2013-01-31
The shifting SBL, as experienced here
I still sort of run a mail server which gets a low enough connection volume that I can monitor the logs directly. This MTA rejects connections from SBL listed IPs, at a sufficiently low volume that I almost always look into the actual SBL listing (partly because I may want to apply my own blocks, including IP-level ones).
In the beginning, the volume of SBL hits was low but most of the actual SBL listings were for network ranges (not just single IPs) owned by what I privately characterized as 'the worst of the worst'. These were the people and organizations who spammed so many people so often that they finally convinced the SBL that they were very definitely dirty. Hits were rare partly because there never were really large numbers of these people, partly because my own blocks and other DNS blocklists caught such people before the SBL did, and perhaps partly because these people just didn't target me very often.
(I and a fair number of other people felt that the SBL was far too conservative and gave spammers way too many chances, but the SBL had its standards and that was it.)
I'm not sure when things started shifting, but this is not the pattern that I see today. The modern SBL experience is that most SBL hits are from single IPs that are listed as probably compromised or, to a lesser extent, from IPs that are on the SBL CSS. Hits from genuine SBL listed dirty blocks seem to be rare.
Out of curiosity I pulled eight days of records from the department's main mail gateway and looked through them for SBL rejections. Of the 80 IPs that (still) had SBL listings, the SBL CSS accounts for 35, 177.47.102.0/24's SBL136747 listing for four, and a random sampling of everything else shows single (compromised) IPs.
(Yesterday is a bit different. There are 27 IPs that are still SBL listed, with 21 of them on the SBL CSS. But two of the remaining were for bad netblocks and one IP was listed for spammer hosting. The other three were the usual single compromised machine pattern.)
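As an added illustration of the tally in this entry (not the blog's own code, and not the gateway's real log format), here is a small Python script that reads constructed reject-log lines, maps Spamhaus ZEN return codes to the list they came from, and groups plain SBL hits by /24 so that a netblock listing shows up as several distinct IPs in one network. The log format, the regex and all sample addresses except 177.47.102.0/24 are assumptions.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Spamhaus ZEN return codes, as documented by Spamhaus: 127.0.0.2 is an SBL
# listing, 127.0.0.3 is the SBL CSS, 127.0.0.4-7 are XBL, 127.0.0.10-11 are PBL.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Constructed sample log lines in a hypothetical reject-log format; the real
# MTA's format is not shown in the entry, so adjust LOG_RE to match yours.
SAMPLE_LOG = """\
2013-01-30 09:12:01 reject 177.47.102.15 dnsbl=zen.spamhaus.org code=127.0.0.2
2013-01-30 09:40:44 reject 177.47.102.201 dnsbl=zen.spamhaus.org code=127.0.0.2
2013-01-30 10:02:13 reject 198.51.100.7 dnsbl=zen.spamhaus.org code=127.0.0.3
2013-01-30 11:15:09 reject 198.51.100.7 dnsbl=zen.spamhaus.org code=127.0.0.3
2013-01-30 12:30:50 reject 203.0.113.44 dnsbl=zen.spamhaus.org code=127.0.0.2
2013-01-30 13:01:27 reject 192.0.2.9 dnsbl=zen.spamhaus.org code=127.0.0.4
2013-01-30 14:45:33 reject 203.0.113.44 dnsbl=zen.spamhaus.org code=127.0.0.2
"""
LOG_RE = re.compile(r"reject (\S+) dnsbl=\S+ code=(\S+)")

def parse_hits(text):
    """Map each distinct rejected IP to the list its return code belongs to."""
    seen = {}
    for m in LOG_RE.finditer(text):
        ip, code = m.groups()
        seen.setdefault(ip, ZEN_CODES.get(code, "unknown"))
    return seen

def summarize(hits):
    """Count distinct IPs per list, and group plain-SBL IPs by /24 so that a
    block with more than one distinct hit stands out as a probable range listing."""
    by_list = Counter(hits.values())
    blocks = defaultdict(set)
    for ip, zone in hits.items():
        if zone == "SBL":
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            blocks[str(net)].add(ip)
    probable_ranges = {net: sorted(ips) for net, ips in blocks.items() if len(ips) > 1}
    return by_list, probable_ranges

if __name__ == "__main__":
    counts, ranges = summarize(parse_hits(SAMPLE_LOG))
    for zone, n in counts.most_common():
        print(f"{zone}: {n} distinct IPs")
    for net, ips in ranges.items():
        print(f"probable range listing {net}: {', '.join(ips)}")
```

Note that this classifies by the return code at rejection time, whereas the counts in the entry came from checking which IPs were still listed afterwards; a /24 with several hits is only a hint that the listing is a range, and the SBL record itself confirms it.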
I don't know what this means, if anything; I just find it interesting.
(I can come up with all sorts of potential theories but I will spare you all; they're generally obvious anyways. Just in case there's any doubt, I should note that I'm all for the SBL listing all sorts of spam sources and so I have no objection to the apparent new inclusion of compromised machines that are spewing advance fee fraud and phish spam and so on.)
2013-01-05
What I think changed to make spam deliveries not cost-free
As I covered in my entry on why stupid spamming is wasteful, I used to think that spam deliveries were basically free (and so spammers shotgunned everything because, well, why not) and now I feel otherwise. This is not just a shift of my view; I actually feel that the situation itself changed. Which raises the obvious question of what changed to do this.
My tentative answer is that spamming became commercialized, and specifically that it became a sophisticated business. As it did so, we saw it increasingly segment into subfields with specialists and services as people realized both that you could make money selling the specialized services and that it made more sense to buy the services than do the work yourself (or alternatively, the existence of buyable services drew people into spamming who previously would not have done so). In particular, one thing that happened is that people began to rent out and sell spam sending capacity in various forms; as the spam business became sophisticated, people could buy and sell so much time on so many compromised proxies or so many delivery attempts or the like. This put a value on sending capacity, even if it was your own organically developed sending capacity (since you could always make money by renting it out to other people instead of trying to send out your own spam).
I also think that sending may have gotten harder and more expensive (in terms of time and lost opportunities). Back in the early parts of the 00s, things were in a sense really bad; there were oceans of open proxies (and before them oceans of open relays), ISPs generally didn't care, anti-spam precautions were relatively undeveloped (even at large providers), and so on. Since then many things have shifted quite far. The open proxy problem has gotten much better on many fronts (ISP cooperation, effective DNS blocklists, etc), anti-spam precautions have gotten more sophisticated in ways that hinder rapid sending, and so on.
(One non-obvious but important shift is that many mailers will now drop your SMTP connection if you try to do unauthorized pipelining. Back at the height of the open proxy era spam senders simply blasted an entire SMTP conversation at you in one go, ignoring return codes and speeding up their lives. Now that doesn't really work (and spammers have by and large stopped trying to do it as a result).)