From pb at techno.org Wed Sep 3 19:45:43 1997
From: pb at techno.org (Patrik Backstrom)
Date: Wed, 3 Sep 1997 19:45:43 +0200 (MET DST)
Subject: No subject
Message-ID:

subscribe

From owl at owlsnest.com Fri Sep 5 00:52:45 1997
From: owl at owlsnest.com (owl at owlsnest.com)
Date: Thu, 4 Sep 1997 18:52:45 -0400 (EDT)
Subject: Is Your Web Site A Secret?
Message-ID: <199709042252.SAA25515@owlsnest.com>

Is your web site the best kept secret on the Internet?

We'll promote it to 50 search engines and indexes for $85 and complete the job in 2 business days. Satisfaction is guaranteed!

If you have a great product, but are not getting many inquiries from your Web site, you may not be adequately listed on the Web's search engines and indexes. Millions of viewers daily use these facilities to find the products and services they are looking for. But if your site is not listed, no one will see it.

Listings on most of these services are free. However, locating and filling out the forms required to get a listing can take several days, and most people just don't have the time to do it. That is why we offer a web site promotion service.

WHAT'S THE DEAL?

We will submit your site to 50 indexes and search engines for $85. We will accept the return of this E-mail, with the form below filled out, as an order. We will bill you upon completion of the promotion. Our terms are net 15 days from date of invoice. Satisfaction guaranteed!

HOW LONG WILL IT TAKE?

Generally, we complete the submissions within 48 hours of receiving your order. It can take any individual search engine or index up to three weeks to process your submission, although most are much faster.

WHAT SEARCH ENGINES AND INDEXES ARE INCLUDED IN THE PROMOTION?

The list changes from time to time.
This is our current list:

Abaweb!, Alta Vista, Been There, BizWeb, Central Source Yellow Pages, Enterpreneurs on the Web, Excite, Four11, Galaxy, I-Network I-Systems Spiral Business Directory, I-World Web Pointer, Infoseek, Inktomi, Innovator's Network Yellow Pages, Internet Mall, Jayde Online Directory, Jumpcity, Jumper Hot Links, Linkmaster, Lycos, Magellan, Mega Mall, Net-Happenings, Net Navigator, Net Mall, NTG's List, NYNEX Big Yellow, One World Plaza, OnLine's WWWeb Index, Rex, Starting Point, Truenorth, URL Tree, Virtual Lynx, Web Point, WebCentral, Web Venture Hotlist, Webcrawler, Websurf, Win Mag/NetGuide Hotspots, WhatUSeek, Worldwide Announce Archive, WWW Business Yellow Pages, World Wide Yellow Pages, WWW Worm, YelloWWWeb.

HOW WILL I KNOW THAT YOU HAVE PROMOTED MY SITE?

When we have completed the promotion, we will send you an HTML file as an attachment to your E-mail bill. Save this file to your disk, and view it through your Web browser. It provides links to the search engine we submitted your site to, plus any comments we received from them when we did it.

ARE THERE ANY GUARANTEES?

We do not require prepayment. Your satisfaction is guaranteed or you don't pay the bill.

WHO IS OWL'S EYE PRODUCTIONS?

We are a web site promotion company located at:

Owl's Eye Productions, Inc.
260 E. Main Street
Brewster, NY 10509
Phone: (914) 278-4933
Fax: (914) 278-4507
Email: owl at owlsnest.com

HOW DO I ORDER?

The easiest way to order is by e-mail. Just hit the REPLY button on your e-mail program and fill out the following information.
(This information will be posted to the search engines/indexes):

Your name:
Company Name:
Address:
City:
State/Prov:
Zip/Postal Code:
Telephone:
Fax:
Email address:
URL: http://
Site Title:
Description (about 25 words):
Key words (maximum of 25, in descending order of importance):
Proofs (Where shall we e-mail proofs):

If billing a different address, please complete the following:

Addressee:
Company Name:
Address:
City:
State/Prov:
Zip/Postal Code:
Telephone:
Fax:
Email address:

We will bill via Email. (7519)

Terms: By returning this document via Email, you agree as follows: You have the authority to purchase this service on behalf of your company. Terms are net 15 days. Accounts sent to collections will be liable for collection costs. You agree to protect and indemnify Owl's Eye Productions, Inc. in any claim for libel, copyright violations, plagiarism, or privacy and other suits or claims based on the content or subject matter of your site.

WHAT HAPPENS NEXT?

When we receive your order, we will input the information into our system, and send you a proof. After we process any corrections, we will run your promotion, capturing any comments from search engines as we go. We will incorporate these into an HTML-formatted report to you, which we will attach to your bill.

===Web Promotions=====Press Releases=====Link Exchanges=========
Owl's Eye Productions, Inc.
260 E. Main Street
Brewster, NY 10509
Ph: 914-278-4933
Fx: 914-278-4507
E-mail: owlseye at owlsnest.com

From wes at azlan.net Mon Sep 8 13:32:21 1997
From: wes at azlan.net (Mads Westermann)
Date: Mon, 08 Sep 1997 13:32:21 +0200
Subject: Is Your Web Site A Secret?
In-Reply-To: <199709042252.SAA25515@owlsnest.com>
Message-ID: <3.0.1.32.19970908133221.008af310@popint.Azlan.net>

At 18:52 04-09-97 -0400, owl at owlsnest.com wrote:
> Is your web site the best kept secret on the Internet?
>

May I humbly suggest that the appropriate person take whatever legal action that required against this organisation.
Not only have they been harassing individuals with their unsolicited commercial E-mail, based on addresses obtained from Internic and RIPE databases - now they are even using our own infrastructure to colport their crap.

I'm usually not a "hang 'em!" type of person - but this time I've had enough.

Rgds.
--
Mads Westermann        | Produktionsvej 8    |
Internet Manager       | DK-2600 Glostrup    | Put brain into gear
Azlan Scandinavia      | Tel. +45 4492-9600  | before engaging
e-mail: wes at azlan.net | Fax. +45 4492-6393  | mouth!

From neil at COLT.NET Mon Sep 8 13:00:38 1997
From: neil at COLT.NET (Neil J. McRae)
Date: Mon, 08 Sep 1997 12:00:38 +0100
Subject: Is Your Web Site A Secret?
In-Reply-To: Your message of "Thu, 04 Sep 1997 18:52:45 EDT." <199709042252.SAA25515@owlsnest.com>
Message-ID: <199709081100.MAA00636@NetBSD.noc.COLT.NET>

On Thu, 4 Sep 1997 18:52:45 -0400 (EDT) owl at owlsnest.com wrote:
> Is your web site the best kept secret on the Internet?

Can someone fix this list so that only members can post to it? I can't believe that someone spammed every ISP in Europe :-) Talk about instant filter lists :-) [and a UUnet customer! [gee what a surprise!]]

Cheers,
Neil.
--
Neil J. McRae - Alive and Kicking.    C O L T  I N T E R N E T
neil at COLT.NET    Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer!

From edd at computer.org Mon Sep 8 13:57:04 1997
From: edd at computer.org (Edgar Danielyan)
Date: Mon, 8 Sep 1997 15:57:04 +0400 (GMT)
Subject: Is Your Web Site A Secret?
In-Reply-To: <3.0.1.32.19970908133221.008af310@popint.Azlan.net> from "Mads Westermann" at Sep 8, 97 01:32:21 pm
Message-ID: <199709081157.PAA23192@aic.net>

I completely agree with your viewpoint but the problem is that it will be difficult to take a legal action against this organization and win. I think RIPE's legal counselor may inform us about the possibility of such an action?

Thank you,
Edgar

> May I humbly suggest that the appropriate person take whatever legal action
> that required against this organisation.
>

From rol at oleane.net Mon Sep 8 14:05:25 1997
From: rol at oleane.net (Paul Rolland)
Date: Mon, 8 Sep 1997 14:05:25 +0200 (MET DST)
Subject: Is Your Web Site A Secret?
In-Reply-To: <199709081157.PAA23192@aic.net> from Edgar Danielyan at "Sep 8, 97 03:57:04 pm"
Message-ID: <199709081205.OAA25779@riri.oleane.net>

Well,

Let's consider that this domain (owlsnest.com) has got the first prize : a No talk access to the SMTP port of my machine !

Paul

In his/her message, Edgar Danielyan wrote :
>
> I completely agree with your viewpoint but the problem is that it will be
> difficult to take a legal action against this organization and win.
> I think RIPE's legal counselor may inform us about the possibility of such
> an action?
>
>
> Thank you,
> Edgar
>
>
> > May I humbly suggest that the appropriate person take whatever legal action
> > that required against this organisation.
> >
>

Paul Rolland, rol at oleane.net
OLEANE SA/Technical Service/Deputy Technical Manager

--
Oleane technical and operational support : support at oleane.net
Mail test : ping at oleane.net

Please no MIME, I don't read it
Please no HTML, I'm not a navigator

"I hope some day you'll join us, and the world would be as one" - J. Lennon

From g.peritore at panservice.it Mon Sep 8 14:24:22 1997
From: g.peritore at panservice.it (Giuliano C. Peritore)
Date: Mon, 08 Sep 1997 14:24:22 +0200
Subject: Is Your Web Site A Secret?
In-Reply-To: <3.0.1.32.19970908133221.008af310@popint.Azlan.net>
References: <199709042252.SAA25515@owlsnest.com>
Message-ID: <3.0.3.32.19970908142422.00a32810@panservice.it>

>Not only have they been harassing individuals with their unsolicited
>commercial E-mail, based on addresses obtained from Internic and RIPE
>databases - now they are even using our own infrastructure to colport
>their crap.

I suggest that RIPE should call the Internic and ask them to discontinue that domain.

--
Dott. Giuliano C. Peritore            Panservice InterNetWorking
E-Mail: g.peritore at panservice.it   Centro Comm. Latinafiori
Phone: +39/773/410020                 Torre 8 - Sc. B - Int. 4
                                      Via Pier Luigi Nervi snc
WWW: http://www.panservice.it         I-04100 Latina - Italy

From mnorris at hea.ie Mon Sep 8 14:26:42 1997
From: mnorris at hea.ie (Mike Norris)
Date: Mon, 08 Sep 97 13:26:42 +0100
Subject: Is Your Web Site A Secret?
In-Reply-To: Your message of "Mon, 08 Sep 97 15:57:04 +0400." <199709081157.PAA23192@aic.net>
Message-ID: <199709081226.NAA07972@dalkey.hea.ie>

>I completely agree with your viewpoint but the problem is that it will be
>difficult to take a legal action against this organization and win.
>I think RIPE's legal counselor may inform us about the possibility of such
>an action?
>
>> May I humbly suggest that the appropriate person take whatever legal action
>> that required against this organisation.

You're probably right about the difficulty of legal action. How about using peer pressure among ISPs, though? Suppose there was a URL where, each week/month, a list of the top 20 abusers of the Internet, giving the ISP they came from, were published? Maybe this is already being done?

Some advantages of this approach:

1. Peer pressure can be effective cf CIDR deployment.
2. It encourages (ante-factum) deterrence as distinct from (post-factum) retribution.
3. It offers a means of measuring the amount of idiocy on the Internet, as against the amount of information.
   It is suspected that the rate of growth of the former exceeds that of the latter.
4. It doesn't (explicitly) involve lawyers and legal costs.

Mike Norris

From bredo at ripe.net Mon Sep 8 14:35:02 1997
From: bredo at ripe.net (Jon B Oeveraas)
Date: Mon, 08 Sep 1997 14:35:02 +0200
Subject: Is Your Web Site A Secret?
Message-ID: <9709081235.AA26426@ncc.ripe.net>

I've asked UUnet about who is using this address. I'll talk to the end-user and/or the people responsible for this domain as soon as I get UUnet's reply.

Bredo Oeveraas
RIPE NCC

From Daniel.Karrenberg at ripe.net Mon Sep 8 14:50:38 1997
From: Daniel.Karrenberg at ripe.net (Daniel Karrenberg)
Date: Mon, 08 Sep 1997 14:50:38 +0200
Subject: Is Your Web Site A Secret?
In-Reply-To: Your message of Mon, 08 Sep 1997 13:26:42 BST. <199709081226.NAA07972@dalkey.hea.ie>
References: <199709081226.NAA07972@dalkey.hea.ie>
Message-ID: <9709081250.AA27073@ncc.ripe.net>

From "RIPE NCC Activities & Expenditure 1998" to be published later this afternoon:

    C2.1 Mailing List Management

    Goal:
    The mailing lists maintained by the RIPE NCC have a history of constructive and concise discussions on issues of import to the RIPE community. Mailing list maintainers are facing new challenges ranging from unsolicited messages (spam) to increased size and usage of lists. This activity is intended to maintain the quality of the mailing lists in the face of increased usage and new challenges. This serves to facilitate discussion and consensus forming in the RIPE community.

    Description:
    The RIPE NCC will maintain high quality mailing lists for exchanging information among members of the RIPE community. Effort will be spent to prevent spam (unsolicited advertising) on the lists, to improve the quality of the address lists in order to minimize bounces, and to support subscribers with problems. The processing of mailing list traffic will be constantly monitored.
    ____________________________________________________
    ripe-162.txt Page 30

From Mirjam.Kuehne at ripe.net Wed Sep 17 15:03:47 1997
From: Mirjam.Kuehne at ripe.net (Mirjam Kuehne)
Date: Wed, 17 Sep 1997 15:03:47 +0200
Subject: discussions will be continued on lir-wg list
Message-ID: <9709171303.AA01342@ncc.ripe.net>

Dear local IR's,

The list was meant to be used for announcements and information relevant for contributing local registries. Local registries are automatically subscribed to this list when they become a registry and they cannot unsubscribe. Therefore we try to keep the traffic on this list very low.

We have decided to move the discussions currently going on on to the working group list . If you are interested in following these discussions you can subscribe to the working group list by using majordomo.

If you have further questions, please do not hesitate to contact .

Kind Regards,

Mirjam Kuehne
Manager Registration Services
RIPE NCC

From lms at esoterica.pt Tue Sep 16 19:38:33 1997
From: lms at esoterica.pt (Luis Miguel Sequeira)
Date: Tue, 16 Sep 1997 17:38:33 -0000 (GMT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <34192B43.13F2@internext.fr>
Message-ID:

Hello,

I normally just lurk around this mailing list, but I think I'll contribute my two cents this time...

Spamming is a serious problem. Here at Esoterica where I am, unsolicited email was about one half of total email traffic - which is quite a lot. Thus, our postmaster has dedicated all his available time to implement anti-spamming measures.

What he found out is this:

Firstly, far from being "mindless robots", the companies in the spamming business are cold-hearted professionals. They have teams of professional programmers spending all their time just to develop new and more effective ways of illegally sending out unsolicited email - using several clever relaying mechanisms. They work full-time on the job.
They are a strong force which will easily overthrow any basic measures taken against spamming - like simply filtering up domains, or blocking traffic from relaying machines.

Secondly, they are vindictive and protect their own jobs. This means that if an ISP tries to aggressively implement anti-spamming mechanisms, they will fight back! And how they do this? For instance, they send out forged emails with these ISP's addresses. What happens? Entities receiving the forged emails will complain to the ISP in question. The ISP replies telling that the emails are forged, trying to make them understand that this is the "spammer's revenge". Most of these entities either don't care or don't believe, so they just shut the ISP off their firewall (especially if on the next day they get a new lot of unsolicited email apparently coming from the same forged addresses...). This forces the ISP to open up themselves to spamming from this particular company, hoping that they won't forge spamming attempts in the future...

As you see, they're quite clever. Their businesses and jobs depend on their cleverness.

How can ISP's successfully "fight back"? First, and foremost, they need to assume that the "threat" is serious. Secondly, allocate resources to the job - this means a *lot* of time. But thirdly, and I think that's the major issue here, by sticking together. While a single postmaster probably won't be able to do much work single-handedly, having a group to coordinate the work is helpful. Some free time taken from a group of postmasters adds quickly up to a "task force" of some magnitude...

Basically, what our postmaster found out is that denying access is not a good measure - spamming companies will try every trick of the trade to get through or else they will try to hurt the blocking ISP in some way.
UUNet, for instance, has publicly announced their "zero tolerance" towards spammers - it's no wonder that perhaps half of the spammers use now forged emails (and dial-up accounts) coming from UUNet to spam the net. Their hope is getting enough ISPs blocking UUNet's traffic so that UUNet is "forced" to "open" their machines to spamming again... (in our case, as a transit customer of UUNet I obviously can't block traffic through them :-) )

Better is just to difficult their action. Remember that their jobs depend on getting as many messages through as possible (using third-party relayers). If a sendmail configuration just lets a few messages through, or selectively blocks some domain for a while, this means that this machine will only deliver a few messages - when spammers rely on tens of thousands to be delivered. This is uninteresting to them. They will thus use other machines as relays. Of course, this also means that your own users will see a delay on the sending of their own, legitimate messages. It's a tradeoff.

By using a combination of these tricks one can try to keep the spammers away for a while - until they develop a new creative method for spamming again. We have seen all sorts of very clever and ingenious methods to get through. Who knows what else they will invent next?

By keeping a mailing list with several postmasters' contacts it's possible not only to exchange domains from where the spammers usually attack, but anti-spamming techniques and tricks. There are some steps being taken at a national base here in Portugal (from where I'm writing :-) ) but, as shown by the traffic generated on this list on this topic of spamming, I'm going to make the suggestion again, at this level...

Do you think that there is some interest in maintaining a mailing list for all postmasters from the LRs for the sole purpose of discussing anti-spam techniques and listing spamming domains and relay machines?

Would RIPE be interested in "sponsoring" this mailing list?

BTW, searching through the RIPE's Web site, the only mention to spam is on RIPE-162, chapter C2.1. This basically states the commitment of RIPE to maintain the mailing lists spam-free. I wonder if there is already a "task force" in place for anti-spamming measures. We're aware of some efforts on an international basis - mostly some Web sites with interesting information and data on anti-spamming measures, with associated mailing lists - but to my personal knowledge, there is no such coordinated effort at RIPE (so far :-) ).

There is also an issue of local laws. Filtering out spam *could* be illegal on some countries (it violates freedom of speech). In Portugal, spamming is actually illegal - it's "unsolicited email", and this is an abuse of a third party's infrastructure, ie. using computational (and telecommunications) resources that you aren't allowed to. This makes it a crime according to Portuguese law. There is a case of mail bombing (a particular kind of spamming...) brought to court - it will take ages to be ruled and probably the offender will get away with some community work :) but it will be judged in court. Of course, on other countries, freedom of speech may be more important than using others' telecommunications resources. I wonder if local laws will actually work *against* a RIPE-based global effort across Europe.

On 12-Sep-97 "Scott A. Marlin" wrote:
>Which basically means that any customer is free to spam. The ISP is
>there to take the rap and clean up afterward. I think for such matters,
>the "spammer" should be held responsible ... like being charged a flat
>or hourly rate for the cleanup job.

This is the case around here. Of course, catching the spammer and actually condemning him/her in court in order to charge him/her that rate is another story, especially if we're talking about an international incident.

Better to prevent him/her to spam on the first place.

>Incidentally, in the cited case, I sent a mail to an address mentioned in
>the ad asking them to stop sending the ads. What I got back was another
>mail from another source (obviously from a blind mail-robot) with *lots*
>of info about their services.
>
>At the bottom of the e-mail was an URL address for those who wished to
>stop the ads from being sent. Waaaay down at the bottom of this web site
>plugged full of promotional information was the opportunity to
>"register" my name in the database of those who didn't want to receive
>any more spam (the name of the link was a baby crying "mommy ... they
>thpammed me again".) Really !

One of the major issues about spamming customers is knowing how many people were actually reached by a spamming effort. Spamming companies have found out that these two tricks - "send email here to be deleted from our database" and "click here to remove yourself from our database online" - are the best to know if you're reaching people. Also, many postmasters will contact the spamming company in order to complain. Based on all this feedback, spamming companies can determine a "success rate" for their spamming efforts. This keeps their own customers happy...

A better way to deal with this is simply ignore the message, and make sure that all your users ignore the spam, too. In the long end, this means a lower "success rate" for a particular domain/spamming technique, so the spamming companies will probably try somewhere else.

>The entire operation took about 30 minutes. I haven't heard from them
>since. But I have received at least 10 unsolicited e-mails since then.

My bet is, they will try again and again and again. The problem is, each time your address is found on a Usenet post, on a subscription web site or on a mailing list, there is a high probability of someone "selling" your email address to a spamming company. For instance, I'm receiving spam to addresses that have been disconnected 2 and 3 years ago...
DejaNews and other public sites with lots and lots of addresses are a perfect place to get all those addresses for the spamming lists...

        - Luis Sequeira

 ____
     \     Esoterica - Novas Tecnologias de Informacao, SA
  :-)      Luis Miguel Sequeira
 /___,     lms at esoterica.pt http://www.esoterica.pt/

From quaynor at ghana.com Wed Sep 17 22:44:57 1997
From: quaynor at ghana.com (Dr. Nii Narku Quaynor)
Date: Wed, 17 Sep 1997 13:44:57 -0700
Subject: Spammers hapless fate = ISP toil and sweat
References:
Message-ID: <34204149.4C0B@ghana.com>

The Internet needs unforgeable addresses, IP and "caller ID" equivalent.

Nii

Luis Miguel Sequeira wrote:
>
> Hello,
>
> I normally just lurk around this mailing list, but I think I'll
> contribute my two cents this time...
>
> Spamming is a serious problem. Here at Esoterica where I am,
> unsolicited email was about one half of total email traffic -
> which is quite a lot. Thus, our postmaster has dedicated
> all his available time to implement anti-spamming measures.
>
> What he found out is this:
>
> Firstly, far from being "mindless robots", the companies in the
> spamming business are cold-hearted professionals. They have teams
> of professional programmers spending all their time just to develop
> new and more effective ways of illegally sending out unsolicited email -
> using several clever relaying mechanisms. They work full-time on the
> job. They are a strong force which will easily overthrow any basic
> measures taken against spamming - like simply filtering up domains,
> or blocking traffic from relaying machines.
>
> Secondly, they are vindictive and protect their own jobs. This means that
> if an ISP tries to aggressively implement anti-spamming mechanisms,
> they will fight back! And how they do this? For instance, they send out
> forged emails with these ISP's addresses. What happens? Entities receiving
> the forged emails will complain to the ISP in question.
>
>         - Luis Sequeira
>
>  ____
>      \     Esoterica - Novas Tecnologias de Informacao, SA
>   :-)      Luis Miguel Sequeira
>  /___,     lms at esoterica.pt http://www.esoterica.pt/

From pontus.ekman at pi.se Wed Sep 17 16:05:40 1997
From: pontus.ekman at pi.se (Pontus Ekman)
Date: Wed, 17 Sep 1997 16:05:40 +0200
Subject: Spammers hapless fate = ISP toil and sweat
Message-ID: <3.0.32.19970917160540.00f73d5c@mail.pi.se>

At 17:38 1997-09-16 -0000, you wrote:
>Hello,
>
>I normally just lurk around this mailing list, but I think I'll
>contribute my two cents this time...
>
>Spamming is a serious problem. Here at Esoterica where I am,
>unsolicited email was about one half of total email traffic -

Luis,

I would say your essay was more than two cents worth: More like two (sizeable) golden nuggets.

I move that RIPE takes the suggested task force under consideration. The major problem may be to keep any analysis and proposed countermeasures out of the adversaries' hands.

Pontus Ekman

>
--------------------------------------------------------------------------
Pontus Ekman                tfn 08-783 20 40
pi.se AB                    e-mail Pontus.Ekman at pi.se
BOX 24 116                  fax 08-783 20 46
Karlavägen 104 pl 7         http://www.pi.se
104 51 STOCKHOLM
Sweden
--------------------------------------------------------------------------

From phk at critter.freebsd.dk Wed Sep 17 16:01:45 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Wed, 17 Sep 1997 16:01:45 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Tue, 16 Sep 1997 17:38:33 -0000."
Message-ID: <1212.874504905@critter.freebsd.dk>

In message , Luis Miguel Sequeira writes:
>Hello,
>
>I normally just lurk around this mailing list, but I think I'll
>contribute my two cents this time...
>
>Spamming is a serious problem. [...]

Thanks to Luis!

I totally agree, we need to handle these assholes seriously.

Yes, I believe this is a place where RIPE could be used as a forum.
It's clear that the non-USA part of the world will have to deal with this in a different way than USA, firstly because we're not so afraid of the "censor" word, but mostly because we have no chance of legally assaulting these people. A mere passive role in other words.

My personal filtering technique is to accept the email and never deliver it. Interestingly enough, some of the spammers have one "control" address on each email they send, typically the last, so one will see an email being sent to 50 AOL users and the 51st address goes somewhere else. If this last address doesn't receive the email in some timewindow, it will be sent again. I have yet to think of the right way to exploit this fact.

(Should any of you want study material, I can provide you with about three months of non-delivered emails.)

The other thing we could try is more political:

Have RIPE send a formal letter to AGIS and the IEMMC who houses most of these creep, and tell them that either they will cease to send spam to the following list of top level domains: {be, dk, ...} effectively today or the RIPE will orchestrate a pan-european filtering of all AGIS and IEMMC member networks until such filtering is in place. It should be pretty simple to simply filter all routes based on AGIS AS#(s), and maybe inject a bogus route for the IEMMC members networks.

This is somewhat close to shooting while wearing a black hat.. but they disregard common courtesy, so maybe we need to do so as well to teach them a lesson.

--
Poul-Henning Kamp FreeBSD coreteam member
phk at FreeBSD.ORG "Real hackers run -current on their laptop."

From nh at iol.ie Wed Sep 17 17:53:52 1997
From: nh at iol.ie (Nick Hilliard)
Date: Wed, 17 Sep 1997 16:53:52 +0100 (IST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <34204149.4C0B@ghana.com> from "Dr.
 Nii Narku Quaynor" at Sep 17, 97 01:44:57 pm
Message-ID: <199709171553.QAA24564@beckett.earlsfort.iol.ie>

> The Internet needs unforgeable addresses, IP and "caller ID" equivalent.

This is a good point, but unfortunately, we're still stuck with ipv4, which is completely forgeable. If you've got even one rogue BGP site, they can inject anything they feel like into the internet routing tables and do all sorts of horrible things.

I'm almost surprised that spammers haven't cottoned on to this yet -- they could inject some temporary routes into the internet, use hosts on these address ranges to bounce their spam off a 3rd-party relay site and then withdraw the announcements. This would be almost totally untraceable and would circumvent routing black holes completely -- for those who are using routing black holes to try to control spamming.

DNS for these addresses could be set up with an extremely short TTL, if necessary.

Nick

From eri at swip.net Wed Sep 17 17:58:46 1997
From: eri at swip.net (Jorgen Ericsson)
Date: Wed, 17 Sep 1997 17:58:46 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <1212.874504905@critter.freebsd.dk>
References: Your message of "Tue, 16 Sep 1997 17:38:33 -0000."
Message-ID: <199709171559.RAA27727@nix.swip.net>

On 17 Sep 97 at 16:01, Poul-Henning Kamp wrote:

- snip -

>a pan-european filtering of all AGIS and IEMMC member networks
>until such filtering is in place. It should be pretty simple to
>simply filter all routes based on AGIS AS#(s), and maybe inject
>a bogus route for the IEMMC members networks.
>

I wouldn't recommend that. They will receive our routing and then their ip-packets will still get here - and we will all experience something very nasty.... It's pretty close to SYN-flooding.

What should be done is to have our transit operators stop announcing our networks to AGIS/IEMMC. Then they will not get their packets over the atlantic and we wouldn't have to bother.
But they will probably set other american hosts as relays and go from there...

/Jorgen

From phk at critter.freebsd.dk Wed Sep 17 18:12:17 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Wed, 17 Sep 1997 18:12:17 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Wed, 17 Sep 1997 17:58:46 +0200." <199709171559.RAA27727@nix.swip.net>
Message-ID: <220.874512737@critter.freebsd.dk>

In message <199709171559.RAA27727 at nix.swip.net>, "Jorgen Ericsson" writes:
>On 17 Sep 97 at 16:01, Poul-Henning Kamp wrote:
>
>- snip -
>
> >a pan-european filtering of all AGIS and IEMMC member networks
> >until such filtering is in place. It should be pretty simple to
> >simply filter all routes based on AGIS AS#(s), and maybe inject
> >a bogus route for the IEMMC members networks.
> >
>
>I wouldn't recommend that. They will receive our routing and then their
>ip-packets will still get here - and we will all experience something very
>nasty.... It's pretty close to SYN-flooding.

No worries:

1. AGIS will act swiftly to get this fixed, they also have serious customers. It would make a very bad dent in their reputation to be locked out of a continent.

2. Your host will receive "host unreachable" and not keep the TCP session block around.

>What should be done is to have our transit operators stop announcing
>our networks to AGIS/IEMMC. Then they will not get their packets over
>the atlantic and we wouldn't have to bother.

That is far more complex and probably downright impossible to orchestrate.

>But they will probably set other american hosts as relays and go from
>there...

Well, then somebody else in America will take action, because we'll just move over and block them next if they don't act.
Remember, making their IP numbers useless is the hardest way we can hit them, get new IP# are not easy (the fact that you're on this mail-list means that you know that :-)

For this to work, we need to get europe to work as a block, if the bigger party blocks the smaller, the smaller has a problem. If the smaller party blocks the bigger, nobody cares.

--
Poul-Henning Kamp FreeBSD coreteam member
phk at FreeBSD.ORG "Real hackers run -current on their laptop."

From lms at esoterica.pt Wed Sep 17 19:39:15 1997
From: lms at esoterica.pt (Luis Miguel Sequeira)
Date: Wed, 17 Sep 1997 17:39:15 -0000 (GMT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <3.0.32.19970917160540.00f73d5c@mail.pi.se>
Message-ID:

Hello again,

On 17-Sep-97 Pontus Ekman wrote:
> I move RIPE that takes the suggested task force under consideration. The
> major problem may be to keep any analysis and proposed countermeasures out
> of the adversaries' hands.

I believe that this is exactly the same theory behind having the CERT or not. Security alerts are issued for interested parties because it's better to know where the security risks *are* and plug them than stop disseminating security loopholes because potential hackers may use exactly the CERT alerts to hack other machines...

Tools like SATAN and others exist to detect security flaws on your own machines and to help you out eliminating those security risks. Of course hackers will happily use SATAN and related tools to attack other people's machines. It's a compromise between sharing your know how and letting the potential hackers know what you know.

I believe that the same applies to anti-spamming techniques.
- Luis

 ____
 \ Esoterica - Novas Tecnologias de Informacao, SA
:-) Luis Miguel Sequeira
 /___, lms at esoterica.pt http://www.esoterica.pt/

From mvalente at esoterica.pt Wed Sep 17 18:16:12 1997
From: mvalente at esoterica.pt (Mario Valente)
Date: Wed, 17 Sep 1997 17:16:12 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <1212.874504905@critter.freebsd.dk>
References:
Message-ID: <3.0.3.32.19970917171612.006cd2c8@mail.esoterica.pt>

>>Spamming is a serious problem. [...]
>
>Thanks to Luis! I totally agree, we need to handle these
>assholes seriously.
>
>My personal filtering technique is to accept the email and never
>deliver it. Interestingly enough, some of the spammers have one

As postmaster for Esoterica together with Paulo Laureano (who's on holiday) I and Paulo have been responsible for dealing with the spammers.

There are two distinct problems: one is your local users being hit by spam. I don't mean one or two or ten. I mean when someone gets a hold of your list of users (/etc/passwd or mailing lists or scanning Usenet) or (like we had in the past) have someone create a program to generate all the permutations of 8 letters and try to deliver mail to permutationN at esoterica.pt.

The other problem is your email server being used as a relay for spamming. Someone delivers mail on your server saying it is destined for somewhere else. Not only do you spend computation and bandwidth resources, but you also appear to be the origin of the spam, and thus get bothered a lot by other sysadms.

This last problem was quite simple to solve, since there are patches and configurations for sendmail to do relay for only a list of machines.

The second problem we dealt with by detecting which spams were being sent and blocking email coming from such domains or addresses. The problem with this approach is that there's still a connection being made; there's still a process launched on your machine.
The next solution was to block packets coming from those addresses to port 25 of any machine on our network. This, together with the no-relay change, worked wonders.

Our spammer friends didn't like this at all. They started sending out spam through other mail servers with fake From addresses ending in @esoterica.pt; we've had no end of complaints from people thinking we were the origin of spam and had to do no end of explanation.

Our current solution is quite devious :-) We receive mail from anywhere!....Yes...But we have a daemon running that checks the incoming mail queue for certain patterns of use, domains, volume of messages, etc. If a spam is detected, the daemon at once, using Linux's ipfwadm (firewall/packet blocking tools), blocks reception of packets from the address/domain originating the spam for about 15 minutes. After that the reception is restored.

This means that normal mail comes in; even very frequented mailing lists are no problem; but a repeated message, from the same address with the same size puts up a red sign; some of the messages are received; but then reception is blocked and for 15 minutes no more messages can be delivered; for the spammers it looks like a network congestion or lack of connectivity, so they give us no problems; 15 minutes later, reception is reestablished, for normal reception of email (even from the previous offending domain) or for another 15 minutes of blocking.

This has worked wonders. We still receive unsolicited email, but no more heavy duty spams.

C U!
-- Mario Valente

From lms at esoterica.pt Wed Sep 17 20:04:47 1997
From: lms at esoterica.pt (Luis Miguel Sequeira)
Date: Wed, 17 Sep 1997 18:04:47 -0000 (GMT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <199709171553.QAA24564@beckett.earlsfort.iol.ie>
Message-ID:

On 17-Sep-97 Nick Hilliard wrote:
> I'm almost surprised that spammers haven't cottoned on to this yet -- they
> could inject some temporary routes into the internet, use hosts on these
> address ranges to bounce their spam off a 3rd-party relay site and then
> withdraw the announcements. This would be almost totally untraceable and
> would circumvent routing black holes completely -- for those who are using
> routing black holes to try to control spamming.
>
> DNS for these addresses could be set up with an extremely short TTL, if
> necessary.

Scary thoughts, Nick. :-(

The only thing they do so far is to register as many domain names with random characters at the InterNIC as possible, and spam from these domains (you can get a reply for those domains to test out how well your "spamming success rate" went). As you know, the InterNIC takes some time to setup a domain name, then some time more to bill you, and some weeks until they decide that the customer is not going to pay and unregister the domain. But in the meanwhile the spamming companies have a "window" of about one month to six weeks during which they have a "valid" temporary domain to spam and use as feedback. The best thing being that after a few weeks the domain name disappears anyway and you can't fight back/protest/whatever.

Your trick manipulating router tables at the backbone is too scary to contemplate.

I fail to understand from where these guys get Internet connectivity. It would violate almost any AUP I know of...
- Luis

 ____
 \ Esoterica - Novas Tecnologias de Informacao, SA
:-) Luis Miguel Sequeira
 /___, lms at esoterica.pt http://www.esoterica.pt/

From nh at iol.ie Wed Sep 17 19:29:43 1997
From: nh at iol.ie (Nick Hilliard)
Date: Wed, 17 Sep 1997 18:29:43 +0100 (IST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <220.874512737@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 17, 97 06:12:17 pm
Message-ID: <199709171729.SAA00329@beckett.earlsfort.iol.ie>

> Remember, making their IP numbers useless is the hardest way we can
> hit them, get new IP# are not easy (the fact that you're on this
> mail-list means that you know that :-)

This is a bit off topic, but I disagree. If you're as unscrupulous as these guys, getting new IP numbers is as easy as this:

: interface Ethernet0
:  ip address 219.1.1.1 255.255.0.0
:
: router bgp xxxx
:  network 219.1.0.0 netmask 255.255.0.0
:
: ip route 219.1.0.0 255.255.0.0 Null0 254

Hey presto: you've just got a /16 block which will probably get routed to most Internet sites. If the block doesn't get routed everywhere, it's not the end of the world. Hey, it's only spam -- 90% saturation is almost as good as 100%.

This is one reason why address-based inbound filtering of customer BGP announcements is critically important.

Mario, I like your solution, but does it scan individual email messages, or just mail logs? If it's the former, does it chew system resources?

Nick

From phk at critter.freebsd.dk Wed Sep 17 19:59:57 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Wed, 17 Sep 1997 19:59:57 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Wed, 17 Sep 1997 18:29:43 BST."
 <199709171729.SAA00329@beckett.earlsfort.iol.ie>
Message-ID: <414.874519197@critter.freebsd.dk>

In message <199709171729.SAA00329 at beckett.earlsfort.iol.ie>, Nick Hilliard writes:
>> Remember, making their IP numbers useless is the hardest way we can
>> hit them, get new IP# are not easy (the fact that you're on this
>> mail-list means that you know that :-)
>
>This is a bit off topic, but I disagree. If you're as unscrupulous as these
>guys, getting new IP numbers is as easy as this:
>
>: interface Ethernet0
>:  ip address 219.1.1.1 255.255.0.0
>:
>: router bgp xxxx
>:  network 219.1.0.0 netmask 255.255.0.0
>:
>: ip route 219.1.0.0 255.255.0.0 Null0 254
>
>Hey presto: you've just got a /16 block which will probably get routed to
>most Internet sites. If the block doesn't get routed everywhere, it's not
>the end of the world. Hey, it's only spam -- 90% saturation is almost as
>good as 100%.

This is why we should filter on the AS number rather than the IP#.

AS numbers and peering sessions are even harder to get than IP#...

--
Poul-Henning Kamp FreeBSD coreteam member
phk at FreeBSD.ORG "Real hackers run -current on their laptop."

From ifl at online.no Wed Sep 17 20:21:52 1997
From: ifl at online.no (Ina Faye-Lund)
Date: Wed, 17 Sep 1997 20:21:52 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
References: <34192B43.13F2@internext.fr>
Message-ID: <3.0.1.32.19970917202152.0190e848@online.no>

At 17:38 16.09.97 -0000, Luis Miguel Sequeira wrote:

>job. They are a strong force which will easily overthrow any basic
>measures taken against spamming - like simply filtering up domains,
>or blocking traffic from relaying machines.

Would think that a "nospam" in the address would tell them that we're not interested, but... :(

>Secondly, they are vindictive and protect their own jobs. This means that
>if an ISP tries to aggressively implement anti-spamming mechanisms,
>they will fight back! And how they do this?
For instance, they send out
>forged emails with these ISP's addresses. What happens? Entities receiving
>the forged emails will complain to the ISP in question. The ISP replies
>telling that the emails are forged, trying to make them understand that
>this is the "spammer's revenge". Most of these entities either don't care
>or don't believe, so they just shut the ISP off their firewall (especially
>if on the next day they get a new lot of unsolicited email apparently coming
>from the same forged addresses...).

Well, I usually get positive replies when I answer that it's a forged header. Now, abuse at online.no always replies manually to every mail we get, and that might help, of course. Also, I always point out how to read the header, and where they got it wrong. That too seems to help.

>This forces the ISP to open up themselves
>to spamming from this particular company, hoping that they won't forge
>spamming attempts in the future...

It depends on the ISP. In those cases where people shut our domain out, I've contacted the sys-admin at the remote site, and so far, we've been able to figure out a solution.

>Do you think that there is some interest in maintaining a mailing list for
>all postmasters from the LRs for the sole purpose of discussing anti-spam
>techniques and listing spamming domains and relay machines?

I at least would be interested. It would be far less public, and thus far less exposed to harassment, than news.admin.net-abuse.* Those who post regularly there, will discover that spammers pick up their address and subscribe them to lots of spamming-lists, or just mailbomb them.

>There is also an issue of local laws. Filtering out spam *could* be illegal
>on some countries (it violates freedom of speech).

I thought that "freedom of speech" only gave you the right to say what you wanted without fearing punishment from the government, but not where you want. Now, I don't know the laws in all countries. Does anybody know of any country with such laws?
>Portuguese law. There is a case of mail bombing (a particular kind of
>spamming...) brought to court - it will take ages to be ruled and probably the
>offender will get away with some community work :) but it will be judged in
>court. Of course, on other countries, freedom of speech may be more important
>than using others' telecommunications resources. I wonder if local laws will
>actually work *against* a RIPE-based global effort across Europe.

For a while, it might. But I think a change in local law will come in most countries, when the authorities understand the problem with this.

>A better way to deal with this is simply ignore the message, and make sure
>that
>all your users ignore the spam, too. In the long end, this means a lower
>"success rate" for a particular domain/spamming technique, so the spamming
>companies will probably try somewhere else.

I don't agree. There will always be new spammers, and I don't think ignoring the spam will make it go away. But since most of the spam comes from USA, one effective way is to say that you regard this as a "Denial of Service"-attack. The US law is pretty strict on this.

en
--
Regards,
Ina Faye-Lund
Abuse
Telenor Nextel AS

From ifl at online.no Wed Sep 17 20:39:51 1997
From: ifl at online.no (Ina Faye-Lund)
Date: Wed, 17 Sep 1997 20:39:51 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <3.0.3.32.19970917171612.006cd2c8@mail.esoterica.pt>
References: <1212.874504905@critter.freebsd.dk>
Message-ID: <3.0.1.32.19970917203951.01a54010@online.no>

At 17:16 17.09.97 +0100, Mario Valente wrote:

> There are two distinct problems: one is your local users being
> hit by spam. I don't mean one or two or ten. I mean when someone
> gets a hold of your list of users (/etc/passwd or mailing lists or
> scanning Usenet) or (like we had in the past) have someone create
> a program to generate all the permutations of 8 letters and try to
> deliver mail to permutationN at esoterica.pt.
This is one of the worst, in my experience as abuse/postmaster. It's difficult to block mails to our own customers, since we don't really know whether it's a legal mail or not. The chance is not that big, but it's there.

One of the nastiest things I've seen, was someone using finger permutationN at site.no to find addresses to spam. It was not _one_ finger-connection... The server wasn't happy with several hundred finger-connections at the same time, and decided to take a vacation.

> The other problem is your email server being used as a relay for
> spamming. Someone delivers mail on your server saying it is destined
> for somewhere else. Not only do you spend computation and bandwidth
> resources, but you also appear to be the origin of the spam, and thus
> get bothered a lot by other sysadms.
>
> This last problem was quite simple to solve, since there are patches
> and configurations for sendmail to do relay for only a list of machines.

Only, it takes some time to do the necessary changes, especially when you're acting as secondary mailserver to a lot of domains. :(

> The next solution was to block packets coming from those addresses
> to port 25 of any machine on our network.

That's what we're doing now. Since our router can throw away packets faster than they can send them (usually), it solves most of the problem. Except, of course, new spam-domains pop up every day.

We did this to one of the larger American domains (come to think of it, we still do). In approximately 48 hours, we got the following figures:

connections to the mailserver that was accepted:     1 200 000
connections refused from that domain:                  980 000
connections refused from other known spamdomains:      100 000

I also opened for their mailservers, but there were _no_ connections from those. Not one single try.

> This has worked wonders. We still receive unsolicited email, but no more
> heavy duty spams.

I haven't seen much since we started blocking certain IP-blocks in USA.
It was _not_ CyberPromo, since we've been blocking them for several months.

--
Med vennlig hilsen/Regards
Ina Faye-Lund
Telenor Nextel AS

From ifl at online.no Wed Sep 17 20:27:18 1997
From: ifl at online.no (Ina Faye-Lund)
Date: Wed, 17 Sep 1997 20:27:18 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <1212.874504905@critter.freebsd.dk>
References:
Message-ID: <3.0.1.32.19970917202718.0190e980@online.no>

At 16:01 17.09.97 +0200, Poul-Henning Kamp wrote:

>Have RIPE send a formal letter to AGIS and the IEMMC who
>houses most of these creep, and tell them that either they will
>cease to send spam to the following list of top level domains:
>{be, dk, ...} effectively today or the RIPE will orchestrate
>a pan-european filtering of all AGIS and IEMMC member networks
>until such filtering is in place. It should be pretty simple to
>simply filter all routes based on AGIS AS#(s), and maybe inject
>a bogus route for the IEMMC members networks.

That sounds like a good idea. Hmm... What about rejecting in the router; access-lists? That's what we mostly use, and that would drop SMTP-connections, and make the spammer wait for timeout on every SMTP-connection. Also, he won't get a "Connection Refused", so as far as he knows, he might just have a bad link, or a server might be down in the other end.

The problem about fighting spam, is that most things we do, also affect legitimate users. And that would ruin the point about everybody standing together against spam.

Also, blocking for relaying is against the RFC. Perhaps someone should write a new one, that only deals with spam and how to prevent it, and what to prevent? Would this be a good task for this forum?
--
Med vennlig hilsen/Regards
Ina Faye-Lund
Telenor Nextel AS

From mvalente at esoterica.pt Wed Sep 17 20:51:01 1997
From: mvalente at esoterica.pt (Mario Valente)
Date: Wed, 17 Sep 1997 19:51:01 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <3.0.1.32.19970917203951.01a54010@online.no>
References: <3.0.3.32.19970917171612.006cd2c8@mail.esoterica.pt> <1212.874504905@critter.freebsd.dk>
Message-ID: <3.0.3.32.19970917195101.006e8cf4@mail.esoterica.pt>

>> The next solution was to block packets coming from those addresses
>> to port 25 of any machine on our network.
>
>That's what we're doing now. Since our router can throw away packets
>
>> This has worked wonders. We still receive unsolicited email, but no more
>> heavy duty spams.
>
>I haven't seen much since we started blocking certain IP-blocks in USA.
>It was _not_ CyberPromo, since we've been blocking them for several months.
>

Remember, what has worked wonders was not blocking IP addresses totally and 24 hours a day at the routers but blocking them intermittently at the mail machine.

C U!

-- Mario Valente

From phk at critter.freebsd.dk Wed Sep 17 20:54:01 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Wed, 17 Sep 1997 20:54:01 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Wed, 17 Sep 1997 20:27:18 +0200." <3.0.1.32.19970917202718.0190e980@online.no>
Message-ID: <552.874522441@critter.freebsd.dk>

In message <3.0.1.32.19970917202718.0190e980 at online.no>, Ina Faye-Lund writes:
>At 16:01 17.09.97 +0200, Poul-Henning Kamp wrote:
>
>>Have RIPE send a formal letter to AGIS and the IEMMC who
>>houses most of these creep, and tell them that either they will
>>cease to send spam to the following list of top level domains:
>>{be, dk, ...} effectively today or the RIPE will orchestrate
>>a pan-european filtering of all AGIS and IEMMC member networks
>>until such filtering is in place.
It should be pretty simple to
>>simply filter all routes based on AGIS AS#(s), and maybe inject
>>a bogus route for the IEMMC members networks.
>
>That sounds like a good idea. Hmm... What about rejecting in the
>router; access-lists? That's what we mostly use, and that would

Simply deny all routes that originate in AS4200 :-)

--
Poul-Henning Kamp FreeBSD coreteam member
phk at FreeBSD.ORG "Real hackers run -current on their laptop."

From tonyb at uk.uu.net Thu Sep 18 10:26:07 1997
From: tonyb at uk.uu.net (Tony Barber)
Date: Thu, 18 Sep 1997 09:26:07 +0100 (BST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <414.874519197@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 17, 97 07:59:57 pm
Message-ID: <19970918082607.7977.qmail@pool.pipex.net>

Poul-Henning Kamp wrote:
>
>>: router bgp xxxx
>>:  network 219.1.0.0 netmask 255.255.0.0
>>:
>>: ip route 219.1.0.0 255.255.0.0 Null0 254
>>
>>Hey presto: you've just got a /16 block which will probably get routed to
>>most Internet sites. If the block doesn't get routed everywhere, it's not
>>the end of the world. Hey, it's only spam -- 90% saturation is almost as
>>good as 100%.
>
>This is why we should filter on the AS number rather than the IP#.
>
>AS numbers and peering sessions are even harder to get than IP#...
>

You should filter both ideally.

--Tony

From phk at critter.freebsd.dk Thu Sep 18 10:34:16 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 18 Sep 1997 10:34:16 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Wed, 17 Sep 1997 20:21:52 +0200." <3.0.1.32.19970917202152.0190e848@online.no>
Message-ID: <2190.874571656@critter.freebsd.dk>

>>There is also an issue of local laws. Filtering out spam *could* be illegal
>>on some countries (it violates freedom of speech).
>
>I thought that "freedom of speech" only gave you the right to say what you
>wanted without fearing punishment from the government, but not where you
>want.
Now, I don't know the laws in all countries. Does anybody know
>of any country with such laws?

No, there is no way in hell it can ever be illegal to filter out commercial messages sent without paying for the service.

All you have to do is to put in your business rules that you take payment of USD1 for delivering advertising material via email.

Check with your local lawyer.

--
Poul-Henning Kamp FreeBSD coreteam member
phk at FreeBSD.ORG "Real hackers run -current on their laptop."

From ev at nextel.no Thu Sep 18 10:41:48 1997
From: ev at nextel.no (Espen Vestre)
Date: 18 Sep 1997 10:41:48 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Luis Miguel Sequeira's message of Wed, 17 Sep 1997 18:04:47 -0000 (GMT)
References:
Message-ID:

Luis Miguel Sequeira writes:

> I fail to understand from where these guys get Internet connectivity.
> It would violate almost any AUP I know of...

Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but several others also, continue to give these guys internet connectivity. Customers of these providers are starting to discover that they are losing mail connectivity, so let's hope the AUP-ignoring ISPs will lose in the (not too) long run.

--
regards,
Espen Vestre
Telenor Nextel AS
Norway

From ev at nextel.no Thu Sep 18 10:44:07 1997
From: ev at nextel.no (Espen Vestre)
Date: 18 Sep 1997 10:44:07 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Nick Hilliard's message of Wed, 17 Sep 1997 18:29:43 +0100 (IST)
References: <199709171729.SAA00329@beckett.earlsfort.iol.ie>
Message-ID:

Nick Hilliard writes:

> This is a bit off topic, but I disagree. If you're as unscrupulous as these
> guys, getting new IP numbers is as easy as this:

Are you suggesting that some of these guys are connected directly to the backbone and thus able to make BGP announcements? Oh-oh.
--
regards,
Espen Vestre
Telenor Nextel AS

From jhma at eu.net Thu Sep 18 11:07:46 1997
From: jhma at eu.net (James Aldridge)
Date: Thu, 18 Sep 1997 11:07:46 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Wed, 17 Sep 1997 20:27:18 +0200." <3.0.1.32.19970917202718.0190e980@online.no>
Message-ID: <199709180907.LAA02549@aegir.EU.net>

Ina Faye-Lund wrote:
> Also, blocking for relaying is against the RFC. Perhaps someone
> should write a new one, that only deals with spam and how to prevent
> it, and what to prevent? Would this be a good task for this forum?

Work is going on in this area in the IETF "Responsible Use of the Network (run)" and "Detailed Revision/Update of Message Standards (drums)" working groups. See, for example:

| Internet-Draft                                          Intel Corp.
| draft-ietf-run-spew-01.txt                             Albert Lunde
| Expires September, 1997                     Northwestern University
|
|
|                              DON'T SPEW
|               A Set of Guidelines for Mass Unsolicited
|                     Mailings and Postings (Spam*)
|
|
| Abstract
|
| This document provides explains why mass unsolicited electronic mail
| messages are not useful in the Internetworking community. It gives a
| set of guidelines for dealing with unsolicited mail for users, for
| system administrators, news administrators, and mailing list
| managers. It also makes suggestions Internet Service Providers might
| follow.

and

| INTERNET-DRAFT                               John C. Klensin, Editor
| Expires in six months                        Dawn P. Mann, Co-Editor
| July 30, 1997
|
|
|                     Simple Mail Transfer Protocol
|
|                    draft-ietf-drums-smtpupd-06.txt
| [...]
| 0.
 Abstract
|
| This document is a self-contained specification of the basic protocol
| for the Internet electronic mail transport, consolidating and
| updating
|
| * the original SMTP specification of RFC 821 [RFC-821],
| * Domain name system requirements and implications for mail
|   transport from RFC 1035 [RFC-DNS] and RFC 974 [RFC974],
| * the clarifications and applicability statements in
|   RFC 1123 [RFC-1123], and
| * material drawn from the SMTP Extension mechanisms [SMTPEXT].
|
| It replaces RFC 821, RFC 974, and the mail transport materials of RFC
| 1123. However, RFC 821 specifies some features that are not in
| significant use in the Internet of the mid-1990s and (in appendices)
| some additional transport models. Those sections are omitted here in
| the interest of clarity and brevity; readers needing them should
| refer to RFC 821.
|
| It also includes some additional material from RFC 1123 that required
| amplification. This material has been identified in multiple ways,
| mostly by tracking flaming on the header-people list [HEADER-PEOPLE]
| and problems of unusual readings or interpretations that have turned
| up as the SMTP extensions have been deployed. Where this
| specification moves beyond consolidation and actually differs from
| earlier documents, it supersedes them technically as well as
| textually.

The full text of these documents is available from your local internet-draft archive (e.g. ftp://ftp.ripe.net/internet-drafts/).
James

James Aldridge, Senior Network Engineer,
EUnet Communications Services BV
Singel 540, 1017 AZ Amsterdam, NL
Tel: +31 20 530 5327; Fax: +31 20 622 4657
24hr emergency number: +31 20 421 0865

From toby.williams at business.net.uk Thu Sep 18 12:08:12 1997
From: toby.williams at business.net.uk (Toby Williams)
Date: Thu, 18 Sep 1997 11:08:12 +0100
Subject: Spammers hapless fate = ISP toil and sweat
Message-ID: <01BCC423.2896C440@toby2.business.net.uk>

So.. Sysadmins have a range of techniques for stopping unsolicited mail, but every time it's used, a new way is found to get around it. This sounds to me like spam is going to go on forever.

Earlier on in this discussion, it was mentioned that spammers use test accounts to see if they get mail back - if you spam, you need to know how effective you are so that you can punish whoever tries to stop you etc. It makes sense. So why not focus upon making the spammers think they have succeeded. If there is a way of stopping spam to all but the test accounts then we are on a winner ;-) Maybe spammers could even get sloppy, if they thought that their work was successful. Any ideas as to how this could be achieved?

As a second way of stopping spam, I think Europe has to push for a very clear law which defines spamming and can be used to prosecute those that are careless enough to give away their origins. Currently being a spammer could be deemed as a bit of a "buzz" - trying to beat the sysadmins at their own game etc. How about making spammers realise that they're disliked and are on a very fine line towards getting locked up ...seriously, if spamming is to be stopped for good, unfortunately spammers will have to be shown zero tolerance in legal terms.
Either this will be achieved through court cases based on existing laws (such as the Portuguese "unsolicited use of resources" law) or through new legislation specific to spam. Does anyone have access to legal resources who would be able to point us in the right direction?

OK, I accept I have committed a bit of a "faux pas" mentioning Law ;-) but as far as I see, we are all having our resources used to devalue the commodity we trade in - Internet, and the only way to stop this is to

1. Make spammers think they're winning when they're not and
2. Make spammers pay for their abuse ten times over until they get the message that European ISPs will not tolerate abuse of their resources.

Otherwise, as is the situation currently, our message will be "we don't like them, but will continue to play the game by your rules".

Regards,

Toby Williams
BusinessNet UK - Internet for Business

-----Original Message-----
From: Poul-Henning Kamp [SMTP:phk at critter.freebsd.dk]
Sent: 17 September 1997 19:54
To: Ina Faye-Lund
Cc: local-ir at ripe.net
Subject: Re: Spammers hapless fate = ISP toil and sweat

In message <3.0.1.32.19970917202718.0190e980 at online.no>, Ina Faye-Lund writes:
>At 16:01 17.09.97 +0200, Poul-Henning Kamp wrote:
>
>>Have RIPE send a formal letter to AGIS and the IEMMC who
>>houses most of these creep, and tell them that either they will
>>cease to send spam to the following list of top level domains:
>>{be, dk, ...} effectively today or the RIPE will orchestrate
>>a pan-european filtering of all AGIS and IEMMC member networks
>>until such filtering is in place. It should be pretty simple to
>>simply filter all routes based on AGIS AS#(s), and maybe inject
>>a bogus route for the IEMMC members networks.
>
>That sounds like a good idea. Hmm... What about rejecting in the
>router; access-lists? That's what we mostly use, and that would

Simply deny all routes that originate in AS4200 :-)

--
Poul-Henning Kamp           FreeBSD coreteam member
phk at FreeBSD.ORG          "Real hackers run -current on their laptop."

From nh at iol.ie Thu Sep 18 12:44:31 1997
From: nh at iol.ie (Nick Hilliard)
Date: Thu, 18 Sep 1997 11:44:31 +0100 (IST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: from "Espen Vestre" at Sep 18, 97 10:44:07 am
Message-ID: <199709181044.LAA19136@beckett.earlsfort.iol.ie>

> Are you suggesting that some of these guys are connected directly
> to the backbone and thus able to make BGP announcements?

I don't know whether they are or not. But the possibility should be entertained.

From a policy routing point of view, it's easier to filter out a whole AS rather than mess around with single address prefixes. This would make a good deterrent for spammers not to use BGP.

Nick

From phk at critter.freebsd.dk Thu Sep 18 12:52:49 1997
From: phk at critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 18 Sep 1997 12:52:49 +0200
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Thu, 18 Sep 1997 11:44:31 BST." <199709181044.LAA19136@beckett.earlsfort.iol.ie>
Message-ID: <2569.874579969@critter.freebsd.dk>

In message <199709181044.LAA19136 at beckett.earlsfort.iol.ie>, Nick Hilliard writes:
>> Are you suggesting that some of these guys are connected directly
>> to the backbone and thus able to make BGP announcements?
>
>I don't know whether they are or not. But the possibility should be
>entertained.
>
>From a policy routing point of view, it's easier to filter out a
>whole AS rather than mess around with single address prefixes. This would
>make a good deterrent for spammers not to use BGP.

And for ISPs not to host them.

So far, all the spammers I have had to deal with have been hosted under AGIS, although a few of them use random dial-in accounts for actually sending their spam.
--
Poul-Henning Kamp           FreeBSD coreteam member
phk at FreeBSD.ORG          "Real hackers run -current on their laptop."

From javier at bitmailer.com Thu Sep 18 13:16:19 1997
From: javier at bitmailer.com (Javier Llopis)
Date: Thu, 18 Sep 97 13:16:19
Subject: Spammers hapless fate = ISP toil and sweat
Message-ID:

On Wed, 17 Sep 1997 20:21:52 +0200, Ina Faye-Lund wrote:

>
>>There is also an issue of local laws. Filtering out spam *could* be illegal
>>on some countries (it violates freedom of speech).
>
>I thought that "freedom of speech" only gave you the right to say what you
>wanted without fearing punishment from the government, but not where you
>want. Now, I don't know the laws in all countries. Does anybody know
>of any country with such laws?

No, I don't think the issue has anything to do with freedom of speech. The spammers are using someone else's resources for their marketing campaign. Our mailbox REALLY IS a space for publicity, but it is OUR PROPERTY and using it without your consent is THEFT. Just as if someone interrupted a TV broadcast to show their own commercials without paying the studio who owns the frequency. No judge in any country would consider the rights to speech of the offender in this case.

I don't know about you but if I could get $200 for every spam message that appears in my mailbox I would look forward to them and if my company could get a fair retribution for the messages relayed through their line and servers way they'll be happy to do it. The thing that makes spam evil is that neither Internet companies nor the individuals who are the target for spam get any compensation for the abuse of their resources.

------------------------------------------------------------
Javier Llopis
javier at bitmailer.com

"It is best to assume that the network is filled with malevolent entities that will send packets designed to have the worst possible effect."
- F.Baker, RFC1812
------------------------------------------------------------

From mvalente at esoterica.pt Thu Sep 18 14:31:17 1997
From: mvalente at esoterica.pt (Mario Valente)
Date: Thu, 18 Sep 1997 13:31:17 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <199709171729.SAA00329@beckett.earlsfort.iol.ie>
References: <220.874512737@critter.freebsd.dk>
Message-ID: <3.0.3.32.19970918133117.006d78b8@mail.esoterica.pt>

>
>Mario, I like your solution, but does it scan individual email messages, or
>just mail logs? If it's the former, does it chew system resources?
>

It just scans the tail of the mail logs (the queue log) every 15 minutes to inspect if there's a spam going on (msgs from a certain list of known spammers, a repetition of the same message from the same domain, msgs from numeric domains like 34534.com). It cleans all the domains blocked and blocks the ones that are in offense.

From what we were able to gather, CPU consumption is not high.

C U!

MV

From clive at demon.net Thu Sep 18 14:50:33 1997
From: clive at demon.net (Clive D.W. Feather)
Date: Thu, 18 Sep 1997 13:50:33 +0100 (BST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <01BCC423.2896C440@toby2.business.net.uk> from "Toby Williams" at Sep 18, 97 11:08:12 am
Message-ID: <874587033.20290.0@office.demon.net>

Toby Williams said:
> Does anyone have access to legal resources who would be able to
> point us in the right direction?
[...]

Allegedly Monday's LINX meeting delegated me to work on this, but I haven't officially been told yet. Later today, apparently.

--
Clive D.W. Feather    | Work: | Tel: +44 181 371 1138
Director of           | Home: | Fax: +44 181 371 1037
Software Development  | Demon Internet Ltd.

From francois.weil at chiptechnologies.fr Thu Sep 18 15:35:36 1997
From: francois.weil at chiptechnologies.fr (Francois Weil)
Date: Thu, 18 Sep 1997 15:35:36 +0200
Subject: Spammers
Message-ID: <34212E28.30F0@chiptechnologies.fr>

In this case, spammers have got two levels of success ...

First we did receive unsolicited messages, that I consider to be a kind of violation of property. Non depending of law, I can decide to respond or not, and I can decide if law allows to defend, or if it doesn't to aggress spammer.

The second level of success is that people generate lots of Emails, ..., sorry but I found it funny.

Well. My attitude is to leave mailbox open, and to put most of contents in the basket. Filtering is not possible, as well as spammers use some techniques that we have not time to study.

A software filter could try to examine coherence of Emails. Such as a specific format which could contain legal informations. A legal mail should contain a real reply address, or something that certifies that sender exists, and is ready to respond to any asks.

If messages I receive do not contain some informations, I can decide to destroy them. If messages do not contain but come from precise addresses, I can decide to keep.

It is an idea. When I take my mail in my post-mailbox, at home, I have the same attitude.

Rgrds

From kch at uu.net Thu Sep 18 16:28:43 1997
From: kch at uu.net (Keith C. Howell)
Date: Thu, 18 Sep 1997 10:28:43 -0400 (EDT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
Message-ID:

On 18 Sep 1997, Espen Vestre wrote:

> Luis Miguel Sequeira writes:
>
> > I fail to understand from where these guys get Internet connectivity.
> > It would violate almost any AUP I know of...
>
> Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but
> several others also, continue to give these guys internet connectivity.
> Customers of these providers are starting to discover that they
> are losing mail connectivity, so let's hope the AUP-ignoring ISP's
> will lose in the (not too) long run.

If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful, it will save them a lot of time and money.

When an ISP sells a connection to a company, they have no idea what the customer will use the connection for. Certainly, here at UUNET, our AUP is enforced. But if the spammer just buys another connection, how would we identify them? All the outside world will see is "another UUNET connected spammer", but to us, this is a separate customer.

The other unfortunate thing is that the law enforcement agencies will not assist ISP's in tracking down spammers. If the culprit has a dial-up account and dials into a network, you can get all sorts of information on them. But even if the caller is stupid enough not to suppress caller ID (or make the call from a payphone), the phone companies will not release the address that matches the phone number.

--
Keith Howell

From neil at colt.net Thu Sep 18 17:01:09 1997
From: neil at colt.net (Neil J. McRae)
Date: Thu, 18 Sep 1997 16:01:09 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Thu, 18 Sep 1997 13:50:33 BST." <874587033.20290.0@office.demon.net>
Message-ID: <199709181501.QAA06346@NetBSD.noc.COLT.NET>

On Thu, 18 Sep 1997 13:50:33 +0100 (BST) "Clive D.W. Feather" wrote:
> Allegedly Monday's LINX meeting delegated me to work on this, but I haven't
> officially been told yet. Later today, apparently.

I don't remember you being named out apart from the action given to you on the previous LINX meeting.

As for spam, the first and most important issue regarding this is to educate users and vendors into securing their mail transport agents so that they _DO_NOT_ automatically relay any email that is sent to them.
Microsoft, sendmail and others are all guilty of this, [mostly for backwards compatibility reasons]. Fix that and then the spammers have to pay for their own resources...

Regards,
Neil
--
Neil J. McRae - Alive and Kicking.
C O L T I N T E R N E T
neil at COLT.NET
Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer!

From clive at demon.net Thu Sep 18 17:02:49 1997
From: clive at demon.net (Clive D.W. Feather)
Date: Thu, 18 Sep 1997 16:02:49 +0100 (BST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <199709181501.QAA06346@NetBSD.noc.COLT.NET> from "Neil J. McRae" at Sep 18, 97 04:01:09 pm
Message-ID: <874594969.22567.0@office.demon.net>

Neil J. McRae said:
>> Allegedly Monday's LINX meeting delegated me to work on this, but I haven't
>> officially been told yet. Later today, apparently.
> I don't remember you being named out apart from the action given to you
> on the previous LINX meeting.

Which was to do with something else, not spam.

Okay, I must have misunderstood what I was told. Phew.

--
Clive D.W. Feather    | Work: | Tel: +44 181 371 1138
Director of           | Home: | Fax: +44 181 371 1037
Software Development  | Demon Internet Ltd. |

From aid at u-net.net Thu Sep 18 17:48:45 1997
From: aid at u-net.net (Adrian Bool)
Date: Thu, 18 Sep 1997 16:48:45 +0100 (BST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
Message-ID:

On Thu 18 Sep, Keith C. Howell wrote:
> On 18 Sep 1997, Espen Vestre wrote:
>
> > Luis Miguel Sequeira writes:
> >
> > > I fail to understand from where these guys get Internet connectivity.
> > > It would violate almost any AUP I know of...
> >
> > Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but
> > several others also, continue to give these guys internet connectivity.
> > Customers of these providers are starting to discover that they
> > are losing mail connectivity, so let's hope the AUP-ignoring ISP's
> > will lose in the (not too) long run.
>
> If someone could suggest how to identify a spammer *before* they start
> sending out email, then I am sure every person who has to deal with the
> spam would be most grateful, it will save them a lot of time and money.
>
> When an ISP sells a connection to a company, they have no idea what the
> customer will use the connection for. Certainly, here at UUNET, our AUP is
> enforced. But if the spammer just buys another connection, how would we
> identify them? All the outside world will see is "another UUNET connected
> spammer", but to us, this is a separate customer.

One solution that I am aiming for (not implemented yet!) is tying our SMTP server into our database. When a customer connects, we look them up in the db based upon the MAIL FROM:<> value. From the db is returned a max limit of RCPTs that the user may issue for a single mail. New accounts can be given a value of 15 and incremented automatically by say 10 each month as our trust of them develops. If people want to run mailing lists etc.. then they can phone/email us and we can manually up the limit, after making appropriate checks first.

Biggest problem in this is ensuring people have legal MAIL FROMs.

Regards,

aid

--
Adrian J Bool       | mailto:aid at u-net.net
Network Operations  | http://www.noc.u-net.net/
U-NET Ltd           | tel://44.1925.484461/

From andre at ml.ee Thu Sep 18 21:11:49 1997
From: andre at ml.ee (Andres Kroonmaa)
Date: Thu, 18 Sep 1997 21:11:49 +0200 (EETDST)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
References:
Message-ID:

Date sent: Thu, 18 Sep 1997 10:28:43 -0400 (EDT)
From: "Keith C. Howell"

> If someone could suggest how to identify a spammer *before* they start
> sending out email, then I am sure every person who has to deal with the
> spam would be most grateful, it will save them a lot of time and money.

Dialups should be forced to use their ISP's smtp relay.
There should be implemented enough checks, like ensuring valid mail froms and starting off all sorts of bells when recipient count gets too high. These two alone would reduce spam a lot. If one adds forged header checks and sender ident, he'd be perfect. Mailinglists distribution might be also enforced to controlled arrangement. Although these measures might be unwelcome by some customers, most legitimate users can live with it.

Just thought.

----------------------------------------------------------------------
Andres Kroonmaa mail: andre at online.ee
Network Manager
Organization: MicroLink Online Tel: 6308 909
Tallinn, Sakala 19 Pho: +372 6308 909
Estonia, EE0001 http://www.online.ee Fax: +372 6308 901
----------------------------------------------------------------------

From lms at esoterica.pt Thu Sep 18 21:16:00 1997
From: lms at esoterica.pt (Luis Miguel Sequeira)
Date: Thu, 18 Sep 1997 19:16:00 -0000 (GMT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
Message-ID:

Hello,

On 18-Sep-97 "Keith C. Howell" wrote:
> If someone could suggest how to identify a spammer *before* they start
> sending out email, then I am sure every person who has to deal with the
> spam would be most grateful, it will save them a lot of time and money.
>
> When an ISP sells a connection to a company, they have no idea what the
> customer will use the connection for. Certainly, here at UUNET, our AUP is
> enforced. But if the spammer just buys another connection, how would we
> identify them? All the outside world will see is "another UUNET connected
> spammer", but to us, this is a separate customer.

I think this is exactly the same problem with requests for domain names which are never paid and will never be, whose whole purpose of existence is giving an email message a "real existence" for a while for the purposes of getting feedback.
If the InterNIC were able to know *beforehand* that these addresses would be used for spamming, they probably wouldn't ever consider registering the requested domains.

So, knowing who is a spammer *beforehand* is unpractical and almost impossible. However, here is an idea for you: limit the number of email messages per user that may be able to be sent at a time; limit the number of email messages with the same subject that may come from the same address; and finally, restrict the number of cc:'s or bcc:'s per message (for legitimate users, offer them to set up their own, private mailing list - this will impress your customers with superb customer service :) and the time taken to set something up with majordomo would be negligible when compared with the wasteful bandwidth).

Remember that spammers generate the same message for multiple users during a very short time period (or have messages with multiple cc:'s) and will, for the duration of a session, be mostly flooding port 25 with several messages. This kind of usage pattern should be easily detected by a few scripts (just by looking at the mail logs...) and you could temporarily block port 25 for that user's particular IP address for a while...

This will mean that -

a) legitimate users, who just send a few messages at every time of the day, would not notice any difference;
b) private mailing lists (ie. people in dire need to contact a large, legitimate base of users on a regular basis) would be implemented using the correct way, ie. a majordomo/listserv/whatever solution (bcc's just waste CPU power)
c) spammers, while still being able to spam, would give up as your mail server would be "too slow" to process tens of thousands of messages, forcing them to drop you as a provider and try elsewhere (additional accounts would be useless for the same reasons).
Of course, in an ideal world, every ISP would implement exactly the same anti-spamming measures and spam would be controlled in a matter of days :-) But look what it means if a LARGE group of ISPs (say, all of those in Europe) implement similar measures. You could actually claim, as a block, that spamming will not be tolerated on a large geographical region (or for large group of users). This means that spamming companies will be unable to offer their customers service into those areas.

That's why it's so important to implement a common set of rules and standard practices (an Internet draft, a RFC, something like that) against spamming: if you're actually blocking a large percentage of the Internet from spamming attacks, the spamming companies will lose customers. And will go broke.

After a while, you can invert the tendency: ISPs *permitting* spamming (ie. those not actively implementing anti-spamming techniques) will be avoided by potential customers. The active implementation of anti-spamming techniques would become a commercial advantage...

> The other unfortunate thing is that the law enforcement agencies will not
> assist ISP's in tracking down spammers. If the culprit has a dial-up
> account and dials into a network, you can get all sorts of information on
> them. But even if the caller is stupid enough not to suppress caller ID (or
> make the call from a payphone), the phone companies will not release the
> address that matches the phone number.

Around here you can easily get the address based on the phone number unless it's confidential, but I think that the issue here is implementing anti-spamming techniques (ie. making the spammers' life so hard that they will give up your ISP and find another one) that will keep them away.

Mind you, I live in a country where issues at court take AGES (several years) to solve, so the only legal considerations we usually have is if the measures we're taking against spammers (or any other kind of abuse) are legal, ie.
making sure that *they* wouldn't sue *us* for anything. Once that issue is clear, the only thing we need to think about is how we are going to stop them from pestering us. The police is always quite helpful and exchanges some emails about the issue, but we perfectly know that the *courts* will take too long to react to a spamming attack (I shudder from the thought of actually defining "spam" on court in front of a judge...).

So I really think that it's more important to prevent spamming than take any legal action against spammers. Even in countries with a good and fast legal system you have the problem of international law - which will take ages even if both countries have excellent legal systems. :-(

Again, this view comes mainly from having to live under an ugly, painfully slow legal system (which has some very nice laws if you just could find someone to enforce them in useful time...).

As a conclusion: if I can't know who is a spammer *before* the act, and if I can't convict him of that crime at once, the only solution left to me is *preventing* him to commit this crime.

I hope that at least the simple techniques described before will help you out with the spammers...

- Luis

Esoterica - Novas Tecnologias de Informacao, SA
Luis Miguel Sequeira
lms at esoterica.pt http://www.esoterica.pt/

From prc at co.ip.pt Thu Sep 18 23:16:56 1997
From: prc at co.ip.pt (Pedro Ramalho Carlos)
Date: Thu, 18 Sep 1997 22:16:56 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To:
References:
Message-ID: <3.0.3.32.19970918221656.00d68ea4@jaguar.ip.pt>

I think we all agree that the technical efforts that each of us has endured for the last few months trying to get ahead of spammers' tricks have produced some results...until they get some new trick (like the unallocated IP-BGP one from Nick. I hope AGIS is not on this list :(...

At 10:28 18-09-1997 -0400, Keith C. Howell wrote:
>On 18 Sep 1997, Espen Vestre wrote:
>
[...]
>The other unfortunate thing is that the law enforcement agencies will not
>assist ISP's in tracking down spammers. If the culprit has a dial-up
>account and dials into a network, you can get all sorts of information on
>them. But even if the caller is stupid enough not to suppress caller ID (or
>make the call from a payphone), the phone companies will not release the
>address that matches the phone number.

...unless there is a judge's order to do so (at least that's how it works here). And one can reject incoming calls that don't have Caller-ID, ISDN Calling Party ID, etc. (but then they will start by attacking the PTT telephone switch :(

We all agree that results from going after each spam individually, each isp on its own, is not practical:
- it has high technical labour costs,
- it has high legal costs;
- it has VERY limited effect on the problem as a whole, because there are way too many clueless companies willing to pay 200USD to send a mass mailing.

However we tend to address this problem only from a technical perspective (probably because this is where we feel we can do something about spam)... and laws and lawyers are generally "taboo".

However, if we agree that:
- most spams are originating in the US;
- the justice system seems to work there;
- spams are eventually paid by businesses (that buy "spamming services" from spam operations);
- the US has explicit laws against spam, aka "unsolicited bulk email" ( US Code Title 47, Sec.227(a)(2)(B) - is supposed to define a $500USD compensation for EACH e-mail message spooled;
- the US has the largest concentration of lawyers and law-firms eager to get a few million USD more;
- that businesses are not especially fond of getting a huge suit asking for compensation, especially if the suitor is represented by one big-shot law-firm.

What about organizing something along these lines?
- pick up a case where most of us have been hit by spams for the same company products where at least 10.000 instances of the same message can be individually identified in our combined spool/mails. Collect a copy of each message, with headers and organize them as proof.
- select one of the large law firms in the US, and file a suit for 10.000 x $500 USD = 5 mill, USD against that company. They would have the "carrot" of getting x% of the compensation actually paid. If some minimum fee is needed it would be supported by us/RIPE. (x can be as high as 99% if we feel comfortable with it)
- have them win the case;
- make a lot of publicity directly and get a lot of it indirectly.

Ideally:
- RIPE could organize this, and we would all delegate to RIPE all the compensations for the action (that RIPE would continue to use in the benefit of Europe's part of the Internet:)
- the target company(ies) should be big enough to be able to pay the 5 mill USD only marginally without going bankrupt, should be listed on one of the stock exchanges, so that a suit against it would have to be published by the company itself under stock exchange laws. If we're lucky, their stock prices will fall sharply, getting attention also from the "Business Press", etc.

Possibly a series of several suits against a few such companies would be needed to get enough publicity (but if one wins the first the next will be easier).

What I would hope for, is that the attention raised on the media on the VERY NEGATIVE business results of "cheap massive Internet mailings" (as "spam" is known in the business world), would refrain anyone but the clueless to resort to spamming.
Even, if it doesn't completely stop all of them, it will make the number of companies buying spamming services smaller because of the legal action risk, and that would make spam prices higher (or make spam operators unable to pay smart people to develop tricks to work around our spam-blocks) and create a positive feedback cycle here that would eventually put spam back into the small dimension it was a few years back.

I guess this is a bit Machiavellian, and I might be a bit too much willing to use legal tricks against them, but as a RIPE member I would clearly support an action from RIPE to get some "legal counsel" to check what the odds of winning such a case are...

On the technical side, however, I propose that all of us stop our clients ability to use other people's mail relays, by blocking SMTP access to all but the ISP's own relays. This seems pretty easy to implement on most dialup/permanent connections these days.

This brings me back to Keith:

>If someone could suggest how to identify a spammer *before* they start
>sending out email, then I am sure every person who has to deal with the
>spam would be most grateful, it will save them a lot of time and money.
>
>When an ISP sells a connection to a company, they have no idea what the
>customer will use the connection for. Certainly, here at UUNET, our AUP is
>enforced. But if the spammer just buys another connection, how would we
>identify them? All the outside world will see is "another UUNET connected
>spammer", but to us, this is a separate customer.

...this "UUNET connected spammer" would probably be very easily detected by UUNET itself, if he would only be able to use UUNET's email relays, wouldn't he?

just my .02 Euro

kind regards,

---
pedro ramalho carlos       Pedro.Carlos at co.ip.pt
IP SA                      tel: +351-1-3166724
Av. Duque de Avila, 23     fax: +351-1-3166701
1000 LISBOA - PORTUGAL
PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2

From prc at co.ip.pt Thu Sep 18 23:37:18 1997
From: prc at co.ip.pt (Pedro Ramalho Carlos)
Date: Thu, 18 Sep 1997 22:37:18 +0100
Subject: Possible Problem? [was Re: Spammers hapless fate = ISP toil and sweat]
In-Reply-To: <3.0.1.32.19970917203951.01a54010@online.no>
References: <3.0.3.32.19970917171612.006cd2c8@mail.esoterica.pt> <1212.874504905@critter.freebsd.dk>
Message-ID: <3.0.3.32.19970918223718.00d71fb4@jaguar.ip.pt>

Ina,

At 20:39 17-09-1997 +0200, Ina Faye-Lund wrote:
>
[...]
>We did this to one of the larger American domains (come to think of it,
>we still do). In approximately 48 hours, we got the following figures:
>
>connections to the mailserver that was accepted: 1 200 000
>connections refused from that domain: 980 000
>connections refused from other known spamdomains: 100 000
>
>I also opened for their mailservers, but there were _no_ connections
>from those. Not one single try.

How do you know their "submitting/outgoing mail servers" list? Note that the DNS MX RR list points to their incoming mail servers. Some people have different pools of servers to process outgoing email. Could this be the reason why you don't get a single email from a "large American domain"? You might be blocking their "email-out" servers... Just a wild guess.

kind regards,

>Ina Faye-Lund

---
pedro ramalho carlos       Pedro.Carlos at co.ip.pt
IP SA                      tel: +351-1-3166724
Av.
Duque de Avila, 23 fax: +351-1-3166701 1000 LISBOA - PORTUGAL PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2 From prc at co.ip.pt Thu Sep 18 23:49:24 1997 From: prc at co.ip.pt (Pedro Ramalho Carlos) Date: Thu, 18 Sep 1997 22:49:24 +0100 Subject: Spammers hapless fate = ISP toil and sweat In-Reply-To: <199709171553.QAA24564@beckett.earlsfort.iol.ie> References: <34204149.4C0B@ghana.com> Message-ID: <3.0.3.32.19970918224924.00d72a0c@jaguar.ip.pt> Nick, At 16:53 17-09-1997 +0100, Nick Hilliard wrote: >> The Internet needs unforgeable addresses, IP and "caller ID" equivalent. > >This is a good point, but unfortunately, we're still stuck with ipv4, which >is completely forgeable. If you've got even one rogue BGP site, they can >inject anything the feel like into the internet routing tables and do all >sorts of horrible things. > >I'm almost surprised that spammers haven't cottoned on to this yet -- they >could inject some temporary routes into the internet, use hosts on these >address ranges to bounce their spam off a 3rd-party relay site and then >withdraw the announcements. This would be almost totally untraceable and >would circumvent routing black holes completely -- for those who are using >routing black holes to try to control spamming. To do this they would have to BGP peer with somebody that does NOT filter prefixes from a customer connection (and that is a Bad Thing (tm)). Unless the spammer is an NSP itself. Ok, there are ways around this but I wouldn't even think of them, much less discuss them on a list :-) kind regards, --- pedro ramalho carlos Pedro.Carlos at co.ip.pt IP SA tel: +351-1-3166724 Av. Duque de Avila, 23 fax: +351-1-3166701 1000 LISBOA - PORTUGAL PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2 From ifl at online.no Fri Sep 19 09:41:16 1997 From: ifl at online.no (Ina Faye-Lund) Date: Fri, 19 Sep 1997 09:41:16 +0200 Subject: Possible Problem? 
[was Re: Spammers hapless fate = ISP toil and sweat]
In-Reply-To: <3.0.3.32.19970918223718.00d71fb4@jaguar.ip.pt>
References: <3.0.1.32.19970917203951.01a54010@online.no> <3.0.3.32.19970917171612.006cd2c8@mail.esoterica.pt> <1212.874504905@critter.freebsd.dk>
Message-ID: <3.0.1.32.19970919094116.01917088@online.no>

At 22:37 18.09.97 +0100, Pedro Ramalho Carlos wrote:
>How do you know their "submitting/outgoing mail servers" list?
>Note that the DNS MX RR list points to their incoming mail servers. Some
>people have different pools of servers to process outgoing email.
>Could this be the reason why you don't get a single email from a "large
>American domain"?
>You might be blocking their "email-out" servers...
>Just a wild guess.

Of course, I might. What happened, was I wanted to shut out those who used our mailserver directly. I called Psi and asked them if they could tell me what IP-addresses their mailservers had. I explained that I planned to shut out most of their addresses, but that I would let their mailservers through. She wouldn't tell me, so I would either have to accept the spam, or shut out all mailservers not registered.

However, I do receive the standard replies when I complain about spam to abuse at psi.net, so they have at least one mailserver that we do accept mail from, and that they use to send mail out. What I said was that we didn't receive any mail from them in that specific 48 hours.

--
Med vennlig hilsen/Regards
Ina Faye-Lund
Telenor Nextel AS

From neil at colt.net Fri Sep 19 09:59:25 1997
From: neil at colt.net (Neil J. McRae)
Date: Fri, 19 Sep 1997 08:59:25 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Thu, 18 Sep 1997 16:48:45 BST."
Message-ID: <199709190759.IAA09409@NetBSD.noc.COLT.NET>

On Thu, 18 Sep 1997 16:48:45 +0100 (BST) Adrian Bool wrote:
> One solution that I am aiming for (not implemented yet!) is tying our SMTP
> server into our database.
When a customer connects, we look them
> up in the db based upon the MAIL FROM:<> value. from the db is
> returned a max limit of RCPTs that the user may issue for a single
> mail. New accounts can be given a value of 15 and incremented automatically
> by say 10 each month as our trust of them develops. If people want to
> run mailing lists etc.. then they can phone/email us and we can manually
> up the limit, after making appropriate checks first.
>

We do this with qmail.

--
Neil J. McRae - Alive and Kicking. C O L T I N T E R N E T
neil at COLT.NET Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer!

From mick at fox.iprolink.ch Fri Sep 19 10:20:35 1997
From: mick at fox.iprolink.ch (Mickey Coggins)
Date: Fri, 19 Sep 1997 10:20:35 +0200 (CEsT)
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <3.0.3.32.19970918224924.00d72a0c@jaguar.ip.pt> from "Pedro Ramalho Carlos" at Sep 18, 97 10:49:24 pm
Message-ID: <199709190820.KAA17146@fox.iprolink.ch>

One thing we should keep in mind when implementing anti-spam solutions is to not try to solve the problem like was done with news.

Since people started rejecting massive cross-postings, the spammers just sent a new article to each of the groups. Most of the spam is binary pictures trying to attract people to their site, so the amount of news traffic skyrocketed with dozens of copies of the same stuff.

Score: spammers 1
       isps 0

I don't have a solution, but a wise man once said "don't try to squeeze water in your hands without freezing it first."

--
Mickey Coggins Mobile: +41-79-210-3762
Technical Support Group
Internet Prolink SA Tel: +41-22-788-8555 AG/BE/BS/GE/GR/SG/VD/ZH
ICC - CP 1863 Fax: +41-22-788-8560 "Get connected today!"
CH-1215 Geneva 15 Data: +41-22-788-8585 http://www.iprolink.ch/

Mickey Coggins Technical Support Group "Get
Internet Prolink SA Mobile: +41-79-210-3762 connected
55 Rue Auguste Piccard Tel: +33-450-42-0223 today
Technoparc Gessien Fax: +33-450-42-0286 in
F-01630 St. Genis Pouilly http://www.iprolink.fr/ France!"
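
The per-sender RCPT cap that Adrian Bool proposes earlier in this thread (quoted in Neil J. McRae's reply), as an added Python example that is not code from any poster or from qmail. The customer table, the function and class names, the reply texts and the refusal of senders missing from the database are assumptions; the figures 15 and 10 come from the post.

```python
from datetime import date

BASE_LIMIT = 15     # starting cap for a new account (figure from the post)
MONTHLY_STEP = 10   # automatic increase per month of account age (from the post)

# Constructed customer table standing in for the ISP's database.
# "override" models a limit raised by hand, e.g. for a mailing-list operator.
CUSTOMERS = {
    "new@example.net": {"created": date(1997, 9, 1), "override": None},
    "old@example.net": {"created": date(1997, 3, 10), "override": None},
    "list@example.net": {"created": date(1997, 8, 1), "override": 500},
}

def months_between(start, today):
    """Whole months elapsed from start to today."""
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:
        months -= 1
    return max(months, 0)

def rcpt_limit(sender, today):
    """Return the RCPT cap for a MAIL FROM address, or 0 if it is not a customer."""
    row = CUSTOMERS.get(sender.strip().lower())
    if row is None:
        return 0  # assumption: senders not in the database may not relay at all
    if row["override"] is not None:
        return row["override"]
    return BASE_LIMIT + MONTHLY_STEP * months_between(row["created"], today)

class Session:
    """Tracks one SMTP transaction and answers each command with a reply line."""
    def __init__(self, today):
        self.today, self.limit, self.accepted = today, 0, 0

    def mail_from(self, sender):
        self.limit, self.accepted = rcpt_limit(sender, self.today), 0
        if self.limit == 0:
            return "550 sender not permitted to relay"  # reply text is an assumption
        return "250 OK"

    def rcpt_to(self, recipient):
        if self.accepted >= self.limit:
            return "452 Too many recipients"  # reply code chosen for this example
        self.accepted += 1
        return "250 OK"
```

MAIL FROM is supplied by the connecting client, so a deployment of this cap would also need to tie the connection itself to the customer account.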
From matt at planet.net.uk Fri Sep 19 10:48:28 1997
From: matt at planet.net.uk (Matt Ryan)
Date: Fri, 19 Sep 1997 09:48:28 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <199709181501.QAA06346@NetBSD.noc.COLT.NET>
Message-ID:

Much as I wouldn't like to be seen agreeing with Neil, but his last point below is the most constructive comment to date. The delivery of email is a co-operative process, spammers (who don't relay through you) are NOT stealing your resources. They are using a valid distribution method to deliver email to your customers. If they generate all their spam via their own server (and I know some [most?] don't) then I think you are obliged to deliver it.

Also any ISP who black-holes parts of the 'net is in danger of having their competitors use it against them in marketing material...

Matt.
--
Views expressed are not necessarily those of my employer.

"Neil J. McRae" added to the discussion:
>
> I don't remember you being named out apart from the action given to you
> on the previous LINX meeting.
>
> As for spam, the first and most important issue regarding this is
> to educate users and vendors into securing their mail transport agents
> so that they _DO_NOT_ automatically relay any email that is sent to them.
>
> Microsoft, sendmail and others are all guilty of this, [mostly for
> backwards compatibility reasons]. Fix that and then the spammers
> have to pay for their own resources...
>
> Regards,
> Neil
>

From neil at colt.net Fri Sep 19 11:03:04 1997
From: neil at colt.net (Neil J. McRae)
Date: Fri, 19 Sep 1997 10:03:04 +0100
Subject: Possible Problem? [was Re: Spammers hapless fate = ISP toil and sweat]
In-Reply-To: Your message of "Fri, 19 Sep 1997 09:41:16 +0200." <3.0.1.32.19970919094116.01917088@online.no>
Message-ID: <199709190903.KAA09903@NetBSD.noc.COLT.NET>

The problem of spam is not just with the Internet community.
COLT Telecommunications are receiving more and more complaints about random people being called by spamming fax machines, we also receive them and I personally have been stuck without a phone because some PITA fax machine kept calling my phone.

The problem needs technical and legislative solutions.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking. C O L T I N T E R N E T
neil at COLT.NET Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer!

From neil at colt.net Fri Sep 19 12:42:57 1997
From: neil at colt.net (Neil J. McRae)
Date: Fri, 19 Sep 1997 11:42:57 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: Your message of "Fri, 19 Sep 1997 09:48:28 BST."
Message-ID: <199709191042.LAA10221@NetBSD.noc.COLT.NET>

On Fri, 19 Sep 1997 09:48:28 +0100 Matt Ryan wrote:
>
> Much as I wouldn't like to be seen agreeing with Neil, but his last point
> below is the most constructive comment to date. The delivery of email is a
> co-operative process, spammers (who don't relay through you) are NOT stealing
> your resources. They are using a valid distribution method to deliver email
> to your customers. If they generate all their spam via their own server (and
> I know some [most?] don't) then I think you are obliged to deliver it.
>
> Also any ISP who black-holes parts of the 'net is in danger of having their
> competitors use it against them in marketing material...
>

Yah, I wouldn't filter out any part of the net, unless it was damaging my services or my network, I do inform our customers of the dangers in having an open relaying mail server however.

Technical solutions work short term but the spammer will always be back. Until the day when the users find spam as socially unacceptable as drink driving.

Cheers,
Neil.
--
Neil J. McRae - Alive and Kicking. C O L T I N T E R N E T
neil at COLT.NET Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer!
From mvalente at esoterica.pt Fri Sep 19 16:06:56 1997
From: mvalente at esoterica.pt (Mario Valente)
Date: Fri, 19 Sep 1997 15:06:56 +0100
Subject: Spammers hapless fate = ISP toil and sweat
In-Reply-To: <199709190820.KAA17146@fox.iprolink.ch>
References: <3.0.3.32.19970918224924.00d72a0c@jaguar.ip.pt>
Message-ID: <3.0.3.32.19970919150656.00733c70@mail.esoterica.pt>

At 10:20 19-09-1997 +0200, Mickey Coggins wrote:
>One thing we should keep in mind when implementing anti-spam
>solutions is to not try to solve the problem like was done with
>news.
>
>Since people started rejecting massive cross-postings, the spammers
>just sent a new article to each of the groups. Most of the spam
>is binary pictures trying to attract people to their site, so the
>amount of news traffic skyrocketed with dozens of copies of the
>same stuff. Score: spammers 1
> isps 0

Well, in this case and in what it concerns Esoterica, it's spammers 0 - isp -1

We have a filter on incoming articles that not only detects ECP ( Excessive Crossposting) but also detects EMP (Excessive Multi Posting). By maintaining a list of the last 5000 or 6000 articles, we can check using Subject, Lines and From headers if there's a repetition of the same article being sent to several newsgroups; if it is, we refuse the article. Since we're a node of Usenet II, this is indeed mandatory for the net.* hierarchy.

This filter is refusing something like 50000 articles per day.

( Does it show that I, as postmaster/newsmaster of Esoterica, have a thing with spammers ? I guess it does :-)

C U!

-- Mario Valente

From mnorris at hea.ie Sun Sep 21 19:24:06 1997
From: mnorris at hea.ie (Mike Norris)
Date: Sun, 21 Sep 1997 18:24:06 +0100
Subject: LIR WG at RIPE 28 - draft agenda
Message-ID: <199709211724.SAA16348@dalkey.hea.ie>

RIPE 28 - 24th to 26th September 1997
Local IR Working Group
D R A F T A G E N D A

1. Preliminaries
   - select a minute-taker
   - agree agenda, times

2.
RIPE 27
   - minutes
   - actions
     - RIPE NCC Regional Registry to continue:
       - external auditing & monitoring
       - internal consistency and quality control
       - LIR courses (see Item 3 below)
     - RIPE NCC to re-publish ripe-140 as a new document with changes agreed (see Item 4 below)
     - M. Norris to start discussion on web-assisted reverse delegation, address assignment (see Item 5 below)
     - J. Keery to draft specs for web-based forms (see Item 5 below)

3. Reports from registries
   - European regional (RIPE NCC)
   - other registries, significant events
   - other regionals, coordination
     - APNIC
     - ARIN (formerly InterNIC)
     - AfriNIC

4. IP Address Space Assignment
   - RIPE policy, ripe-159
   - registered PI addresses
   - use of available what-used-to-be-called Class A space

5. Registry procedures
   - web-assisted assignment, reverse delegation
   - tools, forms for local registries

6. Input/Output with other Working Groups
   - Database
   - Routing
   - DNS
   - NetNews
   - other

7. Statistics
   - reverse DNS counts, errors
   - effects of NAT, firewalls and private addresses

8. AOB
   - mailing lists - some information on the RIPE mailing lists, their purpose, how they are maintained, monitored and filtered.
   - anti-spamming proposals - we've seen some proposals from Luis Miguel Sequiera and some good discussion of anti-spamming measures on this list. The RIPE chairman will allow time for some discussion on this in the plenary, but at its meeting before the plenary, the LIR WG might like to bring the e-mail discussion to a conclusion and form a specific proposal for RIPE action.

- - Mike Norris 19/9/1997

From phk at freebsd.org Sat Sep 20 19:45:57 1997
From: phk at freebsd.org (Poul-Henning Kamp)
Date: Sat, 20 Sep 1997 19:45:57 +0200
Subject: THANK YOU!
Message-ID: <5213.874777557.1@critter.freebsd.dk>

An embedded message was scrubbed...
From: Poul-Henning Kamp
Subject: THANK YOU!
Date: Sat, 20 Sep 1997 19:45:57 +0200
Size: 1088
URL:
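
The EMP check Mario Valente describes earlier in this thread (a history of recent articles compared on their Subject, Lines and From headers), as an added Python example that is not Esoterica's filter. The class and function names, the case and whitespace folding, refusing on the first repetition and the sample articles are assumptions.

```python
from collections import Counter, deque
from email.parser import HeaderParser

class EmpFilter:
    """Refuse an article whose Subject, Lines and From match a recent one."""

    def __init__(self, window=5000, max_copies=1):
        self.window = window          # history size; the post says 5000 or 6000
        self.max_copies = max_copies  # assumption: any repetition is refused
        self.history = deque()        # fingerprints of accepted articles, oldest first
        self.counts = Counter()       # fingerprint -> copies still in the history

    @staticmethod
    def fingerprint(raw_article):
        headers = HeaderParser().parsestr(raw_article, headersonly=True)
        # Assumption: fold case and whitespace before comparing header values.
        return tuple(" ".join((headers[name] or "").lower().split())
                     for name in ("Subject", "Lines", "From"))

    def offer(self, raw_article):
        """Return True to accept the article, False to refuse it as a repeat."""
        fp = self.fingerprint(raw_article)
        if self.counts[fp] >= self.max_copies:
            return False
        self.history.append(fp)
        self.counts[fp] += 1
        if len(self.history) > self.window:  # forget the oldest article
            old = self.history.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        return True

def make_article(group, subject, lines, sender):
    """Build a constructed sample article (headers plus a dummy body)."""
    return (f"From: {sender}\nNewsgroups: {group}\nSubject: {subject}\n"
            f"Lines: {lines}\n\nbody\n")

def demo():
    """Offer one article to three groups, then a different one; return the verdicts."""
    f = EmpFilter()
    copies = [make_article(g, "Visit our site", 120, "ads@example.com")
              for g in ("alt.test", "misc.test", "rec.test")]
    other = make_article("alt.test", "Visit our site", 7, "reader@example.org")
    return [f.offer(a) for a in copies + [other]]
```

Refused articles are not added to the history, so the window holds only articles that were actually accepted.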