Posted to users@spamassassin.apache.org by ha...@t-online.de on 2004/11/28 11:11:12 UTC
Re: reply from sorbs
>>
>> On Sat, Nov 27, 2004 at 04:43:37PM -0800, Bob Amen wrote:
>> > I must disagree. Unfortunately the number of responsible people on
>> > the other end of cable and DSL modems is vanishingly small compared to
>> > the number of zombie machines that are spewing spam and more viruses. On
>> > a typical day we get about 340,000 delivery attempts. We block about
>> > 110,000 thanks to SORBS. That's per day. I have only gotten 4 or 5 false
>> > positives due to SORBS listings in the last 6 months. (Of 340,000
>> > incoming messages, we pass on 7,400 to our users.)
>> >
>> > So would you have us accept 110,000 garbage messages per day for
>> > less than one a month that are responsible people running their own mail
>> > server on a cable or DSL modem? That would be a great cost to us in
>> > either processing power to analyze the messages with SA and/or lost
>> > productivity for all our users to wade through more junk.
>> >
>> > I'm sorry but you must send mail through your ISP's mail server or
>> > be blocked by an increasing number of mail servers around the Internet.
>> > If your ISP doesn't support using their mail server with your domain,
>> > find another one. My home ISP does, which is one reason I chose them.
>> >
>> > --
>> > Bob Amen
>> > O'Reilly Media, Inc.
>> > http://www.ora.com/
>> > http://www.oreilly.com/
>>
>> Bob is right. If you want to send mail directly to mail servers without
>> having a static IP, switch to another ISP. Or use your ISP's mail
>> server.
>>
>> We don't want users to receive thousands of spam mails just in order to
>> allow 1 or 2 guys to send their mail directly from their machine,
>> without using their ISP's mail server...
>>
>> Nicolas, Paris.
>>
Hi,
if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and
pays more for the access than dynamic ip would cost with the same provider.
The provider, however, reports a full ip block (which may have a few percent of
static ip's) as dialup.
I believe the extra money they get on the fixed ip should allow them to
- either report correctly or
- create a mail relay where authenticated users can use their own domain name as sender
Wolfgang Hamann
Re: reply from sorbs
Posted by John Rudd <jr...@ucsc.edu>.
On Nov 28, 2004, at 8:35 PM, Bob Amen wrote:
> John Rudd wrote:
>
>> On Nov 28, 2004, at 9:00 AM, Bob Amen wrote:
>>
>>> It's very depressing and getting worse, according to my mail
>>> servers' statistics.
>>
>> Hm. My mail servers' stats say it's getting better. For example, at
>> home, I think I've only actually seen 1 spam message in the last
>> month. I think 4 or 5 more got caught by spam assassin. And the
>> rest are all filtered out by an aggressive greet delay, connection
>> rate control, and spamhaus. At work, in the last month, we've cut
>> our spam rates by about 90%.
>
> And you said "an aggressive greet delay." I tried that and found too
> many false positives with legitimate mail servers that are poorly
> configured. The only recourse for those false positives is another
> means of communication (eg. telephone).
What time frame were you looking at it? I had one false positive back
when it was still experimental (before Sendmail had implemented it),
from mac.com. I filed a bug with Apple, and an employee there, that I
knew, made sure it was fixed before she left to become a full time mom.
I'm aware of a problem with verizon's callback feature, for which I
make an exception (in the form of a lower delay than their callback's
timeout). That's my intended means of handling problem sites.
I haven't heard directly about any other problem sites, but during that
same experimental stage I saw one or two odd behaviors from prodigy,
but wasn't able to nail it down to being greet delay related ... and I
haven't seen it since.
Where were you seeing false positives?
>>> Don't blame me and the other mail server admins if you can't get
>>> mail to our systems because you are sending from a machine on a DSL
>>> modem. Blame the spammers and those that buy from them!
>>
>> Sorry, but that's a complete cop-out BS statement. The culpability
>> of those who support spam is not a magic pardon for all anti-spam
>> ends to justify their means.
>
> That's not what I was saying.
It may not be what you intended to say (though the rest of your message
still sounds that way to me), but it is what the wording of your
message says. "It's not my fault your message got blocked when I
decided to deploy blacklists".
Yes, it is your fault. You chose to use blacklists. No one else made
that choice (well, ok, maybe your boss did, but the point is the same).
I'm not saying it's the wrong decision, or that it isn't the best
practical decision, I'm saying that the reason their legitimate
messages get blocked IS because you chose to use a blacklist. Trying
to rationalize it by talking about the larger spam war, saying that
"they made me do it because of their actions" IS passing the buck (it's
also amazingly like "I hit him because he hit me first" -- the actions
of "him" don't change the fact that the speaker hit him too). No
matter how you feel about the decision on the practical level, on the
literal level, the spammers did NOT force you to do it, you did it of
your own free will. Period.
I'm not saying you should be ashamed of it, or even apologize for it
... far from it, I'm proud to use the blacklists I use, and so should
you. We've selected tools that we feel make the right trade-off
between practical need and collateral loss. But don't then undermine
your own decision by then saying "oh, I did it because of the big mean
spammers, so don't blame me that your message bounced". Don't
disrespect those people caught in your collateral damage by denying
that that's what you've done.
Stand up and say "I'm the reason your message bounced, because I'm
protecting my system and my users from abuse by people who are abusing
loop-holes in some mail systems; you can avoid being caught by it by
following some best-practices." While the message about the
bounced-user's activities is the same, it avoids the passing-the-buck
nature that IS present in your original message.
Re: reply from sorbs
Posted by David Brodbeck <gu...@gull.us>.
On Sun, 28 Nov 2004 20:35:31 -0800, Bob Amen wrote
> And you said "an aggressive greet delay." I tried
> that and found too many false positives with legitimate mail servers
> that are poorly configured. The only recourse for those false
> positives is another means of communication (eg. telephone). So
> who's being irresponsible?
I compromise. I use a pretty aggressive greet delay -- but only on machines
that are on dynamic IP addresses (as determined by a DNS-based blacklist.) So
if the person is on a static IP, *or* they're running an RFC-compliant MTA,
their mail gets through. If they're on a dynamic IP and their MTA is crummy,
I don't get their mail. Seems fair to me, and so far I haven't had any
problems with this technique. It rejects an awful lot of mail from addresses
in comcast.net. ;)
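
The policy described in the post above, as an added example that is not part of the original thread or any poster's configuration: the greet delay is applied only when the client IP is listed in a dynamic-range DNSBL, and a client that talks before the banner is rejected. The zone name, the 30-second delay and the sample zone data are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Hypothetical zone name (assumption); use the dynamic-range DNSBL you trust.
DYNAMIC_ZONE = "dul.dnsbl.example"
# DNSBL listings are answered with addresses inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DYNAMIC_ZONE):
    """Reverse the IPv4 octets and append the zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_lookup(name):
    """Resolve an A record; None on NXDOMAIN or DNS failure (fails open)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(ip, lookup=system_lookup):
    """True only if the zone returns a genuine listing for this address."""
    answer = lookup(dnsbl_query_name(ip))
    if answer is None:
        return False
    # An answer outside 127.0.0.0/8 points to a wildcarded or hijacked zone,
    # not a listing; counting it would delay every sender.
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def decide(ip, spoke_before_banner, lookup=system_lookup, delay=30):
    """Return (delay_seconds, verdict) for one inbound SMTP connection.

    spoke_before_banner: the client sent data before the 220 greeting.
    """
    if not is_listed(ip, lookup):
        return 0, "accept"        # static range: no delay, nothing to violate
    if spoke_before_banner:
        return delay, "reject"    # dynamic range and a non-compliant client
    return delay, "accept"        # dynamic range, but the client waited


# Constructed zone data using documentation addresses, not real listings.
SAMPLE_ZONE = {
    "10.2.0.192.dul.dnsbl.example": "127.0.0.10",
    "9.113.0.203.dul.dnsbl.example": "203.0.113.1",  # bogus wildcard answer
}


def sample_lookup(name):
    """Offline stand-in for system_lookup, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    cases = [("192.0.2.10", True), ("192.0.2.10", False),
             ("198.51.100.7", True), ("203.0.113.9", True)]
    for ip, early in cases:
        print(ip, "early-talker" if early else "waited",
              decide(ip, early, sample_lookup))
```
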
Re: reply from sorbs
Posted by Bob Amen <am...@oreilly.com>.
John Rudd wrote:
> On Nov 28, 2004, at 9:00 AM, Bob Amen wrote:
>
>> It's very depressing and getting worse, according to my mail servers'
>> statistics.
>
>
> Hm. My mail servers' stats say it's getting better. For example, at
> home, I think I've only actually seen 1 spam message in the last
> month. I think 4 or 5 more got caught by spam assassin. And the rest
> are all filtered out by an aggressive greet delay, connection rate
> control, and spamhaus. At work, in the last month, we've cut our spam
> rates by about 90%.
I was writing about the statistics *before* reaching our users' mail
boxes. As far as our users are concerned, we're doing quite well,
thanks to the various methods that we employ to stop spam. My statistics
show that the attempts to deliver spam have increased dramatically in the
last six months (as it did the six months prior to that, etc.). And you
said "an aggressive greet delay." I tried that and found too many false
positives with legitimate mail servers that are poorly configured. The
only recourse for those false positives is another means of
communication (eg. telephone). So who's being irresponsible?
>> Don't blame me and the other mail server admins if you can't get mail
>> to our systems because you are sending from a machine on a DSL modem.
>> Blame the spammers and those that buy from them!
>
>
> Sorry, but that's a complete cop-out BS statement. The culpability of
> those who support spam is not a magic pardon for all anti-spam ends to
> justify their means.
That's not what I was saying. The fact that spammers have
compromised so many systems at the end of DSL and cable modems has meant
that we need to take some rather drastic measures. I wish it weren't so.
I was saying that because of this situation, people must send mail
through their ISP's mail server or find an ISP that maintains separate IP
space for their fixed IP and responsible customers. Don't blame me for
that situation as I did not create it.
> You are precisely and exactly responsible for the accuracy and
> inaccuracy of the tools you use on your servers which may reduce spam
> OR interrupt legitimate communications. The actions of others (the
> spammers) do not excuse/absolve your actions. Show some spinal column
> and take responsibility for voluntarily choosing to use tools that
> have non-zero false positive rates.
I absolutely do take responsibility for false positive rates. If
you had read my posting you would have known that I got 4-5 false positives
in *six months* while rejecting 110,000 messages *per day*, thanks to
SORBS. You would call that a poor false positive rate? I chose only
those SORBS DNSBLs that have a vanishingly low false positive rate. I am
supported in my choices by my management and users, many of whom wish I
would be more aggressive.
Each one of those false positives was addressed with an exception
list that I maintain. And I encouraged the senders to use their ISPs'
mail servers to send mail. People that send mail to us and have it
rejected can always send mail to postmaster. Their message will get
through and I will address their problem. I operate our mail servers in
a responsible manner for the benefit of our business and our employees.
I take offense to your "spinal column" and BS statements. I am not
passing the buck but placing blame for the situation where it
belongs...on the spammers and their paying customers (and BTW the ISPs
that make money off them).
--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/
http://www.oreilly.com/
Re: reply from sorbs
Posted by John Rudd <jr...@ucsc.edu>.
(my choice of comments to reply to make my position sound a lot more at
odds with your overall post than I am, but there were two parts I
just had to respond to)
On Nov 28, 2004, at 9:00 AM, Bob Amen wrote:
> It's very depressing and getting worse, according to my mail servers'
> statistics.
Hm. My mail servers' stats say it's getting better. For example, at
home, I think I've only actually seen 1 spam message in the last month.
I think 4 or 5 more got caught by spam assassin. And the rest are all
filtered out by an aggressive greet delay, connection rate control, and
spamhaus. At work, in the last month, we've cut our spam rates by
about 90%.
> Don't blame me and the other mail server admins if you can't get mail
> to our systems because you are sending from a machine on a DSL modem.
> Blame the spammers and those that buy from them!
Sorry, but that's a complete cop-out BS statement. The culpability of
those who support spam is not a magic pardon for all anti-spam ends to
justify their means.
You are precisely and exactly responsible for the accuracy and
inaccuracy of the tools you use on your servers which may reduce spam
OR interrupt legitimate communications. The actions of others (the
spammers) do not excuse/absolve your actions. Show some spinal column
and take responsibility for voluntarily choosing to use tools that have
non-zero false positive rates.
Do blame me and other mail server admins if your mail can't get through
my systems because you're being blocked by one of my techniques. I
accept that risk, and I judge the benefits to be worth the cost. BUT,
it would be irresponsible of me (and is irresponsible of you) to
dismiss that cost or pass the buck on to someone else just because you
come across someone who represents that statistical error range. You
choose to use an inaccurate service. I choose to use an inaccurate
service. DNSBL's, by their nature of trying to reject spam via IP
address (when are not tied to IP addresses, nor are IP addresses
necessarily tied to spammers), are inaccurate. They are perhaps
reasonably inaccurate, if you choose a good one, but they are by their
nature inaccurate for the actual end goal (reducing spam).
No one forces you or I to make that choice, no matter how much we feel
forced to do it for practical reasons. We choose it not because we
think it's perfect, but because we think its inaccuracies are
acceptably small compared to their benefits in reducing spam. But
don't try to glorify it, dress it up, cover it up, nor deny it.
It is what it is, and it is both ugly and your choice. People SHOULD
blame you if their mail gets blocked by your server, and you should
accept that blame without shame (because, hopefully, you've done your
homework on that cost instead of just slapping some solution into
place on the assumption that it's "good"). But you shouldn't pass the
buck.
Re: reply from sorbs
Posted by Steve Sobol <sj...@JustThe.net>.
David Brodbeck wrote:
>> make sure in writing before you sign anything that your ip(s) will
>> never be listed by the ISP as res/dynamic/dialup ip. If they do they
>> may be in breach of contract (and you would need a lawyer for
>> resolution.)
>
> I doubt any ISP would agree to a contract term like that, because they
> don't have any control over what the blacklist maintainers do. Some of
> the blacklists deliberately list whole blocks of IP addresses that
> happen to be on the same backbone provider as a spammer, to
> intentionally cause collateral damage. There's little an individual ISP
> can do about that.
They can start by using proper rDNS. There's an awful lot of rDNS that looks
like dynamic rDNS that contains statically-assigned addresses. The corollary to
that is "hey, stupid, don't throw your static customers and servers into blocks
that are mostly dynamic." Which, believe it or not, some ISPs do. Try to get a
separate allocation or sane rDNS from SBC** on a DSL line... Good luck. They do
it on T-1 and other leased lines but apparently not on DSL.
You are correct to a certain extent, and there are lists like the Mail Abuse
Prevention System DUL (Dialup User List) where the ISPs are asked to VOLUNTEER
their lists of dynamic netblocks (although that wouldn't help in the example
given above), but I believe most of the dynamic lists are based on trawling
rDNS (out of necessity more than anything else).
Best,
Steve
**SBC is the USA's largest telephone company.
--
JustThe.net Internet & New Media Services, http://JustThe.net/
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
PGP Key available from your friendly local key server (0xE3AE35ED)
Apple Valley, California Nothing scares me anymore. I have three kids.
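
A sketch of the kind of rDNS-based guess discussed in the post above, as an added example that is not from the thread and not any list maintainer's actual rules: it shows why a statically assigned address with generic ISP rDNS looks dynamic, and how a distinct PTR name changes the outcome. The keyword sets and all hostnames are assumptions constructed for illustration.

```python
import re

# Assumed keyword sets; real list maintainers apply their own rules.
DYNAMIC_TOKENS = {"dsl", "adsl", "dyn", "dynamic", "dhcp",
                  "dialup", "dial", "pool", "ppp", "cable"}
STATIC_TOKENS = {"static"}


def embeds_address(hostname, ip):
    """True if the PTR name contains the four octets, in order or reversed."""
    octets = [str(int(o)) for o in ip.split(".")]
    # int() normalises zero-padded forms such as 192-000-002-055.
    numbers = [str(int(n)) for n in re.findall(r"\d+", hostname)]
    for i in range(len(numbers) - 3):
        window = numbers[i:i + 4]
        if window == octets or window == octets[::-1]:
            return True
    return False


def classify(hostname, ip):
    """Guess the assignment type of ip from its PTR name alone."""
    if not hostname:
        return "no-rdns"
    words = set(re.split(r"[^a-z]+", hostname.lower()))
    if words & STATIC_TOKENS:
        return "static-labelled"   # the ISP says so in the name itself
    if words & DYNAMIC_TOKENS or embeds_address(hostname, ip):
        return "dynamic-looking"   # generic, machine-generated naming
    return "custom"                # a name someone chose for this host


# Constructed PTR records for one statically assigned documentation address.
SAMPLE_PTRS = [
    ("adsl-192-0-2-55.dsl.example.net", "192.0.2.55"),  # ISP default name
    ("55.2.0.192.example.net", "192.0.2.55"),           # reversed octets
    ("static-192-0-2-55.example.net", "192.0.2.55"),    # labelled by the ISP
    ("mail.customer.example", "192.0.2.55"),            # customer-specific PTR
    (None, "192.0.2.55"),                               # no PTR record
]


def classify_all(rows=SAMPLE_PTRS):
    """Return the verdict for each (hostname, ip) pair, in order."""
    return [classify(host, ip) for host, ip in rows]


if __name__ == "__main__":
    for (host, ip), verdict in zip(SAMPLE_PTRS, classify_all()):
        print(f"{ip:12} {str(host):36} {verdict}")
```
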
Re: reply from sorbs
Posted by JamesDR <ro...@bellsouth.net>.
Reread it, I said *YOUR* ISP marking *YOUR* leased IP(s) as
*DUL/DYN/RES* read before replying (OH yes, ISP'S *DO* this kind of
thing to enforce their policies.) :-D And yes, an isp who does not agree,
is sheit imo, if they're too lazy to classify their ips, move along, get
sat, cable etc. They have direct control over what THEY report to the
blacklist. Server admins who knowingly use blacklists that "blacklists
deliberately list whole blocks of IP addresses that happen to be on the
same backbone provider as a spammer, to intentionally cause collateral
damage." should be shut down. That is not only irresponsible of the admin
who is administering the blacklist, but also of the server admin who
uses said blacklist. I think False positives and mails that are blocked
are far worse than the spam message itself. If you aren't in business to
make money based on customers' correspondence via email, this isn't an
issue for you. If I were a customer and I had a question, only to find
out my message was blocked because someone in Africa set up a blacklist
that blocks all of my ISP's range of leaseable addresses, I'd find a new
company, and you'd be out of my money. If you aren't interested in
making money, such schemes will work to drive your customers away my
friend.
I can easily stop spam by putting in *.*.*.*; is that lazy: yes. is that
irresponsible: yes. should you be sacked: yes :-D
Thanks,
JamesDR
David Brodbeck wrote:
> JamesDR wrote:
>
>> make sure in writing before you sign anything that your ip(s) will
>> never be listed by the ISP as res/dynamic/dialup ip. If they do they
>> may be in breach of contract (and you would need a lawyer for
>> resolution.)
>
>
> I doubt any ISP would agree to a contract term like that, because they
> don't have any control over what the blacklist maintainers do. Some of
> the blacklists deliberately list whole blocks of IP addresses that
> happen to be on the same backbone provider as a spammer, to
> intentionally cause collateral damage. There's little an individual ISP
> can do about that.
>
>
Re: reply from sorbs
Posted by David Brodbeck <gu...@gull.us>.
JamesDR wrote:
> make sure in writing before you sign anything that your ip(s) will
> never be listed by the ISP as res/dynamic/dialup ip. If they do they
> may be in breach of contract (and you would need a lawyer for
> resolution.)
I doubt any ISP would agree to a contract term like that, because they
don't have any control over what the blacklist maintainers do. Some of
the blacklists deliberately list whole blocks of IP addresses that
happen to be on the same backbone provider as a spammer, to
intentionally cause collateral damage. There's little an individual ISP
can do about that.
Re: reply from sorbs
Posted by JamesDR <ro...@bellsouth.net>.
DSL, Cable, T1, Fiber, etc. your high speed connection type shouldn't be
blacklisted, your service level should, ie dynamic residential line. A
business class customer paying for static ip(s) on a (a/s)dsl line
should not have their ip's blacklisted. I've seen as much spam come from
lines where a spammer buys 254 ip's and starts spamming, then changes
ip's a month later. The RDNS of the ip matches the helo etc. It isn't
the blacklister's fault in most cases to have a user's isp too lazy to
properly operate their policies. If you are a business customer, your
isp has blacklisted you, it's your responsibility to either find a new
isp (where there isn't a monopoly on the line in case of DSL and Cable)
or make sure in writing before you sign anything that your ip(s) will
never be listed by the ISP as res/dynamic/dialup ip. If they do they may
be in breach of contract (and you would need a lawyer for resolution.)
If I'm a business customer, pay for static ip, I'd expect to not have my
ip listed by default as a res/dynamic/dialup ip.
Also, if AOL/Yahoo/MSN were to require you as an admin to pay $100k per
year in order to be allowed to send mail to them (via from your ip),
would you be willing to do this? This would in effect stop 100% spam...
My 2c
Thanks,
JamesDR
Bob Amen wrote:
>
> I realize this is way off topic, but it is important to spam fighting.
>
> jdow wrote:
>
>>> On Sun, Nov 28, 2004 at 10:11:12AM -0000, hamann.w@t-online.de wrote:
>>>
>>>> Hi,
>>>>
>>>> if I did not miss anything in this thread, the victim HAS a static
>>>> IP on the cable/dsl link and
>>>> pays more for the access than dynamic ip would cost with the same
>>>> provider.
>>>> The provider, however, reports a full ip block (which may have a few
>>>> percent of static ip's) as dialup.
>>>> I believe the extra money they get on the fixed ip should allow them to
>>>> - either report correctly or
>>>> - create a mail relay where authenticated users can use their own
>>>>   domain name as sender
>>
> Yes, they should have a separate block of IP addresses for those that
> pay the added cost. And those don't get reported to the SORBS DUL list.
> Maybe other lists if they actually do spam but not DUL.
>
>> So because he is on an address block listed as dialup he gets no chance
>> to issue an SPF for his site. Ah well.
>>
>
> He could but unfortunately SPF doesn't solve the problem. The very
> same zombie machines that are spewing spam are also DNS servers offering
> SPF records for the domain they claim to send from. And those domains
> are either registered with false or forged information or registered
> anonymously, thanks to the policies of some registrars, aided and
> abetted by ICANN. Spammers are adopting SPF faster than the rest of the
> Internet.
>
> It's a difficult situation we're in and there is no silver bullet. We
> need every resource we can use, including good block lists, SPF as a
> rule in SpamAssassin and more. It's very depressing and getting worse,
> according to my mail servers' statistics. We need everyone with a clue
> to help by sending mail in ways that support the resources we use
> instead of whining that they can't do something the way they want. Don't
> blame me and the other mail server admins if you can't get mail to our
> systems because you are sending from a machine on a DSL modem. Blame the
> spammers and those that buy from them!
>
Re: reply from sorbs
Posted by Bob Amen <am...@oreilly.com>.
I realize this is way off topic, but it is important to spam fighting.
jdow wrote:
>>On Sun, Nov 28, 2004 at 10:11:12AM -0000, hamann.w@t-online.de wrote:
>>
>>>Hi,
>>>
>>>if I did not miss anything in this thread, the victim HAS a static IP on
>>>the cable/dsl link and
>>>pays more for the access than dynamic ip would cost with the same
>>>provider.
>>>The provider, however, reports a full ip block (which may have a few
>>>percent of static ip's) as dialup.
>>>I believe the extra money they get on the fixed ip should allow them to
>>>- either report correctly or
>>>- create a mail relay where authenticated users can use their own domain
>>>  name as sender
>
Yes, they should have a separate block of IP addresses for those
that pay the added cost. And those don't get reported to the SORBS DUL
list. Maybe other lists if they actually do spam but not DUL.
>So because he is on an address block listed as dialup he gets no chance
>to issue an SPF for his site. Ah well.
>
He could but unfortunately SPF doesn't solve the problem. The very
same zombie machines that are spewing spam are also DNS servers offering
SPF records for the domain they claim to send from. And those domains
are either registered with false or forged information or registered
anonymously, thanks to the policies of some registrars, aided and
abetted by ICANN. Spammers are adopting SPF faster than the rest of the
Internet.
It's a difficult situation we're in and there is no silver bullet.
We need every resource we can use, including good block lists, SPF as a
rule in SpamAssassin and more. It's very depressing and getting worse,
according to my mail servers' statistics. We need everyone with a clue
to help by sending mail in ways that support the resources we use
instead of whining that they can't do something the way they want. Don't
blame me and the other mail server admins if you can't get mail to our
systems because you are sending from a machine on a DSL modem. Blame the
spammers and those that buy from them!
--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/
http://www.oreilly.com/
Re: reply from sorbs
Posted by jdow <jd...@earthlink.net>.
From: "Nicolas" <st...@oxstone.com>
To: <us...@spamassassin.apache.org>
Sent: 2004 November, 28, Sunday 02:12
Subject: Re: reply from sorbs
> On Sun, Nov 28, 2004 at 10:11:12AM -0000, hamann.w@t-online.de wrote:
> > Hi,
> >
> > if I did not miss anything in this thread, the victim HAS a static IP on
> > the cable/dsl link and
> > pays more for the access than dynamic ip would cost with the same
> > provider.
> > The provider, however, reports a full ip block (which may have a few
> > percent of static ip's) as dialup.
> > I believe the extra money they get on the fixed ip should allow them to
> > - either report correctly or
> > - create a mail relay where authenticated users can use their own domain
> >   name as sender
> >
> > Wolfgang Hamann
>
> I think he has a dynamic IP over a DSL line. That's what I understood.
> Am I wrong?
>
> Nicolas, Paris.
So because he is on an address block listed as dialup he gets no chance
to issue an SPF for his site. Ah well.
{o.o}
Re: reply from sorbs
Posted by Nicolas <st...@oxstone.com>.
On Sun, Nov 28, 2004 at 10:11:12AM -0000, hamann.w@t-online.de wrote:
> Hi,
>
> if I did not miss anything in this thread, the victim HAS a static IP on the cable/dsl link and
> pays more for the access than dynamic ip would cost with the same provider.
> The provider, however, reports a full ip block (which may have a few percent of
> static ip's) as dialup.
> I believe the extra money they get on the fixed ip should allow them to
> - either report correctly or
> - create a mail relay where authenticated users can use their own domain name as sender
>
> Wolfgang Hamann
I think he has a dynamic IP over a DSL line. That's what I understood.
Am I wrong?
Nicolas, Paris.
--
--- OxStOnE -------------- O
- Z750 & Linux ------- ._ /\_>
--- Powered ---------- (x)> (x)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~