Spam

Osirusoft Blacklists The World (947 comments)

ariehk writes "As of today, Osirusoft, distributor of the SPEWS and open relay blocklists, among others, is no longer operational. Servers using these lists (including the FTC) are currently rejecting ALL email. This shutdown seems to be in response to a several-week-long DDoS attack on Osirusoft, SPEWS and others, resulting in both sites being down. This has caused much discussion on n.a.n-a.e, including the suggestion that the attack is somehow related to the SoBig worm. The spammers must be hurting if they can devote these kinds of resources to attacking blocklists." Read on below for a related submission.

NSXDavid writes "Earlier today our site mysteriously ended up on Joe Jared's Osirusoft SPAM blacklist which is used by lots of antispam software (like SpamAssassin and sendmail). Since he is currently under a serious DDoS attack, there was no way to appeal this decision. We contacted Mr. Jared by phone who informed us that 'everyone needs to stop using Osirusoft and that he's going to be shutting the service down.' Then he says he's going to blacklist 'the world' (aka, ban *.*.*.*) to get his point across. Later on this evening, he apparently went ahead and did just that. Succumbing to lawsuits and DDoS, a once great blacklist is dead. SpamAssassin is removing it from their config in the next release (rc3) and email admins around the globe are reconfiguring their mail servers."

  • ouch! (Score:2, Interesting)

    by Anonymous Coward on Tuesday August 26, 2003 @11:19PM (#6801579)
    long live whitelisting [spamgourmet.com]
  • JEFF K wins again! (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 26, 2003 @11:19PM (#6801584)
    I guess Jeff K [somethingawful.com] and Jerry, with their 1337 h4x0r 5|!11z, have finally retaliated for the blacklisting of somethingawful.com. G
  • by Gherald ( 682277 ) on Tuesday August 26, 2003 @11:21PM (#6801591) Journal
    Will yahoo and hotmail be on that whitelist?

    Most of the spam I get comes from those domains, or at least it is spoofed to appear its from there.
  • Whoa (Score:3, Interesting)

    by josh crawley ( 537561 ) on Tuesday August 26, 2003 @11:21PM (#6801595)
    I'm glad I read this; I got a bounce message earlier saying one of my emails was blocked due to our corp. mail server being blacklisted by relays.osirusoft.com, and I drove myself just about mad trying to figure out how or why.
  • by Sebastard ( 142754 ) on Tuesday August 26, 2003 @11:26PM (#6801628) Journal
    My co-located server has been blacklisted by SPEWS for months now. And it's only because of a spammer elsewhere on my two-providers-up-the-chain regional ISP. And the spammer is on a different C-class entirely, yet my IP range was still included as punishment to the ISP. The fact that I suffer as a result doesn't matter to these people. Changing providers is not an option for me at this point (long story) so I've just had to live with it. I can't email several friends, and regularly field complaints from people who host on my server.

    I believe in fighting spam, and I think that blacklists are a good idea to a certain degree, but I've always felt that SPEWS was too draconian, and had no option for recourse for those of us who were (as they put it) "collateral damage".

    I posted to the referred newsgroup a few times, and got nothing but venom from the locals.

    I'm not sad to see them go.
  • So what DO we do? (Score:5, Interesting)

    by RealisticWeb.com ( 557454 ) on Tuesday August 26, 2003 @11:28PM (#6801637) Homepage
    I would like some serious talk about just what exactly we ARE supposed to do about spam. Government moves too slow to pass an effective law, and the spammers don't abide by the law anyway. Filters don't work effectively, blacklists are not working either apparently. Does anyone have a useful suggestion about how to fix this problem?

    One idea I've had (or maybe I've heard it somewhere else, I can't remember) is authorization. Change the protocol, or maybe just implement at server, so that before anyone can send you an email they have to request permission. In that request they would identify themselves, and before they start emailing you stuff you would have to send them back permission. Anyone that is in your contact list would automatically be given permission. If it turns out to be spam you could revoke permission. Also analyze the email header and do reverse lookup to see if the domain names resolve properly. If a domain is spoofed, deny it automatically.

    Perhaps this has been done before, and I'm sure there are flaws, but I am tired of hearing about how big a problem this is, without hearing any good ideas about fixing it. Any other thoughts?

  • Bayesian Filtering (Score:5, Interesting)

    by someguy456 ( 607900 ) <someguy456@phreaker.net> on Tuesday August 26, 2003 @11:29PM (#6801648) Homepage Journal
    I can't completely describe my satisfaction with Bayesian filtering. I've been using SpamBayes [sourceforge.net] for a few weeks w/ Outlook (please don't smite me), and it hasn't let me down. I have received absolutely no spam in my inbox these last couple of weeks. Granted, I built up a collection of >500 unwanted e-mails, but it only took a couple of days :)
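For readers who have not seen how the kind of filter someguy456 describes reaches its verdict, the following is an added example: a small naive Bayes spam scorer. It is not SpamBayes code and does not reproduce SpamBayes' exact scoring; the training messages are constructed for the illustration, and the tokenizer, smoothing and 0.9 threshold are choices made here.

```python
"""Naive Bayes spam scoring on a hand-built corpus (added example, not SpamBayes)."""
import math
import re
from collections import Counter
from typing import Set

TOKEN = re.compile(r"[a-z0-9]{2,}")


def tokens(text: str) -> Set[str]:
    """Lower-case word tokens; a set, so a word counts once per message."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tok: Counter = Counter()   # token -> number of spam messages containing it
        self.ham_tok: Counter = Counter()

    def train(self, text: str, is_spam: bool) -> None:
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tok.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tok.update(toks)

    def token_prob(self, tok: str) -> float:
        """P(spam | token) from per-class document frequencies, smoothed with
        one pseudo-count each so an unseen token scores a neutral 0.5."""
        p_in_spam = (self.spam_tok[tok] + 1) / (self.spam_docs + 2)
        p_in_ham = (self.ham_tok[tok] + 1) / (self.ham_docs + 2)
        return p_in_spam / (p_in_spam + p_in_ham)

    def spam_probability(self, text: str) -> float:
        """Combine the per-token probabilities in log space to avoid underflow."""
        toks = tokens(text)
        if not toks:
            return 0.5
        log_spam = sum(math.log(self.token_prob(t)) for t in toks)
        log_ham = sum(math.log(1.0 - self.token_prob(t)) for t in toks)
        diff = log_ham - log_spam
        if diff > 700:          # exp() would overflow: overwhelmingly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text: str, threshold: float = 0.9) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_demo_filter() -> BayesFilter:
    """Train on a constructed corpus; real use needs hundreds of each class."""
    spam = [
        "Buy cheap viagra now! Lowest price guaranteed",
        "Enlarge your body parts with our miracle pills, order now",
        "Great money saving offer: cheap mortgage rates, apply now",
        "Free prizes! Click here now to claim your cash",
        "Cheap pills and miracle cure, limited offer, order today",
    ]
    ham = [
        "Hi Scott, thanks again for hosting the site, the DNS change is done",
        "Meeting moved to Thursday, bring the Postfix config printout",
        "Your Amazon order has shipped, tracking number attached",
        "Can you review my patch for the mail queue before the release?",
        "Reminder: the colocation invoice is due next week",
    ]
    f = BayesFilter()
    for m in spam:
        f.train(m, True)
    for m in ham:
        f.train(m, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("Cheap miracle pills, order now for the lowest price",
                "Thanks for the Postfix config, the patch looks fine"):
        print("%.3f %-4s %s" % (f.spam_probability(msg), f.classify(msg), msg))
```

Each token contributes the fraction of spam versus ham messages it appeared in, which is why a corpus of a few hundred unwanted messages, as the poster collected, matters more than any clever rule: the scorer has nothing but those counts to go on, and a token it has never seen contributes nothing either way.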
  • blacklists -- bah! (Score:2, Interesting)

    by jxliv7 ( 512531 ) on Tuesday August 26, 2003 @11:30PM (#6801650)
    Having never been a fan of blacklists, it's good to see one fail.

    A blacklist is like the death penalty -- there is no 100% surefire positive no-mistakes without prejudice way to protect the innocent.

    Look at the results of blacklists as similar to the casualties produced in a war -- you may kill a good many of the enemy, but how many of them were civilians?

  • by Cogneato ( 600584 ) on Tuesday August 26, 2003 @11:31PM (#6801660) Homepage
    As someone who was blocked by both osirusoft and spews as part of their policy of blocking entire IP blocks, I feel no pity for them or for those who use them. In fact, I hope that at least some of them are learning their lessons.

    The IP address of my server happened to fall a few dozen numbers away from that of a spammer. As a result, it cost me thousands of dollars in lost time and expenses to track down the issue, contact my isp and have them contact whoever it is on Mt. Self-Righteousness that takes you back off the list. Getting on the lists takes day(s), while getting off the lists takes weeks.

    Blocking entire IP blocks is nothing short of techie-terrorism. In other words, you can't convince the real wrong doers to stop, so you harm the innocent bystanders to try to get them to revolt.

    SPEWS and those that support them point the finger at the ISP while purposely hurting innocent small businesses like mine. It's time they take responsibility for the tools they provide, and in this way, they are no different than Microsoft.
  • by Anonymous Coward on Tuesday August 26, 2003 @11:42PM (#6801734)
    Lots of sites already do this, actually. Well, not the whitelisting, but an "email address on the website" alternative. Just use a modified form of forum software where instead of the messages getting posted onto the website, you get it posted to a personal spool where it can be retrieved at any convenient time. If the message poster wants to have a return email, they can whitelist the website owner and put their email in their message. It's a workable authentication scheme.

    The main problem would be that a determined spammer could post messages at will to a board, but that situation really isn't any different from the current situation where spammers can send emails at will to anyone.
  • My Postfix Logs (Score:5, Interesting)

    by Alowishus ( 34824 ) on Tuesday August 26, 2003 @11:43PM (#6801742) Homepage
    I run a Postfix setup which uses Osirusoft as one of its blacklists, and going through my maillogs I see that the RBL was unresponsive early on the 24th, and then started answering again later in the day. It was down the 25th and most of the 26th, until it briefly came on and started answering only some of the requests with "blocked using relays.osirusoft.com, reason: Please stop using relays.osirusoft.com". But it wasn't rejecting everything as the 2nd article says - just a subset of our mail. The rejects might even have been legitimate blacklisted IPs - perhaps they just changed the rejection message so admins would see it in their logs?

    Additionally Postfix is a smart enough MTA so that during the RBL downtime it didn't reject any mail - the default behavior is to deliver if the RBL can't be contacted.
  • by michellem ( 110855 ) on Tuesday August 26, 2003 @11:43PM (#6801748) Homepage
    Having been myself unfairly blacklisted (not by Spews, but by another list) because of the actions of my ISP, I really have come to have serious issues about the blacklisting process. I understand the principle - get innocent bystanders pissed off at their ISPs, then have them complain to their ISPs, or switch ISPs, and then ISPs change their behavior.

    The problem is that many people, for a variety of reasons (geography being one) can't change ISPs, and many ISPs (mine included) did nothing in response to my complaints (because they knew I wasn't going to move). So what does this do? It certainly doesn't help anyone!

    I hate spam as much as the next gal, and I think that the SpamAssassin approach (which is to label mail as spam depending upon certain criteria) is a much, much better approach than blacklisting.
  • by Alowishus ( 34824 ) on Tuesday August 26, 2003 @11:51PM (#6801796) Homepage
    I recently saw a copy of this email from the Spamhaus project saying that they would no longer be making their blacklist available through other 3rd parties such as Osirusoft. Perhaps this sparked the shutdown of the Osirusoft project?

    Date: Wed, 6 Aug 2003 18:42:07 +0100
    From: Steve Linford
    To: nanog@merit.edu
    Subject: SBL soon only from sbl.spamhaus.org

    If you currently use the SBL by querying the master zone
    sbl.spamhaus.org then you can ignore this message.

    If you are using the SBL via 3rd party composite DNSBLs and not
    directly from sbl.spamhaus.org, then please read this as the
    following change affects your DNSBL setup.

    For a long time the SBL has been available either directly from
    Spamhaus (as sbl.spamhaus.org) or via 3rd party composite zones such
    as relays.osirusoft.com (as spamhaus.relays.osirusoft.com) and
    blackholes.easynet.nl which import SBL data from Spamhaus. This
    distribution is now changing. In order to better manage SBL
    logistics, DNSBL zone and query traffic, from Monday 11 August 2003
    the SBL should only be available from sbl.spamhaus.org.

    The fact the SBL was available from multiple DNSBLs was causing some
    confusion, plus other small factors (such as the different zones
    having different build times - which for example meant that we'd tell
    someone an IP had been removed, but they'd contact us a few hours
    later to say it was still blocked), plus the likely emergence of
    further composite lists which may add confusion, meant that it was
    time to make a change now rather than in a year or two.

    So, if you are not using sbl.spamhaus.org but would like to continue
    using the SBL, please add sbl.spamhaus.org to your mail server's
    DNSBL list.

    --
    Steve Linford
    The Spamhaus Project
    http://www.spamhaus.org
  • by doorbot.com ( 184378 ) on Tuesday August 26, 2003 @11:52PM (#6801804) Journal
    He is guaranteeing that no one is using the blacklist. That way it can't be misused by someone hijacking it, or just left in place by someone who doesn't care.

    Actually that was exactly what I thought happened when I dealt with my Sendmail servers this morning.

    For a few minutes, I entertained the idea that the original owner had let the domain expire accidentally, and a spammer who had been blacklisted by Osirusoft sniped the domain, quickly setting up a DNSBL list to cause problems for everyone who used Osirusoft. Thus admins everywhere remove Osirusoft from their DNSBLs and said spammer is (hopefully) free to spew their message without fear of blacklisting.

    Clearly, there would be flaws in this spammers' plan (I use multiple DNSBLs), but that wouldn't be the first time spammers didn't think something all the way through. ;)
  • by srw ( 38421 ) * on Tuesday August 26, 2003 @11:52PM (#6801805) Homepage
    > What happens when the spammers start using worms and viruses to create open relays on people you trust?

    They already get through whitelists... a few months ago a person I provided free webspace for got a nasty porn spam with my address in the *from*. She was rather concerned. When she contacted me, I found that I had in fact received the same spam "from her." What's more, her address was a special purpose address that was only listed on the website I provided for her. A few lines lower on the site was a "Thanks to Scott Walde for providing this webspace for free" with a link to my email address. The only reason I can see for using email addresses found near each other this way is to get through whitelists. (software or human... I often scan the "from" to decide which emails to read.)

    --srw

  • by jovlinger ( 55075 ) on Tuesday August 26, 2003 @11:53PM (#6801812) Homepage
    typically, there is a way for the sender to get onto the whitelist, without the recipient needing to take special action.

    Alternatives are confirming the email (respond with this specially crafted string as subject) or running some computationally expensive operation. For example, postmasters of well administered machines may run a number factoring service: to prove that a non-whitelisted message isn't spam, they are willing to spend their computational resources to factor a largish number for you.

    The idea for both of these is that the main difference between spam and legit mail is that a legit sender will have just a few recipients but many messages, and thus can afford a one-time-per-recipient hassle to get on a whitelist, while a spammer cannot.

    Neither address distributed compromised senders, which is effectively a way for spammers to make others pay to get on whitelists. If whitelists become wide-spread, a worm-based mass-compromise is the only option left to spammers.
  • by Kris_J ( 10111 ) on Wednesday August 27, 2003 @12:03AM (#6801875) Homepage Journal
    How do you reach someone for the first time?
    Challenge-response using a machine-unreadable image.

    Personally, I don't use whitelists as my primary spam defense, I use an aliasing service (spamgourmet) that allows me to automatically create any number of email addresses with a limited life span. Once someone appears trustworthy they get my main email address (spamcop). Since no one is supposed to know my real email address, it can be changed at a moment's notice -- like the night before last when it was filling up with viruses.

  • Re:So what DO we do? (Score:3, Interesting)

    by AKnightCowboy ( 608632 ) on Wednesday August 27, 2003 @12:04AM (#6801882)
    One idea I've had (or maybe I've heard it somewhere else, I can't remember) is authorization. Change the protocol, or maybe just implement at server, so that before anyone can send you an email they have to request permission.

    You mean like TMDA? From their freshmeat description:

    The Tagged Message Delivery Agent (TMDA) reduces the amount of SPAM/UCE (junkmail) you receive. It combines a "whitelist" (for known/trusted senders), a "blacklist" (for undesired senders), and a cryptographically-enhanced confirmation system (for unknown, but legitimate, senders).

    The problem is, that's fine and dandy for most things, but are you sure every mailing list you're on is whitelisted? Did you remember to whitelist any companies you do business with? I'm sure their auto-responders aren't going to respond to your automatically generated cryptographically-enhanced confirmation system so you may not ever get that info about your eBay bid or the receipt for an online purchase. You may have whitelisted store.com but their confirmation mail comes from store.yahoo.com, etc. What do you do? It's an annoying problem. I say legalize the ability to punch known spammers in the nuts once per spam message. That should fix the problem.
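To make the mechanism in that freshmeat description concrete, here is a whitelist/blacklist/confirm-the-rest delivery agent that issues an HMAC-tagged challenge address. It is an added example, not TMDA code: the address format, the tag layout, the names ConfirmingMailbox, receive, confirm and expire, and the addresses in the demo are all constructed here.

```python
"""Whitelist / blacklist / challenge-confirm delivery (added example, not TMDA)."""
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple


class ConfirmingMailbox:
    def __init__(self, secret: bytes, domain: str, ttl: int = 3 * 86400) -> None:
        self.secret = secret          # server-side key for the challenge tags
        self.domain = domain          # domain the challenge address lives in
        self.ttl = ttl                # seconds a held message waits for confirmation
        self.whitelist: set = set()
        self.blacklist: set = set()
        self.held: Dict[str, dict] = {}   # key -> {"sender", "body", "expires"}

    def _key(self, sender: str, msg_id: str) -> str:
        """Short, predictable handle for the held message (guessable on purpose:
        the HMAC below is what stops a guessed key from releasing mail)."""
        return hashlib.sha256(("%s|%s" % (sender, msg_id)).encode()).hexdigest()[:12]

    def _mac(self, sender: str, key: str, expires: int) -> str:
        data = ("%s|%s|%d" % (sender, key, expires)).encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:20]

    def receive(self, sender: str, msg_id: str, body: str,
                now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Return ('reject'|'deliver'|'hold', payload): the body when delivered,
        the challenge address (the sender only has to reply to it) when held."""
        now = int(time.time() if now is None else now)
        sender = sender.lower()
        if sender in self.blacklist:
            return "reject", None
        if sender in self.whitelist:           # trusts From: as given (see note)
            return "deliver", body
        key = self._key(sender, msg_id)
        expires = now + self.ttl
        self.held[key] = {"sender": sender, "body": body, "expires": expires}
        tag = "%d.%s.%s" % (expires, key, self._mac(sender, key, expires))
        return "hold", "confirm-%s@%s" % (tag, self.domain)

    def confirm(self, replier: str, reply_to: str,
                now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Handle a reply to a challenge address: verify tag, expiry and replier
        before releasing the held message and whitelisting the sender."""
        now = int(time.time() if now is None else now)
        local, _, domain = reply_to.partition("@")
        if domain.lower() != self.domain or not local.startswith("confirm-"):
            return "ignored", None
        try:
            expires_s, key, mac = local[len("confirm-"):].split(".")
            expires = int(expires_s)
        except ValueError:
            return "invalid", None
        held = self.held.get(key)
        if held is None:
            return "unknown", None
        sender = replier.lower()
        if (sender != held["sender"] or expires != held["expires"] or now > expires
                or not hmac.compare_digest(mac, self._mac(sender, key, expires))):
            return "invalid", None
        del self.held[key]
        self.whitelist.add(sender)
        return "deliver", held["body"]

    def expire(self, now: Optional[int] = None) -> List[str]:
        """Drop held messages nobody confirmed; returns their senders."""
        now = int(time.time() if now is None else now)
        dead = [k for k, h in self.held.items() if h["expires"] < now]
        return [self.held.pop(k)["sender"] for k in dead]


if __name__ == "__main__":
    mb = ConfirmingMailbox(b"constructed-secret", "example.com", ttl=3600)
    mb.whitelist.add("bob@example.org")
    print(mb.receive("bob@example.org", "m1", "lunch?", now=1000))
    action, challenge = mb.receive("carol@example.net", "m2", "hello", now=1000)
    print(action, challenge)
    print(mb.confirm("carol@example.net", challenge, now=1500))
    print(mb.receive("orders@store.example", "m3", "your receipt", now=2000))
    print(mb.expire(now=2000 + 3601))     # the auto-responder never confirmed
```

The expire() sweep is exactly the failure the comment above describes: a shop's order robot or a mailing list never replies to the challenge, so its message sits in held until it is discarded. Note also that the whitelist is keyed on nothing but the claimed sender address, so any message that puts a whitelisted address in From: is delivered without a challenge; that is the weakness of trusting From: that comes up later in this thread.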

  • by krray ( 605395 ) * on Wednesday August 27, 2003 @12:11AM (#6801925)
    I don't see the problem. Well, personally at least. I mentioned to the wife, in March I believe, that I sensed something and nailed it on the head (spammers hijacking Windows PCs for relaying).

    I have got to say. I sure do like the Unix's. Linux, BSD, OS X -- doesn't matter. A little thinking, some *shell* scripts, and even a few hack job "vi" scripts. Version .01 of nothing that I'd want to show any REAL programmer at least. :) It's dirty, ugly, yet very effective...

    I've tried spamassassin, this filter, that filter. For me, my way seems to be working _very_ nicely. I use it at home (Linux), at work (Linux & BSD) and for a few architect friends/clients (OS X). Years ago now (right after the lawyers emailed me :) I started peppering the Internet with email addresses on USENET, and then web pages, etc.

    Those are my harvesting addresses. Nobody should EVER email them, realistically. Oh the spammers like to try dictionary type attempts/attacks. Thanks -- I added those to the alias database as well for future attempts.

    A couple of hacked up scripts (I'm working on it in C for even FASTER speed and some learning :) -- and I frankly don't personally see it anymore. Literally. NONE. I read about it in the logs, of course. :)

    Can it scale? Sure -- I'm figuring between 3-500 messages a _second_ isn't a problem. More will simply get queued and then I may notice a "lag" on my server. Bring it on. 1 IP and I whack the entire /24 subnet. I arbitrarily see X number of subnets and I block the /16 subnet.

    It's the /8 ball after that and those are pretty much final. 210, 211, or 212 ring a bell to anyone?

    Sure -- sometimes somebody will inadvertently get blocked. The bounced message directs them to a web page explaining what to do next. BEST solution is to call me. You know me right? Heck, you probably have my 800 number... Oh, you DON'T? Piss off then.

    Heck, I even spell out a completely external email address (@Mac.com) that you can forward the blocked message to ... I'll take care of it...

    Ever wonder what those MAILER-DAEMON messages are all about? The Windows user's machine _starts_ the transmit of the message and disconnect. Your mail server sits there waiting for data from them to a local user -- which becomes un-deliverable and drops a note to whatever you use for the postmaster (can't publish THAT anymore, can we?).

    Re-routed now. Thanks, got ANOTHER IP subnet to black ball.

    I've racked up a large chunk of the Internet already -- and the stats only seem to be increasing. Of course I've "white-listed" specific IPs of ISPs' mail servers as needed. 3 so far I think. Most ISPs will put their mail server on a different subnet than their assigned IPs. Thanks. 1 white-listing was for a dedicated single IP user whose neighbor turned out to be a spammer. He had words with his ISP -- the spammer was kicked after that turned into a conference call.

    Sure -- some loser ISP will see more money from the spammer and side with them. We all know those ISPs -- and I've seen the same IP ranges in their listings as mine. I doubt the legit customer will remain there for long as I know I'm not the only one blocking them. Ultimately $$$ talks and the spammers are going to run dry eventually. They're now resorting to theft of services since they can't find legit connections anymore...

    REJECT(S) TODAY: 482
    Subnets Blocked: 434210 (110289340 total hosts in the /24 subnets [255])
    Percentage: 2.834% (3906250000 Internet addresses [~3.9 BILLION] Served :)
    Subnets TODAY? 142 (36068 total IPs)
    Harvested: 49 messages
    URL Lookups: 0

    That's 49 messages today to some dummy account. No hits for the right web page (from a blocked message) in the logs... 142 IP's (now complete subnets
  • Not a smart idea. (Score:4, Interesting)

    by Metasquares ( 555685 ) <slashdot.metasquared@com> on Wednesday August 27, 2003 @12:16AM (#6801954) Homepage
    I understand that they want to get a point across, but blocking *.*.*.* is a very bad way of doing it. This'd probably break the default and current configurations on thousands of systems relying on SPEWS for blacklisting. They should ALLOW *.*.*.* instead, which would allow anything that depended upon SPEWS to operate as it would if SPEWS simply didn't exist. Since SPEWS doesn't exist anymore, that would make perfect sense.

    Blocking *.*.*.* is a way to get people to stop using the server very quickly, though.
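What "blacklist the world", "allow *.*.*.*" and an unreachable list each do to a mail server, as described by NSXDavid, Alowishus and Metasquares above, comes down to what the DNSBL zone answers for each query. The following is an added example, not code from the original story, from Osirusoft or from Postfix: a DNSBL client as an MTA would use it, driven by a fake resolver so it runs offline. The zone name relays.osirusoft.com is the one from the thread; the sample IPs, the resolver behaviours and the function names are constructed for the illustration.

```python
"""DNSBL lookup with a pluggable resolver (added example; not Osirusoft or Postfix code)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

ZONE = "relays.osirusoft.com"                           # zone named in the thread
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")     # DNSBL answers live here by convention


def dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


class ResolverUnavailable(Exception):
    """Timeout or SERVFAIL: the list said nothing about the IP."""


# A resolver maps a query name to its A records; an empty list means NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_check(ip: str, zone: str, resolve: Resolver) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'listed', 'clean' or 'unavailable'.

    Only an A record inside 127.0.0.0/8 counts as a listing.  A wildcard that
    points somewhere else (say, a parked domain after a registration lapse)
    is ignored instead of rejecting everyone's mail.
    """
    qname = dnsbl_qname(ip, zone)
    try:
        answers = resolve(qname)
    except ResolverUnavailable:
        return "unavailable", "no answer from " + zone
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_RANGE]
    if codes:
        return "listed", "%s -> %s" % (qname, ",".join(codes))
    return "clean", "NXDOMAIN for " + qname


def smtp_action(verdict: str, fail_open: bool = True) -> str:
    """Map the verdict to an SMTP decision.  fail_open=True is the behaviour
    Alowishus describes for Postfix: an unreachable list rejects nothing."""
    if verdict == "listed":
        return "550 reject"
    if verdict == "unavailable" and not fail_open:
        return "451 try again later"
    return "250 accept"


# --- constructed resolvers standing in for the states of the zone ---
def static_resolver(records: Dict[str, List[str]]) -> Resolver:
    """A normal zone: listed names have A records, everything else is NXDOMAIN."""
    return lambda qname: list(records.get(qname, []))


def wildcard_resolver(zone: str, answer: str) -> Resolver:
    """'Blacklist the world': every name under the zone gets the same answer."""
    return lambda qname: [answer] if qname.endswith("." + zone) else []


def dead_resolver(qname: str) -> List[str]:
    """The zone during the DDoS: every query times out."""
    raise ResolverUnavailable(qname)


if __name__ == "__main__":
    # Constructed sample: one documentation-range IP listed, another not.
    normal = static_resolver({dnsbl_qname("192.0.2.10", ZONE): ["127.0.0.2"]})
    zones = [("normal zone", normal),
             ("list the world", wildcard_resolver(ZONE, "127.0.0.2")),
             ("empty zone (allow *.*.*.*)", static_resolver({})),
             ("zone down", dead_resolver)]
    for label, resolver in zones:
        for ip in ("192.0.2.10", "198.51.100.7"):
            verdict, reason = dnsbl_check(ip, ZONE, resolver)
            print("%-28s %-14s %-12s %s  (%s)" % (label, ip, verdict, smtp_action(verdict), reason))
```

Running it prints one line per zone state and sample IP. The "list the world" zone is the only one that rejects both addresses; the empty zone answers NXDOMAIN for everything and so behaves as if the list did not exist, which is what the comment above asks for; the dead zone rejects nothing because the default here is fail-open. Whether a production MTA fails open or closed is a configuration decision, and the example exists to show that those are the two observable consequences of a list going away.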
  • by Indy1 ( 99447 ) on Wednesday August 27, 2003 @12:17AM (#6801958)
    if one country bombards me with spam, and i get no legit traffic from that country, then that country gets introduced to my firewall. The mail and network admins in brazil DO NOT respond to abuse complaints. I do not do business in Brazil. Ergo, it's a simple solution to plonk 200.0.0.0/8 port 25 into my firewall and be done with it.

    Don't like it?
    Then be part of the solution and start fighting network abuse in your country. Or you can whine like the rest of the plonked spammers and watch a boatload of mail admins nuke south america. There was an informal poll held in NANAE (network.admin.net-abuse.email) on how mail server admins block all of 200.0.0.0/8. And dozens if not hundreds of people replied they do block all of it. How long before it becomes thousands of networks block your country for spam abuse?
  • by Anonymous Spammer ( 700974 ) on Wednesday August 27, 2003 @12:23AM (#6801992)
    As a professional sender of UCE, I just want to tell you slashdotters to keep on playing with your spam filters. As long as you use spam filters on your e-mail, I can continue to reach my real intended targets, those non-slashdotters who do not know better and will buy my products or click through to my client's websites. Your filters really help cut down on the complaints to the Internet service providers I do business with, and as long as not too many complaints come in their marketing people assure me we can do business. Of course, I still waste your bandwidth and mailbox capacity, but you no longer complain to uce@ftc.gov, my access providers, or anyone else who might cause me problems. My yahoo and hotmail and other accounts for replies are lasting much longer before getting shut down because someone complained to these service providers. And my clients are even reporting that they can start mailing out 800 numbers like 1-800-901-3719 again and they will not have you damn geeks set up your modems to keep autodialing them, since you spend your own time and effort to filter the e-mail and only clueless users who might actually call will see the numbers.

    Please don't bother your Congressmen or Senators proposing legislation that might not work 100%. Just keep on filtering the spam I send you, I know you would have never bought from me anyway. That you can filter legitimizes my business and my waste of your bandwidth.

    P.S. To be sure of not getting a false positive, be sure to send all filtered mail to a special folder. Waste your storage space storing the mail until you manually go through every piece to be sure you didn't accidentally filter something important. Of course, this will take exactly as much effort as it would have to just check the e-mail when it first came in, not to mention the extra effort spent in setting up the filters and the extra space for storing your incoming spam folder, but what the heck. If you think that you can scan e-mail for false positives faster this way you are just fooling yourselves, if you are scanning faster e-mail that you expect to be all spam, you will miss the very false positives that you think you are looking for. And any false positives that you do catch will have been delayed, perhaps days or more. You geeks enjoy wasting time this way, and I certainly appreciate it. It makes the work of all us spammers much easier. After all, slashdotters like Moderation abuser [slashdot.org] tell you that Bandwidth is cheap, disk is cheap, CPU is cheap , which is good, because at the rate spammers like me waste it the costs still add up. I am glad I never pay for it, and I would just as well that everyone else takes the attitude that all of the resources I waste are cheap than band together and pass laws against us. No one should care about spam because Bandwidth is cheap, disk is cheap, CPU is cheap and it is your job to filter it.

    Think you've seen this before? Don't complain. Just go through lots more work to set up special filters on your computer so that you will not see it again. You should have to do that. It's the true geek solution, and I would really like it if you did.

  • by ComputerSlicer23 ( 516509 ) on Wednesday August 27, 2003 @12:23AM (#6801993)
    Somewhat that is true. However, what constitutes trust of the origin of e-mail? One of the replies says to use PGP or S/MIME.

    That only works if I require them to sign mail they send to me, with my public key.

    Possibly having a key system of public keys and private keys. You put your own private key out there, saying you'll accept mail with anything that signs their mail with the public key. You add any mailing lists you want public key, they sign all outgoing messages with their private key. Thus you'll accept their mail.

    You can white list on anybody else you're willing, using a Web of Trust from PGP if they are considered "trusted" enough. However, that will lead to problems.

    However, public and private keys will suddenly become tokens of value to spammers. Suddenly people will start creating worms, and scripted attacks to pull peoples keys. They will start trying to break into machines. It'll create a black market for trusted keys the world over. They'll just be new attacks, and new problems. Creating a large scale web of trust, won't work. A worm can easily go steal the tokens of trust, and then start using them to spam with. It'll just be another arms race.

    Now forcing people to sign with your key is probably the most doable, but it also means that running mailing list software is a real, real CPU intensive application. I'm not particularly thrilled with that.

    The only way to stop spam is to make it stop being cost effective, that involves causing e-mail to be an expensive operation if it involves untrusted e-mail servers.

    Kirby

  • by Skapare ( 16644 ) on Wednesday August 27, 2003 @12:30AM (#6802027) Homepage

    There are actually two different anti-spam goals. A few people have both of these goals, but quite many people have only one or the other:

    • Prevent the spam from entering my mailbox.
    • Prevent the spam from using my resources (or my company's, or my ISPs).

    The first goal includes such things as making sure children and sensitive adults don't see porn spam. But lots of people are simply offended by the spam, especially porn or body part enlarging spam. And others are simply offended by someone assuming they were interested in a great money saving offer for something they have no need for. This first goal seems to be what most people have, and what the current political rumblings are about.

    The second goal is one a lot of people are not aware of, or don't understand. Yet it is as serious a goal, if not more so, by certain groups of people. This involves reducing the network bandwidth and server processing resources used by the spam, or stopping it entirely. These things cost money, and it costs about 10 to 40 times as much money to receive (delivered) spam as to send it. It still costs 5 to 10 times as much just to take the SMTP connection, carry out the talk, discover it's a spammer, and refuse the spam.

    In other words: the spam problem is not solved by blocking spammers ... just reduced in cost a good bit.

    Solutions that involve scanning spam content for the nature of what spam looks like does not help reduce the costs at all. In fact it increases it because all this extra processing is now done by the server, and the network bandwidth is used to send the content that might otherwise not have been sent.

    To those, like myself, whose goal is to reduce costs, SPEWS was a great tool. It was very effective in blocking spammers, plus it forced quite a number of ISPs to terminate the spamming scumbags that slipped into their networks under the guise of legitimate customers. In that way, it worked; it did what it was supposed to do. Too bad a few other ISPs were too stubborn to deal with the problem, and too many customers of spammer harboring ISPs whined more about why SPEWS was targeting them, and making excuses why they could not switch to a decent ISP (excuses that didn't apply in 99.9% of cases). Unfortunately, quite a lot of people simply never "got it" as to what the purpose of SPEWS was. The SPEWS web site was more geek/admin talk, and not well enough written for the average person to understand. I was starting to work on my own "how to get out of SPEWS" document, but I just haven't had time to put in on it.

    There are a lot of things people say as to how to stop spam. The one I hear most often is that if people would just delete the spam, or if network admins would just block only spammers and no one else, then spammers would cease making money and would stop. This is simply not the case. First, not everyone will do this. We see from these recent worms and virii that way too many people don't patch their computers anyway. There will always be gullible people who respond, and there will always be spammers to take their money.

    The real way, and I think possibly the only way, to stop spam, is to treat all spammers as equivalent to cyberspace terrorists. Take no prisoners, and take no excuses.

    Remember, spammers don't care what people who will never respond do with the spam they send. They don't care if you press delete, or filter it out with SpamAssassin, or even block them. They don't care because you aren't going to make any difference to them anyway. And if you do block it, you won't be complaining to the spammer's ISP, and hence, they get to spam even more. To a spammer, someone who blocks their mail is better than someone who gets their ISP account terminated. This is part of why just blocking spammers is actually making the problem worse.

  • by Snover ( 469130 ) on Wednesday August 27, 2003 @12:57AM (#6802169) Homepage
    I've had problems with the Bayesian filtering in Mozilla; I suppose it just needs a bit more work. I mean, it catches ALL my spam, without contest, but it also catches automated messages from places like amazon.com. Unfortunately, even Bayesian can't overcome this problem.

    No, the real solution is to have a trained monkey personally sort through your mail beforehand.
  • by leviramsey ( 248057 ) on Wednesday August 27, 2003 @01:12AM (#6802234) Journal

    This is exactly why I think that SoBig is the perfect spamming mechanism. AFAICT, it essentially gets around nearly every non-content-based spam filter (i.e. Bayesian and SpamAssassin et al).

    By sending spam from an amazing depth and breadth of compromised networks, it forces blacklist operators to go into "block everything" mode, which is so draconian that users of the blacklists will disable them.

    As I posted in another story, if ISPs start blocking outbound port 25, the next iteration of the worm simply uses the Outlook SMTP settings to relay through the official MXs of the ISP. Given the flood of abuse reports, many ISPs (especially larger ones) are simply going to /dev/null abuse reports; they can be reasonably sure that their servers aren't going to end up in blacklists used by a lot of people (because heads will start to roll among the admins who use the blacklists).

    By pretending to come from an address that has at most two degrees of separation from the recipient, they will get around a fair amount of whitelisting (this is exploiting the greatest flaw in TMDA and the like: trust of the From: address).

  • by leviramsey ( 248057 ) on Wednesday August 27, 2003 @01:22AM (#6802289) Journal

    I take that approach a step further: every week, I remove networks that have behaved for a certain period of time from the list.

  • by Anonymous Coward on Wednesday August 27, 2003 @01:33AM (#6802342)
    They wrote an interesting update about their problem with SPEWS, a month back or so:

    http://www.somethingawful.com/articles.php?a=1605 [somethingawful.com]

    "In fact I received dozens of e-mails from network admins working for companies large and small who said exactly that with most also emphasizing that "only a lazy idiot" - to quote one of the e-mails - would use the SPEWS listing on their network."

    "SPEWS provides a blocklist with zero oversight, zero accountability, and zero recourse for average users caught between their ISP and SPEWS.ORG's moral crusade. SPEWS will tell you that you in fact do have recourse and that is to switch ISPs. For Something Awful that is not economically feasible, for users in the nation of Brazil where their entire broadband provider has been blacklisted that is impossible. In addition to all this most of the SPEWS advocates on the newsgroups we so unceremoniously invaded demonstrated a willingness to add IP ranges to their own blacklists and potentially SPEWS for petty personal reasons. Complain about how SPEWS operates? Get added to the blacklist, often permanently, while they pretend that it somehow makes your situation worse."

  • Why should an ISP believe SPEWS unless the ISP can generate evidence of their own?

    It's a matter of the ISP trusting abuse reports. SPEWS does not identify itself when contacting an ISP -- they just send a standard abuse report like anyone else would.

    Further, if SPEWS behaved irresponsibly, there would be evidence. Someone would be able to point to a SPEWS listing that was inaccurate, not a spammer. Despite many whiners claiming that such listings exist, no one has pointed to a single specific example.
  • Thank God! (Score:2, Interesting)

    by Anonymous Coward on Wednesday August 27, 2003 @01:36AM (#6802357)
    SPEWS' main problem was a complete lack of concrete methodology for who gets added to the list and who gets taken off. My company, who I won't name, was placed on SPEWS several months ago for the crime of being in the same state as a company with a similar name. Apparently, the people who run it have a fetish for conspiracy theories, because no less than 3 large companies were listed in the "trail" that led to mine.

    Even worse, since we were already "guilty", they wouldn't listen to our pleas of innocence, the dirty spammers that we were.

    No, I don't feel sorry for these guys one bit. Their methods were about as good as the Salem Witch Trials. Most likely they weren't DDoS'd by spammers, but by people tired of the carpet bombing approach. You don't get away with banning a large ISP for one spammer, and you don't get away with trying to force your agenda on the world.

    Good riddance.
  • by hazem ( 472289 ) on Wednesday August 27, 2003 @01:45AM (#6802398) Journal
    There are people who can get over having to hit "D" in their email clients a few times a day. Email advertising is a natural side effect of being on the internet, and it's not so bad if you're smart about it.

    I think it goes deeper than that - to something more profound in the individual. I think that out of the some 6 billion people on this earth, most of them feel lonely. Getting an e-mail is great because someone out there seems to care - hopefully a friend or colleague. But then, you find it's just a commercial, or a piece of junk. In a way, you feel a bit let down... a bit more lonely, because you got your hopes up for a moment, only to have them dashed.

    I have a similar feeling when I have received traditional junk mail that appears to be hand-written (particularly by a woman's writing), and appears to be possibly from some woman I once knew. I'm quite disappointed to find it's a bunch of junk for insurance, and I find myself actually angry about it.

    Maybe I'm way off base here, but I think there is a psychological response that is at the heart of so many people hating spam.

    So, your inbox chimes, and you have a new message and who knows what potential it may have. It's spam and it sucks. Maybe you even feel like you were fooled.

    I, for one, divert any mail from a .com into my trash. I then go browse my trash every once and a while and will be pleasantly surprised when I find a legit message.

    Sysadmins and ISP's of course see the actual cost side, but that's a different story.
  • by leviramsey ( 248057 ) on Wednesday August 27, 2003 @01:52AM (#6802430) Journal

    Wait until your customer sues your ISP for tortious interference and false advertising. Wait until they sue you the admin personally for a million or so and force you to either pay $250,000 to settle or endure a year with a major yellow flag on your credit record (thanks to having attachments on your assets).

    I'll be laughing my ass off when that happens.

  • by afidel ( 530433 ) on Wednesday August 27, 2003 @02:00AM (#6802457)
    My ISP already does this, all incoming emails are checked to confirm that the email address's MX record is legit and the server that the message is coming from matches one of those MX records. This sometimes trips up bad mail admins or people running new mail servers, but so what?
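    The check afidel describes, written out as an added example (not the ISP's code, not from the comment): the envelope sender's domain must publish MX records and the connecting IP must belong to one of those MX hosts. DNS is a constructed in-memory table so it runs offline; the domains and addresses are assumptions.

```python
"""MX-based sender verification (added example, constructed DNS data)."""
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed zone data standing in for real resolver queries.
FAKE_DNS = {
    "MX": {
        "example.com": ["mail1.example.com", "mail2.example.com"],
        "nomx.example": [],  # exists but publishes no MX record
    },
    "A": {
        "mail1.example.com": ["198.51.100.10"],
        "mail2.example.com": ["198.51.100.11"],
        "nomx.example": ["203.0.113.5"],
    },
}


def sender_domain(addr: str) -> Optional[str]:
    """Domain part of a bare 'user@domain' address; None if malformed."""
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    return domain.lower() if local and domain else None


def mx_hosts(domain: str) -> List[str]:
    """MX hosts for a domain; implicit MX (the A record) when none exist."""
    mx = FAKE_DNS["MX"].get(domain)
    if mx is None:
        return []          # unknown domain: nothing to match against
    return mx or [domain]  # RFC 5321 fallback to the domain's own A record


def sender_matches_mx(envelope_from: str, client_ip: str) -> Tuple[bool, str]:
    """Accept only if client_ip is one of the sender domain's MX hosts.

    Note the known false positive the comment acknowledges: a domain whose
    outbound relays are not also its inbound MX hosts is rejected here.
    """
    addr = envelope_from.strip().strip("<>")
    if addr == "":
        return True, "null sender (bounce): no domain to check"
    domain = sender_domain(addr)
    if domain is None:
        return False, "malformed envelope sender"
    hosts = mx_hosts(domain)
    if not hosts:
        return False, f"{domain}: no MX or A record"
    ip = ip_address(client_ip)
    for host in hosts:
        if any(ip_address(a) == ip for a in FAKE_DNS["A"].get(host, [])):
            return True, f"{client_ip} is MX host {host} for {domain}"
    return False, f"{client_ip} is not an MX host for {domain}"
```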
  • RBL Consequences (Score:5, Interesting)

    by nsxdavid ( 254126 ) * <dw&play,net> on Wednesday August 27, 2003 @02:13AM (#6802520) Homepage
    Spam is starting to hurt me a lot worse than I would have ever imagined. It's not the volume of spam I get, which is obscene, but rather the shotgun anti-spam efforts that we somehow get caught in.

    About a month ago Earthlink decided we were sending out spam and cut us off. So, despite the fact that we have no relationship at all to spam, we were unable to communicate with any of our customers who use Earthlink. After appealing, they realized the mistake and removed the block. How did it happen? Seems that if an Earthlink customer just accuses you of spam you can end up on the list. Thankfully cooler heads prevailed at Earthlink and the matter was resolved quickly.

    We were blocked by AOL once too. How ironic, since we used to be their #1 3rd party content provider back-in-da-day (remember hourly?). They should have known about us. (grin) Fortunately that was resolved too.

    Then, of course, today we got hit by SPEWS and that led to our phone call to Mr. Jared. The poor guy was frazzled, and rightly so. But we had a legit beef...

    Our business is entirely web based. We have to deal with a heavy volume of customer feedback, all of which want fast responses. Any hiccup and we can get really far behind. But when we get blocked, we're almost helpless. We get an email "Hey, my character got killed by a ravenous bugblaster beast from trall!" And we write back, "Oh my, let me restore your character!" only to have it be filtered out by some shotgun blacklist. They get no response and start flaming us for "not responding". A day or more of this and things get really messy.

    You start to feel like you are at the mercy of some so-called "authority" that could not care less about your guilt or innocence. If he or she wants to, they can just take you out. We've participated in opensource, contributed back, done the good netizen thing... yet this real-time blacklist thing hangs over us. We never know when something else like this is going to bite us. And maybe next time there won't be any appeal. :(

  • by raehl ( 609729 ) * <(moc.oohay) (ta) (113lhear)> on Wednesday August 27, 2003 @02:25AM (#6802568) Homepage
    I've only seen it a couple times, but I get an email with a paragraph of words that are both fairly common AND fairly unlikely to appear in spam, then the spam plug. Since it has words in it that, due to your corpus of previously received mail, are very common in non-spam and non-existent in spam, it walks right through the filter.

    Now, you could flag this message as spam, but then you slowly destroy half of what makes Bayesian filtering work: The list of words that are not in spam.

    Bayesian filtering will probably be effective for a year at best.
  • Re:Not a smart idea. (Score:3, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday August 27, 2003 @03:14AM (#6802733)
    Blocking *.*.*.* is a way to get people to stop using the server very quickly, though.
    And that's what he's trying to do. His site is experiencing a major denial of service attack. This is his hardware, his network connection and his business which he's going to defend. His course of action is smart, since it will rapidly eliminate all the legitimate traffic (blacklist users) and leave only the attacking IPs. Then he can get the responsible ISP's to take action, and hopefully even prosecute someone.
  • serves him right (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 27, 2003 @04:06AM (#6802885)
    I have been trying for 2 months to get a site removed from this blacklist. The removal procedures from most of these sites simply don't work or are a pain in the ass, requiring support of [] in email addresses etc., which of course MS Exchange doesn't, so you can't get sites that run Exchange off the blacklist at all, even when they have been made secure.
  • by Robmonster ( 158873 ) <slashdot.journal2.store@neverbox.com> on Wednesday August 27, 2003 @05:25AM (#6803067) Journal
    These kinds of challenge and response solutions are not really viable. I run a double opt-in email list with over 3000 members. A few of my users did install something like this, and it took a long time to jump through the hoops they required just for them to receive mail they had already asked for (twice).

    If everyone did this....?

    Say it takes 30 seconds to load in the Challenge website, read the word hidden in the .gif/.jpg type it into the box, click accept and then wait for the server to update its database.

    30 * 3000 = 90,000 seconds = 25 hrs!

    Granted, I'd only have to do it once for each user. Oh, that's until they decide to change their subscription address or alter a setting on their software....

    Even if only 10% of the users did this it would still take 2.5 hours to sort through. That's assuming that they all used the exact same kind of C&R system, so I wouldn't have to spend extra time reading instructions to figure out exactly what I have to do each time.

    I agree we need a solution, but Challenge And Response isn't it.
  • by DrHyde ( 134602 ) on Wednesday August 27, 2003 @05:41AM (#6803111) Homepage
    Hell no!

    I run several mailing lists, free of charge. They currently require virtually no effort from me at all to maintain. I will not put in the effort required to jump through the challenge-response hoops - even if it's only a minute or so per challenge, that would amount to many hours of my time wasted. And I dread to think what it would be like for people who run larger lists with thousands or hundreds of thousands of subscribers.

    So in the couple of occasions when I have seen that stupidity, I simply unsubscribe the user and, if they have an account on my system, delete the account and all their data.
  • by Anonymous Coward on Wednesday August 27, 2003 @05:55AM (#6803166)
    because I'm laughing right now. And when your unwashed friends at nanae or whatever the fuck crufthole of usenetland decide to unleash "pandora's box" (OoOoOOooOooOooooO) and start getting fired because all of a sudden the boss isn't getting email, I'll laugh even harder. When your ISP goes titsup because people start deciding that the old 'hit d and forget it' is STILL better than missing real emails, and their friends at AOL don't have this problem, I'll have problems breathing from all the laughter.
  • by Mjec ( 666932 ) on Wednesday August 27, 2003 @07:22AM (#6803446) Homepage Journal
    The only way to stop spam is to make it stop being cost effective, that involves causing e-mail to be an expensive operation if it involves untrusted e-mail servers.

    Apart from the problems in forcing people to pay for email (at what end, how to enforce cross compatibility etc), I want free email. It would really suck to pay even $0.01 (or even $0.001) for every message I send.

    Simply deal with it. Install a decent filter, with lots of heuristic and Bayesian checks, then deal with the one or two that leak through. Yes, spam of 50+ a day is bad, but most of that can be easily blocked by common, easy, free spam filters on any platform, even with settings so low that there are no false positives.

    Alternatives such as charging for email or enforcing use of cryptography suck generally (signing requires me to type my password, or compromise my security by caching), but more than that they'll never be implemented. Forced signing (or somesuch thing) is standard with IPv6 - but has it been implemented? Try getting everyone to change; not going to happen. Install a spam filter and deal people.
  • by zornorph ( 63846 ) on Wednesday August 27, 2003 @10:02AM (#6804405) Homepage
    Every time the subject of spam comes up here on SlashDot, everyone rushes to come up with a technical solution to the problem. In the case of spam, I think the solution is not a technical one, but a social one. Spammers are driven by greed, and do their 'bulk marketing' on behalf of other companies. Instead of targeting the spammers, target the companies that are sponsoring these campaigns. I'm sure that some negative publicity will cause them to think twice about using this method to get their message out. Once people don't want to use spammers to send out bulk mailings, the spammers will move on to some other get rich scheme, and the spam will at least subside somewhat.

    Instead of shooting the messenger (the spammers), go after the one who is paying to have the spam sent.
  • by srmalloy ( 263556 ) on Wednesday August 27, 2003 @01:05PM (#6806162) Homepage
    The vast majority of spam is sent with some form of false address. Developing a way to be able to trust the origin of email is the way to end the spam crisis.

    It's going to be functionally impossible to fix the problem of spammers opening an account and pumping email through it until it gets closed, but the transmission of email could be hardened by changing the SMTP protocol from 'call-up' to 'call-back'.

    The SMTP protocol is set up to allow a host to contact another host and dump mail to it; there's no validation that the originating host is who it claims to be in the SMTP transaction. If you change the setup for the mail transfer connection to use the following mechanism:

    1. Host A contacts host B and sends its FQDN (fully qualified domain name) and a request for a mail transfer connection
    2. Host B performs a DNS lookup on the FQDN sent from host A and connects back to the host identified by the resolved FQDN. Hostnames that don't resolve, or which aren't in the FQDN form, are ignored.
    3. Once the connection back to the originating site is established, the rest of the existing SMTP protocol transaction occurs. The sequence of validated hostnames would be processed into the 'Path:' mailheader, or another mailheader as determined when the protocol was updated.

    This would establish a traceable chain of resolved hosts from the point at which the email entered the SMTP routing to its destination. Putting an email message into a mail transfer agent would still be vulnerable to the use of hacked or temporary accounts, but the upload would still require a trackable username and password for an account on the MTA. From that point, getting an MTA to accept an SMTP connection from a bogus host would require hacking the DNS server chain so that, when the receiving MTA host received the request, the IP address the passed hostname resolved to pointed back at the spammer's machine -- otherwise, you'd get a mail transaction sequence that looked like this:


    Spam.com: Hello, [mta.com], [realhost.com] has mail to send.
    Mta.com: (resolves 'realhost.com')
    Mta.com: Hello, [realhost.com]; you have mail to send me.
    Realhost.com: [Mta.com], I don't have any mail to send you.

    Not a panacea, but it would make the mail hop path trustable until you start seeing hacked mail daemons that would mangle the mail hop path of any mail going through it -- but that would still leave the host with the hacked daemon having to identify itself, from which it could be blocked.
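    The three-step call-back handshake above, simulated as an added example (not the commenter's code, not any MTA's). The network, its DNS table and the hosts are constructed in memory (all names and addresses are assumptions) so the exchange runs offline; the receiving MTA resolves the announced FQDN, calls the resolved host back, and transfers only what that host actually has queued, so who made the original call never matters.

```python
"""Simulation of 'call-back' SMTP acceptance (added example, constructed data)."""
import re
from typing import Dict, List, Optional, Tuple

# Rough FQDN shape check: at least one label, a dot, and an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class Host:
    def __init__(self, fqdn: str, ip: str):
        self.fqdn, self.ip = fqdn, ip
        self.outbound: Dict[str, List[str]] = {}  # destination -> queued mail

    def queue(self, destination: str, message: str) -> None:
        self.outbound.setdefault(destination, []).append(message)

    def has_mail_for(self, requester: str) -> bool:
        """Answer to the call-back: do I really have mail for you?"""
        return bool(self.outbound.get(requester))


class Network:
    """Constructed DNS plus a host table standing in for real connections.

    The DNS table is the trust anchor: as the comment notes, forging a hop
    would require making the announced name resolve to the forger's address.
    """
    def __init__(self):
        self.dns: Dict[str, str] = {}
        self.hosts: Dict[str, Host] = {}

    def add(self, host: Host) -> None:
        self.dns[host.fqdn] = host.ip
        self.hosts[host.ip] = host

    def connect(self, ip: str) -> Optional[Host]:
        return self.hosts.get(ip)


def receive_request(net: Network, mta: Host, claimed_fqdn: str) -> Tuple[bool, List[str]]:
    """Steps 1-3 of the proposal from host B's (the receiving MTA's) side."""
    log = [f"caller: {claimed_fqdn} has mail to send to {mta.fqdn}"]
    name = claimed_fqdn.lower()
    if not FQDN_RE.match(name):                 # step 2: ignore non-FQDN names
        return False, log + ["ignored: not in FQDN form"]
    ip = net.dns.get(name)
    if ip is None:                              # step 2: ignore unresolvable names
        return False, log + ["ignored: name does not resolve"]
    origin = net.connect(ip)                    # call back the RESOLVED address
    log.append(f"{mta.fqdn} calls back {name} at {ip}")
    if origin is None or not origin.has_mail_for(mta.fqdn):
        return False, log + [f"{name}: I don't have any mail to send you"]
    return True, log + [f"{name}: transfer proceeds; Path: {name} -> {mta.fqdn}"]


def build_demo() -> Network:
    """Constructed scenario: only realhost has mail queued for the MTA."""
    net = Network()
    for fqdn, ip in [("mta.example", "192.0.2.10"),
                     ("realhost.example", "192.0.2.20"),
                     ("spam.example", "192.0.2.30")]:
        net.add(Host(fqdn, ip))
    net.hosts["192.0.2.20"].queue("mta.example", "legitimate message")
    return net
```

    Because the transfer happens over the MTA's own call-back connection, a caller announcing someone else's name only causes that other host to be asked; a host that wants its mail delivered has to announce a name that resolves to itself, which is the traceable hop the comment is after.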



  • by onepoint ( 301486 ) on Wednesday August 27, 2003 @01:37PM (#6806471) Homepage Journal
    >>There is no point in responding to SPEWS demands for the simple reason they will not bother to respond to you.

    that's an outright lie, I was on their blacklist once and within 30 days I was off. I did process their request and had all my issues resolved. Since then I have no problems.

    Onepoint
  • by Spruce Moose ( 1857 ) on Wednesday August 27, 2003 @08:27PM (#6809635)
    Here you go. [google.com]

    The fact that the TXT referred to a similar netblock suggested that perhaps it was a typo (why didn't they block all of datapipe?) but nooo, no-one would entertain that possibility at all. The thread is derailed into a smug argument about how superior SPEWS is and how stupid you are for choosing your particular ISP. Real helpful.
