Discussion:
Why are callouts bad?
Anti Spam Bloke
2007-01-17 12:40:43 UTC
Innocent question, I hope:

cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.

Anyone care to explain, please...?
Andrew - Supernews
2007-01-17 12:51:26 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
Callouts are bad because you are using the resources of third parties
without their permission.
--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services
Johann Steigenberger
2007-01-17 14:10:19 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
See:
http://www.uceprotect.net/en/index.php?m=10&s=13

and also:

http://groups.google.com/group/news.admin.net-abuse.email/tree/browse_frm/thread/4aef5b85308a9706/5b8c3b95b381b338?rnum=1&hl=en&q=uceprotect+open+letter&_done=%2Fgroup%2Fnews.admin.net-abuse.email%2Fbrowse_frm%2Fthread%2F4aef5b85308a9706%2F5b8c3b95b381b338%3Ftvc%3D1%26q%3Duceprotect+open+letter%26hl%3Dde%26#doc_5b8c3b95b381b338

Regards

Johann
--
Project UCEPROTECT-Network: Join now - It's free - It's consequent
Together we can stop all spammers on this planet!
http://www.uceprotect.net
Bill Cole
2007-01-17 14:57:07 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
The vast majority of mail (60-99%+ depending on site) is spam sent with
forged sender addresses. This means that your callouts will mostly be
testing addresses that have nothing to do with your spam. What you will
be doing to most sites will be indistinguishable by the victims from
what "dictionary attack" spammers do to harvest addresses. When a
spammer settles on random addresses in one domain to forge for a few
thousand messages (a pattern some do follow) you'll go make a few
thousand callouts to that domain's mail servers for no purpose that has
any value to that domain.

On top of that, the practical value of such callouts has dropped a great
deal as more ill-managed sites have taken to using them. Some spammers
have adapted by using the same address set for their forged senders as
their targets (i.e. more apparently valid addresses) and there are many
sites that do not reliably provide address verification at RCPT time. In
some cases that failure is a legacy of a simpler time, in some cases it
is a response to address verification attacks.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: "This page was written to render correctly in any standards
compliant browser" on pages with hundreds of HTML errors.
Anti Spam Bloke
2007-01-17 15:41:26 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
OK, OK, understood...

Is there a way of blocking incoming callouts?
DC Hart
2007-01-17 17:05:49 UTC
On Wed, 17 Jan 2007 15:41:26 -0000, "Anti Spam Bloke"
Post by Anti Spam Bloke
Is there a way of blocking incoming callouts?
No. Even if you could, you still have an abusive waste of resources.
I prefer to break it and verify everything. If it becomes useless,
fewer people will use it - saving "us" all cycles and bandwidth.

An interesting phenomenon is that some of the idiots using SAV are
then creating backscatter from Symantec Email Insecurity and other
filtering mechanisms.
--
"Black Hole": The economic effect of administering a DNSBL
Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Johann Steigenberger
2007-01-17 19:03:20 UTC
Post by DC Hart
An interesting phenomenon is that some of the idiots using SAV are
then creating backscatter from Symantec Email Insecurity and other
filtering mechanisms.
Even more interesting is the question why *NO OTHER LIST THAN UCEPROTECT*
is threatening those abusers.

If *all* blacklists out there would list every SAV abuser out there, then
SAV would be *dead* in only a few days.

Problematically we seem to be alone fighting SAV abuse, at least at this time.

UCEPROTECT runs its list to stop abusers - globally.
It does not matter to us:
- if customers of abusive companies can communicate by email.
- if all spammers and their supporters will go bankrupt.
- if antispam industry will also be useless after all spammers will be gone.
- if people do no longer need UCEPROTECT too afterwards.

We had a good life and were good in business before spam came and forced us to
build UCEPROTECT, and we also will have a good life after spam will be
permanently gone.

BTW: Did you ever wonder about why we are hating spammers so much that we have
started UCEPROTECT?

Some of you will still remember Spamford Wallace <***@cyberpromo.com>

This guy just overdid spamming first...
If you ever had to suffer from our listings, say "thank you" to this guy.

Without the spam that guy did send to us, we would possibly never have started
UCEPROTECT.

NEVER *ask* a Bavarian for trouble...
You could be so sorry afterwards...
--
Project UCEPROTECT-Network: Join now - It's free - It's consequent
Together we can stop all spammers on this planet!
http://www.uceprotect.net
Randolf Richardson
2007-01-17 19:49:14 UTC
On Wed, 17 Jan 2007 11:03:20 -0800, Johann Steigenberger
Post by Johann Steigenberger
Post by DC Hart
An interesting phenomenon is that some of the idiots using SAV are
then creating backscatter from Symantec Email Insecurity and other
filtering mechanisms.
Even more interesting is the question why *NO OTHER LIST THAN UCEPROTECT*
is threatening those abusers.
Frisk Software, who produce F-Prot Anti-Virus, have written open letters
to the anti-virus industry about abusive anti-virus software that sends
"virus detection" notices to forged sender addresses. Interestingly,
these notices also include a web site address and effectively advertise
the product that "so smartly detected the virus" perhaps in the hopes that
the recipient of the notice will purchase the software.

More details on the letters written are linked to official sources from
here:

Resources - Anti-Virus and Anti-SpyWare
http://www.lumbercartel.ca/resources/anti-virus.html#f-prot

In my view, Frisk Software is anti-spam, as they've spoken out against
abusive tactics -- after all, what possible justification is there, aside
from promoting brand name visibility, for anti-virus software to send
notices to systems regarding viruses that forge the sender eMail
addresses? It's totally reasonable to expect anti-virus companies to
understand these fine points.
Post by Johann Steigenberger
If *all* blacklists out there would list every SAV abuser out there, then
SAV would be *dead* in only a few days.
Problematically we seem to be alone fighting SAV abuse, at least at this time.
UCEPROTECT runs its list to stop abusers - globally.
- if customers of abusive companies can communicate by email.
- if all spammers and their supporters will go bankrupt.
- if antispam industry will also be useless after all spammers will be gone.
- if people do no longer need UCEPROTECT too afterwards.
We had a good life and were good in business before spam came and forced us to
build UCEPROTECT, and we also will have a good life after spam will be
permanently gone.
This is the primary role of DNSBLs in general, in my view.
Post by Johann Steigenberger
BTW: Did you ever wonder about why we are hating spammers so much that
we have started UCEPROTECT?
Some of you will still remember Spamford Wallace
This guy just overdid spamming first...
If you ever had to suffer from our listings, say "thank you" to this guy.
[sNip]

One spam is too many in my view. We should be careful not to allow the
line to be moved. Considering the things that are typically promoted in
spam, such as pornography (because even young children use eMail), child
pornography, hate promotion, penis enlargers, vagina softeners, and of
course all the rest of the scams involving stocks, money laundering, etc.,
it makes perfect sense NOT to make any exceptions for spammers.
--
Randolf Richardson - kingpin+***@lumbercartel.ca
The Lumber Cartel, local 42 (Canadian branch)
http://www.lumbercartel.ca/
DC Hart
2007-01-18 00:29:18 UTC
On Wed, 17 Jan 2007 19:03:20 +0000 (UTC),
Post by Johann Steigenberger
Post by DC Hart
An interesting phenomenon is that some of the idiots using SAV are
then creating backscatter from Symantec Email Insecurity and other
filtering mechanisms.
Even more interesting is the question why *NO OTHER LIST THAN
UCEPROTECT* is threatening those abusers.
If *all* blacklists out there would list every SAV abuser out
there, then SAV would be *dead* in only a few days.
I was thinking the same thing about backscatter. I am VERY lonely on
most of the listings. SAV is difficult for a number of reasons
including the fact that it is not consistent. Furthermore the
envelope is ambiguous. IMO, backscatter is the more serious
issue which means that, to differentiate, you have to subtract
backscatter that went to the data phase from presumptive probes.

Eventually, though, the spammers will use more real return addresses
and SAV will die. They may not be the brightest bulbs in the
chandelier of life but they do adapt to their environment like
lizards.

Many of the people using SAV probably don't really understand what
they are doing. It doesn't scale well.
--
"Black Hole": The economic effect of administering a DNSBL
Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Johann Steigenberger
2007-01-18 02:10:37 UTC
Post by DC Hart
Post by Johann Steigenberger
Even more interesting is the question why *NO OTHER LIST THAN
UCEPROTECT* is threatening those abusers.
If *all* blacklists out there would list every SAV abuser out
there, then SAV would be *dead* in only a few days.
I was thinking the same thing about backscatter. I am VERY lonely on
most of the listings. SAV is difficult for a number of reasons
including the fact that it is not consistent. Furthermore the
envelope is ambiguous. IMO, backscatter is the more serious
issue which means that, to differentiate, you have to subtract
backscatter that went to the data phase from presumptive probes.
I do not think that you are alone when it comes to listings of
backscatterers...I always did list them.
And I never made a difference between Backscatter and SAV.

Nullsender to a nonexisting address and GAME OVER. Listed for 7 days. It is so
easy.
Why should I waste resources on allowing anyone hitting a nonexisting
address to start data phase?
It is just another lamer who will learn what it means to be listed at
UCEPROTECT...
Post by DC Hart
Many of the people using SAV probably don't really understand what
they are doing. It doesn't scale well.
That was the reason I wrote this "open letter to maintainers of software having
that feature"
--
Project UCEPROTECT-Network: Join now - It's free - It's consequent
Together we can stop all spammers on this planet!
http://www.uceprotect.net
Paul Johnson
2007-01-19 21:09:17 UTC
Post by DC Hart
Eventually, though, the spammers will use more real return addresses
and SAV will die. They may not be the brightest bulbs in the
chandelier of life but they do adapt to their environment like
lizards.
It's too bad they're not actually lizards; I could make a killing reselling
snowblowers as antispammerblowers.
--
Posted via a free Usenet account from http://www.teranews.com
Vernon Schryver
2007-01-17 16:06:21 UTC
Post by Anti Spam Bloke
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
OK, OK, understood...
Is there a way of blocking incoming callouts?
The same mechanisms that defend against other dictionary attacks apply.
Those include:

1. use DNS blacklists or other blacklists to refuse traffic from bad
SMTP clients (mail senders)

2. use a sendmail or Postfix milter or similar mechanism to rate limit
individual SMTP clients.

3. Use some sort of IP reputation system. For example, the next
release of the commercial DCC client program for use with sendmail
will use the new sendmail feature to be notified of aborted Rcpt_To
commands and will count them as if they sent mail emptier than
empty messages. Since such messages are identical, the IP addresses
of SMTP clients that play dictionary attack games will be bad.

4. answer RCPT_TO commands with 250-OK even if the mailbox is invalid,
and reject the message at the end of the DATA command.

I think #4 and #2 are the most common defenses against dictionary attacks.


Bill Cole made the case against "callouts" well, except that he was too
gentle. A "callout" _IS_ a dictionary attack with the same immediate
goal purpose as any other dictionary attack. Spammers and those trying
to filter spam with "callouts" are trying to answer the same question,
"Is this mailbox valid?" Those who say that their dictionary attacks
are ok because they are trying to defend themselves against spam are
more dishonest than spammers who admit trying to profit by stealing
your CPU cycles, bandwidth, and system administration work.


Vernon Schryver ***@rhyolite.com
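
Added example, not part of the thread: a sketch of the per-client counting that the rate-limit and reputation defenses listed in the post above rely on, flagging null-sender sessions that test a RCPT address and never reach DATA. The event format, addresses and threshold are constructed for illustration and do not match any particular MTA's log.

```python
from collections import Counter, defaultdict

# Constructed events (hypothetical format): client IP, session id, SMTP verb,
# argument, server reply code. Addresses use documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 s1 MAIL <> 250
192.0.2.10 s1 RCPT <xqzt@example.org> 550
192.0.2.10 s1 QUIT - 221
192.0.2.10 s2 MAIL <> 250
192.0.2.10 s2 RCPT <bob@example.org> 250
192.0.2.10 s2 RSET - 250
192.0.2.10 s3 MAIL <> 250
192.0.2.10 s3 RCPT <qqq@example.org> 550
192.0.2.10 s3 QUIT - 221
198.51.100.7 s4 MAIL <> 250
198.51.100.7 s4 RCPT <bob@example.org> 250
198.51.100.7 s4 DATA - 354
203.0.113.5 s5 MAIL <alice@example.net> 250
203.0.113.5 s5 RCPT <bob@example.org> 250
203.0.113.5 s5 DATA - 354
"""

def parse_sessions(log_text):
    """Group events by (client IP, session id), keeping their order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ip, sid, verb, arg, code = line.split()
            sessions[(ip, sid)].append((verb.upper(), arg, int(code)))
    return sessions

def classify(events):
    """Label one session as 'probe', 'null-sender-mail' or 'mail'."""
    null_sender = any(v == "MAIL" and a == "<>" for v, a, _ in events)
    saw_rcpt = any(v == "RCPT" for v, _, _ in events)
    saw_data = any(v == "DATA" for v, _, _ in events)
    if null_sender and saw_rcpt and not saw_data:
        return "probe"             # tested an address, sent no message
    if null_sender and saw_data:
        return "null-sender-mail"  # bounce or backscatter; judged separately
    return "mail"

def probe_counts(log_text):
    """Count probe sessions per client IP."""
    counts = Counter()
    for (ip, _sid), events in parse_sessions(log_text).items():
        if classify(events) == "probe":
            counts[ip] += 1
    return counts

def clients_over_limit(log_text, limit=2):
    """Return client IPs with more than `limit` probe sessions."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n > limit)
```

Sessions that use a null sender but go on to DATA are kept out of the probe count, since they may be ordinary bounces and need their own handling.
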
Laurence F. Sheldon, Jr.
2007-01-17 15:28:05 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
Please don't feed the troll.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Laurence F. Sheldon, Jr.
2007-01-17 15:38:07 UTC
Post by Laurence F. Sheldon, Jr.
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've
been reading that callouts are considered, by some, to be a network
threat or as bad as spamming itself.
Anyone care to explain, please...?
Please don't feed the troll.
Maybe I should have explained. This person has been here under this nym
for a month at least, during which time the topic has been discussed ad
disgustum. I find it very hard to believe that it (this person) has not
read or had an opportunity to read-up on this subject.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Anti Spam Bloke
2007-01-17 15:42:01 UTC
Post by Laurence F. Sheldon, Jr.
Post by Laurence F. Sheldon, Jr.
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or
as bad as spamming itself.
Anyone care to explain, please...?
Please don't feed the troll.
Maybe I should have explained. This person has been here under this nym
for a month at least, during which time the topic has been discussed ad
disgustum. I find it very hard to believe that it (this person) has not
read or had an opportunity to read-up on this subject.
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
It's called having been ill...and away. Sorry.
Cary
2007-01-17 16:19:59 UTC
On Wed, 17 Jan 2007 12:40:43 -0000, "Anti Spam Bloke"
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
My domain is presently getting hit by a lot of callouts due to a
forgery. Not as bad as some of the past occurrences, maybe admins are
getting smarter, or the spammer is using my domain less in these runs.
I've set up a filter that is catching them and recording the IP. Those
that are the worst will go into the local block list. It's rare to
get removed from that. All are getting tarpitted for at least a week.

In the past this type of attack has greatly loaded down my server
making me upgrade my systems to handle the load. I should not have to
be using my resources to handle other servers' spam filtering. Those
servers that think I should are not allowed to contact my server
any longer.

Cary
--
You have the right to say whatever you wish.
But just as you may not open my door to say it,
you also may not put it in my email box.
Your rights end when they meet my firewall.
Stephen Satchell
2007-01-17 18:14:21 UTC
Post by Anti Spam Bloke
cPanel WHM allows for callouts as an 'anti-spam' feature, but I've been
reading that callouts are considered, by some, to be a network threat or as
bad as spamming itself.
Anyone care to explain, please...?
1. I incorporate all the answers you have already seen about pounding
the servers of innocent third parties.

2. Well, my CPanel servers did not cache any of the answers (as far as
I can tell), so in addition to pissing off a bunch of people for asking
their server a question they shouldn't be asked, your server earns the
name "woodpecker" because it will do the same test multiple times in a
short interval, if you are unlucky enough to see parallel spam runs
using the same source list.

THEREFORE

I shut it off on mine. People are a lot happier.