As the Spam Turns 408
Anonymous writes "The SBL has added Verio's corporate mail servers
to its blocklist which protects nearly 100 million mailboxes, because of the number of spam gangs on the Verio network.
Verio also provides connectivity to AS26212, a collection of 9 of the most notorious spammers netblocks. AS26212 - the new spambone? - is also connected to he.net and bbnplanet.net."
Spamford Wallace where are you???? (Score:2, Funny)
Oh no! (Score:5, Funny)
Re:Oh no! (Score:5, Funny)
male oriented spam (Score:2, Insightful)
Re:male oriented spam (Score:3, Insightful)
This is depressing... (Score:3, Insightful)
Only the corporate site was blocked (Score:5, Informative)
In the comment from Spamhaus it is clearly stated that only the Verio corporate mailserver is blocked in order to protect their ISP users.
Re:This is depressing... (Score:3, Insightful)
I've had people sign up to get info from a site i run, and upon receiving the first e-mail that they explicitly requested, write back in all caps "HOW DID YOU GET MY ADDRESS??? STOP SENDING ME THIS!!!"
Couple that effect with vigilante spamblock operations (whose haughty tone assumes EVERYONE reported to them is evil) and you have people being slimed who are doing legitimate business on the web.
Yes, I agree people who forge headers or don't properly cull lists are negligent. They are buffoons who should be blocked. But hey, what are you going to do, block yahoo.com?
Re:This is depressing... (Score:4, Interesting)
What is "your site", if its "your site", you are CEO of Reozone.com? If thats true, do you affilate with them?
Let me tell the real story. You had some sort of an innocent mailing list, than you sent that reozone.com URL with your affilate link to them.
Oh blocking Yahoo.com? gmx.de blocks them, Novell Myrealbox blocks their mailing list service because of non-serious abuse policy (even they are a potential huge customer). Also, when a yahoo mail user spams you, I have a record like, 2 hours later his account has been deleted.
SO EVERYONE CLICKS ON YOUR REFERER ID'ED URL ON SLASHDOT GIVES YOU MONEY?
bleh
Re:This is depressing... (Score:3, Insightful)
How about facing this fact.
ISP's that don't do something to combat spam are going to have customers leave over it.
There are other ways of maintaining the list. I have heard the arguements many times, but fundamentally, its up to the sender to be certain that the recipients want to receive the email.
First of all, is the sign up process a Double Opt-In [everything2.com] process? A pita to implement if it isn't done already, but good luck keeping an accurate list without it. It also helps establish a trust with the people who want the mail. 99% of the spam I still get claims that at some point in time I signed up for this list.
Secondly how active is the list? Someone signing up for a list that doesn't generate any traffic for 6 months is a sure way to have people think your spamming them, even if they did actually ask to be on the list.
As far as the spam lists, I've had to deal with there overzealous behaviour as well. They block mail servers that have an open relay hole in them very fast. The more zealous the site, the less likely I am to use the list. No ISP is doing their customers a service by using lists that are ready to block every IP out there and damn them to hell for ever.
Re:This is depressing... (Score:2)
If you do business with people who has no respect to others, you deserve it. Kind of.
Re:This is depressing... (Score:3, Insightful)
When spammers pay me for the privelege of advertising in my box, then we'll talk business.
Rich
Great, more censorship (Score:3, Insightful)
Re:Great, more censorship (Score:5, Informative)
Re:Great, more censorship (Score:2)
It is censorship.
Re:Great, more censorship (Score:2)
The ISP is private property. The owner of property can say who speaks on that property. An analogy: If you come to my house and stand on my lawn and start talking, it is NOT censorship for me to tell you to get off my lawn if you're going to talk. You're perfectly free to talk somewhere else.
Re:Great, more censorship (Score:2)
I'd rather have an ICP (connection) than an ISP any day.
Re:Great, more censorship (Score:2)
Re:Great, more censorship (Score:5, Informative)
I don't want to sound like a callous jerk, but it doesn't sound like the original poster knows what it's like having thousands of users screaming for some sort of server-side spam filtering. For their $18 or whatever a month, the majority of them want their ISP to do something about the viagra/pr0n/MMF spam in their mailbox. ISP's just need to make the right decision in letting the users decide if they want filtering or not. Users can always go elsewhere if the ISP wants to enforce filters the user doesn't like.
My $.02 USD.
Re:Great, more censorship (Score:2, Interesting)
I specifically choose ISP that follow spam black-out lists. Makes my life a lot easier. It's my choice to choose my ISP.
Kids with their Yahoo! or Hotmail account usually don't care about spam, but I do, because each piece of spam causes me to loose billable time.
Re:Great, more censorship (Score:2, Informative)
Besides, if they decide to take the initiative and prevent this sort of thing from happening, they can be reinstated. Sounds good to me.
Why content filtering is not enough (Score:5, Insightful)
Bayesian filters, SpamAssassin, and other client-side content filters can indeed reduce the amount of spam that you see. As such, they can reduce some major costs of spam for the average Internet user, small site, or business: costs such as annoyance, offense, wasted time, and harm to productivity thereby caused -- that is to say, the end-user costs of spam.
However, they have no effect on the cost of the bandwidth and other resource costs of spam, which are substantial for large ISPs and large businesses -- and for the Internet as a whole. In order to perform content filtration on a piece of mail, you must receive it and store it first, which has its costs. (Consider that large ISPs regularly report that anywhere from one-third to two-thirds of their mail is spam.)
Only forms of spam filtration which do not permit the spammer to send the spam to your mail server can reduce the bandwidth cost of spam. In practicality, that means filters which apply to one or more of the following (in increasing order of cost):
(Note the SMTP envelope is not the same as the mail headers, which are part of the SMTP DATA. An SMTP server is permitted to reject mail before DATA, but is not allowed to drop the connection in mid-DATA. If you do not understand this, read RFC 2821.)
DNSBLs -- such as SBL, MAPS RBL, and SPEWS -- all apply to the IP address of the sending system. Domain-based rejection lists (which are not commonly published) apply to the DNS name of the sending system. RHSBLs, and relay checking, apply to the SMTP envelope.
Keep also in mind that one function of some (but not all) DNSBLs is not merely to filter out spam, but to discourage it from being attempted in the first place. By rejecting mail from networks which have proven themselves to tolerate spammers, we tell network operators that if they wish to be able to send us mail, they must kick off their spammers. It's their choice which they do; they just have to choose which is worth more to them: being able to send mail to sites that don't like spam, or being able to host network-abusers with impunity.
(Incidentally, you will find precious little sympathy for calling spam filtering "censorship". Censorship, as those who have experienced it understand, happens when some party uses violent force to stop a view or expression from being published by its advocates (at their cost). Spammers aren't trying to publish their views at their own cost and being violently restrained from doing so: they're trying to steal the use of others' equipment to publish their stuff.)
Re:Why content filtering is not enough (Score:5, Informative)
Sure, DNSBLs and other blacklists help. They should be used. The content filtering is just perfect for covering that last mile (if spam passes all the blacklisting mechanism). It _might_ deterr spammers from spamming, but I doubt it. Spammer notices that his last mailing bounced, and he uses another open relay.
If a spammer knows that Bayesian filters and Spamassassin/Razor type content filtering are widely deployed, it will act as a quite effective deterrant for sending spam. Maybe.
What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble. Of course many have closed their relays, but a lot still have open ones. Especially administrators in the Middle East and Asia need to be LARTed badly, since that's where 90% of my spam is relayed from. Once all open relays are killed, the spammer has only 2 alternatives, either set up his own SMTP, or use the one his ISP allocated to him. Both are easy to track and put an end to. The spammer would have to register for a new account and the more often that happens, the sooner his/her name will be blacklisted. Heck, if anti-spam laws are legislated, the spammer could end up in jail. Jail is the ultimate deterrent. There's nothing like the prospect of being assraped by Bubba to deterr spammers.
With respect to the "filtering spam is censorship" comments, well... Content filtering is my way of plugging my ears with my fingers because I do not want to know what you are trying to sell me/scam me into. The DNSBLs are a LART to teach the admins not to run an open relay.
Re:Why content filtering is not enough (Score:5, Insightful)
"If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing [netscan.org], and that applying the appropriate technical fix to mail servers would prevent it.
Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies [monkeys.com] are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.
Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.
As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kind of problems "crimes".
Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".
Third, there's also an social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.
By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO [spamhaus.org] (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.
Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.
As someone who pays for his bandwidth... (Score:2)
Speaking of spam, I wonder how much bandwidth all the spamcop reporting uses up.
Basically every piece of spam creates at least five times the bandwidth usage...
1. Send the full headers back to spamcop
2. receive a report link
3. visit the link
4. send reports out to X number of abuse addresses.
Re:Great, more censorship (Score:3, Insightful)
By the time the Bayesian filters are engaged, it's already too late. The bandwidth has already been wasted, and should some legitimate mail be rejected, your mail server is now obligated to return a bounce message which means tons of spam bounces will sit in the queue. The right time to block spam is when the SMTP connection first arrives, but before any mail is actually sent. I won't be doing it any other way.
Client-side filtering is NOT the solution (Score:3, Insightful)
While you may only check your mail from one machine, not everyone does. And most people don't have the luxury of setting up an IMAP server so they can access their post-filtered mail remotely. (I do, but a cable modem connection isn't the most reliable, so I often find myself having to read raw unfiltered spam-laden mail.)
Also, wireless access to email from cell phones (either "dumb" WAP browsers or "smart" integrated PDA/phone solutions) is becoming more common. Have you tried downloading 100 messages over a 14.4 connection, only 5 of which weren't spam? Have you tried sifting through 100 subject lines on a cell phone screen. (It's painful even on a Palm PDA screen like my Kyocera 6035's). Thanks to the proliferation of spam in my inbox, I cannot even THINK about using my wonderful phone for email, something which it would normally be excellent for.
It doesn't matter how good client-side filtering is (mine is a manually maintained blocklist, plus a few rules to detect malformed HTML that is always spam and fake Yahoo/Hotmail/Netscape addresses not coming from their servers.), the client still must pay for bandwidth, and in the case of wireless users, per-minute download time at 14.4 (Or in 2.5G systems like Sprint Vision and Verizon Express Network, per-kilobyte.)
Simply put, it costs the user money to receive spam, therefore something needs to be done about it before it reaches them. Server-side blocking reduces user costs in:
a) Download time/bandwidth for the mail
b) Storage costs on the ISP server that are passed on to the user in the form of higher fees.
These are both costs that cannot be negated with client-side filtering.
Re:Great, more censorship (Score:2, Informative)
Really? You mean blocking 995 out of 1000 [paulgraham.com] isn't "nearly perfect"? 99.5% seems pretty damn close to perfect to me...
Re:Great, more censorship (Score:5, Insightful)
(I'd like to point out that the link you provided claimed "0 false positives" which is exactly what I'm talking about.)
Re:Great, more censorship (Score:2, Insightful)
in case it gets slashdotted (AC,not karma whoring) (Score:5, Informative)
129.250.36.0/24 is listed on the Spamhaus Block List (SBL)
Nov 17 2002 - 15:3hrs GMT
Verio, Inc. Corporate Mail Relays
This SBL listing of Verio, Inc. corporate resources for Knowingly Providing Spam Support Services, is made with sadness on the part of the Spamhaus Project team because we know Verio has an extremely good Abuse Team and an excellent Acceptable Use Policy. We are certain Verio's spam problems are caused by greed-driven executives overriding the Abuse team and making a mockery of Verio's Acceptable Use Policy.
Things have gone seriously wrong at Verio. Verio is in management crisis and Verio's Sales management has made an unwise decision to generate additional cash by purposefully selling connectivity to well-known spam gangs enabling blatant spam operations to operate from the Verio network.
A number of hard-core notorious spam gangs run by spammers with criminal records for fraud or theft are now hosted knowingly by Verio, therefore the volumes of Verio-hosted spam have increased dramatically. Gangs including "US Health Labs" and "Cyrunner" (running two separate fake ISPs "UNIPXNET" and "IXXNET" off Verio with fraudulent registrations designed to misdirect spam complaints) are flooding the Internet non-stop in spam for "pre-teen-sex", "make-penis-fast", viagra, loans and mortgage scams.
Verio's broadband business unit's president is believed to have personally approved the sale of 100+ high-bandwidth lines to US Health Labs, knowingly for spam purposes. These are sales made knowing that US Health Labs, run by professional spammers Mike Cunningham and Andrew Amend, are a spam gang whose sole business and sole use of Verio's network is for the relentless and illegal spamming of millions of U.S. Citizens.
Another long-term professional spam operation, IMG Direct run by Steve Hardigree and Frank Bernal moved to Verio on 1 November after being thrown off Sprint. Another spam operation, Gordon Lantz, like the others thrown off almost all major U.S. networks, is about to go live on Verio having been approved and scheduled for installation.
With increasing alarm, the Spamhaus Project has watched spammers moving to Verio due to Verio Sales Managers knowingly doing business with notorious 'porn & pills' spam gangs. Spamhaus believes that Verio's CEO is ordering the Abuse department to disregard the AUP and that is a situation that, as well as illuminating a disastrous state of affairs for Verio customers and shareholders, is unacceptable to us.
This SBL listing of Verio's Corporate Mail Relays is intended to not impede the normal communications of Verio customers, but to concentrate boycott action on Verio executives. Executives who appear willing to supply Spam Support Services foregoing ethics and integrity in return for promises of larger line purchases from spam operations.
Email from Verio Corporate Mail Relays is currently being refused by 98 Million international SBL users. If you are currently experiencing mail difficluties due to this listing, please contact your Verio account manager/Verio Customer Support now. A Verio executive needs to contact Spamhaus.
SBL Listings of spam gangs hosted by Verio [spamhaus.org]
Verio spam complaints (current issues) [google.com]
The 'Cyrunner' spam gang (aka "UNIPXNET" and "IXXNET") [spamhaus.org]
The 'US Health Labs' spam gang [spamhaus.org]
Where does the money come from? (Score:2, Offtopic)
And then there's the penis enlargement . . .
So who *is* buying this stuff? And if they are that stupid, where did they get all that money?
Re:Where does the money come from? (Score:4, Funny)
Ironically enough, Solomon had 700 wives and 300 concubines (1 Kings 11:3 [gospelcom.net]). In other words, he had sex with strangers.
- Sam
Spam comes from unlikely places... (Score:5, Funny)
I replied with a cheap goatse.cx link. It went something like "Sure, I'll do it--but can you please check my [a href="http://goatse.cx"]website[/a] tomorrow--I will post a picture of an open door to indicate that you have been granted the go-ahead. If not, it will mean I need another day for my paperwork to be prepared. I have been having troubles with my bank lately, and they might be looking into me, but fortunately I have the right friends. I think email is much too insecure for this." I guess trolls do provide something useful for the community.
Re:Spam comes from unlikely places... (Score:5, Funny)
Haha, that is good, but I can one-up you on that... I've told this story recently in another slashdot thread but I'll actually post the guy's response this time.
Here is my response to the original spam:
Hello, Mr. Abu, it is wonderful to be doing business with you!
My name is James Kirk with phone#202-406-5850 and fax#202-406-5031. [these are the phone and fax number for the US Secret service electronic crimes bureau]
Company: Utopia Planetia Fleet Yards
Company Address: 33601 Lyon Street, San Francisco CA 94123
I look forward to receiving this money!
-James [yes, the james kirk name was inspired by the haxial.org thing]
The guy e-mailed me back and asked me to phone him on his private line. I looked up the phone exchange and it indeed was in Nigeria.
Then I got another e-mail from him an hour later:
Subject: WHY?????
Dear Kirk,
If you were not interested in assisting us, you sholud have kindly told us so
that we can look for another foreign partner who might be interested in
assisting us, instead of agreeing to assist, and giving the number of your
secret service for us to contact.
Why could'nt you be man enough to tell us that you are not interested.
Well, I wish all the best, as we continue our search for a reliable person
that will be genuinely intersted in assisting us.
He actually called it. I got some of the other scammers to fax their documents to the fax number. One guy e-mailed me back and said that the lady on the line didn't know of any James Kirk there. Teehee...
Re:Spam comes from unlikely places... (Score:2)
Re:Spam comes from unlikely places... (Score:3, Interesting)
adobe [trialware registration] or buy.com sells your addy to porn spammers. I've never actually gotten a nigerian money scam email, my dad is like "I get them all the time". Of course filtering html email and filtering the word "unsubscribe" in the body to trash tends to work really well for keeping yahoo free of spam.
Re:Spam comes from unlikely places... (Score:3, Informative)
Congratulations! (Score:3, Interesting)
I used to subscribe to a few filter lists on my mail servers, but the operators are such assholes about things that the lists are now useless, filtering out more valid email than bad (when you consider that a few intelligent local filters can eliminate 90% of spam).
Spam to spammers (Score:5, Interesting)
Re:Spam to spammers (Score:5, Funny)
Re:Spam to spammers (Score:4, Funny)
Hrm, isn't that John Gilmore's ISP? (Score:5, Funny)
Re:Hrm, isn't that John Gilmore's ISP? (Score:5, Interesting)
But they will sell to spammers.
Just set up your Baysian Spam Filter... (Score:2, Insightful)
Is that why spam in my Hotmail account has dropped (Score:4, Interesting)
Re:Is that why spam in my Hotmail account has drop (Score:3, Interesting)
Re:Is that why spam in my Hotmail account has drop (Score:3, Interesting)
Anyway, I used to plow through at LEAST three screenfuls of garbage at a time this way on Hotmail, but in the past few days, I've been doing only one screenload and getting all of it. So maybe something has happened.
Of course, it's going to come back very soon, so don't get too used to this. It's strange how we've sort of come full circle from being an agricultural economy and shoveling horseshit all day, to having an industrial revolution, and then computers, and worldwide computer networks, and after all this we end up still having to shovel mountains of horseshit around on a daily basis.
Re:Is that why spam in my Hotmail account has drop (Score:4, Informative)
Viro when did you lose your way? (Score:5, Informative)
Their anti-spam policies were so draconian that we had to move to exodus. When did they become pro-spam?
Re:Viro when did you lose your way? (Score:3, Insightful)
They have 1 center on the west coast, and another on the east in Virginia (in the tech corridor near DC). I've been to the one in Virginia and to the one in NYC, since my employer provides services to them.
About 2/3rds of the Spam I receive at home is from Verio or Exodus. Both are VERY cash strapped, although expect to see Verio doing a little better since they consolidated their hosting faclities. Although 99% of my spam is now cleanly filtered out before I read my Inbox, I know it must be taking a toll on my provider. Twice in the last week the mail server has ran out of disk space and quit accepting mail.
The major problem with these "opt-in" marketing programs is that you might agree to signing up to one list, and then they automatically sell your information to illegal spammers, who pound you with email and won't quit. I think its pretty obvious that tradional advertising doesn't work, but instead of laying off for a while, they either go the illegal route, or pervasive route. (ok, both are pretty pervasive) Advertising works to a degree, but at what point do you stop? Is there no means that a company will not go to market a product? This is obvious fodder for a discussion in ethics in business.
Re:Viro when did you lose your way? (Score:3, Insightful)
Personal information has become a cash commodity. Company's are doing whatever they can (legally, illegally, and pseudo-legally) to stay afloat. This just proves how bad capitalism really is if left unrestrained.
Spam for Collectionists (Score:2, Interesting)
I guess it was one of the most aggressive spamming campaigns I have ever been victim of.
Now, those who support these spammers will have to suffer the consequences. But, who will have to pay the bandwidth when my E-Mail Backup service provider come to tell me that I've reached the limit?
There ought to be a law... (Score:5, Interesting)
After all, it's really just a consumer protection issue: Verio claims to have an active abuse department, and is thereby misleading people who assume that spammers on Verio's network will be shut down.
Re:There ought to be a law... (Score:2)
Re:There ought to be a law... (Score:2)
I'm not USian, so I may be entirely wrong here... but isn't it possible to prosecute someone privately? Ie, you think they've broken the law, the police don't want to file charges, so you file them yourself (and take the place of public prosecutor)?
It would be perfectly good enough if third parties could take an ISP and a spammer to court and get the court to order the ISP to enforce their abuse policy.
Re:There ought to be a law... (Score:2)
IANAL--but I don't think so.
Unless the crime is also a tort against you, I don't think you have standing to sue.
However, if you're harmed by the crime and the DA doesn't prosecute--and they've got ample evidence to convict--you might be able to take the DA to court to force the issue.
'course, that was something I saw on Law & Order, so i have no idea if it's true or not...
It would be perfectly good enough if third parties could take an ISP and a spammer to court and get the court to order the ISP to enforce their abuse policy.
If you get spammed via an ISP's misconduct and suffer damages (lost work, wasted time, etc.) you probably have standing to take the ISP to court to force them to properly secure their system.
Unfortunately, if you've got the kind of money/time to be taking ISPs to court for a nuciance, you probably can just get real spam blocking installed...
Re:There ought to be a law... (Score:2)
What would happen if spammers were forced to add a "Precedence = spam" (P=S) (or something other than "bulk") line to the mail headers?
I think there would be two immediately helpful results:
An ISP could say in its user agreement that one could send spam from their servers as long as it contained a P=S header line. Or there could be a law on the books requiring spam to contain the P=S header line. I feel this is good because it does not make spam illegal (I feel that would be going too far and would probably be too hard to police) but it does make it manageable.
With this in place, ISPs could easily manage their spammers and their spam. Users could easily manage their incoming spam, and miscellaneous routers all across the internet could easily dump spam trying to take up precious routing time.
Of course, this has its shortfallings. It would only apply to spam coming from ISPs with such rules and from jurisdictions under such laws. That said, I bet it would significantly cut down on the amount of spam, and the locations where such spam could originate from.
So, am I making sense or being ridiculous?
Re:There ought to be a law... (Score:2)
1. Joe Blow, who doesn't want to see anything but the e-mail from his family, will learn to filter out all that spam via that spam precedence.
2. All isp's will halt e-mail at the routers, seeing as it churns up bandwidth better served servicing their customers.
In the end, it would be a crap shoot. Spammers just wouldn't put the proper (whatever) in the headers.... kind of like when people rip a cd, they quietly ignore the copy-protection bit...
Re:There ought to be a law... (Score:2)
be useful, then some spammers would stop using it.
And some desperate ISP would serve them, and we'd
be right back where we started.
Re:There ought to be a law... (Score:3, Insightful)
Are you on crack?
The whole thorny issue with spam is that it's hard to stop. If it were as simple as requiring that "spam" have a special identifier it would have been done long ago. There are three major problems with this:
What you're suggesting is equivalent to making a law that any pool-shark warn the people he plays that he's a pool-shark. What would happen? Would pool-sharks actually start telling people "I'm a pool-shark, and I'm required to warn you of that before we play, still want to play?" No! They'd just find a way around the law by becoming "secret pool teachers" or "very lucky players".
Re:There ought to be a law... (Score:3, Insightful)
Am I on crack? Not to my knowledge. But is this a crazy idea? Absolutely. Remember the Niehls Bohr quote "We are all agreed that your theory is crazy. The question which divides us is whether it is crazy enough to have a chance of being correct."? Hell, if there's any place to place crazy theories, it's slashdot.
Eh, I wasn't attempting a Megan's Law type of approach (the law which requires sex offenders to notify those in their neighborhood of their crime, conviction, and where they live). Changing labels is tough to deal with. Here's my approach:
If there were a blanket law, it should be that ISPs must deal with any user which has more than X unique complaints concerning spamming by either cancelling the account, forcing a P=S flag onto all their outgoing email, or making sure the user stops spamming by other means left to the ISP. This really only leaves the ISP with two options, and forces users to either not spam or spam with a P=S flag if they're using one of the ISPs under the jurisdiction of the law.
Now this does two main things. 1) It shoves enforcement to the ISP, after all, it's the ISP's user which is spamming, and what the ISP can do is clearly outlined by the law. Just dump the user if you don't want to deal with their spamming, you are allowed by law. 2) It would set up "rouge" ISPs which don't adhere to the law. If you know which ISPs allow spamming, they're easy to block, so this really isn't a large problem.
But here's my problem with the method: it feels too much like the Scarlet Letter. The circumstances are a bit different, but forcing someone (or something, even email) to have a unique identifier so you can identify it as something you might want to avoid is a very sketchy idea. It's also probably not constitutional (equal protection... even for spammers?).
That said, I think there is something to be said for my idea. It is flawed in certain areas (I still haven't given a good answer about enforcement of the laws/rules). It still lets spam flow freely (which I feel is a good thing) but gives people the ability to quickly filter it out. It still only affects spammers under its jurisdiction. If it worked, I'd be willing to be that somewhere between 70 and 85 percent of spam would be marked as such. And even if those numbers were lower, it would drastically reduce the amount of unwanted spam people got, as well as making it much easier for spam to be dropped at routers all over the internet (thereby alleviating the costs incurred by spam on so many systems).
Hell, it's just a crazy idea.
DNS Question... (Score:2)
I will conclude by noting that the ixxnet.net autonomous
system was created on 25 july 2002, so it is now in its
third month of life; and that the ixxnet.net DNS seems to
have been put together by the same incompetent that
configured dialnil.com DNS (hint: MX).
What excatly is so incompetent about the DNS configuration? I did a host -t MX ixxnet.net and didn't see anything out of the ordinary?
-Lee
Re:DNS Question... (Score:2, Informative)
from a dig mx ixxnet.net:
ANSWER SECTION:
ixxnet.net. 1H IN MX 5 mail.ixxnet.net.
ixxnet.net. 1H IN MX 4 66.25.224.10.
And from a dig mx dialnil.com:
ANSWER SECTION:
dialnil.com. 59m51s IN MX 4 216.21.32.14.
dialnil.com. 59m51s IN MX 5 mail.dialnil.com.
RFC 1035 - "Each MX matches a domain name with two pieces of data, a preference value (an unsigned 16-bit integer), and the name of a host."
http://www.isc.org/ml-archives/bind-users/1999/
Spamhaus slashdotted! (Score:2, Funny)
stop this slashdotting immediately!
Screw more laws, just ban IPs via smart networks. (Score:2, Informative)
And, as ISPs, we simply have to monitor our resources more carefully. If we detect a lot of broadcast activity (i.e. outbound SMTP traffic) we're notified and we investigate. We collaborate.
Real technology can block spam. Laws and crap like Spamcop just make more red tape and are half ass solutions.
A temporary fix (Score:3, Insightful)
I honestly believe that the only way to free ourselves from spam is intellegent filtering. Making it illegal will only cause the spammers to move overseas, if they even notice the law at all. The internet is far too large an entity to make a difference by blocking the IP addresses of spam-friendly domains. It won't put a dent in the real problem.
Re:A temporary fix (Score:4, Insightful)
Yeah, it's cat-and-mouse, but eventually the mouse will run out of places to hide. There are a finite number of backbone providers in this world.
Heh (Score:2)
Spammers (Score:5, Interesting)
ISPs need to realise that if they're not going to do anything about it, they'll be blocked. This happened to us years ago when the ORDB started, and we fixed the problem immediately. We didn't think they were being nasty to us, we realised we had a problem, and we set about fixing it. When ISPs get globally klined from IRC networks, their customers want to know why, and put pressure on the ISP. They listen and respond.
This is no different. If yer gonna be a spammy host, prepare to be blacklisted. Reponsible, rigid, no nonsense, targetted policies are the only thing that will have ANY effect, and even they won't STOP all spam. But it sure helps.
Breaking things is not fixing the problem. (Score:3, Insightful)
We need a new solution folks, and blocking large portions of the net will not fix the problem. If you want to make *all* spam to go away, you need a different form of a solution because you can't block everyone who might want to legitimately talk to you. This decision will certainly block a whole slew of legitimate users from speaking with each other.
I'm thinking SMTP needs to be entirely rethought. Unfortunately, this isn't practical either as it'll have the same effect as deliberate breakage during the transition. (hence the reason we don't have ipv6 yet either).
Re:Breaking things is not fixing the problem. (Score:4, Insightful)
What if the someone that wants to talk to you just wants to sell your something? Or what if they want to convice you to change your opinion about something. Or what if they want to just reply to your Slashdot posting privately? How are you going to tell these apart?
The problem with spam isn't really the message. If I were to get in my mail box precisely and exactly the information I was interested in, I wouldn't have any problem with it. Maybe I would be interested in visiting just the right kind of porn site. Maybe I really would like to enlarge my penis. Maybe my printer really has run out of ink. Maybe. Maybe NOT.
But this is a hard thing to work out when you are dealing with content. For example, I often post on mailing lists or USENET and for many, I do get private replies (and spam, too). It's reasonable to assume that if you post, you've invited a reply (unless you say otherwise). But a "reply" to a posting about what I think should be in the next version of some standard should not be asking me if I need more golf balls. That's just plain off topic. Still, I have gotten replies that are completely ON topic, yet are sent by someone that is a total moron and not worth reading and a total waste of my time.
The real problem with spam isn't the content at all. The real problem is the way it is delivered, and the way it is determined to whom it is delivered.
TV commercials, radio spots, newspaper ads, and web banners, are what I call gatewayed advertising. What that means is that someone (the TV station sales department, the newspaper advertising department, or CmdrTaco while trying to get more revenues for Slashdot to keep it alive and pay for the kind of bandwidth that would create a Slashdot Effect on most web servers) is the "gateway" into the media where the advertising is presented. You don't get to put a TV commercial on without paying the TV station for the time. As much as I dislike most commercials (some I do enjoy the first time around), I also know they pay for, or in some cases at least help pay for, what I am receiving. But the whole point is, it's not going to get out of control because there is someone acting as the gateway. TV stations know they will lose viewers if there is 50 minutes of commercials every hour. CmdrTaco knows it would ruin Slashdot if every page were plastered with dozens of banner and box ads totally obscuring the content. And even if they did do the wrong thing and ruin it, I can change the channel or go to another site. There isn't a scaling issue here for these media.
But with spam, you can't change the channel. You can't choose to visit another site. And worst of all, it's not paying for a damned thing you receive.
We can make a comparison of spam with telemarketing and fax ads. Neither of these really pay for anything you receive. While it may be argued that telemarketers keep the cost of phone service down by providing more revenue for the phone company, this isn't really true. Most telemarketing actually takes place at the peak times that phone networks are busy, so the phone companies just have to scale up to that level of business. They aren't getting new revenues, and you can be damned sure that telemarketers are not paying an extra premium to the phone companies to help lower your phone bill (there are plenty of scumbags in that industry that would find ways around that).
Another comparison is with ads you get in snail mail. It doesn't really pay for anything you receive (they get huge discounts from the Postal Service for bulk packaging them so the delivery guy doesn't even have to check the addresses). But while these are annoying and a bit of a problem, it's not something that's going to grow exponentially from here because there is a "gateway" of cost. Those leaflets you get on your windshield are much the same. It's a pain to have to reach over and grab it and throw it away, and again, it hasn't paid for anything you receive. But like bulk snail mail, there is cost and someone has to roam around sticking them on.
The problem with spam isn't the content, it's that so much can be delivered so fast and to so many people that there is in effect NO GATEWAY to this. And as bandwidth gets cheaper and cheaper, and servers get faster and faster, you and your delete key will have to just work harder and harder to keep up. No wonder people are working on automating things to delete spam. And it just escalates.
So yeah, we do need to be able to continue to communicate, and this also needs to include advertising where appropriate. But there needs to be some kind of "gateway" to control it, to make sure it doesn't get out of hand, and to make sure the decisions about how much to send and to whom to send are decided on properly. And this also includes making sure it is sent to the proper email address for those of us with many (if you own a domain and have set it up so that any name on the left of the at sign works, raise your hand).
There will always be those who think it is their right to communicate with everyone. But, yet again, the issue is not about the message, but instead is about the methodology. Email is not a broadcast medium and should not be treated as such. It is a one to one communication medium. And I translate that to being a person to person communication medium. So if you want to communicate with me, you need to at least be a person, and not a machine running some spamware. Maybe SMTP needs a rethought. Or maybe not. I've thought about it and don't really have any answers (yet). But I do think the ultimate solution is going to end up having to be something that proves that it is a person who communicates with me, and gives me as much of their time in sending me the message as it takes from me to read it or listen to it. We need to find some way to communicate that does not allow the sender to automate it without that message being tagged as automated. That is the real problem with spam ... it's so impersonal ... it's all automated.
Re:Breaking things is not fixing the problem. (Score:3, Insightful)
Spam source (Score:2, Interesting)
How likely is it that the spammers get gobs of bandwidth and turn around and relay off of verio's mail servers? Isn't it *much* more likely that the spam is being sent directly from the IP addresses assigned to or owned by the spammers?
Unless I'm way off base, I think this is more a punative measure against verio than a real reduction in spam.
And yes, I do support blacklisting.
Making fun of spammers (Score:2, Funny)
100 million mailboxes protected? (Score:4, Informative)
Here's hoping this group is more responsible than SPEWS. With that (likely bogus) figure being announced, I doubt that they are.
Obligatory pitch (Score:5, Informative)
This solution doesn't do anything about bandwidth (since you will still get the same amount of spam traffic at your mail port), but it's a fuzzy-warm feeling to be in control of your own mailbox for once.
Not My Bandwidth (Score:2, Interesting)
"But," you say to me, "local filters are much better because you might not lose legit email!" I ask you: why should my mail server accept their stupid junk and waste my bandwidth just to filter it out later?
I don't want to my server to accept it. I want it bounced outright with a nice little bounce message. In a happy shiny world, I'm hoping these SMTP rejects will send a message to someone out there. It probably doesn't make a difference, but I can dream.
Yes; some legit email has been blocked. In both cases I'm aware of, the person contacted me through a hotmail account and brought it to my attention. I altered my blocking policy at that point.
I'm open to any options out there for filtering/blocking that does not require me to download it and then filter it. If I wanted to just filter my mail, I can do that using my amazing human brain (better than any spam filter out there, I assure you) and click "delete" on the spams. But I want it rejected outright from known sources.
So until a better option comes along, that's the way it is.
~Seth
About theft of service (Score:4, Interesting)
I support and believe the position that spammers or other unauthorized users of a system that I own are stealing services from me. I further believe it is OK to block their traffic from crossing my equipment.
Now, let's look at this from the telemarketing perspective...My phone at home is one of those models that has a wall wart. I believe when the phone rings, or is in use, it draws more current. So, when a telemarketer makes an unsolicited (and unauthorized) call to my phone, does that mean they're stealing my electricity? What about my most valuable resource, my time? Are they stealing my time?
I hate spam just as much as the next guy. And I don't believe ignoring people who cause a nuisance infringes their right to free speech. I do however believe the "telemarketing" lens will be used by the Judicial System when examining these issues. Sooner or later, these spammers will mount a constitutional challenge to anti-spam legislation. Well, if they are making that much money, anyway. They may not even need the money for such a battle, it seems the EFF just might take up their cause.
Some things (Score:3, Interesting)
As to your time, well, all sorts of things "steal" your time and and thus far that's not something that you have any recourse for. Besides, you waste plenty of people's time too, it's just how things go.
The big difference between telemarketing and spam is who pays the cost. When a telemarketer calls me, I don't pay a thing, even if I do choose to answer the phone. They pay all associated long distance charges, my line costs me the same amount no matter how many calls I recieve. With SPAM, it is other peopel that foot the bill. The spammers order mail servers to send out thousands of messages, which uses tons of bandwidth on their ISP, and all the recieving ISPs. I work at a university and the amount of bandwidth used to SPAM is not trivial.
This is why telemarketing is not allowed to a cellphone (in the US), you have to pay for all calls including those you didn't initate, so people aren't allowed to make sales calls that would cost you money.
Also telemarketers tend to be much less persistant and much less fraudlent than spammers. Every time I've asked to be placed on a do not call list, the telemarketers have complied (because I can sue them if they don't). Also, all the sales calls I get are really offering me a legit service. When Sprint calls me selling long distance, they will make good on the offer if I want. At least 40% of the SPAM I recieve is totally fraudlent, and spammers don't know when to quit. I have recieved over 10 SPAMs per day for the same thing, form the same company. The only telemarketer I know that tried that receantly is the Miss Cleo service, and they got shut down and fined millions for it.
loosen the floodgates (Score:3, Interesting)
Bet we'd see some real legislation and enforcement then, eh?
One solution for spam in your inbox (Score:5, Informative)
This works best if you own your own domain name and can create multiple pop boxes. It's still doable using regular email accounts, however.
Step 1: Change your email address to a previously unused address at your domain. Test it for a day, verify no spam is coming in to that address.
Step 2: Email all your trusted friends, relatives and business contacts your new email address.
Step 3: Remove your old email address links from your website and replace them with a feedback form that emails an unrevealed throwaway secondary address using your favorite web -> email gateway scripts.
Step 4: Create a bounce message at your old address, with a link to the feedback form, for all the people you forgot to email about your new address, and for people who want to contact you through your old address as they have found it on google searches or other archived postings, or your old business cards, etc.
Step 5: Receive both the new email address and the feedback form submissions on to your local mail reader. Filter them in to seperate directories. Give out your real, private address to feedback form users once they've verified themselves as being legit. If not, have a throwaway identity you can talk to them through. (the email account that the feedback form mails to) If you start getting spam at that address, simply change it.
Step 6: When you make public postings, post the feedback form URL instead of your email address. When you have to give your address away to commercial websites to sign up or download things, give them the throwaway address, or create a third address for legitimate online companies and filter that into a third folder for "commercial website email" If that get compromised by an unscrupulous business, change it. Still doesn't affect your primary private address.
You can receive the two or three addresses all at once with any modern mail reader, and filter them into folders. I personally use Eudora.
This is a really easy thing to do if you can stand changing your email address. I've had the same address since 1995, so I get about 150 spams per day. I have a filter that gets rid of most of those, but that's local and I still take the bandwidth hit, and about 20% of them get to my inbox still. Rather than try to over-filter and get a false positive, I think the above solution is a worry free and clean way to make a break from spam.
---Mike
Lower-level solution: A new protocal (Score:3, Interesting)
That could speed things up a lot.
And now a future timeline:
-Terrorist groups note that many routers are dropping "advert" spam before they reach the mail servers, start sending messages with the "advert" bit set, thus avoiding detection by bugs in mail servers
-Government catches on, starts paying close attention to posts with the "advert" bit set
-Advertising is outlawed after Bush calls the advert bit "evil"
Re:Do so, do not (Score:2, Insightful)
ad nasuem..
Re:Good (Score:3, Insightful)
Yeah.. legal, probably. After all, it is a down economy. I would not be suprised to see Spamhaus served a cease-and-desist before Verio does the Right Thing and starts punting luser spammers.
The admins & abuse people are the ones at Verio really taking it on the chin. I can only imagine the vitriol pouring in their mailboxes and publicly on forums like nanae.
-fester
Re:Good (Score:5, Insightful)
Luckily, the spamfighting community has a great deal of experience with such misbehavior. The slang expression among spamfighters for a sender of baseless legal threats is "cartooney", as in cartoon + attorney. Spammers send these out by the boatloads when their delusions suggest it will get people to stop trying to block their thefts.
Steve Linford, the operator of the SBL and ROKSO (and known in China as Stiff Linefeed) is a long-time anti-spam veteran, and has a great deal of support from others such. If Verio tries to harangue, hassle, or hornswoggle him into falsely removing them from SBL, he will have dozens of clued and supportive people on his side. If Verio files suit, Mr. Linford will have a substantial legal defense fund faster than you can say "Canter & Siegel".
Re:Good (Score:3, Informative)
In fact, they already tried the same stunt on Ron Guilmette of monkeys.com (threatened legal action when Ron expanded their listings on his system). Within (probably) minutes of the word going out on the newsgroup, many SA's, myself included, started asking for lists of Verio's IP ranges, and inserted those lists in their private blocklists.
In short: If they threaten legal action against people who are doing nothing more than expressing an opinion (in the form of publishing lists of IP addresses they think are contributing to the spam problem), and taking steps to protect their private property (by checking incoming mail connections against that same list, and selectively blocking the unwanted stuff), they're only going to dig themselves deeper into their existing hole.
Verio is second only to UUNet (also known as 'SpewSpewNet') for harboring spammers. They need a wake-up call like nobody's business. If Steve's listing doesn't do the trick, I don't think anything else will.
Re:Good (Score:5, Insightful)
The goal of the blockers is to eliminate commercial use of the Internet.
This is absolutely untrue. The goal of the blockers is to stop spam and abuse of the network and reclaim it from those who think that merely having and email address is an invitation to get spam.
dave
Re:Good (Score:2)
Indeed it is. An ISP is private property. The owner of the ISP has the right to exclude people from that property for pretty much any reason (with a few specific exceptions, such as laws against discrimination based on ethnicity, religion, etc). QED.
We would *love* to sue the people that have wrongly blocked us
Would you also love to pay the defendant's court costs plus punitive damanges for wasting the court's time with a frivolous lawsuit?
The goal of the blockers is to eliminate commercial use of the Internet.
If you don't want to be perceived as a cartooney spam apologists, you really need to avoid the tired old cartooney spam apologist cliches.
Comment removed (Score:4, Insightful)
Re:Good (Score:2, Interesting)
If you are blocked, you aren't getting off in a reasonable time, at least reasonable for the Internet. It might be reasonable for a 1850's pony express route.
The goal of most spam blockers is to eliminate commercial use of the Internet. This is the only way they can succeed. Any commercial use of the Internet is going to involve some level of what these people claim to be "unsolicited" email. And, once you send that you are a spammer.
Oh, and don't forget. If you claim not to be a spammer and put every effort into not spamming anyone the result is simply that you are lying. You can't prove you don't spam and everyone knows spammers lie. If everything you say is a lie, what is the point of discussing anything?
Yeah, I'm bitter. We got unblocked yesterday. We don't spam, but plenty of customers are wondering why we were silent for four days. Some just want their money back now.
Re:Good (Score:5, Informative)
Actually, most "spam blockers" work for organizations which commercially use the Internet. They are mail administrators for ISPs or other companies, which have directed them to reduce the impact of spam on their businesses -- to cut costs or to improve service to customers.
Spam isn't commercial use. It's criminal use.
Re:Good (Score:2, Insightful)
I define commercial use as trying to sell a product on the Internet and communicate with customers. You send one single email to an unconfirmed email address and you can be blocked for days. Do that enough and you are out of business.
I wish the Internet could be a commerce-free zone sometimes. But it is an incredibly easy way to communicate with people and offer products and services to them. However, the spam blockers want to make sure that email cannot be used to send anything that is considered to be "unsolicited". If it has the word "sale" in it, it must be unsolicited - who would ask for something like that from a friend?
You purchase something and we send a confirmation to the email address supplied. If it happens to be a joker that gave us a "spamtrap" address, we're blocked. Don't bother saying it doesn't work that way - we just got unblocked from that happening.
Re:Good (Score:5, Insightful)
No, I don't. I define it as the use of the Internet for commerce, which is to say economic activity between consenting traders and investors -- what my left-wing friends would call "capitalism". I don't consider your sending of unsolicited advertisements to "an unconfirmed email address" (how many was it really?) to be commerce. I consider it to be spamming.
You admit sending commercial email to an unconfirmed email address (how many addresses?), which turned out to belong to someone who had not solicited your message. By the usual definition of spamming as "unsolicited commercial email", that means that you admit to having spammed.
The techniques for operating confirmed mailing lists are not new. Mailing list software to operate confirmed lists has existed since well before the "e-commerce" boom. Thousands of businesses use such software. They operate confirmed, solicited commercial mailing lists ... and they don't get listed as spammers.
It sounds to me, from your description of the situation, like you failed to do due diligence, failed to take advantage of the information resources available to you -- and as a result, you spammed. In that case, the folks who listed you as a source of spam were telling the truth, weren't they?
Hey, I'm just working with what you give me. If you'd like to point to a published record of your exchange with the list operators, please do so. A Google search link into NANAE, if that's where the exchange took place, would be more than adequate.
How many addresses did you spam, again?
Re:Good (Score:3, Funny)
Yeah, and you take one thing from a store without paying for it and you can get arrested for shoplifting. Life just sucks sometimes.
Re:Good (Score:3, Interesting)
And what would it have taken to confirm that address? Perhapse ensure that you weren't opening yourself, and some unwitting third party, to abuse?
Re:Good (Score:5, Informative)
Actually, having just tried a demo of CD-R Diagnostic (an excellent program, btw), I'd like to point out that you send FOUR. Two in quick succession when the demo is downloaded, one three days later, and one five days after that.
The last e-mail says that you delete all evaluation e-mail addresses after 14 days, but the others give no indication of when it will end, there are no remove instructions, there is no explanation of how you got my address, etc. If I got this because someone typed in my e-mail address, I'd probably report you too. You should read up on the Ten Rules for Permission-Based Marketing [messagemedia.com].
Re:Good (Score:4, Insightful)
No. Email has _never_ been completely reliable. There is nothing in the RFC [livinginternet.com]s that guarantee delivery of every email.
Spam on the other hand, makes email _more_ unreliable because of the unwanted volume of it. Spam blocking is a means of reducing that volume.
No. Consensual commercial email usage is preferred. Unsolicited and unwanted email in volume is what we seek to eliminate.
Funny how you need your services blocked before you actually take responsibility for your mail server. Now had you been a competant and responsible administrator, you probably wouldn't have been on a block list in the first place.
Re:And They're off! (Score:3, Funny)
"It looks like this could be a photo finish, or an oil painting..." Spike Jones, "A Day At The Races"
The problem is, everything on the track right now is a dead horse. Worse still, these horses are being beaten by jockeys with really big... bank accounts, so they'll somehow manage to win the race every time, leaving the long-standing dark horses "customer service" and "viable communications option" in the dust.
HE.net included? Surprised! (Score:4, Interesting)
I do know that one of their employees handling spam complaints did give me a reason to pause once -- she initially accepted a spammer's response, but that action was reversed as soon as I challenged it, and the customer was terminated, and I was sent an apology making clear that this was a mistake, not a new spam-tolerant policy at the company. Later complaints were promptly and properly handled.
I believe that at least three he.net customers were terminated in the past year due to complaints I submitted. (And I was a lowly $200-per-month colo customer, and at least one of the terminated customers was much bigger.)
If he.net is leaving the door open to spam-cartels, despite warnings, then of course they should be blacklisted. I just find that harder to believe. In contrast, my experience has been than Verio is extremely spam-tolerant, even balking at terminating Spamford Wallace (they finally relented and cut him off, which resulted in his filing a frivolous lawsuit against me, costing me $5,000 to get the suit dismissed). All my more recent spam complaints to Verio have gone unanswered, and I know I have several Verio IP blocks already on my filter list, though I haven't blocked all their IP addresses.