Date:      06 Aug 2002 10:25:53 -0700
From:      Ken McGlothlen <mcglk@artlogix.com>
To:        Roman Neuhauser <neuhauser@bellavista.cz>
Cc:        questions@freebsd.org
Subject:   Re: I KINDLY NEED YOUR ASSISTANCE
Message-ID:  <86wur3x5jy.fsf@ralf.artlogix.com>
In-Reply-To: <20020806092046.GQ1066@freepuppy.bellavista.cz>
References:  <5.1.0.14.0.20020804120643.02df9810@mail.face2interface.com> <20020805025023.K94408-100000@m-net.arbornet.org> <20020805091120.GB1066@freepuppy.bellavista.cz> <86it2p2mfn.fsf@ralf.artlogix.com> <20020805025023.K94408-100000@m-net.arbornet.org> <86n0s12mgo.fsf@ralf.artlogix.com> <20020806092046.GQ1066@freepuppy.bellavista.cz>

Roman Neuhauser <neuhauser@bellavista.cz> writes:

| this is somewhat schizophrenic for my taste. you block whole countries, but
| /dev/null'ing ALL CAPS SUBJECTS would be too tight?

Believe it or not, yes.

I know how that sounds, but it's the unfortunate truth of spam.

Most of the spam I get comes from South Korea, China and Brazil.  That goes for
the FreeBSD list as well.  It has nothing to do with nationalism, linguistic
bias, or anything like that.  It *does* have something to do with culture, but
only in a technological sense, in that sysadmins in those countries don't seem
concerned with securing their servers or booting spammers.

If I had blocked all-cap subject lines (assuming "Re:" doesn't count), I would
have missed out on the following messages just this month:

        08/01:  IT'S A BOY!!!
                WHAT?!
                BRANDON
        08/02:  CARING FOR THE ORPHAN KITTEN
        08/04:  Re: I KINDLY NEED YOUR ASSISTANCE
        08/05:  Re: I KINDLY NEED YOUR ASSISTANCE
                I'M SICK AS A DOG
        08/06:  STILL SICK
                Re: I KINDLY NEED YOUR ASSISTANCE

All of those were legitimate messages.  In fact, of my spam folder, the
majority are mixed case.

Content filtering is prone to error, and easily defeated.  I've seen filters
that test for digits at the end of the subject line---a common tactic for
spammers---which has generated false positives for subject lines of

        Remember our meeting this morning at 10

There are others, like "make money fast", which generates false positives on
things like

        I hate those make money fast scams.

So I'm deeply skeptical of content-based approaches.

On the flipside, here's the spam I've blocked:

        08/01:  From Marsha_Smoth@aeoz.com (via the Philippines)
                From gitmaster@hotmail.net (via South Korea)
                From rasheedbako@fedminofworks.com (via linkserve.com.ng)
                From Success@Microsoft.com (via China)
                From mqayyum@stylustech.com (via China)
                From mmaxwell@stylustech.com (via China)
                From mtc.niessen@stylustech.com (via genuity.net)
                mrivera1@stylustech.com (via China)
                Marketingwap@millenniumdata.com (via UUnet)
                mailer@sekisat.co.kr (via South Korea)
                denarii@sevenrich.com (via South Korea)
                yiuks8902@lycos.co.kr (via South Korea)
                godfingers@lycos.co.kr (via South Korea)
                master@sensekorea.com (via South Korea)
                jsn1@usa.com (via China)
                cinortyek2002@yahoo.se (via multi.fi)
                qm1ptga@netian.com (via South Korea)
                egabriel@oh.mah.se (via South Korea)
                tcltk1t@hotmail.com (via ntli.net)
                webmaster@imfashion.com (via South Korea)
                freeboy1972kr@yahoo.co.kr (via South Korea)
                bz119@korea.com (via South Korea)

I don't think I need to go into the other five days.  You get the picture.  Not
a single legitimate email in the 94 spams people have tried to send me so far
this month.  (Anything not labelled "China" or "South Korea," by the way, was
blocked by bl.spamcop.net.)

The problem isn't really the content, punctuation, or the spelling of the text
inside the messages---it's the people that send spam, and the ISPs that permit
them to do so.  Blocking the messages at the connection level gives better
results, reduces traffic, and encourages ISPs to implement antispam policies.

Furthermore, the nice thing about a bounce message is that you can explain why
you're bouncing the message.  I also provide a sneakemail.com address that will
get to me, so that if it's a legitimate email, it can be sent.  In the last
year, I've only gotten *one* legitimate email from South Korea through that
sneakemail.com address, from the administrator of kreonet.re.kr, who took the
time to tell me about his new antispam policy---so I reinstated his network.
If more South Korean organizations were willing to take action against
spammers, I'd remove the country-wide block.

| btw, besides the subjects, i also send to /dev/null aol, yahoo, juno, msn,
| lycos, etc, plus any other domain from which i receive a single spam
| message. 45 domains atm.

Also a bit sweeping, assuming you're going off the From address, which can (and
usually is) forged.  There's a lot of legitimate users at the ISPs you mention;
/dev/nulling doesn't do anything to inform the sender (if legitimate) why the
message bounced.  Furthermore, the spam still makes it onto your network; even
if it is being quickly /dev/nulled, it still took time to download and filter.

I have nearly 9000 hosts and subnetworks in my block list.  I don't think I've
ever had a false positive (the kreonet sysadmin sent directly to my
sneakemail.com address after having scanned his maillogs collecting statistics
on his freshly booted spammer).  And if I did have a false positive, there's
still a way to reach me that's clearly stated.  The spam never even makes it
onto my network.

So you might understand why I prefer the approach I'm using.  Though I do admit
to some discomfort about blocking entire countries, it's not actually
schizophrenic.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
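As an added illustration (not code from the message above or from the FreeBSD project), the two approaches it contrasts side by side: the subject-line heuristics that produce the false positives Ken describes, run over the subject lines he quotes, beside a connection-level check against a local CIDR block list followed by a DNSBL query of the bl.spamcop.net kind, rejecting with a message that explains why and how to reach the recipient. The block-list networks, IP addresses and contact address are constructed placeholders, and the DNSBL lookup is injected as a function so the example runs offline.

```python
import ipaddress
import re

# --- Content-based rules of the kind the message criticises ----------------
RE_PREFIX = re.compile(r"^(?:re:\s*)+", re.IGNORECASE)
TRAILING_DIGITS = re.compile(r"\d+\s*$")
MAKE_MONEY_FAST = re.compile(r"make money fast", re.IGNORECASE)


def content_filter_hits(subject: str) -> list[str]:
    """Names of the subject-line rules that would flag this message."""
    hits = []
    stripped = subject.strip()
    body = RE_PREFIX.sub("", stripped)          # "Re:" does not count
    if any(c.isalpha() for c in body) and body == body.upper():
        hits.append("all-caps")
    if TRAILING_DIGITS.search(stripped):
        hits.append("trailing-digits")
    if MAKE_MONEY_FAST.search(stripped):
        hits.append("make-money-fast")
    return hits


# --- Connection-level checks ----------------------------------------------
# Constructed placeholder networks (RFC 5737 documentation ranges), standing
# in for a real host/subnet block list.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
CONTACT = "reach-me@example.invalid"   # placeholder for a sneakemail.com-style contact


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Standard DNSBL query name: the IPv4 octets reversed, then the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def connection_decision(ip: str, dnsbl_listed) -> tuple[bool, str]:
    """Decide at SMTP connection time, before any message body is downloaded.
    dnsbl_listed(name) -> bool is injected so this runs without real DNS."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_NETS:
        if addr in net:
            return False, (f"550 {ip} is in a blocked network ({net}); "
                           f"legitimate senders may write to {CONTACT}")
    if dnsbl_listed(dnsbl_query_name(ip)):
        return False, (f"550 {ip} is listed by bl.spamcop.net; "
                       f"legitimate senders may write to {CONTACT}")
    return True, "250 OK"
```

Running content_filter_hits over the quoted subjects shows every one of the legitimate examples tripping a rule, while connection_decision never looks at the subject at all.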




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86wur3x5jy.fsf>