[Coco] Re: Thanks for the Princeton Bit.Listserv.CoCo Mail List. DRAFT

John E. Malmberg wb8tyw at qsl.net
Tue Feb 3 00:41:50 EST 2004


Stephen H. Fischer wrote:
> 
> The gateway from Usenet needs to be investigated to make sure that no SPAM
> can get in that way. The SPAM posted to Usenet CoCo newsgroup is not under
> the control of the listserver, there is no method to stop it from being
> posted, but it can be kept out of the mailing list. It will have to wait
> until the problem is solved Internet wide. I have heard a promise about
> e-mail by 2006 but no words about newsgroups.

You have the facts wrong.

The spam is coming from the mailing list server input, not from the 
newsgroup.

If the Princeton mail server shuts down, or the link from it to 
bit.listserv.coco is broken, 99.999% of the spam in the newsgroup will 
stop immediately.

There are less than 5 spam postings per year in bit.listserv.coco that 
did not originate from the Princeton mail server.

For several years, I reported all the spam that came in through 
spamcop.net and checked where the spam was coming from, so I know what I 
am writing about.

If you look at the newsgroup postings, that may not be evident until 
you look at the posting address.  If it is "dex.pathlink", then the 
posting came from the mailing list.  If that text is missing, it came 
from the newsgroup.

You will be hard pressed to find any spam with that text missing.

From the mailing list, the same text is present in the header.  When 
looking at the headers of mail received from the Princeton mailing list, 
you will almost never see "dex.pathlink" present in spam.  You will 
likely have to look for almost a year of archives to find a spam posting 
that originated from the newsgroup.

From a content filter perspective, on the mailing list, you can 
whitelist with no further checks if "dex.pathlink" is present.

And for content filtering from the newsgroup, you can whitelist all 
postings where "dex.pathlink" is missing.


The Princeton mail server is the listserver, and is effectively acting 
as an open relay for known spam sources.  The listserver has total 
control of the spam, and should easily be set to eliminate it.

The SpamAssassin settings for the Princeton mail server are incorrect. 
They are not using the proper metrics and as a result are incorrectly 
flagging real posts as spam.  So the tagging that they are doing cannot 
be used by end users without losing real posts.  This should be 
extremely easy to fix.  But that fix would still let through the recent 
forged subscriptions as most of them are not from previously identified 
spam sources.

The gateway software to the newsgroup is also slightly defective.  It is 
not properly reporting the source of the mail messages as it should be. 
Instead of the source address, it is putting a random address from the 
mail posting.  If it were posting the correct source I.P., then almost 
all of the spam could be separated from the real postings without 
looking at the content.


Without the troll's subscriptions, all the spam that is coming into the 
Princeton mail server is coming from known compromised computers, or 
from known professional spam operations.  And at least 99% or more of it 
can be removed from the Princeton mail server with a simple change to 
the mail server that will not cause any real postings or real e-mail to 
be affected.


Any mail server that is accepting e-mail from known open proxies is 
going to get the same spam that the Princeton list is getting.  It is a 
waste of CPU cycles, bandwidth and disk space to accept e-mail from a 
known open proxy.

Princeton is rejecting spam from open relays.  The difference between an 
open relay and an open proxy, from a mail server perspective, is that an 
open relay might send a real e-mail once in a while, while the chance of 
an open proxy sending something other than spam is virtually nil.

So any mail server that is rejecting spam from open relays really has 
no excuse to be accepting spam from open proxies, except for ignorance 
by its management.


Roger Taylor wrote:
> I really think that someone from the list actually did attack the
> list, probably more than one person, after some real heated battles
> were going on.

There is no evidence to support this.  The same spam is hitting all mail 
servers that accept e-mail from known compromised machines, or from 
machines known to be owned by spammers.

The xbl.spamhaus.org will block most of these without blocking any real 
e-mail.  The sbl.spamhaus.org will block the professional spam gangs.

The xbl.spamhaus.org has been operating as cbl.abuseat.org for over a 
year, and there have been zero reports on any forum that I monitor of any 
real e-mails being blocked by it.

All users have reported a significant and reliable reduction in spam.

But it is clear from analysis of the spam that was infecting the 
Princeton list before July 2003, that it was not any higher than the 
spam attempting to be delivered to all networks.

> There were a lot of porn messages that started coming in that said
> the Princeton list was subscribed.

That is a standard lie that the spam contains.  Almost all spam says 
that.  If anybody clicks on the unsubscribe list, it either does 
nothing, or just signs up what ever address that was being unsubscribed 
with more spam.

Anyone that was attempting to unsubscribe the Princeton list from the 
porn spammers was really just signing it up for more spam.

The FTC issued a warning about that a few years ago.


It is quite clear that until the troll attacked the Princeton mail list, 
the only spam that was on it was because Princeton is not up to date 
with keeping spam out of mail servers.

The stats on the spam sources of the Princeton mailing list before the 
troll matched the stats from other measuring points on the web on the 
amount of spam their domains were rejecting.  And that basically proves 
that no member of the list before this summer deliberately caused any 
spam to be sent to it.

The spam was coming in through poor mail server management, nothing more 
sinister than that.  And easily corrected.

But as we have no official standing with Princeton, we cannot request 
that they start operating their mail server or even the mailing list in 
a way that reliably keeps the spam out without blocking real e-mail.

The way they are doing it now is needlessly increasing their expense, 
which will cause them to have to cut back in other areas, or increase 
tuition, beg for more donations.

But let's put it to rest: when the spam started, it was not because 
someone attacked the list.

The first wave of spam came after Korea passed a pro-spam law similar to 
the one that the U.S. Congress just passed, and the response of the 
Korean spammers resulted in almost every mail server in the world no 
longer accepting any e-mail from Korea.  Korea has changed their law, and 
now has jail terms for spamming; as a result, most of the Korean spam is 
gone.  There are a few rogue Korean ISPs left, but the bulk is gone.

The second and subsequent waves of spam were from open proxies that are 
apparently installed by viruses like SOBIG.  These spam sources are 
reliably identified by resources like the xbl.spamhaus.org and other 
open proxy lists within a few minutes of their spam runs.

-John
wb8tyw at qsl.net
Personal Opinion Only
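The two filtering rules John describes, whitelisting list traffic on the presence of the "dex.pathlink" token and rejecting connections from hosts listed in xbl.spamhaus.org / sbl.spamhaus.org, can be put together in a few lines of Python. The block below is an added example, not code from the post or from the Princeton listserver; the sample messages, the host names and addresses in them, and the offline stub resolver are constructed for the example. Only the "dex.pathlink" token and the two Spamhaus zone names come from the post.

```python
"""Added example: header-token whitelist plus DNSBL check for inbound list mail."""
import re
import socket
from email import message_from_string, policy
from typing import Callable, Optional

XBL_ZONE = "xbl.spamhaus.org"   # compromised hosts / open proxies (named in the post)
SBL_ZONE = "sbl.spamhaus.org"   # professional spam sources (named in the post)
LIST_TOKEN = "dex.pathlink"     # present in headers when a post came via the list

# Matches the bracketed peer address a typical Received: header records.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the dotted quad reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def connecting_ip(raw: str) -> Optional[str]:
    """Peer IP from the topmost Received: header (the hop our server added)."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(str(received[0]))
    return m.group(1) if m else None


def came_via_list(raw: str) -> bool:
    """True when any header carries the gateway token the post describes."""
    msg = message_from_string(raw, policy=policy.default)
    return any(LIST_TOKEN in str(value) for value in msg.values())


def live_resolve(name: str) -> bool:
    """Real DNSBL lookup: a listed address answers with an A record, an
    unlisted one yields NXDOMAIN.  Not used by the offline demo below."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def classify(raw: str, resolve: Callable[[str], bool]) -> str:
    """Return 'whitelist', 'reject', or 'scan' (hand to the content filter).

    resolve(name) must return True when the DNSBL zone lists `name`.
    """
    if came_via_list(raw):
        return "whitelist"          # list traffic: no further checks, per the post
    ip = connecting_ip(raw)
    if ip is None:
        return "scan"               # no usable source address: fall back to content
    for zone in (XBL_ZONE, SBL_ZONE):
        if resolve(dnsbl_query_name(ip, zone)):
            return "reject"         # known open proxy / spam operation
    return "scan"


# --- constructed sample data (documentation address ranges, made-up hosts) ---
VIA_LIST = (
    "Received: from listserv.princeton.example ([203.0.113.10])\n"
    "\tby mx.example.net with SMTP; Tue, 3 Feb 2004 00:41:50 -0500\n"
    "Path: dex.pathlink!listserv.princeton.example!not-for-mail\n"
    "From: member@example.org\nSubject: CoCo question\n\nBody\n"
)
FROM_PROXY = (
    "Received: from unknown ([192.0.2.7])\n"
    "\tby mx.example.net with SMTP; Tue, 3 Feb 2004 00:41:50 -0500\n"
    "From: spam@example.com\nSubject: ad\n\nBody\n"
)
FROM_CLEAN = (
    "Received: from mail.example.org ([198.51.100.5])\n"
    "\tby mx.example.net with SMTP; Tue, 3 Feb 2004 00:41:50 -0500\n"
    "From: someone@example.org\nSubject: hello\n\nBody\n"
)

# Stand-in for DNS so the example runs offline: one constructed listed address.
LISTED = {"7.2.0.192.xbl.spamhaus.org"}


def stub_resolve(name: str) -> bool:
    return name in LISTED


if __name__ == "__main__":
    for label, raw in (("via list", VIA_LIST), ("proxy", FROM_PROXY), ("clean", FROM_CLEAN)):
        print(f"{label:9s} -> {classify(raw, stub_resolve)}")
```

To run it against the real zones, pass `live_resolve` instead of `stub_resolve`; the whitelist step still short-circuits the lookup for list traffic, which is why the token check comes first. On the newsgroup side the rule inverts, as the post says: absence of the token is the whitelist condition.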