[R-390] QTH.NET and the sorbs conspiracy

mikea mikea at mikea.ath.cx
Wed Dec 7 10:11:10 EST 2005


On Wed, Dec 07, 2005 at 08:01:51AM -0500, Jim M. wrote:
> Apparently Tom Norris is using Google mail (gmail).  Google embeds 
> advertising to pay for the "free" service.  Does this advertising find its 
> way into outgoing emails and get blocked by sorbs?  The sorbs website is 
> http://www.us.sorbs.net/   maybe that can help.

I do mail filtering and security for a living, as you might infer from my
sig block. This is a subject which pays my salary and determines whether my
annual evaluation will be good or bad. It's near and dear to my heart, and
I've been doing it long enough (10 years now) to be able to speak about it
with some credibility.

As others have written earlier in this thread, SORBS distributes a list of 
IP addresses and blocks from which spam is known to have come. SORBS does  
not block anything; it provides a means for others to decide to block or   
not (or, in my case, to add to a score or not) depending on whether or not 
the sending IP address is listed in SORBS.                                 

Google Mail (gmail.com), as handy as it undoubtedly is, is a prolific
source of spam, and so gmail.com's outbound mail servers are listed in
SORBS. Google has been unresponsive to repeated complaints from *BIG* 
outfits, like AOL, Cox Cable, and Time-Warner, about the volume of spam
coming from its IP space, and I suppose that the SORBS operators got 
enough valid reports of these spams to cause gmail to be listed. _I_ use
gmail, and _I_ think it should be listed, because of all the spam I get
from gmail. 

This is not vigilantes riding to Save The Internet. It's not people who 
want to hurt other people. It's _NOT_ a conspiracy, despite what the 
subject says. It's just people who run mailservers, trying to keep spam 
from consuming their bandwidth, disk storage, processor busy, and
administrative resources. This is self-regulation at work. Absent a
contract, we're not obliged to accept mail from anyone else, and even an
ISP has the right under existing law to apply such filters as it sees fit
to use.

Here's what I've seen so far in December: 
         Mails   spamassassin   rejected      scanner       total mails 
         Total   says 'spam'    by ruleset    says virus    undelivered 
 Dec   1 20051  6334 (31.59%) 4549 (22.69%) 1385 ( 6.91%) 12268 (61.18%)
 Dec   2 19744  6822 (34.55%) 4329 (21.93%) 1710 ( 8.66%) 12861 (65.14%)
 Dec   3 13282  5908 (44.48%) 3944 (29.69%) 1225 ( 9.22%) 11077 (83.40%)
 Dec   4 13394  5413 (40.41%) 3999 (29.86%) 1418 (10.59%) 10830 (80.86%)
 Dec   5 18456  6103 (33.07%) 5173 (28.03%) 1540 ( 8.34%) 12816 (69.44%)
 Dec   6 18769  6483 (34.54%) 4533 (24.15%) 1511 ( 8.05%) 12527 (66.74%)

The "spamassassin says 'spam'" column is based on the total score of a
piece of mail after SpamAssassin checks body and headers against some
thousands of rules, specifically including SORBS. If the score is over a
threshold that I set, the mail is marked as spam and not delivered.

That's how things work here at ODOT and at other places which use 
MailScanner and SpamAssassin. Other places may just check the SORBS 
list and various other DNSBLs, and reject mail which comes from listed
servers. We could do that, but it's a bit Draconian for my management
right now. 

We just spent $20K on hardware to run the mailfilter software, and I 
get paid something like $40K per year. That last is public record, so
I don't mind sending it to the list. That's a bunch to spend just to 
get the spam down to a manageable level, but it's what it takes here.

The problem is that spam makes up something like 60% to 90% of all the 
mail on the Internet, and it's only getting worse. I catch flak because
I don't catch enough; that means I should screw down the filters, but 
doing that means that I'll plonk too much real business-related mail. 

Each ISP or other mailserver administrator has to make his own decisions
on what to do, and it's damned hard. 

When I complain to ISPs about the spam they (or their subscribers) emit, I 
usually include one or more of these as food for thought: 

o         End-to-end connectivity is the "coin of the realm" for
          internet operations. Use it wisely. You only control
          your end of it.

o         ISPs sell connectivity to the world. They provide
          connectivity to their own facilities. The "product"
          they sell depends upon the forbearance of millions of
          other systems whose cooperation is REQUIRED for them
          to not be fraudulently selling something they cannot
          provide.

o         Being a "good net neighbor" isn't just some geeky hippy
          touchy feely nor politically correct concept. It's the
          core usability of the Internet, and inherent in its
          technical designs. It's the way it works, and it isn't
          going away.

o         "You are a _guest_ here, and an uninvited one at that.
          Stop behaving as if you were the landlord."

o         Part of being a provider is taking responsibility for
          what leaves your network. If every provider did this,
          each provider would be spending most of their time
          managing mail from ONE network, their own. Instead,
          every provider has to manage the mail flow from every
          other provider. Huge waste of resources. -- CM Borgia

o         This is about doing the right thing, not about having 
          the contractual right to do a questionable thing.

-- 
Mike Andrews 
mikea at mikea.ath.cx, mandrews at odot.org
Information Security
Oklahoma Department of Transportation
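The post describes two mechanisms: a DNSBL such as SORBS publishes listed IP addresses, and a site's filter (SpamAssassin in Mike's case) adds a weight for a listed sender to the scores of its other rules and marks the message as spam only if the total crosses a threshold the site sets. The following is an added example illustrating that flow; it is not code from the post, from SORBS, or from SpamAssassin. The zone name `dnsbl.example`, the listed addresses, the response code `127.0.0.2`, the rule names and weights, and the sample messages are all constructed for the demo; real lists use their own zone names and return codes, and SpamAssassin ships its own tuned weights. Only the query convention (reversed octets under the list's zone, NXDOMAIN meaning "not listed") and the score-and-threshold decision are the points being shown.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# Assumed list zone and contents (constructed; hypothetical zone name).
DNSBL_ZONE = "dnsbl.example"
FAKE_LISTINGS: Dict[str, str] = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",   # 192.0.2.10 is "listed"
    "5.113.0.203.dnsbl.example": "127.0.0.2",  # 203.0.113.5 is "listed"
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS: returns the A record or None (NXDOMAIN)."""
    return FAKE_LISTINGS.get(name)


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup; a DNSBL answers NXDOMAIN for addresses it does not list."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """DNSBL convention: reverse the octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, resolver: Resolver, zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the list's response code, or None if the IP is not listed."""
    return resolver(dnsbl_query_name(ip, zone))


# Assumed rule weights (constructed); SpamAssassin's real weights differ.
RULE_SCORES = {
    "RCVD_IN_DNSBL": 3.0,     # sending IP is on the list
    "SUBJECT_ALL_CAPS": 1.5,
    "HTML_ONLY": 1.0,
}
SPAM_THRESHOLD = 5.0          # site-chosen threshold, as in the post


def score_message(msg: dict, resolver: Resolver) -> Tuple[float, List[str]]:
    """Sum the weights of every rule that fires; the DNSBL is just one rule."""
    hits: List[str] = []
    if dnsbl_lookup(msg["sending_ip"], resolver) is not None:
        hits.append("RCVD_IN_DNSBL")
    subject = msg.get("subject", "")
    if subject and subject.isupper():
        hits.append("SUBJECT_ALL_CAPS")
    if msg.get("html_only"):
        hits.append("HTML_ONLY")
    return sum(RULE_SCORES[h] for h in hits), hits


def classify(msg: dict, resolver: Resolver, threshold: float = SPAM_THRESHOLD) -> str:
    """Mark as spam only when the combined score reaches the threshold."""
    total, _ = score_message(msg, resolver)
    return "spam" if total >= threshold else "ham"


def daily_summary(messages: List[dict], resolver: Resolver) -> Dict[str, float]:
    """Counts in the shape of the post's table: total, flagged, percentage."""
    total = len(messages)
    flagged = sum(1 for m in messages if classify(m, resolver) == "spam")
    pct = round(100.0 * flagged / total, 2) if total else 0.0
    return {"total": total, "spam": flagged, "pct": pct}


# Constructed sample traffic: two from a listed IP, two from an unlisted one.
SAMPLE_MESSAGES = [
    {"sending_ip": "192.0.2.10", "subject": "BUY NOW", "html_only": True},
    {"sending_ip": "192.0.2.10", "subject": "Re: R-390 IF deck", "html_only": False},
    {"sending_ip": "198.51.100.7", "subject": "FREE OFFER", "html_only": True},
    {"sending_ip": "198.51.100.7", "subject": "Meeting notes", "html_only": False},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["sending_ip"], score_message(m, fake_resolver), classify(m, fake_resolver))
    print(daily_summary(SAMPLE_MESSAGES, fake_resolver))
```

Note that the second sample message comes from the listed address yet is delivered: the listing alone contributes 3.0, below the threshold of 5.0, which is exactly the "add to a score or not" approach Mike contrasts with outright rejection of everything from listed servers. Swapping `fake_resolver` for `dns_resolver` and the constructed zone for a real list's zone turns the same code into a live check.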

