[Coco] Re: Thanks for the Princeton Bit.Listserv.CoCo Mail List.DRAFT

Stephen H. Fischer SFischer1 at MindSpring.com
Tue Feb 3 04:25:37 EST 2004


Hi,

John E. Malmberg wrote:
> Stephen H. Fischer wrote:
>>
>> The gateway from Usenet needs to be investigated to make sure that no
>> SPAM can get in that way. The SPAM posted to Usenet CoCo newsgroup is
>> not under the control of the listserver, there is no method to stop it
>> from being posted, but it can be kept out of the mailing list. It will
>> have to wait until the problem is solved Internet wide. I have heard a
>> promise about e-mail by 2006 but no words about newsgroups.
>
> You have the facts wrong.
>
> The spam is coming from the mailing list server input, not from the
> newsgroup.

Boy do I hope that you are right. I have not been able to prove it to my
satisfaction before. You have shown what to look for so now I can prove it
to myself.

I am just talking about what I see most every day on UseNet newsgroups, many
of the same messages posted on a large number of groups at the same time.
Many posting to the newsgroups appear up to 10 times on the same newsgroup.

Cleaning up the UseNet B.L.CoCo newsgroup WAS, IS and WILL remain the
main reason for me that I wish to clean up the Princeton mail list. The
first action I took in this effort was to ask the List Owner to close the
gateway. I now know why nothing was changed.

We can find lots of sites that are able to host a mailing list.

It is NOT possible to get a new clean UseNet CoCo newsgroup created for ~
300 members. That number is pure hogwash as most of the 300 CoCo people
will use a mailing list only.

I have been hoping that if the mail list link is broken and the UseNet CoCo
newsgroup still has a lot of SPAM, more than other newsgroups, that a
possible swap for a new newsgroup might be possible. It will not ever happen
as ISPs will not start carrying a new group of 300 users. So keep your
fingers crossed that closing the gateway from the mail list will stop the
SPAM on the UseNet CoCo newsgroup.


> If the Princeton mail server shuts down, or the link from it to
> bit.listserv.coco is broken, 99.999% of the spam in the newsgroup will
> stop immediately.
>
> There are less than 5 spam postings per year in bit.listserv.coco that
> did not originate from the Princeton mail server.
>
> For several years, I reported all the spam that came in through
> spamcop.net and checked where the spam was coming from, so I know what I
> am writing about.
>
> If you look from the newsgroup postings that may not be evident until
> you look to see the posting address.  If it is "dex.pathlink", then the
> posting came from the mailing list.  If that text is missing, it came
> from the newsgroup.

I did not find the "dex.pathlink", in the first message I looked at. I did
find something just as damning!

"newsgate.newsguy.com!newsp.newsguy.com" was way to the right on the "Path:"
line.

It was very far off the screen to the right when I look at the source of
messages. (Not one of OE's best abilities)

Well, the next line is unproven to me, I will accept a statement that
includes both strings. That is, all SPAM from the mail list will have one or
the other strings present.

> You will be hard pressed to find any spam with that text missing.
>
> From the mailing list, the same text is present in the header.  When
> looking at the headers of mail received from the Princeton mailing list,
> you will almost never see "dex.pathlink" present in spam.  You will
> likely have to look for almost a year of archives to find a spam posting
> that originated from the newsgroup.
>
> From a content filter perspective, on the mailing list, you can
> whitelist with no further checks if "dex.pathlink" is present.
>
> And from content filtering from the newsgroup, you can whitelist all
> postings where "dex.pathlink" is missing.

I accept your statements. My head is not clear enough right now to fully
understand it.

> The Princeton mail server is the listserver, and is effectively acting
> as an open relay for known spam sources.  The listserver has total
> control of the spam, and should easily be set to eliminate it.

And I know how to do it!!!!

> The SpamAssassin settings for the Princeton mail server are incorrect.
> They are not using the proper metrics and as a result are incorrectly
> flagging real posts as spam.  So the tagging that they are doing can not
> be used by end users without losing real posts.  This should be
> extremely easy to fix.  But that fix would still let through the recent
> forged subscriptions as most of them are not from previously identified
> spam sources.
>
> The gateway software to the newsgroup is also slightly defective.  It is
> not properly reporting the source of the mail messages as it should be.
> Instead of the source address, it is putting a random address from the
> mail posting.  If it were posting the correct source I.P., then almost
> all of the spam could be separated from the real postings without
> looking at the content.

It will take getting down to an intense investigation, but I believe that the
error that you suggest is caused by the B.L.CoCo owner not doing any of his
duties for a long time. Things changed and no one was at the controls. I bet
that if you looked you would find other errors that are occurring. You may
be amazed at the power and micro managing level commands used by the list
owners for the headers. Yes, the list owners! No one else has the
responsibility or the capability to do this.

> Without the troll's subscriptions, all the spam that is coming into the
> Princeton mail server is coming from known compromised computers, or
> from known professional spam operations.  And at least 99% or more of it
> can be removed from the Princeton mail server with a simple change to
> the mail server that will not cause any real postings or real e-mail to
> be affected.
>
>
> Any mail server that is accepting e-mail from known open proxies is
> going to get the same spam that the Princeton list is getting.  It is a
> waste of CPU cycles, bandwidth and disk space to accept e-mail from a
> known open proxy.
>
> Princeton is rejecting spam from open relays.  The difference between an
> open relay and an open proxy, from a mail server perspective is that an
> open relay might send a real e-mail once in a while, while the chance of
> an open proxy sending something other than spam is virtually NIL.
>
> So any mail server that is rejecting spam from open relays, really has
> no excuse to be accepting spam from open proxies, except for ignorance
> by its management.
>
>
> Roger Taylor wrote:
>  > I really think that someone from the list actually did attack the
>  > list, probably more than one person, after some real heated battles
>  > were going on.
>
> There is no evidence to support this.  The same spam is hitting all mail
> servers that accept e-mail from known compromised machines, or from
> machines known to be owned by spammers.
>
> The xbl.spamhaus.org will block most of these without blocking any real
> e-mail.  The sbl.spamhaus.org will block the professional spam gangs.
>
> The xbl.spamhaus.org has been operating as cbl.abuseat.org for over a
> year, and there have been zero reports on any forum that I monitor of any
> real e-mails being blocked by it.
>
> All users have reported a significant and reliable reduction in spam.
>
> But it is clear from analysis of the spam that was infecting the
> Princeton list before July 2003, that it was not any higher than the
> spam attempting to be delivered to all networks.
>
>  >  There were a lot of porn messages that started coming in that said
>  > the Princeton list was subscribed.
>
> That is a standard lie that the spam contains.  Almost all spam says
> that.  If anybody clicks on the unsubscribe list, it either does
> nothing, or just signs up what ever address that was being unsubscribed
> with more spam.
>
> Anyone that was attempting to unsubscribe the Princeton list from the
> porn spammers was really just signing it up for more spam.
>
> The FTC issued a warning about that a few years ago.
>
>
> It is quite clear that until the troll attacked the Princeton mail list,
> the only spam that was on it was because Princeton is not up to date
> with keeping spam out of mail servers.
>
> The stats on the spam sources of the Princeton mailing list before the
> troll matched the stats from other measuring points on the web on the
> amount of spam their domains were rejecting.  And that basically proves
> that no member of the list before this summer deliberately caused any
> spam to be sent to it.
>
> The spam was coming in through poor mail server management, nothing more
> sinister than that.  And easily corrected.
>
> But as we have no official standing with Princeton, we can not request
> that they start operating their mail server or even the mailing list in
> a way that reliably keeps the spam out without blocking real e-mail.

Please Please Please! Do not keep saying Princeton this or Princeton that.

Princeton has no one doing anything that we are talking about.

Again I state. The List Owner has the power and the responsibility to
correctly manage their list.

The list owner can set up helpers to do the job, but the responsibility is
the list owner's.

> The way they are doing it now is needlessly increasing their expense,
> which will cause them to have to cut back in other areas, or increase
> tuition, beg for more donations.
>
> But let's put it to rest, that when the spam started, it was not because
> someone attacked the list.
>
> The first wave of spam was from Korea passing a pro-spam law similar to
> the one that the U.S. Congress just passed, and the response of the
> Korean spammers resulted in almost every mail server in the world stop
> accepting any e-mail from Korea.  Korea has changed their law, and now
> has jail terms for spamming, as a result, most of the Korean spam is
> gone.  There are a few rogue Korean ISPs left, but the bulk is gone.
>
> The second and subsequent waves of spam were from open proxies that are
> apparently installed by viruses like the SOBIG.  These spam sources are
> reliably identified by resources like the xbl.spamhaus.org and other
> open proxy lists within a few minutes of their spam runs.
>
> -John
> wb8tyw at qsl.net
> Personal Opinion Only

-------------------------------------------------------------------------------

The perhaps good news is that no one is using the Princeton B.L.CoCo except
the Spammers.

The bad news that I have just now is that the list owner for the CoCo list
has moved onto other places and interests.

He has other duties in his present job that eliminate any possible help for
us.

Getting Princeton, and in this case I clearly wish to state that I mean the
person at Princeton who has the title of Master List Owner, to accept a new
list owner for our list is the only possible path. Short of some hacker
breaking into the listserver there is no way without the Master List Owner
accepting a new CoCo list owner to ever change anything.

Stephen H. Fischer <sfischer1 at mindspring.com>
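
The header check discussed in this message, written out as an added example that is not part of the original thread or of any list software: it applies John's "dex.pathlink" rule for both views and, on the newsgroup side, also accepts the second Path string Stephen reports. The function names, the sample messages and the `X-Gateway` header are constructed for illustration; searching every header of list mail is an assumption, since the thread does not say which mail header carries the text.

```python
from email import message_from_string

JOHN_MARKER = "dex.pathlink"  # string named in John's post
# String Stephen found on the Path: line instead (he calls it unproven).
STEPHEN_MARKER = "newsgate.newsguy.com!newsp.newsguy.com"

def has_marker(raw, markers, header=None):
    """True if any marker occurs in the named header (any header if None)."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        if header and name.lower() != header.lower():
            continue
        # Long headers are folded across lines; drop the whitespace so a
        # marker split at a fold after "!" still matches.
        flat = "".join(str(value).split()).lower()
        if any(m in flat for m in markers):
            return True
    return False

def triage(raw, view):
    """Return 'whitelist' or 'check-content' for a message seen in `view`."""
    if view == "newsgroup":
        # Marker present: gated in from the mailing list, so filter it.
        from_list = has_marker(raw, (JOHN_MARKER, STEPHEN_MARKER), header="Path")
        return "check-content" if from_list else "whitelist"
    if view == "list":
        # Marker present: gated in from the newsgroup, so whitelist it.
        # Assumption: the header carrying the text is unknown, search all.
        return "whitelist" if has_marker(raw, (JOHN_MARKER,)) else "check-content"
    raise ValueError("view must be 'newsgroup' or 'list'")

# Constructed samples; hosts under .example are placeholders.
NEWS_VIA_LIST = ("Path: news.example.net!dex.pathlink.example!not-for-mail\n"
                 "Subject: a\n\nbody\n")
NEWS_FOLDED = ("Path: news.example.net!feed.example.org!newsgate.newsguy.com!\n"
               " newsp.newsguy.com!not-for-mail\nSubject: b\n\nbody\n")
NEWS_NATIVE = ("Path: news.example.net!feed.example.org!not-for-mail\n"
               "Subject: c\n\nbody\n")
LIST_VIA_NEWS = "X-Gateway: dex.pathlink.example\nSubject: d\n\nbody\n"
LIST_NATIVE = ("Received: from mail.example.org by list.example.edu\n"
               "Subject: e\n\nbody\n")

if __name__ == "__main__":
    for sample, view in [(NEWS_VIA_LIST, "newsgroup"), (NEWS_FOLDED, "newsgroup"),
                         (NEWS_NATIVE, "newsgroup"), (LIST_VIA_NEWS, "list"),
                         (LIST_NATIVE, "list")]:
        print(view, triage(sample, view))
```

Both strings are plain header text, so the result is only as trustworthy as the server that wrote the header.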