1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Spambag

Discussion in 'Networks' started by zebulebu, Oct 27, 2006.

  1. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Had an interesting incident at work today. Our mail is routed through a government-maintained network, run by an accredited provider to ensure compliance is maintained with all the ridiculously detailed policies that we need to ensure are upheld.

    Late in the afternoon I got a call escalated to me by second line support, who were unable to figure out why mails to a certain domain were often being dropped. Quick & dirty analysis of the headers in the NDR showed that the domain that the mails were going to was being 'protected' by spambag.org.

    Now I've come across this RBL before - I remember a couple of years back the maintainers took at upon themselves to block every single IP run by one of the largest telcos in the world as they had, allegedly, been lax in convincing one customer to stop implementing their mail servers as open relays. I had hoped that they'd changed their ever-so-slightly-paranoid ways, but it would appear not.

    Our mail is relayed out by any one of eight relays and, interestingly, only one of them has been 'identified' as a spam source. It is technically impossible for this particular relay to be configured and implemented any differently than any of the other seven, so I'm not entirely sure why this particular one has been blacklisted.

    Anyhoo, long story short, I have contacted the mail admin at the organisation concerned and advised them to talk to the maintainers of spambag about getting that address removed, or at the very least putting it in a manual whitelist until they pull their fingers out of their arses. I've also suggested that they use a 'real' RBL - as opposed to one which still has the air of being maintained by a nanae-nut from 1998.

    Honestly, I wish admins would realise that all these stupid little homebrew RBLs are actually making the spam problem WORSE than it should be. With modern spamming techniques, they're utterly useless anyway and just serve to piss off people with their ridiculously over-zealous listing policies. By the time an effective botnet gets identified, Mr Spammer will already have sent a ridiculous amount of spam from his zombie army and moved on to the next one. If the frothing-at-the-mouth crowd would only concentrate their resources on helping spamhaus et al develop a reliable, robust set of XBLs it would certainly help to eliminate the irritating problem I've had today. Still - i suppose that, whilst organisations like the one I've been dealing with today are stupid enough to use them, these independent RBLs will still exist and point to the 'S' on their chest as proof that they're 'serving the community'

    (gets off soapbox, has a beer to relax...)
     
    Certifications: A few
    WIP: None - f*** 'em
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    I had a similar problem a few weeks ago. A client could not sent emails to a domain as supposedly the I.P was blacklisted for spam. Eh? The exchange server was fine, no silly ‘open relay’ config and was patched up and AV was installed. The server was being blocked by sorbs.net.

    After following all the instructions on the email I signed up to remove the I.P but this was ‘rejected’. Arrgh! After closer investigation it appears that sorbs.net had blocked a range of I.Ps provided by the ISP and it just so happened that my client has one of the I.Ps.

    I contacted the ISP and said they are aware of the problem and are trying to get the I.Ps removed from the black lists!

    Complete waste of time! I don’t know why companies cant invest in a decent spam solution. :mad
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    I hear your pain. I've been victim of the 'bulk block' before - or rather, a client has. They weren't too happy when I turned up and went through their NDRs, figured out the problem and told them it was because one of the ranges the (rather small) ISP used was blocked by one of the smaller RBLs as a spammer haven - despite no other RBL/XBL identifying it as such. this wouldn't have been a problem, except almost every client this organisation communicated with on a regular basis used the same RBL...

    Its frankly a shabby state of affairs to be in. I've little sympathy for mail/security admins that use these extra-paranoid lists either - they should know better and, if they don't, research the subject properly before just jumping in feet first with any old provider.

    I've no doubt that the organisation I'm dealing with at the moment has a decent spam-filtering solution in place. I know for a fact that their ISP uses MessageLabs, which should knock out around 98% of open relay & botnet spam. It would appear that, unfortunately, someone has been a little over-zealous internally and implemented an RBL-based solution on top of this.

    Its very frustrating...
     
    Certifications: A few
    WIP: None - f*** 'em
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    IMHO for too many companies using some random black-list system saves them from thinking (which hurts them).

    People who actualy understand how mail/spam/etc works are rare. The rest just follow the herd.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Absolutely correct. I've been studying it for months now - when i started I 'thought' I knew about spam, but quickly discovered that I knew about 2% of the subject. Now I reckon I'm at around 20-25% of the knowledge level required to consider myself 'competent'.

    The whole area of RBLs/XBLs is a fuzzy one for me tbh. If someone sitting at home wants to create an RBL, then great - let 'em. However, I start to question the sense of mail admins using these lists (which are not sanity-checked) on their corporate mail servers. Like I think i said in the first post, if they all just got together and helped out Spamhaus and implemented a couple more XBLs between them for resiliency - preventing spammers from running a DDoS on what would amount to a SPOF - the spam problem would certainly be more effectively tackled.

    I'm currently working on a way of implementing IronMails at work. CipherTrust's stuff is frighteningly effective - unfortunately, their appliances don't have a native method of examining all IPs in a mail header - they only look at the last hop, which is useless for us because all our mail is screened and comes from the one trusted source!
     
    Certifications: A few
    WIP: None - f*** 'em
  6. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Sue me for giving this thread a bump, but it's close to my interests, and the input so far has been excellent. Thanks Guys ... look forward to more .....

    :)
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  7. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    EDIT: Just realised this thread still has the pixels drying onscreen - soz, my bad. Thought it was from the past !!!! :oops:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  8. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    zebulebu,

    What is a RBL?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  9. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Zeb correct me if I am wrong,

    but I think RBL stands for Realtime Blackhole List? It contains the IP addresses of identified spammers.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  10. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Hi prof.

    No - you're not wrong RBL does indeed stand for Realtime Blackhole List (for those who are interested, XBL stands for eXtended Block List - used by Spamhaus)

    Unfortunately, the nature of the various RBLs used by organisations in filtering spam has always been somewhat controversial. Many of them started life as lists run by people on an anti-spam crusade. Whilst ridding the world of spam may be a laudable sentiment, there are plenty of people out there who take things to extremes. A favourite technique of anti-spammers is blocking entire ranges of IPs used by ISPs if they deem them to be 'spammer-friendly'. This is done in order to put pressure on the ISP to curtail spam activity on their ranges. This has led, in the past, to ridiculousness like blocking a range of hundreds of thousands of Cable & Wireless IPs because of the actions of one spammer. Sadly, many of the RBLs in use by companies today are still maintained as a 'homebrew' shop by one nerd sitting in his parents' basement. This has led to the daft situation of multi-million dollar organisations (or, in my case, an enormous rail franchise) using lists of spammers that are drawn up at the whim of someone who has no commercial interest in the matter.

    What's frustrating about this, from my point of view, is that admins don't NEED to use any of these RBLs to combat spam. There are perfectly good commercial organisations dedicated to fighting spam that will provide you with a blackhole list that is carefully vetted, more regularly updated to identify bots & botnets, and less prone to placing entire RIPE/APNIC/ARIN/whatever ranges that have been assigned to a single ISP on a blocklist.

    There is oodles of controversy about this online - just trawl through some of the anti-spam newsgroups for more info.
     
    Certifications: A few
    WIP: None - f*** 'em
  11. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Good info Zeb, I dont know much about spam, but this is interesting to know.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  12. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    zebulebu,

    Firstly, thank you for confirming the meaning of "RBL."

    Secondly, there in lies the controversy. You stated "...using lists of spammers that are drawn up at the whim of someone who has no commercial interest in the matter." (emphasis mine). I've heard stories like said "commercial organizations" who have either voluntarily or involuntarily "sold their souls" to the "dark side." Case in point of involuntary sale of soul is Lavasoft's Ad-aware was forced by court order to remove blocking of Gator adware/spyware. Who knows which "commercial organization" has voluntarily sold their soul to adware/spyware/spam companies for the commercial interest of revenue and profits?

    Also, another issue of "commercial vs. non-commercial" is cost. Usually, commercial products cost more than non-commercial. Commerce itself wants to reduce costs as much as possible so that their profits are as high as possible. So if there's a lower cost non-commercial option to a higher cost commercial option, it is only an economically logical decision to go with the lower cost option. This is the same economically logical decision being made when choosing the lower cost Linux option to the higher cost Microsoft option.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  13. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Great post RH.

    I wasn't expecting this post to go buy without plenty of comment!

    When i wrote that line about 'Commercial Interest' I was tempted to put in a rider which said something like 'of course, this brings into the whole question of whether spamfighting should be a commercial task at all' - but I let it go because otherwise the post would have become too unwieldy.

    I am well aware of the LavaSoft case - as well as several others in recent months where supposed 'good guys' have 'sold their souls'. I mean, lets be honest here, the recent nonsense where BitTorrent have allegedly cut a deal which stops them from being liable for content violations in exchange for 'stamping out' illegal content is pretty laughable when you consider that, although P2P is a fantastic tool for marketing and sharing legit files, probably about 98% of the stuff shared via P2P is subject to copyright in some manner.

    I'm sure there are commercial organisations that have attempted to con people into buying their anti-spam stuff only for organisations to find out that it is either ineffective or actually attracts MORe spam. However, I can;t exactly see this being much of a viable business model, especially since spam is so visible to end-users. How long do you think it would take a company to figure out their new anti-spam provider had sold them down the river? About an hour I reckon. More than one or two instances of this would quickly result in said company being shut down.

    The cost issue is another good point too. Cost is always a consideration for any enterprise when purchasing technology - especially something that may have as significant a capital cost as a spam appliance/filtering software. However, whilst the sentiment of having something that runs on *nix/*nux looking after your mail because its lower-cost than its Windoze equivalent might be a mouth-watering one for many companies, there are plenty of other things to take into consideration which are often overlooked by open source proponents. Certainly not the least of these is the fact that there are far more skilled Windoze admins out there than there are nixnux guys. This makes the setting up and maintenance of an open-source mail server for a small business (i.e. one that can't afford dedicated IT support staff) much more problematic.
     
    Certifications: A few
    WIP: None - f*** 'em

Share This Page

Loading...