflect attention from the damage
that they caused at Six Apart. It would be much better if they could just
claim ignorance of the DOS, apologize and move on. I recognize that that
isn’t going to happen, but it sure would make this whole thing easier to
handle.

Well said.

Of course, this is pretty much immaterial — the people who are using Blue
Frog, and vocally supporting Blue Security, don’t really care what happened.
All they care about is that someone is taking some kind of direct action
against spammers, in some way or another, and if there’s a little “friendly
fire” and some bending of the truth, why, this is a war! What, do you support
the spammers?

It’s disappointing — the amount of disinformation being successfully pumped
out (and accepted!) on this story is massive.

This post was written by Justin, source: Todd Underwood on BlueSecurity DDoS

Blue Frog List Leaked?

Monday, May 1st, 2006

Blue Frog is a
company who operates a “Do Not Email” list, on the (optimistic) basis that
spammers will vet their lists against it.

Reportedly, it’s been compromised.
If this is true, I’m not surprised — as Dr. Aviel Rubin’s report to the FTC
of May 2004 regarding a Do-Not-Email list notes:

The scrubbing approach [to running a D-N-E list] requires that a list of live
email addresses exist. While the party owning that list may be well
intentioned, it is unlikely that such a valuable list would not leak out.
History is replete with insider attacks, as well as external break-ins to
highly sensitive sites, such as the Pentagon computers. The Do Not Email
Registry represents the kind of prize that attracts hackers. In this case,
the prize has monetary value as well. Once the list is exposed, there is no
way to undo it.

Also, it’s almost inevitable:

If this service were running for some time, it is more likely than not that
the plaintext addresses would leak at some point, given the history of
computer security incidents.

This post was written by Justin, source: Blue Frog List Leaked?

Phishing and Inept Banks

Friday, April 21st, 2006

John Graham-Cumming asks, ‘Are Citibank crazy?’:

I blogged a while ago about Thunderbird’s phishing filter trapping a
seemingly innocent mail. Now, a reader has forwarded to me a genuine email
from Citibank that he says was trapped by Thunderbird. I’m not going to
reproduce the email here because it contains private details of the user, but
it is a valid Citibank message.

Thunderbird thinks it’s a scam because Citibank uses one of the oldest
phishing tricks in the book. They have a URL displayed in the message that,
when clicked, goes to a totally different URL.

Sadly, this has proven to be really quite common. We’ve investigated using
this rule as a worthwhile phish-detection rule in SpamAssassin, several times,
and without much luck. In fact, we’ve had to create a FAQ entry for it —
since it’s such a superficially attractive, but ultimately useless, idea,
many people have had long discussions on our lists about it!

The companies that produce these false positives in their mails include
American Express, Bed Bath & Beyond, Universal Studios, Microsoft, Hilton
Hotels — and now Citibank.

A couple of other examples from real mails:

  <a href="http://www65.americanexpress.com/clicktrk/Tracking?
    mid=MESSAGEID&msrc=ENG-ALERTS&url=
    https://www.americanexpress.com/estatement/?12345">
    https://www.americanexpress.com/estatement/?12345</a>

  <A HREF="http://echo.epsilon.com/WebServices/EchoEngine/T.aspx?l=ID">
    https://www.hilton.com/en/ww/email/tab_email_subscriptions.jhtml</A>
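The rule under discussion, as an added example that is not code from the post or from SpamAssassin: parse the anchors out of a mail body, compare the host named in the visible link text against the host in the href, and flag the pair when they differ. The sample input is the two legitimate anchors quoted above (line breaks inside the href removed) plus one constructed well-formed link, so running it shows the false positives directly. The org-level comparison (last two DNS labels) is a crude key I added to show that relaxing the rule clears the American Express tracker but still flags Hilton’s third-party ESP host.

```python
"""Added example (not from the post or SpamAssassin): the "displayed URL
differs from link target" heuristic that Thunderbird applied to the Citibank
mail, run over the two legitimate anchors quoted above to show why it
produces false positives."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: the American Express and Hilton anchors quoted in
# the post (line breaks inside the href removed), plus one well-formed link.
SAMPLE_HTML = """
<a href="http://www65.americanexpress.com/clicktrk/Tracking?mid=MESSAGEID&msrc=ENG-ALERTS&url=https://www.americanexpress.com/estatement/?12345">https://www.americanexpress.com/estatement/?12345</a>
<A HREF="http://echo.epsilon.com/WebServices/EchoEngine/T.aspx?l=ID">https://www.hilton.com/en/ww/email/tab_email_subscriptions.jhtml</A>
<a href="https://www.example.net/login">https://www.example.net/login</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element; HTMLParser
    lowercases tag and attribute names, so <A HREF=...> is handled too."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def org_label(host):
    """Crude 'same organisation' key: the last two DNS labels.  Assumption
    for this example; a real filter would consult the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def find_mismatches(html, org_level=False):
    """Return (shown_host, target_host) for anchors whose visible text is a
    URL pointing at a different host than the href.  With org_level=True,
    hosts under the same second-level domain are treated as matching."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    key = org_label if org_level else (lambda h: h)
    flagged = []
    for href, text in parser.anchors:
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain-text link labels are not what this rule is about
        shown, target = hostname(text), hostname(href)
        if key(shown) != key(target):
            flagged.append((shown, target))
    return flagged


if __name__ == "__main__":
    for shown, target in find_mismatches(SAMPLE_HTML):
        print(f"mismatch: shows {shown}, goes to {target}")
    print("org-level:", find_mismatches(SAMPLE_HTML, org_level=True))
```

Both quoted anchors trip the strict rule, exactly as the Citibank mail did; even the relaxed comparison still flags the Hilton mail, because its click-tracking goes through an unrelated domain. That is the shape of the problem: legitimate mass-mailers route links through tracking hosts, so the heuristic cannot separate them from phishers.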

By the way, it really is quite impressive for a bank as heavily phished as
Citibank to still be making this kind of basic mistake in their mail-outs!
It reinforces a point I made in a mailing list posting recently:

As far as I can see, the approach taken by pretty much all banks to their
online services is simply too bureaucratic, hide-bound, and fundamentally
driven by their marketing departments, to ever cope effectively with
phishing. :(

(For what it’s worth, I know Citi have some smart people working there; but the rest of the company needs to start paying attention to them.)

This post was written by Justin, source: Phishing and Inept Banks

DearAOL and GoodMail

Thursday, March 2nd, 2006

Things have really been heating up recently around the AOL/Goodmail “pay to
send” CertifiedMail scheme — the EFF and a host of other groups have launched
dearaol.com, stating:

This system would create a two-tiered Internet in which affluent mass emailers could pay AOL a fee that amounts to an “email tax” for every email sent, in return for a guarantee that such messages would bypass spam filters and go directly to AOL members’ inboxes. Those who did not pay the “email tax” would increasingly be left behind with unreliable service. Your customers expect that your first obligation is to deliver all of their wanted mail, and this plan is a step away from that obligation.

While I dislike this proposal, too, as far as I can tell, AOL actually have
pretty reasonable intentions with this program — nowhere near as bad as the
DearAOL.com site makes out.

However, they’re doing a really really crappy job of getting this information
out there, or committing to reasonable limits on the program, such as
announcing that they will use it only for transactional emails, as Yahoo! have
done.

I’d strongly recommend reading Carl Hutzler’s posting on the subject. Carl
was AOL’s head of anti-spam operations until last year, so he really knows
what he’s talking about, and he lays it out clearly — a lot more clearly than
any corporate statements from AOL do. His blog contains a fair bit more on the
subject, too.

But seriously — why isn’t there a press release on the AOL site about this
scheme? Some front-channel communication about now might be useful, I’d
suggest, before things really get hairy — this crapstorm is coming about
partly because AOL’s comments are all filtering out in drips and drabs via
third parties, and (AOLers say) are being misconstrued and misrepresented in
the process. It’s a classic case of missing the cluetrain.

I’d also really encourage the EFF people to tone down the rhetoric; statements
like “senders will have no guarantee that their emails will be delivered” are
scare-mongering, given that SMTP email already provides no such guarantee.

Update: wow, MoveOn went really overboard — “threatening the Internet as we know it … The very existence of online civic participation and the free Internet as we know it are under attack.” OMG the sky is falling!

Side Issue: The Spam Definition

Also, another note to EFF: defining spam as “whatever you don’t want to
read” is a terrible mistake to make. That confuses a good, clear, enforceable
and automatable definition of spam – unsolicited bulk email – and makes it
effectively unenforceable by law, unpoliceable by ISPs, impossible to detect
automatically, and incompatible with existing, effective EU and Australian
legislation.

Listen to your own Chairman of the Board; he’s right on this count.

PS: any luck fixing up the non-confirmed signups issue? Last time I checked I
could still subscribe any address to the EFF Action Alerts without a
cross-check, which is not a good thing.

This post was written by Justin, source: DearAOL and GoodMail

Spamhaus comment on the AOL/Goodmail deal

Tuesday, February 7th, 2006

AOL and Yahoo! have been making a lot of headlines with their plans to reduce
their whitelist-management workload — and make a little pay-to-send money on
the side — with a deal with Goodmail.

Now Spamhaus have gone on the record against the plan:

On Monday, Richard Cox, chief information officer at antispam organization
Spamhaus, said that “an e-mail charge will destroy the spirit of the
Internet.”

“The Internet has become what it is because of freedom of communication. Open
discussion is what gives it value. There should be no cost for particular
services, and e-mail should be free and accessible to all. This will
disenfranchise people.”

This post was written by Justin, source: Spamhaus comment on the AOL/Goodmail deal

Weblog Spam and Adversarial Classification

Monday, January 30th, 2006

Dr. Dave, author of the Spam Karma WordPress antispam plugin, has posted an
interesting article about new weblog-spammer tactics:

These spams do not present most of the idiotic traits of their lower
colleagues: they do not try cramming hundreds of URLs or inserting hundreds
of easily spotted junk keywords in the comment content. Instead, they use
only the dedicated name and homepage fields to sneak in spam URL and
keywords. The comment content is often perfectly innocuous, sometimes even
topical (by copying parts of another comment or a trackbacking post). All in
all, these spams could easily be missed by a human moderator who wouldn’t
look carefully at the contact name and URL.

(Thanks to Kelson Vibber for the pointer
to this.)

In other words, he is noting what we noticed in email anti-spam; that what
works well one year, is likely to degrade over time as the spammers attempt to
evade it, and one has to keep working to keep up.
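The tactic Dr. Dave describes, as an added example that is not code from the post or from Spam Karma: score a weblog comment on every field the submitter controls, not just the body, so that a comment whose body is innocuous but whose name and homepage fields carry the payload is still caught. The keyword list, point weights, threshold and both sample comments are constructed for illustration.

```python
"""Added example (not from the post or from Spam Karma): score a weblog
comment on every submitter-controlled field, so that spam with an innocuous
body but a keyword-laden name and homepage is still caught.  Keyword list,
weights, threshold and sample comments are all constructed."""
import re
from urllib.parse import urlsplit

# Hypothetical keyword list; a real filter would use a maintained one.
SPAM_KEYWORDS = ("casino", "poker", "viagra", "mortgage")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def score_text(text):
    """Points for a free-text field: 2 per spam keyword, 3 per embedded URL."""
    low = text.lower()
    keywords = sum(2 for k in SPAM_KEYWORDS if k in low)
    return keywords + 3 * len(URL_RE.findall(low))


def score_homepage(url):
    """Points for the homepage field: keywords in the hostname or path
    (hyphens stripped so 'best-poker-bonus' still matches)."""
    parts = urlsplit(url)
    blob = f"{parts.hostname or ''}{parts.path}".lower().replace("-", "")
    return sum(2 for k in SPAM_KEYWORDS if k in blob)


def classify(comment, fields=("name", "homepage", "body"), threshold=3):
    """Return (is_spam, per-field points).  Passing fields=("body",)
    reproduces a body-only filter for comparison."""
    points = {}
    for field in fields:
        value = comment.get(field, "")
        points[field] = score_homepage(value) if field == "homepage" else score_text(value)
    return sum(points.values()) >= threshold, points


# Constructed samples: the metadata-field tactic from the quote above, and an
# ordinary comment.
METADATA_SPAM = {
    "name": "Online Poker Rooms",
    "homepage": "http://best-poker-bonus.example/",
    "body": "Great post, I completely agree with the point made above.",
}
ORDINARY = {
    "name": "Regular Reader",
    "homepage": "http://www.example.org/",
    "body": "Nice write-up, thanks for the pointer.",
}

if __name__ == "__main__":
    print("body only:", classify(METADATA_SPAM, fields=("body",)))
    print("all fields:", classify(METADATA_SPAM))
    print("ordinary:", classify(ORDINARY))
```

A body-only pass scores the spam comment zero and lets it through; scoring the name and homepage fields as well pushes it over the threshold while the ordinary comment stays at zero. The per-field breakdown is returned so a moderator can see which field tripped the rule.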

The best term for this appears to be adversarial classification. Anti-spam
activities fall into this category, and it often means that classic text
classification algorithms aren’t suitable — after all, the Reuters-21578
dataset never tried to evade your classifier ;)

In a similar vein, this MS research paper is interesting:

Previous work on adversarial classification has made the unrealistic
assumption that the attacker has perfect knowledge of the classifier. …. We
present efficient algorithms for reverse engineering linear classifiers with
either continuous or Boolean features and demonstrate their effectiveness
using real data from the domain of spam filtering.

It’s akin to John Graham-Cumming’s work looking into how a spammer could get
past a bayesian filter “from the outside”, but with more techniques, and
examining MS’ MaxEnt algorithm, too. PDF here, well worth a read.

(By the way, I’m in the process of moving house, so if you send me an email, it
may take a while for me to reply. This situation is likely to prevail for the
next few weeks, for what it’s worth — fun.)

This post was written by Justin, source: Weblog Spam and Adversarial Classification