Client host rejected: 85/8 banned for abuse
Are you sure? 85/8, that's a lot of unreal estate.

> <measl@mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554 <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for abuse (in reply to RCPT TO command)

On Thu, Oct 19, 2006 at 08:35:04PM +0200, Mail Delivery System wrote:

Content-Description: Notification
This is the Postfix program at host v64.ativel.com.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The Postfix program
<measl@mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554 <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for abuse (in reply to RCPT TO command)
Content-Description: Delivery report
Reporting-MTA: dns; v64.ativel.com
X-Postfix-Queue-ID: D9B6C1E000C72
X-Postfix-Sender: rfc822; eugen@leitl.org
Arrival-Date: Thu, 19 Oct 2006 20:34:57 +0200 (CEST)

Final-Recipient: rfc822; measl@mfn.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mx1.mfn.org[204.238.179.8] said: 554 <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for abuse (in reply to RCPT TO command)
Content-Description: Undelivered Message
From: Eugen Leitl <eugen@leitl.org>
Date: Thu, 19 Oct 2006 20:34:57 +0200
To: "J.A. Terranson" <measl@mfn.org>, cypherpunks@al-qaeda.net
Subject: Re: TOR redux
User-Agent: Mutt/1.5.9i

On Thu, Oct 19, 2006 at 12:31:38PM -0500, J.A. Terranson wrote:

> For those who may have missed it..

Don't see anything Tor. What's the scoop?
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
At 12:16 PM 10/19/2006, Eugen Leitl wrote:

> Are you sure? 85/8, that's a lot of unreal estate.
>
> <measl@mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554 <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for abuse (in reply to RCPT TO command)
The whole /8? I'd certainly say it's a lot - it's not even a single Class A owned by a carrier like AT&T or UUNet, but has a number of different ISPs in different countries owning chunks of it. leitl.org has a /24 that's part of an ISP /18 in Germany, and I saw some Swisstel in another /18 there. That's the kind of global overkill I'd expect from an irresponsible spam-blocker list like SPEWS, and even for them that would be pretty excessive.
On Thu, 19 Oct 2006, Bill Stewart wrote:

> > Are you sure? 85/8, that's a lot of unreal estate.
> >
> > <measl@mfn.org>: host mx1.mfn.org[204.238.179.8] said: 554 <v64.ativel.com[85.10.225.64]>: Client host rejected: 85/8 banned for abuse (in reply to RCPT TO command)
>
> The whole /8? I'd certainly say it's a lot - it's not even a single Class A owned by a carrier like AT&T or UUNet, but has a number of different ISPs in different countries owning chunks of it. leitl.org has a /24 that's part of an ISP /18 in Germany, and I saw some Swisstel in another /18 there.
>
> That's the kind of global overkill I'd expect from an irresponsible spam-blocker list like SPEWS, and even for them that would be pretty excessive.

Ahhh, but I have a *lot* more flexibility here than SPEWS does. I can set filters by individuals, and I have little need for the vast majority of IP space - therefore I filter very hyperaggressively for this domain.

Prior to this "overreaction", I was receiving approximately 25K spam emails per day (on an *average* day - there have been *much* worse!). Now, I see less than several hundred: a fair trade for the rare false positive (about 75% of which come from this list, and of which I see less than a dozen per year).

I have literally dozens of /8s on block: All of APNIC, AFRINIC, South America, Israel, Russia and neighboring real estate... You get the idea.

The policy here is that if an abusive email gets through:

(1) If generated by a hosting company, the entire allocation to that hosting company is blocked;
(2) If from dynamic space, it was missed the first time, so added now;
(3) If from a microallocation (/25-/32) I block the micro, and if from a company with significant space, but what appears to be just a compromised host, the /24 in which that host lives.

It works.

-- 
Yours,
J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF

"Surely the larger lesson learned from that day is that other men, all over the world, took inspiration not from the heroism of the rescuers in New York or the passengers flying over Pennsylvania, but from the 19 hijackers - the twisted brilliance of their scheme and their willingness to sacrifice their lives to make a political and, as they saw it, religious statement."

Richard Corliss/Time Magazine 11 Aug 2006
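Terranson's three-rule escalation policy above, worked through as an added example (this is not his code or mfn.org's configuration). Given the offending client IP and what a WHOIS lookup says about its allocation, it picks the CIDR to block and renders the result as a Postfix cidr: access table, the kind of mechanism that produces a "554 Client host rejected" like the one at the top of the thread. The allocations, IP addresses and the hosting/dynamic/micro/corporate labels are constructed test data; how a netblock gets classified is left to the human reading WHOIS, exactly as in the thread.

```python
"""Escalating client-IP blocks in the spirit of the policy above.

Added example, not code from the thread. The allocations below are
constructed test data; the kind labels are an assumed summary of what
a WHOIS lookup would tell the person maintaining the block list.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    """Summary of a WHOIS lookup for the offending host (constructed)."""
    network: str  # the allocation containing the host, e.g. "85.10.192.0/18"
    kind: str     # "hosting", "dynamic", "micro" or "corporate" (assumed labels)


def block_for(offender: str, alloc: Allocation) -> ipaddress.IPv4Network:
    """Return the CIDR to add for one abusive message, following rules (1)-(3)."""
    host = ipaddress.ip_address(offender)
    net = ipaddress.ip_network(alloc.network, strict=False)
    if host not in net:
        raise ValueError(f"{host} is not inside {net}")
    if alloc.kind in ("hosting", "dynamic"):
        # (1) a hosting company loses its whole allocation;
        # (2) dynamic space should have been listed already, so list it now.
        return net
    if alloc.kind == "micro" and net.prefixlen >= 25:
        # (3a) a /25-/32 microallocation is blocked as-is.
        return net
    # (3b) big allocation, probably one compromised host: block its /24.
    return ipaddress.ip_network(f"{host}/24", strict=False)


def postfix_cidr_table(blocks, reason="banned for abuse") -> str:
    """Render a Postfix cidr: access map (first match wins, so merge overlaps first)."""
    merged = ipaddress.collapse_addresses(blocks)
    return "\n".join(f"{net}\t554 Client host rejected: {net} {reason}" for net in merged)


def client_rejected(client_ip: str, blocks) -> bool:
    """The check the MTA makes at RCPT time: is the client inside any blocked CIDR?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in blocks)


# Constructed incidents: (offending client IP, what WHOIS said about it).
INCIDENTS = [
    ("198.51.100.77", Allocation("198.51.100.0/22", "hosting")),
    ("100.64.5.9", Allocation("100.64.0.0/10", "dynamic")),
    ("203.0.113.200", Allocation("203.0.113.192/27", "micro")),
    ("10.20.30.40", Allocation("10.0.0.0/8", "corporate")),
    ("10.20.30.41", Allocation("10.0.0.0/8", "corporate")),  # same /24 hit twice
]


def build_blocks():
    """Apply the policy to every incident and return the resulting CIDRs."""
    return [block_for(ip, alloc) for ip, alloc in INCIDENTS]


if __name__ == "__main__":
    blocks = build_blocks()
    print(postfix_cidr_table(blocks))
    for probe in ("10.20.30.99", "10.20.31.1", "85.10.225.64"):
        print(probe, "rejected" if client_rejected(probe, blocks) else "accepted")
```

The rendered table is what you would point `smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_access` at; overlapping entries are collapsed first because Postfix cidr tables stop at the first match. Note that rule (3b) blocks a /24 around the offending host, not the host's own allocation, so two hits in the same /24 produce one entry.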
On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:

> Ahhh, but I have a *lot* more flexibility here than SPEWS does. I can set filters by individuals, and I have little need for the vast majority of IP space - therefore I filter very hyperaggressively for this domain.

The nice thing is that you never see those false positives. But for this list, you'd never have seen my message.

> Prior to this "overreaction", I was receiving approximately 25K spam

Wow, wonder how you managed to attract that. I only get several hundred a day (malware is already filtered at MTA level), which spamassassin catches quantitatively. I'm thinking about starting blocking .gif/.jpeg/.png by MTA, which would catch the rest of them. If I ever got fancy I could use greylisting and firewall throttling of Windows hosts, or similar shenanigans. But, blocking by RBL, never.

> emails per day (on an *average* day - there have been *much* worse!). Now, I see less than several hundred: a fair trade for the rare false positive (about 75% of which come from this list, and of which I see less than a dozen per year).
>
> I have literally dozens of /8s on block: All of APNIC, AFRINIC, South America, Israel, Russia and neighboring real estate... You get the idea.

I get the idea. You could just block the entire IP address space, which would cut your spam rate down to zero. Ever tried that?

> The policy here is that if an abusive email gets through: (1) If generated by a hosting company, the entire allocation to that hosting company is blocked; (2) If from dynamic space, it was missed the first time, so added now; (3) If from a microallocation (/25-/32) I block the micro, and if from a company with significant space, but what appears to be just a compromised host, the /24 in which that host lives.
>
> It works.

I would call it the "nuclear glass approach" to spam. If this works for you, great, but I don't know too many people who'd subscribe to your approach (to which RBL hardcore nazis look like teletubbies).
At 06:35 AM 10/20/2006, Eugen Leitl wrote:

> On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:
>
> > Prior to this "overreaction", I was receiving approximately 25K spam
>
> Wow, wonder how you managed to attract that.

It's easy to attract a lot of spam - luck of the draw, or having your name widely spread in archives, or having ever provided free email services.

> I'm thinking about starting blocking .gif/.jpeg/.png by MTA, [...]

Also overkill, but highly effective.

> If I ever got fancy I could use greylisting and firewall throttling

Greylisting turns out to be a big big win - most zombieware doesn't ever retry, so you lose that spam.
Another popular spammer trick lately has been to hijack unused address space, usually unused small blocks in larger allocations, spamming madly for a few minutes, then dropping the BGP advertisement so nobody can traceroute back, and never reusing addresses so you don't care if it's blacklisted. Greylisting totally protects you from this technique, because a typical half-hour delay means that the spammer's gone, but Alif's techniques are likely to lead to the legitimate space getting blacklisted, while the spammer is living behind some entirely different ISP that openly accepts bogus BGP requests.

Another defense against this spammer trick, if you've got a big enough network connection to accept full BGP routes (i.e. you're a medium-large service provider, but not a home system) is to not accept any email from a BGP address block that has existed for fewer than 24 hours or some similar threshold that's long enough to make address thieves go away or get traced, but short enough to not bother legitimate email much ("453 The Wizard Says Go Away and Come Back Tomorrow").
> > I have literally dozens of /8s on block: All of APNIC, AFRINIC, South America, Israel, Russia and neighboring real estate... You get the idea.
The ISP where I get most of my email lets users pick countries or regions to reject mail from, using lists that are more precise than "burn the /8". I decided a few years ago to reject all mail from China, Korea, Brazil, and Argentina, and that cut out more than half my spam load, and I didn't know anybody from those countries; I'll accept mail from Japan and Israel but it gets extra filtering, since I do know some people there but it's mostly spam (unfortunately, they don't have an option to filter by character set; anything in alphabets I don't read is highly likely to be spam, though at work I do get email in mixed English and Japanese or Chinese...)
> ... I would call it the "nuclear glass approach" to spam. If this works for you, great, but I don't know too many people who'd subscribe to your approach (to which RBL hardcore nazis look like teletubbies).
A _real_ nuclear glass approach would be to start advertising BGP routes for the addresses that spam you, which would drop them off the net for anybody who's within a few hops of you, and wouldn't even give you much extra network traffic, because it would kill the TCP handshake responses from any new email sessions. I work at a Tier 1 ISP, which would mean that it would be blocked from most of the US, and somebody with a LINX account could do the same for half of Europe, but fortunately they don't give me the keys on days that the spammers have been makin' the ganglia twitch... and you could accomplish the same thing non-destructively with a block-list if enough people trusted your service.

In reality a legitimate ISP would never do this or permit their users to do it, because it could not only cause chaos for the entire Internet, but it would trivially blow through the route-cached capacity of most of the routers on the Internet. There was an event a decade or so ago when some small ISP announced that their T1 line was the best route to reach everything at Sprint or MAE-West or something, so about 1/3 of the traffic on the Internet was trying to get through there before the line smoked, and most ISPs put in a lot of route protection then.

The address-space hijackers shouldn't be able to do it either, but there are enough ISPs that are sloppy about managing route advertisements that they get away with it.
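The two defenses Bill describes in this message, greylisting and refusing mail from a BGP prefix that is less than a day old, combined in one added example (not Bill Stewart's code or any ISP's). It replays constructed traffic from a real MTA that retries, a zombie that fires once, and a sender inside a prefix announced ten minutes ago. The route first-seen table, timestamps and sender addresses are constructed; a real deployment would feed the prefix ages from a BGP session or a route-collector dump. Two assumptions not in the thread: it answers with the standard 450 temporary-failure code rather than the "453" of Bill's joke, and it keys greylist entries on the client's /24 so a retry from a sibling host in an MX pool still matches.

```python
"""Greylisting with a route-age gate, as an added example of the two
defences described above. Not code from the thread; the BGP first-seen
table, timestamps and senders are constructed test data.
"""
import ipaddress
from dataclasses import dataclass, field

GREYLIST_DELAY = 30 * 60   # a new triplet is temp-failed until this much time has passed
ROUTE_MIN_AGE = 24 * 3600  # prefixes announced more recently than this are told to come back later


@dataclass
class Greylister:
    # prefix -> unix time its BGP announcement was first seen (constructed, assumed feed)
    route_first_seen: dict
    # (client /24, envelope sender, recipient) -> time of first attempt
    first_attempt: dict = field(default_factory=dict)
    accepted: set = field(default_factory=set)

    def route_age(self, client_ip: str, now: int):
        """Age of the most specific announced prefix covering the client, or None."""
        ip = ipaddress.ip_address(client_ip)
        covering = [p for p in self.route_first_seen if ip in p]
        if not covering:
            return None
        best = max(covering, key=lambda p: p.prefixlen)  # longest-prefix match
        return now - self.route_first_seen[best]

    def decide(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        """SMTP reply for one RCPT TO attempt."""
        age = self.route_age(client_ip, now)
        if age is not None and age < ROUTE_MIN_AGE:
            # Hijacked space looks exactly like a young route. Temp-fail rather than
            # reject, so a genuinely new ISP block gets through tomorrow.
            return "450 4.7.1 Route too new, come back tomorrow"
        # Key on the client's /24 (assumed policy) so MX pools that retry from a
        # sibling address still match their first attempt.
        key = (ipaddress.ip_network(f"{client_ip}/24", strict=False), sender, rcpt)
        first = self.first_attempt.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            return "450 4.7.1 Greylisted, try again later"
        self.accepted.add(key)
        return "250 2.1.5 OK"

    def abandoned(self, now: int):
        """Triplets that were greylisted and never retried: the zombie traffic."""
        return [k for k, t in self.first_attempt.items()
                if k not in self.accepted and now - t >= GREYLIST_DELAY]


def simulate() -> dict:
    """Replay constructed traffic and return each attempt's SMTP reply."""
    T0 = 1_161_300_000  # constructed base time (roughly Oct 2006)
    g = Greylister(route_first_seen={
        ipaddress.ip_network("198.51.100.0/24"): T0 - 30 * 86400,   # long-established block
        ipaddress.ip_network("203.0.113.0/24"): T0 - 400 * 86400,   # old cable-modem pool
        ipaddress.ip_network("192.0.2.0/24"): T0 - 600,             # announced ten minutes ago
    })
    legit = ("198.51.100.10", "alice@example.net", "bob@example.org")
    zombie = ("203.0.113.7", "x@random.invalid", "bob@example.org")
    hijack = ("192.0.2.200", "y@random.invalid", "bob@example.org")
    replies = {
        "legit-first": g.decide(*legit, T0),
        "legit-retry": g.decide(*legit, T0 + 45 * 60),    # a real MTA retries from its queue
        "zombie-first": g.decide(*zombie, T0),            # never comes back
        "hijack-first": g.decide(*hijack, T0),
        "hijack-retry": g.decide(*hijack, T0 + 45 * 60),  # route is still under a day old
    }
    replies["abandoned"] = len(g.abandoned(T0 + 2 * 3600))
    return replies


if __name__ == "__main__":
    for name, reply in simulate().items():
        print(f"{name:13} {reply}")
```

The hijacked-prefix sender is stopped twice over: the route-age gate refuses it while the prefix is young, and even without that gate the half-hour greylist delay outlasts a few-minutes announcement, which is the point Bill makes about greylisting. The `abandoned` list is the useful by-product: triplets that were deferred and never retried are the zombie and hijack traffic, and counting them tells you how much of your load greylisting alone removed.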
Participants (3): Bill Stewart, Eugen Leitl, J.A. Terranson