Politech mailing list archives

FC: Lots of replies to antispam blacklists and cable modems


From: Declan McCullagh <declan () well com>
Date: Thu, 10 Jul 2003 02:07:46 -0400

Previous Politech message:
http://www.politechbot.com/p-04943.html

---


Date: Wed, 9 Jul 2003 15:00:32 -0400
From: Philo <philo () radix net>
To: declan () well com
Subject: Final Anti-spam blacklists comment

Declan, I've gotten quite a few replies regarding my blacklist
comment. While I don't agree with all of them, I wanted to acknowledge
that they are all well-worded arguments, and some of them have given
me food for thought.

While I still don't agree with blacklisting millions of users for the
abuses of a handful, I will also grant that Comcast has issues which I
plan to address to them, most notably trying (once again) to get them
to give their business customers honest static IP's properly
registered at ARIN.

Thanks to the Politech community for being a true community and
offering rational discourse instead of some of the vitriolic anti-spam
rhetoric I feared.


--
Best regards,
 Philo                          mailto:philo () radix net

---

Date: Wed, 09 Jul 2003 22:39:58 +0530
From: Suresh Ramasubramanian <suresh () outblaze com>
Organization: Outblaze Limited - http://www.outblaze.com

That URL says it all - and is one of the oldest such blocklists around ... http://www.mail-abuse.org/dul/enduser.html

You can just relay your mail through a static IP - say your cablemodem provider's mailservers. Or through some other mailserver you have access to, using SMTP AUTH. Whatever.

This is as old a non-issue as any. Nothing new to see here.  Move on, folks ...

        srs

---

Date: Wed, 9 Jul 2003 10:31:04 -0700 (PDT)
Subject: Re: FC: Anti-spam blacklists list cable modems,
      hurting small publishers?
From: "Brendan O'Connor" <brendan () oconn org>

This has actually been going on for a long time.  I used to operate my own
domain and mail server off a cable-modem connection and would frequently
get rejected from more paranoid sites.  This issue became a much bigger
problem when AOL stopped allowing incoming mail from dynamic IP's.  Of
course, the Terms of Service for most cable providers explicitly say that
they do not allow you to run servers of any kind, including e-mail.  Oh
well, you get what you pay for.

I found that a reasonably cost-effective solution to this problem was to
lease a server on the internet with a static IP for a nominal fee ($15 a
month, IIRC) which I can use freely to host my own domain ... Not only is
the service significantly more reliable, it also has MUCH better bandwidth
than my cable connection here at home.

Regards,

Brendan

---

Date: Wed, 09 Jul 2003 12:29:46 -0500
To: declan () well com
From: Mickey Chandler <micklc () earthlink net>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small
  publishers?

> some of the blacklists are listing the IP's that cablemodem
> providers assign their clients.

This isn't done without reason. The rationale is that you really should be using your ISP's mail servers. They're set up for your use and in fact, most often the IP ranges listed in things such as the MAPS DUL are provided by the ISPs which own those ranges, not searched for by the blocking list providers.

A quick check of my spam file shows that since 4/7 I've gotten 10 spams from comcast (philo's provider). Those spams range in subject from porn to body part enlargement to "internet detective" software to mortgage offers.

Now certainly, 10 in 2 months isn't an overwhelming number (just a little under 1% of my total for the time period). But, it does show that spammers are using comcast IPs to send out their messages.

If you have a legitimate reason for running an outbound mail server, you should first of all make sure that running a server is ok with your provider, and then write the blocking list provider and ask to be removed. I run one on my little DSL box since it's ok with my provider and don't have problems with being blocked, but this isn't quite the problem for me since I pay for a static IP.

--
Mickey Chandler
micklc () earthlink net


"History will be kind to me for I intend to write it."
     Winston Churchill

---

Date: Wed, 09 Jul 2003 09:57:25 -0700
From: Steve Gertz <steve () brooktree net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Declan,

As a mail administrator, it's my concern to reduce the amount of spam my users get. Someone behind a cable modem (or dial-up internet connection) attempting to send email to my servers directly is not acceptable. The spam levels are too great to allow this. The user can easily send outbound mail to their provider's mail server, allowing for easier tracking in the case of spam, and is completely transparent to the publisher.

Regarding the red herring of 'trying to keep the spirit of the internet alive,' the mail administrators on the other end of the line want to keep it alive, but we need you to be polite and follow the rules.

Steve

---

Date: Wed, 9 Jul 2003 12:59:27 -0400 (EDT)
Subject: Re: FC: Anti-spam blacklists list cable modems,
      hurting small publishers?
From: "Ryan Dlugosz" <ryan () dlugosz net>
To: declan () well com

Declan McCullagh said:
> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

Hi Declan, I have a bit of experience with this situation & I'd offer the
only "good" solution that I found to Philo...

Many ISPs (such as AOL) and blacklist providers are treating all mail from
servers located in "residential IP blocks" as spammers.  It's a sad truth,
but many spammers do in fact live on the residential IP blocks, using
their cable modem connections & mass mail applications to distribute their
pitches.  Also, it is a common occurrence to find an open relay to spam
through on residential IP blocks, either because of carelessness in
configuration/administration or just because the owner doesn't even know
that they're running it.

I don't necessarily agree with the policy that these ISPs are adopting,
but I can see a line of reason behind all of it.  I ran into this problem
some time ago, as I host my own email & messages to a friend's AOL account
were mysteriously bouncing with an error similar to the one you're
receiving.  The only good solution to this problem is to send mail from a
host that is not located on a residential IP block.

You can do this in one of two ways.  You can either pay more money to your
ISP and get a "business account" with static addresses, or you can route
your mail through another SMTP server.  I chose the latter, as my ISP
already provides me with an outgoing SMTP server that I'd previously never
used.  You can still run your own SMTP server, but you want to set it up
so that it routes all outgoing mail to the ISP's SMTP server.  This is
straightforward in sendmail, and should also be in most all other SMTP
servers.  Now all mail is coming from a server which does not live on the
res-block, so the blacklists and ISPs will not reject it.

Clearly, the arbitrary block on mail originating from residential IPs
hurts people like you and I who like to run their own services, but I
imagine that we represent a minute percentage of the broadband user
community.  It's annoying for us, but the group that should *really* be
upset about this are the users of those ISPs!  I know that I wouldn't
stand for this kind of treatment from my provider.

Good luck with the email & feel free to contact me off-list if you've got
more specific questions on how to configure things.

-Ryan

PS - Declan, thanks for a great list!

--
Ryan Dlugosz
ryan () dlugosz net

http://dlugosz.net

---

Date: Wed, 9 Jul 2003 10:29:28 -0700
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
From: Tom Collins <tom () tomlogic com>
To: declan () well com
Content-Transfer-Encoding: 7bit

On Wednesday, July 9, 2003, at 08:45  AM, Declan McCullagh wrote:
> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

Out here (in Phoenix), Cox recently started blocking all outbound SMTP connections from their cablemodem customers. This forced many of my hosting customers to start using Cox SMTP servers instead of connecting to our server via SMTP AUTH. It's quite inconvenient for those with laptops who connect from multiple locations.

My friends who have been affected by this speculate that Cox is trying to pressure customers into upgrading to its business class of service (which is, of course, more money).

> Their decision seems to be based on the fact that my IP is listed as
> "dynamic" as it's issued by a DHCP server and listed
> as dynamic in ARIN. However, my IP hasn't changed in over a
> year. I think they're being asinine and seriously misguided. Most
> importantly, they're doing the baby/bathwater thing and hurting those
> of us who are trying to keep the spirit of the internet alive.

Philo, and others in the same situation, may have to resort to routing all outbound mail through their ISP's mail server to avoid bounces. Either that, or a colo server that they have control over (and can configure to accept inbound SMTP on alternate ports if necessary). Of course, if the ISP's server has problems, it can slow delivery of the mail.

I worry that after forcing customers to use their (ISP's) SMTP servers, they'll limit each customer's sending ability in some way (limited number of recipients, limited message size, etc.)

--
Tom Collins
tom () tomlogic com
Visit sniffter.com for info on the Sniffter hand-held Network Tester

---

Date: Wed, 9 Jul 2003 13:20:59 -0400 (EDT)
From: "Matthew G. Saroff"
To: Declan McCullagh <declan () well com>
cc: politech () politechbot com
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small
 publishers?

        What is going on is a failure of the free market to come up with a
solution.
        Spammers have a way of communicating advertisements at such a low
unit cost, that it pays to send your email to everyone.
        The economics are such, that it pays to send email to a thousand
people even if only one can actually read it (Chinese spam).
        In response to perceived problems of user annoyance, consumption
of system resources, the market supplies solutions.  These solutions vary
from sophisticated heuristic programs, to those that try to determine the
intent of the sender (which includes black lists).
        The spammers develop techniques to evade this, and the coping
mechanisms become more intrusive and aggressive.
        Absent a greater societal solution (legislation), I see this as
leading to email, becoming gated communities, where only preapproved
access is allowed.
--
Matthew Saroff

"A modern conservative is engaged in one of man's oldest exercises in
moral philosophy; that is, the search for a superior moral justification
for selfishness."  -- John Kenneth Galbraith
p.s. please delete the email if you forward to Politech.

---

From: "Alex Neuman van der Hans"
To: <declan () well com>
Subject: REMOVEMYEMAIL RE: Anti-spam blacklists list cable modems, hurting small publishers?
Date: Wed, 9 Jul 2003 12:07:58 -0500
Organization: Neuman Consulting

This is easily circumvented by using your ISP's (your Cable Provider's?)
SMTP server for outgoing e-mail. You can still use your own server for
incoming mail, just point your server to deliver all outgoing mail to your
ISP's server.

Alex Neuman
Panamá City, Republic of Panama

---

Date: Wed, 9 Jul 2003 13:03:00 -0400
From: "Christopher A. Petro" <petro () christopherpetro com>
To: Declan McCullagh <declan () well com>
Cc: philo <philo () saintchad org>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?

On Wed, Jul 09, 2003 at 11:45:51AM -0400, Declan McCullagh wrote:
> Their decision seems to be based on the fact that my IP is listed as
> "dynamic" as it's issued by a DHCP server and listed
> as dynamic in ARIN. However, my IP hasn't changed in over a
> year. I think they're being asinine and seriously misguided. Most
> importantly, they're doing the baby/bathwater thing and hurting those
> of us who are trying to keep the spirit of the internet alive.

This is not a terribly unreasonable restriction.  Many ISPs do (and
should) block outgoing port 25 for normal customers.  The ISP
provides its own mail server that can be used for sending outgoing
mail.  For personal use that works just fine.  The better ISPs with
this policy allow you to sign a contract allowing them to arbitrarily
cut off your access if they see spam in exchange for opening port 25,
but I wouldn't expect that sort of flexibility from a cable provider.

Sending the mail through the cable ISP's mail server will fix this
problem unless they place a restriction on the number of messages.
Since I assume he has residential, rather than business, cable service
this would also not be an unreasonable restriction.  Residential cable
contracts normally disallow anything but personal use, and anything
involving bulk mailing is probably at least organizational, if not
commercial.  He may be able to get business cable service with fewer
restrictions and an IP that's not in a listed dialup block, depending
on the ISP.

Because they do allow outgoing port 25, he could also relay the mail
through another server if someone would allow him to do so.

--
Christopher A. Petro .. petro () christopherpetro com .. 917-346-1536

---

Date: Wed, 09 Jul 2003 12:59:22 -0400
From: Brad <brad () crisp net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3; MultiZilla v1.4.0.2) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: declan () well com
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?

I just want to highlight his last point, it's not "cable modem = spammer" it's "dynamic ip = spammer". I agree that dynamic IP's shouldn't be blocked and I certainly don't. However, dynamic users should be able to use an upstream SMTP server provided by their ISP. I wonder what exactly they are "publishing" that can't be sent through their ISP's smtp? Nevermind that every cable modem terms of service I've seen forbids commercial server on residential dynamic connections...

---

X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.3
To: declan () well com
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?
In-reply-to: Your message of "Wed, 09 Jul 2003 11:45:51 EDT."
             <5.2.1.1.0.20030709114509.0ae4d0e0 () mail well com>
From: Dave Close <dave () compata com>
Date: Wed, 09 Jul 2003 09:53:33 -0700
Sender: dave () compata com

philo <philo () saintchad org> wrote:
>Declan, some of the blacklists are listing the IP's that cablemodem
>providers assign their clients. This is screwing small publishers -
>often cablemodem is the only broadband we can get (no DSL out past a
>DLC), so their unilateral decision that "cablemodem=spammer" has
>screwed a lot of people.

Philo seems to be one of those who doesn't complain until "they" come
for him, by which time all those who might have supported him have
already been taken. We all need to recognize that the problem can't be
resolved by adjustments to the blacklist algorithms. So long as the
lists do indirect blocking - blocking, not spammers, but addresses which
may have been used by, or are related to those used by, spammers - they
will inevitably block some legitimate users. Some say we should just
accept this collateral damage. Did philo complain about blocking legit
dial-up users?
--
Dave Close, Compata, Costa Mesa CA  "You can't go to Windows Update
dave () compata com, +1 714 434 7359    and get a patch for stupidity."
dhclose () alumni caltech edu                  -- Kevin Mitnick

---

X-Sender: dlaflamme1 () pop east cox net
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Wed, 09 Jul 2003 12:53:23 -0400
To: declan () well com
From: Nick Laflamme <dplaflamme () alumni nd edu>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small
  publishers?

I'm confused by Philo's complaint. Is Philo saying that the blacklists are blocking the SMTP servers run by the service providers that provide cable modem access to their clients, or are the blacklists blocking the end-user IP address ranges?

My home access provider is a cable modem provider. I point all of my outbound SMTP traffic at their SMTP engine; they relay it to the rest of the world. It doesn't sound like Philo is using such a scheme. If so, why not?

The assumption doesn't seem to be "cable user == spammer"; it seems to be "distributed SMTP server == spammer." I don't think this would vary for other connection methods, unless those connection methods come with dedicated IP addresses. Even then, I'd be shocked if Philo's provider wouldn't lease a dedicated IP address for an additional fee. :-)

Just a thought,
Nick

---



Date: Wed, 9 Jul 2003 13:23:20 -0400
From: Steven Champeon <schampeo () hesketh com>
To: Declan McCullagh <declan () well com>
Cc: philo () saintchad org
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?

on Wed, Jul 09, 2003 at 11:45:51AM -0400, Declan McCullagh wrote:
>
> ---
>
> Date: Tue, 8 Jul 2003 21:29:28 -0400
> From: philo <philo () saintchad org>
> To: declan () well com
> Subject: Blacklist Complaint: Fwd: Postmaster Notify: Delivery Failure.
>
> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

A small correction: it is not "cablemodem = spammer" that has been
decided; it is "cablemodem = sucker running vulnerable OS cracked by
spammer and now acting as source of nine tenths of the spam on the net".

So, get a fixed IP address from your service provider and have them set
you up with reverse DNS that doesn't look like a compromised box likely
to be running an illicit smtp proxy.

I've been using a set of patterns that match dsl, cable, dialup, etc.
hosts for some three months now (I'm up to over 600 patterns, for nearly
as many different providers worldwide) and as a result, I have cut my
spam load from a peak of 1500/day in mid-May to ~40-60/day today.

Spam costs us all money. Your claim - that our fighting spam by blocking
an address you or your provider hasn't bothered to list as fixed - is
specious and ignores the aggregate costs of fighting spam from open
proxies and trojans, spread across every mail server and abuse desk,
versus the relatively small cost to you to get your provider to change
your rDNS so you look like a non-dynamic host.

> Their decision seems to be based on the fact that my IP is listed as
> "dynamic" as it's issued by a DHCP server and listed
> as dynamic in ARIN. However, my IP hasn't changed in over a
> year. I think they're being asinine and seriously misguided. Most
> importantly, they're doing the baby/bathwater thing and hurting those
> of us who are trying to keep the spirit of the internet alive.

I do appreciate your efforts to "keep the spirit of the Internet alive".

I'm trying to keep the spirit of the Internet alive for my users and
myself, by making email usable again, and your dynamically-assigned IP
looks like every other dynamically-assigned IP on the Net, which is the
source of 95-98% of the spam we're getting these days. Please bite the
bullet and get proper rDNS, as the spirit of the Internet would have
you do in the first place, if you're going to be running a mail server.

> Philo
>
>
>    571 dialup user rejected; see: http://www.mail-abuse.org/dul/enduser.html

Another list in widespread use is the PDL:

 http://dialups.visi.com/
 http://www.pan-am.ca/pdl/

I don't find it very effective, frankly, which is why I started writing
my own rules to block mail from dynamic IPs. Here's some recent (mid-June)
statistics regarding how much spam is coming from dynamic IPs:

Of a total of 977 rejected messages on one server (June 16th, between 4am
and approximately 6pm):

 - 647 'did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'
     49 attbi.com
     39 comcast.net
     17 dsl-verizon.net
     11 net.ar
     16 rr.com
     12 swbell.net
     19 t-dialin.net

 -  89 were rejected as being direct from cable/dsl/dialup
     11 attbi.com
     11 comcast.net
      5 dsl-verizon.net
      3 ntl.com
      3 rogers.com
      2 rima-tde.net
      2 swbell.net
      2 t-dialin.net
      2 tie.cl
      2 fuse.net

 - 241 were rejected as spam
    192 of these were sent to spamtraps
     49 of these were sent from known spammer domains

Of a total of 2751 dropped connections on my low priority MX since 4am
Sunday:

    178 attbi.com
    177 comcast.net
     68 t-dialin.net
     63 rr.com
     41 dsl-verizon.net
     27 charter.com
     25 btopenworld.com
     24 videotron.ca
     24 ntl.com
     23 verizon.net
     23 swbell.net
     22 interbusiness.it
     19 co.uk
     18 rogers.com
     17 net.ar
     16 optonline.net
     15 ameritech.net
     14 net.br
     14 ne.jp
     12 surfer.at
     12 mindspring.com
     12 mchsi.com
     11 com.ar

</snip>

All of these hosts are in dynamic netblocks. The "did not issue" hosts
were those running spamware that chokes on a multiline SMTP greeting
(or, possibly, MTA software such as Mimesweeper, which also fails to
accept a multiline greeting) but in any event, the connections were made
in such a way as to suggest a spammer at work: the same delivery address
was targeted, often from /different/ sender addresses, from a wide
variety of dynamic hosts, in a sort of round robin rotation.

If I reject a delivery attempt to a spamtrap from, say,
dsl-ull-92-76.42-151.net24.it, within a few seconds the spammer tries to
deliver to the same address, but this time from
2-222-44-252.client.insightBB.com, then 202.155.121.155, then from
c-24-245-68-107.mn.client2.attbi.com, then from 200.46.19.167, then from
adsl-64-168-213-146.dsl.lsan03.pacbell.net. I have logs full of these.

I also have archives full of spam that was rejected from dynamic ranges
I knew about several times before they found a dynamic IP I didn't know
to block - hence the 600+ rules in my sendmail config to block as many
such netblocks as I can - always based on the rDNS, so having a rDNS
that didn't match a known dynamic naming convention would let mail from
you through to my servers.

IMHO, it's your responsibility to register your IP as static and get a
rDNS entry set up that reflects this non-dynamic nature. You'll do more
to fight spam, reduce the stress of possibly having your mail rejected,
and do more to restore the spirit of the Internet by being a responsible
Netizen.

Cheers,
Steve

--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier
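
The rDNS-based rejection and the round-robin delivery pattern described in the message above, sketched as an added example; it is not part of the original post and not the poster's sendmail rules. The two regular expressions, the log line format and the timestamps are assumptions constructed here; the client names are the ones quoted in the message.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed naming conventions, written for this example (not the poster's rules).
EMBEDDED_IP = re.compile(
    r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?=[.-])")
ACCESS_WORD = re.compile(
    r"(?:^|[.-])(?:a?dsl|cable|dial(?:up|in)?|dhcp|dyn(?:amic)?|ppp|pool|client)"
    r"(?=[.\d-])")

# Assumed reject-log format, one line per refused delivery attempt.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) reject client=(?P<client>\S+) "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$")


def classify_client(client):
    """Return why a connecting client looks dynamic, or None if it does not."""
    name = client.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "no-rdns"          # logged as a bare address: no PTR record
    except ValueError:
        pass
    m = EMBEDDED_IP.search(name)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "embedded-ip"      # the address is spelled out in the hostname
    if ACCESS_WORD.search(name):
        return "access-keyword"   # dsl, cable, dialup, dhcp, ... as a label
    return None


def parse_rejects(lines):
    """Parse reject-log lines into time-ordered (ts, client, sender, rcpt)."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["client"],
                           m["sender"], m["rcpt"]))
    return sorted(events)


def round_robin_targets(events, window=timedelta(seconds=60), min_hosts=3):
    """Recipients hit from >= min_hosts distinct dynamic clients within window."""
    by_rcpt = defaultdict(list)
    for ts, client, _sender, rcpt in events:
        if classify_client(client):
            by_rcpt[rcpt].append((ts, client))
    flagged = {}
    for rcpt, hits in by_rcpt.items():
        start, best = 0, set()
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {c for _, c in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[rcpt] = sorted(best)
    return flagged


# Constructed sample log: timestamps, senders and recipients are made up.
SAMPLE_LOG = """\
2003-06-16T04:00:01 reject client=dsl-ull-92-76.42-151.net24.it from=<a@sender.example> to=<trap@example.org>
2003-06-16T04:00:04 reject client=2-222-44-252.client.insightBB.com from=<b@sender.example> to=<trap@example.org>
2003-06-16T04:00:09 reject client=202.155.121.155 from=<c@sender.example> to=<trap@example.org>
2003-06-16T04:00:15 reject client=c-24-245-68-107.mn.client2.attbi.com from=<d@sender.example> to=<trap@example.org>
2003-06-16T04:07:30 reject client=mail.example.net from=<list@example.net> to=<user@example.org>
2003-06-16T05:30:00 reject client=adsl-64-168-213-146.dsl.lsan03.pacbell.net from=<e@sender.example> to=<user@example.org>
""".splitlines()

if __name__ == "__main__":
    for rcpt, hosts in round_robin_targets(parse_rejects(SAMPLE_LOG)).items():
        print(rcpt, "<-", ", ".join(hosts))
```

A hostname that merely contains four dash-separated numbers would also match the first pattern, so rules of this kind need an exception list for known static hosts.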

---

Date: Wed, 9 Jul 2003 13:52:58 -0400
From: Rich Kulawiec <rsk () firemountain net>
To: Declan McCullagh <declan () well com>
Cc: philo <philo () saintchad org>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small publishers?

On Wed, Jul 09, 2003 at 11:45:51AM -0400, Declan McCullagh wrote:
> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients.

True.   All DNSBLs have different policies, and *some* of them list IP
addresses that are one or more of:

        - IP addresses assigned to dialups
        - IP addresses assigned to DSL connections
        - IP addresses assigned to cable connections
        - dynamically allocated IP addresses (e.g. DHCP)

This is because IPs in this class are a HUGE source of spam.  (See below.)
This, in turn, is partly because such connections are readily available
at low cost, but it's also because hundreds of thousands of such systems
are in use (or ready for use) as a distributed spamplifier, because they
are running open proxy servers.  And that in turn is either because their
owners configured them that way, or installed software that configured
them that way, or because they've been infected by viruses/worms which
are designed for that purpose.  (Windows + broadband = happy spammers.)

Note that other DNSBLs may also choose to list such IP addresses for
other, different criteria such as:

        - non-functional/non-responsive ISP "abuse" address
        - receipt of numerous spams from entire IP block
        - ISP failure to address spam and other abuse issues

Again, it depends on which DNSBL.  You can find out which ones are listing
you (and why) by going to

        http://combat.uxn.com/

and using it to search the DNSBLs (that it knows about) for your IP
address, then following the resulting links.  (Another useful site
for doing this: http://www.openrbl.org/)

> This is screwing small publishers -

No, it's not doing any such thing.  They can either:

        - use their ISP's mail servers for outbound mail -- which
                is what they SHOULD be doing anyway if they have a
                dynamic address, and may be mandated by their TOS
        - get a static IP (which most services offer as part of
                "business-class" service)
        - and/or get proper forward and reverse DNS set up so that
                it's clear to everyone who/what is on that IP
        - use a "smarthost" - an external mail server which handles
                their outbound traffic (very easy to set up)

among many other options.

> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

No such decision has been made.  The decision has been made (by those
DNSBLs which list these IPs, and presumably, by those people who are
using those DNSBLs) that "cablemodem IP address = unacceptably high
probability of spam".   Based on available data, that appears to be
a very sound decision.

> Their decision seems to be based on the fact that my IP is listed as
> "dynamic" as it's issued by a DHCP server and listed as dynamic in ARIN.

It's impossible to say without knowing the specific IP in question, which
DNSBLs list it, and then querying those DNSBLs to find out why.
For example, *some* IP addresses are not only marked as "dynamic", they're
marked as "dynamic and known spam source" or "dynamic and open proxy".

> I think they're being asinine and seriously misguided.

I don't think so at all.  It's a highly effective anti-spam tactic, and
is an extension of the listing of known dialup IP addresses which has
already been in place for a number of years.

If there's anything "asinine and seriously misguided", it's the complete
failure of the ISPs running these networks to properly manage them: their
incompetence and neglect has made it necessary to put these measures in place.
(This is not to overlook the other places where responsibility needs to
be placed: the owners of those systems are responsible for what the systems
do, and of course the spammers are responsible for hijacking them.)

For example, my guess is that you are at 68.38.193.22, which appears to
be part of Comcast's cablemodem network in Virginia.  Here is a list of
just the Comcast systems which attempted to deliver spam to one (1) of
the mail servers I'm running during just one (1) day; I've listed each
one only once, even though some of them made multiple attempts:

If I had included all the other cable modem networks, DSL providers,
and dialup connections, this would be a MUCH longer list.

Now consider that the particular mail server in question here has exactly
one user -- me -- and try to imagine what this list would look like if
it were compiled from the inbound mail logs of a sizable ISP, company,
or university.

You might want to take that list to Comcast and ask them when they will
be willing to address the torrent of abuse coming from their network,
of which this is just a tiny sample.

Perhaps if they were to adequately address these issues, it wouldn't be
necessary for the rest of the world to take steps to defend themselves.
But until that happens, I don't see any reason why all of us should
bend over and grab our ankles just because Comcast doesn't (to date)
appear ready, willing and able to properly operate their network.

In other words, you need to realize that the DNSBL listing is not the
source of your problem: it's merely a symptom.  The problem exists at
your ISP, and only your ISP can solve it.  Since you are (presumably)
paying them to operate their service in a professional manner, perhaps
you should demand that they do exactly that.

---Rsk

---

To: declan () well com
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small
 publishers?
References: <5.2.1.1.0.20030709114509.0ae4d0e0 () mail well com>
From: Russ Allbery <rra () stanford edu>
Organization: The Eyrie
Date: Wed, 09 Jul 2003 11:12:57 -0700

Declan McCullagh <declan () well com> writes:

> Date: Tue, 8 Jul 2003 21:29:28 -0400
> From: philo <philo () saintchad org>
> To: declan () well com
> Subject: Blacklist Complaint: Fwd: Postmaster Notify: Delivery Failure.

> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

They're not deciding cablemodem = spammer.  They're deciding that
cablemodem = should use their ISP's mail server.  This is normally a very
simple configuration change.

If their ISP is not providing a mail server, that's another problem, and
certainly a serious one.  But if their ISP has their own mail server, they
can solve this problem simply and easily by switching to it for outgoing
mail.

The reason why this is done is because cable modem and DSL address blocks
tend to be *full* of people running systems who have no idea what they're
doing.  In particular, open proxies (people running proxy software with
remote access enabled and with no or insufficient passwords) are a huge
problem.  They are widely and actively abused by spammers on a daily
basis, perhaps even more so than open relays these days.  Generally all of
that spam goes out directly from the system with the open proxy on it,
since the spamware won't know how to route through the ISP's mail server.
This means that blocking all SMTP connections direct from cable modem
connections and instead accepting mail routed through the ISP's SMTP
server blocks all of that spam.

There are other reasons for this as well, but I think this is the largest
one these days.  I agree that it's a damnable inconvenience; as an
experienced systems administrator, I would always much prefer to send my
mail out directly from my own systems, be able to watch my own mail
queues, and be in direct control of the disposition of my mail.  But the
fact of the matter is that the vast majority of systems on the Internet
are run by naive or incompetent administrators, and those of us who know
what we're doing are suffering from restrictions put in place to keep
those who don't know what they're doing from causing too much damage.

Don't blame the people doing spam filtering for this one.  They're just
trying to use what measures they can, and as spam filtering goes, this one
is extremely effective at stopping spam, relatively benign, and easy to
avoid.  Blame the people who set up proxies on their systems without
having any idea what they're doing, the authors of the proxy software for
not adding sufficient security controls, and the authors of operating
systems without sufficient security protection against viruses (viruses
installing open proxies is becoming more common).

--
Russ Allbery (rra () stanford edu)             <http://www.eyrie.org/~eagle/>
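
The connect-time check described in the message above, as an added example (not part of the thread and not any list operator's code): a receiver queries the list for the address of the connecting peer only, so the same mail is refused when sent directly from a listed dynamic address and accepted when relayed through the ISP's server. The zone name `dul.example.org`, the addresses, and the `127.0.0.3` answer are constructed for illustration; the lookup convention (reversed octets or nibbles under the zone, an answer in 127.0.0.0/8 meaning "listed") is the standard DNSBL one.

```python
import ipaddress
import socket

ZONE = "dul.example.org"  # hypothetical dynamic-range list, not a real zone

def dnsbl_query_name(ip, zone):
    """Build the DNS name a receiver looks up for a connecting address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                    # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]    # reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """Return A records for name; any lookup failure counts as not listed (fail open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Listed means the zone answers with an address inside 127.0.0.0/8."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in loopback for a in answers)

def smtp_decision(peer_ip, zone, resolve=system_resolver):
    """Decide at connect time, using only the peer address of the TCP session."""
    if is_listed(peer_ip, zone, resolve):
        return "550 rejected: %s is listed in %s" % (peer_ip, zone)
    return "250 accepted"

# Constructed zone data: the list covers the dynamic pool 192.0.2.0/24.
FAKE_ZONE = {dnsbl_query_name("192.0.2.%d" % i, ZONE): ["127.0.0.3"] for i in range(256)}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

def demo():
    direct = smtp_decision("192.0.2.77", ZONE, fake_resolver)      # host in the pool connects itself
    relayed = smtp_decision("198.51.100.25", ZONE, fake_resolver)  # same mail via the ISP's server
    return direct, relayed

if __name__ == "__main__":
    print(demo())
```

Passing `system_resolver` instead of `fake_resolver` performs real DNS queries against whatever zone the receiver subscribes to.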

---

Date: Wed, 9 Jul 2003 14:48:52 -0400
From: Mike
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small

Please redact my email address if published.  Thanks.

On Wed, Jul 09, 2003 at 11:45:51AM -0400, Declan McCullagh wrote:
> From: philo <philo () saintchad org>
>
> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.

Nobody has been screwed.  He can still send mail through his ISP's
server.  It's a trivial change in one config file to tell sendmail to
forward everything through the ISP's server.

He can still receive mail from anywhere, and his outgoing mail can
have any "from" address he wants.  What's the problem?

If spammers weren't hijacking systems on cable, this wouldn't be
needed.  Sadly, the rest of us now need to protect our systems.

In addition, philo will probably find that his AUP with his cable
provider prohibits him from running mail or web servers on their
connection.   There are plenty of other places to get hosting, if not
connectivity to his home.

--
mike

---

Subject: Re: FC: Anti-spam blacklists list cable modems, hurting small
        publishers?
From: Shaya Potter <spotter () cs columbia edu>
To: declan () well com

What's the problem?

It's against the TOS of almost all cable modem providers to run a server
on one's own machine.

Beyond that, almost all cable modem providers allow you to send e-mail
through their smtp servers.

If you are in a situation where they only allow you to send email from
username () cable-modem company com, then there are plenty of fairly cheap
(in reference to cable modem fees) servers that one can pay for that
provide smtp via smtp authentication.

The only small issue would be where a cable modem company prevents all
outgoing traffic on port 25.  I say small, because there's no real
limitation of using smtp on port 25, you can use it on any port.

Yes, we have a limit on our privacy, but the spam problem is a serious
issue, and spammers would jump all over dynamic address blocks if they
could.

---


X-Sender: bs663385 () pop skynet be
Message-Id: <a0600123bbb323d0af7be@[192.168.0.3]>
In-Reply-To: <5.2.1.1.0.20030709114509.0ae4d0e0 () mail well com>
References: <5.2.1.1.0.20030709114509.0ae4d0e0 () mail well com>
Date: Thu, 10 Jul 2003 01:52:26 +0400
To: declan () well com
From: Brad Knowles <brad.knowles () skynet be>
Subject: Re: FC: Anti-spam blacklists list cable modems, hurting
 small publishers?
Cc: philo <philo () saintchad org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 11:45 AM -0400 2003/07/09, Declan McCullagh quoted philo as saying:

> Declan, some of the blacklists are listing the IP's that cablemodem
> providers assign their clients. This is screwing small publishers -
> often cablemodem is the only broadband we can get (no DSL out past a
> DLC), so their unilateral decision that "cablemodem=spammer" has
> screwed a lot of people.
>
> Their decision seems to be based on the fact that my IP is listed as
> "dynamic" as it's issued by a DHCP server and listed as dynamic in
> ARIN. However, my IP hasn't changed in over a
> year. I think they're being asinine and seriously misguided. Most
> importantly, they're doing the baby/bathwater thing and hurting those
> of us who are trying to keep the spirit of the internet alive.

Problem is that many people who are using cablemodems are wide-open security-wise, and are severely infected with one or more viruses/Trojan Horses/spyware/adware programs, and are being used and sorely abused as open proxy/open relay spamming servers.

Recently, the Mail Abuse Protection Service (MAPS) added an "open proxy" black list, and this has been extremely effective in blocking much of the latest round of spam. This list is also, by far, the biggest list that MAPS has ever hosted, needing over fifty megabytes of RAM to store, and requiring that sites who subscribe to the MAPS RBL+ service via zone transfer (so that they can serve the data locally) are forced to upgrade to the very latest release of BIND 9 so that they can use the "IXFR" (incremental zone transfer) feature.


If you want to run a business over a DSL line, you either need to get a static IP address (not a dynamic IP address that supposedly hasn't changed in a year), or you need to use the mail relay servers from your provider, or you need to contract with a third party to provide secure mail relay services through their machines (either authenticated but unencrypted with SMTPAUTH, or authenticated and encrypted with TLSSMTP).

Oh, and make sure that your site really is secure against being used as an open relay or open proxy.


I'm sorry.  That's just the way life is these days.

--
Brad Knowles, <brad.knowles () skynet be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------