[Tfug] Anyone using KnujOn?

rfs_lists at mac.com
Fri Mar 30 11:43:03 MST 2007


On Mar 30, 2007, at 1:57 am, Stephen Hooper wrote:

>> Billions. Ah, your famous disparaging tone. Jolly good.
> Ahh... the disparaging tone about the disparaging tone... jolly  
> good! ;)
We both win!

> In actuality, [quoting contemporary usage of "billions and billions"]
Aside from Spamcop and KnujOn, I haven't come across any other  
companies that are really *effective*. Yeah, filtering magicks the  
spam away, but you're still receiving it -- you're still paying for  
it. Your bandwidth might be rated at a fixed fee, but that fixed fee  
goes towards the infrastructure needed to support the spam *and* the  
filtering. And as for sucking eggs you hold it like this...

> Still I can see why you don't like my tone,
Whaddyamean I don't like your tone!? Come on, with questions like  
"This M$ patch looks like it might be a virus what do I do?" in the  
age of Google (and Ixquick and Answers.dot.com (and don't you dare  
take that as Google advocacy)), how else can an experienced IT person  
respond? You ain't got exclusivity on the disparaging tone!

> ...the best spam fighter I have seen so far is gmail...
Yeah, it's pretty good filtering, but what do you *do* with all that  
spam?  Ignore it? Delete it?

>> They gather evidence and report it to the appropriate authorities and
>> get the spammers' domains closed down. They help law enforcement
>> bring cases against spammers and fraudsters by providing technical
>> evidence against them.
>
> Yes, I read that.
Have a gold star.
> I still don't understand how it is applied though.
Okay.
> They bring cases against domain owners... what domains?
The originating domains. Where that's not obvious, they use email  
forensics and circumstantial evidence to trace the originator.
> The sender's email domain?
No, because these are often Windows zombies (important point) or open  
relays.
> The domain that actually carries the product?
Usually, because that's often the originator.
> The domain that spread the virus?
Sometimes, if that's the originator.
> The bank that is being "phished".
Don't be daft!

On a side note, they also like to receive web form spam, so long as  
it has links. I only mention it because they don't in their FAQ. We  
asked 'em and they said "send it on".

> What about viri?  What has it to do with Spam?
There are a few specific spam-related viruses. Some of these are used  
to grab contact lists -- spammers will use those lists directly, and  
others will sell on to spammers. The other kind is for installing a  
mail relay, open or otherwise (if you were a spammer and had secured  
a huge number of mail relays would you leave them open for others to  
use?)
> Or is this just general net abuse you can complain against?
Well no. Just spam, including spam with a virus payload.
> Do they investigate the virus?
Where appropriate, yes.
> Don't antiviral companies already do that?
Yes. All two billion of them. Ha.
> How do they trace it effectively?
I can only guess, but the way I'd take a stab at this kind of  
technique would be to build a propagation map, going by valid dates  
and IPs, and trace it back to the source that way. Some clever  
filtering to drop date and IP spoofing would be needed to stop it  
being stupid.

KnujOn says "Send us your junk", so that's exactly what I do. Even if  
I was certain the virus *wasn't* a mail relay installer, I'd still  
send it on, because I don't know how they use the info they receive,  
and I'm not going to second-guess their techniques. For a long time,  
I wasn't reporting viri. And for even longer, I was sorting stock  
junk from regular junk to send to two different reporting addresses.  
As a registered domain we have a single reporting address, so now we  
just send the whole caboodle on.

>> ...and always having a free component.
> Again, that seems a little murky... and lawyerly.  I could say the
> toothpaste I buy always has a "free" component.  What does that mean?
> Beer?  Code?  Maybe just the reporting will remain free... Hey!  That
> would be a free component!
Come off it. Red Hat has a free component. Mozilla has a free  
component. Google has a free component. The bloody iTunes Music Store  
has a free component. If they just keep the reporting part free, then  
what's the problem? So you don't get a personalized report, so what?  
KnujOn fits into the -beer category rather than -dom. Why? Just because.

>>> What makes it great enough in your mind that you would actually
>>> advocate it?
>> Don't try to put words in my mouth Stephen -- I didn't "advocate"
>> anything, but suggested it in response to Earl's poorly worded
>> question. I then politely asked if anyone else was using it because
>> it seemed relevant. If something better comes along, I'll go with
>> that service.
>
> I am sorry for putting words in your mouth,
Thank you.
> but let's examine this.
groan. Just like being at the frigging dentist... AAAAAAHHHHHH!!!!!
> I assumed as you mentioned it in a positive context, i.e. that you
> advocated it... let's see (definition of advocate) ...
>
> 1.	to speak or write in favor of; support or urge by argument;
> recommend publicly: He advocated higher salaries for teachers.
Language evolves. These days, "advocacy" has connotations of  
eagerness, of servitude, and of ignorance. It's always been a strong  
word, hence "urge". Do you take my tone to be urging? Or do you mean  
"advocate" in an older, less eager sense?

> So back to your original email:
>
> "It's working as well as can be expected for my company. Given the
> rapidly increasing volumes of spam over the last year, we're receiving
> something like 50% of the volume we were a year ago."
>
> Which looks to me that you are writing in favor of it...  hate to be
> an english nazi (in all sorts of contexts), but what would you
> consider that stanza if not advocation?
If "as well as can be expected" is advocacy, can I pay a fine or do  
you want hard labour? It was a jot of context for my question "anyone  
else using KnujOn?".

> You can read a disparaging tone into that.  It is a silly argument we
> can continue if you like :)
No, let's argue over something else :-)  What I advocate is doing  
*something* about spam rather than just ignoring it, brushing it  
under the carpet -- i.e. filter, delete.

> I guess it sometimes seems that the RIAA is doing that same thing to
> curb illegal activity.  Seems to work real well :}
:-P to your strawman.

Someone's sending spam spoofing our domain. We've never been served  
any kind of notice. So it's a bit *unlike* the Recording Industry Ass  
of America. I guess they've got a bit of common sense -- don't annoy  
your potential customers.

>> Take a quick look through their news page: http://knujon.com/news
>>
>> (I realise that talking about KnujOn in a slightly positive light on
>> a public forum is going to get this email alias spammed to heck.
>> You'll probably see me disappear and reappear sometime.)
>
> Oh, so you were advocating it?  (again disparaging, but really, you
> are tempting me so...)
No. Advocacy is strong language. I'm giving a report on what we're  
actually using. It's nothing like rosy -- our spam still stands at  
350-500 messages a day. Which is a hell of a lot better than 700-1000.

>> Anyway, thanks for asking. If you take it as a recommendation, that's
>> your own biz.
>
> Nah... I probably wouldn't go with it based on what I have heard:   it
> would have been cool if you had been using something other than
> "barely nothing"
I was tired when I sent that reply and clean forgot all the other  
anti-spam activities we've been involved with:

To start with, two or three people were using Blue Frog at our place  
before I started. It was having a decent enough effect. Of course,  
when it went down, we needed a replacement.

In addition to Blue, a colleague was investigating spam herself and  
reporting it to the relevant ISPs. These ISPs would sometimes respond  
to individual complaints, sometimes not. Some were even arrogant or  
even abusive -- obviously MCSEs... In contrast, KnujOn and Spamcop  
get the job done because they're bigger than the individual. Kinda  
like the *theory* behind trade unions.

Thirdly, removing PDFs, Word docs, etc with exposed email addresses  
from the website. Disguising email addresses with r2l and HTML  
entities, all according to the accessibility experts' advice. Adding  
a contact form with an accessible Turing test. That kind of thing.

So yeah, "barely nothing" was wrong -- apologies.

> , then maybe the effects could be measured better,
I present: measurements. Halving our spam in the face of a worldwide
doubling over one year -- a 75% reduction in real terms. (I'm
extrapolating 120% over the quarter September to November 2006, cf.
http://www.tamingthebeast.net/blog/online-world/spam-increase-1106.htm
-- 120% ^ 4 = 207%. I could use better statistics
than those on some random bog returned by Google. If they mean
Sep-Nov is two months, then that extrapolates to 120% ^ 6 = 298% --
tripling, and that 75% reduction comes to 83%.)
> and I would take it as a recommendation.
I recommend doing *something* about spam beyond deleting it. How you  
do that is your choice. Of which there currently isn't a lot --
self-reporting is hit and miss. And miss and miss and miss. Besides, it's
*very* time consuming. Asking the spammers to remove you from their  
lists is going to get you spammed even more. Do you see any  
alternatives? (That's a real question.)
> I also don't like the lack of transparency (perhaps my perception)  
> on what this company actually does...
Okay, from what I gather, it's a father & son team, somewhat  
associated in a mysterious way with Castle Cops. I guess they're a  
kind of sysadmin/programmer team (y'know, the original sort of  
sysadmin), only more public. Remember when you were a mere (l)user?  
The geeks in the basement were always a bit of a mystery. Now we're  
the geeks in the basement, we wanna know more. That's exactly the  
reason why it took me a few months to start using KnujOn -- I  
couldn't find enough about 'em. They need some kind of PR -- not to  
smooth over, but to add transparency. So yep, I agree with you on  
that. I'm not trying to win you over, and that's why this isn't  
advocacy. *shrug*

> Anyways thanks.
Any time.

R.




