Domain: mail-abuse.org
Stories and comments across the archive that link to mail-abuse.org.
Comments · 237
-
Re:TeleGlobe and the MAPS RBL!?!
"While I might believe that they offer it as a service to some of their customers, I just can't see one of the world's top five IP carriers [Teleglobe] refusing to route any part of the Internet."
Here's their part of the traceroute from the Slashdot submitter from Greece who reported being unable to access www.macromedia.com. This is as reported to me on Friday, after macromedia.com was taken off the RBL:
5 310 ms 311 ms 250 ms oteny-otenet2.ote.otenet.gr [194.153.81.13]
6 311 ms 310 ms 310 ms if-2-0-0.bb3.NewYork.Teleglobe.net [207.45.199.225]
7 300 ms 311 ms 310 ms if-3-1.core2.NewYork.Teleglobe.net [207.45.221.98]
He also reported that many of his friends in Greece were unable to access the site, writing: "Every person in business (I am web developer/designer) couldn't not see Macromedia server for the past 4 days. They 'see' internet from different ISPs. I am very certain." This meshes with your pointing out that Teleglobe often is the primary access provider for entire countries.
Teleglobe is a licensed subscriber to the RBL, but as for whether they use it to block traffic other than mail, a quick Google search on "teleglobe MAPS RBL" turns up good leads. See e.g. "JANET, Teleglobe and the RBL," in which one of Teleglobe's clients -- itself a well-known internet provider -- explains to its own customers the situation which has been forced upon them:
Does this affect things other than mail?
Yes. No connections of any kind will work in either direction between JANET and a blackholed address -- not Web, FTP, telnet or anything else.
On another page, they hopefully claim "it is not likely that any valid use of JANET requires access to such networks." Well, maybe that page needs to be updated.
You see why I think this is important?
Jamie McCarthy
-
RBL is largely useless, use RSS instead
When sendmail receives a connection from a client on the RBL, it logs the rejection, giving this reason:
reject=553 Mail from 209.210.138.47 rejected;see http://mail-abuse.org/rbl/
When it receives a connection from a client on the RSS, it logs this reason:
reject=553 Mail from 203.167.121.7 rejected;see http://mail-abuse.org/rss/
Checking my logs for the past three days, I find the following:
# grep '/rbl/' syslog* | wc -l
17
# grep '/rss/' syslog* | wc -l
2018
#
So why bother with RBL anymore, especially in light of the recent revelations about the operators abusing their position of trust? It doesn't do the job, and the criteria for inclusion have become highly subjective, even prejudicial.
In contrast, the RSS - while operated under the aegis of the same people that run the RBL - has completely objective criteria for including addresses, which anyone is able to verify if required. It also stops a hell of a lot more email than the RBL.
-
Re:Now wait a minute...
They are getting their RBL feed via BGP. They are setting their routers to send those packets to null0.
-
"Consensual" indeed
Considering I've been harassed by email, by an on-duty MAPS employee, using MAPS own mail server, and had to ask for their lawyer's contact info to get them to force him to stop, I'd have to say their entire line about "all communications must be mutually consensual" (at http://www.mail-abuse.org/lawsuit/) is so much bullshit.
They have an agenda, all right, and it seems to have more to do with silencing opinions they don't agree with than anything to do with what normal people call spam.
-
Re: Mailing list subscription confirmation
FWIW, I emailed my concerns (as described in the above comment) to Ted Gavin, the principal author of RFC 3098. His response was that he and the other authors are in the process of amending this RFC to bring it into closer alignment with the MAPS guidelines and with RFC 2635. (The latter is an earlier RFC discussing mailing lists and spam.)
Just goes to show -- people do listen.
-
Mailing list subscription confirmation
RFC3098 describes a procedure for "confirming" mailing list subscriptions which does not in fact require confirmation of subscriptions, and thus leaves open a wide avenue for abuse.
The RFC gives an example of a "confirmation message" which informs the recipient that s/he has been subscribed to a mailing list, and gives instructions for unsubscribing. This is not what modern mailing-list management packages (such as GNU Mailman or ezmlm/idx) mean by a "confirmation message". These packages require that a user confirm by email that s/he wants to be on the list before adding the user to the list proper. The RFC allows that the user be subscribed first, and have to take action in order to unsubscribe.
The problem should be obvious: If you have to take action to unsubscribe from a list you never asked to be on, then your mailbox can still be flooded with list email before you have a chance to get off the list. You can be subscribed without your consent by a hostile party who wants to mailbomb you. (This is more common on badly-managed mailing lists than you might think.)
Spammers today already send out (fraudulent) "how to unsubscribe" messages, whereas well-managed mailing lists require active confirmation. An RFC on how to avoid being, or looking like, a spammer should recommend that one follow the methods of the best-managed legitimate mailing lists, not those of the spammers.
I would suggest that anyone interested in responsible mailing-list operation check out the MAPS Basic Mailing List Management Principles for Preventing Abuse. A mailing list which follows these rules will be much more resistant to abuse than one which strictly follows RFC3098. Moreover, a list which strictly follows RFC3098 and which is abused will qualify its site for the MAPS RBL.
-
Realtime Blackhole Lists
Since pretty much everyone who gets email gets spammed every now and then... You can help everyone else by submitting that information to RBLs.
Realtime Blackhole Lists tell your MTA if the sender is acceptable based on a DNS-type query. The two that I know of are Mail-abuse.org's RBL and ORBS.
There is some concern that things get denied accidentally... But at this point, I would rather risk losing 1 piece of mail every now and then than be bombarded with 20 spams a day.
-
A change in focal point
Although I don't object to fining spammers or even hurling them to a fiery death, I think there's a better solution. Why not concentrate on stopping spam at service provider level? What I mean is that more service providers should focus their energy on upgrading their SMTP servers. There has been some great software written. Check out http://www.mail-abuse.org. I think this would be a safer first step.
The only statement that cannot be questioned, is that every statement can be questioned.
-
The other RSS..
When I first saw this post I thought it was about the RSS, as in Relay Spam Stopper. It's responsible for the lack of spam in my inbox..
:)
(go ahead, offtopic, blah blah..)
zsazsa
-
A network admin's view on spam
I dislike spam however I really and truly hate the following types of spam or Spammers.
- The spammer who thinks it is funny to try and send email to every name@your domain that's in the humongous book of baby names.
- The spammer who sends the email that says "Here is the information you requested".
- The spammer who continues to send to the same email address every six hours although they get a User unknown message.
- The Spammers who put click here to remove then when you do sells your email address as verified to all the other Spammers.
- Finally The spammer who will not take a hint when they see "Reject: 553 go spam someone else" on every email they send to your mail server
I will point out however that to seriously cut the amount of spam your mail servers see as a whole nothing beats mail-abuse.org..... The DUL blocks 33% of spam. The RBL blocks roughly 5% and using the RSS blocks 50% of the monthly spam. All three are well worth the time to install and use.
--
When I'm good I'm very good, when I'm bad I'm better, But when I'm evil you better run :P
-
Re:For Immediate Release
Sounds like AOL started using the DUL on their incoming mail servers. I really can't say I blame them. I use the DUL on my servers, basically because a good bit of spam these days is done via Direct-to-MX (ie. spammer dials up and uses a proggie to send mail directly from their computer to their victim's mail server). Blocking dialups is a quick way to deal with this problem that doesn't block too much legitimate mail.
There's always a tradeoff when you use a list like this for blocking spam. Obviously AOL decided that the spam that would be blocked outweighed the legit mail that would be blocked. And I'm fairly certain that it was a very small percent of legit mail, because I know firsthand the process that this type of decision would have had to go through before being implemented. However, I really don't think it makes them a bad Internet citizen. It's a business decision, plain and simple.
-Todd
---
-
Re:CLOSE YOUR RELAY FIRST
waldoj already addressed someone else that was confused on this point:
Well, I'll say it explicitly now: this is mail to local users. You're right, it would be stupid of me to permit relaying so, of course, I don't allow it.
The issue is not having an open relay. Someone is sending mail to his site, and is guessing at valid addresses at his site. For example, someone might start sending mail to jim@tempestuous.net, mary@tempestuous.net, dorzak@tempestuous.net, bart@tempestuous.net to discover that dorzak has a mail account.
Last I heard, MAP [sic] doesn't sue, MAPS wants to be sued
-
you could block dial up users
by using the MAPS Dial-up User List
assuming the spammers are using dialup this would force them to use a relay server (that is not listed as a dial up ip) to get mail to you, which most legitimate users mailing you would already be doing.
of course if they use an open relay you're back to square one, but this is a decent first step.
-
Re:For more info
Yeah, that MAPS.
But if you can't send mail direct from your machine to someone else's MX without using your ISP's mailserver, as is the case in your complaint, that's not MAPS' doing. It's either your ISP's decision, or the decision of the receiving system that they don't want mail direct from dial-ups.
Are you telling me you can't add
define(`SMART_HOST', smtp:my.isps.mail.host)
to your sendmail.mc file, that that's too inconvenient?
In any case, take it up with the receiving system admin, not MAPS. MAPS simply provides a handy list of dialup IP ranges.
-
Re:Who is talking about modems?
I pay for a connection to the Internet. If I can only send mail via to designated servers, then I don't have a proper Internet connection.
...
Who died and made Paul Vixie King of the Internet?
Sounds like you have a problem with your ISP, not with Paul Vixie.
What MAPS does is keep a database of dial-up IPs. These are supposed to be the kinds of IPs that are used by spammers: re-assigned with every new connection, so they're hard to block. If you want off the list, ask your ISP for a fixed IP address, and then (in the unlikely event it's in the DUL), let MAPS know that your address isn't a dial-up.
Your ISP doesn't offer static IPs? Well, that sucks, doesn't it? So relay your mail through their SMTP servers.
-
Re:This is absurd!
I decided to post in this discussion today, rather than moderating you as flamebait (which you are :-).
My ISP got on MAPS' shit list, and my brother's ISP blocked all my email to my brother.
Excuse me, then you were paying money to a shitty ISP, and it's good that you left. That is exactly the effect intended when a network refuses to be a responsible member of the Internet community.
You didn't say whether your ISP was in MAPS RSS or RBL. We know to get in MAPS RSS, a mail server must:
- Be open to third-party relay.
- Be proven to have relayed spam mail in the past.
- Be unwilling to correct the problem
I challenge you to prove otherwise. So far, you are just full of hot air.
Note that they're too chickshit to block AOL or MSN -- I guess even MAPS don't have enough lawyers to fight those guys.
OK, now you're talking out of your ass. What, are you a really good troll or something? MAPS did put MSN on their blacklist.
I think MAPS is lacking in some areas, but your bad experience with a bad ISP is not going to convince me you have a legitimate gripe.
You should not have had to contact MAPS for any reason; your ISP, being the ones blacklisted, should have done what needed to be done.
You sound like an end-user. Let me tell you, it's very hard to get into the RBL if you are a competent organization with well-clued system administrators.
Here, at Central Oregon Internet, we've been using MAPS since nearly the beginning (meaning, years), and I can count the number of problems with legit mail being dropped on ONE HAND (and guess what? I'm a nice sysadmin that will allow email to come in from blacklisted hosts if a customer needs mail from there--but I will try hard to get the offending network to get themselves off the blacklist, and if I see any spam from them, they don't get any more special treatment. See, your brother's ISP sucks, too). A couple of weeks ago, MAPS checking was turned off for three days, and the amount of spam reported by our users skyrocketed. That is all the proof I need of the effectiveness of MAPS.
-
Re:Spam costs in many ways
From the nowhere.com front page:
NOWHERE.COM takes all available measures to ensure that no spam originates from this host, or passes through it.
Specifically, we use postfix which will both refuse to relay email, as well as block based on information from the RBL. The only valid hosts within the NOWHERE.COM domain are 'mx','ns1', and 'ns2'. Any other hosts claiming to be from within the NOWHERE.COM domain are forgeries.
We assure you, any spam/scam/bulk mail claiming to come from the NOWHERE.COM domain has been forged. Feel free to send a copy of the email you received to abuse@nowhere.com, minus threats of legal action, violence and/or death. It is actively being looked into.
Thank you.
p.s. NOWHERE.COM gets about between 5000 and 80000 pieces of email per day, which mostly comprise of bounces, threats and complaints about spamming. We have very limited resources with regard to time, cpu cycles and bandwidth. Please be gentle.
People should really enter x@x.x or something when e-mail addresses are required.
-
Re:Economies of scale
R_V_Winkle says:
If your ISP is purchased by EarthLink then I welcome you to sample the services. From the most reliable mail servers in the industry to full-service and online management for almost all account features. Award winning technical support and customer service are only the beginning.
Yeah, there's also spam friendliness that will get you blocked from various networks all around the planet, thanks to ELN's habit of only replying to complaints of abuse from their network when their supposed anti-spam stance (from back when they took Sanford Wallace to court, mind you, quite a few years back) is threatened with exposure, or they're threatened with a listing on the RBL (auto-ignorebots don't count as replies).
And, at least in Florida (where a good friend has first-hand experience), in the Tampa area, the solidity of their dialups is somewhat dubious itself, dropping connections at random intervals, and providing slow connect speeds even when the local copper is in good shape.
That kind of crap is why I dumped my Mindspring address (well, that, and TigerDirect wouldn't stop spamming my address, after repeated bitchgrams to both TD and BellSouth, their upstream provider). Funding spammers and/or spam enablers is not something that sits well with me. (This post, ironically, coming from a town where UUNet dialups, like the one I'm using, are essentially the only game, if you want access to the rest of the world via a modem.)
-
Re:Non-US domains...
http://mail-abuse.org/rbl/reporting.html
Should be interesting for you.
------------------
-
Competent administration
Being the Anti-Spam monkey at my ISP, I'd like to see the sys admins get prosecuted for leaving their mail server as an open-relay.
Well, obviously that's a bit excessive.
It's sad that the damages caused by these spammers was really due to lame system administration. Of course, it's odd to punish someone for doing what was pretty common not too long ago. We know, however, that in this day and age, you are extremely remiss in operating a mail server open to third-party relay.
Veritools apparently had days of downtime (it took them that long to remove the mail from the queue? A winbloze mail server or what? Or did it cause hardware difficulties? How?), and they were in RSS for two months. See their RSS entry. Did they not know, or was their mail server open to relay that whole time?
IANAL, so I don't know if a defense attorney could argue that competent system administration would have saved Veritools. If not them, then it would have been some broken mail server in Korea (and why did these idiot spammers use a local company's server? That's utterly stupid).
That being said, yes slap the spammers, hard. Veritools has probably already paid enough.
-
Re:Hit 'D'.
I learnt that the only thing to do was to hit 'D'. Call me a pessimist or a fatalist or whatever, but it really is the only solution.
This may work when spam is 10% of your mail. Is it a good solution when it's 50%? How about 90% of your mail?
I don't know about you folks, but about 90% of my paper mail is garbage (sorry, I mean "special offers"). Spam is orders of magnitude cheaper per recipient than snail mail, so there's no reason to expect the spammers to stop at 90%. And once your mailbox is 99% trash, you'll start getting 2 MB Flash advertisements in your inbox from marketroid who want to "cut through the clutter" that they themselves created.
The truth is that there is plenty you can do:
- Never buy from it - In getting rid of roaches, rule #1 is to remove their food source. Same thing here. Spammers only spam because they think it will profit them.
- Report it - I use SpamCop; it does 95% of the work.
- Automatically reject it - Tell your MTA to make use of the spammer blacklists at MAPS and elsewhere.
- Tell your friends - Most people don't realize that spammers inflate ISP fees and reduce service quality by clogging servers with garbage. Educate them!
- Tell your legislators - Some countries and US states have already outlawed spam. To help make this universal, you have to let your legal reps know how you feel. Check out The Coalition Against Unsolicited Commercial Email.
- Don't do business with spamhausen - Especially if you are a network admin, don't do businesses with companies that profit from spam. Check out spamhaus.org and spamsites.org for details. And make sure to let the sales droids know why you won't buy from 'em!
-
ORBS doesn't have my respect
From what I've seen and read, ORBS has fallen from whatever grace it ever enjoyed, and its blocking policy for legitimate open relays, as well as its practice of adding to its blockedlist the mail servers of its critics has pretty much sidelined it as far as serious mail administrators are concerned. A much better list is the RSS list from mail-abuse.org. See http://www.mail-abuse.org/rss. BTW, I understand that the mail server at mail-abuse.org is on the ORBS list :(.
-
I think of it this way.
I'm a sys admin for a small company with two sides, one non and one for profit and with about 50 total employees in the US. I make US$50k per year, or about $25 an hour. Each day, I spend about two hours or possibly more weeding through the spam that gets sent to us from a variety of email addresses and I put filters on our mail server to then block those email addresses and in some cases the server. Then I might also send out warning emails to the admin of those servers and even an email to the fine folks at the RBL if the spammer is a repeat offender. If I'm lucky (like yesterday), I track the spammer down to the source, call the ISP, have a nice chat with their admin and find out this is the 3rd time this month the bitch has been tracked down, and presto change-o that spammer is now looking for a new ISP and T1 provider.
So, for the sake of easy math, about two hours out of my day, 5 or 6 days a week but we'll call it 5 since I'm on salary. So with 52 weeks a year, it costs my employer about US$13000 annually for MY time alone which the spammers have in effect stolen from my employer.
That doesn't count the time of the other people in office and out who get spam and have to delete it, the time I'm sure which is wasted by the foolish ones who actually read the f*cking things (let's face it... what salesman WOULDN'T read the one about how to enlarge their weiner in 30 days?).
There are, of course, some days when there is much less spam, some when there might be more since we have to list our email addresses at a variety of locations and it is unavoidable that our "info@" address will be used.
So if you think about the number of poor slobs in my situation, in the Boston area where I am, there are probably thousands. And if even half of them spend time trying to take a bite out of spam, that would add up to millions of dollars pissed through just to keep some moron from sending out this crap. And if you think about the amount of time we have to spend looking up security patches for sendmail, Exchange, etc., to keep some of the more technical of spammers from using our servers to send their junk, it would add up to even more. And for what? I can not imagine that spammers actually make enough from this to have it be worth their while! But they have to, because why else would these jackasses keep doing it?
*sigh* ah well... it gives me something to do on days I don't have users to LART.
-
Re:Port 25 blocking and MAPS DUL?
When you sign up for service, you are told what SMTP server to use for outgoing mail. Use it. Or find whatever other way works for you. But they are not offering SMTP connection services to you. The solutions are easy, so deal with it.
I am a telocity customer. Their smtp worked for a while, but when they upgraded their mail servers I started getting "relaying denied" messages as the mail header information pointed to a domain that I host on my line. Until December it appears that the server was just concerned with my being on their network, but now they don't want the headers forged so I have to go back to using my own smtp daemon. So far I don't know of any mail that was blocked, but I am worried that something like MAPS DUL will start to list DSL blocks in the future.
-
Re:EARTHLINK IS DOING SAME ME
It's conceivable that earthlink is using the DUL list to block SMTP connections from known dialup IP addresses. See www.mail-abuse.org/dul. I believe you can check and see if your IP is blocked by the list. It's a spam control issue. A lot of spam gets spewed out by clueless spammer lusers who set up mail servers on dialup connections.
On the other hand, servers listed in earthlink's MX records for earthlink addresses should be the only ones accepting SMTP connections.
-
Re:We're blocked
Check to see if you're an open relay or have been black listed at mail-abuse.org
-
Well duh
Haven't you ever heard of the MAPS DUL list? That's exactly what it's supposed to be used for. It's a list of _dial-up_ IPs that ISPs can voluntarily list their dial-up IPs in. UU.net does it, but not all are listed yet. Legit mail should _never_ come from a dynamic dial-up IP. NEVER. Period. It should be routed through the SMTP server of the provider. If you have a static IP with one of those providers then you should be in a different IP block that doesn't have said restriction. Any ISP worth their salt should do that. We do. I redirect port 25 at the border for all subnets not matching our static DSL customers or our DMZ. You should really look into using the DUL list. It's worth it. It should never filter legit traffic unless the ISP ignorantly hasn't isolated the static DSL customers from the dynamic customers and only listed the dynamic in the DUL.
--
-
Re: Port 25 blocking is unfortunately common...
A likely reason for this (and this is just a guess, mind) is that Earthlink is using something similar to the MAPS DUL and PacBell has submitted their DSL IP ranges to them.
--
Turn on, log in, burn out...
-
Re:I had similar problems with Netcom
If the addresses are not listed in DUL then they may have blocked it on their own. I do that when I get spam that was relayed but not blocked by RBL/DUL/RSS. I check the ARIN records for the exact address the spam came from and I choose the most specific network involved. That gets blocked. However, it is still possible that spam was relayed from an address listed only with the broad SWIP record covering their whole network, even if they did put your addresses in at ARIN. If that is the case, you need to complain to them because their failure to SWIP **EVERYTHING** that might possibly relay or spew spam can end up affecting you even if they do SWIP yours. If they can't fix that policy then you need to run, not walk, to another ISP (and if you have a term agreement, pass it with a note to your lawyer that they are the ones to break the agreement for not providing proper service). If you tolerate bad ISPs, there will just be more bad ISPs.
-
Re:I had similar problems with Netcom
Go read this page about MAPS DUL. It will most likely explain your problem to you.
-
Spam : irl and uce. We have tools to fight.
I often prefer displaying my real email on web site, on news groups, because I love fighting spammers. we have _tools_. *grin*
uce :
before spam :
http://www.devin.com/sugarplum/ to protect your webserver from search bots.
teergrubing to protect your MTA :
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
(and of course, hide your email like that : xavieratbocaldotcsdotunivdashparis8dotSPAMfr ;-)
after spam :
http://spamcop.net/
http://www.samspade.org
http://mail-abuse.org (RBL)
tools to semi-automatically report/fight spam :
http://freshmeat.net/appindex/console/anti-spam.html
irl :
As others say, send back the empty envelope.
One funny thing about phone spam is the possibility to talk to the person which is trying to sell you something, like to a human being. (after all, it's often a woman poorly paid to do this job. she(he) deserves humanity). I usually ask if the person is in good mood, and it's easier to say goodbye after this.
-
Re:Spam is annoying, but
Spam is certainly very annoying, but is it sacrificing too much of our Internet Freedom to let governments fine and even jail people for spamming?
Your "freedom" ends where my mailbox begins, got it? If you have something to say that you feel is so important, try using one of the following places to do so:
- A freebie website from Geocities, etc.
- An appropriate Usenet newsgroup
- An appropriate IRC channel
- An appropriate web based discussion board or mailing list
-
Re:This would only benefit spammers
Fine. That'll make it all the easier for groups like ORBS and MAPS to isolate spam-friendly IP blocks and mail servers from the rest of the Internet.
I can sacrifice the off chance of receiving something from someone I know from Switzerland if it eliminates all spam sent to my account. Sooner or later, the netizens of Switzerland will demand that their own government take action as well to end the Internet embargo.
-
MAPS RBL
Sounds like a candidate for the MAPS RBL.
It would be interesting to see how effective a registry could be if its address space has ended up in a few BGP black-holes. (Is this still done? It's been a while since I checked.) If the .st nameservers became unreachable, then the whole top-level domain could effectively get black-holed....
--
-
Re:It is a "Big deal"
Some of them had nothing to do with spam,
MAPS started by listing the spammer sites. After six months of trying to get the ISP to clean up their act and being given the runaround, they gave up, and have concluded the ISP is spam-friendly. Since they have been the top listing at spamhaus.org for months, this seems like a pretty reasonable conclusion.
I'm sure that the people at MAPS think that peacefire is a swell thing. But they have concluded that the ISP is spam-friendly, and so they have listed it as such. It's a shame that Peacefire is using a spam-friendly ISP, but they have the right to decide for themselves, eh?
And since when does AboveNet have the right to blacklist entire domains and IP blocks anyway?
AboveNet is only blocking the stuff on their own networks. ISPs who have other routes to Media3 are not affected. An -
New details on MAPS procedures
One of the gripes in the article was that the MAPS evidence file for these guys was scanty. That's because the nomination for the extension was kept here:
http://evfiles.mail-abuse.org/rbl/ev/63.74.120-24.txt
This paints things in a pretty different light; it's a shame that this wasn't read by the author of this article.
-
So?
That may be true, but that has nothing to do with MAPS and the RBL; ORBS isn't even listed on the RBL. So even if above.net is choosing to block ORBS traffic on their network, that doesn't seem relevant to this discussion.
-
Peacefire is fine
I think Peacefire is fine, and I'm sure the people from MAPS like them, too.
But the point here is that the ISP has been spam friendly for ages, and they've been warned for at least six months. Despite that, they are still taking on new spam clients. And spamhaus.org considers them the biggest host of spam-friendly domains.
The ISP, as far as I'm concerned, is spam-friendly. And I don't want my boxes to talk to spam-friendly ISPs. If Peacefire chooses to use a spam-friendly ISP, that's their business, I'm not one to stop 'em.
Oh, you say they didn't choose? That they just didn't know? It's funny, isn't it, that Media3 didn't even warn their clients about a possible loss of connectivity to large parts of the Internet?
That's not the behavior of a reputable businessman; it's an ISP trying to shield its spammer clients by mixing in legit sites. The ISP has known this was coming for months; they should have warned their customers.
-
Re:Good or bad, it's not censorware
Censoring offensive material is exactly what MAPS is doing in this case. Some censorware is offended by pornography or the Ku Klux Klan and is designed to block that. MAPS is offended by websites which sell bulk email software, and is designed to block that.
Let's look at what MAPS RBL is "designed to" do. http://mail-abuse.org/rbl/candidacy.html lists criteria for being in the RBL.
- spam origination - simple enough
- spam relaying - open mail relays
- spam support services
  - providing any service which uses internet resources to support spamming: webpages or email or DNS or credit card handling for spam-promoted sites, or anything-to-email gateways
  - providing software or services for distributing spam, or providing connectivity to people who do
  - providing lists of harvested email addresses, or software or services to create such lists
You are objecting to their inclusion of spamware as something which aids spammers and should be blocked. This gets into two fairly tricky points. First, if something is both speech and action (the "fire in a crowded theater" example), where do you draw the line between allowing free speech and preventing harmful actions? Second, to what extent is software speech, and to what extent is it a tool?
We probably agree that blocking spam is acceptable, despite the weak argument that saying the same thing over and over is speech that should be protected. And we agree that a list of techniques that spammers use would be speech that should not be blocked. You could claim that spamware is like the list of techniques. MAPS might claim that selling someone a software package whose sole purpose is to spam is no different from taking their money and doing the spamming yourself. You both have decent arguments.
I do think, however, that even if you're convinced that there's a free-speech right to distribute spamware, labelling RBL as "censorware" based on a fraction of a fraction of the list violating this very debateable "right" is massive overkill.
"...they're not blocking innocent or guilty websites, they're blocking the network." Isn't this slicing it a little thin? When you find a website you don't like, and then block all traffic from its IP number, I call that blocking a website.
No, not at all. Look at Media3. They've found a network they don't like, because it supports spamming in multiple ways. It hosts sites which are promoted by spam, and it hosts spamware vendors. They could change their AUP to prohibit this, but refuse to do so. And so they're blackholing the network.
This is not an overzealous or overbroad block; they are blocking exactly the network that they wanted to. They state in the docs that this approach can lead to blocking non-spam traffic, and warn you to use a different list; RSS for example; if you have a problem with this.
If you wanted to highlight the spamware free-speech argument, you could have chosen a better example. Spamware is not the only reason why Media3 is on the RBL, and there is no way to claim that hosting spam-promoted sites is anything but a content-neutral blocking policy.
-
Mission Creep
They aren't harboring spammers, but they are harboring spam-tool makers.
The main problem is that this level of blocking goes far beyond the original intent of the RBL. The Blackhole was only supposed to block known current sources of spam. Over the years it has experienced mission creep and now goes after spam accomplices (e.g. affiliated web pages & email boxes) as well as accessories (e.g. email harvesting software). That is too many tasks for a single list!
RBL's original mission is a good idea, and could even be palatable to major backbone providers. For example, imagine if Verizon and UUnet were subscribers to the more-focused version. Millions of people would be better off instantly. Within months, RBL would put itself out of business -- anyone on the list would scramble like mad to get off or else go out of business from lack of traffic.
MAPS has already implemented multiple parallel lists -- RBL, RSS, DUL, etc. It's time to break up the RBL into 3 separate components with appropriately narrow targets.
-
Alternatives
OK the article made some valid points, I can't argue there. And I don't think anyone can argue that SPAM is a real pain in the arse.
As part of my job is sys admin for our main mail servers I need to look at options that limit the amount of SPAM and crap that comes into our systems everyday. I perfectly understand why MAPS blackholed the web services of Media3 and I think it was fairly well explained by MAPS in their press release:
"The proprietors of these websites send massive amounts of unsolicited mail from an account with an ISP, then when that account is shut down for violating that ISP's terms of service, they just move on to another ISP. In these cases the only way to get them to stop sending the unwanted email is for the company hosting the advertised site to get involved. If they don't, there is no incentive for the unsolicited email to stop, and then we are forced to protect our own mail servers from the onslaught of that unwanted email."
If the owners of these websites were doing the spamming off the servers that host their website they are bound to have the plug pulled on both their website and their mail. But because they are abusing another ISP's services for just their email they aren't having anything done to them.
Now what MAPS did by blocking whole Class C netblocks is probably a bit of overkill, but I am sorry if I had the choice of having to enter about 10 - 20 IPs in a list or entering just one entry I would opt for the one.
I would just like to query the author of the story and any other sys admins who think what MAPS has done is wrong, with what should we do to stop the SPAM effectively? The only suggestion I have seen is to use something like sneakemail.com, but that is only viable for end users and not for network administration. So instead of saying something is crap, why don't you work out a better way of ridding the world of SPAM?
Graham
-
I started some wildfire
I originally sent the message because I was implementing RBL on a sendmail server and I saw the news on the MAPS web site.
I did not expect this to be such a complex question when I sent the post. I myself thought that I was installing a censor system that blocked known spammers and not random C classes. I have the system installed for about 12 hours and I can feel the difference, but after reading the article I am really considering removing it. In the main pages of MAPS it states that they are blocking spammers (as you can see here). But after this question I went back and saw that what it says is: ".. involved in the sending of Unsolicited Commercial Email, or spam.", this is a more vague question, and should be stated that if a company sells software or lists of e-mails it will be considered blacklisted. But the question here is that MAPS is blocking things it should not. Maybe MAPS should be more careful and instead of blocking the C class they should block the individual address. Also I have read that some sendmail distributions now come with RBL by default. Linux systems are being installed by the hundreds these days, so MAPS administrators should take extreme caution on what they block. (Excuse my typos, but English is not my native language.)
-
It's the ISP
They are blocking the ISP, which has hosted a whole mess of spammers for at least six months.
The ISP is the one who is violating the "cooperative spirit that makes the Net work"; MAPS just lets us know who the bad guys are so we can block 'em if we choose.
Also, RBL is used in a backbone and those using it have no choice in the matter.
Many have made this claim; despite many requests, I still have seen no evidence. I say it's bunk.
-
Re:Sorry, Jamie, you are way off base
That's how MAPS should work, by blocking the bad stuff so that RBL users just don't see it. There isn't any need to punish innocent sites who happen to be on the same class C.
Wrong. Media3 is currently the number one ISP for live spam sites according to spamhaus.org. MAPS has been talking with these guys for months about their various spam-friendly activities. If an ISP keeps allowing spammers in, MAPS should block 'em.
If MAPS successfully got Media3 to shut down the spammer's site, then MAPS WOULD be dealing in censorship, wouldn't they?
These aren't just people who say that spam should be allowed. They are people who spam to draw traffic to their websites, people who sell spamming software, and people who provide spam-friendly hosts services.
If MAPS blocked people for advocating spam, like, say, the DMA, then they would be censoring. But they don't; they only block people who spam or those who help spammers. Their criterion is based on an activity, not an opinion. That's not censorship as far as I'm concerned.
In fact, MAPS even goes so far as to give links to its various opponents on its web site. Censors? I don't think so.
-
Re:Have you looked at the site?
[...] in all honesty, are you going to tell Peacefire.org to switch providers now because they're using the same service as MarketingMasters?
Yes. Although I support Peacefire's work (and even donated money to them), they should move. And if they want to stick with their spam-friendly ISP, then that's their choice, but my computers will stop talking to theirs. (And I probably won't give them money again, either.)
MAPS has taken the power they have and abused it.
It's not like they're pulling these judgements out of their collective ass or doing something secretive. They have a clear policy on what gets you in. According to a recent press release this ISP got listed for hosting spam-advertised sites. They are also clearly continuing to host sites that sell bulk-mail software and addresses. According to spamhaus.org, Media3 is the largest spam site hoster currently active.
RBL needs to be replaced. The original intention was to keep it as a list of sites that send spam.
I don't know if you've looked closely at any of your spam in the last couple of years, but the vast majority of it now is from dialups, open relays, and weird foreign hosts. Making a "list of sites that send spam" won't do much good anymore; that's why they have expanded it to include relays and spam support services. As another poster mentioned, you have to follow the money to stop spam.
Still, if you think such a service would be more useful, you're welcome to start one. Note, though, that the only serious RBL competitor, ORBS, was substantially more aggressive than MAPS; I doubt an RBL-minus would be very popular.
---
The point here is not to punish a single spammer site; it's to punish an ISP that's been so badly behaved for so many months that there's nothing left to do but to ostracize them. It's unfortunate that banning an ISP harms their legit customers. (It's also unfortunate that boycotting, say, Microsoft or Starbucks or Nike harms a lot of perfectly nice employees.)
But how else do you suggest that we deal with a rogue ISP?
-
Additional source material
If you look at spamhaus.org's page on marketingmasters.com, in addition to tidbits like the last four ISPs from which they've been terminated, you'll find the reasons cited for blackholing marketingmasters.com's IP address, as well as blackholing Media3.net's other addresses. This is part of MAPS RBL SOP (standard operating procedure). You may not like what they do, but they're operating within their guidelines here.
Under MAPS RBL clause III of Blackholing Due to Spam Support Services, the IP address 209.211.253.74 is now eligible for addition to the RBL.
Under MAPS RBL clause IX of Blackholing Due to Spam Support Services, if the host media3.net is knowingly providing Spam Support Services by knowingly hosting the marketingmasters.com Spam Service Site, parts of (up to all of) media3.net's netblock may be nominated to the MAPS RBL.
If you want to read the clauses directly, check out http://www.mail-abuse.org/rbl/candidacy.html#ByAssociation, which outlines the criteria and reasons for including spam support companies in the RBL. The essence of their criteria is "providing any service which uses internet resources to support spamming activity," although they go into more detail as well.
-
RBL Usage info - READ THIS
There are three ways that RBL may be used, listed at this address:
http://mail-abuse.org/rbl/usage.html
ONLY ONE OF THE USAGE METHODS results in blackholing all ip traffic, that is the Subscription via BGP. This option is only available to larger networks with routers which have an ASN (see whatis.com if you don't know what an ASN is.)
I know of very very few networks which use RBL in this manner. There must be a few, but it seems like a pain in the ass, and there are negative effects of doing it, as indicated on the RBL description of the service.
Anyone choosing to implement such an esoteric blackholing system for all ip traffic from RBL-listed hosts is likely FULLY AWARE that they will be dropping some hosts, and must consider that an acceptable risk. If you are a client of such an organization, and don't buy into that, then leave. My guess would be that most that have successful implementations of BGP RBL subscription had buy-in from their clients before they set it up.
My guess is that 95% or more of RBL subscribers use the "Direct usage via DNS lookup by mailserver" method of applying RBL blocking. This method has ZERO IMPACT on http, ftp, dns, ICMP, or any other type of traffic other than SMTP.
This Slashdot article was written by someone who does not understand the nature of the Internet and the RBL on a detailed level, and who is obviously dipping into conspiracy theories a bit... his little diatribe on above.net sounds like the manifesto of a lunatic. To the author: Get over it, sir. You don't understand the technology, and you don't understand the decisions made by ISPs who implement the RBL. I wish you well in your career, but this isn't going to be the ground-breaking story you thought it was. Feel free to write me if you'd like to speak to me further.
Sincerely,
~Acheron