On Wed, 10 Jul 2002, Lisa Koch wrote:

> by our system.  Our total spam may amount to nearly half our email traffic.
> This is a big burden for a system that operates on a shoestring budget.

Send me your spam.  Seriously, tar it up and send it to me.  I've seen a
few clients get a sudden surge in spam. It turns out that they are being
scammed to sign up for open relay protection services.

> (snip)
> > There are a number of things that we do to protect our relays and identify
> > abusers, and I do a lot of analysis on the spam sent.  Most of the spam is
> > not commercial.  Marketers want to sell products. Antispammers want to
> > annoy people into banning spam/closing relay service/etc.  So the
> > non-commercial spam is sent by antispammers. Since nearly all of the spam
> > is non-commercial, it follows that nearly all spam is sent by
> > antispammers.
> 
> I'm not sure I understand what you're saying here.  It almost sounds like
> you are running open mail relays or hosting spammers, and trying to defend
> them.

Yes, we run open relays for customers. So do many ISPs.  Most of what is
spewed about open relays is false.  If half of what were said were true,
open relays would be bad. Open relays are necessary in some situations,
and there is no way to "secure" open relays where they are necessary,
though many people simply don't need open relay.

The open-relay RBL antispammers try to abuse open relays, and when they
have their "anti-spammer" hats on, they make false claims about open
relays.  But they are the abusers.  They are the ones sending spam. There
are a few real commercial spammers, such as Data Com Marketing and the
like. They are not using open relays, and they can easily be blocked.

We have no spammers. We have never (strangely enough) had any spammers to
kick out. I've actually been wondering why that is. I think it might have
to do with the fact that we access list our customers so that they can't
spoof addresses. 

Spoofing doesn't quite describe what spammers do though: We usually
reverse scan people who try to abuse our relays. Every once in a while, they
have an SNMP port open, sometimes to the public.  In the past, I've set up
a cron job to walk this SNMP server once an hour. The results are
interesting.  You get lots of interesting information. The ARP table shows
who they have been talking to recently, the route table, etc. Basically,
they have a machine in a colo facility with a modem. (To keep SNMP
contact, you have to use the colo address, not the dialup address.) The
modem dials to a dialup provider. The default route stays with the colo
address. So when they connect to our server, their outbound packets go
through their colo provider, using the dialup IP address. (The colo
apparently doesn't filter for its own addresses.)  Returning packets go
via the dialup provider.  Of course, in an SMTP transaction, there are
many more, and much larger, outbound packets (from the SMTP client's point of
view) than inbound packets.

Since we filter our customers to originate only their address space, this
probably also makes us unsuitable for spammer colo. Our filters also
prevent all sorts of abuse from being launched, such as DDoS attacks and
other things that happen either from viruses or break-ins, or just the
rogue employee.

While we have dialup, it's basically only available for employees of our
customers, and isn't visible enough to be abused by the commercial
spammers.

Why they don't like our webhosting is unclear.  Maybe we are just too
expensive. I don't know.  Maybe the open relay people are the only
spammers that do that sort of thing and they don't like me, or just won't
give me their credit card.

                --Dean


---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.
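
As an added example, not from Dean's message or from any list member, the following Python models the per-customer source-address filter he describes: each customer-facing ingress port may only originate packets from the address space assigned to it, so a colo-hosted box sourcing a dialup address through its colo port is dropped and counted. All port names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed table: the address space each ingress port may originate from.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "colo-port-7": ["203.0.113.0/24"],   # hypothetical colo customer
    "colo-port-9": ["198.51.100.0/26"],  # hypothetical colo customer
    "dialup-pool": ["192.0.2.0/24"],     # hypothetical dialup address pool
}

def build_filter(table: Dict[str, List[str]]):
    """Parse the prefix table once into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}

def is_allowed(filt, ingress_port: str, src_ip: str) -> bool:
    """Allow a packet only if its source lies in the space assigned to the
    port it arrived on. Unknown ports are denied by default."""
    nets = filt.get(ingress_port)
    if not nets:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)

def audit(filt, packets: List[Tuple[str, str, str]]):
    """Apply the filter to (ingress_port, src, dst) tuples. Returns the
    verdicts and a per-port drop count; a colo port repeatedly sourcing
    foreign addresses is the dialup-over-colo pattern in the message."""
    verdicts, drops = [], {}
    for port, src, dst in packets:
        ok = is_allowed(filt, port, src)
        verdicts.append((port, src, dst, "allow" if ok else "drop"))
        if not ok:
            drops[port] = drops.get(port, 0) + 1
    return verdicts, drops

FILTER = build_filter(CUSTOMER_PREFIXES)

# Constructed packets bound for a relay at 198.51.100.200 (hypothetical).
SAMPLE_PACKETS = [
    ("colo-port-7", "203.0.113.10", "198.51.100.200"),  # legitimate customer
    ("colo-port-7", "192.0.2.45", "198.51.100.200"),    # dialup source via colo
    ("colo-port-7", "192.0.2.45", "198.51.100.200"),    # same, repeated
    ("dialup-pool", "192.0.2.45", "198.51.100.200"),    # same address, own path
    ("colo-port-9", "198.51.100.70", "198.51.100.200"), # outside the /26
]

if __name__ == "__main__":
    for row in audit(FILTER, SAMPLE_PACKETS)[0]:
        print(*row)
```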