Nuclear Glassing Spam

This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.
21 October 2006
From maillist Cypherpunks.
Date:	Thu, 19 Oct 2006 17:00:40 -0700
To:	Eugen Leitl <eugen[at]leitl.org>
From:	Bill Stewart <bill.stewart[at]pobox.com>
Subject: Re: Client host rejected: 85/8 banned for abuse
Cc:	cypherpunks[at]jfet.org, measl[at]mfn.org

At 12:16 PM 10/19/2006, Eugen Leitl wrote:
>Are you sure? 85/8, that's a lot of unreal estate.
>
>  <measl[at]mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554
>      <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for
>abuse
>      (in reply to RCPT TO command)

The whole /8?  I'd certainly say it's a lot -
it's not even a single Class A owned by a carrier like AT&T or UUNet,
but has a number of different ISPs in different countries owning
chunks of it.  leitl.org has a /24 that's part of an ISP /18 in Germany,
and I saw some Swisstel in another /18 there.

That's the kind of global overkill I'd expect from an
irresponsible spam-blocker list like SPEWS,
and even for them that would be pretty excessive.




Date:	Fri, 20 Oct 2006 08:24:47 -0500 (CDT)
From:	"J.A. Terranson" <measl[at]mfn.org>
To:	Bill Stewart <bill.stewart[at]pobox.com>
Cc:	Eugen Leitl <eugen[at]leitl.org>, cypherpunks[at]jfet.org
Subject: Re: Client host rejected: 85/8 banned for abuse

On Thu, 19 Oct 2006, Bill Stewart wrote:

> >Are you sure? 85/8, that's a lot of unreal estate.
> >
> >  <measl[at]mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554
> >      <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for
> >abuse
> >      (in reply to RCPT TO command)
>
> The whole /8?  I'd certainly say it's a lot -
> it's not even a single Class A owned by a carrier like AT&T or UUNet,
> but has a number of different ISPs in different countries owning
> chunks of it.  leitl.org has a /24 that's part of an ISP /18 in Germany,
> and I saw some Swisstel in another /18 there.
>
> That's the kind of global overkill I'd expect from an
> irresponsible spam-blocker list like SPEWS,
> and even for them that would be pretty excessive.

Ahhh, but I have a *lot* more flexibility here than SPEWS does.  I can
set filters by individuals, and I have little need for the vast majority
of IP space - therefore I filter very hyperagressively for this domain.

Prior to this "overreaction", I was receiving approximately 25K spam
emails per day (on an *average* day - there have been *much* worse!).
Now, I see less than several hundred: a fair trade for the rare false
positive (about 75% of which come from this list, and of which I see less
than a dozen per year).

I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
America, Israel, Russia and neighboring real estate... You get the idea.

The policy here is that if an abusive email gets through:

(1) If generated by a hosting company, the entire allocation to that
hosting company is blocked;

(2) If from dynamic space, it was missed the first time, so added now;

(3) If from a microallocation (/25-/32) I block the micro, and if from a
company with significant space, but what appears to be just a compromised
host, the /24 in which that host lives.

It works.

-- 
Yours,

J.A. Terranson
sysadmin[at]mfn.org
0xBD4A95BF

"Surely the larger lesson learned from that day is that other men, all
over the world, took inspiration not from the heroism of the rescuers in
New York or the passengers flying over Pennsylvania, but from the 19
hijackers - the twisted brilliance of their scheme and their willingness
to sacrifice their lives to make a political and, as they saw it,
religious statement."

Richard Corliss/Time Magazine
11 Aug 2006



Date:	Fri, 20 Oct 2006 15:35:58 +0200
From:	Eugen Leitl <eugen[at]leitl.org>
To:	"J.A. Terranson" <measl[at]mfn.org>, cypherpunks[at]jfet.org
Subject: Re: Client host rejected: 85/8 banned for abuse

On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:

> Ahhh, but I have a *lot* more flexibility here than SPEWS does.  I can
> set filters by individuals, and I have little need for the vast majority
> of IP space - therefore I filter very hyperagressively for this domain.

The nice thing is that you never see those false positives. But for this
list, you'd never seen my message.

> Prior to this "overreaction", I was receiving approximately 25K spam

Wow, wonder how you managed to attract that. I only get several
hundreds a day (malware is already filtered at MTA level), which
spamassassin catches quantitatively. I'm thinking about starting
blocking .gif/.jpeg/.png by MTA, which would catch the rest of
them. If I ever got fancy I could use greylisting and firewall
throttling of Windows hosts, or similiar shenanigans. But, blocking
by RBL, never.

> emails per day (on an *average* day - there have been *much* worse!).
> Now, I see less than several hundred: a fair trade for the rare false
> positive (about 75% of which come from this list, and of which I see less
> than a dozen per year).
>
> I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
> America, Israel, Russia and neighboring real estate... You get the idea.

I get the idea. You could just block the entire IP address space,
which would cut your spam rate down to zero. Ever tried that?

> The policy here is that if an abusive email gets through:
> (1) If generated by a hosting company, the entire allocation to that
> hosting company is blocked;
> (2) If from dynamic space, it was missed the first time, so added now;
> (3) If from a microallocation (/25-/32) I block the micro, and if from a
> company with significant space, but what appears to be just a compromised
> host, the /24 in which that host lives.
>
> It works.

I would call it the "nuclear glass approach" to spam. If this works
for you, great, but I don't know too many people who'd subscribe to your
approach (to which RBL hardcore nazis look like teletubbies).

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Date:	Fri, 20 Oct 2006 21:50:02 -0700
To:	Eugen Leitl <eugen[at]leitl.org>
From:	Bill Stewart <bill.stewart[at]pobox.com>
Subject: Re: Client host rejected: 85/8 banned for abuse
Cc:	"J.A. Terranson" <measl[at]mfn.org>, cypherpunks[at]jfet.org

At 06:35 AM 10/20/2006, Eugen Leitl wrote:

>On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:
> > Prior to this "overreaction", I was receiving approximately 25K spam
>Wow, wonder how you managed to attract that.

It's easy to attract a lot of spam - luck of the draw,
or having your name widely spread in archives,
or having ever provided free email services.

>I'm thinking about starting blocking .gif/.jpeg/.png by MTA, [...]
Also overkill, but highly effective.

>If I ever got fancy I could use greylisting and firewall throttling

Greylisting turns out to be a big big win -
most zombieware doesn't ever retry, so you lose that spam.

Another popular spammer trick lately has been to
hijack unused address space, usually unused small blocks in
larger allocations, spamming madly for a few minutes,
then dropping the BGP advertisement so nobody can traceroute back,
and never reusing addresses so you don't care if it's blacklisted.
Greylisting totally protects you from this technique,
because a typical half-hour delay means that the spammer's gone,
but Alif's techniques are likely to lead to the legitimate space
getting blacklisted, while the spammer is living behind some
entirely different ISP that openly accepts bogus BGP requests.

Another defense against this spammer trick, if you've got a
big enough network connection to accept full BGP routes
(i.e. you're a medium-large service provider, but not a home system)
is to not accept any email from a BGP address block that
has existed for fewer than 24 hours or some similar threshold
that's long enough to make address thieves go away or get traced,
but short enough to not bother legitimate email much
("453 The Wizard Says Go Away and Come Back Tomorrow")

> > I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
> > America, Israel, Russia and neighboring real estate... You get the idea.

The ISP where I get most of my email lets users pick countries
or regions to reject mail from, using lists that are more precise
than "burn the /8".  I decided a few years ago to reject all mail
from China, Korea, Brazil, and Argentina, and that cut out
more than half my spam load, and I didn't know anybody from those
countries; I'll accept mail from Japan and Israel but it gets extra filtering,
since I do know some people there but it's mostly spam
(unfortunately, they don't have an option to filter by character set;
anything in alphabets I don't read is highly likely to be spam,
though at work I do get email in mixed English and Japanese or Chinese...)

>...
>I would call it the "nuclear glass approach" to spam. If this works
>for you, great, but I don't know too many people who'd subscribe to your
>approach (to which RBL hardcore nazis look like teletubbies).

A _real_ nuclear glass approach would be to start advertising
BGP routes for the addresses that spam you, which would drop them
off the net for anybody who's within a few hops of you,
and wouldn't even give you much extra network traffic,
because it would kill the TCP handshake responses from
any new email sessions.  I work at a Tier 1 ISP,
which would mean that it would be blocked from most of the US,
and somebody with a LINX account could do the same for half of Europe,
but fortunately they don't give me the keys on days that
the spammers have been makin' the ganglia twitch...
and you could accomplish the same thing non-destructively
with a block-list if enough people trusted your service.

In reality a legitimate ISP would never do this or permit their
users to do it, because it could not only cause chaos for the
entire Internet, but it would trivially blow through the
route-cached capacity of most of the routers on the Internet.
There was an event a decade or so ago when some small ISP
announced that their T1 line was the best route to reach
everything at Sprint or MAE-West or something,
so about 1/3 of the traffic on the Internet was trying
to get through there before the line smoked,
and most ISPs put in a lot of route protection then.
The address-space hijackers shouldn't be able to do it either,
but there are enough ISPs that are sloppy about managing
route advertisements that they get away with it.