A lot of things have changed in the past 6 years (1997-2003):
Stocks, Accounting, War and Treason
- The Internet boom came shortly after SpamShield's initial release, July 1997
- Y2K came, and passed, and nothing god'dam happened, other than a boatload
of people making an even bigger boatload of money updating legacy systems
from way-back-then, that they should have programmed correctly to begin with.
- Then, the Internet bubble/boom was followed by the dot-com bust.
- A bust that started sometimes around the time when a clueless & witless
convicted drunk driver from Texas with a
25-year history of alcohol and drug-abuse, was declared President of the United States
by the Supreme Court. A court that thought counting votes fast was more important than
counting them right - and lifted a lying scumbag, insider-stock-dealing, unindicted
team of felons into the Whitehouse. Slow to realize that they'd set a trend, the
Supreme Court's principle of counting fast instead of counting right would soon become
an ever-recurring theme of the "New Economy" : the beginning of the end of a bright
and shiny future for the Internet - for now, at least.
With campaigns of fear, uncertainty and doubt (FUD) that many will easily
remember from the
1960's and 70's, this team of felons has already deprived the American people and
the world of more freedoms, liberties and justice than Osama BinLaden can ever dream
of depriving us in ten lifetimes. Welcome to the War on Everything TM
- Without a doubt, the bursting of the dot-com bubble has to be seen in this climate
of treason, betrayal, accounting and stock-fraud. The Internet is now ruled by
big business, with their clueless and witless
lawyers, appearing as litigious scumbags that will sue anything in their way that
even remotely threatens their existing business model - it's the American way after
all, and the rest of the world tends to follow us like lemmings: down the road,
against traffic in a one-way, or over and beyond the cliff with a 500 ft. drop:
the direction doesn't matter. We always have the satisfaction of being first though.
- Large ISPs/NSPs caught in the dot-com death spiral of mounting debt, stock price drops
of 98% and diminishing revenue and profits (what a dirty word!) are now writing pink
(dirty) contracts with spammers - because
if you're facing going Chapter 11, any revenue will do, no matter how dirty, and
especially if you can charge 5-10 times the going rates for a T1, with your financially
depressed upstream provider barely emitting a grunt. But dare the MPAA/RIAA finding
an MP3 or DIVX file on your servers, no matter that it was actually a copy of what
you legally bought, and the www-server copy was in unadvertized URL-space, just
for your own use.
- In this climate, complaining to ISPs/NSPs as an individual has become useless: only
massive complaints from diverse sources and threats of blackholing are keeping most
providers at bay, forced to remove spammers, at least the ones not paying premium
pink-contract rates. Reporting services like SpamCop.net,
which we highly recommend, are the only viable amplification of individual's
voices in the war on spam at this time.
- As the revolution progresses, it eats its children. And as we know, sometimes
brilliant ideas of a given time mutate into
something incredibly ugly and reactionary, using the ways and means once used
only by the revolution's enemies. Which of course by no means diminishes the
brilliance of the original idea itself.
- Vixie's original BGP and DNS-based RBL has not just mutated into a
but his original idea spurred a large variety of different blackhole lists,
now commonly called DNSBLs: DNS-based blocking lists. They don't do any
blocking on their own (only Vixie's BGP4-based feeds of the RBL did this) ,
but they are directory services, listing portions of the Internet's address space (and
some list domain names as well). They list hosts and networks by any criteria
human creativity has brought about: from
Spamhauses over lists describing networks belonging
to individual ISPs/NSPs, down to lists that describe countries : it's all there.
Sysadmins can do garden-variety shopping for lists
that fit their (and their corporation's) state of mind and general consensus, and then
proceed to deny service (and not just SMTP/email service) for entities appearing on such lists.
- SMTP mail relays are no longer open by default: Not Sendmail anyway,
but it's still easy to screw up and accidentially open a server for
relaying. A large number of open mail servers remain on the Internet, as the
statistics section at ORDB.org
will tell you. There is the general feeling that lots of these machines have been
abandoned in a corner under a desk somewhere, their owners don't care, their SAs have
been downsized, and their corporate overlords most certainly don't care about the security
threats emanating from them, or their impact on other systems in the world. Until the
evil scumbag lawyers working for their competitors that got cracked through these machines
find out, that is.
- open SMTP relays (or the information about their existence) are traded on a black market,
with prices ranging somewhere from $5 for a junk IP on a slow satellite link that is
listed on 5 DNSBL's, up to $100 for one not-yet exploited IP of a mail server sitting
on a quiet T1 of a dot-com in chapter 11 with "noone home". Needless to say honesty and business model
of such "open relay suppliers/traders" seems to intersect greatly with that of
professional carders, e.g.: hard-core credit card thieves and traders. Nothing like
selling the same damn cardz to 5 suckers simultaneously and making profits that would
make Enron blush and feel embarassed about their "corporate restraint" in the California
energy market. Meanwhile, the useless fucks at the FBI, busily building Ashcroft's new
police state, are busy busting people downloading MP3s and DVD-rips in their dorm rooms:
Political priorities. And a text book example how Jack Valenti's (or Hilary Rosens')
hush money can grease the wheels of power and set their priorities as straight as
New threats and mechanisms of email abuse have emerged since, with the most rampant ones being:
- Since about 2000, website hosters find spammers
uploading CGI programs like Merlin Pro (see explanation at
Spamhaus.org), that then turn their high-bandwidth-connected machines into
a spam factory with an output somewhere north of a million mails an hour. Most
of them woke up to this fairly quickly, filtering their web-hosting machines'
outgoing SMTP traffic properly, channelling it through their own mail servers,
where it could be controlled with programs like SpamShield TM.
It nevertheless brought about the need for DNSBLs that were relying on more
than just SMTP open-relay testing.
- Sometimes in 2001, open proxy servers of every kind (SOCKS, Squid) became popular
with spammers: no DNSBLs were covering them, they were easy to exploit, and there
were (and continue to be) more of them than open relays, most of which had finally
found their ways into DNSBLs and were starting to become useless to them.
- A large number of so-called "permission-based" marketers began to appear sometimes
after 1999. They come in all shapes and forms now, with most of them managing
their client's mailing lists extremely poorly: some of them are still "single-opt-in"
lists, easily abused with a a Perl script and the open proxy server of a Korean
middle school: keep running that "Millionz" CD against the sign-up form on their
website again, bro! "Permission-based" is already a muddied term: most if not all
of them do "affiliate marketing" : e.g.: taking the
email addresses obtained from a list owner (with his consent, and paying him),
and using them for a "related" mail campaign. Nevermind that consent cannot be
sold, and signing up for "Florida Redneck News" should not get you spam, err.:
mail from NASCAR. Some of these marketers are not taking SMTP "550 Go away, no
trespassing" lines for an answer, continue to email defunct and never-existing
accounts indefinitely into the future - or at least trying to: this kind of
trespassing scum even has a name now:
"Nadine"-spam. Or in other words: "This list is 87% permission-based, contents
may have settled during shipment". Thieves, trespassers or simply SPAMMING CRACKWHORES
are probably the best words to describe these "operations" that only do one
thing with complaints received: list-washing the lists in question, by removing
complainers, but keeping the other 10-90% involuntary members.
- MAILTO: HTML tags have become big "take me" signs for spammers, running spiders
scraping the world-wide-web 24hrs/7days for email addresses to steal and compile
into their "Millionz" lists. Basically, the idea of having a working MAILTO:
link on a webpage is not just a bad idea, it has become a thing of the past.
Illegal web-scraping (violating websites' terms and conditions that generally
permit viewing, but no further use of the data displayed) has largely replaced
and dwarfed stealing email addresses from Usenet - who's denizens saw the light
a lot earlier (about 1998) and began to obscure their email addresses in any
form imaginable, to derail Usenet email-address-scrapers.
Web poisoning, which remains a great way of putting sand into the grinding
wheels of the spam mills.
Some websites now have time-expiring, CGI-generated email addresses, real ones,
used to contact real people, with encoded IP and time/date-stamps of the
attacking spider/scraper: addresses that tend to expire within days, and are
subsequently usable as spamtraps. Sites like
Mailmoat and Mailexpire (currently
out of service) that manage "expiring" email addresses for users are beginning to
fill a great need.
- SMTP-cracking, or "SMTP dictionary attacks" came to light in the popular press
(in the form of a USA Today article, as far as we are aware) around 1999:
the process of illegally breaking and entering into ISPs and company's mail
servers via the SMTP mail service (and running RCPT TO:, EXPN or VRFY commands
against a pre-generated list of usernames found by first+lastname of users on
Usenet, and from addresses scraped/stolen from Usenet and the WWW).
It involves trying to uncover every account and email address on a system by means
of "trial and error". Given that virtually all computer systems are keeping
their list of users confidential, this is nothing short of illegal cracking, with
the intent to obtain one part (of two) of a telecommunications access device (TAD)
as defined by federal law: an account name and a password make up a TAD.
Needless to say that SMTP dictionary attacks can use up an extreme amount of
resources: we have seen attacks against DS-3 (45Mbps)-connected servers at
a rate of up to 2000 addresses per SECOND. Soon after, the thus stolen addresses
appear on "Millionz of verified email addresses!" CDs, abused for further acts
of illegal trespassing by either spam or a POP3 password-cracking attack. Thankfully,
there is defenses for this kinda of scanning as well: tarpitting the attacking servers,
by intentionally slowing down responses. A demonstration patch for the obsolete
Sendmail 8.9.0 is here, it's known
to work up to at least Sendmail 8.9.3.
In brazing acts, probably subjecting themselves to legal firepower greater than
their own, some spammers have gone as far as starting dictionary attacks against
the mail servers of public corporations, trying endless permutations of
the corporation's officers' names as listed in SEC disclosure documents, to crack
and get to these corporation's "decision makers" : what's
John Sidgemore's email address worth, anyway?