SpamOps claims about Email Authentication and open relays

Dean Anderson <dean@av8.com> Fri, 24 June 2005 23:09 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DlxIh-0003ED-Ck; Fri, 24 Jun 2005 19:09:31 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DlxIf-0003E5-Cq for ietf@megatron.ietf.org; Fri, 24 Jun 2005 19:09:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA06248 for <ietf@ietf.org>; Fri, 24 Jun 2005 19:09:26 -0400 (EDT)
Received: from cirrus.av8.net ([130.105.36.66]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DlxhF-0000q1-Rw for ietf@ietf.org; Fri, 24 Jun 2005 19:34:56 -0400
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id j5ON91Ki002313 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 24 Jun 2005 19:09:03 -0400
Date: Fri, 24 Jun 2005 19:09:00 -0400
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@cirrus.av8.net
To: Doug Royer <Doug@Royer.com>
In-Reply-To: <42BA081C.20101@Royer.com>
Message-ID: <Pine.LNX.4.44.0506241722160.32315-100000@cirrus.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 2.7 (++)
X-Scan-Signature: ee80a2074afbfe28d15369f4e74e579d
Cc: ietf@ietf.org
Subject: SpamOps claims about Email Authentication and open relays
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

Brian Carpenter asked that the subject be changed.  I've also removed the 
IESG from the cc-list.

Doug, you've been misled. Inline.


On Wed, 22 Jun 2005, Doug Royer wrote:
> I have not been following this topic closely.
> To the point of open relays being a problem.
> 
> I think that the judgment as to if open relays are a problem
> or not depends on which spam lists you are on.
> 
> With my system and by grep-ing through my last 4 weeks of logs
> there were 22,870 of 26,157 spams blocked by my usage of two open
> relay DNS-black lists blocking them from 14,131 UNIQUE IP addresses.

You cannot know from logs whether you are blocking spam or ham. You can
only see that you blocked messages. Like many before you, you've been
misled, but you probably feel much better thinking that you are blocking 
spam.

I'm not sure which blacklists you consider being "open relay" blacklists.
Since fall 2003 after most of the open relay blacklists shut, the
remaining "blacklists" don't search for or block open relays anymore
(though SORBS started up in March 2005). Indeed, Matthew Sullivan of SORBS
recently tried to convince people on Nanog that he/SORBS was never
interested in open relays, but rather in open proxies. This claim (like
many of Sullivan's) is belied by the facts: SORBS stands for "Spam and
Open Relay Blocklist", and there is a SORBS project on sourceforge from
2002, with an open relay scanner program.

> 6,676 of which have no reverse-DNS. They seem to be in IP blocks of 
> 10-12. The other 2,616 spams that were DNS-blocked were from
> non-open-relay lists. I still get 20-50 spams that make it to
> my inbox every day.
> 
> The SORBS pages say they have over 3 Million such open relay or open
> proxy (hacked or not) sites.

SORBS/Sullivan is a documented liar, and Sullivan's associate Alan Brown
(formerly of ORBS) has been proven in court to be a liar on 3 separate
court cases.  And Brown's only regret in those cases is that he told the
court the truth when asked if he had subscribers. ORBS was shut for
contempt of court when Brown published his blacklist instead of complying
with a court order to remove false entries.  You should review
http://www.iadl.org, although it is not complete.

> Spammers seem to set up open relays and use them. 

I think you are incorrectly analyzing headers. See below.

> And as I do not think that there are 14 thousand spammers, my guess is
> that the spammer machines change their IP nightly or find a lot of open
> relays.

I keep logs of TCP SYN packets to port 25 over a group of about 68,000 IP
addresses, and run non-production queue-only relays that serve as
honeypots for open relay scanning.  No one is scanning for open relays,
and no one has been scanning since most of the open relay blacklists shut
in 2003, with the exception of SORBS which only restarted in March.  
Prior to 2003, only open relay blacklists were doing the scanning. We
tested these blacklists as previously described, and found that they were
associated with, and a necessary component to open relay abuse. Block the 
open relay blacklists and prevent their scanning, and open relays aren't 
abused.

Further, I don't delete or block spam to several personal mailboxes.  
Years ago, I used to be able to go through my recently received spam and
quickly find an open relay abuse delivering spam to my av8 (and non av8)
email addresses. Today, this is the closest I could find:

Received: from dial-66-59-238-35.lcinet.net (dial-66-59-238-35.lcinet.net 
[66.59.238.35])
        by odie.av8.com (8.9.3/8.8.5) with SMTP id QAA24726
        for <uucp@av8.com>; Fri, 24 Jun 2005 16:43:27 -0400 (EDT)
Received: from chastiser ([235.245.195.212] helo=lurched.lcinet.net)
        by dial-66-59-238-35.lcinet.net with SMTP id 17C396B7
        for uucp@av8.com; Fri, 24 Jun 2005 16:43:26 -0400

Note that 235.245.195.212 is not allocated. This is a forged header.  
66.59.238.35 isn't running an open relay. Indeed, I could not find a
single open relay spam in a sample of 15 of the 605 spams I've received in
the last 24 hours. But I did find forged headers pretending to be open
relay. Though that is also becoming the exception. Much spam doesn't even
bother with forged headers.

> If it were not for open-relay DNS black lists, I could not run my
> company.

These are probably doing you more harm than you realize. Or are you a
promoter? (there are basically two kinds of users of these blacklists: The
misled who don't know, and the promoters, who know and don't care)

Most "open relay" blacklists are revenge lists, and while they may block
some real spam [or possibly block pretend spam that they generated--they
call this "mailbombing"], their purpose is revenge and extortion.  This is
well documented: ORBS and its successors, SORBS, Osirusoft, Monkeys.org,
IMRSS. Most people "in the know" know that none of these blacklists are
suitable for blocking spam, and few ISPs or professional mail staff use
them.  You will just wind up blocking non-spam email.  Very few people use
these lists. We can tell:

We have been blocked by these lists since 1997, and have very little
problem with their "blocking". This is due to the relatively low number of
"subscribers".  Last month, we had just 2 issues with SORBS. Yet SORBS
blocks all of our IP address space claiming it to be hijacked.  Both
issues were with university student-run servers (GATech and UCLA). Neither
University's professionally-operated mail systems used SORBS. We had no
problem getting in touch with the professional University IT staff who
told us in both cases that the offending servers were student-run, and who
the student administrators were. One student admin was very surprised to
find out about SORBS. He said SORBS was recommended by some web site, and
he didn't know its revenge-oriented nature and false claims. He seemed
genuinely surprised, and after verifying for himself, genuinely shocked
and apologetic. The other admin was different: He was clearly aware of SORBS,
and was very belligerent, telling me to "see figure 1", and other things.  
His supervisor, however, was surprised, and much less willing to block
non-spam email.  Both quit blocking.

See http://www.pathname.com/~corpus/NET.age for some stats on how much
spam and ham is blocked by SORBS and other blacklists.  The NET.age corpus
isn't that big, but still interesting because it is hand sorted into spam
and ham and compared.  SORBS is the only blacklist whose "Hijacked"
category blocks ham.

> About 90% of the spam that is in my logs seems to be from open
> relays.

You are probably being "mailbombed" by the blacklist.  I have found that
blacklist subscribers sometimes have uniquely interesting spam profiles.  
If your blacklist is way more "effective" than it should be, something is
fishy.  Much spam is sent by residential machines, and many residential
ISPs use DHCP. So their IP addresses naturally change over relatively
short periods.  Ordinary blacklists should have difficulty keeping up with
this. Indeed, it should be just about impossible to keep up with DHCP on
millions of residential computers.  When the blacklist knows the dynamic
IP address of the abuser before it conducts abuse, something is wrong.

> I read your paper. And FYI,  I can name ONE person that is responsible
> for about 60% of the spam that makes it into my inbox. So it is possible
> that a few spammers are reading the anti-spam lists.

No doubt spammers do read anti-spam lists. The FBI also reads the
anti-spam lists. 

I rather doubt that one person is responsible for 60% of your (or anyone
else's) spam.  There were more anti-spammers than that abusing open
relays; we've tracked them down to the point where the FBI investigated,
and they were fired, and they __still__ didn't think that open relay abuse
was wrong.  But I agree that it probably isn't 14 thousand, either.

> I cannot be certain that the open-relay DNS-black lists are not
> blocking other traffic. I only know which lists I subscribed to
> after trial and error and looking at the logs to see which stopped
> more spam.

You can be certain they are blocking other traffic: Just look up
130.105/16 and 198.3.136/21 in ARIN and in SORBS.  Just google for ORBS. 
Or go to www.iadl.org, or www.dotcomeon.com.   


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
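The header analysis in the message above (reading the Received chain and noticing that 235.245.195.212 cannot be a real SMTP client) is something a mail operator can automate. The following is an added example, not code from Dean Anderson, av8 or the IETF list: it unfolds a raw Received block, extracts the bracketed client address of each hop, and uses Python's `ipaddress` module to flag hops whose address lies in multicast, reserved, private or other non-routable space. The sample input is the two Received lines quoted in the message, embedded here as a constructed string; the rule that only the top-most hop (the one stamped by your own MX, `odie.av8.com` in this sample) is trustworthy is the usual operator assumption, and everything below it is whatever the sending host chose to write. The check generalizes slightly beyond the page's single case by covering every reserved range `ipaddress` knows about, not only multicast.

```python
import re
import ipaddress

# Constructed sample: the two Received headers quoted in the message,
# folded exactly as they appear there (the second physical line of the
# first header lacks the leading whitespace RFC 2822 folding requires,
# so the unfolder below also accepts a line that does not start a header).
RAW_HEADERS = """\
Received: from dial-66-59-238-35.lcinet.net (dial-66-59-238-35.lcinet.net
[66.59.238.35])
        by odie.av8.com (8.9.3/8.8.5) with SMTP id QAA24726
        for <uucp@av8.com>; Fri, 24 Jun 2005 16:43:27 -0400 (EDT)
Received: from chastiser ([235.245.195.212] helo=lurched.lcinet.net)
        by dial-66-59-238-35.lcinet.net with SMTP id 17C396B7
        for uucp@av8.com; Fri, 24 Jun 2005 16:43:26 -0400
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# "from <helo> (<comment with [ip]>) by <server>" -- the common sendmail/Exim shape
HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*\(([^)]*)\)\s*by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines into one logical line per header."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        is_continuation = lines and (line[0].isspace() or not HEADER_START.match(line))
        if is_continuation:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(line):
    """Extract HELO name, bracketed client IP and receiving server from one Received line."""
    m = HOP_RE.match(line)
    if not m:
        return None
    helo, comment, by = m.groups()
    ip_match = IP_RE.search(comment)
    return {"helo": helo, "ip": ip_match.group(1) if ip_match else None, "by": by}


def implausible_client(ip_str):
    """Return why this address cannot be a real Internet SMTP client, or None if it could be."""
    if ip_str is None:
        return "no bracketed IP recorded"
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "unparseable address"
    if ip.is_multicast:
        return "multicast space (224.0.0.0/4)"
    if ip.is_reserved:
        return "reserved space (240.0.0.0/4)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private (RFC 1918) space"
    if ip.is_unspecified:
        return "unspecified address"
    return None


def analyze_chain(raw):
    """Walk the Received chain top-down; index 0 is the hop stamped by our own MX."""
    hops = []
    for index, line in enumerate(unfold(raw)):
        hop = parse_received(line)
        if hop is None:
            continue
        hop["trusted"] = index == 0          # assumption: only our own stamp is trustworthy
        hop["suspect"] = implausible_client(hop["ip"])
        hops.append(hop)
    return hops


if __name__ == "__main__":
    for hop in analyze_chain(RAW_HEADERS):
        status = "trusted stamp" if hop["trusted"] else "claimed by sender"
        verdict = hop["suspect"] or "plausible"
        print(f"{hop['ip']!s:18} via {hop['by']:32} {status:18} {verdict}")
```

On the sample, the first hop (66.59.238.35, recorded by odie.av8.com) comes back plausible, while the hop below it claims a client in 235.0.0.0/8, which is multicast and can never appear as the source of a TCP connection; that is enough to mark the lower header as forged rather than as evidence of an open relay at 66.59.238.35. A production version would add a reverse-DNS consistency check on the trusted hop and treat any hop below a forged one as untrustworthy.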