Forgot your password?
typodupeerror
Spam Censorship

Spam Blackhole Lists Redux 329

Posted by CmdrTaco
from the doubling-every-42-days dept.
tsu doh nimh writes "Are spam blackhole lists good, bad or indifferent? That appears to be the question they're tackling in this Washington Post story. It has some interesting back and forth between supporters of the lists and those who claim they condone censorship." J adds: Brad Templeton recently offered some comments on the most extreme pro-blacklist position.
This discussion has been archived. No new comments can be posted.

Spam Blackhole Lists Redux

Comments Filter:
  • by craenor (623901) on Wednesday May 14, 2003 @10:42PM (#5960638) Homepage
    By tossing spammers into blackholes...just a thought.
  • by Anonymous Coward on Wednesday May 14, 2003 @10:47PM (#5960660)
    It just depresses me that everybody thinks it's OK to drop undesirable segments of the Internet. Doesn't seem to run well with the spirit of Free Speech, and really if you think about it it just makes things like DRM and various recording industry proposals to kill P2P seem reasonable.

    And they're not. They go against the spirit of the Internet. What makes it great is that everybody HAS a voice, and when we start talking about who should have a voice and who shouldn't we start to sound a lot like fascists. Doesn't matter that it's speech we don't agree with, because it's just a matter of time before the whole thing is so watered down that nobody in their right mind will bother to use it (like amateur radio nowadays...)

    • Nobody is forcing you to use a blacklist on your mail server. Forcing people to accept this trash, err spam, is free speech? I think the freedom to accept whatever mail you want is crucial. Next time I get DoS'd I'll remember your comment and think.. hmm.. I should let them flood the hell out of me because if I blocked them, that'd be quite fascist.

      Let the people choose. I use SpamCop as a RBL and I still get a decent amount of spam. This weekend, I plan on adding some broad ACLs so my mail server won't ha
    • by An Onerous Coward (222037) on Wednesday May 14, 2003 @11:04PM (#5960769) Homepage
      I can see where you're coming from in a "theoretically, Communism should work" sort of way. But from a practical standpoint, free speech only works if people have the ability to tune out some messages and concentrate on others.

      Imagine that you're having a lively conversation at a dinner party. There are a dozen different groups of chatters in the room. The spammer mentality recognizes the opportunity here: If I just brought in a megaphone, then everyone would be able to hear what I have to say.

      The problem is twofold: Everyone has a message that they want others to hear, and thanks to the marvels of the Internet, everyone with a broadband connection has a huge megaphone. At some point, it becomes difficult to pick out the messages that are important to an individual, and the medium as a whole suffers. The solution here is to silence the proverbial megaphones.

      The difference between Spamhaus and the RIAA is that Spamhaus is interfering with "speech" that interferes with more constructive speech, and the RIAA is trying to interfere with speech that interferes with their monopoly on certain messages.

      • The difference between Spamhaus and the RIAA is that Spamhaus is interfering with "speech" that interferes with more constructive speech, and the RIAA is trying to interfere with speech that interferes with their monopoly on certain messages.

        I disagree. The difference between anti-spam address lists and the RIAA tactics is that anti-spam address lists are utterly and completely voluntary. There's a problem when ISPs start ignoring traffic from certain segments.. But to say that everyone has free speech a
        • You are absolutly correct, and this is the one point that antiblacklist people choose to ignore yet is th emost important. Use of the lists is completely voluntary. The operators of these lists are in no way interfering with anyones right to free speech. If you don't want your ISP to use these lists tell your ISP. If you run a mail server and think these lists are wrong then don't use them; however, don't bitch about those of us that feel this is a good preventative measure and knowingly use the lists to bl
    • I don't know who the hell modded this up, but I'm out of mod points or I'd put it down for sure.

      There's a difference between free public speech, and invasion of privacy. Would you call it free speech if someone broke into your house and talked dirty to your underage daughter?

      These lists are not about stemming free speech... they're not stopping anyone from setting up a webpage or some other form of information server, they're about stopping invasive practices from people... shoving their CRAP down other
      • The big point of the article is that the blackhole list are sometimes subverted by persons with a political agenda. If a group of people don't like what I'm saying, they can sign up for my mailing-list and then complain to the black-list that I'm sending spam to them, with enough compalints I find that the Emails to the people who want and agree to recieve my emails are unable to do so.

        Even worst is when whole blocks of addresses are block just because a spammer has been using one address in the block. Thi
    • by Monoman (8745) on Wednesday May 14, 2003 @11:25PM (#5960880) Homepage
      Since when does someone else's freedom of speech *require* me to listen?

      In the case of spam, it is on my dime too!

    • Fine. You send me your e-mail address & I'll forward messages from all those people whose freedoms you're concerned about preserving.

      Yeah... just think of it, you'll singlehandedly be preserving their constitutionally granted right of free speech.
    • The free speech argument doesn't hold water because the spammers are criminals.

      Spammers illegally harvest email addresses, illegally steal computing resources from insecure servers, illegally hack servers to send email and take great pains to conceal their identity.

      Everyone still has a voice on the internet -- as long as that voice isn't 12 million emails sent to millions of random people.
    • Blacklists do not have to violate the end to end priciple of the internet. If I run my mail server and chose to run a blackhole list on my own email, and I give my users that choice as well, no "censorship" has occured. Now, if I run a mail server and a blackhole list without asking, I have indeed violated people. It's that simple. Give people static IPs, let them run their own mailservers if they want and the rest will work itself out. Everyone has a right to speak, but no one has to listen.

      I'd prefe

    • Free Speech (Score:5, Informative)

      by Detritus (11846) on Thursday May 15, 2003 @12:02AM (#5961077) Homepage
      If you live in the USA, the Bill of Rights enumerates your right of free speech. That does not make it an absolute right. Try exercising your right to free speech on my property and I will have you arrested for trespassing.
    • See, you raise an interesting point which is really farther-reaching than just the spam question. The idea that there is a "spirit of the Internet," like the slogan "Information Wants To Be Free," has been around pretty much since universities first signed on to the Internet, and is at once responsible for many attitudes regarding appropriate behavior and regulation of the 'Net while being little more than a myth.

      This idea is discussed in Larry Lessig's [stanford.edu] Code and Other Laws of Cyberspace (which was actual

    • Doesn't seem to run well with the spirit of Free Speech

      In my view everybody has the right, absolutely, to free speech. However, I have the right, absolutely, not to be forced to hear it, or even know that somebody is speaking at all, if that is my wish.
    • Wow. If you really feel that way, why don't you give out your phone number to the rest of us people on the earth (since we are on the subject of free speech and all). I'm pretty sure everyone would want to share their opinion with you.

      World estimated population = 6 billion.

      Even if you get only 1 call per minute, that means you'll be answering your phone for the next 11000+ years. I hope you have a good pool of highly paid secretaries to answer all those calls.

      -- end scenario --

      So, now that I've scared t
    • Kids (Score:3, Insightful)

      Haven't you ever heard of a newsgroup killfile? Guess what? They were were around and extremely popular long before the "internet" went mainstream.

      If I want to use someone's spam blacklist it's no different than if I want to use someone's killfile. You have to the right to speak, but I don't have to listen.
  • by ajuda (124386) on Wednesday May 14, 2003 @10:48PM (#5960667)
    Why don't we just create a system where we all only accept mail that has been PGP encrypted with our public keys? That way spammers will have to burn through a whole lot of clock cycles to get their crap out and as an added benefit, we will get a bit more privacy.
    • Well, we're all free to do that. Any one of us can chose to only accept e-mail that is pgp signed, or comes from an approved list of senders, or contains the phrase "this mail is not spam" in the header.

      That's the beauty of the internet. We can all do it the way we want. I am afraid of what will happen when some people start imposing their ideas of how things should work on the system.

      Often what starts as common sense restrictions becomes a straightjacket.
    • Why don't we just create a system where we all only accept mail that has been PGP encrypted with our public keys? That way spammers will have to burn through a whole lot of clock cycles to get their crap out

      Not to mention making mailing lists completely useless.
      • Well, that's simple to work around. Just create a white list of public keys you trust not to sign with your public key. The list signs the mailing list with the private key. The mail goes out, you have it on your public key white list, so you accept the mail. If your mailing list/mail server is at all scriptable, you should be albe to script having the message signed just before it leaves the server. So it should be doable, to using current technology. In fact, mailing lists would be a good place to s
    • No more annoying emails from Mom. Or from anyone else who won't learn how to use PGP.
  • bit bucket (Score:5, Insightful)

    by TheSHAD0W (258774) on Wednesday May 14, 2003 @10:49PM (#5960676) Homepage
    I think black hole lists are a great thing, but I will admit, they are certainly censorship, and the customers of an ISP using such a list may disagree with some or all of it.

    Perhaps the solution is to design a standard format for a black hole list, and add that functionality to email applications? If the end users had such access for themselves, then they could decide whether they wanted someone else to censor their mail (and whether they wanted to bypass that censorship for certain specific people or networks).

    And yes, I know there is software that does this, but it's all proprietary. Is anyone interested in adding a generic functionality to, say, Mozilla? Perhaps the ability to import an XML list of bans from one or more specified URLs, run by volunteer blackhole list sponsors?
    • Many ISPs actually provide you as the end-user the ability to turn this feature on or off through a simple website form, which to me would be the best option.

      Requiring it as an option in the email client puts just another task on the end-user's computer that's better handled back at the server.
    • in my opinion, it is absolutely appropriate and fair for a company (or individual if he controls the server) to block access to it's mail server for any reason they choose.
      (with the exception of government servers. The government has the additional responsibility of ensuring their servers do not block any speech that would be protected by the constitution, and that would probably make blacklists impossible for them)

      In the case of an ISP, I do think it should be disclosed to their clients so that those clie
    • Blacks holes lists are not a great thing. They are a necessary thing.

      I believe that a black list is something that is loaded into a firewall router by an ISP. It is NOT something that a computer sits there and reads each message to find. Read the article, see where the ISP guy explains that filtering is no good, because if he has to filter it, then it's already costing him money? That's what black lists prevent -- the email from even reaching the ISP WAN link.

      What if a spammer gets a new IP address,

    • The black hole lists do not give the end user any idea of what is blocked. Likewise people may not know that they are black holed.

      In my opinion, it would be better to create a more robust email clients that give the end user the ability to control their mail. For example, just a simple function like letting the clients download and process the headers, before downloading the body of the mail would eliminate a bulk load of network traffic caused by spam.

      The fact that a bunch of sysadmins are running arou
    • Adding a blacklist at the receiving end will only help the user using it, and one can only hope that spammers will eventually realize that much of their traffic is simply not getting through, and figure out a different sort of scam to pull on people. Unfortunately this doesn't solve some of the more serious problems with spam, such as congestion of mail servers and backbone pipes. I've heard some statistics quoted that some 80% of traffic on much of the core routers appears to be spam. A blacklist in the

    • Re:bit bucket (Score:3, Insightful)

      by Erik Fish (106896)

      they are certainly censorship

      You keep using that word. I do not think it means what you think it means.

      The word "censorship" strongly implies content filtering perpetrated by a government. Blackholes are not content based -- they operate much more on the "consent" level (either you have permission to send e-mail to me from the IP you're using or you don't -- what is in the message is irrelevant).

      Blackholes are not perpetrated by the government (except within its own offices or in particularly opp

  • blackholes... (Score:2, Insightful)

    by zbowling (597617) *
    Blackholes. Just another thing for spammers to get around, just to sell you penis enlargment products, prime morgage rates, and how to make $50,000 in 5 days. How about a new email system all together. Solve all these dang problems.
  • If you have been placed on a blacklist, then something must be wrong with your system(s). If the problem is with insecurity and unrestricted relaying, you must fix that before becoming un-blacklisted. If the problem is with a customer, you must deal with them before you can have your IP/domain removed from the blacklist. We need a central service to look at cases and see when someone is "clean." Until they are, there system could still contribute to the spam problem and must be blacklisted.
    • There are no protections for domains or email addresses on the internet. If you gave me your email address, I could send you an email as you. It's not any one person's problem; it's built into the system. Never blacklist a domain, there is no point. Blacklist IPs. They are almost impossible to fake without hijacking network hardware (i.e. routers).
  • To RBL or Not RBL... (Score:4, Interesting)

    by TexTex (323298) * on Wednesday May 14, 2003 @10:54PM (#5960702)
    I'm wondering what the slashdot fans seem to lean towards. Is it viewed as better, or easier, to simply flip on a few RBLs and prevent the messages from ever touching your server...or would you rather use these alongside sorting technology to channel spam towards a designated folder?

    Spamassassin and the like do a decent job of helping the spam problem, but my users still complain that their SPAM box has 80 messages a day...even if they get no false positives.

    Personally, I'd rather have control over this than my ISP...as at least I can control how I choose to filter or not to filter. And I think the brute-force nature of an RBL often offers piece of mind but without adequate logging or reporting to guarantee you're only blocking what you intend. I'll settle for a full SPAM box any day...
    • My opinion is both are good. I have no problem with people using RBLs to categorically block addresses that are known to produce spam in large quantities or whose output is primarily spam.

      I also have no problem with people sorting their mail automatically and deciding for themselves what to keep and what to dump.

      With respect to ISPs, I think it is appropriate for them to use RBLs as long as it is disclosed to the users. The people affected by the blocking to have a right to know the specifics of the limit
    • rbl all the way........why waste a single fucking bit of network bandwidth on spammers?

      If anything, i am militant above and beyond RBL's......

      i add entire colo's to my port 25 blocking firewall if they host spam hauses. If their hosting spammers, then i dont need ANY of their smtp traffic.
    • by mi (197448)

      Spamassassin and the like do a decent job of helping the spam problem, but my users still complain that their SPAM box has 80 messages a day...even if they get no false positives.

      My SpamAssassin is configured to reject the suspicios e-mails with a polite message: 550 This looks too much like spam. Please, contact your intended recipient with a short plain-text message

      This way, I don't have to worry much about false positives -- the innocent senders (if any) will immediately know, what happened and will

    • That depends on your point of view, if your a dial-up users on for crap phoneline that'll only connect at 28K or an ISP access provider that has to lease a oc48 instead of a T3 then you'll lean toward BL. black hole list, to save bandwidth. If your on broadband then local filtering is probably preferable.
  • by djupedal (584558) on Wednesday May 14, 2003 @10:54PM (#5960703)
    What do you call 100 spammers, chained together, and tossed into the ocean to drown?


    A start...
    • You're trapped in a room with Osama bin Laden, Saddam Hussein, and a spammer. Thankfully, you're armed with a handgun. Unfortunately, you only have 2 bullets. What do you do?

      Shoot the spammer twice.
  • No quarter (Score:2, Insightful)

    by mao che minh (611166) *
    Spammers deserve no quarter.

    Spam is the direct result of an abuse of the existing system(s). It costs companies money, money that they would not be spending otherwise. Spam is not like traditional advertising, like in TV, in which the advertiser actually pays for the ads (since they are usiing the hosters resources and/or popularity). On the contrary, the Spammers pay no fees, and force the hosts to take financial losses.

    Immediate death is the answer. Kill them. They are like animals. AND WE SHOULD TREA

    • Well, then there's that whole collateral damage thing...

      I'd say the safest way to do it is to use an RBL that has an efficient removal process to handle mistaken listings. Or you could only run your heaviest filters on messages flagged by the RBL. I'm not running a mail server right now (thank heavens) so that's just off the top of my head.

      Any mail admin who is using RBLs alone isn't doing the whole job. I can't see it being professionally responsible (in the strictest sense) to rely on a sole source for
  • Uhh, no. (Score:3, Informative)

    by Motherfucking Shit (636021) on Wednesday May 14, 2003 @10:56PM (#5960719) Journal
    Blockquoth the article,
    It is unknown who runs SPEWS, and the Web site -- spews.org -- offers few answers. The site's registration information at various Internet WHOIS databases is deliberately false, with the e-mail contact listed as not@available.org.
    Someone hasn't figured out the -h flag to whois, apparently. Depending upon the flavor of whois being used, any queries for .org domains will now list "not@available.org" as the contact email addresses unless the sponsoring registrar's server is queried.

    SPEWS' WHOIS record isn't really hiding anything when you ask the right server:
    # whois -h whois.joker.com spews.org
    domain: spews.org
    status: production
    origin-c: chip@sendmail.ru#3
    organization: Visit Lake Biakal!
    owner: chip level domains
    email: chip@sendmail.ru#3
    address: po box 61, Baikalsk-2
    city: Irkutsk region, -- 665914
    postal-code: 665914
    country: RU
    admin-c: chip@sendmail.ru#3
    tech-c: chip@sendmail.ru#3
    billing-c: chip@sendmail.ru#3
    registrar: JORE-1
    created: 2001-07-07 15:50:12 UTC caserv
    expires: 2003-07-07 15:50:12 UTC
    source: joker.com
    Whether or not that address really exists, I don't know - but I doubt SPEWS is about to put obviously bogus information (e.g. not@available.org) in their WHOIS record. The spammers would just file a complaint with ICANN.
    • Mod parent up. The article makes it sound like SPEWS is deceitful and underground -- it's not, and the whois contact info is legit. It's too bad the original article misconstrued the result of their failed whois query.

      I've observed many exchanges between SPEWS staff and people complaining, and found the SPEWS people to be quite reasonable. They try their best to make their listing accurate.
  • by gorbachev (512743) on Wednesday May 14, 2003 @10:58PM (#5960725) Homepage
    ...are just as bad as most analogies.

    What is the difference between asking ISPs to cut spammers and sking ISPs to cut users, who set up porn websites?

    Well, the latter is not against the TOS of the ISP. The first one is.

    The latter is not threatening to destroy Email. The first one is.

    The latter is not stealing. The first one is.

    But I guess this one's just another personal opinion of an EFF Director, and not representitive of EFF's opinion on these issues...

    Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death.
  • by hillct (230132) on Wednesday May 14, 2003 @11:00PM (#5960737) Homepage Journal
    The SBL and other blackhole lists are a valiable tool in the war on SPAM. The problems with their use arise only when upstream providers of client email services, make use of such systems either without the knowledge of the end users or without providing those users optionality in the use of the system. I and many other readers of /. run their own mail servers for recipt of personal email rather than depend on the mail services of their ISPs. These indevidual mail servers can be configured as you see fit with as lax or stringent mail acceptance rules as desired. When upstream providers of mail services implement such systems there is the possibility that the end users would be unaware of the mail they were not recieving. These systems must be implemented with discretion.

    As for the consequences for the sender, of sending to a recipient who may not recieve the mail, due to the appearance of the sender's IP address on the SBL or other such lists; the sender is responsible to insure that they recieve service from a reputable ISP who does not cater to spammers. This presumes that due diligence was performed before any IP is added to an SBL list. This also asumes that any mail recipient using such lists is responsible for using a reputable list provider where they are confident of the due diligent performed in generating the list. The whole system (not unlike many other elements of internet architecture) depends on the good faith / good will of the participents.

    The primary responsibility lies with the email recipient who selects an SBL type list that is as lax or stringent about the content of the list, as the email recipient is comfortabe with, since the relative levels of stringency maps directly to how much legitimate mail that recipient will have rejected.

    --CTH
  • by Mohammed Al-Sahaf (665285) on Wednesday May 14, 2003 @11:02PM (#5960750)
    There will always be some sites improperly secured that allow the spammers to relay their material. I find almost all the emails I get now are bounced through DSL boxes. Blackholing them doesnt help because you're actually blacklisting legitimate users and the spammers themselves are hidden. Having said that, I think such blackholes are important as an incentive to force ISPs to enforce their Terms of Usage. A lot of the SPAM i get is bounced through the same ISPs, or ISPs in eastern countries like Taiwan who dont seem to care about complaints.
    • What you meant to say:

      We are not afraid of the Spam. Allah has condemned the spammers and they will all die. There is no spam on the internet. The spammers have been defeated in battle after battle. They will commit suicide on the firewalls of our ISPs. God will roast their stomachs in hell.
    • Open relays on DSL lines are no longer valuable if we add a DNS field for SMTP servers authorized to send for a domain. Then, you need to actually own the domain to send mail for it (to servers that require the DNS field). Anonymity gone.
  • Yes and NO (Score:5, Insightful)

    by d3ut3r0n (664760) on Wednesday May 14, 2003 @11:04PM (#5960771)
    Yes it is a form of censorship, but NO this is not about free speech - SPAM is not free in the cost sense. It costs money to move it around - if you don't believe me, then you have no idea how the internet works.

    Sure, if you get SPAM at work, you personally don't absorb the cost... and sure, if you have uncapped internet access, sure you don't absorb the cost. BUT SOMEONE DOES. I don't get SPAM at work but do on some personal email addresses and I, like many other people outside the united states, DO NOT have unlimited download limits.

    So those who want the right to speak freely about their latest porn sites, sex products, can pay, albeit a tiny amount of money, per email we receive.

    Another thing about free speech, it doesn't mean you can talk as loudly as you want in the middle of the street at 3am - no, you WILL be approached by authorities for disturbing the peace - just try it. SPAM is not really all that much different - you don't have the option of not hearing it, the same way as you don't have the option of not hearing someone blaring music or screaming at 3am while trying to sleep. While the remedy might sound easier to delete a SPAM message than bother the local police for noise complaints, you don't have the noise every day, and hundreds of times.

    Free speech might mean not being censored, but it doesn't mean you can do it at other people's expense of inconvenience.

  • Reply with a DOS (Score:2, Interesting)

    by Ichijo (607641)
    All we need is a nice perl script to suck x bytes of bandwidth from a given IP address. It will attempt to do this with pings, recursive http or ftp, or whatever services it can find. (Real maliciousness such as Pings of Death is unnecessary.)

    So Every time a mail server receives a suspected spam, it would fork() off this script against the server that sent the spam. With enough receiving servers configured to do the same, *poof*! The offending mail server is, almost instantaneously, effectively taken off t
    • DOS-E-DO (Score:3, Interesting)

      by jefu (53450)
      I agree - but I think this should just be legalized and have someone put an open source program that could selectively do this with http/email/...

      After all, in some way the spammers are DOS'ing the internet as a whole, increasing the demand and use of potentially shared resources such as bandwidth, mail servers and so on. As often happens there does not seem to be any reasonable way to actually charge them for these resources. Legal solutions seem unlikely to work - and given the legal solutions we've se

  • by jamesh (87723) on Wednesday May 14, 2003 @11:13PM (#5960818)
    I set my mail server to tag emails rather than block them (move to spam folder on workstation), so i see some interesting things...

    When i first tried it 6 months ago, it magically worked, 99% of spam ended up in my spam folder.

    Now the blocking ratio is down to about 10%... and here's why. There are 3 MX records for us:
    A - linux server - MX = 10
    B - msexchange server - MX = 20
    C - isp's server - MX = 30

    messages delivered to A are tagged (if spam) and forwarded to B. B exists in the MX records for redundancy. C is used because A and B are on the same site.

    What i'm finding though, is that spammers send emails to B or C. When A receives the email, it has come from B or C, not the original spammer, so suddenly the blocking doesn't work anymore.

    dammit.

    It can only work if everyone in your MX record list does it, and my isp is the biggest in Australia so it's an awfully large machine to move.

    I have tried adding in more dummy MX records, so that A is first, middle, and last. That seemed to work for a bit but not for long. I might have more success adding different ip addresses for A and peppering the MX list with those... but it's a bit messy.
  • d. None of the above (Score:4, Interesting)

    by mcubed (556032) on Wednesday May 14, 2003 @11:19PM (#5960848) Homepage
    I don't think blacklists are good, bad, or indifferent. The questions are how fairly are they implemented, how rigorously are the claims against the blacklisted party checked out, and how accessible are the administrators of blacklists for appeals. Obviously, there are problems with some of the implementations, as detailed in the Washington Post article -- and these particular problems read to me less like the typical growing pains of any developing concept than like design features. I wouldn't trust any blacklist who's operators hide behind a veil of secrecy anymore than I'd trust ad-ware.

    Still, how effective can a blacklist, however well implemented & maintained, really be? Isn't this one of the easier types of blocks for spammers to get around?

    If everyone would just stop trying to grow their penises, turn $5 into $5000, and visit XXChristyXX in her all-nude sorority, spam would wither and die. Lately, I've received some very helpful emails about how to stop spam and make money in the process, secrets I will be sharing with about 16 million fellow computer users very shortly.

    --Michael
  • by Monoman (8745) on Wednesday May 14, 2003 @11:22PM (#5960860) Homepage
    The lists seem to be similar to the Better Business Bureau (in the US).

    "OUR MISSION is to promote and foster the highest ethical relationship between businesses and the public through voluntary self-regulation, consumer and business education, and service excellence." www.bbb.org

    The BBB is an organization without authority. It is a voluntary system to People can lodge complaints about a business. People can also inquire about complaints against a business.

    I may choose not to do business with any other businesses that do not have what I consider acceptable BBB records. Is it really the BBB's fault? Is their system flawed?

    I don't think so. The BBB only provides information. Depending on how much I value the BBB or information, I will choose to do business with a company.

    Blacklist are not much different. Organizations sign up for their information *voluntarily* and understand that there may be some "false positives" or disputed cases. Organizations weight the benefits and risks and make their own decision.

    If a blacklist proves to block to much email then organizations might try another blacklist or not use one.

    Thats it for now.

    ok .. it is late and I am not sure where my point is going.
  • Do you have a list of all women from Earth that you don't want to sleep with? I guess no. Instead, you have a list of all women from Earth you want to sleep with. Musch better as the second list must be much shorter than the first one :)

    Same thing should be with email. No need to blacklist bad IPs (which might not belong permanently to a spammer) or email addresses (also very temporal). Instead, list all people you trust or all their features that make the being trusted by you. You can guess that I mean e

    • Do you have a list of all women from Earth that you don't want to sleep with? I guess no. Instead, you have a list of all women from Earth you want to sleep with. Musch better as the second list must be much shorter than the first one :)

      Actually, I've known many guys for whom the first list would be shorter.

  • by Thurn und Taxis (411165) on Wednesday May 14, 2003 @11:37PM (#5960934) Homepage
    Here's my response to Brad Templeton's post:

    What if, at the end of Brad's list, we add:
    h) trading child pornography
    i) plotting terrorist attacks
    j) promoting cannibalism

    On his list, items a, f, and possibly g are potentially illegal - the others are clearly legal in the U.S., although they may violate service agreements with some ISPs. Nonetheless, even the possibly illegal actions are perceived as minor crimes, like speeding - if you found out your neighbor was doing these things, you wouldn't start looking for a new place to live. The three items I listed above are different - if any reasonable person even suspected that their neighbor was planning or committing one of those acts, they'd be calling 911 (or your local government's equivalent, unless you live in a country that supports terrorism / kiddie-porn / cannibalism) in a jiffy.

    Spam is different from both of these. It's legal in most places, which distinguishes it from the three items I've mentioned, but it's looked upon with nearly equal horror as a violation of trust. If spam were made illegal (particularly porn spam), it could easily be lumped in with these other categories (okay, spam doesn't directly involve killing/torturing other people, but when you get spam that lists your full name and discusses rape, that's bordering on assault).

    I think most people would consider it ethically responsible for their ISPs to report kiddie-porn traders, terrorists, and cannibals - at the very least, it would be irresponsible of the ISPs to not report such activities if they were aware of them. The difference, which Brad's post ignores, is that some activities (kiddie-porn, terrorism, spam) cause or can potentially cause DIRECT phsyical or emotional harm to other individuals (and before you argue this point with regard to spam, think carefully about how you would distinguish between soliciting children for sex and sending porn emails to children), while other activities (copyright infringement, NAT) don't.

    To (hopefully) temper the debate, I'll add that I would oppose a "one strike and you're out" rule. It's easy to imagine someone being tricked into downloading unpleasant images, and it's easy to imagine someone sending out spam without knowing any better. But after being warned, the punishment the second time should be more severe.
    • by btempleton (149110) on Wednesday May 14, 2003 @11:56PM (#5961034) Homepage
      The question I ask is not what should we wish to punish (for we all would like to see spammers get what they deserve) but who should be responsible for the punishing and who should get the punishment.

      Blacklisters say, "punish the ISP for providing bandwidth to the spammer."

      I see the ISP more like the phone company. You don't blame the phone company because people can trade kiddie porn or plot crimes or terrorism over the phone. You don't call for the phone company and all the people with phones in the same phone exchange to be punished until they rise up against the child pornographer among them.

      If we say "it's OK to blame and make accountable the ISP for the actions of the spammer" you turn the ISP into a policeman of the bits rather than just a provider of bandwidth.

      I worry about the precedent in doing that. There are a lot of other internet activities people want to punish, as I pointed out, and how do we tell them they can't use the ISP as their tool of punishment.

      As we've seen in the Verizon case, the RIAA can force an ISP to hand over your real identity without proving you did anything. We want to be careful about where this leads.
      • I see the ISP more like the phone company. You don't blame the phone company because people can trade kiddie porn or plot crimes or terrorism over the phone.

        You don't blame them if they don't know about it. Once they've been informed that someone has been placing 500 prank calls/day or whatever, and they refuse to do anything, it's perfectly reasonable to blame them.

        I don't know of any blacklist that adds ISPs simply because one or two spams have come from their network. The ISP has to refuse to stop
      • So if some ISP is hosting someone who is eating up your bandwidth with ping packets, and never stops, you're going to consider that to be just like the phone company and not try to get them to stop it ... or if you do ask them to and they ignore you, you're not going to blame them for hosting someone who attacks other networks?

        I don't know of any cases where the existance of music trading, or kiddie porn, has denied me of the resources and services I have paid for on the internet. Those may or may not be

  • by Indy1 (99447) <spamtrap@fuckedregime.com> on Wednesday May 14, 2003 @11:47PM (#5960977) Homepage
    i noticed this chunk of the article

    "Blacklist operators call this "collateral damage," admitting that it is an unfortunate side effect. But for people like Haselton, who can go unaware for weeks that their messages are dissolving into the ether, collateral damage can seriously hinder someone's ability to communicate via the Internet."

    Unaware? Why the fuck didnt he check his smtp logs and notice all the 553's ? When you hit a mail server that rbl's you, it sends you a 553 bounce.
    Also, many user's mail servers will notify the sender of the bounce and give them a copy of the bounce message so they know why it got bounced.

    Collateral damage is why you NEVER ever host your servers with a spam friendly outfit. Our company recently hosted a client's email server, and the FIRST thing we did was run the colo against every blacklist we could think of. We also asked them their policy on handling abuse emails, and spammer termination. Read news.admin.net-abuse.email , its full of good info on how to avoid spam friendly hosters.
  • If this or any of the other methods to curb spam condone censorship, then so do the 'OFF' buttons on my radio and television.
  • Ever wonder? (Score:3, Interesting)

    by MegaHamsterX (635632) on Wednesday May 14, 2003 @11:55PM (#5961026)
    Ever wonder why IM has taken off like it has, you don't get fucking spammed.

    Blacklists suck, they don't work. Blacklist an ip address or range and a new guy gets it and can't send mail, real fucking smart and real fucking frustrating to be the admin, use the reverse domain name all you want, but don't involve the ip address.

    Do you think ISPs want spammers, spammers are a pain in the ass to deal with, they are the squeeky wheel at an ISP and they rarely pay their bills after bitching about everything.

    An extension to smtp and pop3 is needed, smtp stopped working years ago and people now ignore their email, often you need to call someone to check their email and search for you amongst all the spam in their box.

    I'm an admin, not a programmer, but I would do it this way if I was a programmer.

    mail is received, the host starts out with a zero rating and the user does as well.

    A global bayesian filter then ranks this piece of email, the email is then delivered to a users box with the rating attached for the domain and the user.

    The user may sort by this rating to filter out spam from non spam, it is optional at this point, but if the user is using software with the necessary extension, the user can then check if the email is spam or good and have the domain's rating adjusted slightly, and the user's rating fully in the negative or positive, if negative the sending user will not have mail accepted again unless someone uprates the user.

    If enough complaints arrive from the sending domain, the domain is blackballed and cannot escape since multiple users have decided that this domain is sending inappropriate email according to the TOS of the receiving ISP.

    So, to be more specific, sorry to make this so long, but maybe it will inspire someone.

    Connection established with port 25, reverse checked for presence on blackball list, if present drop connection silently. No reverse also gets dropped.

    Check for from line with specific user name, if user is on blackball list drop connection silently.

    Receive email and grade with bayesian filter using global ruleset, this filter cannot blackball domain or user no matter how much it looks like spam, but can make it nearly so.

    Deliver mail, if user confirms mail is spam, blackball user and downgrade domain further, this may actually blackball the domain if enough mail is sent and the filter grades it badly enough (based upon average grade).

    Since Dialup and DSL connections do not control their own reverses, it would be trivial to add a simple filter that would refuse mail delivery from these sources, except from their own isp, and then the outgoing mail would be run through a filter, if the rating dropped for the user into negative territory as reported by receiving servers the user would lose their bulk smtp privledges and have thier outgoing mail throttled in a severe fashion with all mail containing bcc and cc mail rejected, and the number of emails per hour limited to stave off potential damage.

    The SMTP extension comes into play with a network of these mail servers, blackballed domains would be automaticlly sent to a neighbour in p2p fashion, but ratings would only be accepted if the neighbour server had a valid key, that would be exchanged amongst admins and a network of trust would form.
    If a domain becomes blackballed, a user/domain notification takes place alerting that site to the fact mail from their domain/user is not being accepted, at this point an admin could get involved, but my guess is that more often than not the domain will remain there.

    Anyhow flame away, my asbestos suit is on :-)
  • by almaw (444279) on Thursday May 15, 2003 @12:22AM (#5961181) Homepage
    It's simple - when a mail comes in you send an e-mail back to the sender with a cookie in the subject line. That e-mail requests they send you a confirmation e-mail to get onto your whitelist, which also causes the original e-mail they sent you to be de-queued and delivered.

    If you feed your inbox/archives into your whitelist, 99% of people who e-mail you won't even notice the system is running.

    I used to get about 200 spams a day. I tried RBLs, I tried spamassassin. None of it worked reliably - RBLs were only catching about 20% of my spam and spammers now get around spamassassin by looking at the rules when they craft e-mails. False positives were also a problem - sure, it's quicker filtering suspected spam into a spam folder for batch-checking, but it's still a serious hassle with >80 dubious borderline spams a day, and tens slipping straight through the spamassassin/RBL net into your inbox.

    Happily for those of you running your own mail servers (or sitting on a *nix box which delivers mail locally via procmail), you can get a program which will do this for you for free. It's called Active Spam Killer, it's written in Python, and you can get it here [paganini.net].
  • There is no good, bad, or indifference to the use of RBL lists. They are the currently the only way to combat, what is in essence, criminal behaviour. There are no first amendment rights issues involved here. Read it for yourself if you think otherwise, (http://www.billofrights.org/).

    These people steal bandwidth and services from both the originating and the receiving companies and ISPs. They pedal blatantly false products (Are you stupid enough to think that you can enlarge the flaccid size of your penis
  • There seem to be several basic problems that people have with blacklists. One is that they are "censorship" or harm "free speech". No, they are not censorship and some people evidently didn't pay attention in civics class (or whatever they call it today). Free speech is about limiting the government's ability to squash speech. Not about private enterprises blocking unwanted access to their networks. If you don't want to use blacklists, most ISPs give you that option or you can change ISPs. There may b
  • Stolen idea (Score:3, Interesting)

    by darthtuttle (448989) <meconlen@obfuscated.net> on Thursday May 15, 2003 @02:39AM (#5961746) Homepage
    I got this idea from a friend, so don't give me credit, but it seems good.

    Adjust the RFC such that a mail type header is mandatory and define the mail types. Personal, bulk, subscribed, non subscribed, comerical, non comerical, etc. Define these in a technical sense. Then pass a law that says it's illegal to lie in the headers of an email. The law only has to say that it's illegal to go against the standard. The standard says it must be included to be legitimate email, and the standard can be changed and adjusted without lengthy legal processes (but there should be *some* process) to meet loopholes people find.

    This makes it easy to identify spam, and provides penalties for lying.

    Your still going to have spammers who lie, and you can identify these somewhat easily from the parts of headers they can't fake and the government should go after them. The spammers who want to operate within the bounds of a system and think people want their Bulk comerical email will have to identify it as such, and it's easy to dump it at any place in a network that you own. An IMAP client should be able to read the header and delete before ever downloading.

    It doesn't solve all the problems, but it provides a solution without government censorship.

    And why hasn't anyone made it a technical standard that there are no open relays and that relay by MX is not legal.
  • by dcs (42578) on Thursday May 15, 2003 @08:56AM (#5963140)
    That article is complete bullshit.

    First, if an e-mail is not delivered, the recipient receives a notice of the fact, as long as he is properly identified as the source of the e-mail.

    Second, I have had a number IP addresses in our range blocked by a whole host of different DNSBL, for many different reasons. The *ONLY* blacklists I never got removed from were those which block ranges for a whole region (like South America or Brazil).

    Moreover, the process might take two or three days (though it's seldom more than 24 hours), but it's always VERY clear.

    That article reads more as a pro-spam article in disguise.

Never trust an operating system.

Working...