Latter-day Village Square

Fighting SPAM

I hate spam (single piece anonymous mail) with a passion. It clogs up the internet, costing billions of dollars in lost bandwidth and disk space, which we as consumers ultimately pay for. More importantly, it robs us of one of our most important possessions: time.

On the LDV server, I employ several spam blocking lists to help us filter out the spam trying to get into our email lists and personal email inboxes. I also report ALL spam messages that make it through those filters to Spamcop, one of the lists we use. I like to think that helps make SpamCop more effective. Yes, it’s reporting a problem after it has already happened, but if it helps someone else avoid spam coming from that server, then I feel my time is not wasted; other Spamcop users are doing it for us.

Lately, I noticed a pattern developing in the locations where spam is coming from. These spammers, many of which are run by eastern European mobs and crime syndicates, as reported by internet and security lists, use a rotating list of compromised computers and locations to launch their spam attacks. When I report spam to Spamcop, it returns the IP (internet location) of the original sending computer, as well as the abuse email address of the ISP responsible for that address. For some time, the following ISPs (country of origin in parens) appeared day in and day out as the source of my spam:

  • Ttnet.net.tr (Turkey)
  • Tpnet.pl (Poland)
  • Kornet.net (Korea)
  • Wanadoo.fr (France)
  • Italia.it (Italy)
  • t-ipnet.de (Germany)
  • kiso.kr or bora.net (Korea)
  • a few other minor players in Russia, Thailand, and the Philippines

Each batch of spam would come from a different IP, so Spamcop and the other blocklists would not stop the flow of email, as the launch point would keep changing. NOTE: Most of these IPs are dynamic DSL connecting points, so each time the spammer connects, they are given a different IP address. Brilliant; their spewing address changes rapidly enough that the blocklists will not list them (blocklists tend to be conservative, not wanting to stop legitimate emails or traffic from an unsuspecting user of these ISPs services).

I started tracking the IPs from these frequent offenders, just saving them to a simple text file, sorted by ISP and then IP. After about 30 entries (about two weeks' worth of spam) from ttnet.net.tr, I used DNSStuff.com to determine the entire IP address range of the DSL connecting points. E.g., for ttnet.net.tr in Turkey, those 30 IPs all fell into these ranges:

78.160.0.0 - 78.191.255.255
85.96.0.0 - 85.111.255.255
88.224.0.0 - 88.255.255.255

Risking the possibility that a legitimate LDV customer might try to connect and register from Turkey, I blocked these ranges at our data center hardware firewall, meaning I prevented ALL internet traffic from those locations: browser requests, email, IM. That’s it, the email from there just doinks on our firewall and dies; no rejection notices (so the spammer won't even know our server continues to exist), no blocklist notices (our server sends a note to any blocked server telling them which blocklist we used to reject their email), and no objectionable messages getting to our server. NOTE: we have no current subscribers from Turkey, I checked our records. I believe the potential loss of Turkish subscribers was less important than stopping the spam garbage from coming in. Since I did this, our server has received no emails identified as coming from Turkey.
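As an added example (not from the post), here is a small Python script that does the bookkeeping described above: it turns start-end ranges like the ttnet.net.tr ones into the CIDR blocks a firewall rule expects, tallies how many reported source IPs land in each block, and lists only the blocks that have accumulated enough hits to justify dropping all traffic from them. The reported IPs in it are constructed sample values, not addresses from the post.

```python
import ipaddress
from collections import Counter

# The three ranges the post derived for ttnet.net.tr, as start-end pairs.
TTNET_RANGES = [
    ("78.160.0.0", "78.191.255.255"),
    ("85.96.0.0", "85.111.255.255"),
    ("88.224.0.0", "88.255.255.255"),
]

# Constructed sample of reported spam sources (not real report data).
SAMPLE_REPORTED_IPS = [
    "78.170.12.34", "78.185.200.1", "85.100.4.5",
    "88.230.9.9", "88.240.1.2", "203.0.113.7",
]


def ranges_to_cidrs(ranges):
    """Collapse start-end ranges into the minimal list of CIDR blocks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tally_hits(reported_ips, cidrs):
    """Count reported sources per block; also return IPs outside every block."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits, unmatched = Counter(), []
    for ip_text in reported_ips:
        ip = ipaddress.ip_address(ip_text)
        for net in nets:
            if ip in net:
                hits[str(net)] += 1
                break
        else:
            unmatched.append(ip_text)  # not one of the tracked ranges
    return hits, unmatched


def blocks_worth_dropping(reported_ips, cidrs, threshold):
    """Blocks with at least `threshold` reported sources, i.e. candidates for
    a drop rule; the threshold is the operator's own risk trade-off."""
    hits, _ = tally_hits(reported_ips, cidrs)
    return sorted(block for block, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    cidrs = ranges_to_cidrs(TTNET_RANGES)
    print(cidrs)
    print(blocks_worth_dropping(SAMPLE_REPORTED_IPS, cidrs, threshold=2))
```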

Now I continue to track the other offending ISPs. I say offending ISPs, because they all received abuse reports from Spamcop about the fraudulent use of their networks. They simply choose to ignore the problem (they could track down exactly who sent the spam; I provided the location (IP) and the time of the emails. Their logs can show them who was connected at that time. I know this from working for an ISP; that information is ALWAYS available.) When I have an IP range sufficiently identified to outweigh the value of any potential subscribers from there (we do have at least one legitimate subscriber using kornet.net as an ISP), I will block it.

Now you know at least one of the things I do from midnight to 7-8 am when everyone else is sleeping.
