BIGGEST DDoS ATTACK IN HISTORY hammers Spamhaus Anti-spam organisation Spamhaus has recovered from possibly the largest DDoS attack in history. A massive 300Gbps was thrown against Spamhaus' website but the anti-spam organisation was able to recover from the attack and get its core services back up and running. CloudFlare, the content delivery firm hired by Spamhaus last …
@handle - that's not necessarily the case. Spamhaus is the reason I can't use a desktop email server (which I started after an important ISP-server email disappeared into the blue costing me a large wad...with a desktop server, it gets delivered, or you get an error message...either way you know whether it got through).
They do have a very high-handed attitude...it's basically "fuck you if you don't like it; but you're not sending emails from that (ISP's) IP range". And it's not just spammers who are effected. I admit that I'm probably a minority here; but they did put a serious spanner in my day-to-day operations.
"your ISP's IP range gets listed if your ISP asks for it to be listed. or if the SPECIFIC IP has been used to spam repeatedly.
which part of that is hard to understand?"
Sorry, but that simply is not true. They will do blanket blacklists of IP ranges that THEY consider (based on outdated IP range lists) for example "dyncamic IP ranges". This is totally unrelated to any actual spam activity but they don't give a f'ing damn to adjust those lists to prevent from innocent/legitimate users being seriously effected by their listings. A lot of those ranges are not valid anymore because them have been re-assigned since "we are running out of IPv4 addresses"...
But to make it also clear, I do not condone the actions that some people have taken to get back at them. But SpamHaus and a couple other vigilante black list distributors need to make sure they are actually targeting the real bad guys and not just everybody else in "the neighborhood" as well...
They may well do, but what is the alternative? white list every single person who parks on an IP address, sends 10,000 spans and then switches off and moves on, with very little traceability?
The point is by REQUIRING email to go THROUGH a responsible authenticated relay someone is able to STOP ABUSE.
Its a bit like saying 'I have a Porsche that is capable of driving 140mph in safety up the M1, why am I not allowed to do it?' and the simple answer is, because plenty of people who are not able to do it safely or at all, need to be restricted to what they can in fact handle. Get yourself a race track, or rent someone else's.
And the answer for mail is the same, you wan run your own mail server? well get on a fixed IP address and run it. And preferably not with an ISP that is full of dorks sending penis enlargement pill adverts.
As I understand it, Spamhaus adds IP space either because spam originates there, or because it hosts web sites that are being promoted by spam (which in many cases may come from elsewhere such as botnets). They call this 'spam support'. Responsible hosts will generally clear out such spam support services. Some are clueless, and some actively decide to take spammers money in return for 'bullet proof' services - i.e. not pulling the plug for abuse of the AUP.
In such cases, Spamhaus can escalate blocks - effectively enlarging the range of IP space covered by a block to turn the screw on the host, because it starts to cover their legitimate business customers as well as the spammers on their network. The idea is that miscreant networks will find that they end up losing legitimate customers if they continue to provide service to illegitimate ones.
One can argue about whether such actions are justified, but ultimately it's up to any network to decide whether it wants to use Spamhaus's lists or not.
My personal opinion is that Spamhaus does an excellent job, and forcing networks to choose between legit business and spammers is fully justified. It's bad if it affects your company or personal email, but you should vent spleen at your network for whatever spam problem has caused Spamhaus to list them, rather than at Spamhaus.
It's difficult to run a mail server at home any more due to the lengths mail server administrators must go through to limit incoming spam. Dynamic IP? Sorry, my mail server won't accept your messages. R-DNS or MX doesn't resolve correctly? See ya. Listed on Spamhaus, SpamCop or Manitu? Not takin' your message. Oh yeah, send more messages my honeypots so my bayesian filter get even better....those addresses have been spread far and wide! Throw in a good dose of greylisting, backscatter protection and tarpitting and I manage to block *almost* all incoming spam (which currently makes up 57.5% of my servers' incoming messages). It really does make it rough for the "guy at home" trying to run a mail server though...nobody but the spammers to thank.
As for getting de-listed from Spamhaus...I've done it, shortly after switching providers a few years ago. It was not a huge deal, I contacted my ISP (again, you probably won't get much help from them with a "consumer" account...I didn't have problems since I have a business-class service) and it was resolved within a day.
You forgot to mention DKIM and SPF :-)
Difficult to get working, but can be done. Also, it helps if you choose an ISP which doesn't segregate its home and business IP addresses into different ranges. It's not supposed to be easy though.
One ISP I used in the past would only open port 25 once it had tested the configuration of your mail server to make sure it wasn't an open relay.
It's difficult to run a mail server at home any more due to the lengths mail server administrators must go through to limit incoming spam
I manage it. I'm not running it on a souped up Cray either. Just a Fit-PC2. 1.1GHz of Intel Atom goodness(*) with 1GB of RAM and Windows 7. On a typical day it gets several dozen spam mails sent to it and sometimes a week or two of someone attempting a dictionary attack. Seems to run fine for me. I'll concede that since we use disposable addresses 99.9% of the spam is sent to the bit bucket without ever reaching a users inbox but since I'm filtering by RCPT TO it still has to be downloaded.
Good old VPOP3.
(*)Stop laughing at the back. It consumes less than 10w of power an hour.
You mean it runs on just ten Watts. A Watt is a unit for the rate of use of energy. What you pay for are units of energy. You could have said 0.01 kw/h per hour ... perverse but correct.
BTW I run an Atom server as well, though I'm wondering if it should morph into a Rasberry Pi soon.
Sounds good, do you use it to send outgoing mails too? I run an SME server linux distro at home and have absolutely no problems with spam - yes, we get a few, but no more than with other providers. Having said that, I won't even bother to let it send mail out directly, as I'm using a BT dynamic address. And yes, I use a dynamic DNS service.
Don't you mean "it consumes less than 10w"? Sorry...
"@handle - that's not necessarily the case. Spamhaus is the reason I can't use a desktop email server (which I started after an important ISP-server email disappeared into the blue costing me a large wad...with a desktop server, it gets delivered, or you get an error message...either way you know whether it got through)."
No, Spamhaus is not the reason you can't use a desktop email server. Spamhaus doesn't prevent you from doing so; it simply lists your desktop email server for what it is, and other folks choose not to accept email from it.
Let's put the blame where it belongs. It is not Spamhaus' fault you can't do what you want; it's the SPAMMERS' fault you can't do what you want. I'm sure you're 100% legit and would never send unwanted commercial email, but for almost everyone else running desktop email servers--sometimes without their knowledge or consent--that is most decidedly not the case. The collective Internet has finally thrown up its hands and said "enough."
Spammers are why we can't have nice things. Blame them. They're the villains here.
It's about power and control. Spamhous have achieved a powerful position and can now effectively decide who can send email and who cannot. They must use this power responsibly. There used to be a time when SMTP was a system that forwarded email for anybody needing it. Those open SMTP servers have been secured due to abuse by spammers.
>It's about power and control. Spamhous have achieved a powerful position and can now effectively decide >who can send email and who cannot. They must use this power responsibly. There used to
Wrong on soooo many levels. Spamhaus publish an RBL. It's up to server owners and ISPs to decide whether they use it or not.
>Let's put the blame where it belongs. It is not Spamhaus' fault you can't do what you want; it's the SPAMMERS' >fault you can't do what you want. I'm sure you're 100% legit and would never send
Indeed. And while we are at it - all those mailservers that don't bother checking the SPF entries to see if an IP address is allowed to send mail for a domain - well - you are the ones causing me to get hundreds of bounce messages to my home domain because the spamming scum are forging emails that look like they are coming from my domain. And no, my server isn't cracked. No, my home machines are not running any worms or trojans. If the mail servers bother to check the source IP, they'll find it's a US IP address (mostly) and NOT AUTHORISED TO SEND EMAILS PURPORTING TO BE FROM MY DOMAIN!
Bah. It's almost enough to want to you nuke the source IP.
Exactly so.
If you want to control your mail, do what I did: get a virtaul server on a fixed IP address that is yours and yours alone, and set it up as an SMTP receiverer and (authenticated) relay and use it.
THEN when 70% of your incoming mail is from spambots, do what I also did, Configure it to use spamhaus and watch the spam reduce by a factor of 8.
You might also do as I did and monitor its logs to see what us being junked. I never found after a weeks worth of logs were picked through line by line ONE SINGLE email that was valid, rejected.
Compare and contrast google mail which routinely rejects mail I send to people on a mailing list t 'because there are too many recipients on the bcc: list' I.e. it is unable to tell whether a mail addressed to many people who are NOT mentioned in the To: line for privacy reason, is spam, or genuine desired mail.
Spamhaus is the reason I can't use a desktop email server
Uhm, and the fact that many MTA admins, myself included, have turned on the demand for an associated PTR record before incoming mail is accepted has nothing to do with that ?
Sorry but I think you make a bogus argument; chances are very high your desktop MTA also wouldn't be able to drop mail to any of my servers, AOL's servers, Microsoft's Hotmail / Outlook servers (these also start to adopt the Sender Policy Framework btw) and most likely Verizon's.
Even without the help from Spamhaus. Simply because your IP most likely doesn't meet quite a few demands.
and it should be pointed out they are a commercial organisation. They have two companies registered, one is the charity, the other is the business - which is now very powerful and can dictate whoever remains online or not... ironically their profit-earning business (which is very lucrative) sends out huge data-streams, a lot of which are considered spam. :)
@moiety, if were trusting your ISP to handle any part of the sending, receiving or even whispering loudly about your email, when said email could have an, er, "large wad" riding on it, then consider it a salutary lesson that I should think many of us here have learned to our cost in our early days. ISP-provided mail services, even down to outgoing relays, are a horrible liability.
And WTF is a "desktop email server"? Serious question.
Exactly his point. I run a 'desktop' email server. Actually a Linux box but to send to AOL I have to set my smarthost to my ISP SMTP. Email arrives at peoples inbox much quicker if I send it directly from my server. I just need a way of redirecting only those that must go through my ISP.
You can certainly run a mail server on a desktop if you wish, but you'd do well to relay outgoing email from it through a smarthost which Spamhaus doesn't block, e.g. your ISP's smarthost, and which doesn't block you due to not knowing your address as one of theirs or if it can't authenticate you, or due to you sending more than the smarthost operator policy allows. It also helps greatly if you have a static IP address, or one which changes very, very infrequently for incoming mail. You'll have to ensure the incoming domain MX record is pointed at your IP address, preferably dynamically if you IP changes.
I've done this experimentally and successfully for small volumes for years, but I put my production email server and services for non-experimental work on a £15/month hosted virtual machine which has a static IP. I use the production email server as my own smarthost, and use authenticated SMTP from my home system to relay outgoing.
"Spamhaus is the reason I can't use a desktop email server"
Bull. You can most certainly run your own server to accept mail for your domain - I don't think there is anybody using ANY DNS RBL to filter where they send mail TO.
And for sending outbound email - if you cannot configure your email server to use a smart relay to another server, such as your ISP's server, then you probably aren't going to configure your mail server correctly in other areas, such as relaying spam.
The gold coins are closer to the nut than you apparently realize. I'm not saying that you can somehow remake the spammers into decent human beings. I'm saying that if you take away their "gold coins", then most of them would crawl under less visible rocks. That is why I think there should be a larger focus on breaking the spammers' business models at the downstream end, not upstream where Spamhous and Microsoft have been firing their big cannons.
The usual numeric analysis focuses on the small return ratio of the spammers, but we should think of it differently. The key ratio is the LARGE number of people who hate spam versus the SMALL number of suckers who feed the spammers. What we need are better tools to allow the large number of spam-haters more actively cut the spammers away from their small number of suckers and victims. Given how much value it would add to their email systems (and Yahoo should be especially desperate for value these days), I really don't understand why they don't integrate such tools into their email systems.
Let me pick a really trivial example, the spammers who are using link shorteners from LinkedIn and Twitter to route their suckers. They are obviously doing this because the links last long enough to reach some suckers, so the obvious countermeasure is to negate those links more quickly. (Actually, cutting the links would be less effective than redirecting them at some webpage that would educate or scare the suckers who have clicked on them.) The email system should have a mechanism to report the problem, perhaps even with an incentive if you're the first annoyed person to report the link.
Am I the only person who would like to feel I am personally making the spammers' miserable lives even more miserable? I don't think so--but it wouldn't take too many people like me with better spam-fighting tools to really cut the spammers.
"That is why I think there should be a larger focus on breaking the spammers' business models at the downstream end, not upstream where Spamhous and Microsoft have been firing their big cannons."
Fully agree with you there.
What we need are better tools to allow the large number of spam-haters more actively cut the spammers away from their small number of suckers and victims."
I've worked on developing anti-spam tools for some time. A problem here is that the primary motivation for doing so is to get a cleaner message stream without losing wanted messages. Putting spammers out of business has to be secondary to this primary objective. Spamhaus have done excellent research here also, which has led to prosecutions and jail terms. But the need to have a very low false positive rate means some false negatives inevitably get through, enough probably for the small proportion of suckers to support the spammer business model.
So I agree with what you are trying to achieve, but I think this probably needs to be recast as a social, educational and legal solution, because it probably can't be handled as a technical model without very major changes to the email model as it now exists. It might become possible to do more of the latter in the sense of requiring much higher authentication and reputation lookup standards when accepting SMTP over IPV6, and then everyone gradually letting IPV4 SMTP become marginalised before switching it off entirely.
"I've worked on developing anti-spam tools for some time."
I have another - possible - solution.
The crux of the matter is that spam is basically cost-free to the sender. Imagine an ISP or email service that would let a user send out, say, 5,000 emails a month for free. (That's an arbitrarily-chosen number, used for the sake of illustration.) After that allowance is exhausted, the user must pay - again, using arbitrarily-chosen figure - a penny for each additional 100 emails.
5,000 emails is a lot of email but many, many orders of magnitude less than what a spammer needs to send in order to make a profit.
Now imagine if several such ISPs allowed its users the option to only accept email from similar ISPs/email services. Spam would no longer be cost-free to the spammer, and spam sent from non-participating ISPs/email services would be immediately rejected. (Not even returned to sender; just consigned to the bit bucket.)
This is not a complete plan, obviously, (and Microsoft had the idea of charging a very nominal sum for sending emails quite a few years ago), but considering the huge number of spamming emails that must be sent in order to make any money for the spammer, I would think that this would seriously reduce and might even come close to eliminating spam.
let's see....
A DDOS attack this size takes time, effort and $$.
Spamhaus provides a service which hurts a rather infamous sector of the intarwebs, and seriously helps quite a number of operators to keep the headache down to a minimum.
This sector, by all accounts over the last two decades, has proven to be very profitable for people with the proper mercenary attitude.
Even the Big Ten of monopolists bad guys nowadays have not garnered enough ärger to get the fanatics up upon the Barricades for something this size. If Anonymous, or any other activist society could ever agree on [something] they might take a shot, but at the moment it simply isn't there.
If it isn't the "Good Guys" , then it's the Opposition. Occam's Razor, a close shave every time.
This post has been deleted by its author
both beaten by Auntie at 27 March 2013 Last updated at 13:03.
But it just goes to show what is going on out there and probably a sign of things to come. I wonder if my boss will be glad I insisted our DDoS solution to give protection against R-DNS attacks in addition to the usual Layer 3/4 and 7 attacks.
And there will have to be some re-writing of vendors material now. 300?! mighty big stuff.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
