[Dshield] Need some help testing
Stasiniewicz, Adam
stasinia at msoe.edu
Wed Jul 4 18:24:49 GMT 2007
Hi,
Let me directly address a couple of points jayjwa made.
In regards to "Email is all but ruined". You are obviously entitled to your
own opinion, but I think you are being a bit overdramatic. It seems you
are presuming that your bad experience with email is the norm.
Though technically spammers could use ISPs' SMTP to send mail and possibly
down the road it could become a larger issue. But the current spam fighting
situation shows that spam from "legitimate" servers makes up only a small
amount of total spam. This is why reputation-based spam filtering (RBLs,
rDNS, SPF, etc) is proving to be very effective (especially against the
latest wave of image-based spam).
I realize you send your email directly from your home computer without first
relaying to your ISP's SMTP server. In the modern world, that is really not
feasible to do. I would highly recommend you try to send email via your
ISP's email server; you will see a significant drop in rejected/lost
messages.
My last point. Last time I checked, AT&T and the "privileged few" did not
bribe Congress to pass laws mandating everyone set up "block-all RBL[s]" or
"draconian filter[s]". It is in fact humans like you and me (some being
quite smart) that devised and implemented these spam fighting systems. Does
this mean that to send email everyone needs to follow a few rules? Yes, but
the cost is worth the benefit of having a spam-free inbox.
Regards,
Adam Stasiniewicz
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of jayjwa
Sent: Wednesday, July 04, 2007 3:28 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Need some help testing
On Mon, 2 Jul 2007, Mar Matthias Darin wrote:
-> I have written an antispam tool (linux based) called DynaStop, originally
-> for Exim, but will work with any MTA that can call an external process
-> and act on return codes.
From its website:
----------
This can be a pivotal factor in e-mail filtering and server load management as
dynamic IP addresses are typically used for dial-up, dhcp, and DSL accounts.
All of which have a designated mail exchange server that all outbound mail
flows as defined with many if not most large Internet Service Providers (ISP)
such as Road Runner, ATT, Qwest, PacBell, BellSouth, EarthLink, AOL, and many
more around the world if their terms of service or acceptable use policy.
----------
Yet more "let's off-load the spam problem on the people least likely to be
able to fight for themselves, cuz who cares if their mail is blocked?"
solutions? When will people read their logs and see that most real, verified
spam is coming from the so-called "official" ISP's mail servers and large
email providers?
Let's think like the enemy for a second. If I'm a spammer, and I want to hit
home with my crap (millions of email, phishes, etc), where am I going to send
it from? A source already heavily blocked, a system that's not even a bona
fide mail server, a computer that's likely putting out 6Kbps (max) where I'll
have to wait hours for even a few megabytes of stuff to go, a system already
locked-down in DNS-RBL, or will I use systems with 1) high through-put, 2) not
listed in RBL, 3) popular mail carriers almost everyone is likely to take mail
from? I'm sitting on the same Internet as everyone else, and I report spam
from Hotmail, Yahoo, those so-called "proper" ISP MTA's and other major email
providers as I dare 97% of all spam.
The spam that IS coming from dynamic hosts is being routed through those
servers anyway! Check that 'received' block before the 'proper' mail server:
Ah! there's the dial-up, dhcp, DSL account. Hidden nicely. It's like a wolf
putting on sheep's skin for a second: "Here, look, I'm a sheep, take my mail!"
Spam block avoided.
Email is all but ruined as a means of communication. And it's not because of
spam itself, because spam arrives *with* email. It's because of email being so
choked off by well-meaning but mis-guided anti-spam measures that *stop*
email. I've tried to contact a number of people on this list about different
things, and the usual response is bounce from a block-all RBL or a bounce from
a draconian filter. That's why people with valid email accounts have those
'contact.php or contact.html' forms: they're unreachable by email...a victim
of their own device.
When did controlling one's own email become a luxury of the privileged few?
How much to get my own "officially approved" server sitting on its own domain
with back and forth DNS on a static line? Does anyone have an ISP for sale, so
I too can send email on my own (hope they take credit)? No RFC says mail
servers are only for the ones with deep pockets.
This was not the way the Internet was set up. It's equal to censorship, and
that's never good. It works like this: let's cut up the Internet into major
corporations and companies (Road Runner, ATT, Qwest, PacBell, BellSouth,
EarthLink, AOL etc.). Next, we make not signing on with these guys and going
it on your own too expensive for the common joe-average. We enforce that by
setting up filters and block lists on traffic from anyone but those places.
Finally, force all the sign-on's to sign AUP's that say trying to step around
those is forbidden: no in-bound traffic; no servers; no mail servers. Maybe
block port 25 for good measure. Now those 7 or so (how many ever) have an
effective strangle hold on all Internet traffic, with the people running these
lists and making these filters helping them control their fellow peers.
Is this the Internet everyone wants? It'll be like TV! What to watch tonight?
Fox, NBC, ABC, AOL, Yahoo? Park yourself in front of your computer- no
keyboard required because you ain't sending anything...oh no. You've been
blocked. Filtered. Censored out.
No thanks.
--
[RBL:Just A Bad Idea]
http://www.ifn.net/classic/rblstory.htm
http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html
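
Added example (not part of either poster's message): the thread turns on which address a filter sees when a dynamic host relays through its ISP's mail server. This sketch walks the Received chain of a constructed message and reports the dynamic-looking hop behind a trusted relay. The hostnames, addresses, DYNAMIC_HINT pattern and function names are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample (documentation addresses, not real traffic).
SAMPLE = """\
Received: from smtp.isp.example (smtp.isp.example [192.0.2.25])
\tby mx.recipient.example with ESMTP id A1; Wed, 4 Jul 2007 03:30:02 +0000
Received: from home-pc (dsl-203-0-113-77.dyn.isp.example [203.0.113.77])
\tby smtp.isp.example with ESMTP id B2; Wed, 4 Jul 2007 03:29:58 +0000
From: sender@isp.example
To: user@recipient.example
Subject: constructed test

body
"""

# "from <helo> (<rdns> [<ip>])" as written by many MTAs; formats vary in practice.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")
# Heuristic for dynamic-pool reverse DNS names (an assumption, not a standard).
DYNAMIC_HINT = re.compile(
    r"(^|[.-])(dsl|adsl|dhcp|dial(up)?|dyn(amic)?|pool|ppp|cable)([.-]|\d)", re.I)

def received_hops(raw):
    """Return hops newest-first; hop 0 is the client our own MX accepted from."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    return hops

def origin_behind_relay(raw, trusted_relays):
    """Find a dynamic-looking hop, believing only headers written by trusted hosts."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        # Header i (i > 0) was written by the client named in header i-1.
        # If that client is not a relay we trust, the header may be forged: stop.
        if i > 0 and hops[i - 1]["rdns"] not in trusted_relays:
            break
        if DYNAMIC_HINT.search(hop["rdns"]):
            return hop
    return None

if __name__ == "__main__":
    # An IP blocklist queried at SMTP time sees only this address (the relay).
    print("connecting client:", received_hops(SAMPLE)[0]["ip"])
    print("origin behind relay:", origin_behind_relay(SAMPLE, {"smtp.isp.example"}))
```
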