[Dshield] Cut Off China

Al Reust areust at comcast.net
Mon Jun 27 04:01:47 GMT 2005


Adrien

While Joannes did a very good summary, I can expand on that a bit. I was 
requested to evaluate a Windows Email Gateway solution and help construct 
it. It was required to be a bastion host and pass through a firewall and 
talk to Exchange 5.5. So after the evaluation, pieces and parts were ordered. 
The Admin that was assigned to construct it deferred to my capabilities, 
ensuring that it would stand up in a DMZ and would probably be hit very 
hard. It was...

So after monitoring the production server for 6 months now, and extracting 
headers, whole netblocks from China, Korea, large chunks of Brazil and 
pieces and parts of Japan are all actively being blocked. That reduced the 
SPAM by 30+ percent. The interesting part was that the first goal was to 
remove only the "Adult SPAM"; by making those entries it affected other 
types of SPAM.

So the begging question becomes, where is the rest coming from? Of the 
remaining 50-70% an Extremely Large part is "Opt-In"... and yes, Opt-in is 
trafficked from within the US (larger percentage)... If you would like I can 
give you a URL to drop in anyone's email address and it is just about 
guaranteed to generate tons of SPAM within 24 hours, but that would be 
counterproductive to our jobs.

So despite searching/harvesting email addresses from search engines, blogs 
etc. (that was how it started)... Many "users" are caught in the word 
"Free." IF (with what I have seen) I could collect on all the "Free 
Computers, Free Laptops, MP3 Players etc..." or the "Free $1,000 US Dollars 
or Gift Cards" for your opinion... I could open my own computer store and 
never run out of hardware. I could also have an income of 6 figures... Just 
from the "Free Internet"...

Hmmmmmm, we are all fighting to keep the Internet as Free as possible. 
Where have we failed to Educate Users? When it comes down to it, what is 
the co$t of Free?

We know that our time and efforts are what keeps it relatively free! It is 
sometimes making the hard choices as to which is a BOT spewing SPAM, which 
BOT is trying to "own a computer" and what happens when someone is putting 
their "private/business email address" (where it should not have been 
dropped). The Education and Policies that we fight to put in place are what 
help to prevent them from dropping that email address...

So over the course of the last 6 months, I have had the chance to review 
over 300,000+ pieces of SPAM to ensure that legitimate email is not 
trapped. I have had the chance to extract email headers to find the 
culprits... The Culprit tracks back in "most cases," to the "user" typing an 
email address where they "Should Not be." So without those email addresses, 
SPAMMERS would have no one to send to... The "verified" email list is the 
one that makes money. BTW there is no such thing as Opt-Out.

So yes, IIS 5.0 SMTP will allow reject from 221.0.0.0 netmask 255.0.0.0. The 
only problem is that the more entries you make, the larger the metabase. 
Add more RAM! Check often...

More below...

At 05:27 PM 6/26/2005 -0400, you wrote:
> > Greetings:
> >
> > This is going to get lengthy, but I hope you'll bear with me because it might
> > explain to the "seasoned pro's" how the "newbie" (like me) mind works. I
> > totally agree with jayjwa and Ken Coney concerning the blocking of junk
> > traffic from China, and other Countries that don't play by the rules. In fact
> > - I'd go so far as to block ALL traffic from these Countries. I'll explain,
> > but first - a little about myself so you know where I'm coming from.
>
>Hmm, if we applied that logic, traffic from the US would be cut off
>from entering Canada. The two countries who target Canadian IPs
>on a regular basis are China and the US.


See the note about Opt-in

>:)
>
>In fact, all spam does not trace back to China, nor any other
>country. Spam traces back to, you guessed it, the US of A.
>That is where the targeted demographic is, and that is where
>money trail traces back to. Follow the money a little further
>Mike, it doesn't end up where you think.

Yes the SPAM industry in the US is alive and well. It is mostly 
(IDtenT) ID10T users that help to promote it...

>I am not arguing for, or against blocking all traffic from
>any country, far from it. Your logic does not seem to bear
>up under scrutiny.

The logic is that each admin needs to decide what they will continue to 
allow... IF it affects only one user then, you can explain or allow them to 
go elsewhere (AUP)... IF it affects 5,000, 10,000 or more users then the 
cost of 1 user is not worth the effort. It is choices, yes some of them 
become tougher than others...

>Cheers,
>Adrien
>
><snip>

R/

Al
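The header-extraction and netblock-rejection step the message above describes, as an added example that is not part of the original post and not IIS's own filter. It assumes a constructed gateway address (192.0.2.10) and a constructed placeholder netblock (203.0.113.0/24) beside the 221.0.0.0/8 range the post names, and it only trusts the Received: line stamped by the gateway itself, since every earlier hop can be forged by the sender.

```python
import email
import ipaddress
import re

# Netblocks rejected at the gateway. 221.0.0.0/8 is the range named in the
# post; 203.0.113.0/24 is a constructed placeholder, not a known spam source.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("221.0.0.0/8", "203.0.113.0/24")]

# Hosts we run ourselves (constructed address). Only Received: lines stamped
# "by" one of these can be trusted; the sender can forge every earlier hop.
TRUSTED_HOPS = {ipaddress.ip_address("192.0.2.10")}

HOP_RE = re.compile(r"from \S+ \[(?P<client>[0-9.]+)\] by \S+ \[(?P<server>[0-9.]+)\]")

def connecting_ip(raw_message: bytes):
    """Address that connected to our gateway, or None if no trusted hop stamped it.
    Received: headers are stacked newest-first, so the first line written by a
    trusted host whose client is not also ours names the real connecting peer."""
    msg = email.message_from_bytes(raw_message)
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(str(received))
        if not m:
            continue
        client = ipaddress.ip_address(m["client"])
        server = ipaddress.ip_address(m["server"])
        if server in TRUSTED_HOPS and client not in TRUSTED_HOPS:
            return client
    return None

def blocked_netblock(ip):
    """The blocklist entry containing ip, or None if it is not listed."""
    return next((net for net in BLOCKLIST if ip in net), None)

def should_reject(raw_message: bytes) -> bool:
    ip = connecting_ip(raw_message)
    return ip is not None and blocked_netblock(ip) is not None

# Constructed samples. The second Received: line in SAMPLE_BLOCKED is the kind of
# forged hop a sender adds to make the mail look like it came from elsewhere.
SAMPLE_BLOCKED = (
    b"Received: from relay.example.net [221.5.6.7] by gateway.example.org [192.0.2.10]\n"
    b"Received: from mail.example.com [198.51.100.9] by relay.example.net [221.5.6.7]\n"
    b"Subject: constructed sample\n\nbody\n"
)
SAMPLE_CLEAN = (
    b"Received: from mail.example.com [198.51.100.9] by gateway.example.org [192.0.2.10]\n"
    b"Subject: constructed sample\n\nbody\n"
)
```

Matching on the trusted hop rather than the bottom Received: line is what keeps a forged "from mail.example.com" header from hiding a connection that actually came from a blocked range.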
