

21 October 2006


From maillist Cypherpunks.

Date:	Thu, 19 Oct 2006 17:00:40 -0700
To:	Eugen Leitl <eugen[at]leitl.org>
From:	Bill Stewart <bill.stewart[at]pobox.com>
Subject: Re: Client host rejected: 85/8 banned for abuse
Cc:	cypherpunks[at]jfet.org, measl[at]mfn.org

At 12:16 PM 10/19/2006, Eugen Leitl wrote:
>Are you sure? 85/8, that's a lot of unreal estate.
>
>  <measl[at]mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554
>      <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for
>abuse
>      (in reply to RCPT TO command)

The whole /8?  I'd certainly say it's a lot -
it's not even a single Class A owned by a carrier like AT&T or UUNet,
but has a number of different ISPs in different countries owning
chunks of it.  leitl.org has a /24 that's part of an ISP /18 in Germany,
and I saw some Swisstel in another /18 there.

That's the kind of global overkill I'd expect from an
irresponsible spam-blocker list like SPEWS,
and even for them that would be pretty excessive.



Date: Fri, 20 Oct 2006 08:24:47 -0500 (CDT)
From: "J.A. Terranson" <measl[at]mfn.org>
To: Bill Stewart <bill.stewart[at]pobox.com>
Cc: Eugen Leitl <eugen[at]leitl.org>, cypherpunks[at]jfet.org
Subject: Re: Client host rejected: 85/8 banned for abuse

On Thu, 19 Oct 2006, Bill Stewart wrote:

> >Are you sure? 85/8, that's a lot of unreal estate.
> >
> >  <measl[at]mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554
> >      <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for
> >abuse
> >      (in reply to RCPT TO command)
>
> The whole /8?  I'd certainly say it's a lot -
> it's not even a single Class A owned by a carrier like AT&T or UUNet,
> but has a number of different ISPs in different countries owning
> chunks of it.  leitl.org has a /24 that's part of an ISP /18 in Germany,
> and I saw some Swisstel in another /18 there.
>
> That's the kind of global overkill I'd expect from an
> irresponsible spam-blocker list like SPEWS,
> and even for them that would be pretty excessive.

Ahhh, but I have a *lot* more flexibility here than SPEWS does.  I can
set filters by individuals, and I have little need for the vast majority
of IP space - therefore I filter very hyperaggressively for this domain.

Prior to this "overreaction", I was receiving approximately 25K spam
emails per day (on an *average* day - there have been *much* worse!).
Now, I see less than several hundred: a fair trade for the rare false
positive (about 75% of which come from this list, and of which I see less
than a dozen per year).

I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
America, Israel, Russia and neighboring real estate... You get the idea.

The policy here is that if an abusive email gets through:
(1) If generated by a hosting company, the entire allocation to that
hosting company is blocked;
(2) If from dynamic space, it was missed the first time, so added now;
(3) If from a microallocation (/25-/32) I block the micro, and if from a
company with significant space, but what appears to be just a compromised
host, the /24 in which that host lives.

It works.

--
Yours,
J.A. Terranson
sysadmin[at]mfn.org
0xBD4A95BF

"Surely the larger lesson learned from that day is that other men, all
over the world, took inspiration not from the heroism of the rescuers in
New York or the passengers flying over Pennsylvania, but from the 19
hijackers - the twisted brilliance of their scheme and their willingness
to sacrifice their lives to make a political and, as they saw it,
religious statement."

Richard Corliss/Time Magazine 11 Aug 2006
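As an added illustration (not part of the thread and not Terranson's own tooling): a Python sketch of the three-rule policy above, turning one abuse report into the CIDR entry to add. The /18 around 85.10.225.64 is the allocation Bill Stewart mentions; the `kind` classification is assumed to come from a whois lookup the script does not perform; the rendered lines follow Postfix's cidr: table syntax, which is the MTA whose "Client host rejected:" wording appears in the bounce quoted at the top of the thread.

```python
"""Map an abusive delivery to the network to block under the quoted policy.

Rules, as stated in the message above:
  hosting company      -> block the whole allocation
  dynamic space        -> block the whole allocation (it was missed earlier)
  microallocation      -> block exactly that /25..../32
  compromised host in a large allocation -> block the host's /24
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AbuseReport:
    client_ip: str    # connecting host that delivered the spam
    allocation: str   # whois allocation the host sits in (assumed looked up elsewhere)
    kind: str         # "hosting", "dynamic" or "compromised"


def block_for(report: AbuseReport) -> ipaddress.IPv4Network:
    """Return the network the policy says to block for this report."""
    ip = ipaddress.ip_address(report.client_ip)
    alloc = ipaddress.ip_network(report.allocation)  # strict: must be a proper network address
    if ip not in alloc:
        raise ValueError(f"{ip} is not inside {alloc}")
    if alloc.prefixlen >= 25:                  # microallocation: block the micro itself
        return alloc
    if report.kind in ("hosting", "dynamic"):  # whole allocation goes
        return alloc
    if report.kind == "compromised":           # big allocation, one bad host: its /24
        return ipaddress.ip_network(f"{ip}/24", strict=False)
    raise ValueError(f"unknown report kind {report.kind!r}")


class CidrBlocklist:
    """Ordered list of blocked networks with covering-entry de-duplication."""

    def __init__(self, nets=()):
        self.nets = [ipaddress.ip_network(n) for n in nets]

    def covering(self, ip: str):
        """The first entry that covers ip, or None if the client is not blocked."""
        addr = ipaddress.ip_address(ip)
        return next((n for n in self.nets if addr in n), None)

    def add(self, net) -> bool:
        """Add net unless an existing entry already covers it; drop entries it swallows."""
        net = ipaddress.ip_network(net)
        if any(net.subnet_of(n) for n in self.nets):
            return False
        self.nets = [n for n in self.nets if not n.subnet_of(net)] + [net]
        return True

    def render(self, reason: str = "banned for abuse") -> str:
        """Postfix cidr: table body for 'check_client_access cidr:/etc/postfix/client_blocks'.

        Postfix prefixes the REJECT text with '<client>: Client host rejected: ',
        which is how the 554 line in the bounce above is produced.
        """
        return "\n".join(f"{n} REJECT {n} {reason}" for n in self.nets)


if __name__ == "__main__":
    bl = CidrBlocklist(["85.0.0.0/8"])  # the block that bounced the list post
    # constructed report: a single owned box inside a German ISP /18
    bl.add(block_for(AbuseReport("85.10.225.64", "85.10.192.0/18", "compromised")))
    print(bl.render())
```

Adding the /24 above changes nothing because 85.0.0.0/8 already covers it; `add` reports that, which is the check you want before the list grows past what the MTA can reload quickly.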
Date: Fri, 20 Oct 2006 15:35:58 +0200
From: Eugen Leitl <eugen[at]leitl.org>
To: "J.A. Terranson" <measl[at]mfn.org>, cypherpunks[at]jfet.org
Subject: Re: Client host rejected: 85/8 banned for abuse

On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:

> Ahhh, but I have a *lot* more flexibility here than SPEWS does.  I can
> set filters by individuals, and I have little need for the vast majority
> of IP space - therefore I filter very hyperagressively for this domain.

The nice thing is that you never see those false positives. But for this
list, you'd never have seen my message.

> Prior to this "overreaction", I was receiving approximately 25K spam

Wow, wonder how you managed to attract that. I only get several hundred
a day (malware is already filtered at MTA level), which spamassassin
catches quantitatively. I'm thinking about starting blocking
.gif/.jpeg/.png by MTA, which would catch the rest of them. If I ever got
fancy I could use greylisting and firewall throttling of Windows hosts,
or similar shenanigans. But, blocking by RBL, never.

> emails per day (on an *average* day - there have been *much* worse!).
> Now, I see less than several hundred: a fair trade for the rare false
> positive (about 75% of which come from this list, and of which I see less
> than a dozen per year).
>
> I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
> America, Israel, Russia and neighboring real estate... You get the idea.

I get the idea. You could just block the entire IP address space, which
would cut your spam rate down to zero. Ever tried that?

> The policy here is that if an abusive email gets through:
> (1) If generated by a hosting company, the entire allocation to that
> hosting company is blocked;
> (2) If from dynamic space, it was missed the first time, so added now;
> (3) If from a microallocation (/25-/32) I block the micro, and if from a
> company with significant space, but what appears to be just a compromised
> host, the /24 in which that host lives.
>
> It works.

I would call it the "nuclear glass approach" to spam. If this works
for you, great, but I don't know too many people who'd subscribe to your
approach (to which RBL hardcore nazis look like teletubbies).

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
Date: Fri, 20 Oct 2006 21:50:02 -0700
To: Eugen Leitl <eugen[at]leitl.org>
From: Bill Stewart <bill.stewart[at]pobox.com>
Subject: Re: Client host rejected: 85/8 banned for abuse
Cc: "J.A. Terranson" <measl[at]mfn.org>, cypherpunks[at]jfet.org

At 06:35 AM 10/20/2006, Eugen Leitl wrote:
>On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:
> > Prior to this "overreaction", I was receiving approximately 25K spam
>Wow, wonder how you managed to attract that.

It's easy to attract a lot of spam - luck of the draw, or having your
name widely spread in archives, or having ever provided free email
services.

>I'm thinking about starting blocking .gif/.jpeg/.png by MTA, [...]

Also overkill, but highly effective.

>If I ever got fancy I could use greylisting and firewall throttling

Greylisting turns out to be a big big win - most zombieware doesn't
ever retry, so you lose that spam.

Another popular spammer trick lately has been to hijack unused address
space, usually unused small blocks in larger allocations, spamming madly
for a few minutes, then dropping the BGP advertisement so nobody can
traceroute back, and never reusing addresses so you don't care if it's
blacklisted.  Greylisting totally protects you from this technique,
because a typical half-hour delay means that the spammer's gone, but
Alif's techniques are likely to lead to the legitimate space getting
blacklisted, while the spammer is living behind some entirely different
ISP that openly accepts bogus BGP requests.

Another defense against this spammer trick, if you've got a big enough
network connection to accept full BGP routes (i.e. you're a medium-large
service provider, but not a home system) is to not accept any email from
a BGP address block that has existed for fewer than 24 hours or some
similar threshold that's long enough to make address thieves go away or
get traced, but short enough to not bother legitimate email much
("453 The Wizard Says Go Away and Come Back Tomorrow").

> > I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
> > America, Israel, Russia and neighboring real estate... You get the idea.

The ISP where I get most of my email lets users pick countries or
regions to reject mail from, using lists that are more precise than
"burn the /8".  I decided a few years ago to reject all mail from China,
Korea, Brazil, and Argentina, and that cut out more than half my spam
load, and I didn't know anybody from those countries; I'll accept mail
from Japan and Israel but it gets extra filtering, since I do know some
people there but it's mostly spam (unfortunately, they don't have an
option to filter by character set; anything in alphabets I don't read
is highly likely to be spam, though at work I do get email in mixed
English and Japanese or Chinese...)

>...
>I would call it the "nuclear glass approach" to spam. If this works
>for you, great, but I don't know too many people who'd subscribe to your
>approach (to which RBL hardcore nazis look like teletubbies).

A _real_ nuclear glass approach would be to start advertising BGP routes
for the addresses that spam you, which would drop them off the net for
anybody who's within a few hops of you, and wouldn't even give you much
extra network traffic, because it would kill the TCP handshake responses
from any new email sessions.  I work at a Tier 1 ISP, which would mean
that it would be blocked from most of the US, and somebody with a LINX
account could do the same for half of Europe, but fortunately they don't
give me the keys on days that the spammers have been makin' the ganglia
twitch... and you could accomplish the same thing non-destructively with
a block-list if enough people trusted your service.

In reality a legitimate ISP would never do this or permit their users to
do it, because it could not only cause chaos for the entire Internet, but
it would trivially blow through the route-cached capacity of most of the
routers on the Internet.  There was an event a decade or so ago when some
small ISP announced that their T1 line was the best route to reach
everything at Sprint or MAE-West or something, so about 1/3 of the
traffic on the Internet was trying to get through there before the line
smoked, and most ISPs put in a lot of route protection then.  The
address-space hijackers shouldn't be able to do it either, but there are
enough ISPs that are sloppy about managing route advertisements that they
get away with it.
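To make the mechanics of the two defenses Bill describes concrete, here is an added Python sketch (not from the thread, not anyone's production code): a greylisting decision keyed on the (client /24, sender, recipient) triplet with the half-hour retry delay he mentions, in front of it a gate that temp-fails mail from any announced prefix younger than 24 hours. The route-age table, the 8-hour triplet expiry, the reply texts and the sample traffic are all constructed; a real deployment would feed the route table from a BGP collector and run the `decide` logic as the MTA's policy service.

```python
"""Greylisting plus a route-age gate, as a toy SMTP access-policy decision.

Two ideas from the message above:
  * greylisting: temp-fail the first attempt of a (client, from, to) triplet and
    accept a retry after a delay; one-shot zombies never come back.
  * route age: refuse mail from a prefix that was announced less than a day ago,
    which is exactly the announce-spam-withdraw pattern the hijackers use.
"""
import ipaddress
from dataclasses import dataclass, field

GREYLIST_DELAY = 30 * 60       # the "typical half-hour delay" before a retry is accepted
GREYLIST_WINDOW = 8 * 3600     # a triplet not retried within this is forgotten (assumed)
ROUTE_MIN_AGE = 24 * 3600      # "fewer than 24 hours" threshold from the message

DEFER = (450, "4.7.1 Greylisted, please retry later")
TOO_YOUNG = (450, "4.7.1 The Wizard Says Go Away and Come Back Tomorrow")
ACCEPT = (250, "2.0.0 OK")


@dataclass
class Policy:
    # prefix string -> epoch seconds when the BGP announcement was first observed
    route_first_seen: dict = field(default_factory=dict)
    # (client /24, mail_from, rcpt_to) -> epoch seconds of the first delivery attempt
    triplets: dict = field(default_factory=dict)

    def route_age(self, now, client_ip):
        """Age of the most specific known prefix covering client_ip, or None if unknown."""
        addr = ipaddress.ip_address(client_ip)
        best = None
        for prefix, seen in self.route_first_seen.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, seen)
        return None if best is None else now - best[1]

    def decide(self, now, client_ip, mail_from, rcpt_to):
        """Return the (code, text) the MTA should answer at RCPT TO."""
        age = self.route_age(now, client_ip)
        if age is not None and age < ROUTE_MIN_AGE:
            return TOO_YOUNG
        # key on the client's /24 so a retry from a sibling host in a sending farm matches
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (net, mail_from.lower(), rcpt_to.lower())
        first = self.triplets.get(key)
        if first is None or now - first > GREYLIST_WINDOW:
            self.triplets[key] = now        # new (or stale) triplet: start the clock
            return DEFER
        if now - first < GREYLIST_DELAY:    # came back, but too soon
            return DEFER
        return ACCEPT


def demo():
    """Constructed traffic: a retrying MTA, a fire-and-forget zombie, a hijacked prefix."""
    t0 = 1_161_370_000  # an epoch time in October 2006 (constructed)
    policy = Policy(route_first_seen={
        "85.10.192.0/18": t0 - 400 * 86400,   # long-lived ISP allocation (age constructed)
        "192.0.2.0/24": t0 - 10 * 60,         # prefix that appeared ten minutes ago (constructed)
    })
    legit = ("85.10.225.64", "sender@example.org", "list@example.net")
    zombie = ("198.51.100.7", "bogus@example.com", "victim@example.net")
    hijack = ("192.0.2.9", "pump@example.com", "victim@example.net")
    attempts = [
        (t0,           *legit),    # first contact: greylisted
        (t0 + 5 * 60,  *legit),    # retried too soon: still greylisted
        (t0 + 35 * 60, *legit),    # past the half-hour delay: accepted
        (t0 + 60,      *zombie),   # one shot, never comes back
        (t0 + 120,     *hijack),   # retries dutifully, but the route is minutes old
        (t0 + 40 * 60, *hijack),
    ]
    return [policy.decide(*a)[0] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

The hijacked prefix is refused on both attempts even though it retries correctly, so the route-age gate catches the case greylisting alone would let through once the announcement outlives the delay; the zombie's single attempt is deferred and never followed up, which is the win Bill describes.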