Paul Graham Describes Dangers of Spam Blacklists

CRoby writes "Paul Graham posted an essay describing the danger and corruption of the main spammer blacklists today. It discusses MAPS and the SBL, the blacklist created to try to alleviate the abuses of MAPS, and suggests (maybe) another blacklist's creation."

  • Vigilante it ain't (Score:4, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Thursday June 16, 2005 @03:24PM (#12834805)
    The problem was, as vigilantes so often do, the guys at MAPS got carried away

    For some reason, journalists keep calling blackmail lists "vigilantes". But there's something they don't understand: nobody forces email system administrators to use those lists.

    These lists are provided by people for free. They decide to list bad email servers, but they may as well include any server they want. After all, who's to force them to provide quality of service?

    The real problem, of course, is that blacklists are needed in the first place. If ISPs did their jobs a little better (AOL, Hotmail and the likes), the amount of spam would already decrease significantly. And don't speak to me about Chinese ISPs, since most spam comes from the US.
  • A Paradox? (Score:4, Insightful)

    by LegendOfLink ( 574790 ) on Thursday June 16, 2005 @03:24PM (#12834809) Homepage
    A blacklist for a blacklist for a blacklist...

    Personally, I find the need to disable more and more RBLs, because today a user might come thru OK, tomorrow, they're stuck in SORBS and considered a HIGH risk.
  • Pure and simple... (Score:5, Insightful)

    by jellisky ( 211018 ) on Thursday June 16, 2005 @03:27PM (#12834835) Journal
    I had the unfortunate "joy" of being blocked by some of these draconian blacklists. My sister requested some information from me for a trip that she has upcoming via my yahoo.com account. After it bounced from her ISP saying that I was sending it from a "spam-hosting" ISP, I sent it from my mac.com account. Same schtick. After a couple other choices, I finally got it sent from my .edu account.

    Her ISP uses SpamBag for their blacklist. SpamBag? ScamBag is more like it.

    No wonder my sister is disenchanted by email. Her yahoo account got spammed to no end, then she can't get emails from most of her friends since they get bounced back by her ISP's stupid blacklist.

    Blacklists are fine and dandy in principle, but practice has shown them to be useless. IT managers, just drop them. They're more annoying than anything.

    -Jellisky
  • by Skye16 ( 685048 ) on Thursday June 16, 2005 @03:28PM (#12834840)
    So...it's okay if he goes to Federal Pound-Him-In-The-Ass penitentiary just because he rented a car from a place that also rented a car to a crack dealer?

    Huh?

    Sorry, but that's still bullshit. He states it clearly in his article: You can't screw over innocents just to make the guilty pay. Does your government put a neighbor family through torture just because you got a parking ticket? No. It's YOUR fault and YOU should be punished. Not some innocent bystander.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday June 16, 2005 @03:28PM (#12834841)
    Comment removed based on user account deletion
  • by redelm ( 54142 ) on Thursday June 16, 2005 @03:30PM (#12834855) Homepage
    ... the Watched, of course! Rule enforcement isn't a hierarchy but a loop.

    Blocklists are made by people for others to use if they see fit. When they become unusable, they're no longer used. Personally, I use none. The cost to me of one false positive is greater than 1000 spams that leak through. No list is that good.

  • by a7244270 ( 592043 ) on Thursday June 16, 2005 @03:31PM (#12834874) Homepage Journal
    OK, so PG wrote some code in the past, and is generally a smart guy, and to be honest, I actually like his writing. I like it enough that I'll even read his stuff despite the fact that he uses an excessively narrow column width for his text which makes it very annoying to read. However, there are many blogs out there written by smart programmers, some with far, far, far more geek cred than PG.

    Why exactly is this a Slashdot story ?
  • by DikSeaCup ( 767041 ) on Thursday June 16, 2005 @03:33PM (#12834887) Homepage
    Is he making an accusation that Spamhaus isn't taking the IP off of the SBL? If so, maybe it's because they won't accept his word in the matter, only the word of the people who actually admin the box. Too bad - *I* wouldn't accept the word of a hosted person that the spammer is gone, only the word of the *hoster*, who, if he ends up lying, should rightfully end up with a more permanent ban. Yeah, this sucks for the hosted people, but hey - move your site. Your hoster sucks and doesn't deserve your business.


    Or maybe he needs to realize that it can take some time for stuff to happen. I know so many folks who have become accustomed to immediate feedback.


    Anyone know anybody who has something to do with Spamhaus? From what I understood, they were anti-spam pitbulls (this is not always a bad thing) but were also rather good at avoiding false blocks ...

  • by WebHostingGuy ( 825421 ) * on Thursday June 16, 2005 @03:37PM (#12834915) Homepage Journal
    We deal with this all the time. Leaving any IP on a blacklist for any period of time doesn't help. Most spammers nowadays spam and run. They unload from a hacked account through a broken formmail script or a zombie computer. After 36 hours they have dumped their million emails and moved on to another IP. Blacklists generally don't get this though. They just make a bigger and bigger list. The problem with this approach is that they already missed the spammer. One time we dealt with someone who was running a blacklist and when we asked why an IP was on the list they said because it spammed years ago. When we said we have controlled the IP for the past three years they said it doesn't matter. It's like give me a break...

    The solution to blacklists is to use an AOL model in which dynamic IP blocking is used. When spam is noted from an IP that IP is automatically blocked for 24-36 hours after the last spam comes in. That way the innocents are not being blocked and the spammer's email doesn't make it through. There are a couple blacklists which do this but more should.

    Compare this to the opposite blacklists like BLARS which requires a thousand dollars for "him" to investigate whether an IP should be removed. I have never seen an IP which is not listed with BLARS.
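Added example (not part of any comment in the thread, and not any blacklist operator's code): a replay of the same mail events through the expiring per-IP block described in the comment above and through a permanent subnet-wide listing, counting what each one blocks. The class names, the /24 width, the 36-hour value chosen from the quoted 24-36 hour range and the event list (documentation addresses from 192.0.2.0/24) are all constructed for illustration.

```python
import ipaddress

HOUR = 3600
BLOCK_SECONDS = 36 * HOUR  # assumption: upper end of the 24-36 hour window


class DynamicBlocklist:
    """Blocks a single IP until a fixed time after the last spam seen from it."""

    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds = block_seconds
        self.last_spam = {}  # ip -> timestamp of the most recent spam

    def report_spam(self, ip, now):
        ip = str(ipaddress.ip_address(ip))  # validate and normalise
        # Repeated spam pushes the expiry forward; old reports never pull it back.
        self.last_spam[ip] = max(now, self.last_spam.get(ip, now))

    def is_blocked(self, ip, now):
        ip = str(ipaddress.ip_address(ip))
        seen = self.last_spam.get(ip)
        if seen is None:
            return False
        if now - seen >= self.block_seconds:
            del self.last_spam[ip]  # entry expired, list does not grow forever
            return False
        return True


class StaticSubnetBlocklist:
    """Lists the whole surrounding network and never removes it."""

    def __init__(self, prefix_len=24):
        self.prefix_len = prefix_len
        self.networks = set()

    def report_spam(self, ip, now):
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        self.networks.add(net)

    def is_blocked(self, ip, now):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


# Constructed events: (hours since start, source IP, is this message spam?)
EVENTS = [
    (0, "192.0.2.10", True),    # compromised host starts a spam run
    (1, "192.0.2.20", False),   # innocent neighbour on the same /24
    (30, "192.0.2.10", True),   # last spam of the run
    (40, "192.0.2.10", False),  # 10 h after last spam: still inside the window
    (70, "192.0.2.10", False),  # 40 h after last spam: host cleaned up
    (70, "192.0.2.20", False),  # neighbour again
]


def replay(blocklist, events):
    """Run events through a blocklist and count outcomes.

    The accept/reject decision is taken before the message is reported,
    so the first spam from a new IP always gets through (lists are reactive).
    """
    stats = {"spam_blocked": 0, "spam_delivered": 0,
             "legit_blocked": 0, "legit_delivered": 0}
    for hours, ip, is_spam in events:
        now = hours * HOUR
        kind = "spam" if is_spam else "legit"
        outcome = "blocked" if blocklist.is_blocked(ip, now) else "delivered"
        stats[f"{kind}_{outcome}"] += 1
        if is_spam:
            blocklist.report_spam(ip, now)
    return stats


if __name__ == "__main__":
    print("dynamic per-IP:", replay(DynamicBlocklist(), EVENTS))
    print("static /24:    ", replay(StaticSubnetBlocklist(), EVENTS))
```

Both policies stop the same spam in this replay; the difference is entirely in the legitimate mail rejected, which is the cost the thread is arguing about.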
  • by Vainglorious Coward ( 267452 ) on Thursday June 16, 2005 @03:37PM (#12834919) Journal

    I'd take all the SPAM any day vs. not being able to send legitimate emails.

    Except that blocklists don't stop you sending email, they merely allow others to decide whether to accept that mail. Or do you think other people should be forced to accept any and every email you send?

  • by Maestro4k ( 707634 ) on Thursday June 16, 2005 @03:38PM (#12834924) Journal
    For some reason, journalists keep calling blackmail lists "vigilantes". But there's something they don't understand: nobody forces email system administrators to use those lists.
    No, but the non-spamming sites that end up on it would certainly disagree with you, they didn't do anything to merit the block.

    You seem to be confused about what a vigilante is, dictionary.com gives me this: "One who takes or advocates the taking of law enforcement into one's own hands." Note it doesn't say anything about them forcing others to agree with their views or take part in them. If you decide to take legal actions in your own hands, then you are, by definition, a vigilante. So it does apply here, just because they don't force anyone to use their lists doesn't change that.

    These lists are provided by people for free. They decide to list bad email servers, but they may as well include any server they want. After all, who's to force them to provide quality of service?
    TFA's point was that these lists start out listing just IPs/hosts/sites they know are sending spam, then later the power corrupts ("power corrupts, absolute power corrupts absolutely") them and they start using the power they've gained by their blacklist being used by many people to start trying to force ISPs to comply with them by blocking bunches of innocents at the same ISP. That indeed has happened, although I'm really not sure if it's happened here or not. The risk of it occurring is pretty high, humans are, after all, only human and it's hard to resist that temptation, especially when you're a strong enough anti-spam advocate to run a blacklist.
    The real problem, of course, is that blacklists are needed in the first place. If ISPs did their jobs a little better (AOL, Hotmail and the likes), the amount of spam would already decrease significantly. And don't speak to me about Chinese ISPs, since most spam comes from the US.
    The real problem is human nature in all of this. In spam existing in the first place (greed), in ISPs not blocking things they should (laziness, lack of knowledge or time), in people actually buying from spam (greed (getting something cheaper than legal means would allow), sexual desire (gotta have a longer penis!) or just simply a criminal desire to purchase illegal goods (prescription drugs for example)) as well as humans becoming corrupted by power when their blacklists get to be popular.

    So basically if we can solve how to get people to stop being, well, people and giving in to baser instincts we can stop spam. Of course we'd also stop crimes of all sorts as well and we've not managed that in hundreds of years so I'm not holding my breath for it to happen.

  • by Seumas ( 6865 ) * on Thursday June 16, 2005 @03:38PM (#12834927)
    John Reid of the SBL told me this wasn't true-- that the SBL was still clean, and that they only blacklisted hosting companies' mail servers when they were spam hosts who took on innocent users as camouflage:

    He is right. That definitely is NOT how SBL actually operates. I have a site that is heavily trafficked (millions per month) and they blocked my email (from my own personal server) that has delivered mail for my site for seven years with absolutely no outgoing spam or relaying having ever occurred in its entire life.

    However, a spammer with false credentials faked his way into a hosting account with my colo provider and as a result, SBL blocked multiple entire subnets, rendering my entire site and service useless for almost an entire month (we deal with auctions, meaning nobody was getting closed notices, won notices, outbid notices, addresses to send payment, registration emails, lost password emails - and when they complained, I couldn't respond to help them and explain it to them).

    SBL couldn't have cared less. As far as they are concerned, if one IP is a source of spam, they all are. And they'll get to fixing it in their own damn sweet time.

    But the defense of SBL fan-boys is typically "well it's VOLUNTARY!".

    Yeah. Whatever. Fuck off.
  • by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Thursday June 16, 2005 @03:42PM (#12834971) Homepage Journal
    People switched from MAPS because the other lists were free, not because MAPS was too aggressive.

    "As of this writing, any filter relying on the SBL is now marking email with the url "paulgraham.com" as spam."

    Whisky Tango Foxtrot? *BLs block IP address ranges, not URLs.

    "Because the guys at the SBL want to pressure Yahoo, where paulgraham.com is hosted, to delete the site of a company they believe is spamming."

    1. Given that Paul's mixing up URLs and addresses of mail servers, I'm not prepared to take at face value the statement that SBL is blocking Yahoo's mail servers to pressure Yahoo to drop a "site", rather than (say) mail services Yahoo is providing the spammer.

    2. If Yahoo is providing services to a spammer and Yahoo refuses to deny those services to a spammer, then Yahoo is being "spam friendly", no matter what their reputation is, and they may well be depending on the many legitimate lists they're hosting to avoid responsibility for their actions. That's exactly the situation that John Reid is referring to in Paul's quote.

    I don't know what alleged spammer this is referring to, but what Paul's written is clearly not anywhere near the whole story.
  • by Valdrax ( 32670 ) on Thursday June 16, 2005 @03:44PM (#12834993)
    For some reason, journalists keep calling blackmail lists "vigilantes". But there's something they don't understand: nobody forces email system administrators to use those lists.

    To be honest, I like his other analogy for blacklist maintainers -- terrorists. It's much truer to the point. Vigilante in my mind at least implies an attempt to go after the bad guys and protect the innocents thanks to the pop culture influence of TV, movies, and superhero comics.

    This doesn't describe blacklist maintainers.

    Blacklist maintainers are cynical, bitter, little men who care nothing for the people they hurt so long as they get a spammer. They deliberately target innocents in the hopes that the innocents will complain to the higher power to get rid of the things that bother them. This leaves little to distinguish them from terrorists other than the fact that they don't kill people. Their deeds are less dark, but their tactics are the same as the Madrid bombers who hurt innocent people to push them to choose a government more favorable to their wishes.

    Sure, nobody forces email admins to use those lists. Nobody forces people in the Middle East to contribute money to Hamas either. I don't care if you think you're funding hospitals and charity for Palestinians or if you think you're fighting to keep spam off the web -- you're paying to see people get hurt too. Stop it.
  • Wrong (Score:4, Insightful)

    by autopr0n ( 534291 ) on Thursday June 16, 2005 @03:49PM (#12835042) Homepage Journal
    What they do is allow others to block email between two different people, simply because they run the mail servers that sit between them. If it was only individual users who were using these blocklists, it would be a different issue. But it's not.
  • by matt me ( 850665 ) on Thursday June 16, 2005 @03:49PM (#12835044)
    Blacklisting is clearly just opening more opportunities for cyber-crime: spammers threatening to get companies blacklisted by major ISPs unless they pay up. Sending a few emails from fake addresses to the right places is a lot easier than organising DoS attacks from BotNets.

    Loss of email hurts more too.
  • by Seumas ( 6865 ) * on Thursday June 16, 2005 @03:52PM (#12835067)
    Oh, NEAT. So you can afford the downtime of a service/site that must be available 99.999% of the time to find and move to another colo provider and deal with weeks of unavailability in between (due to the SBL block) every time SBL decides to block a slew of subnets around you just because some jerkoff decided to spam from it?

    I'm glad you're so flexible. In the real world, most of us aren't.
  • by RickPartin ( 892479 ) on Thursday June 16, 2005 @03:55PM (#12835101) Homepage
    From the article:
    This is, strictly speaking, terrorism: harming innocent people as a way to pressure some central authority into doing what you want.

    Can we please stop throwing the word terrorism into every sentence? Please? No? Damn.
  • by Mike Markley ( 9536 ) <.moc.kcahdam. .ta. .kcahdam.> on Thursday June 16, 2005 @03:57PM (#12835109)
    This argument is horseshit. It's been horseshit for years and it will always be horseshit. The blacklists exist for the sole purpose of allowing other people to block mail based on the data contained therein. The blacklist operators don't get off the hook for having some frickin' responsibility just because they're not holding a gun to anyone's head. They publish this information with precise knowledge of what it will be used for, so this argument is basically just the administrators trying to weasel out of personal responsibility for what they list.

    In case you're wondering, I do use a couple of blacklists. I use them to reject mail, as intended. I like to think that the ones I use are operated by folks who take seriously the fact that people like me are using it for that purpose.
  • by hesiod ( 111176 ) on Thursday June 16, 2005 @03:58PM (#12835122)
    > If you decide to take legal actions in your own hands, then you are, by definition, a vigilante

    What law enforcement activities do the blacklists take into their own hands?
  • by 3nd32 ( 855123 ) on Thursday June 16, 2005 @04:00PM (#12835138)
    Oh, come on. Do we need a new version of Godwin's Law? Blocking a website and blowing up innocent people are not comparable.
  • by deacon ( 40533 ) on Thursday June 16, 2005 @04:01PM (#12835151) Journal
    66.163.161.45 is filthy. Blocking mail that has URLs pointing there will stop a fair amount of spam. Not an approach I'd use myself, but certainly a lot more effective (in terms of spam caught and false positives) than many, many other approaches in widespread use. Paul chose to host his website there, despite supposedly knowing a lot about the spam issue. That was probably not a good call.

    Let me reword your justification of this behaviour so others can see the flaw in it more clearly:

    [66.163.161.45 is a filthy neighborhood. Lots of criminals live there. So, a group of vigilantes randomly started machine gunning people walking the street. Not something I'd do myself, I prefer to use a shotgun, but certainly more effective than using the court system. Paul chose to live there, and he should have known it's a bad area. If he gets shot at random, well, too fucking bad, he should have known better. Living there was probably not a good call.]

    Some days it's hard choosing between deleting 400 spams a day and dealing with the existence of "spam blocking" groups. Then I read a comment from an "anti-spam" person and I think I'll be safer choosing to work that delete key.

  • So what (Score:5, Insightful)

    by Vainglorious Coward ( 267452 ) on Thursday June 16, 2005 @04:06PM (#12835208) Journal
    I reserve the right to block (or accept) any mail I choose on my own system. I also make that decision on behalf of my users, weighing the pros and cons, and especially the listing policies, of any RBLs. If I get it wrong, then yes, my users won't be happy. I'm all for doing what makes my users happy. Blocklists do make my users happy. They work. The fact that there's squealing about the effect shows that they work. I reject utterly the contention that I should somehow be forced to accept anything I don't want to receive.
  • by jamie ( 78724 ) <jamie@slashdot.org> on Thursday June 16, 2005 @04:08PM (#12835235) Journal
    Obviously you feel very strongly about spam. You feel that spam is so important that websites which offer to sell spam software should be blacklisted, along with many other innocent websites hosted at the same ISP.

    What else do you feel strongly about?

    There are websites, I am sure, that describe in detail how to commit murder and get away with it. Some readers may find those sites, and using that knowledge, go commit violent crimes -- just as some readers of spam sites may purchase email harvesting software and then go commit the crime of sending bulk email. I assume you would support blacklisting ISPs that host violent-crime advice, since surely everyone agrees that murder is worse than spamming.

    There are ISPs that host neo-Nazi propaganda calling for the murder of all non-whites. Do you think that's better or worse than offering spam software for sale? Should those ISPs be blacklisted?

    Escort services? Simulated rape porn? "The Anarchist's Cookbook"? A list of abortion providers' addresses? Al Qaeda recruitment and propaganda? I want to know which of these you think is equally as bad as, or worse than, hawking a CD with a million email addresses on it. How many things do you think merit blocking all of an ISP's innocent websites?

    You have your list. Others have their own lists -- and, frankly, there are a billion people who think porn is vitally important and your fixation on spam is stupid. Do you really want the internet segmented? Do you think advancing your pet cause is worth walling off the internet into warring quarters? Do you really want to wield a censor's black pen?

  • by slavemowgli ( 585321 ) on Thursday June 16, 2005 @04:11PM (#12835287) Homepage
    He may be referring to an older qmail version - I assume that he made the observation when he evaluated different MTAs and then didn't bother checking newer versions after he decided on one.

    That being said, I think his comments about blacklists pretty much hit the nail on the head. Think about it: what you're ultimately doing is give some complete stranger near-complete control over what email is or isn't accepted by your system. Blacklists are something that might seem like a good idea in theory, but when you really think about them, they're not anymore. There's just too many ways they can be subverted in one way or another.
  • by otter42 ( 190544 ) on Thursday June 16, 2005 @04:20PM (#12835405) Homepage Journal
    This is, strictly speaking, terrorism: harming innocent people as a way to pressure some central authority into doing what you want.

    No. No... No, there's just something not right about that. I'm pretty sure that the definition of terrorism includes the idea of terror somewhere...

    Ahhh. That's more like it: Terrorism: the unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons.

    Yeah, violence should induce terror. Not being able to send emails to my girlfriend, as hair-raising an idea as that might be, just doesn't seem to be in the same league.

    And just in case Mr. Graham is too lazy to find a dictionary to look up hyperbole for himself: hyperbole - n : extravagant exaggeration
  • by Seumas ( 6865 ) * on Thursday June 16, 2005 @04:26PM (#12835470)
    That's the point - it doesn't matter how fast you respond to a spammer. If you ditch the spammer instantly, you're still going to end up on the list indefinitely. In the case I cited, the spammer was kicked off within hours. I'm sure he was off to some other unwitting place to spam from while the rest of us went weeks without being able to send from our servers.

    How is it an incentive for admins to be "responsive" when dealing with spammers if you're going to punish everyone within a certain radius for days or weeks even if the problem was terminated within hours?

    What exactly is so wrong with blocking an IP at a time? You do away with the innocent bystanders while still nailing the spammers. Anyway, the reason they block the entire subnet has NOTHING TO DO WITH PREVENTING SPAM. It's merely a way of pissing off enough legitimate people to force the bad person to be dealt with (even if they've already been dealt with or it was an honestly unavoidable situation or what have you).

    If you've identified chronically spam-friendly hosts and want to widen your net for them, that's great. But don't take out the entire neighborhood because of one bad neighbor.
  • by jdunlevy ( 187745 ) on Thursday June 16, 2005 @04:26PM (#12835478) Homepage
    From TFA [paulgraham.com],
    As of this writing, any filter relying on the SBL is now marking email with the url "paulgraham.com" as spam. Why? Because the guys at the SBL want to pressure Yahoo, where paulgraham.com is hosted, to delete the site of a company they believe is spamming.
    E-mail w/ the 'url "paulgraham.com"'? The SBL doesn't check URLs, it doesn't even check domain names, it checks IP numbers. paulgraham.com resolves to [66.163.161.45], which is listed in the SBL [spamhaus.org] (details for SBL27945 [spamhaus.org]), but since this isn't a mail server, I don't see how e-mail from paulgraham.com gets marked as spam by users of the SBL. I note that the MX record for paulgraham.com is milter1.store.vip.sc5.yahoo.com [216.136.232.238], which is not in the SBL [spamhaus.org]. He never mentions what he uses as his smtp server, but I'm suspecting it's either not in the SBL -- or it's in for a different reason than he thinks.

    Also, for what it's worth, I've found the SBL incredibly reliable (except recently, when I've found it's been increasingly unreachable at peak times), but I check it as one of many spamassassin rules -- I don't mark e-mail as spam just because it's in the SBL, though the way I have spamassassin score things, it doesn't take much more...
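Added example (not part of the comment above, and not Spamhaus or SpamAssassin code): how a DNS blocklist zone is queried by the connecting client's IP address, and how a hit can add to a score rather than reject outright, as the comment describes. The two IP addresses are the ones quoted in the comment; the resolver snapshot, `SBL_POINTS` and `THRESHOLD` are assumptions constructed for illustration so the block runs offline.

```python
import ipaddress
import socket

SBL_ZONE = "sbl.spamhaus.org"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

SBL_POINTS = 3.0   # hypothetical weight for an SBL hit
THRESHOLD = 5.0    # hypothetical score at which mail is tagged as spam


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # IPv4 only here
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Live lookup: A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


# Constructed snapshot standing in for DNS, mirroring what the comment
# reports: the web host address is listed, the MX address is not.
SNAPSHOT = {"45.161.163.66.sbl.spamhaus.org": ["127.0.0.2"]}


def snapshot_resolver(name):
    return SNAPSHOT.get(name, [])


def is_listed(ip, zone, resolver=system_resolver):
    """An IP is listed when the query name resolves into 127.0.0.0/8.

    No answer means not listed. Answers outside 127.0.0.0/8 are ignored,
    since they indicate a hijacked or wildcarded zone, not a listing.
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


def score_message(client_ip, other_rule_points, resolver=system_resolver):
    """Treat the list as one rule among many instead of a hard reject.

    client_ip is the address of the SMTP client that connected, which is
    the key the list is indexed by; a domain name in the message is not.
    Returns (total points, tagged as spam?).
    """
    points = other_rule_points
    if is_listed(client_ip, SBL_ZONE, resolver):
        points += SBL_POINTS
    return points, points >= THRESHOLD


if __name__ == "__main__":
    for ip in ("66.163.161.45", "216.136.232.238"):
        print(ip, dnsbl_query_name(ip, SBL_ZONE),
              is_listed(ip, SBL_ZONE, snapshot_resolver))
    print(score_message("66.163.161.45", 1.0, snapshot_resolver))
    print(score_message("66.163.161.45", 2.5, snapshot_resolver))
```

Passing `system_resolver` instead of `snapshot_resolver` performs a real DNS query; public blocklist zones may refuse or rate-limit queries arriving through large shared resolvers.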

  • by Vainglorious Coward ( 267452 ) on Thursday June 16, 2005 @04:33PM (#12835565) Journal

    Except that I have been listed. And I had to go through contortions to fix that situation, which did not occur because of anything I did. What were you saying about acting like a dick?

    As I already said, yes, I do assume the role of telling people to fuck off on behalf of my users. And I'm accountable for that. If I choose lists with inappropriate policies, or continue to use a list after its policy has changed for the worse, then I deserve to have my users demand change or my removal. No-one is pretending that RBLs are a magic bullet, or even that they're a "configure & forget" solution. Of course there will be false-positive listings, malicious smear attacks (which is what this case appears to have been) and so on. My experience is that the damage arising from such cases is minimal when compared to the benefit of using RBLs. Simply put, RBLs work more effectively than just about any other technique (for today, at least).

    And frankly, on a practical level, what are you going to do about it? Do you think you can stop groups of people organising themselves and exchanging opinions on the activities of others?

  • Re:A few comments (Score:2, Insightful)

    by Desert Raven ( 52125 ) on Thursday June 16, 2005 @04:37PM (#12835609)
    The most notorious example is the MAPS RBL
    As any fule kno, the most notorious spam blacklist is SPEWS. ~

    Actually, MAPS and ORBS are the most notorious in my book. Why? Because they got caught listing folks for reasons not specified in the listing criteria. (personal agendas) For that reason, they are the only two lists I know of to have lost legal challenges. MAPS cleaned up its act, and ORBS was shut down.

    As far as I'm concerned, listing all even-numbered IP addresses is valid, so long as it is clearly stated in the list criteria. That way, sysadmins can decide whether the list is practical for them or not.

    Love or hate SPEWS, they follow their own listing criteria to the letter. I have seen a few mistakes happen, but I've also seen them get cleared very quickly. Most of the folks claiming they are listed "by mistake", do fit the criteria for listing as stated in the SPEWS guidelines. Usually, because they are getting their service from an ISP that is knowingly harboring spammers. I have no sympathy for this, if you don't want to be lumped in with the spammers, don't support an ISP that allows spamming.

    And I'm here to say, it's NOT impossible to get off an RBL. I got caught in a SPEWS listing, because my ISP got lax and allowed a spammer to stay on their network. It took six months for that listing to expand wide enough to cover my addresses. When I found out, I raised royal heck with my ISP, and told them in no uncertain circumstances that I would pull my service if they didn't clean up. They kicked the spammer, the Spamhaus listings were gone the next day, and within a week, the SPEWS listing covering me had been reduced so that I was no longer affected.

    Having spammers on your ISP is like having a crack-house on your street. Can you blame folks for not wanting to come visit you?
  • by capilot ( 809596 ) on Thursday June 16, 2005 @04:38PM (#12835620)
    We've been blacklisted before ...

    Was it for -- wait, let me guess -- was it maybe for spamming? Maybe next time you won't spam or let your users spam. Just a thought.

    the sysadmins who run these things often WILL NOT remove you

    Which sysadmins are those? Certainly that's true for my system. Once I drop a spammer into the system blacklist they're there for life. I don't have the time or energy to audit my block list, and what would be my motivation anyway?

    The major RBLs on the other hand, will remove you if -- and this is the important part -- if you stop spamming. In this sense, the RBLs are doing you a great service. If the RBLs list you before I get mad enough to block you myself, then you have a chance to eventually get unblocked. Would you care to name a major RBL that continued to list you even after you cleaned up your act?

    I'd take all the SPAM any day vs. not being able to send legitimate emails

    Ahh, but you weren't really listed for sending legitimate emails were you? If you're willing to accept spam in exchange for the ability to send it, then that seems perfectly fine to me. All the sites that want to send spam, and are willing to receive it in return need merely not subscribe to the RBLs. Voilà! The system works.

    I, on the other hand, am perfectly willing to not receive spam in exchange for your inability to send it to me. The system works again!

  • by edibleplastic ( 98111 ) on Thursday June 16, 2005 @04:41PM (#12835640)
    What you are promoting is the tactic known in the real world as "Collective Punishment". This is the situation where retribution is meted out to anyone in the vicinity of the concerned party (innocent or not) in order to pressure that party to change. In this case, you find it acceptable that innocent users could get hurt (innocent, probably non-tech savvy users who don't know much about other ISPs or SPAM, or anything) just so that you can put pressure on ISPs to change their ways.

    Now here's the fascinating part: you link to the site antiwar.com which has not 1, not 2, but 423 [google.com] pages decrying the use of collective punishment.

    If that's not hypocrisy, I don't know what is. Sure email's not a life and death situation, but the principle is the same in both cases. Don't like it when innocent people get their homes destroyed? You should hate it when innocent people get their IPs blacklisted.
  • Who's been shot? (Score:2, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday June 16, 2005 @04:45PM (#12835682)
    Let me reword your justification of this behaviour so others can see the flaw in it more clearly:
    As long as you're up to the task...
    [66.163.161.45 is a filthy neighborhood. Lots of criminals live there. So, a group of vigilantes randomly started machine gunning people walking the street.
    Excuse me, but who's been shot?

    No one?

    Then your analogy is not accurate.

    Certain admins running certain email servers are rejecting/flagging his messages because they come from a "bad neighborhood".

    No one is being shot or physically injured in any way, fashion or form.
    Some days it's hard choosing between deleting 400 spams a day and dealing with the existence of "spam blocking" groups. Then I read a comment from an "anti-spam" person and I think I'll be safer choosing to work that delete key.
    And that is a valid option and a valid choice.

    But I'm the admin for a company of about 150 people. 400 messages a day x 150 people = a problem.

    So I use a few blacklists and deny the connections. No one gets shot, no one dies.

    There is always the phone and I do include my phone number in the rejection notice. If a person gets the reject notice, that person can call me or the person s/he was trying to email and I can make a specific exception.

    I've blocked over a million spam messages yet I've only had 4 calls (Bell South is staffed by idiots).

    I have 3 executives here who are 100% behind my anti-spam efforts. You might not mind manually deleting 400 messages a day, but they do.
  • by Gorm the DBA ( 581373 ) on Thursday June 16, 2005 @04:58PM (#12835796) Journal
    Except for one not so minor thing...

    Credit bureaus are *heavily* regulated. If they have a file on you you can get a copy of it every few months. If there is an error, there is a defined process to follow to clear it up, and they are forced by law to resend new reports to anyone who accessed your report during the time the error was present.

    "Blacklists" are not regulated at all. There is no accountability, no way to protest a listing if you believe it is incorrect. No recourse.

    If you can't see a difference...then I pity you and whatever school system you went to.

  • by syukton ( 256348 ) on Thursday June 16, 2005 @04:59PM (#12835810)
    Actually, I'm with singletoned, and I think it's you that has a problem with understanding. Understanding something involves realizing implications which are not immediately obvious. Understanding is something that few people ever really do. Reading the facts isn't enough, you need to be able to manipulate those facts and draw provable conclusions from them. THAT is understanding.

    For example, in order to get revenge on people they believed were spamming, MAPS would blacklist the mail server of the company hosting their site.

    The problem with blacklists is that they're human controlled and extremely susceptible to egotistical vigilante-ism. If I'm getting spam from a server, I don't have to block just that server. I could block every server in the headers, for example. What I choose to add to my blocklist can be totally arbitrary, and that's the problem with blocklists controlled by individuals that can block huge IP blocks.

    And, in terms of preventing the "sending" of mail, you could consider a blacklist to be a postman who would, whenever he saw a letter from a given return address, he'd destroy it. Any time you got a New Scientist magazine? destroyed, at their discretion. How many companies use a blacklist without saying what's on the blacklist, or making the blacklist easily searchable and editable? Does a user ever get a message on a regular basis "Hello so and so, you've received 274 emails this week from addresses in our blocked address list (which contains mostly spammers; click here to make a change)." ? No, they don't provide that helpful information with links to the relevant information.

    The mail is just blocked, it disappears into a void. By intercepting it before it reaches its intended recipient you are effectively preventing it from being sent. Because it's not the addressed recipient that decides whether or not to accept the mail according to the blacklist, it's an unnamed middle-man or middle-men. A blacklist allows any server in-between the sender and the recipient to say "no, sorry, your ass is blocked."

    I do think people should be forced to accept every email that I send. They shouldn't be forced to READ them all, but they should be forced to accept them. As email becomes more and more prevalent as a form of legally recognized communication (emails are used in court as evidence) it's important to recognize the implications of interfering with that communication without disclosing such interference. Would you like it if I were your postman and every time I saw your electric bill, I took it and destroyed it because I didn't like the electric company and I didn't think anybody should be subjected to their tortures? Would you like me totally interfering with your legal communication and then not telling you, not even sending you a friendly "the electric company is evil, go solar!" letter? Would you like the way that could impact your finances, your credit, your reputation? What happens when somebody adds an obscure credit union to a blacklist and people don't get fraud alert emails from the CU, just because one server in their datacenter was compromised and used to send 10,000 spams? Do you REALLY understand, now? I still don't think you do.

    The blacklists themselves aren't really responsible for breaking any rules, which they believe absolves them of acting responsibly. The fact of the matter is that blacklists are often implemented in the most infuckingcredibly ignorant ways possible, unfortunately. No e-mails as per my suggestion above, no way for the sysadmins that use the blacklist to audit/edit it, etc.

    We need a wiki-style collaborative blacklist that has a membership of thousands who all collaborate on this issue. It's just one more example of how giving one person too much power before they're ready to use it responsibly with proper discretion results in a disaster. A blacklist affects too many people to be implemented so willy-nilly at only a few people's (poor) discretion. We need a collaboration, a large committee who will not become corrupted by power (as none of the members will individually have any power) but will be a gathering of individuals who maintain their individual opinions and ensure that the system remains fair and balanced.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Thursday June 16, 2005 @05:00PM (#12835817)
    Comment removed based on user account deletion
  • by Skye16 ( 685048 ) on Thursday June 16, 2005 @05:11PM (#12835893)
    Right. So then, when those of us with a .nu domain name have to change ISPs constantly because, at any moment, someone else - that we have no control over - ruins the ability for our email to go to its intended recipient - we just get to suck up the 10$ a pop IP change for our DNS? And even aside that point - while hosting companies are a dime a dozen, good hosting companies aren't. When we do find one that is, we want to stick with it. It's not their fault someone else at the same colo decided to be a jackass.

    Basically, you're just saying "too bad, I'm tired of being screwed over by spam" and I'm saying "wtf, I'm tired of being screwed over by blacklists that can't keep their shit together". Put yourself in my shoes - when a blacklist service becomes worse than spam and the spammers who spam, what does that tell you about blacklists?
  • by billstewart ( 78916 ) on Thursday June 16, 2005 @05:11PM (#12835894) Journal
    There have been spam blacklists that worked that way; they mostly weren't worth using, except as SpamAssassin weights, and mostly nobody cares. And there have been Open Relay blacklists that blacklisted every mail server at an ISP to get their attention until they cleaned up open relays, even if only some of that ISP's customers had open relays.

    But this is different - this is ONE IP address - the SBL record identifies it as a /32. Virtual Hosting means that it's possible to have multiple domains all using the same IP address for their email or websites, and if you're going to blacklist based on IP addresses, it doesn't get more granular than one address (unless you want to do things like have different return codes for "address has one spammer and some non-spammers".) So if one IP address has 100 legitimate users and one spammer, and you receive email from them, is it more likely that the mail is one of the 10000 (100 users x 100 messages/day) good messages, or one of the 1,000,000 spam sent by the spammer? 99% likely that it's spam; sorry if it was Paul.

  • by Otto ( 17870 ) on Thursday June 16, 2005 @05:12PM (#12835908) Homepage Journal
    Your analogy is freakin' terrible.

    Paul hasn't been shot. Emails he tried to send have not been delivered. Drawing a comparison between physical violence and the fact that a guy can't send email is rather disingenuous.

    What's worse is that you still got the analogy wrong. Nobody has attacked Paul. His mail server is fine. HE CAN STILL SEND EMAIL. Other people, however, can CHOOSE to reject his email because of his IP being on a list. Nobody's touched his servers.

    To use your crappy analogy, nobody's shot anybody. Instead, they've put his address on a list and then people who want to know about where the bad parts of town are can read that list and think that Paul is bad because he lives there too. Then they can throw mail he sent them away based on that.
  • by fm6 ( 162816 ) on Thursday June 16, 2005 @05:13PM (#12835918) Homepage Journal
    ...you can't argue that the process didn't put pressure on you to switch hosting providers, or at least put pressure on your hosts to ensure that they never host another spammer again...
    Wrong on both counts. Blacklisters are so quick on the trigger, there are no safe providers. And how is a provider supposed to "ensure that they never host another spammer"? They can only act after a user has started spamming. Plus, they have to take some time to investigate spam complaints -- yanking someone's service without documenting their TOS violations is a good way to get sued. That delay always seems to convince blacklisters that the provider is "spam friendly".
  • by mabu ( 178417 ) on Thursday June 16, 2005 @05:14PM (#12835930)
    Spamcop's RBL does exactly what you're suggesting. Their automated system automatically "retires" IP addresses from the RBL after set amounts of time. It goes one step further though, and determines the suitability for longer-term inclusion on the list based on the IP's history of spamming. It works exceptionally well.

    I have been the victim of the formmail exploit, and been RBL'd as a result. It was not difficult to get un-blocked. Yes, it was a hassle, but I suspect those that complain about being RBL'd, are the people that send nasty, vicious, "take me off or i'll sue you f'ing jerk!" e-mails and then wonder why they weren't removed. If you're polite with the RBL maintainers they're more than happy to cooperate. Anyone who's running an RBL that isn't reasonable, won't have anyone using their list so it doesn't matter.
  • by Valdrax ( 32670 ) on Thursday June 16, 2005 @05:38PM (#12836180)
    So you mean, apart from the fact that they lack the defining characteristic of terrorists, these people are just like terrorists.

    No. That's the defining characteristic of murderers. There are other ways to commit acts of terror. Kidnapping (without murder), rape, sabotage, etc. all can be acts of terrorism if intended to shape someone's opinion or vote. Really, the place where the analogy fails is that terrorism is inherently violent, where spam blacklists are not.

    However, the core issue of spam blacklists deliberately targeting innocents to get them to demand change puts them in the same philosophical camp in my mind.

  • Gentlemen,

    You do realize that Paul Graham is in the business of pushing Bayesian anti-spam filtering, which he claims as 'the best' solution to spam. For a long time Graham has been spreading FUD about other anti-spam solutions, in particular blocklists. We're well used to hearing utter bollocks about blocklists spread by him.

    Yesterday we listed on the SBL an IP of a spammer which as luck would have it is being shared by Paul Graham. We of course can not simply give the spammer carte blanche to spam our users because Paul Graham is also using the same IP. Graham has no concern for the fact he's sharing his IP with a spammer, and rather than contact his ISP to ask what a spammer is doing sharing his IP he simply sees a PR opportunity to bolster his "blocklists are evil, bayesian is good" campaign. I'm only surprised this actually made Slashdot.

    Steve Linford, CEO, Spamhaus
  • Re:Wrong (Score:3, Insightful)

    by Linux_ho ( 205887 ) on Thursday June 16, 2005 @05:54PM (#12836339) Homepage
    If I can't receive email from a friend because my mail provider, who I pay money to, is as stupid as some of the BL-supporters here, you can bet I'll yell at them.

    RBL's don't kill e-mail, bad sysadmins kill e-mail. You're just demonstrating your own ignorance of spam-blocking techniques by saying "BL-supporters" are stupid. RBLs are an incredibly valuable tool. My systems, which process about 30,000 messages per day (60-70% spam), NEVER reject a message based on a single RBL hit. But if an IP is listed on three or more different reputable RBLs and doesn't have a very low Bayes score, that message is probably getting rejected. RBLs contribute a huge amount to my (currently > 99%) spam detection accuracy.
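
The policy described in the comment above (never reject on a single RBL hit; reject only when three or more lists agree and the Bayes score is not very low), sketched as an added example that is not part of any poster's comment or any mail server's own code. The `.example` zones, the stub resolver, its constructed answers and the 0.10 "very low" Bayes cutoff are assumptions.

```python
import ipaddress

# DNSBLs signal "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.45 -> 45.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve):
    """True only for a well-formed listing answer from this zone."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except LookupError:
        # Timeout or resolver failure: fail open, a dead list must not block mail.
        return False
    # An answer outside 127.0.0.0/8 is not a listing (for example a parked
    # zone that answers every name), so it is ignored.
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in answers)


def decide(ip, bayes_score, zones, resolve, min_hits=3, low_bayes=0.10):
    """Return (verdict, hits). One list alone never rejects a message."""
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    if len(hits) >= min_hits and bayes_score > low_bayes:
        return "reject", hits
    return "accept", hits


# --- constructed test data (hypothetical zones, documentation IP ranges) ---
ZONES = ["rbl1.example", "rbl2.example", "rbl3.example",
         "rbl4.example", "rbl5.example"]

CONSTRUCTED_DNS = {
    "45.2.0.192.rbl1.example": ["127.0.0.2"],
    "45.2.0.192.rbl2.example": ["127.0.0.4"],
    "45.2.0.192.rbl3.example": ["127.0.0.2"],
    "77.2.0.192.rbl1.example": ["127.0.0.2"],
    "7.100.51.198.rbl1.example": ["127.0.0.2"],
    "7.100.51.198.rbl2.example": ["127.0.0.2"],
}


def stub_resolve(name):
    """Offline stand-in for an A-record lookup; [] models NXDOMAIN."""
    if name.endswith(".rbl4.example"):
        raise LookupError("constructed timeout")
    if name.endswith(".rbl5.example"):
        return ["203.0.113.10"]  # parked zone answering everything
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for ip, score in [("192.0.2.45", 0.92), ("192.0.2.45", 0.03),
                      ("192.0.2.77", 0.92), ("198.51.100.7", 0.92)]:
        print(ip, score, decide(ip, score, ZONES, stub_resolve))
```

In production `stub_resolve` would be replaced by a real A-record lookup with a short timeout; the decision logic stays the same.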
  • by syukton ( 256348 ) on Thursday June 16, 2005 @05:58PM (#12836377)
    They usually have a website and a policy telling you what is supposed to be on that list, but they NEVER block mail. By publishing a list, they give a rating. Someone else takes action based on that rating. None of your mail goes through a DNS blacklist operator's mailserver. They are simply not in the position to block anything.

    Yes, I know that. They just make a list. I said that, I also said that they believe that "just making a list" absolves them from all responsibility. I also said that blacklists are implemented (by people who implement them, namely system administrators) very poorly. Were you paying attention? Do you understand?

    The implementation of a blacklist is how the ISP uses it. Do they notify the customers? Do they send a weekly "You got spam from these addresses..." message? Do they enable customers to easily edit the blacklist so that illegitimately added hosts can be removed quickly? I really don't think you understood me. heh.

    It's the principle of centrally administered DNS blacklists that is at fault here, not the individual operator.

    I said that a few times. Are you sure you were paying attention when you read my comment? I said that having a list maintained by people who believe themselves to be absolved of responsibility and can edit the blacklist willy-nilly without vote or consensus is bad, and we should switch to something more wiki-style that more people would have a say in.
  • Re:Wrong (Score:3, Insightful)

    by Fulcrum of Evil ( 560260 ) on Thursday June 16, 2005 @05:58PM (#12836378)

    You're why sysadmins and blacklists have a bad name. Just because you can do it, doesn't mean you should or even that it's particularly intelligent to do so.

    When you're a sysadmin, you have to weigh the flood of penis pills and mortgage scams against one or two people not getting an email because the sender is hosted by someone who can't secure their mailserver. It's really an easy call. Before you start spouting on about giving users the choice of what to receive, there's also the sheer volume of spam - accepting too much email can put a serious strain on the servers and degrade the experience for everyone.

  • by shiksaa-spamhaus ( 875614 ) on Thursday June 16, 2005 @06:39PM (#12836762)
    Been blacklisted by whom, pray tell? You people who whine about Spamhaus have no clue what you're talking about. Spamhaus has editors around the globe and that means people who don't lie and who get their spam problems under control get removed - and get removed promptly. I defy any of you to show that Spamhaus has been non-responsive to anyone except spamming and spam-supporting liars.

    I will thank you to stop painting everyone with the same brush. Spamhaus isn't SPEWS nor is it any other list. You don't like being listed? I wouldn't either, but then I don't spam nor do I host spammers. Deal.

    And if you like spam so much, I have a metric buttload of it I'd be happy to forward to you each and every day. Send me your email addy if you've got the guts. I'm guessing you're all b.s. - IOW, you don't have the nuts or the guts to put your mailbox where your mouth is.
  • Terrorism? Hardly. (Score:3, Insightful)

    by ChaosDiscord ( 4913 ) on Thursday June 16, 2005 @06:45PM (#12836796) Homepage Journal

    Graham has written some insightful and well thought out stuff, but this is just sloppy:

    This is, strictly speaking, terrorism: harming innocent people as a way to pressure some central authority into doing what you want.

    I find it amazing that blacklists which mail servers must opt-in to use are somehow terrorism. Are you suggesting that these innocent people have some fundamental right to contact my mail server and send mail? They certainly don't; it's my mail server. I can use any methods I like to filter out mail, including choosing to rely on one of the IP blacklists. This can only be terrorism if random people have some sort of human right to send mail to my machine. I hardly think that's a right.

    Come to think of it, apparently organizing against tangentially related people to stop another problem is terrorism? By that strange standard you could call advertiser boycotts terrorism: you're trying to influence some media outlet by negatively influencing advertisers on that outlet. They often have the same claim of innocence ("I didn't know that they would run that article! I just buy bulk advertising rates.")

    (Now there are problems with blacklists, perhaps most significantly that many ISPs use them without informing their subscribers or allowing them to opt out. Blacklisting unaware users who happen to share a machine with a spammer's website is definitely a complex question.)

  • by Vainglorious Coward ( 267452 ) on Thursday June 16, 2005 @07:08PM (#12836957) Journal

    I'm with singletoned, and I think it's you that has a problem with understanding.

    He(?) claimed that RBLs prevent people SENDING. He is wrong. If you agree with him that RBLs prevent sending, you are also wrong.

    Reading the facts isn't enough, you need to be able to manipulate those facts and draw provable conclusions from them

    Snicker. Donny Rumsfeld [bbc.co.uk] in da house!

    I do think people should be forced to accept every email that I send.

    Then you are no different than a spammer. And it's clear from the rest of your drivel that you really don't understand what happens when an RBL is in use. Hint : legitimate email suffering an RBL false-positive doesn't disappear into a black hole. That's one of the reasons why RBLs are so effective, even in an environment where some false-positives are inevitable. Or to put it another way, if the "collateral damage" from RBLs were anything other than insignificant, compared to the benefit they provide, then world+dog wouldn't be using them.

  • Re:So what (Score:4, Insightful)

    by Chris Burke ( 6130 ) on Thursday June 16, 2005 @07:11PM (#12836976) Homepage
    I reject utterly the contention that I should somehow be forced to accept anything I don't want to receive

    And that means that you will readily accept someone else's decision on what you should and should not receive? You sound too individualistic for that, so I think you are probably missing the implications of these blacklists.

    What if you want to receive email from someone, but their block is in the blacklist your ISP uses? Can you call up your ISP and ask them to remove it? Can you get your friend to change their ISP so they are in a non-blacklisted block? In the past, I've seen people whose ISPs would block, for example, the entire University of Michigan. That made it pretty tough to communicate with them.

    You are absolutely under no obligation to accept anything. That's why I run a spam filter myself. But letting someone else's often arbitrary judgement control what you do and don't receive is contrary to the personal control that you (and I) want.

    Speaking of which, I'm glad I'm not one of your users.
  • Re:So what (Score:3, Insightful)

    by Chris Burke ( 6130 ) on Thursday June 16, 2005 @07:19PM (#12837022) Homepage
    The fact that there's squealing about the effect shows that they work.

    Um, no.

    The fact that there's squealing about the effect from non-spammers shows that they don't work.
  • by Dr.Dubious DDQ ( 11968 ) on Thursday June 16, 2005 @07:59PM (#12837309) Homepage

    Considering how much my spam has been reduced by the SBL (anywhere from at least 50% up to 75%) I'd like to just say:

    The mail servers under my control have always subscribed to the SBL-XBL (well, more accurately, before the XBL was established it was the SBL and cbl.abuseat.org. The latter is dedicated to short-term [72 hours, as I recall] blocking of e.g. spammers operating on DSL or cablemodem lines who are likely to appear on an IP address once or twice and then get kicked off. The CBL is now also represented in the XBL). I have so far, in the last 3-4 years or so, only been able to confirm 1 and 1/2 "false" positives in that entire time - one was from a person in China who was using a confirmed spam-haven ISP, the "1/2" from a company that, after an informative response from the CBL people, I believe were listed for appropriate reasons. In any case, the latter case cleared itself up when they were automatically re-removed from the CBL [they'd been there before] and the email lost WAS an advertisement anyway...)

    I have noticed the numerous stories of overzealous blocklists, which are obviously a bad thing, but I can't think of a way to reasonably put the SBL in that category...

    Besides, bayesian filtering only works AFTER the spammer has been allowed to tie up my mail server's bandwidth (and then allows them to tie up your mail server's CPU time with the bayesian analysis). I prefer to cut off known spammers before that point whenever possible. THEN I pass the remaining messages through SpamAssassin. Back in the early days of spam, I used to actually go to the effort of picking apart the mail headers and looking up the abuse addresses for the ISP whence the mail came AND the hoster of the spammer's website (and on one or two occasions, even the registrar for the spammer's domain name, when I could confirm that the information was falsified). It's been a long time since I was able to keep up doing that with the volume of spam coming in, but I still can't stand the thought of allowing spammers to take ANYTHING from me that I can prevent...

  • Re:A few comments (Score:3, Insightful)

    by Zak3056 ( 69287 ) * on Thursday June 16, 2005 @08:30PM (#12837470) Journal
    When I found out, I raised royal heck with my ISP, and told them in no uncertain circumstances that I would pull my service if they didn't clean up. They kicked the spammer, the Spamhaus listings were gone the next day, and within a week, the SPEWS listing covering me had been reduced so that I was no longer affected.

    This is great--IF you have the leverage to do it. If you're a large (six figures a year in spending and up) customer, you can get the ISP to jump at your command. Likewise, if you're dealing with a small local ISP, you have a significant amount of leverage even if your spending is low.

    On the other hand, if you're someone with a single DS1 being provided by someone like Verio, you have NO power to negotiate or threaten. Sure, you CAN leave, but for a small organization (perhaps one with minimal or even no IT support) this kind of move is difficult, if not impossible--and in any case, is going to be really expensive. And what happens when the next time (and there will be a next time) comes around? You get to go through it all again.

    RBLs (when used exclusively, instead of in some kind of weighted average ala spamassassin) are like a bad action movie--you know the ones, where the cops walk into a crowded theater and open up on the bad guys, while ignoring anyone else in the line of fire. It doesn't matter who gets taken out as long as we get our man--right?

  • Re:RBL advice (Score:2, Insightful)

    by AaronLawrence ( 600990 ) on Friday June 17, 2005 @04:48AM (#12839702)
    Re Spamcop; The simple fact though, is that "misdirected bounces", though well intentioned, make the problem of spam quite significantly worse. It pushes the spam off to someone else. Sure, the system doing the bounces is not "spamming" but they are acting as a spam transfer system, a bit like open relays used to.

    Still you obviously have a reasoned and generally reasonable stance on blacklists. Congratulations ;)
