TELECOM Digest OnLine - Sorted: Re: Trial Shows How Spammers Operate

Re: Trial Shows How Spammers Operate

Scott Dorsey
26 Nov 2004 13:49:29 -0500

Dan Lanciani wrote:

> (Scott Dorsey) wrote:

>> You _might_ do a lot better just to extract the first Received: line from
>> the header and send a complaint to wherever that came from. For example,
>> take the following procmail rule:

>> # Comcast dynamic addresses
>> # Condition: extract the first Received: line (the one added by the
>> # receiving MTA) and test it with grep.  The grep pattern and the
>> # recipient address of the complaint are not preserved in the archived
>> # post, so they must be filled in before this recipe will run.
>> # Action: prepend the canned complaint in $HOME/spam to the message
>> # and mail the result.

>> :0
>> * ? /usr/local/bin/formail -xReceived: -uReceived: | grep
>> | cat $HOME/spam - | Mail -s "Your Spam"

>> We can basically be sure that if something comes from a dynamically
>> allocated address on comcast, that it's spam from a zombie machine, so
>> the false positive rate on this is basically zero. Real mail from
>> comcast customers comes from the comcast mail server.

> I think that that would be an extremely bad idea for several reasons.
> First, it would fail to fulfill the primary purpose of responding: to
> inform false positives that an error has been made.

No, it informs the ISP from which the message was sent that the error
has been made. In most cases today, this would be the ISP that
provides service to the zombie machine that is infected with a
spam-propagating worm. In the rest of the cases, it would probably be
the ISP providing service to the spammer. Only in the case of a
spammer running a direct service themselves would mail to the contact
addresses of the site in the first received line actually go to the

The last received: line can be believed. The from: lines cannot be
believed, ever.

In the case of the rule I gave, it will send a message to comcast's
abuse address whenever mail sent from a dynamically-allocated comcast
address arrives. There is NO REASON for anyone on a
dynamically-allocated block to be sending mail directly; mail sent
from Comcast users should go through their mail server and not from
their direct address. So the only mail you will ever get from these
blocks will be spam, mostly from zombie machines.

> Almost as important, it would require me to automatically create
> _outbound_ SMTP connections as a matter of course. That really is
> unsolicited email and, while I don't agree that it is actually "spam",
> it would provide the C/R haters ammunition to have my mail server
> blacklisted.

No, it might cause the abuse desks at ISPs to start blacklisting you.
Hell, half of the abuse desks today just throw away all the incoming
mail anyway, I suspect. But it will do nothing to offend the "C/R
haters" because it's not a C/R confirmation.

> No, really, it won't make me feel better. :) I try to "feel" as little
> as possible about spam. I would feel very bad if I incorrectly
> reported someone for spamming, though. IMHO, too much "feeling" about
> spam -- keeping the War on Spam raging -- is a big part of the
> problem. There is a lot of empire building going on with hundreds of
> blacklists trying to punish various behaviors (apparently including in
> some cases the behavior of wanting to fight spam differently from the
> list's owner) yet ultimately doing little to prevent the increase of
> spam (let alone reduce it). This worries me in the same way that the
> anti-virus companies' dependence on the virus worries me.

The problem is the explosive growth of the network, and the consequent
incompetence of most of the larger backbone sites, which are run by
people who do not understand the nature of the early internet. I
suspect that this will settle down in the US, but as the net expands
throughout the industrializing nations, it's just going to get worse.

But C/R is a really bad idea. Trust me on this one. C/R is not
fighting spam, it's just making the problem worse, because it's
sending a huge number of messages to people who are unrelated to the
issue. That's bad, and it is just going to piss people off.

>> If every single one of us here went and injured a single spammer, the
>> spam problem would be more or less gone. In fact, if one person beat
>> Ralsky up with a baseball bat, I think we'd all see about a 50% drop
>> in spam.

> Yes, it seems to be ok to propose totally absurd solutions since there
> is little danger of their being implemented.

When spam was new, that sort of thing was being implemented all the
time. The guys who spraypainted "SPAMMER" on the front door at uunet
... the guys who set Jeff Slaton's car on fire. These are the sort of
behaviours that used to be common ways of dealing with spamming, and
it's about the only sort of thing that the spammers really understand.

> Oh, and I also understand the argument about zombies using their
> host's legitimate relay. (a) I don't see a lot of that kind of
> traffic and (b) I'm not convinced that I owe such users (whose machine
> would be, after all, spamming me) the duty to silently absorb their
> spam. They are not quite the same as the completely innocent victims
> of forgery.

Check the headers. You will find that 90% of the spam you receive
today is being routed through zombie machines. Blocking dynamic
addresses cuts down the vast majority of that.

> Anyway, as I said to the other correspondent in this thread, please
> feel free to have the last word. I realize that this is a religious
> issue and could be debated forever. However, I ask that you not
> assume that I haven't done some fairly extensive analysis before
> implementing my solution.

Does that include looking at breakdowns of where the spam comes from?
Not where the From: field says it comes from, but where it actually
comes from?


"C'est un Nagra. C'est suisse, et tres, tres precis."
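The point Scott makes above, that only the topmost Received: line (the one your own MTA wrote) can be believed and that From: is worthless, is easy to get wrong when you script a complaint rule. The following is an added Python example, not code from the thread: it parses a message, keeps only the Received: header the local MTA added, pulls the connecting IP and reverse name out of it, and decides whether the peer sits in a dynamic pool. The sample messages, the `198.51.100.0/24` pool, the `example-isp.net` reverse-DNS pattern and the Postfix-style `from HELO (RDNS [IP])` layout are all constructed assumptions.

```python
"""Decide where a message really came from, using only the topmost
Received: header (the one our own MTA wrote) and never the From: line.
Added example; not the procmail rule from the thread."""
import email
import ipaddress
import re
from email import policy

# Constructed stand-in for an ISP's dynamically allocated residential pool.
# A real deployment would load the ISP's published ranges or a DUL-style list.
DYNAMIC_POOLS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed reverse-DNS naming pattern for that pool (assumption, not a real ISP's scheme).
DYNAMIC_RDNS = re.compile(r"^c-\d+-\d+-\d+-\d+\.hsd\d\.[a-z]{2}\.example-isp\.net$")

# Postfix-style clause "from HELO (RDNS [IP]) by ...": HELO is whatever the
# sender claimed; RDNS and the bracketed IP were filled in by our MTA.
PEER = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

# Constructed sample: a zombie on a dynamic address announcing a bank's
# hostname in HELO and prepending a forged Received: line of its own.
SAMPLE_ZOMBIE = """\
Received: from mailhost.bigbank.example (c-198-51-100-23.hsd1.ma.example-isp.net [198.51.100.23])
    by mail.example.org (Postfix) with ESMTP id 4F3A2
    for <user@example.org>; Fri, 26 Nov 2004 13:49:29 -0500
Received: from mailhost.bigbank.example (mailhost.bigbank.example [203.0.113.9])
    by smtp.bigbank.example with ESMTP id 9Z8Y7
From: Account Security <security@bigbank.example>
To: user@example.org
Subject: Verify your account

Please follow the link below.
"""

# Constructed sample: a legitimate message relayed through the ISP's mail server.
SAMPLE_LEGIT = """\
Received: from smtp.example-isp.net (smtp.example-isp.net [192.0.2.25])
    by mail.example.org (Postfix) with ESMTP id 7B1C9
    for <user@example.org>; Fri, 26 Nov 2004 14:02:11 -0500
From: Neighbor <neighbor@example-isp.net>
To: user@example.org
Subject: Lunch?

Noon works for me.
"""


def received_headers(raw):
    """All Received: headers in header order (topmost first), each with its
    folded continuation lines joined and whitespace collapsed."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]


def trusted_received(raw):
    """Only the topmost Received: line can be believed: our MTA wrote it about
    the TCP peer that delivered the message.  Every line below it arrived
    inside the message and could have been typed by the spammer."""
    headers = received_headers(raw)
    return headers[0] if headers else None


def connecting_peer(received):
    """Return (helo, rdns, ip) from a Received line; rdns is None when the
    MTA recorded 'unknown' (no PTR record)."""
    m = PEER.match(received)
    if not m:
        return (None, None, None)
    rdns = None if m["rdns"] == "unknown" else m["rdns"]
    return (m["helo"], rdns, m["ip"])


def is_dynamic(ip, rdns=None):
    """True when the peer address is inside a known dynamic pool or its
    reverse name follows the pool's naming pattern."""
    if ip is not None and any(ipaddress.ip_address(ip) in pool for pool in DYNAMIC_POOLS):
        return True
    return bool(rdns and DYNAMIC_RDNS.match(rdns))


def classify(raw):
    """Verdict on one raw message.  'report_domain' is the domain whose abuse
    desk would be told (RFC 2142 reserves abuse@<domain> for that purpose);
    'claimed_from' is carried along only to show how little From: is worth."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = msg.get("From")
    claimed = str(claimed) if claimed is not None else None
    top = trusted_received(raw)
    if top is None:
        return {"verdict": "no-received", "ip": None, "rdns": None,
                "helo": None, "report_domain": None, "claimed_from": claimed}
    helo, rdns, ip = connecting_peer(top)
    dynamic = is_dynamic(ip, rdns)
    # Last two labels of the reverse name; naive for multi-label TLDs such as co.uk.
    report_domain = ".".join(rdns.split(".")[-2:]) if (dynamic and rdns) else None
    return {"verdict": "dynamic-source" if dynamic else "ok", "ip": ip,
            "rdns": rdns, "helo": helo, "report_domain": report_domain,
            "claimed_from": claimed}


if __name__ == "__main__":
    for name, raw in (("zombie", SAMPLE_ZOMBIE), ("legit", SAMPLE_LEGIT)):
        print(name, classify(raw))
```

Run it and the zombie sample is flagged from its topmost Received: line alone, even though its HELO, its second Received: line and its From: all claim to be the bank; the legitimate sample, relayed through the ISP's own mail server, passes. Feeding `classify()` into a complaint rule still leaves the two questions the thread argues about, whether the pool list is accurate and whether the abuse desk will read the report.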

[TELECOM Digest Editor's Note: A question on spam for anyone who
wishes to answer: I have been allowing my computers to stay turned
on all the time, although there is always 8-10 hours per day (or
overnight actually) when I am not using one or more of them. My
assumption is because I run so many protective things on them,
(Spybot, AVG 6.0, Ad-Aware, Mail Washer, etc) and the 'bots' of
these things do their work during the night while I am asleep so I
do not have to waste time waiting for the bots to run during the
day, that I am safe, and of course there is a firewall router on
line as well. But a couple people have independently stated that
I should turn all computers off when not actually sitting here to
supervise them. And on a couple occasions I have seen the disk
drive on my Linux computer (which also has Win 2000 on it) spinning
for relatively long periods of time when the machine was otherwise
idle or not being used. But I would hate to think I was being used
as a spam sender overnight when I was not here to watch over things.
What are your thoughts? I know I have received from many of you
total garbage things which implies to me that either your own
computer has been compromised or at least your email address has
been forged. Do any of you get things allegedly from me which are
garbage that I 'sent' you? Should I turn the system completely off
when I am asleep/not home? PAT]
