The US has reclaimed its position as the world's leading spam-relaying country, but you'd be wasting your time looking for junkmail crimelords... In the last three months, almost one-fifth (18.3 per cent) of all global spam has been pushed through computers in the US, according to figures from anti-virus firm Sophos. However, …
Not sure if I should be proud that the UK is not listed or not. Perhaps it's not listed because our internet is so bad or we have too few computers!
I'd say it's that we are generally more wary of what can happen, so more people have AV/firewalls than the yanks.
Also it seems that UK websites (no matter how small) are usually made more secure, instead of some bloke reading "Learn PHP in 24 hours" and thinking he's a web developer.
Can't ISPs detect zombified PCs?
Wouldn't it be great if ISPs could detect zombified PCs by means of traffic profiling? Then the appropriate users could be given a number of warnings about their PC being a spam bot. The warnings would give the user ample time to sort out their PC but if it still persisted then the ISP would black list that user. Problem solved!
Re: Can't ISPs detect zombified PCs?
Ok, do you want to volunteer to have your traffic profiled first?
Re: Can't ISPs detect zombified PCs?
My mail logs say not.
Every few days, I get a botnet spamming my domains with thousands of mails. Most of them come from dynamic ranges, the vast majority from well-known ISPs (sometimes foreign and in places you don't expect to be bothered about cleaning up spam, sometimes not), and all of them just relentlessly try and try again.
Nothing gets through to give them a "good" server response to encourage them to try again, so they have my addresses and just keep spamming them, presumably even if they'd been dead for years. Most appear on lists of botnets (e.g. CBL) and have been there for years and when they have these attacks presumably they are sending out mail to thousands upon thousands of domains.
If they get through the SpamHaus lookup (about 1% do), then they are usually only sending to fake made-up emails anyway (which I block because they don't correspond to any account) - they wouldn't even deliver even if I did no checks at all. 99.999% of them fail on simple things like using SPF domains in their from address, or not having reverse DNS, or not bothering to try again if greylisted. The remainder is bounce-back spam from legitimate (but stupidly configured) mail servers - sometimes even GMail themselves.
I actually have a rule in my mail setup that if GMail, after being refused a certain email because it doesn't correspond to the lookup IP / SPF record in the from-address, then bounces the delivery message back to the SAME DOMAIN (which is, technically, RFC-compliant but incredibly stupid - "let's tell the user we KNOW is faked that this email is not going to be accepted because the user who sent it is faked!"), it gets a nasty message from my mail-server response.
Yesterday, I only got 2500 attempts to send email. I have a handful of personal domains that aren't used for anything except the website on them (and my proper mail accounts are elsewhere), but I still get thousands of emails sent from ISPs' dynamic ranges every day and they just don't care. One of them managed to get a "You already have 135 concurrent connections" error from my Postfix server (which, you can tell, is some going, and their connection attempts had been going for hours before and after that), despite being on a well-known German ISP, and nothing was done about it. I just blacklisted the IP myself and moved on.
Even in this country ISPs aren't looking and don't care (out of 51,000 mail attempts last month - of which two were genuine emails - 562 came from btcentralplus.com). Internationally, the situation only worsens (thousands upon thousands each from ono.com, comcast.net, rr.com, etc.). Hell, the Russias, Uruguays and everything else in my logs barely add up to what I get from any given large ISP in the US/UK altogether.
God knows what would happen if I had a domain that was used for email and popular. I'd hate to think of the load that sort of spam would generate.
Self-regulation of email on the ISPs' end is non-existent. Any of those attacks would be stopped dead by a mail limit (e.g. 1-2 a minute or whatever, queued as appropriate) or someone watching the mail logs with any kind of knowledge. They don't care.
If you don't recognise "hinet.net" and various other domains, then you aren't running a mailserver exposed to the Internet. And if you do, then you'll know that the ISPs are doing big-sod-all, even in countries that have laws against it.
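An added example, not the poster's own setup, of the kind of log tally described in this post: it parses Postfix-style NOQUEUE reject lines and counts them by the check that stopped the message (DNSBL, missing reverse DNS, greylisting, SPF, non-existent recipient) and by the client's reverse-DNS domain. The log lines, hostnames and addresses are constructed; the domain guess (last two labels) is a deliberate simplification.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd NOQUEUE-reject format; not real logs.
SAMPLE_LOG = """\
Mar 12 10:01:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from host86-1-2-3.range86-1.btcentralplus.com[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<x@example.org> to=<nobody@example.net> proto=ESMTP helo=<pc>
Mar 12 10:01:05 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<y@example.org> to=<ghost@example.net> proto=ESMTP helo=<pc>
Mar 12 10:01:09 mx postfix/smtpd[2202]: NOQUEUE: reject: RCPT from c-1-2-3-4.hsd1.ca.comcast.net[203.0.113.4]: 450 4.2.0 <ghost@example.net>: Recipient address rejected: Greylisted; from=<z@example.org> to=<ghost@example.net> proto=ESMTP helo=<pc>
Mar 12 10:01:11 mx postfix/smtpd[2202]: NOQUEUE: reject: RCPT from cpe-1-2-3-5.nyc.res.rr.com[203.0.113.5]: 550 5.1.1 <ghost@example.net>: Recipient address rejected: User unknown in local recipient table; from=<w@example.org> to=<ghost@example.net> proto=ESMTP helo=<pc>
Mar 12 10:01:15 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from host86-4-5-6.range86-4.btcentralplus.com[192.0.2.11]: 550 5.7.23 <v@example.org>: Sender address rejected: Message rejected due to: SPF fail; from=<v@example.org> to=<me@example.net> proto=ESMTP helo=<pc>
Mar 12 10:02:00 mx postfix/smtpd[2203]: connect from mail.example.com[192.0.2.99]
"""

# host[ip]: code enhanced-code message; from=<...>
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<msg>.*?); from=<"
)

def classify(msg):
    """Map the reject text to the check that stopped the message."""
    if "blocked using" in msg:
        return "dnsbl"             # e.g. Spamhaus zen listing
    if "reverse hostname" in msg:
        return "no_rdns"
    if "Greylisted" in msg:
        return "greylisted"
    if "SPF" in msg:
        return "spf_fail"
    if "User unknown" in msg:
        return "unknown_recipient" # made-up addresses at a real domain
    return "other"

def client_domain(host):
    """Naive registered-domain guess: last two labels (wrong for e.g. .co.uk)."""
    if host == "unknown":
        return "unknown"
    return ".".join(host.split(".")[-2:])

def summarize(log_text):
    """Count rejects by client domain and by rejecting check; ignores non-reject lines."""
    by_domain, by_reason = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        by_domain[client_domain(m["host"])] += 1
        by_reason[classify(m["msg"])] += 1
    return {"total": sum(by_reason.values()), "by_domain": by_domain, "by_reason": by_reason}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for dom, n in s["by_domain"].most_common():
        print(f"{n:6d}  {dom}")
```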
Re: Can't ISPs detect zombified PCs?
Most half-decent ISPs will contact the customer when there is an abuse report showing SPAM coming from their IP range.
Where I work we've had them too, telling us we're infected with malware that is connecting to a sinkhole IP.
Re: Can't ISPs detect zombified PCs?
And that does what, precisely? The customer ignores them, or cleans up one-time and meanwhile I have another 567 users of theirs still spewing spam. Shut them all down? Next week I'll have 500 different ones again.
By the time I send all those abuse reports, just for my tiny, one-user domain, even with an automated system I've wasted twice the amount of time it takes to block them myself (and hundreds of times the amount of time it takes to just block that ISP permanently) - and next week I won't see "less spam" from comcast, roadrunner, etc. It'll just be the same again. You think they are only spamming me and nobody else noticed?
As I said, lots of the IPs I capture have been on Spamhaus because of the CBL listing (which verifies they are part of a botnet) for a LONG time (not just PBL, which lists all dynamic IPs), and nothing much happens. Sure, they disappear for a week and then reappear, but that's it. Meanwhile I still have at least 500 IPs on a single major cable supplier in the US spamming me at regular intervals.
You can play whack-a-mole if you like; the fact is that if *I* see it (and to thousands of email addresses that have NEVER existed), guess what those people with thousands of domains, millions of emails received, and hundreds of thousands of valid addresses for customers do. Do they report every email? Sure as hell not. Hell, I could probably get myself blocked/ignored from the abuse@ addresses of several British ISPs alone just by reporting every email I get from their ranges.
I'm getting 2500 email attempts a month that aren't genuine emails and are obviously spam, from dynamic, home-user IP ranges belonging to major ISPs. I could spend my life reporting and chasing them and still get nowhere, even if all those IPs were instantly shut down and could never send an email ever again.
The fact is, if the ISPs cared, they'd monitor their users' outgoing ports and stop email unless it goes through their official SMTP server (like LOTS of responsible ISPs do). Not perfect, but at least then you can spot for yourself, rate-limit and shut people down. Those ISPs don't care; they're letting people who are on IPs listed on policy-block-lists (that should never be sending email direct, and if they do are incredibly unlikely to ever get through to any email account that uses SpamHaus etc.), and on known-botnet lists, send as much email as they like, unchecked, for weeks, months, sometimes years at a time.
abuse@ and postmaster@ generally only work if the problem is huge, if the reporting entity is an ISP, or if the domain is a user-owned domain. Been the same for decades. There's probably no way that someone like comcast or roadrunner or even BT are even reading every abuse report at all - there's not enough hours in the day.
Looking at the figures
I'm not too surprised that France is that high up. Many of their businesses (large & small) are actively running bulk email campaigns; they don't consider what they are doing is spamming people (although they hate spam just as much as we do).
I had a conversation with a couple of people over there and they were horrified that I consider what they were doing as anything other than normal business practice. Having managed a set of email addresses for them on one of our mail servers, I introduced them to some better practices and their junk mail levels dropped considerably.
Had a similar reaction from those in the Fatherland; although I think a lot is generated because they are actively engaging with the countries in the east that they once tried to invade and are now trying to sell to.
I think that the UK is further down the list primarily because we are actually doing slightly better at keeping the b****** out. Not enough to be overly pleased with ourselves, but a little pat on the back would be appropriate.
Turning the question on its head.
Why is the US so bad at securing its PCs?
So many as a percentage of its population?
No one running AV/out of date AV/unconfigured firewalls?
I also think it would be very interesting if you could pin down a geographical spread. Do most of these botnet PCs live in, say, Arkansas, Palo Alto or Berkeley?
Let's be clear: nearly 1/5 of all this crap comes from this 1 country, and that's over 2x more than its nearest competitor.
Re: Turning the question on its head.
Turning the firewall on its head might be a better idea.
e.g. US IP > /dev/null
The sad part
I'm fairly sure about a third of us here in the US wouldn't get all the way through the headline before starting the chant:
"We're number one! We're number one! Take that you slackers! We more than doubled China! Woohoo! U-S-A, U-S-A!"
The email system I really want
Is it too much to ask for an email system that the spammers strongly dislike? I know there will always be a bit of crap, but still... All of the major email companies live by the motto of "Live and let spam", and the spammers love filters, too. Hey if YOUR side (from the spammers' sociopathic perspective) of the marginal cost of spam looks like zero, then what do you care of the REAL costs of another million spams? If the spammer finds one more sucker, he thinks his RoI is infinity.
What I want is an email system that has integrated anti-spammer tools of such power that the spammers will understand that it is stupid to send ANY spam to that system. If they do, the users of the system will use the anti-spammer tools to cut the spammer away from his suckers before he can get any money. The spammers' websites will get nuked, their dropbox email addresses will get shuttered, their phone numbers will receive calls from the local police, the companies they slander will know and hopefully sue the spammers, and even their pro bono juju priests will fear the rain of shite. What would that email system be worth? Can you imagine no spam? (Well, actually I can't, because some spammers are amazingly stupid, but I certainly think that the clever spammers can be motivated to crawl under less visible rocks if they can't get any money.)
The #2 feature I want is scheduled delivery for future (local) times. However, that is a distant #2. There are a variety of other features that would be nice, too, but mostly it's the SPAM I do NOT want.
re..Looking at the figures
The problem in France is twofold..
1) It is not illegal for businesses here to send other businesses unsolicited email..
2) Most domestic users know just enough English to click on "to see my sexy pictures, click here, love Katrina"..
From the compromised machines I see belonging to friends and neighbors, and the French B2B spam that hits my business email addresses, I'm surprised the figure isn't higher, although the USA being highest doesn't surprise me at all. 'Scuse me while I check my credit rating and order that new electric wheelchair (apparently the US government will help me towards its cost). If one was to follow the money (that is to say, whose products/services are being pushed by the spam), the trail for almost all spam received worldwide leads back to US corps.
Re: re..Looking at the figures
"The problem in France is twofold..
1) It is not illegal for businesses here to send other businesses unsolicited email."
Ah - that might explain the incessant spam from Bigbillou, thanks to spam-friendly OVH. I would love to read of the demise of these scum.
inetnum: 126.96.36.199 - 188.8.131.52
descr: OVH SAS
descr: Dedicated servers