...making Linux just a little more fun!

Spammy Job Offer

Ben Okopnik [ben at linuxgazette.net]


Wed, 28 May 2008 19:15:41 -0400

[[[ This had some other Subject line when the spammer sent it out. I chose to replace it with something more accurate. -- Kat ]]]

On Tue, May 27, 2008 at 03:03:29PM -0600, XXXX XXXXXX wrote:

> 
> Hello,
> 
> My customer located in West Austin is searching for a recent graduate
> that has significant academic / internship experience with embedded
> software development.  They seek someone with C programming experience
> in a Linux / QNX environment.
> 
> If you or someone you know qualified, please call me or have them call me directly.
> 
> My number is XXX-XXX-XXXX

Thanks for letting us know... that you're a spammer. I will not, for the moment, report you to the Federal Trade Commission's "[email protected]", the FBI's Internet Fraud Complaint Center, or your state's attorney - but that's only because this is the first time you've done this here. For now, I'll grant you the courtesy of believing you to be completely clueless and ignorant rather than assuming that you knowingly violated Texas law (http://www.spamlaws.com/state/tx.shtml) as well as your network provider's Acceptable Use Policy.

I have, however, blocked you from this mailing list. Have a pleasant day.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Neil Youngman [ny at youngman.org.uk]


Thu, 29 May 2008 13:32:17 +0100

On Thursday 29 May 2008 13:33, Paul Sephton wrote:

>
> Our company operations department reports that 95% of all mail processed
> by our mail server is spam.

Have they tried greylisting? When my virtual host implemented greylisting the drop in SPAM was so marked that I wondered what was going on.

> Of course, when the spam filter incorrectly identifies mail as spam when
> it is not, a critical business communication might be lost.

Not much risk of that with greylisting. It does introduce occasional delays, but you should be able to live with that.

Neil




Paul Sephton [paul at inet.co.za]


Thu, 29 May 2008 14:33:05 +0200

On Thu, 2008-05-29 at 01:15, Ben Okopnik wrote:

> On Tue, May 27, 2008 at 03:03:29PM -0600, XXXX XXXXXX wrote:
> > 
> > Hello,
> > 
> > My customer located in West Austin is searching...

<snip>

> Thanks for letting us know... that you're a spammer. I will not, for the
> moment, report you to the Federal Trade Commission's "[email protected]", the
> FBI's Internet Fraud Complaint Center, or your state's attorney - but
> that's only because this is the first time you've done this here. For
> now, I'll grant you the courtesy of believing you to be completely
> clueless and ignorant rather than assuming that you knowingly violated
> Texas law (http://www.spamlaws.com/state/tx.shtml) as well as your
> network provider's Acceptable Use Policy.
> 
> I have, however, blocked you from this mailing list. Have a pleasant
> day.

Irritating, isn't it?

The worst part is that you have already paid him for using your bandwidth; you have, by providing him with the use of your server, and taking the time to answer him, effectively provided him with your services free of charge. To add insult to injury, spammers often format their mail using bandwidth-hungry graphics to bypass the spam filters.

Our company operations department reports that 95% of all mail processed by our mail server is spam.

Of course, when the spam filter incorrectly identifies mail as spam when it is not, a critical business communication might be lost.

Just how much money do you think countries around the world are losing each day due to

- loss of employee productivity

- loss of business opportunity

- unnecessary expenditure on hardware/software to deal with spam

- paying for the bandwidth that spammers use

Hugely irritating indeed




Paul Sephton [paul at inet.co.za]


Thu, 29 May 2008 18:33:03 +0200

On Thu, 2008-05-29 at 13:32 +0100, Neil Youngman wrote:

> On Thursday 29 May 2008 13:33, Paul Sephton wrote:
> >
> > Our company operations department reports that 95% of all mail processed
> > by our mail server is spam.
> 
> Have they tried greylisting? when my virtual host implemented greylisting the 
> drop in SPAM was so marked that I wondered what was going on.

Hey, you are right. I have not tried that yet. I just read up about it, and it's awesome. Thanks!

> > Of course, when the spam filter incorrectly identifies mail as spam when
> > it is not, a critical business communication might be lost.
> 
> Not much risk of that with greylisting. It does introduce occasional delays, 
> but you should be able to live with that.
> Neil

I certainly can live with the odd delay. I will suggest this to our ops manager first thing tomorrow.

Paul




Ben Okopnik [ben at linuxgazette.net]


Thu, 29 May 2008 12:54:45 -0400

On Thu, May 29, 2008 at 02:33:05PM +0200, Paul Sephton wrote:

> On Thu, 2008-05-29 at 01:15, Ben Okopnik wrote:
> > On Tue, May 27, 2008 at 03:03:29PM -0600, XXXX XXXXXX wrote:
> > > 
> > > Hello,
> > > 
> > > My customer located in West Austin is searching...
> 
> <snip>

[...]

> > I have, however, blocked you from this mailing list. Have a pleasant
> > day.
> 
> Irritating, isn't it?

Believe it or not, no. Given Rick Moen's prompt and careful attention to handling spam on this list, the greatest majority of it never makes it through - so the little that does is more of an opportunity for entertainment and dissection than an irritant.

> The worst part is that you have already paid him for using your
> bandwidth;  You have, by providing him with the use of your server, and
> taking the time to answer him, effectively provided him with your
> services free of charge.

If my "services" consist of potentially steering a clueless idiot into doing the right thing, he's more than welcome to them.

> Just how much money do you think country's around the world are losing
> each day due to
>    - loss of employee productivity
>    - loss of business opportunity
>    - unnecessary expenditure on hardware/software to deal with spam
>    - paying for the bandwidth that spammers use

No disagreement there. There are a few good solutions - Rick, for example, has written here in LG about SPF (SMTP-based spam blocking), and I've mentioned teergrubing (tarpitting) - but too few people implementing them. It's a problem that will remain a problem until a critical mass of people in responsible positions sign on to the necessity of making the effort to deal with it.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Paul Sephton [paul at inet.co.za]


Thu, 29 May 2008 20:00:12 +0200

On Thu, 2008-05-29 at 12:54 -0400, Ben Okopnik wrote:

> On Thu, May 29, 2008 at 02:33:05PM +0200, Paul Sephton wrote:
> > On Thu, 2008-05-29 at 01:15, Ben Okopnik wrote:
> > > On Tue, May 27, 2008 at 03:03:29PM -0600, XXXX XXXXXX wrote:
> > > > 
> > > > Hello,
> > > > 
> > > > My customer located in West Austin is searching...
> > 
> > <snip>
> 
> [...]
> 
> > > I have, however, blocked you from this mailing list. Have a pleasant
> > > day.
> > 
> > Irritating, isn't it?
> 
> Believe it or not, no. Given Rick Moen's prompt and careful attention to
> handling spam on this list, the greatest majority of it never makes it
> through - so the little that does is more of an opportunity for
> entertainment and dissection than an irritant.

Thanks, Rick...

> > The worst part is that you have already paid him for using your
> > bandwidth;  You have, by providing him with the use of your server, and
> > taking the time to answer him, effectively provided him with your
> > services free of charge.
> 
> If my "services" consist of potentially steering a clueless idiot into
> doing the right thing, he's more than welcome to them.

That's a very gracious attitude you have there. I am afraid I can't lay claim to the same. I get very irritated when technologists come up with a good idea such as e-mail which some unscrupulous business people immediately interpret as a free ride. MS is actually the exception - I'm actually grateful to them; if it were not for them driving the industry, I would not have the hardware I do to run Linux. They've even had a couple of good ideas on their own, I think.

> > Just how much money do you think country's around the world are losing
> > each day due to
> >    - loss of employee productivity
> >    - loss of business opportunity
> >    - unnecessary expenditure on hardware/software to deal with spam
> >    - paying for the bandwidth that spammers use
> 
> No disagreement there. There are a few good solutions - Rick, for
> example, has written here in LG about SPF (SMTP-based spam blocking),
> and I've mentioned teergrubing (tarpitting) - but too few people
> implementing them. It's a problem that will remain a problem until a
> critical mass of people in responsible positions sign on to the
> necessity of making the effort to deal with it.

...I thought I had tried most of the run of the mill things until Neil Youngman pointed me in the direction of "Greylisting" earlier today. It seems to be a very innovative solution to the problem, in that this should lead to an actual overall decrease in total volume of spam over time. I had heard of it previously, but never took the trouble to investigate.

Paul




Ben Okopnik [ben at linuxgazette.net]


Thu, 29 May 2008 14:15:07 -0400

On Thu, May 29, 2008 at 08:00:12PM +0200, Paul Sephton wrote:

> On Thu, 2008-05-29 at 12:54 -0400, Ben Okopnik wrote:
>  
> > If my "services" consist of potentially steering a clueless idiot into
> > doing the right thing, he's more than welcome to them.
> 
> That's a very gracious attitude you have there.  I am afraid I can't lay
> claim to the same.  I get very irritated when technologists come up with
> a good idea such as e-mail which some unscrupulous business people
> immediately interpret as a free ride.

This is something that happens with every single human invention; it's just a simple fact, known (or should be) to every inventor and discoverer - their inventions are going to be used for every purpose, including evil ones. It couldn't have been more than a second between the original discovery that a rock could be used to crack a coconut and the thought that it could also be used to crush an enemy's skull. Rutherford split the atom in 1919 and dreamed of free power for the entire world... and barely two decades later, millions of dollars were spent on focusing this new amazing discovery into the world's most powerful weapon. My only hope is that the idiots don't manage to kill us all off before we, as a race, grow up... I suppose you could call it the ultimate test of fitness. We may well go the way of the mammoths. As a humanist, I believe that we will survive; I have to, no other attitude makes sense. As a rational man, I see powerful weapons placed in the hands of the megalomaniacs and the idiots... and I have to hold on, hard, to my best hopes.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




René Pfeiffer [lynx at luchs.at]


Thu, 29 May 2008 21:38:57 +0200

On May 29, 2008 at 2000 +0200, Paul Sephton appeared and said:

> On Thu, 2008-05-29 at 12:54 -0400, Ben Okopnik wrote:
> > [...]
> > No disagreement there. There are a few good solutions - Rick, for
> > example, has written here in LG about SPF (SMTP-based spam blocking),
> > and I've mentioned teergrubing (tarpitting) - but too few people
> > implementing them. It's a problem that will remain a problem until a
> > critical mass of people in responsible positions sign on to the
> > necessity of making the effort to deal with it.
>
> ...I thought I had tried most of the run of the mill things until Neil
> Youngman pointed me in the direction of "Greylisting" earlier today.  It
> seems to be a very innovative solution to the problem, in that this
> should lead to an actual overall decrease in total volume of spam over
> time. [...]

It's pretty good at keeping some spam at bay, but the spammers are keeping up. Some mail admins already see spambots retrying. In addition to that most spam is now sent by using botnets. If you get frequent SMTP TCP connections from pools of dynamic addresses, the greylisting might not work. Until now it works, but it is only part of the mail filtering.

I use a combination of greylisting, (E)SMTP protocol checks, content checks, real-time blackhole lists, DSPAM (http://dspam.nuclearelephant.com/) and Spamassassin. Both DSPAM and Spamassassin get feedback of their false positives and negatives. I usually never see any spam emails; once a month some get through because DSPAM purges its old tokens from the database, but that's about it.

Best, René.
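
[[[ Added example, not part of René's message or of any list member's setup: a minimal greylisting decision keyed on the (client address, envelope sender, recipient) triplet, replayed over constructed delivery attempts to show which retries are accepted. The class name, the 300-second delay, the 4-hour retry window, the /24 option and all addresses are assumptions chosen for illustration. ]]]

```python
import ipaddress

TEMPFAIL, ACCEPT = 451, 250   # SMTP replies: "try again later" / "OK"


class Greylist:
    """Triplet greylisting: temp-fail first contact, accept a patient retry."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, by_subnet=False):
        self.min_delay = min_delay        # assumed: retry must wait this long
        self.retry_window = retry_window  # assumed: unconfirmed entries expire
        self.by_subnet = by_subnet        # key IPv4 clients by /24, not by host
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that retried correctly

    def _key(self, client_ip, sender, recipient):
        ip = ipaddress.ip_address(client_ip)
        if self.by_subnet and ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            client = str(net.network_address)
        else:
            client = str(ip)
        return (client, sender.lower(), recipient.lower())

    def check(self, now, client_ip, sender, recipient):
        key = self._key(client_ip, sender, recipient)
        if key in self.passed:
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now    # new (or expired) triplet: start clock
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL               # retried too quickly
        self.passed.add(key)
        return ACCEPT


# Constructed attempts: (seconds, client IP, envelope sender, recipient).
# Addresses come from the documentation ranges; domains are placeholders.
RCPT = "user@list.example"
ATTEMPTS = {
    "legit MTA, retries after 15 min": [
        (0, "192.0.2.10", "alice@good.example", RCPT),
        (900, "192.0.2.10", "alice@good.example", RCPT)],
    "bot, never retries": [
        (0, "198.51.100.7", "x@spam.example", RCPT)],
    "bot, retries too soon": [
        (0, "198.51.100.8", "x@spam.example", RCPT),
        (60, "198.51.100.8", "x@spam.example", RCPT)],
    "bot, retries after delay": [
        (0, "198.51.100.9", "x@spam.example", RCPT),
        (600, "198.51.100.9", "x@spam.example", RCPT)],
    "bot pool, new address each time": [
        (0, "203.0.113.1", "x@spam.example", RCPT),
        (600, "203.0.113.2", "x@spam.example", RCPT),
        (1200, "203.0.113.3", "x@spam.example", RCPT)],
}


def replay(by_subnet):
    """Run every scenario against a fresh greylist; return the reply codes."""
    results = {}
    for name, attempts in ATTEMPTS.items():
        greylist = Greylist(by_subnet=by_subnet)
        results[name] = [greylist.check(*a) for a in attempts]
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("keyed by /24" if mode else "keyed by host")
        for name, codes in replay(mode).items():
            print(f"  {name}: {codes}")
```

[[[ The replay shows the filter cannot tell a patient spambot from a real MTA: both get 250 on the second try, which is why greylisting sits beside the content and protocol checks rather than replacing them. ]]]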




Paul Sephton [paul at inet.co.za]


Thu, 29 May 2008 23:11:26 +0200

On Thu, 2008-05-29 at 14:15 -0400, Ben Okopnik wrote:

> On Thu, May 29, 2008 at 08:00:12PM +0200, Paul Sephton wrote:
> > On Thu, 2008-05-29 at 12:54 -0400, Ben Okopnik wrote:
> >  
> > > If my "services" consist of potentially steering a clueless idiot into
> > > doing the right thing, he's more than welcome to them.
> > 
> > That's a very gracious attitude you have there.  I am afraid I can't lay
> > claim to the same.  I get very irritated when technologists come up with
> > a good idea such as e-mail which some unscrupulous business people
> > immediately interpret as a free ride.
> 
> This is something that happens with every single human invention; it's
> just a simple fact, known (or should be) to every inventor and
> discoverer - their inventions are going to be used for every purpose,
> including evil ones. It couldn't have been more than a second between
> the original discovery that a rock could be used to crack a coconut and
> the thought that it could also be used to crush an enemy's skull.

I tend to think that humanity first discovered that a rock could crush someone's skull, and the coconut was an afterthought, but then again I'm a cynic....




Ben Okopnik [ben at linuxgazette.net]


Thu, 29 May 2008 20:19:45 -0400

On Thu, May 29, 2008 at 11:11:26PM +0200, Paul Sephton wrote:

> On Thu, 2008-05-29 at 14:15 -0400, Ben Okopnik wrote:
> > 
> > This is something that happens with every single human invention; it's
> > just a simple fact, known (or should be) to every inventor and
> > discoverer - their inventions are going to be used for every purpose,
> > including evil ones. It couldn't have been more than a second between
> > the original discovery that a rock could be used to crack a coconut and
> > the thought that it could also be used to crush an enemy's skull.
> 
> I tend to think that humanity first discovered that a rock could crush
> someone's skull, and the coconut was an afterthought, but then again I'm
> a cynic....

I have to admit to having thought that way in the past - until I realized just how passive and supine a position pessimism represents. That view, I realized, was not consistent with my belief in myself as a man of integrity and courage. Out the door it went, with a "...and stay out!" and a boot in the ass to help it on its way. :)

...voluntary cooperation in a win-win mode is the rule in 99.95% of
human interactions, otherwise the streets would run with blood. Trade in
the market, ordinary social communication, and even our use of language
with each other are all systems of voluntary cooperation far more
elaborate than the open-source movement. Yet those we take for granted
and do not even register as cooperation, persisting despite the evidence
of our own daily experience in the belief the "natural" behavior of
human beings is a sort of dog-eat-dog Hobbesian strife [...] It's absurd
when you think about it.
 -- Eric S. Raymond
-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Deividson Okopnik [deivid.okop at gmail.com]


Fri, 30 May 2008 10:09:22 -0300

If you use spamassassin, you might want to try Traffic Control 3 too - it's a nice add-on that just got a free-for-non-commercial-use licence.

Some info can be found here: http://news.mailchannels.com/ and download links here: http://www.mailchannels.com/download/




Rick Moen [rick at linuxmafia.com]


Fri, 30 May 2008 19:23:54 -0700

Quoting Ben Okopnik ([email protected]):

> On Thu, May 29, 2008 at 11:11:26PM +0200, Paul Sephton wrote:
> > I tend to think that humanity first discovered that a rock could
> > crush someone's skull, and the coconut was an afterthought, but then
> > again I'm a cynic....
>
> I have to admit to having thought that way in the past - until I
> realized just how passive and supine a position pessimism represents.

It may or may not feed your pessimism to hear that, on initial parse of Paul's sentence, my reaction was "Wait, a coconut is a pretty poor tool for crushing someone's skull, isn't it?"

-- 
Cheers,                                     The Viking's Reminder:
Rick Moen                                   Pillage first, then burn.
[email protected]




Rick Moen [rick at linuxmafia.com]


Fri, 30 May 2008 19:36:16 -0700

Quoting Ben Okopnik ([email protected]):

> Believe it or not, no. Given Rick Moen's prompt and careful attention to
> handling spam on this list, the greatest majority of it never makes it
> through - so the little that does is more of an opportunity for
> entertainment and dissection than an irritant.

Rick does his best[0] on badly overstrained 11-year-old hardware[1] running a system whose pending rebuild on less-ancient hardware is overdue. Greylisting is a must, after completing migration to the replacement host, and meanwhile one of the more effective things I do to tune the existing setup is feed recent spam to the Bayesian classifier. I resumed doing the Bayesian retraining within the past couple of weeks, after neglecting it for a long time. The improvement was immediate and dramatic.

> No disagreement there. There are a few good solutions - Rick, for
> example, has written here in LG about SPF (SMTP-based spam
> blocking)...

SPF doesn't block spam. It does permit detecting and disallowing of "Joe-job" forgeries, which is a valuable thing in itself.

[0] For values of "best" approximating benign neglect at best with a good additional dose of "the cobbler's children going barefoot", for good measure.

[1] I have everything I need, except free time. Existing system description, for comedy's sake: circa-1997 VA Research, Inc. model 500 2U rackmount server, w/256MB RAM and 2 x 9GB SCSI-2 hard drives -- which also runs all of my other Internet operations including usage by quite a few remote shell users -- one of whom is, like me, a GNU Screen addict, which is death to available RAM.




Ben Okopnik [ben at linuxgazette.net]


Sat, 31 May 2008 00:14:20 -0400

On Fri, May 30, 2008 at 07:23:54PM -0700, Rick Moen wrote:

> Quoting Ben Okopnik ([email protected]):
> > On Thu, May 29, 2008 at 11:11:26PM +0200, Paul Sephton wrote:
> 
> > > I tend to think that humanity first discovered that a rock could
> > > crush someone's skull, and the coconut was an afterthought, but then
> > > again I'm a cynic....
> >
> > I have to admit to having thought that way in the past - until I
> > realized just how passive and supine a position pessimism represents.
> 
> It may or may not feed your pessimism to hear that, on initial parse of
> Paul's sentence, my reaction was "Wait, a coconut is a pretty poor tool
> for crushing someone's skull, isn't it?"

As any good Viking could have told you, it's an awful tool for crushing a skull... mainly because the nearest coconuts were several thousand miles away. A rock was much handier. :)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Ben Okopnik [ben at linuxgazette.net]


Sat, 31 May 2008 00:32:03 -0400

On Fri, May 30, 2008 at 07:36:16PM -0700, Rick Moen wrote:

> Quoting Ben Okopnik ([email protected]):
> 
> > There are a few good solutions - Rick, for
> > example, has written here in LG about SPF (SMTP-based spam
> > blocking)...
> 
> SPF doesn't block spam.  It does permit detecting and disallowing of
> "Joe-job" forgeries, which is a valuable thing in itself.

You're right; it's not a directly-intended result. However, it does tend to block spam as a secondary effect in many cases - since spammers often spoof the source addresses to get around the RBL and such.

The interesting part of this is that a lot of spammers are publishing their SPF records in order to pass SPF checks. This, as I see it, is a big win: if you're spammed from a server that has a published SPF record, you will now know that it's that server rather than some spoofed victim - and will be able to deal with it appropriately.

> [0] For values of "best" approximating benign neglect at best with a
> good additional dose of "the cobbler's children going barefoot", for
> good measure.

Your "benign neglect" has worked quite well over time. I recall what it was like before you took up the job.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Rick Moen [rick at linuxmafia.com]


Fri, 30 May 2008 21:52:30 -0700

Quoting Ben Okopnik ([email protected]):

[SPF:]

> You're right; it's not a directly-intended result. However, it does
> tends to block spam as a secondary effect in many cases - since spammers
> often spoof the source addresses to get around the RBL and such.
> 
> The interesting part of this is that a lot of spammers are publishing
> their SPF records in order to pass SPF checks. This, as I see it, is a
> big win: if you're spammed from a server that has a published SPF
> record, you will now know that it's that server rather than some
> spoofed victim - and will be able to deal with it appropriately.

Yes. In fact, right there, you've efficiently recapped the entire now-traditional series of debate points on SPF.[1] Well done. ;->

I spoke up mostly because the most-common, and least sensible, criticism of SPF is that it "does nothing to block spam, and spammers merely publish SPF records" -- which misses the point entirely, for exactly the reasons you cite, and wastes readers' time on a red herring. (Also, even if SPF didn't ensure that reputation loss affected the real malefactors' sending domains, its ability to protect reputable domains from forgery would be worthwhile.)

[1] Well, almost. The collection would be complete if we had "SPF is no good because it's not the same as DKIM/Domain Keys." This is a moronic argument for a number of reasons, including the fact that the two schemes for authenticating envelope senders are not mutually exclusive. (For completeness's sake, I'll also mention Microsoft's extension to SPF, called "SenderID", but it has patent-encumbrance problems.)




Rick Moen [rick at linuxmafia.com]


Fri, 13 Jun 2008 14:00:57 -0700

Speaking of my strategy, here's me getting the sharp end of someone else being awfully militant -- and, in my view, overreacting to my system's spam-detection measures.

Date: Fri, 13 Jun 2008 13:54:54 -0700
From: Rick Moen <[email protected]>
To: Keith Burris <[email protected]>
Cc: [email protected]
Subject: Re: [Fwd: Mail delivery failed: returning message to sender]

Quoting Keith Burris ([email protected]):

> I'm sending this to let you know, if you're not already aware, that
> [198.144.195.186] is listed on the backscatterer.org RBL. We're kind of
> aggressive and block rather than increment the message's SA score.
> 
> Usually that works OK but this is a case where it doesn't.
> 
> I'll whitelist [198.144.195.186] on our end.
> 
> I am a little surprised that you're using call backs, though.

Hi, Keith. I do use a particular type of callout, in a way that I have taken care to make sure is (IMO, and I'm willing to be convinced otherwise) not abusive.

1. I recognise backscatter to be a very serious problem, and try to make sure my systems are not guilty of same.

2. My Exim4 MTA is configured to callout to the claimed delivering domain's MX and test using RCPT TO (_not_ VRFY) that the claimed sender address is deliverable, and that postmaster@ and abuse@ are deliverable. Claimed delivering domains that fail those tests get told 550.

It doesn't perform these tests on every attempted delivery; test results get cached and reused, specifically to avoid abuse.

The guidelines at http://www.backscatterer.org/index.php?target=sendercallouts seem to suggest that systems get listed if they do such callouts at all, without regard to whether the level of such traffic is problematic or not. I understand their perspective, but do not concur with the implied "No level of callouts is permissible" assumption.

I attempt to operate a reputable mail system -- though of course I could be misguided or be guilty of operating a misconfigured system. I'll study the backscatterer.org RBL docs more closely, but my immediate inclination is that I'm not misguided in this case.

Best Regards, Rick Moen, owner/sysadmin of 198.144.195.186 (linuxmafia.com, unixmercenary.net, and lists.linuxgazette.net) 650-283-7902 cellular
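
[[[ Added example, not Rick's Exim4 configuration: the callout policy described in the message above (RCPT TO probes for the claimed sender, postmaster@ and abuse@, with cached results and a 550 on failure) written out as a small Python model. The probe hook, the cache lifetime, the 451 deferral on a temporary callout failure, the acceptance of the null sender and all domains are assumptions made for the illustration. ]]]

```python
import time

ACCEPT, DEFER, REJECT = 250, 451, 550


class CalloutVerifier:
    """Sender-callout policy with a result cache (illustrative model only)."""

    def __init__(self, probe, ttl=7 * 24 * 3600, clock=time.time):
        # probe(domain, address) is a hypothetical hook returning the SMTP
        # reply code the domain's MX gives to "RCPT TO:<address>".
        self.probe = probe
        self.ttl = ttl                # assumed cache lifetime in seconds
        self.clock = clock
        self.cache = {}               # address -> (checked_at, deliverable)
        self.probes_sent = 0          # how much callout traffic we generate

    def _deliverable(self, domain, address):
        """True/False from cache or a fresh probe; None on a temporary error."""
        now = self.clock()
        hit = self.cache.get(address)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]             # reuse the result, no traffic to the MX
        self.probes_sent += 1
        code = self.probe(domain, address)
        if 400 <= code < 500:
            return None               # assumed: never cache a transient failure
        deliverable = 200 <= code < 300
        self.cache[address] = (now, deliverable)
        return deliverable

    def check_sender(self, envelope_sender):
        """Reply code for MAIL FROM, given the claimed envelope sender."""
        sender = envelope_sender.strip().strip("<>").lower()
        if sender == "":
            return ACCEPT             # assumed: null sender (bounces) is exempt
        local, at, domain = sender.rpartition("@")
        if not at or not local or not domain:
            return REJECT             # not a usable address at all
        for address in (sender, "postmaster@" + domain, "abuse@" + domain):
            result = self._deliverable(domain, address)
            if result is None:
                return DEFER          # assumed: ask the client to retry later
            if not result:
                return REJECT         # failed callout: told 550
        return ACCEPT


# Constructed stand-in for remote MXes: domain -> mailboxes that accept RCPT.
CONSTRUCTED_MX = {
    "good.example": {"alice@good.example", "postmaster@good.example",
                     "abuse@good.example"},
    "norole.example": {"bob@norole.example", "postmaster@norole.example"},
}


def constructed_probe(domain, address):
    if domain == "busy.example":
        return 451                    # remote MX temporarily unavailable
    mailboxes = CONSTRUCTED_MX.get(domain)
    if mailboxes is None:
        return 550                    # forged or non-existent domain
    return 250 if address in mailboxes else 550


def demo():
    """Return the verdicts for five constructed senders and the probe count."""
    verifier = CalloutVerifier(constructed_probe, ttl=3600, clock=lambda: 0.0)
    senders = ["<alice@good.example>", "alice@good.example",
               "bob@norole.example", "x@busy.example", "<>"]
    return [verifier.check_sender(s) for s in senders], verifier.probes_sent


if __name__ == "__main__":
    print(demo())
```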




Rick Moen [rick at linuxmafia.com]


Fri, 13 Jun 2008 15:28:22 -0700

I of course wrote back to thank him.

(If we publish this thread, we should redact out his contact telephone numbers, please. Mine, by contrast, is completely public.)

[[[ Done else-thread as well. -- Kat ]]]

----- Forwarded message from Keith Burris <[email protected]> -----

Date: Fri, 13 Jun 2008 15:23:55 -0700 (PDT)
From: Keith Burris <[email protected]>
To: Rick Moen <[email protected]>
Cc: [email protected]
Subject: Re: [Fwd: Mail delivery failed: returning message to sender]

Hi, Rick --

<snip>

>
> The guidelines at
> http://www.backscatterer.org/index.php?target=sendercallouts seem to
> suggest that systems get listed if they do such callouts at all, without
> regard to whether the level of such traffic is problematic or not.  I
> understand their perspective, but do not concur with the implied "No
> level of callouts is permissible" assumption.
>

Given that we drop before DATA (unless postmaster@ or abuse@) if a system is on the backscatterer.org RBL, I guess that's more-or-less implicit agreement with the assumption on our part. I'm not so sure I'm comfortable with that decision. It's been a while since I implemented that RBL and I don't recall them having a "wait for the listing to expire or pay us 50 euros" policy which I see there today. That adds to my discomfort level.

> I attempt to operate a reputable mail system -- though of course I could
> be misguided or be guilty of operating a misconfigured system.  I'll
> study the backscatterer.org RBL docs more closely, but my immediate
> inclination is that I'm not misguided in this case.
>

Sure. I didn't mean to suggest otherwise. I added linuxmafia.com server to our whitelist because I felt that backscatterer.org got it wrong; I saw no reason to honor their listing. In writing you, I just wanted to point out that the server was listed there.

Regards.

Keith

----- End forwarded message -----

