
[SC-Help] Re: Getting blacklisted

John E. Malmberg wb8tyw at qsl.network
Sat Jan 15 10:57:30 EST 2005


Iain wrote:
> But John, the phishing site is never hosted here or anywhere where a legal 
> agency can get to it, they're always out in the 'lawless East' and run often 
> by Russian mafia. There is no complicit ISP to hand, just your poor ISP who 
> delivers the mail. It's often not easy to even go to an upstream ISP either 
> because of the site's location.

You are still missing the point, and need to learn quite a bit more 
about how the spamming operations work.

The phish is not sent from the ISP hosting the site, because the phisher 
knows that most of the well-run ISPs are no longer accepting e-mail 
from that network, or in the rare cases where mail is still being 
accepted from that site, if they send a spam directly from the site, it 
will cause the same ISPs to block the e-mail from the site, which would 
force the server owner to take immediate action against them.

The phish is sent through a zombie computer, usually one that has 
been known to be a zombie computer for several days by the ISP that is 
providing connectivity to it.

[Back when spamcop.net made evidence available to the general public, 
this was very easy to verify]

And these ISPs are usually the residential ISPs, in your country and 
mine included.  And this is easy to verify by evidence posted on the 
public internet.

You will find that about 1/2 of the spam and phish are relayed from 
sources that it is quite easy to get a law enforcement officer to if you 
could sufficiently motivate one to do so.

Your government may not be able to do anything about the networks 
outside of your country, however if an ISP in your country leaves a 
zombie computer connected to the internet for more than one business 
day, they are demonstrating that they do not have the knowledge on how 
to deliver the service that they have sold to their customers, and they 
are committing fraud to both their stockholders and their customers.

By their inaction they are knowingly letting their networks be used for a 
crime, and in fact they are subsidizing the crime in lost profits, and 
in issuing refunds to the customers whose internet access is 
effectively shut down because of the bandwidth being stolen.  Seems 
stupid, doesn't it?  But they just issue a rate increase to cover the cost.

What needs to be done is to stop having pity on ISPs having problems 
that they have caused by their own incompetence, or letting them make 
phony excuses.

Start studying the proxypot project.  What that is is anti-spam 
operators that have set up what looks like open proxies, and then they 
record who tries to steal bandwidth from them.  Then they report the 
sources of them.  Usually you will find plenty of sources in your own 
country.  The proxypot project directly identifies the ISP that the 
criminals are using and paying.  When an ISP does nothing about their 
customer that is hitting a proxypot, then that ISP is ignoring criminal 
activity by their customer.

And guess what, anyone can operate a proxypot, including your government.

These reports show that the operators of the spam and phishing sites are
usually located in countries like yours and mine.

Again, what is being found in the U.S., the U.K. and other countries is 
that many of the broadband ISPs are well aware of the criminal activity 
of their customers, and have willfully decided to do nothing as long as 
they think that the customer's bill is eventually going to be paid.

That basically gets back to this:

A country's anti-spam laws must hold ISPs responsible for any criminal 
activity on their network that they should be aware of and did not stop 
in a reasonable amount of time from that point.

Anything less than that is almost toothless.  And the law must also be 
enforced.

And a very lenient technical standard for this is that all such activity 
should stop within one business day of a notice sent to either the 
abuse or postmaster e-mail address on their network.

Be aware that a competent network operator would be embarrassed if it 
took them more than 15 minutes to locate and shut off an abuser on their 
network.

It is also the only way to stop the phishers that are located in your 
country.

Once these scammers are caught, they are not usually located in the 
other countries, they are actually located in your country and mine, and 
that the ISP providing them primary connectivity to their home or 
business had received more than enough complaints to be aware that their 
customers were up to a criminal operation.

Even more curious, the scammers usually leave the ISP with an unpaid 
bill of over $2,000 U.S. and then declare bankruptcy.  I do not think my 
ISP would allow me to get that far in arrears, so how can these scammers 
get so far in arrears without the assistance of someone at the ISP?

It is just that currently no one is holding ISPs responsible for not 
stopping a crime that they know to be in progress, so they just collect 
the money.

If the law held the ISP responsible for stopping a criminal activity 
that it should know to be being committed, this would force the scammers 
into having to be physically located in those other countries, instead 
of being nice and comfortable in your country and mine.

Right now the laws give the scammers a safe haven in your country and 
mine as long as their hosting ISP is willing to look the other way.

About 1/3 of the drug spams that are getting through to me are showing 
up as being hosted by one specific U.S. ISP.

At least 1/4 of the Nigerian 419 scams that are getting to me are coming 
through two British ISPs that are allowing anonymous senders to forge 
headers through their web mailers.  This is a security misconfiguration 
that has existed on those web mailers for at least 4 months now.
Why have the ISPs not taken action to stop this?  Other ISPs have web 
mailers and they have no problem keeping these scammers away.

Readers in the U.S. should be aware that it is very easy for you to find 
a toll free phone number for your elected representative.  A phone call 
ties up a physical staff member, unlike e-mail and snail mail that is 
more easily responded to with a bed-bug letter.

Also the network addresses that ISPs are willing to host spam and phish 
sites on are usually listed in the sbl.spamhaus.org.  If ISPs would block 
all traffic from those sites, then it would make the phish sites 
invisible to their customers.

And it is highly likely that the only thing that the customers would 
notice is that most of the pictures in the spam would no longer show up.


> However, better use of blocking lists and sharing of 'spam signatures'
> between ISPs would help enormously as phishing is usually conducted on spam 
> lists and just blasted out in the hope of finding a few people that may 
> respond. In that respect good filtering would cut down the number of 
> messages delivered, but then we all know that effective control of spam 
> isn't that easy...which is why SpamCop exists and this group is here. By the 
> time people start receiving and complaining about the messages a few million 
> have been delivered :-(

Effective control of spam is actually easy.  It is clouded by too many 
people that do not understand the issue and are.  Once you sort out the 
stuff that does not work and start looking at the stuff that works, the 
issues become really clear and are not really very complex technically.

Spam signatures do not work, and neither does most content analysis, and 
the concentration on those methods is one of the things that is 
assisting the spammers.  It is also confusing the issue because they are 
what are advertised as being state of the art.  They are not.
Spam changes too fast for spam signatures to work, and only one content 
filtering method has shown to be effective, but it is only known to be 
implemented in SpamAssassin 3.0.

And content filtering more than triples the cost of operating a mail server.

From 80% to 95% of the spam sources are now in conservative blocking 
lists, and show up in them within seconds of a spam run.
These can be safely blocked at the mail server without risk of 
rejecting a real e-mail, and about 99% of all the mail servers in 
commercial use are able to do this.

Doing so also significantly lowers the cost of operating the mail server.

Almost all of the rest of the spam will have a significant defect in 
its headers or will be listed in an aggressive blocking list like 
spamcop.net, spews.org, or one of the multi-hop lists.  Of those, almost 
all of the ones that are really spam will have a URL that either 
does not resolve, or resolves to an I.P. address listed in the 
sbl-bl.spamhaus.org.  While that combined check will not catch 100% of 
the spam, it should pass any real e-mail that is coming through.

Steve Linford, an internationally recognized expert on spam control, is 
reporting that UXN.COM is reporting 100% success in using a procedure 
similar to that, and unlike many ISPs they are not directly blocking 
mail from DHCP addresses.

Currently only SpamAssassin 3.0 is known to be able to make that combined 
check.  And not all commercial mail servers can do this check before the 
SMTP transaction is over.

Even though this effective anti-spam algorithm has been well known on 
the internet for more than a year, and has proved itself to be 
effective, it does not appear to have been adopted by any of the 
commercial anti-spam products.

You will also find that network addresses that are willing to host the 
phish sites are usually already listed in the sbl-bl.spamhaus.org.


I see almost no complaints of problems with mail servers that primarily 
use DNS based blocking lists as an anti-spam measure, and they have 
excellent uptime.

For the mail servers that primarily use content filtering, or accept all 
e-mail and spam and then attempt to sort it out, I see lots of 
complaints from their users.  Usually a lot of spam gets through, and a 
lot of real mail is silently deleted, and there are usually a lot of 
complaints about the mail servers not working.

And to provide this poorer service, those mail server operators that 
the people are complaining about are typically spending much more 
operating cash than the well-run ones.  Even when the well-run mail 
server is a larger operation.


The fact is that an I.P. address that allows spam or viruses to be sent 
does not send any real mail, or does not for long.

That is because many ISPs, and some of them very large, will use local 
blocking lists to cut off an I.P. address at the first reported spam 
from it.  When a commercial ISP's main mail servers are hit by this, 
they usually react quickly to shut off the multihop relay.  However they 
do not care if their DHCP addresses are in the local block lists.

The fastest way to get spam under control is for ISPs to cut off all 
connectivity to other ISPs that permit spam to be hosted or sent.

Based on the past experiences of ISPs who have done that, the isolated 
ISP complains about how unfair it is for 24 hours, along with how 
impossible it is for them to do anything about their thousands of zombie 
computers for another 24 hours.  After 72 hours, all traces of spam are 
gone from the ISP, as it has figured out how to do the impossible, and 
the ISP finds that other networks will accept packets from it.

Now ISPs have shown over and over again when they are threatened with a 
block by a larger ISP that they can shut off thousands of zombie 
computers in a few hours or less.

Which means that an ISP should never have a problem with a law that 
requires them to remove known criminal activity on their networks within 
one business day of a report attempted to be mailed to their abuse or 
postmaster mail boxes.

Be aware that some ISPs have automated the procedure to run a security 
scan on the reported infected computer as soon as a report hits their 
mail box.  They find that isolates the zombie faster, and that both 
saves them operating cash and prevents outages to their other paying 
customers.

Have you ever watched the U.S. TV show "Green Acres"?  The ISPs that 
cannot remove reported criminal activity from their network in less 
than a business day are operating like the Hooterville phone company as 
compared to what should be the normal operation of a phone company.

Would your country's citizens put up with a phone company that operated 
the way the one does on "Green Acres"?  Then why allow the suppliers of 
what is becoming a critical electronic infrastructure to do so?

-John
wb8tyw at qsl.network
Personal Opinion Only
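The two-stage check the post describes (conservative DNSBL on the connecting IP at SMTP time, then the header-defect/aggressive-list plus URL-resolution check), as an added example that is not code from the post or from SpamAssassin. The SBL zone name is the one the post cites; the conservative and aggressive zone names, the header-defect rule, and the in-memory DNS table are assumptions constructed for the demo.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None if it does not resolve

SBL_ZONE = "sbl-bl.spamhaus.org"                   # named in the post
CONSERVATIVE_ZONE = "conservative-dnsbl.example"   # placeholder for a conservative list
AGGRESSIVE_ZONE = "aggressive-dnsbl.example"       # placeholder for an aggressive list
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A DNSBL answers a listed IP with an A record in 127.0.0.0/8; no answer means not listed."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def header_defect(headers: Dict[str, str]) -> bool:
    """Assumed minimal defect rule: no Message-ID or no Date header."""
    return not headers.get("Message-ID") or not headers.get("Date")

def classify(source_ip: str, headers: Dict[str, str], body: str, resolve: Resolver) -> str:
    # Stage 1: connecting IP on the conservative list -> reject inside the SMTP transaction.
    if listed(source_ip, CONSERVATIVE_ZONE, resolve):
        return "reject-smtp"
    # Stage 2: only suspicious mail (header defect or aggressive listing) gets the URL test,
    # so a clean message carrying an odd URL is still delivered.
    if not (header_defect(headers) or listed(source_ip, AGGRESSIVE_ZONE, resolve)):
        return "accept"
    for host in URL_HOST_RE.findall(body):
        addr = resolve(host)
        if addr is None or listed(addr, SBL_ZONE, resolve):
            return "reject-url"      # URL does not resolve, or resolves into SBL-listed space
    return "accept"

def socket_resolver(name: str) -> Optional[str]:
    """Live resolver for real use; the demo below uses the constructed table instead."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed stand-in for DNS, using documentation address ranges only.
FAKE_DNS = {
    "10.2.0.192." + CONSERVATIVE_ZONE: "127.0.0.2",  # 192.0.2.10 on the conservative list
    "20.2.0.192." + AGGRESSIVE_ZONE: "127.0.0.2",    # 192.0.2.20 on the aggressive list only
    "shop.example": "203.0.113.5",
    "5.113.0.203." + SBL_ZONE: "127.0.0.2",          # shop.example lives in SBL-listed space
    "mail.example.org": "198.51.100.7",
}

def table_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```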

