[Dshield] Cut Off China
areust at comcast.net
Mon Jun 27 04:01:47 GMT 2005
While Joannes did a very good summary, I can expand on that a bit. I was
requested to evaluate a Windows Email Gateway solution and help construct
it. It was required to be a bastion host and pass through a firewall and
talk to Exchange 5.5. So after the evaluation, pieces and parts were ordered.
The Admin that was assigned to construct it deferred to my capabilities,
ensuring that it would stand up in a DMZ and would probably be hit very
hard. It was...
So after monitoring the production server for 6 months now, and extracting
headers and blocking whole netblocks from China, Korea, large chunks of
Brazil and pieces and parts of Japan, all are actively being blocked. That
reduced the SPAM over 30+ percent. The interesting part was that the first
goal was to remove only the "Adult SPAM," by making those entries it
affected other types of SPAM.
So the begging question becomes, where is the rest coming from? Of the
remaining 50-70% an Extremely Large part is "Opt-In"... and yes, Opt-in is
traffic'd from within the US (larger percentage)... If you would like I can
give you a URL to drop in anyone's email address and it is just about
guaranteed to generate tons of SPAM within 24 hours, but that would be
counterproductive to our jobs.
So despite searching/harvesting email addresses from search engines, blogs
etc (that was how it started)... Many "users" are caught in the word
"Free." IF (with what I have seen) I could collect on all the "Free
Computers, Free Laptops, MP3 Players etc..." or the "Free $1,000 US Dollars
or Gift Cards" for your opinion... I could open my own computer store and
never run out of hardware. I could also have an income of 6 figures... Just
from the "Free Internet"...
Hmmmmmm, we are all fighting to keep the Internet as Free as possible.
Where have we failed to Educate Users? When it comes down to it, what is
the co$t of Free?
We know that our time and efforts are what keeps it relatively free! It is
sometimes making the hard choices as to which is a BOT spewing SPAM, which
BOT is trying to "own a computer" and what happens when someone is putting
their "private/business email address" (where it should not have been
dropped). The Education and Policies that we fight to put in place are what
helps to prevent them from dropping that email address...
So over the course of the last 6 months, I have had the chance to review
over 300,000+ pieces of SPAM to ensure that legitimate email is not
trapped. I have had the chance to extract email headers to find the
culprits... The Culprit tracks back in "most cases," to the "user" typing an
email address where they "Should Not be." So without those email addresses,
SPAMMERS would have no one to send to... The "verified" email list is the
one that makes money. BTW there is no such thing as Opt-Out.
So yes, IIS 5.0 SMTP will allow reject from 18.104.22.168 netmask 255.0.0.0. The
only problem is that the more entries you make, the larger the metabase.
Add more RAM! Check often...
At 05:27 PM 6/26/2005 -0400, you wrote:
> > Greetings:
> > This is going to get lengthy, but I hope you'll bear with me because it
> > explains to the "seasoned pros" how the "newbie" (like me) mind works. I
> > totally agree with jayjwa and Ken Coney concerning the blocking of junk
> > traffic from China, and other Countries that don't play by the rules. In fact
> > - I'd go so far as to block ALL traffic from these Countries. I'll explain,
> > but first - a little about myself so you know where I'm coming from.
>Hmm, if we applied that logic, traffic from the US would be cut off
>from entering Canada. The two countries who target Canadian IPs
>on a regular basis are China and the US.
See the note about Opt-in
>In fact, all spam does not trace back to China, nor any other
>country. Spam traces back to, you guessed it, the US of A.
>That is where the targeted demographic is, and that is where
>money trail traces back to. Follow the money a little further
>Mike, it doesn't end up where you think.
Yes, the SPAM industry in the US is alive and well... It is mostly
(IDtenT) ID10T users that help to promote it...
>I am not arguing for, or against blocking all traffic from
>any country, far from it. Your logic does not seem to bear
>up under scrutiny.
The logic is that each admin needs to decide what they will continue to
allow... IF it affects only one user, then you can explain or allow them to
go elsewhere (AUP)... IF it affects 5,000, 10,000 or more users, then the
cost of 1 user is not worth the effort. It is choices, yes, some of them
become tougher than others...
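The post describes two manual steps on the gateway: pulling the sending host out of the message headers, and rejecting by netblock (the IIS SMTP "reject from ... netmask ..." form). The example below is added here and is not the author's code or anything shipped with IIS or Exchange; it shows how those steps look automated. It walks the Received: chain from our own hop outward to find the first external client, then checks that address against a blocklist given either in CIDR form or as address/netmask. The hostnames, sample messages and address ranges are constructed (RFC 5737/3849 documentation ranges), not taken from the post.

```python
"""Find the originating client IP in Received: headers and test it against a
netblock blocklist, logging the decision before a message would be rejected.
Added example; all sample data below is constructed."""
import email
import ipaddress
import re
from email.message import Message

# Hops we run ourselves (constructed: TEST-NET-1). Received: lines naming an
# address in here were added by our own relays and are skipped, so the first
# hop *outside* the perimeter is treated as the host that delivered to us.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed blocklist. ipaddress accepts both CIDR and "address/netmask",
# so an entry copied from the gateway UI ("reject from X netmask Y") works
# directly; strict=False lets the host part be non-zero, as in the UI.
BLOCKLIST = {
    "blocked-range-A (constructed, CIDR)": ipaddress.ip_network("203.0.113.0/24"),
    "blocked-range-B (constructed, netmask form)": ipaddress.ip_network(
        "198.51.100.9/255.255.255.0", strict=False),
}

# The client address inside square brackets, e.g. "[203.0.113.77]" or
# "[IPv6:2001:db8::25]"; anything else in the header is ignored.
_RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def hop_addresses(msg: Message) -> list:
    """Client IP recorded in each Received: header, topmost (nearest us) first."""
    addrs = []
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_IP.search(hdr)
        if not m:
            continue  # no bracketed address in this hop
        try:
            addrs.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed bracket content; do not trust it
    return addrs


def originating_ip(msg: Message):
    """First hop not inside our own networks: the host that handed us the mail."""
    for addr in hop_addresses(msg):
        if not any(addr in net for net in TRUSTED_NETWORKS):
            return addr
    return None  # no Received: headers, or every hop was ours


def blocklist_match(addr):
    """Label of the first blocked netblock containing addr, else None.
    A mismatched IP version (v6 address vs v4 block) is simply not a match."""
    if addr is None:
        return None
    for label, net in BLOCKLIST.items():
        if addr in net:
            return label
    return None


def classify(raw: str) -> dict:
    """Parse a raw message and report origin address and block decision."""
    msg = email.message_from_string(raw)
    ip = originating_ip(msg)
    label = blocklist_match(ip)
    return {"origin": str(ip) if ip else None,
            "blocked": label is not None,
            "netblock": label}


# Constructed sample: our Exchange host added the top hop, our gateway added
# the second, so the external client is 203.0.113.77.
SAMPLE_BLOCKED = """Received: from gateway.example.invalid (gateway.example.invalid [192.0.2.10])
\tby exchange.example.invalid with SMTP; Mon, 27 Jun 2005 04:01:47 GMT
Received: from mail.relay.invalid (unknown [203.0.113.77])
\tby gateway.example.invalid with SMTP; Mon, 27 Jun 2005 03:59:02 GMT
From: sender@somewhere.invalid
To: user@example.invalid
Subject: FREE laptop for your opinion

constructed body
"""

# Constructed sample with an IPv6 client that is on no blocklist.
SAMPLE_CLEAN = """Received: from gateway.example.invalid (gateway.example.invalid [192.0.2.10])
\tby exchange.example.invalid with SMTP; Mon, 27 Jun 2005 04:05:00 GMT
Received: from host.v6.invalid (host.v6.invalid [IPv6:2001:db8::25])
\tby gateway.example.invalid with SMTP; Mon, 27 Jun 2005 04:04:30 GMT
From: colleague@partner.invalid
To: user@example.invalid
Subject: meeting notes

constructed body
"""

if __name__ == "__main__":
    for name, raw in (("blocked", SAMPLE_BLOCKED), ("clean", SAMPLE_CLEAN)):
        print(name, classify(raw))
```

Walking the chain from the top rather than taking the bottom Received: line matters: anything below the hop our own gateway wrote was supplied by the sender and can be forged, while the hop recorded by our relay is the one TCP connection we actually saw. Keeping the lookup in code also sidesteps the metabase growth the post mentions, since the list lives in a file rather than in per-entry gateway configuration.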