Date: 06 Aug 2002 10:25:53 -0700
From: Ken McGlothlen <mcglk@artlogix.com>
To: Roman Neuhauser <neuhauser@bellavista.cz>
Cc: questions@freebsd.org
Subject: Re: I KINDLY NEED YOUR ASSISTANCE
Message-ID: <86wur3x5jy.fsf@ralf.artlogix.com>
In-Reply-To: <20020806092046.GQ1066@freepuppy.bellavista.cz>
References: <5.1.0.14.0.20020804120643.02df9810@mail.face2interface.com> <20020805025023.K94408-100000@m-net.arbornet.org> <20020805091120.GB1066@freepuppy.bellavista.cz> <86it2p2mfn.fsf@ralf.artlogix.com> <20020805025023.K94408-100000@m-net.arbornet.org> <86n0s12mgo.fsf@ralf.artlogix.com> <20020806092046.GQ1066@freepuppy.bellavista.cz>
Roman Neuhauser <neuhauser@bellavista.cz> writes:

| this is somewhat schizophrenic for my taste. you block whole countries, but
| /dev/null'ing ALL CAPS SUBJECTS would be too tight?

Believe it or not, yes. I know how that sounds, but it's the unfortunate truth of spam. Most of the spam I get comes from South Korea, China and Brazil. That goes for the FreeBSD list as well. It has nothing to do with nationalism, linguistic bias, or anything like that. It *does* have something to do with culture, but only in a technological sense, in that sysadmins in those countries don't seem concerned with securing their servers or booting spammers.

If I had blocked all-cap subject lines (assuming "Re:" doesn't count), I would have missed out on the following messages just this month:

    08/01: IT'S A BOY!!! WHAT?! BRANDON
    08/02: CARING FOR THE ORPHAN KITTEN
    08/04: Re: I KINDLY NEED YOUR ASSISTANCE
    08/05: Re: I KINDLY NEED YOUR ASSISTANCE
           I'M SICK AS A DOG
    08/06: STILL SICK
           Re: I KINDLY NEED YOUR ASSISTANCE

All of those were legitimate messages. In fact, of my spam folder, the majority are mixed case.

Content filtering is prone to error, and easily defeated. I've seen filters that test for digits at the end of the subject line---a common tactic for spammers---which has generated false positives for subject lines of

    Remember our meeting this morning at 10

There are others, like "make money fast", which generates false positives on things like

    I hate those make money fast scams.

So I'm deeply skeptical of content-based approaches.
On the flipside, here's the spam I've blocked:

    08/01: From Marsha_Smoth@aeoz.com (via the Philippines)
           From gitmaster@hotmail.net (via South Korea)
           From rasheedbako@fedminofworks.com (via linkserve.com.ng)
           From Success@Microsoft.com (via China)
           From mqayyum@stylustech.com (via China)
           From mmaxwell@stylustech.com (via China)
           From mtc.niessen@stylustech.com (via genuity.net)
           mrivera1@stylustech.com (via China)
           Marketingwap@millenniumdata.com (via UUnet)
           mailer@sekisat.co.kr (via South Korea)
           denarii@sevenrich.com (via South Korea)
           yiuks8902@lycos.co.kr (via South Korea)
           godfingers@lycos.co.kr (via South Korea)
           master@sensekorea.com (via South Korea)
           jsn1@usa.com (via China)
           cinortyek2002@yahoo.se (via multi.fi)
           qm1ptga@netian.com (via South Korea)
           egabriel@oh.mah.se (via South Korea)
           tcltk1t@hotmail.com (via ntli.net)
           webmaster@imfashion.com (via South Korea)
           freeboy1972kr@yahoo.co.kr (via South Korea)
           bz119@korea.com (via South Korea)

I don't think I need to go into the other five days. You get the picture. Not a single legitimate email in the 94 spams people have tried to send me so far this month. (Anything not labelled "China" or "South Korea," by the way, was blocked by bl.spamcop.net.)

The problem isn't really the content, punctuation, or the spelling of the text inside the messages---it's the people that send spam, and the ISPs that permit them to do so. Blocking the messages at the connection level gives better results, reduces traffic, and encourages ISPs to implement antispam policies. Furthermore, the nice thing about a bounce message is that you can explain why you're bouncing the message. I also provide a sneakemail.com address that will get to me, so that if it's a legitimate email, it can be sent.

In the last year, I've only gotten *one* legitimate email from South Korea through that sneakemail.com address, from the administrator of kreonet.re.kr, who took the time to tell me about his new antispam policy---so I reinstated his network.
If more South Korean organizations were willing to take action against spammers, I'd remove the country-wide block.

| btw, besides the subjects, i also send to /dev/null aol, yahoo, juno, msn,
| lycos, etc, plus any other domain from which i receive a single spam
| message. 45 domains atm.

Also a bit sweeping, assuming you're going off the From address, which can (and usually is) forged. There's a lot of legitimate users at the ISPs you mention; /dev/nulling doesn't do anything to inform the sender (if legitimate) why the message bounced. Furthermore, the spam still makes it onto your network; even if it is being quickly /dev/nulled, it still took time to download and filter.

I have nearly 9000 hosts and subnetworks in my block list. I don't think I've ever had a false positive (the kreonet sysadmin sent directly to my sneakemail.com address after having scanned his maillogs collecting statistics on his freshly booted spammer). And if I did have a false positive, there's still a way to reach me that's clearly stated. The spam never even makes it onto my network.

So you might understand why I prefer the approach I'm using. Though I do admit to some discomfort about blocking entire countries, it's not actually schizophrenic.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
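The two approaches the message contrasts, as an added example that is not part of the original post or of anyone's mail setup described in the thread: the naive content rules the post criticises (all-caps subject, digits at the end of the subject, the phrase "make money fast") are evaluated against the legitimate subjects the post quotes, so the false positives are visible, and a connection-level decision is modelled by checking the client IP against a local CIDR block list and by building the reversed-octet query name a DNSBL such as bl.spamcop.net is asked for. The IP addresses and CIDR ranges are constructed for the example (RFC 5737 documentation ranges), the post's own list of ~9000 hosts is not reproduced, and no real DNS lookup is performed; the DNSBL answer is passed in as a flag.

```python
"""Content-rule false positives vs. connection-level blocking (added example)."""
import ipaddress
import re

# Legitimate subjects quoted in the post; every one of them was wanted mail.
LEGIT_SUBJECTS = [
    "IT'S A BOY!!! WHAT?! BRANDON",
    "CARING FOR THE ORPHAN KITTEN",
    "Re: I KINDLY NEED YOUR ASSISTANCE",
    "I'M SICK AS A DOG",
    "STILL SICK",
    "Remember our meeting this morning at 10",
    "I hate those make money fast scams.",
]


def strip_reply_prefix(subject):
    """Drop leading 'Re:' tokens so a reply header doesn't count as all-caps."""
    return re.sub(r"^(\s*re:\s*)+", "", subject, flags=re.IGNORECASE)


def rule_all_caps(subject):
    """True when every letter in the subject (after 'Re:') is upper case."""
    letters = [c for c in strip_reply_prefix(subject) if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def rule_trailing_digits(subject):
    """True when the subject ends in digits (the 'tracking number' heuristic)."""
    return re.search(r"\d+\s*$", subject) is not None


def rule_make_money_fast(subject):
    """True when the classic phrase appears anywhere, regardless of context."""
    return "make money fast" in subject.lower()


CONTENT_RULES = {
    "all_caps": rule_all_caps,
    "trailing_digits": rule_trailing_digits,
    "make_money_fast": rule_make_money_fast,
}


def false_positives(subjects=LEGIT_SUBJECTS, rules=CONTENT_RULES):
    """Map each rule name to the legitimate subjects it would have rejected."""
    return {name: [s for s in subjects if rule(s)] for name, rule in rules.items()}


# Constructed block list for the example (RFC 5737 documentation ranges).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reversed-octet name a DNSBL is queried for: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4-only example; IPv6 DNSBLs use reversed nibbles")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def connection_decision(ip, networks=BLOCKED_NETWORKS, dnsbl_listed=False):
    """Decide at SMTP connect time, before any message body is transferred.

    dnsbl_listed stands in for the result of resolving dnsbl_query_name(ip);
    a rejection carries a reason so the bounce can explain itself.
    """
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return ("reject", f"client {ip} is in blocked network {net}")
    if dnsbl_listed:
        return ("reject", f"client {ip} is listed in bl.spamcop.net")
    return ("accept", "")


if __name__ == "__main__":
    for name, hits in false_positives().items():
        print(f"{name}: {len(hits)} legitimate subject(s) would be rejected")
    print(dnsbl_query_name("192.0.2.10"))
    print(connection_decision("192.0.2.10"))
    print(connection_decision("203.0.113.5"))
```

Run against the post's own subjects, the all-caps rule rejects five of the seven legitimate messages, while the trailing-digits and "make money fast" rules each reject exactly the example the post gives; the connection-level decision needs no message content at all, which is why it can refuse before the body is downloaded.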