Client host rejected: 85/8 banned for abuse

Bill Stewart bill.stewart at pobox.com
Fri Oct 20 21:50:02 PDT 2006


At 06:35 AM 10/20/2006, Eugen Leitl wrote:
>On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:
> > Prior to this "overreaction", I was receiving approximately 25K spam
>Wow, wonder how you managed to attract that.
It's easy to attract a lot of spam - luck of the draw,
or having your name widely spread in archives,
or having ever provided free email services.

>I'm thinking about starting blocking .gif/.jpeg/.png by MTA, [...]
Also overkill, but highly effective.

>If I ever got fancy I could use greylisting and firewall throttling
Greylisting turns out to be a big big win -
most zombieware doesn't ever retry, so you lose that spam.

Another popular spammer trick lately has been to
hijack unused address space, usually unused small blocks in
larger allocations, spamming madly for a few minutes,
then dropping the BGP advertisement so nobody can traceroute back,
and never reusing addresses so you don't care if it's blacklisted.
Greylisting totally protects you from this technique,
because a typical half-hour delay means that the spammer's gone,
but Alif's techniques are likely to lead to the legitimate space
getting blacklisted, while the spammer is living behind some
entirely different ISP that openly accepts bogus BGP requests.

Another defense against this spammer trick, if you've got a
big enough network connection to accept full BGP routes
(i.e. you're a medium-large service provider, but not a home system)
is to not accept any email from a BGP address block that
has existed for fewer than 24 hours or some similar threshold
that's long enough to make address thieves go away or get traced,
but short enough to not bother legitimate email much
("453 The Wizard Says Go Away and Come Back Tomorrow").

> > I have literally dozens of /8s on block: All of APNIC, AFRINIC, South
> > America, Israel, Russia and neighboring real estate... You get the idea.

The ISP where I get most of my email lets users pick countries
or regions to reject mail from, using lists that are more precise
than "burn the /8".  I decided a few years ago to reject all mail
from China, Korea, Brazil, and Argentina, and that cut out
more than half my spam load, and I didn't know anybody from those
countries; I'll accept mail from Japan and Israel but it gets extra filtering,
since I do know some people there but it's mostly spam
(unfortunately, they don't have an option to filter by character set;
anything in alphabets I don't read is highly likely to be spam,
though at work I do get email in mixed English and Japanese or Chinese...)

>...
>I would call it the "nuclear glass approach" to spam. If this works
>for you, great, but I don't know too many people who'd subscribe to your
>approach (to which RBL hardcore nazis look like teletubbies).

A _real_ nuclear glass approach would be to start advertising
BGP routes for the addresses that spam you, which would drop them
off the net for anybody who's within a few hops of you,
and wouldn't even give you much extra network traffic,
because it would kill the TCP handshake responses from
any new email sessions.  I work at a Tier 1 ISP,
which would mean that it would be blocked from most of the US,
and somebody with a LINX account could do the same for half of Europe,
but fortunately they don't give me the keys on days that
the spammers have been makin' the ganglia twitch...
and you could accomplish the same thing non-destructively
with a block-list if enough people trusted your service.

In reality a legitimate ISP would never do this or permit their
users to do it, because it could not only cause chaos for the
entire Internet, but it would trivially blow through the
route-cached capacity of most of the routers on the Internet.
There was an event a decade or so ago when some small ISP
announced that their T1 line was the best route to reach
everything at Sprint or MAE-West or something,
so about 1/3 of the traffic on the Internet was trying
to get through there before the line smoked,
and most ISPs put in a lot of route protection then.
The address-space hijackers shouldn't be able to do it either,
but there are enough ISPs that are sloppy about managing
route advertisements that they get away with it.
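The two defences the post describes, greylisting (temp-fail the first delivery attempt for a sender/recipient pair and accept only a retry after a delay, which never comes from fire-and-forget zombieware) and refusing mail from BGP prefixes that have been advertised for less than a day, can be expressed as a single MTA policy check. The following is an added example written for this page, not code from the post or from any MTA; the in-memory dictionaries, the `observe_prefix` feed (standing in for a real BGP table or route-collector export) and the constructed addresses and timestamps are assumptions, while the half-hour greylist delay and 24-hour prefix-age threshold are the values the post gives.

```python
"""Greylisting plus BGP prefix-age policy for an SMTP front end (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GREYLIST_DELAY = 30 * 60    # seconds a new triplet must wait before a retry is accepted
GREYLIST_TTL = 36 * 3600    # constructed: forget triplets that never retried after this long
PREFIX_MIN_AGE = 24 * 3600  # refuse mail from prefixes announced for fewer than 24 hours

# Classic greylisting key: (client IP, envelope sender, envelope recipient)
Triplet = Tuple[str, str, str]


@dataclass
class MailPolicy:
    # Hypothetical in-memory stores; a production MTA would back these with a database.
    greylist: Dict[Triplet, float] = field(default_factory=dict)
    prefix_first_seen: Dict[ipaddress.IPv4Network, float] = field(default_factory=dict)

    def observe_prefix(self, prefix: str, seen_at: float) -> None:
        """Record when a prefix first appeared in the routing table (hypothetical feed)."""
        net = ipaddress.ip_network(prefix, strict=False)
        self.prefix_first_seen.setdefault(net, seen_at)

    def prefix_age(self, ip: str, now: float) -> Optional[float]:
        """Age in seconds of the most specific known prefix covering ip, or None if unrouted."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, seen in self.prefix_first_seen.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, seen)
        return None if best is None else now - best[1]

    def expire(self, now: float) -> int:
        """Drop greylist entries whose sender never retried; returns how many were removed."""
        stale = [t for t, first in self.greylist.items() if now - first > GREYLIST_TTL]
        for t in stale:
            del self.greylist[t]
        return len(stale)

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for a MAIL/RCPT transaction from ip."""
        # 1. Prefix-age check: a freshly announced (or already withdrawn) block is
        #    exactly what a hijack-and-run spammer uses, so ask it to come back tomorrow.
        age = self.prefix_age(ip, now)
        if age is None or age < PREFIX_MIN_AGE:
            return 451, "4.7.1 The Wizard Says Go Away and Come Back Tomorrow"

        # 2. Greylisting: first contact is always deferred; a retry is accepted only
        #    once the delay has elapsed, which single-shot zombieware never does.
        triplet = (ip, sender.lower(), rcpt.lower())
        first = self.greylist.get(triplet)
        if first is None:
            self.greylist[triplet] = now
            return 451, "4.7.1 Greylisted, please retry later"
        if now - first < GREYLIST_DELAY:
            return 451, "4.7.1 Greylisted, please retry later"
        return 250, "2.1.5 OK"


if __name__ == "__main__":
    policy = MailPolicy()
    policy.observe_prefix("192.0.2.0/24", 0.0)          # constructed: long-established block
    policy.observe_prefix("198.51.100.0/24", 100000.0)  # constructed: announced an hour ago
    now = 100000.0 + 3600
    print(policy.decide("198.51.100.7", "a@example.com", "b@example.net", now))
    print(policy.decide("192.0.2.5", "a@example.com", "b@example.net", now))
    print(policy.decide("192.0.2.5", "a@example.com", "b@example.net", now + GREYLIST_DELAY))
```

The prefix-age check runs before greylisting on purpose: an address from a block that is only minutes old gets no greylist entry, so the hijacker's spam run is refused outright and leaves nothing behind that a later retry from the same (now withdrawn) space could exploit. Legitimate senders from established prefixes pay the one-time half-hour delay per triplet and are then accepted on every retry.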

More information about the cypherpunks-legacy mailing list