|Do Cell Phone Companies Notify DNSBLs?|
I don't think they do.
The last time my email server got hacked, I caught it a few hours later and it already had 600K emails in the outbound queue.
When I shut down the mail server and took some time to investigate, looking for clues, the first thing that caught my eye was that it wasn't sending spam to just any old email address. The spam being sent was addressed to sequential phone numbers at the SMS mail gateways.
Luckily I shut it down quickly with 600K emails queued up, and then I waited for the hammer to drop with the DNSBLs blacklisting my IP, and it never happened.
Apparently the cell phone companies don't report it to the DNSBLs; I'm not even sure customers are reporting the spam to them when they should, as they get charged for spam text messages. Strange.
Perhaps I stopped it before enough damage was caused by continued spamming and that spared me the DNSBL blacklisting.
I was wondering if this has happened to anyone else without getting red-flagged, as this is a serious gap in spam reporting if in fact this is the case.
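The pattern described in the post above (an outbound queue full of sequential numeric addresses at carrier SMS gateways) is easy to detect on your own server before the queue grows to six figures. The following script is an added example, not code from any poster in this thread: it reads constructed queue lines in a "queue-id recipient" shape, counts recipients at a few well-known carrier email-to-SMS gateway domains, and reports runs of consecutive phone numbers. The gateway domain list and the sample queue are assumptions for illustration; extend the list to match the gateways you actually see.

```python
"""Flag outbound SMS-gateway spam in a mail queue (added example, constructed data)."""
import re
from collections import defaultdict

# Well-known carrier email-to-SMS gateway domains (illustrative, non-exhaustive).
SMS_GATEWAY_DOMAINS = {
    "vtext.com",
    "txt.att.net",
    "tmomail.net",
    "messaging.sprintpcs.com",
}

# A bare 10-digit local part is the usual "phone number at gateway" form.
NUMERIC_LOCALPART = re.compile(r"^\d{10}$")

# Constructed sample of queue entries: "<queue-id> <recipient>" per line.
SAMPLE_QUEUE = """\
A1B2C3 2125550100@vtext.com
A1B2C4 2125550101@vtext.com
A1B2C5 2125550102@vtext.com
A1B2C6 2125550103@vtext.com
A1B2C7 2125550104@vtext.com
A1B2C8 2125550105@vtext.com
A1B2C9 2125550200@tmomail.net
A1B2D0 2125550201@tmomail.net
A1B2D1 alice@example.org
A1B2D2 bob@example.net
"""


def parse_recipients(queue_text):
    """Return the recipient column from 'queue-id recipient' lines, skipping blanks."""
    recipients = []
    for line in queue_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            recipients.append(parts[1])
    return recipients


def find_sequential_runs(numbers, min_run=3):
    """Return (start, end, length) for each run of consecutive integers of at least min_run."""
    nums = sorted(set(numbers))
    runs = []
    if not nums:
        return runs
    start = prev = nums[0]
    for n in nums[1:]:
        if n != prev + 1:
            if prev - start + 1 >= min_run:
                runs.append((start, prev, prev - start + 1))
            start = n
        prev = n
    if prev - start + 1 >= min_run:
        runs.append((start, prev, prev - start + 1))
    return runs


def analyze_queue(queue_text, min_run=3):
    """Summarize how much of the queue targets SMS gateways and which number ranges it walks."""
    by_domain = defaultdict(list)
    total = 0
    for rcpt in parse_recipients(queue_text):
        total += 1
        local, _, domain = rcpt.rpartition("@")
        domain = domain.lower()
        if domain in SMS_GATEWAY_DOMAINS and NUMERIC_LOCALPART.match(local):
            by_domain[domain].append(int(local))
    gateway_count = sum(len(v) for v in by_domain.values())
    return {
        "total": total,
        "gateway_recipients": gateway_count,
        "gateway_share": gateway_count / total if total else 0.0,
        "sequential_runs": {d: find_sequential_runs(v, min_run) for d, v in by_domain.items()},
    }


if __name__ == "__main__":
    report = analyze_queue(SAMPLE_QUEUE)
    print(f"{report['gateway_recipients']}/{report['total']} recipients are SMS gateways")
    for domain, runs in report["sequential_runs"].items():
        for start, end, length in runs:
            print(f"{domain}: {length} consecutive numbers {start}..{end}")
```

Run it against the real queue by piping `mailq`-style output into `analyze_queue` instead of `SAMPLE_QUEUE`; a high gateway share combined with long consecutive runs is a strong sign of a compromised relay rather than legitimate notification traffic, and is worth alerting on well before the queue reaches the size described in the post.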
My primary mail server was in a blacklist a few years ago for a few hours. I never found the reason and it wasn't a high-use blacklist anyway. Whatever the listing reason, it had to have been trivial. I had no problem extricating the IP from the list. I suspect it was email rather than SMS, in those days.
My experience of blacklists suggests that spam is defined in two ways: the blacklists themselves run honeytraps; and they rely on honeytraps set up by interested, contributing parties. Within the latter I doubt there are many (any?) ISPs (in your case read cell phone companies). It would mean spending money. :(
I regularly receive emails with a spam flag set in the header, sometimes also in the subject, and with anti-spam flags set to sometimes quite high levels. The ISPs concerned just pass them through, whether or not they themselves have tagged the emails.
I am not aware of SMS honeypots being used. I doubt many people would bother unless they received a lot of spam from one source; and in any case most people do not differentiate sources. Also: would it serve any real purpose? It would mean SMS providers reading blacklists and I doubt that happens to any extent.
I wonder at some large ISPs' attitude to spam and blacklisting. They COULD be very useful in detecting and listing spam but aren't. Yahoo has several of their mail IPs in spamcop (unsurprising given the amount of spam yahoo originates) and uce-protect reports a range of UK Virgin mail server IPs should not be removed from the blacklist, order given by Virgin. In both cases they have impacted my customers at some point.
Many DNSBLs have a time-out provision: if you wait, the block goes away without human interaction. One must understand that using a DNSBL as the sole means of determining SPAM rejection is incorrect, and most warn against doing so. Best practice is setting a weighting factor per list so that minor lists have lesser influence. Obviously an OPEN RELAY list would be the highest priority.
Other DNSBLs require more effort by the server owner to get removed, up to and including paying a fee for removal.
SPAM from Yahoo can be sorted out fairly easily as they issue monthly updates (in a Yahoo Group) of authorized sending IPs that are more detailed than querying DNS for Sender ID data. On some sites, being aware of and implementing this factoid cut the Yahoo SPAM by >50%!
Usually it is a 24-48 hour ugly to get noticed... and about the same time to have it go away if caught and corrected. Is that a report? Maybe... maybe it is just doing business.
Hoople - Without rejecting on just one of the half-dozen blacklists I use for my two servers I would be inundated with spam and phishing. I've seen two false positives this past year and both deserved to be blacklisted. That excludes yahoo, whom I have rejected about a dozen or so times in the past few months via blacklist. I now have a good whitelist of their outgoing mail IPs but it would help immensely if they published them.
Yahoo cannot manage their mail properly and haven't been able to for a long time. Yes, probably spam TO them is blocked but they are responsible for originating an astonishing amount through their lack of care in monitoring their own customers' mail properly. I get more spam/etc through their servers than through hotmail/outlook or google, whose main contribution to spam is from so-called SEOs and hosters touting for business ("Be top of Google!").
By the way, have you ever tried to get on a yahoo whitelist? I did, a few years ago. I gave up in disgust.
A year ago I discovered a lot of yahoo email accounts had been stolen, including address and password. I know these details were not found through incautious users because I know someone who has more sense than to fall for phishing or virus but whose account began sending spam; it stopped when he changed his password. The result was spam and phishing sent out through those accounts without any knowledge by the account holder. Several of my customers or their customers suffered similarly.
They have never acknowledged this, but yesterday they said account details had "just" been stolen "from a third party database". The resulting mail, first of which I saw yesterday, was the same format and generation as last year's. I KNOW this was from a stolen account because the first one I trapped was "from" my nephew, who killed his yahoo account 8 years ago after using it for only a few months.
The only thing I can currently say in yahoo-mail's favour is: they include the originating IP in the header, which can be used to reject some mail based on known spam sources (eg by country); google is the only large ISP I know of who do not do this, claiming privacy is the reason - ironic, yes?
dstiles - I never said to not reject based on knowledge of several spam lists. Too many reject emails if an email appears on one spam list, even an obscure one! Most true spammers appear on several at once, a point worth noting. Some end users (endLusers) click the spam button all the time to delete emails after discovering it's two less clicks! How can you explain to a mailbox owner a rejection triggered by a list entry that had NOTHING to do with the sending domain?
Most of my day job contracting assignments involve email front ends (anti-spam and content hygiene) of large enterprises, 20 thousand mailboxes and up. Weighting of multiple spam factors then carefully tuning how much each factor influences rejection helps immensely. Several other anti-spam methods like tar-pitting, greylisting and other forms of IP reputation including whitelisting get combined with these measures. Analysis of the message content after acceptance needs to be factored in to get a true spam score. I'm seeing increased use of DNS records (domain keys & sender ID) being integrated into IP reputation.
I'm pretty confident that you are dealing with a spam level an order of magnitude lower (or more) than these installations. No insult intended - jealous actually! A typical Monday early morning has two T1 sized 'lines' (logical bundles) saturated from 8am to ~10:30am with about 18 GB of data, roughly 2 million emails with upwards of 98% of it SPAM. Some days the spam level drops to 92%, others it blips to 99.5%. Several multi-CPU appliances are close to or at 100% utilization doing just the pre-acceptance tasks.
[edited by: Hoople at 3:51 am (utc) on Feb 2, 2014]
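Both of Hoople's posts above make the same operational point: never reject on a single list hit, weight each DNSBL by how much you trust it, rank an open-relay list highest, and let a whitelist override the lot. The script below is an added example, not code from any poster in this thread, showing how that policy looks in a few lines. It builds the reversed-octet query name that DNSBLs expect, scores an IP against a table of per-zone weights, and rejects only above a threshold. The zone names, weights, threshold and the fake resolver table are constructed placeholders; `live_lookup` shows the real call you would substitute in production.

```python
"""Weighted multi-DNSBL scoring with whitelist override (added example, constructed policy)."""
import ipaddress
import socket

# Constructed policy: zone names are placeholders, not real DNSBLs. An open-relay
# list carries enough weight to reject on its own; a minor list never does.
DNSBL_WEIGHTS = {
    "openrelay.bl.example": 5.0,
    "major.bl.example": 3.0,
    "minor.bl.example": 1.0,
}
REJECT_THRESHOLD = 4.0


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the list zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_lookup(qname):
    """Real resolver: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def make_fake_resolver(table):
    """Offline stand-in for live_lookup so the example runs without network access."""
    return lambda qname: table.get(qname)


def score_ip(ip, lookup, weights=DNSBL_WEIGHTS, threshold=REJECT_THRESHOLD, whitelist=()):
    """Return (score, listed_zones, verdict). Whitelisted IPs skip every list."""
    if ip in whitelist:
        return 0.0, [], "accept-whitelisted"
    score, hits = 0.0, []
    for zone, weight in weights.items():
        answer = lookup(dnsbl_query_name(ip, zone))
        # Only a 127.0.0.0/8 answer counts as a listing; anything else (e.g. a
        # wildcard or hijacked zone returning a public address) is ignored.
        if answer and answer.startswith("127."):
            hits.append(zone)
            score += weight
    verdict = "reject" if score >= threshold else "accept"
    return score, hits, verdict


# Constructed listing table: which (reversed IP, zone) names answer with 127.0.0.2.
FAKE_TABLE = {
    dnsbl_query_name("192.0.2.10", "minor.bl.example"): "127.0.0.2",
    dnsbl_query_name("192.0.2.20", "openrelay.bl.example"): "127.0.0.2",
    dnsbl_query_name("192.0.2.30", "major.bl.example"): "127.0.0.2",
    dnsbl_query_name("192.0.2.30", "minor.bl.example"): "127.0.0.2",
    dnsbl_query_name("192.0.2.40", "major.bl.example"): "127.0.0.2",
    # A bogus non-127 answer that must not count as a listing.
    dnsbl_query_name("192.0.2.50", "minor.bl.example"): "203.0.113.9",
}
fake_lookup = make_fake_resolver(FAKE_TABLE)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(ip, score_ip(ip, fake_lookup))
    print("192.0.2.20 whitelisted:", score_ip("192.0.2.20", fake_lookup, whitelist={"192.0.2.20"}))
```

With this policy a hit on the minor list alone (192.0.2.10) is accepted, a single open-relay hit (192.0.2.20) is rejected, and two medium hits together (192.0.2.30) cross the threshold, which is the "most true spammers appear on several at once" behaviour the post relies on. The whitelist check comes first so a known-good sender such as a published Yahoo outbound IP is never scored at all.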
Yes, the ease of separating the true Yahoo mails vs fake is what I referred to.
|The only thing I can currently say in yahoo-mail's favour is: they include the originating IP in the header, which can be used to reject some mail based on known spam sources (eg by country); google is the only large ISP I know of who do not do this, claiming privacy is the reason - ironic, yes? |
Beyond that you can gather from users a safe sender list of Yahoo IDs to allow through your spam filtering. Outlook email clients share this safe sender data with the Exchange server, which can then do the final rejections. Yes, it depends on the user doing so, but they can't complain about it (without risking being identified as a high maintenance person) as they only have to mark it once!