Amazon EC2’s spam and malware problems

Over the past few weeks, I’ve increasingly heard of spam and abuse problems originating in Amazon EC2.

This has culminated in a blog post yesterday by Brian Krebs at the Washington Post:

It took me by surprise this weekend to discover that that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to [Amazon].

He goes on to discuss how EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list. A spokesperson for Amazon said:

“We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances,” Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the [malware].

However as Seth Breidbart noted in the comments, ‘note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.’ True enough – as described, instance termination simply isn’t good enough.

My recommendations:

  • as John Levine noted, it’s likely that Amazon need to treat EC2-originated traffic similarly to how an ISP treats their DSL pools – filtering outbound traffic for nastiness, in particular rate-limiting port 25/tcp connections on a per-customer basis, so that an instance run by (or infiltrated by) a spammer cannot produce massive quantities of spam before it is detected and cut off.

    However, I’m not talking about blocking port 25/tcp outbound entirely. That’s not appropriate — an EC2 instance is analogous to a leased colo box in a server farm, and not being able to send mail from our instances would really suck for EC2 users (like myself and my employers).

  • It would help if there were a way to look up customer IDs from the IP address of the EC2 nodes they’re using — either via WHOIS or through rDNS. Even an opaque customer ID string would allow anti-abuse teams to correlate a single customer’s activity as they cycle through EC2 instances. This would allow those teams to deal with the reputation of Amazon’s customers, instead of Amazon’s own rep, analogous to how “traditional” hosters use SWIP to publicize their reassignments of IPs between their customers.
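As an added illustration of the per-customer rate-limiting recommendation above (example code, not Amazon's or any real implementation; the flow records, customer IDs, window and limit are all constructed), the limiter below keys its sliding window on the customer ID, so an abuser who cycles through fresh instances and IPs still lands in the same bucket, whereas keying on the source IP alone lets the same burst through:

```python
"""Per-customer outbound port-25 rate limiting (added example; constructed data)."""
from collections import defaultdict, deque

SMTP_PORT = 25
WINDOW_SECONDS = 60   # sliding window length (assumed policy value)
MAX_CONNS = 5         # port-25 connections allowed per key per window (assumed)

# Constructed flow records: (unix time, customer id, source ip, dst port).
# "cust-spam" cycles through three instances (three IPs) while blasting SMTP;
# "cust-shop" sends a few transactional mails from one instance.
FLOWS = [
    (1000, "cust-shop", "10.0.0.1", 25),
    (1001, "cust-spam", "10.0.1.1", 25),
    (1002, "cust-spam", "10.0.1.1", 25),
    (1003, "cust-spam", "10.0.1.1", 25),
    (1004, "cust-spam", "10.0.1.2", 25),   # instance terminated, new instance/IP
    (1005, "cust-spam", "10.0.1.2", 25),
    (1006, "cust-spam", "10.0.1.3", 25),   # and another fresh instance
    (1007, "cust-shop", "10.0.0.1", 443),  # not SMTP, never counted
    (1008, "cust-shop", "10.0.0.1", 25),
    (1070, "cust-spam", "10.0.1.3", 25),   # outside the window of the early burst
]

def rate_limit(flows, key_index, window=WINDOW_SECONDS, limit=MAX_CONNS):
    """Sliding-window limiter on port-25 flows. key_index picks the bucket key:
    1 = customer id (the recommendation), 2 = source ip (what plain per-host
    limiting would do). Returns (allowed, dropped) lists of flow records."""
    windows = defaultdict(deque)
    allowed, dropped = [], []
    for flow in sorted(flows, key=lambda f: f[0]):
        ts, port = flow[0], flow[3]
        if port != SMTP_PORT:
            allowed.append(flow)
            continue
        recent = windows[flow[key_index]]
        while recent and ts - recent[0] >= window:   # expire old timestamps
            recent.popleft()
        if len(recent) >= limit:
            dropped.append(flow)                      # over limit: cut it off
            continue
        recent.append(ts)
        allowed.append(flow)
    return allowed, dropped

def dropped_by_customer(flows, key_index):
    """Count dropped SMTP connections per customer for the chosen bucket key."""
    counts = defaultdict(int)
    for flow in rate_limit(flows, key_index)[1]:
        counts[flow[1]] += 1
    return dict(counts)
```

With the customer-ID key the cycling spammer is throttled on the sixth connection; with the IP key no single instance ever crosses the limit and nothing is dropped.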

There’s some more discussion buried in a load of knee-jerking on the NANOG thread. Here’s a few good snippets:

Jon Lewis: ‘I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you’re a paying customer, you can do whatever you like.’ (ouch.)

Ken Simpson: ‘IMHO, Amazon will eventually be forced to bifurcate their EC2 IP space into a section that is for “newbies” and a section for established customers. The newbie space will be widely black-listed, but will also have a lower rate of abuse complaint enforcement. The only scalable way to deal with a system like EC2 is to provide clear demarcations of where the crap is likely to originate from.’

Bill Herrin: ‘From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment.’

There’s also an earlier thread here.

Anyway, this issue is on fire — Amazon need to get the finger out and deal with it quickly and effectively, before EC2 does start to run into widespread blocks. I’m already planning migration of our mail-sending components off of EC2; we’re already seeing blocks of mail sent from it, and it’s looking likely that these will increase. :(

(If you’re contemplating blocking EC2’s netblocks, it’s worth noting that doing so today will produce a load of false positives, mainly on transactional mail, so I wouldn’t recommend it. A lot of sites seem willing to accept a few FPs, though.)

An anti-challenge-response Xmas linkfest

As all right-thinking people know by now, Challenge-response spam filtering is broken and abusive, since it simply shifts the work of filtering spam out of your email, onto innocent third-parties — either your legitimate correspondents, people on mailing lists you read, or even random people you have never heard of (due to spam blowback).

I’ve ranted about this in the past, but I’m not alone in this opinion — and frequently find myself explaining it. To avoid repeating myself, here’s a canonical collection of postings from around the web on this topic.

Description: This “selfish” method of spam filtering replies to all email with a “challenge” – a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

  1. Does not scale: If everyone used this method, nobody would ever get any mail.
  2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
  3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
  4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

C-R systems in practice achieve an unacceptably high false-positive rate (non-spam treated as spam), and may in fact be highly susceptible to false-negatives (spam treated as non-spam) via spoofing.

Effective spam management tools should place the burden either on the spammer, or, at the very least, on the person receiving the benefits of the filtering (the mail recipient). Instead, challenge-response puts the burden on, at best, a person not directly benefitting, and quite likely (read on) a completely innocent party. The one party who should be inconvenienced by spam consequences – the spammer – isn’t affected at all.

Worse: C-R may place the burden on third parties either inadvertently (via spoofed sender spam or virus mail), or deliberately (see Joe Job, below). Such intrusions may even result in subversion of the C-R system out of annoyance. Many recent e-mail viruses spoof the e-mail sender, including Klez, Sobig variants, and others.

The collateral damage from widely used C/R systems, even with implementations that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness, this was written in 2003.]

Challenge systems have effects a lot like spam. In both cases, if only a few people use them they’re annoying because they unfairly offload the perpetrator’s costs on other people, but in small quantities it’s not a big hassle to deal with. As the amount of each goes up, the hassle factor rapidly escalates and it becomes harder and harder for everyone else to use e-mail at all.

I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it’s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

If these systems are so brain-dead as to not bother adding my address to the whitelist when the user sends me e-mail, I have serious trouble understanding why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s no mail header to warn me that “this message is from a TDMA user”, because then I’d be able to procmail ‘em right to /dev/null where they belong.

Ugh.

This bullshit is not going to “solve” the spam problem, people. If that’s your solution, please let me opt out. Forever.

C/R slows down and impedes communication by placing unwanted barriers between you and your clients/suppliers.

If you must insist on using some form of C/R please make sure that you whitelist my address before you contact me as I will not reply to challenges.

We will not answer any challenges generated in response to our mailing list postings. Thus, if you’re using a challenge-response system and not receiving TidBITS, you’ll need to figure that out on your own. Also, if you send us a personal note and we receive a challenge to our reply, we may or may not respond to it, depending on our workload at the time.

uol.com.br uses a very broken method of anti-spam. Every time someone sends an email message to one of their members, they send back a verification message, asking the original sender to click a link before they will allow the message through. These messages are themselves a form of spam, and the resulting back-scatter of these messages is altogether bad for the Internet, the UOL member, and all of the UOL member’s contacts. UOL is aware of the complaints against them, and they refuse to correct the issue, claiming that their members love the service.

I hate C/R systems. With a passion. I absolutely will not respond to them. They go in the trash. I don’t get them very often but I get them more and more. I think they have the potential to seriously damage email communication as we know it. And I’m not alone in this opinion.

Phew.

SpamAssassin in Playboy

Jeremy Kister on the SpamAssassin-talk mailing list notes:

In an article written by Randy Cassingham, Randy describes ‘why e-mail abuse should be a crime’ and suggests ways to stop spam. His fifth suggestion states: ‘Ensure that your ISP is taking steps to combat the problem, such as installing SpamAssassin…’

This is in Playboy July 2003 pg 53 (bottom). (And no, I usually don’t read it for the articles ;) )

Plus a pretty good article in Forbes, too. A good news week for SpamAssassin…

(Untitled)

The Observer and Daily Mail both got sucked in by a survey with some dubious credentials.

Date: Mon, 14 May 2001 16:32:42 -0000
From: “Martin Adamson” (spam-protected)
To: (spam-protected)
Subject: Drug abuse, the ‘Daily Mail’ and the former punk with an alien on his website

The Independent

Drug abuse, the ‘Daily Mail’ and the former punk with an alien on his website

Firm claims it talked to 20,000 teenagers for a headline-grabbing survey. But trading standards and a university are not so sure

By Chris Blackhurst 14 May 2001

It was a typically apocalyptic Daily Mail front page. "School Drug Abuse Shock," screamed the paper's headline on 1 May this year, "400,000 children under 16 are regular users, warns survey." Inside, the comment page carried a pulpit-thumping piece: "Why daren't we tell our children the truth about drugs?" by Mary Brett, head of health education at Dr Challoner's Grammar School in Buckinghamshire.

"The drug culture continues to tighten its grip on our young people, dragging ever more teenagers under its malign influence," warned Ms Brett.

She went on: "An authoritative survey just published confirms that there has been a dramatic increase in the number of 13 and 14-year-olds starting to take drugs, with many becoming regular users. According to the report by the Adolescent Assessment Services group (AAS), by age 16 almost 9 per cent of boys and 7 per cent of girls are taking drugs at least once a week."

The Daily Mail was not alone in highlighting the study. Under the headline "Shock rise in hard drug use among pupils", The Observer reported how the survey findings, "based on questionnaires filled in by 20,000 children in 67 secondary schools last year, contradict recent government claims that juvenile drug use is falling". The Observer quoted Jeremy Gluck, head of the Adolescent Assessment Services: "The results were very striking, drug use is much more extensive than we thought. The sheer numbers involved are very worrying. Some totals were so high that we genuinely didn't want to believe them." Mr Gluck's study was also covered by BBC2's Newsnight and by the Press Association.

A full copy of his report is available for £25 from the offices of the AAS in Swansea and he is also selling places at a conference on drugs and school-children for £95 each.

The questionnaire contains a code, which, says the AAS blurb, "allows us to follow individuals over a number of years without anyone ever knowing who they are. In this way we could survey a class of Year 6 primary school children at age 10 and follow them through secondary school every year until they leave at age 16." The questionnaire does not concentrate solely on drugs. "If an LEA or health authority wanted to know about the level of awareness to HIV and Aids in 12-year-old girls we can arrange for their inclusion and analyse the data accordingly." This year, the AAS claims to be surveying 100,000 young people.

Odd then, given the scale of such an operation, that the AAS is not in the phonebook and its offices are Mr Gluck's home in suburban Swansea. The firm is not known to any of the local bodies with a keen interest in drug problems: the Welsh Assembly, Swansea Council or South Wales health trusts. Odder still that Mr Gluck seems to have no qualifications for pronouncing on the nation's health. He is a Canadian, a former punk rocker with a band called the Barracudas, who, when he is not selling reports on drug abuse, runs his own website where he claims to be in touch with a higher being called Aona that keeps him posted about the destiny of the human race. He also once ran for a council by-election, for the "Independent Party of Wales", attracting nine votes. As well as the AAS, Mr Gluck runs another organisation, Spiritech UK, which he bills on the internet as "an online initiative dedicated to exploring the spirituality-technological interface and how we are evolving in cyberspace".

As for Mr Gluck, he describes himself as "an artist and writer by vocation, a visionary and dreamer by nature, and a meta-modernist by intent ..."

He maintains an internet dialogue with Aona, which tells him we are not alone: "The human race is not unique. There are many human-type races throughout the universe, so much so that it would be quite useless trying to quantify this fact." Earthlings are hampered at present by our DNA, which, Aona tells Mr Gluck, is not fully developed. But do not worry: "This is a restriction for earth-born human beings, yet it is also a source of their future or impending strength – restriction always brings out the best in a being, because it forces that being to master its nature through endurance."

Unfortunately for Mr Gluck, more down-to-earth bodies are taking a keen interest in his affairs. Swansea Trading Standards are looking into Mr Gluck's organisation. John Spence, director of Trading Standards for Swansea, said: "We've had certain information given to us among which there are issues which need to be clarified in relation to the activities in which Mr Gluck is engaged."

Alan Williams, the Labour MP for Swansea West, has asked the decidedly less than ethereal figure of Jack Straw to investigate. "I've referred the survey to the Home Office," said Mr Williams. "I wish the people who used this report had investigated its bona fides properly first." Particularly worrying is the suggestion that this could involve the surveying of large numbers of children and secret monitoring of them over a number of years.

Mr Gluck has also incurred the wrath of Swansea University. In its blurb accompanying the report, the AAS claims to be "a spin-off company from the University of Wales". Mr Gluck does work for the university. He is a part-time lecturer in IT in its adult education department. A spokeswoman for the university said: "His claim that Adolescent Assessment Services is linked to the university is not true and we have told him to remove the reference."

Mr Gluck maintained that he surveyed the children on behalf of 10 local education authorities. As well as not naming the schools, the report provides no clues as to the identity of the authorities. "I can't name them because of confidentiality – the children must be protected," Mr Gluck said. "The whole procedure is designed to protect the anonymity of the children."

The Independent wanted to have a long chat with Mr Gluck but he was remarkably unforthcoming on detail. He acknowledged the AAS was not in the phonebook but assured us it did exist. He did not say how many people worked for an organisation that claims to survey 100,000 children. He would not say how many copies of his drugs report he has sold or how many people had paid for the conference, except that the response has been "overwhelming". The discussion, such as it was, became truncated when he was asked whether he was concerned about the referral to the Home Office.

"Before I speak any further I shall have to speak to my colleagues," he said. "The actual report is sound," he emphasised, before repeating he would have to consult his unnamed colleagues. He said he would call back. He never did.
