Chris Lewis | 5 Sep 2011 18:25

Re: Blacklisting email accounts?

Sorry for the old post - deliverability issues.

On 08/30/2011 06:08 PM, Jason W. wrote:

> With PCs being owned and email accounts being owned, has anyone
> considered blacklisting individual email accounts? Within the past
> month, I've gotten an influx of spam from people who I have
> communicated with. Given the content, I doubt these people would be
> sending me random links to foreign websites designed to own my PC.
> Some of these senders are people who I haven't communicated with in
> years, but my email address is probably in their email box or address
> book. It's all been consumer-grade email (Comcast, AOL, Yahoo, etc.)
> from people for whom it would not be a stretch to imagine them getting
> owned.

Consider the following points:

- Most "infected user" spam is designed from the very beginning to be
difficult or impossible to tell _who_ is infected.  Why would the
spammers make the ISP's (or our) job easier?  Believe me, they don't;
they make it as hard as possible.

- If you get bot spam, you can be virtually certain someone else is
getting bot spam forged in your email address.  It doesn't mean you're
infected.

- Your proposal could naively be implemented by "blocking every from
address ever seen in spam".  Most spam is forged.  We'd _all_ be
blacklisted.  Heck, some bots specialize in forging the from to be the
recipient.  You'd be blacklisting yourself ;-)

Martijn Grooten | 5 Sep 2011 20:08

Re: Blacklisting email accounts?

> - few users would be able to reliably and accurately determine _who_ was
> infected, and there'd be far more false positives than true positives.

And even blocking only the true positive addresses, i.e. only the ones that have really sent spam, is likely
to cause a lot of false positive emails.

I do agree that spam sent from friends' compromised accounts is a serious problem (and not just for email:
also on Facebook, Twitter etc.). Not because of their quantity but because they are less likely to be
blocked by spam filters and more likely to be believed to be genuine.

However, effectively blocking someone from sending email sounds like a cure worse than the disease.

Also, I know of cases where people who seemed to adhere to all the good practices had their accounts
compromised. I don't see much educational value in telling people that they did something wrong, we're
not sure what, but we hope the punishment will stop them from doing it again.

Martijn.

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Al Iverson | 5 Sep 2011 20:44

Re: Blacklisting email accounts?

On Mon, Sep 5, 2011 at 1:08 PM, Martijn Grooten
<martijn.grooten <at> virusbtn.com> wrote:
>> - few users would be able to reliably and accurately determine _who_ was
>> infected, and there'd be far more false positives than true positives.
>
> And even blocking only the true positive addresses, i.e. only the ones that have really sent spam, is
> likely to cause a lot of false positive emails.
>
> I do agree that spam sent from friends' compromised accounts is a serious problem (and not just for email:
> also on Facebook, Twitter etc.). Not because of their quantity but because they are less likely to be
> blocked by spam filters and more likely to be believed to be genuine.
>
> However, effectively blocking someone from sending email sounds like a cure worse than the disease.

I actually tested this back in 1999/2000. I created an experimental
filter called FAD - From Address Deterrent, and I tried to convince
Vixie to incorporate it into MAPS. Chris and Martijn are spot on --
even back then, the vast majority of spam had forged from addresses,
and you ended up blacklisting a harmless, unrelated party. Doing the
math on my big spamtrap feeds a few years later, I found that spammers
seemed to change the from address an average of once every third email
message. My math was simplistic but the point was sound, in that
spammers have enough from addresses to rotate their way around that kind
of blocking too easily. Look at the amount of spam that comes from
somebody with an address "near" yours -- they're often taking spam
list entry #701 (the last sucker they spammed) and using that as the
from address when spamming list entry #702 (you).

From address blocking, or even from domain blocking, is only going to
catch a bit of mainsleaze and a lot of ESPs. Whether or not you want

John Levine | 5 Sep 2011 23:22

Re: Blacklisting email accounts?

>- Most "infected user" spam is designed from the very beginning to be
>difficult or impossible to tell _who_ is infected.

This wouldn't be useful for bots, but I could see it for stolen
account spam.  I get a surprising amount of it -- every day after I
send out the spam reports, I invariably get back several responses
from postmasters saying, sigh, another phished account.  For bot spam,
you can just block all mail from the IP, but for stolen accounts, the
system is OK, and it's just the one address that's spamming.

In my experience, it's not hard to tell the difference.  With stolen
accounts, the address matches the received lines, and the received
lines generally have a familiar form of a webmail or Exchange server.

R's,
John
Chris Lewis | 6 Sep 2011 05:12

Re: Blacklisting email accounts?

On 11-09-05 05:22 PM, John Levine wrote:
>> - Most "infected user" spam is designed from the very beginning to be
>> difficult or impossible to tell _who_ is infected.
> 
> This wouldn't be useful for bots, but I could see it for stolen
> account spam.  I get a surprising amount of it -- every day after I
> send out the spam reports, I invariably get back several responses
> from postmasters saying, sigh, another phished account.  For bot spam,
> you can just block all mail from the IP, but for stolen accounts, the
> system is OK, and it's just the one address that's spamming.
> 
> In my experience, it's not hard to tell the difference.  With stolen
> accounts, the address matches the received lines, and the received
> lines generally have a familiar form of a webmail or Exchange server.

In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust.  That
applies for sendsafe-style infections - the originating IP is a _bot_,
and the email is sent via AUTHSMTP (which usually doesn't nail the
From:).  The provider can tell who it was.  The recipient can't.

With the freemails, you usually don't get a reliable email address.
Except for that "break in and spam contact list" variety.  Which are
quite rare (but highly noticeable when you see one).

Then there's another issue.  How do you signal the DNSBL when the
compromise is fixed?

Jason W. | 6 Sep 2011 07:18

Re: Blacklisting email accounts?

On Mon, Sep 5, 2011 at 5:22 PM, John Levine <johnl <at> taugh.com> wrote:

> This wouldn't be useful for bots, but I could see it for stolen
> account spam.  I get a surprising amount of it -- every day after I
> send out the spam reports, I invariably get back several responses
> from postmasters saying, sigh, another phished account.  For bot spam,
> you can just block all mail from the IP, but for stolen accounts, the
> system is OK, and it's just the one address that's spamming.
>
> In my experience, it's not hard to tell the difference.  With stolen
> accounts, the address matches the received lines, and the received
> lines generally have a familiar form of a webmail or Exchange server.

This is exactly what I have seen. In each case, the hand-off MTA
matches their provider, so I know that their provider sent it to me. I
have seen AOL, Hotmail, Yahoo and Comcast. One is a neighbor who I no
longer converse with over email but I know her account is spamming me
(and the entire neighborhood) about sex sites. I can't see her doing
this on purpose :)

In most cases (>75%), it's from people who I have communicated with in
the past and now have no problems with blocking because I don't
communicate with them (over SMTP) currently and have no plans to do
so. If I (or any of the handful of users I MX for) ever did, I'd
remove the line from a text file and it's undone. But I get that there
would be scaling problems for other MXs ;)

Chris' point about whether it was their account used to send the spam
is understandable - I brought up this idea assuming that there is a
pretty good indicator that the account has been owned (e.g. my
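The distinction Levine and Jason draw above, as an added illustration that is not from the thread: a Python check that compares the From: domain with the hand-off MTA recorded in the newest Received: header, the only trace line the recipient's own MX wrote. Host names, addresses and the two sample messages are constructed, and the two-label "organisational domain" is a simplifying assumption (a real filter would consult the public suffix list).

```python
import email
import re
from email.utils import parseaddr

# Constructed samples, not messages from the thread. The newest Received:
# line was written by the recipient's own MX, so the rDNS name and IP in
# parentheses are trustworthy; the HELO name after "from" is client-supplied.
STOLEN_ACCOUNT = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 4F1A2
From: neighbor@example.net
"""
FORGED_FROM = """\
Received: from mail.example.net (198-51-100-77.dyn.isp.example [198.51.100.77])
    by mx.recipient.example (Postfix) with ESMTP id 4F1A3
From: neighbor@example.net
"""

# "from <helo> (<rdns> [<ip>])", as Postfix/Sendmail-style MTAs record it.
_HANDOFF = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[A-Za-z0-9.-]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)

def org_domain(hostname):
    # Crude organisational domain: last two labels (assumption, see lead-in).
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def handoff(raw):
    # Parse the hand-off MTA from the newest Received: header, or None.
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = _HANDOFF.match(" ".join(received[0].split()))  # undo header folding
    return m.groupdict() if m else None

def classify(raw):
    # 'stolen-account-likely': verified hand-off host is in the From: domain.
    # 'forged-from': it is not, so the From: address must not be blocklisted.
    from_addr = parseaddr(email.message_from_string(raw).get("From", ""))[1]
    hop = handoff(raw)
    if "@" not in from_addr or hop is None:
        return "undetermined"
    if not hop["rdns"]:
        return "unverifiable"  # the MX recorded no rDNS name for the client
    if org_domain(hop["rdns"]) == org_domain(from_addr.split("@", 1)[1]):
        return "stolen-account-likely"
    return "forged-from"
```

Only the topmost Received: line is checked on purpose: every earlier hop was written by someone else and can be forged just as easily as the From: header.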

Chris Lewis | 6 Sep 2011 07:51

Re: Blacklisting email accounts?

On 11-09-06 01:18 AM, Jason W. wrote:

> Chris' point about whether it was their account used to send the spam
> is understandable - I brought up this idea assuming that there is a
> pretty good indicator that the account has been owned (e.g. my
> neighbor). I find it interesting that I would get mostly spam from
> people who I have communicated with and not random FROM addresses on
> whatever system has been owned (e.g. random comcast, aol, hotmail,
> yahoo users).

What a lot of people don't appreciate is that spam volumes and types are
intensely variable.  One's spamload can be radically different from the
next person's.

I (personally) get hundreds of spams per day of all kinds.  And yet,
I've only been hit _once_ by one of those spams.  I don't think my traps
(>10M/day) see much.  I've never noticed them during surveys of what the
traps get.

It was easier to phone the person and warn them.  They already knew, and
it was already fixed.
Martijn Grooten | 6 Sep 2011 10:43

Re: Blacklisting email accounts?

> I (personally) get hundreds of spams per day of all kinds.  And yet,
> I've only been hit _once_ by one of those spams.  I don't think my traps
> (>10M/day) see much.  I've never noticed them during surveys of what
> the traps get.

I monitor 50+ mailing lists (discussion lists) and I do notice them from time to time. My very rough estimate
would be that it accounts for close to 0.1 per cent of all mail sent to these lists. And that is after the
lists' spam filters have done their work.

Given the nature of these emails, I think they are unlikely to make it to traps.

> It was easier to phone the person and warn them.  They already knew,
> and it was already fixed.

In the few cases I've personally dealt with, the 'victims' had noticed before I had the chance to warn them.
Password changed, problem solved. I never really found out whether this was because the spammers did not
get hold of the passwords in the first place (but used session cookies, malware running on the desktop
etc.) or because they just couldn't be bothered to change it.

Martijn.

Ian Eiloart | 6 Sep 2011 12:44

Re: Blacklisting email accounts?


On 5 Sep 2011, at 17:25, Chris Lewis wrote:

> 
> - If you get bot spam, you can be virtually certain someone else is
> getting bot spam forged in your email address.  It doesn't mean you're
> infected.
> 
> - Your proposal could naively be implemented by "blocking every from
> address ever seen in spam".  Most spam is forged.  We'd _all_ be
> blacklisted.  Heck, some bots specialize in forging the from to be the
> recipient.  You'd be blacklisting yourself ;-)

I'd suggest that there might be some value in doing this for domains that neither DKIM sign, nor publish SPF
records. Ultimately, until domain owners start taking responsibility for ALL use of their domains, this
is going to remain a problem. 

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
John Levine | 6 Sep 2011 16:15

Re: Blacklisting email accounts?

>In this class of spam, it's generally easy to figure out _where_ the
>compromised user existed, and often easy to tell the IP by which it was
>compromised, but seldom do you get a correct email address for the
>phished account, or at least, not one that you could trust. 

Odd, my experience is quite different.  The address typically looks
real and matches stuff in Received: lines.  Perhaps I'm fooled by
unusually brilliant header forgery, but it doesn't look like it.  This
stuff doesn't appear to be bots, it's sent using phished credentials.
For the systems that log the connecting IP, it's often in Nigeria or
China.

R's,
John
