War to Spamming or the dark side of your mailbox

The story of Spamhaus

The Spamhaus Project is an international organization based in Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activities. Its name, Spamhaus, is a pseudo-German expression coined by Linford to refer to an internet service provider or other firm that spams or knowingly provides service to spammers[3].

The Spamhaus Project is responsible for compiling several widely used anti-spam lists, including DNS-based blacklists (DNSBLs) and whitelists (DNSWLs). These lists are used by internet service providers and email servers to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users from billions of spam emails a day[3].

The Spamhaus Block List (SBL) targets verified spam sources, including spammers, spam gangs, and spam support services. Its goal is to list IP addresses belonging to known spammers, spam operations, and spam-support services. The SBL’s listings are partially based on the ROKSO index of known spammers[3].

The Exploits Block List (XBL) targets illegal third-party exploits, including open proxies, worms/viruses with built-in spam engines, and other malware-related activity. The XBL is used to block IP addresses that are known to be exploited by spammers and cybercriminals[3].

The Spamhaus Project also maintains a Register of Known Spam Operations (ROKSO), a database of spammers and spam operations who have been terminated from various internet service providers. This database allows ISPs to screen new customers, ensuring that listed spammers find it difficult to get hosting[3].

The Spamhaus “don’t route or peer” list is a text file delineating CIDR blocks that have been stolen or are otherwise “hijacked” by spammers. It is intended to be incorporated in firewalls and routing equipment to drop all network traffic to and from the listed networks[3].

The Spamhaus Group consists of a number of independent companies which focus on different aspects of Spamhaus anti-spam and cyber threat intelligence. The Spamhaus Project SLU, a not-for-profit company based in Andorra, tracks spam sources and cyber threats such as phishing, malware and botnets and publishes free DNSBLs. Commercial services are run by Spamhaus Technology Ltd., a British data delivery company based in London, UK, which manages data distribution services for large-scale spam filter systems[3].

Spamhaus has received several awards for its contributions to the fight against spam and cybercrime, including the National Cyber Forensics Training Alliance 2008 Cyber Crime Fighter Award, the Internet Service Providers Association’s Internet Hero of 2003 Award, and Virus Bulletin Magazine’s award for the Greatest Contribution to Anti-Spam in the Last 10 Years[3].

Spamhaus has been involved in several conflicts, including the e360 lawsuit in 2006, where David Linhardt, the owner-operator of American bulk-emailing company “e360 Insight LLC”, filed suit against Spamhaus in Illinois for blacklisting his mailings[3].

Citations:
[1] https://www.spamhaus.org/who-is-spamhaus/
[2] https://www.spamhaus.org/authors/the-spamhaus-team/
[3] https://en.wikipedia.org/wiki/The_Spamhaus_Project
[4] https://www.spamhaus.org/resource-hub/ip-reputation/what-does-spamhaus-do/
[5] https://www.spamhaus.org/blocklists/spamhaus-blocklist/

The history of fighting against spamming is a multifaceted story that involves various tactics and motivations. From humorous responses to more vengeful approaches, individuals have engaged in scambaiting to combat spam texts. Some, like Bosslet and Tanamor, find entertainment in responding to spammers with outlandish jokes, while others take more extreme measures, such as creating elaborate hoaxes to trap scammers. However, these actions can have consequences, such as exposing personal information or suffering financial harm. The rise of spam texts, with billions being sent globally, has prompted individuals to push back through scambaiting, a phenomenon that reflects a modern struggle against unwanted digital intrusions[1].

Citations:
[1] https://www.technologyreview.com/2022/06/20/1054435/people-trolling-spam-texts/
[2] https://thebulletin.org/2023/10/rage-against-the-machine-owners-luddite-lessons-for-the-21st-century/
[3] https://www.theverge.com/features/23931789/seo-search-engine-optimization-experts-google-results
[4] https://www.goodreads.com/en/book/show/18509663
[5] https://tvtropes.org/pmwiki/pmwiki.php/Main/ButtonMashing

Anti-spam lists

The term “blacklist” in computing refers to a list of banned or distrusted entities, such as users, programs, or network addresses, that are denied access or considered unacceptable[1]. The concept of blacklisting has been used in various contexts, including employment and computing, with the latter involving the use of access control systems to deny entry to specific lists or ranges of users, programs, or network addresses[1].

The term “blacklist” has been associated with negative connotations due to its historical origins, which can be traced back to the 1600s when it was used to label censure and punishment of workers involved in labor unions[2]. The term has also been linked to the rise of slavery in the Americas, although its etymology does not directly refer to skin color[2].

Despite these associations, the term “blacklist” has been widely used in computing industries, particularly in the context of “IP whitelisting” and “IP blacklisting”[2]. However, there have been concerns about the continued use of such language due to its potential to perpetuate racism, regardless of its linguistic origin[2].

In response to these concerns, some companies and open-source communities have chosen to deprecate the use of “whitelist” and “blacklist” in favor of more neutral language that describes the function of the list without reinforcing existing racial biases[2]. An IETF draft technical proposal has also been underway since 2018 to avoid potentially exclusionary terminology in computing[2].

In summary, the term “blacklist” in computing refers to a list of banned or distrusted entities that are denied access or considered unacceptable. While the term has historical origins associated with negative connotations, its continued use in computing industries has been a subject of controversy due to its potential to perpetuate racism. As a result, some companies and open-source communities have chosen to deprecate the use of “whitelist” and “blacklist” in favor of more neutral language.

Citations:
[1] https://en.wikipedia.org/wiki/Blacklist_%28computing%29
[2] https://en.wikipedia.org/wiki/Blacklisting
[3] https://www.w3.org/TR/WCAG21/
[4] https://www.investopedia.com/terms/b/blockchain.asp
[5] https://www.simplilearn.com/tutorials/blockchain-tutorial/blockchain-technology


The strategy of the internet provider regarding spamming focuses on implementing effective solutions to minimize exposure to spam and protect users from unsolicited electronic messages. Internet providers like Vodafone Australia use commercial spam filtering products to scan emails for potential spam, sort them into spam folders, and update spam definitions regularly[2]. Additionally, internet providers encourage users to report spam, block suspicious messages, and use third-party antispam filters to reduce vulnerability to spam emails[2]. The aim is to create a safer online environment by combating spam through proactive measures such as filtering, reporting, and blocking unwanted messages.

Spamhaus is responsible for compiling several widely used anti-spam lists. Many internet service providers and email servers use the lists to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users, including the European Parliament, US Army, the White House and Microsoft, from billions of spam emails a day. Spamhaus distributes the lists in the form of DNS-based Blacklists (DNSBLs) and Whitelists (DNSWLs). The lists are offered as a free public service to low-volume mail server operators on the Internet. Commercial spam filtering services and other sites doing large numbers of queries must instead sign up for an rsync-based feed of these DNSBLs, which Spamhaus calls its Data feed Service.
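The paragraph above names DNSBLs but does not show how a mail server actually consults one. The following is an added example, not code from Spamhaus or from the original page: it builds the DNSBL query name (the IPv4 octets reversed under the zone, the domain as-is for a domain list such as the DBL) and interprets the answer. The resolver is a constructed in-memory table so the block runs offline; a real check would resolve the same name with the system resolver or dnspython. The meanings attached to the ZEN return codes are what I recall of Spamhaus's published return-code table and are an assumption to verify against current documentation; the 127.255.255.x "refused" answers and the 127.0.0.2 test entry are likewise recalled, not taken from the page.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Constructed stub resolver: query name -> A record a DNSBL would return.
# None (not in the table) stands for NXDOMAIN, i.e. "not listed".
STUB_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",          # conventional DNSBL test entry
    "10.2.0.192.zen.spamhaus.org": "127.0.0.11",        # constructed: PBL-style hit
    "9.2.0.192.zen.spamhaus.org": "127.255.255.254",    # constructed: query refused
    "example.net.dbl.spamhaus.org": "127.0.1.2",        # constructed: domain listed
}

# Return-code meanings for the combined ZEN zone as I recall them (assumption).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
REFUSED = ipaddress.ip_network("127.255.255.0/24")  # recalled Spamhaus error range


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IP-based lists are queried with the octets reversed under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """Domain lists (DBL, an RHSBL) take the domain as-is under the zone."""
    return f"{domain.rstrip('.').lower()}.{zone}"


def classify_answer(answer: Optional[str]) -> Tuple[str, str]:
    """Turn a DNSBL A-record answer into (status, detail).

    Only answers inside 127.0.0.0/8 are meaningful; anything else means a
    resolver rewrote NXDOMAIN (ad-blocking/hijacking resolvers do this) and
    must not be treated as a listing. 127.255.255.x means the query was
    refused (public resolver, excessive volume), so the result is unknown,
    which is exactly the case the rsync data feed exists for.
    """
    if answer is None:
        return ("not_listed", "")
    a = ipaddress.ip_address(answer)
    if a not in LOOPBACK:
        return ("error", f"unexpected answer {answer}; resolver may be rewriting NXDOMAIN")
    if a in REFUSED:
        return ("error", f"query refused ({answer}); use a private resolver or the data feed")
    return ("listed", ZEN_CODES.get(answer, f"unknown code {answer}"))


def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolve: Callable[[str], Optional[str]] = STUB_ANSWERS.get) -> Tuple[str, str]:
    """Look an IPv4 address up in an IP-based DNSBL via the given resolver."""
    return classify_answer(resolve(dnsbl_query_name(ip, zone)))


def check_domain(domain: str, zone: str = "dbl.spamhaus.org",
                 resolve: Callable[[str], Optional[str]] = STUB_ANSWERS.get) -> Tuple[str, str]:
    """Look a domain up in a domain-based list (RHSBL)."""
    status, detail = classify_answer(resolve(domain_query_name(domain, zone)))
    return (status, detail if status != "listed" else "DBL")


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "192.0.2.9", "198.51.100.1"):
        print(ip, check_ip(ip))
    print("example.net", check_domain("example.net"))
```

A mail server fed only "listed/not listed" would silently accept everything when its queries are refused; keeping the "error" state separate lets a deployment alarm on it instead of failing open.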

Citations:
[1] https://pta.gov.pk/media/paper_spam_090508_1.pdf
[2] https://www.vodafone.com.au/about/legal/spam
[3] https://www.techtarget.com/searchsecurity/definition/spam
[4] https://www.gmo.jp/en/terms/aboutmail/
[5] https://www.cps.gov.uk/legal-guidance/cybercrime-prosecution-guidance

Spamhaus outlines the way its DNSBL technology works in a document called Understanding DNSBL Filtering. Its lists are:

  1. The Spamhaus Block List (SBL) targets “verified spam sources (including spammers, spam gangs and spam support services).” Its goal is to list IP addresses belonging to known spammers, spam operations, and spam-support services.[9] The SBL’s listings are partially based on the ROKSO index of known spammers.
  2. The Exploits Block List (XBL) targets “illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, virus-infected PCs & servers and other types of trojan-horse exploits.” That is to say, it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes information gathered by Spamhaus as well as by other contributing DNSBL operations such as the Composite Blocking List (CBL).
  3. The Policy Block List (PBL) is similar to a Dialup Users List. The PBL lists not only dynamic IP addresses but also static addresses that should not be sending email directly to third-party servers. Examples are an ISP’s core routers, corporate users required by policy to send their email via company servers, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizations that control the IP address space, typically ISPs.
  4. The Domain Block List (DBL) was released in March 2010 and is a list of domain names, which is both a domain URI Blocklist and an RHSBL. It lists spam domains including spam payload URLs, spam sources and senders (“right-hand side”), known spammers and spam gangs, and phish, virus and malware-related sites. It later added a zone of “abused URL shorteners”, a common way for spammers to insert links into spam emails.
  5. The Botnet Controller List (BCL) was released in June 2012 and is a list of IP addresses. It lists IP addresses which Spamhaus believes to be operated by cybercriminals for the exclusive purpose of hosting botnet Command & Control infrastructure. Such infrastructure is commonly used by cybercriminals to control malware-infected computers.
  6. The Composite SnowShoe (CSS) is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. Listings can be based on HELO greetings without an A record, generic-looking rDNS or use of fake domains, which could indicate spambots or server misconfiguration. CSS is part of the SBL.
  7. The Spamhaus White List (SWL) was released in October 2010 and was a whitelist of IPv4 and IPv6 addresses. The SWL was intended to allow mail servers to separate incoming email traffic into three categories: Good, Bad and Unknown. Only verified legitimate senders with clean reputations were approved for whitelisting, and there were strict terms for keeping a Spamhaus Whitelist account.
  8. The Domain White List (DWL) was released in October 2010 and was a whitelist of domain names. The DWL enables automatic certification of domains with DKIM signatures. Only verified legitimate senders with clean reputations were approved for whitelisting, and there are strict terms for keeping a whitelist account. Spamhaus also provides two combined lists. One is the SBL+XBL and the second is called ZEN, which combines all the Spamhaus IP address-based lists.
  9. The Spamhaus Register of Known Spam Operations (ROKSO) is a database of spammers and spam operations who have been terminated from three or more ISPs due to spamming. It contains publicly sourced information about these persons and their domains, addresses and aliases. The ROKSO database allows ISPs to screen new customers, ensuring that ROKSO-listed spammers find it difficult to get hosting. A listing on ROKSO also means that all IP addresses associated with the spammer (their other domains, sites, servers, etc.) get listed on the Spamhaus SBL as “under the control of a ROKSO-listed spammer” whether there is spam coming from them or not (as a preemptive measure).
  10. The Spamhaus Don’t Route Or Peer (DROP) List is a text file delineating CIDR blocks that have been stolen or are otherwise “totally controlled by spammers or 100% spam hosting operations”. As a small subset of the SBL, it does not include address ranges registered to ISPs and sublet to spammers, but only those network blocks wholly used by spammers. It is intended to be incorporated in firewalls and routing equipment to drop all network traffic to and from the listed blocks.[20] The DROP webpage FAQ states the data is free for all to download and use. In 2012 Spamhaus offered a BGP feed of the same DROP data.
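Item 10 describes the DROP list as a text file of CIDR blocks meant for firewalls and routers. The following added example (mine, not Spamhaus's tooling or anything from the original page) parses that text format as I recall it, with `;` starting a comment and each data line being `CIDR ; SBL reference`, checks an address against the parsed blocks, and renders the blocks as an nftables set body so they can be used in both a source-address and a destination-address rule, matching the "to and from" intent. The sample file and its SBL reference numbers are constructed placeholders, and the exact header lines of the real file are an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the DROP text layout (assumed format; SBL numbers are
# placeholders, not real listings).
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002

"""

Entry = Tuple[ipaddress.IPv4Network, str]


def parse_drop(text: str) -> List[Entry]:
    """Parse DROP-style text into (network, reference) pairs.

    Comment and blank lines are skipped. strict=True rejects a CIDR whose host
    bits are set, so a corrupted download fails loudly instead of silently
    producing a rule that matches a different range than intended.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad CIDR {cidr!r}") from exc
        entries.append((net, comment.strip()))
    return entries


def find_drop_match(ip: str, entries: List[Entry]) -> Optional[Entry]:
    """Return the (network, reference) an address falls into, or None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return (net, ref)
    return None


def nft_set_elements(entries: List[Entry]) -> str:
    """Render the blocks as an nftables anonymous-set body, e.g. for
    'ip saddr { ... } drop' and 'ip daddr { ... } drop'."""
    return "{ " + ", ".join(str(net) for net, _ in entries) + " }"


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP_TXT)
    for ip in ("192.0.2.77", "198.51.100.200", "203.0.113.1"):
        print(ip, find_drop_match(ip, drop))
    body = nft_set_elements(drop)
    print(f"nft add rule inet filter input ip saddr {body} drop")
    print(f"nft add rule inet filter output ip daddr {body} drop")
```

Because the DROP list changes over time, the parsed set should be regenerated from a fresh download on a schedule; a stale copy keeps blocking ranges that may have been reassigned to legitimate owners.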

Note: there is a special version of ROKSO, available to law enforcement agencies, containing data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs considered too sensitive to publish in the public part of ROKSO. The enforcement organisations examine the devices of those listed (laptop, desktop or smartphone) looking for criminal evidence (bank information, message templates, photos). They use a very specific search engine that works like Google but is 1000 times more powerful. The IP address is again the key to searching the devices for a very thorough and comprehensive review. If you are on this list, it is a bad time for you. We know that the true cybercriminals are protected in specific countries.

The diagram of spam determination and identification for Spamhaus