Domain: spews.org
Stories and comments across the archive that link to spews.org.
Comments · 169
-
Re:SPEWS
If he were on the SPEWS's blocklist, he'd never get out!
And this is why the SPEWS blocklist is so effective and so good.
The problem with SPEWS is the refusal to consider appeals. Out of their FAQ:
Q16: I'm not a spammer or spam operation... heck I hate spam, but my email is getting bounced by someone using SPEWS, or I can't access a website due to SPEWS based blocking.
A16: You may be part of the rare "inadvertent blocking" that can occur when a spam friendly provider is listed in spews. Your best option is to try and educate your provider or switch to one who is not listed in SPEWS as spam friendly. SPEWS aims to avoid listing any non-spammer or non-spam support areas if possible - we just want to stop spam.
[...]
Q41: How does one contact SPEWS?
A41: One does not. SPEWS does not receive email - it's just an automated system and website, general blocklist related issues can be discussed in the public forums mentioned above.
Every blocklist sooner or later has false positives. When there is no way to handle complaints then this list is more harmful than good.
-
Re:SPEWS
If he were on the SPEWS's blocklist, he'd never get out!
Generally it helps if you actually bother to check how something works first rather than rely on a website run by spammers.
From the SPEWS FAQ:
Q42: My IP address/range is being listed by SPEWS but I'm not a spammer and I just signed up for this/these address(s). What can I do to be removed from the list?
A42: SPEWS is just an automated system, if spam or spam involvement (hosting spammers, selling spamware) from your IP address/range ceases, it will drop out of the list in time. Normally the listing involves spam related problems with your host and the first step you need to take is to complain to them about the listing, in almost all cases, they are the only people who can get an address/range out of the SPEWS list. If there is a spam related problem with your host, their IP address/range will not be removed until it is resolved. If your host or network is certain a listing mistake has been made, ask them to read this FAQ then post a message in a public forum mentioned above with the SPEWS record number (eg. S123) and/or the IP address/range information in it. Placing the text "SPEWS:" in the subject can help a SPEWS editor or developer see the message and they may double check the listing - note that, although others may, no SPEWS editor or developer will ever reply to the posting. Will this get your IP address/range removed from a SPEWS listing? Again, not if there are currently spam related problems with your host. Be aware that posting one's email address to any publicly viewable forum or website makes it instantly available to spammers. If you're concerned about getting spammed, change or "mung" the email address you use to post with.
-
WRONG ANSWER
We don't need rules on *how* to send unsolicited mail - anything that is codified like a header that lets all spam be ignored *will* be ignored by spammers who will continue to cloak their identity and do everything they do today.
Stopping spam at the receiving end doesn't prevent it from using storage space and bandwidth that your ISP has to pay for. The only way that does is by stopping it from being sent - with strictly enforced anti-spam policies which ISPs use to disconnect any services to anyone sending spam.
The ONLY rule we need is DON'T SEND UNSOLICITED MAIL, and the only way to enforce it is for ISPs to disconnect all services (connectivity, hosting, dns) to anyone found sending spam. And since so far, many ISPs don't seem willing to take such a hardline, and actually enforce their AUPs (maybe they like the money spammers are willing to pay them), the only way to force them to do so is to force them to choose between their spammers and their non-spamming customers - one good way to do that is SPEWS.
The only way to stop spam is to make it so no ISP anywhere is willing to sell service to spammers.
-
WRONG ANSWER
*OPT-OUT* is the *WRONG* solution, and it will have very little effect on spammers, if any.
Anyone wanting to send ads should assume every possible address as being on the 'opt out' list, without needing there to be such an actual list, unless they have a *confirmed* request from the address owner otherwise.
Are there really people who *want* to get advertisements in their email box? Is there anyone who can't find products they need with a simple google search, or who is so desperate for email that they want to use it for advertisements?
Is it legitimate to assume that anyone who doesn't go to the trouble (and risk) of listing their address on some 'opt out' thing wants to?
Like it or not, the only way to stop spam is to make it so that no ISP anywhere will allow spammers to use their service. Filters which prevent you from seeing it don't stop it from using bandwidth and storage space at your ISP, and 'universal' opt-out lists will be 'universally' ignored by most spammers.
Stopping it from being received is not good enough - ISPs must be forced to stop it from being sent, by shutting down spammers as soon as they receive complaints. Unfortunately, some ISPs like the money they get from spammers for 'bulletproof' service, and it takes things like SPEWS to convince them to stop. (Or to convince the other customers of that ISP to switch, and then the rogue ISP can be nullrouted by everyone else on the net once it only has spammers as customers)
-
Re:Previous LawMeme Coverage
From his whiney tone and business model, I suspected spammer right away. Sure enough, there's a light dusting in the news.admin.net-abuse.email and .sightings groups. And www.searchking.com/dave144.mach10hosting.com/209.217.135.144 lives in a dump of a net-neighbourhood. Hmmm, although it looks like mach10hosting has been cleaning the place up a little.
-
Re:Incomplete!
I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
You semi-address the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until effectively revealed by dropped emails.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering ... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.
If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
-
Re:*Can* Block Legit Email?
I agree to that - if you're going to use the SpamCop BL, use it to tag email, not bounce it!
SPEWS will flag far less non-spam email, and I use it to bounce at the first connect attempt.
Now, if you are on a "spam-friendly" ISP like my "anon coward" brother above probably is, SPEWS is not your friend - and rather than get their ISP to clean up, these posters just whine and say how evil SPEWS is.
Take your $ and move brother, why support a sleazy ISP, why not support a clean one? I know I do.
-
Re:*Can* Block Legit Email?
We ditched SPEWS and started using SpamCop's BL. Much nicer
Except that the SCBL is currently experimental. It specifically says it should not be used to block mail.
The fact that you are posting as an AC makes me strongly suspect you are one of the spammer sockpuppets running AntiSpews.
I don't use it (don't have my own server) but as far as I'm concerned, SPEWS is doing a great thing. Namely, applying pressure to ISPs to not support spam in the first place.
-
Re:I must be doing something wrong
There is other stuff out there for prevention in spamming terms. It is called SPEWS (spam prevention early warning system) and is quite effective in filtering spam if you already have some "burned" addresses. But it can block legit emails too.
-
Re:Oh good, with Spews?
-
Re:Bruce Schneier
Bruce Schneier has an excellent article in his newsletter [counterpane.com] called "Counterattack". He discusses vigilantism and why it is the wrong solution to problems on the internet. SPEWS is the wrong solution, especially because it deliberately blocks mail from innocent sources.
You obviously mis-read Bruce's article or don't understand how SPEWS works.
SPEWS works just as Bruce suggests, no vigilante "counterattack" on the spamming abusers. It just lists the ISPs who have decided to take money to host spamming abusers.
And for the record, SPEWS blocks nothing. It is my own private mailserver which is blocking mail from SPEWS listed spam havens. No, that is not a "counterattack", it's just a shun, or boycott.
-
Re:Spews = /m\
And spews doesn't? Spews randomly blocked a consulting company's netblock I worked for part-time simply because that our block was next to a "known spammer's" block.
SPEWS blocks nothing - it LISTS areas of the net that belong to spammers or ISPs that willingly host spammers.
When they politely asked to be removed and pointed out that according to their own evidence file that their netblock had nothing to with spam, they were met with very hostile responses and told to essentially ditch their telco provider because they'd never unlist anyone.
Bullsh|it meter pegged on this one. No one has ever shown they "talked to SPEWS", SPEWS don't play that game. They also remove places that boot their spammers all the time.
They admitted that they simply block IPs in a form of "collateral damage" because they feel like it to hurt legitimate businesses so they flee their network provider.
"They" must be the people in the NANAE news group or on the Spam-L list. "They" is not SPEWS. Was it you, or these geniuses at the "consulting company you worked for" who neglected to grab a clue on this? Care to name them, I'd like to add them to my "idiots who should never be hired to consult" list.
Look at antispews.org [antispews.org] for more info on their flagrant abuses and why you shouldn't use spews.
Are you kidding? Antispews.org? This place is run by the fscking "Wangomail" spammer Ajay Gayhole, were you the troll whining on FuckedCompany last week, or are you a new one?
Man, don't stand there pissing on us saying it's rain mofo!
-
Re:SpamAssassin vs Theo's Package
www.acky.net = 65.165.235.172 S356
Partial listing:
1, 65.165.237.126, HUFFNAL / underage-girls.net
1, 65.165.238.144, HUFFNAL / home-lolita.net
1, 65.165.235.230, HUFFNAL / mail.webspace4all.net
0, 65.165.239.144, HUFFNAL / dealsonpc.com (listed)
1, 65.165.235.205, HUFFNAL / trust-bill.com
1, 65.165.234.1, HUFFNAL / Spammers Perez/Walls / mortgageleads.tv
1, 65.165.232.0 - 65.165.239.255, HUFFNAL / Todd Spears/Perez/Walls (Sprint)
Looks like a pretty scummy net-neighborhood. If their ISP doesn't want to clean it up, I don't think I'd want any email from them either.
-
Re:Spews is NOT the right way to filter e-mail.
Sturm originally said:
They block IPs based solely on the fact your upstream provider hosts or has hosted in the past, someone the SPEWS "admins" (and I use that term loosely) believe to be spammers.
MrDingusMcGee responded:
As a sysadmin for an ISP I can assure you that this is absolutely the case. There is no human contact at Spews, the entire system is automated.
This is simply false. Of course there are humans behind SPEWS. Do you seriously think that the SPEWS record (S716) your ISP (Netsville) is covered by was written by a bot?
Of course SPEWS are going to automate what processes they can. But they can't automate everything. Most especially not the bit where they read posts to nanae and sometimes act on them.
A hosting provider should be responsible for the domains they host. But there is rarely anything a provider can do to pre-emptively stop a spammer.
There are certainly some things you can do. Ask potential clients about their 'net history before signing them up. Ask some minimally intrusive questions about the nature of their business. Ask why they left their last provider. Do a search for their domain name on news.admin.net-abuse.sightings and/or nana.email. Do a search for their company name - and their company director's names - on ROKSO. Do a search on SPEWS or the Spamhaus Block List or Spamcop for whatever IPs they might previously have used.
Very few spammers will stand up under even minimal investigation like that, which takes only a few minutes. This is basic stuff which any hosting provider should conscientiously do before taking on new clients, in the interests of their current clients!
Just recently, my company signed up a new company for Co-Location.
You signed up hotticker.com.
Another thing I forgot to mention above. You should really have a look at the domain name your client-to-be uses. You can often spot a disreputable business just from the domain name.
Within a week, this company sent out a huge spam mailing. The moment we saw spam complaints come in we called the company and demanded proof that their mailing list consisted solely of opt-in addresses. They had no proof and their contract was immediately terminated for violating our Acceptable Use Policy.
Immediately terminated???
How long exactly did it take from the time the first complaints hit your mailserver for you to realise hotticker was responsible, call and ask them for evidence about their mailing list, wait for their response, deem their response nowhere near good enough and then pull the plug? If it was less than 24 hours then I might agree that having your /24 listed is perhaps a tad harsh. But I suspect it was in fact much longer than that, perhaps as much as a week or more.
I notice on your SPEWS record that your /24 has been downgraded to level 2. Your three webhosting machines (io, colossus and jupiter) are still at level 1, but any mail they want to send can be smarthosted through your level-2'd mailserver.
Apparently this company had, in the past, under a different name, been blacklisted as a spammer. We were now added to the list of their hosting providers and could not, despite our best effort, contact a single human at SPEWS to explain our situation.
Erm... just what would you have said? "Please take us off your damn blocklist, we've terminated the spammer we signed up and we promise to be more careful in future." SPEWS' generic response would be "Once we can tell you're not providing any more services to $SPAMMER - which may take a little time - we'll downgrade you to level 2, where you'll stay for six months or so, then you'll be removed entirely. And yes, you bloody well should be more careful." This is covered in the SPEWS FAQ.
I ask you, how does that make the internet a better place?
Hopefully it teaches ISPs like yours to be more careful about who it signs up as clients. I imagine that in a year or two it will be considered common practise for ISPs to go through a similar process with new clients as landlords do with potential new tenants. A bad client can easily do as much damage to an ISP as a bad tenant can to a landlord.
Pete.
-
Re:SPEWS Is Not An Open Relays List
Perhaps there is some confusion here. You can't use SPEWS directly; it is only available to the public via relays.osirusoft.com, and their servers return information that categorizes the kind of spam source or facilitator.
That's not quite true. SPEWS publishes a text-based list (warning: 800+ kB) which you can transform with a Perl script into whatever format your mail software needs. What Joe Jared at Osirusoft does is transform this into a DNSBL and make it available at spews.relays.osirusoft.com. This is why technical illiterates often accuse Joe of "being SPEWS" -- he republishes SPEWS' data in its most easily used form, though he doesn't have any editorial control over it.
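An added example, not from the comment above and not SPEWS's or Osirusoft's own code: a Python version of the "transform the text list" step, turning listing lines into CIDR blocks, a per-address decision, and the name a DNSBL client would query under spews.relays.osirusoft.com. The line layout follows the partial listing quoted in another comment on this page; the function names, the sample data, treating level 2 as a superset of level 1, and the reject-at-1/tag-at-2 policy are assumptions.

```python
import ipaddress

# Constructed sample in the "level, address-or-range, note" layout of the
# partial listing quoted in a comment on this page. The addresses are
# documentation ranges (RFC 5737), not real SPEWS data.
SAMPLE_LISTING = """\
1, 192.0.2.0 - 192.0.2.255, EXAMPLE-HOST / spam operation (constructed)
2, 198.51.100.0 - 198.51.100.255, EXAMPLE-ISP / range after cleanup (constructed)
1, 198.51.100.17, EXAMPLE-ISP / web host still listed (constructed)
Partial listing:
1, 203.0.113.300, EXAMPLE / malformed address (constructed)
"""

# Assumption: only levels 1 and 2 are acted on; any other value is skipped.
KNOWN_LEVELS = {1, 2}


def parse_listing(text):
    """Return (level, first_ip, last_ip, note) tuples for well-formed lines."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header or free text, not a listing entry
        level = int(fields[0])
        if level not in KNOWN_LEVELS:
            continue
        first, _, last = fields[1].partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip()) if last.strip() else lo
        except ipaddress.AddressValueError:
            continue  # never guess at a malformed address
        if lo > hi:
            continue  # reversed range: skip rather than swap silently
        note = fields[2] if len(fields) > 2 else ""
        entries.append((level, lo, hi, note))
    return entries


def listed_level(entries, ip):
    """Strictest (lowest-numbered) level covering ip, or None if unlisted."""
    addr = ipaddress.IPv4Address(ip)
    levels = [lvl for lvl, lo, hi, _ in entries if lo <= addr <= hi]
    return min(levels) if levels else None


def mail_action(entries, ip):
    """Assumed local policy: reject at level 1, tag at level 2, else accept."""
    return {1: "reject", 2: "tag"}.get(listed_level(entries, ip), "accept")


def to_cidrs(entries, level):
    """CIDR blocks for every entry at `level` or stricter, in listing order."""
    blocks = []
    for lvl, lo, hi, _ in entries:
        if lvl <= level:
            blocks.extend(str(net) for net in
                          ipaddress.summarize_address_range(lo, hi))
    return blocks


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for ip in ("192.0.2.55", "198.51.100.17", "198.51.100.25", "203.0.113.9"):
        print(ip, mail_action(listing, ip),
              dnsbl_query_name(ip, "spews.relays.osirusoft.com"))
    print(to_cidrs(listing, 1))
```
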
-
Re:Another confirmed spammer address
Yeah, this guy is a spamming punk. How do we know what the correct address for the hit^H^H^H service is? SPEWS lists several at their site.
George Alan Moore, Jr.
2920 Dubarry Lane
BROOKEVILLE, MD 20833
301-570-1297
--------------
George Alan Moore, Jr.
300 TWIN OAKS RD
LINTHICUM HGTS MD 21090-2154
--------------
GEORGE MOORE, JR
ULTIMATEDIETS.COM
8 EASTERN STREET
GLEN BURNIE, MD 21061 -
Re:Rackspace
There's one little thing about Rackspace that they, of course, neglect to tell you; They're a spammer nest.
Rackspace has a long history of being apathetic at best to spamvertized sites, despite their anti-spam Terms of Service. As of 3-Dec-02, they're still hosting at least 20 or so spammers, and chunks of their netspace may still be listed on SPEWS.
Cheap or not, good customer service or not, I would be very wary about selecting Rackspace for any sort of hosting.
-
"Blame Canada" ;-)
This article does indicate that there are a certain amount of foreign ISPs willing to allow the spamcrap through though, some in Canada no less (which makes me, as a Canadian, very unhappy).
The anti-spam groups say that this is Ralsky's Canadian Partner
Oh, would I like to open a can of Whoop Ass (Molson's special brew) on these creeps' asses! ...but it's a long drive, maybe someone closer can act as my proxy?!
-
Re:Zero Discernment
Have a private detective check on any potential clients to make sure they have no connection with the spamming trade?
In this case, the spammer seems to have been an Aussie porn spam gang with a truly abominable record; no private detective needed, just type the guy's name into Google and see if there's anything in news.admin.net-abuse.sightings.
The /16 block thing didn't work either, the support guy basically said 'the people refusing your mail are cretins, they'll probably get over it'. Which they did.
Going by your website, I assume the problem was http://www.spews.org/html/S1995.html - this was reduced to level 2, which is a 'yellow alert' which people don't generally use for blocking. The spammers were booted by hosteurope.com, the listing reduced to a level 2 instead of level 1, and your email started getting through again. The listing worked exactly as intended.
Replying to a complaint about a spammer with 'just use the spammer's remove link' is unhelpful in the extreme. I'm not surprised your provider was listed.
-
Welcome in the 200/8 intranet full of open proxies
> ...mostly in the 200/8 network
Unfortunately, Latin America has become the new Far East, as far as spam sources are concerned. About three out of four spams are coming from open proxies within the 200/8 netblock, that's why more and more people are blocking it. You'll find about 5 or 10 proxies within each class C netblock.
See also the large SPEWS listing http://spews.org/html/S1297.html.
If LACNIC wants South America to be able to communicate with the rest of the world, they better have Embratel et al. fix their proxy problem or join China and Korea with their "spammy intranet"...
/.
DocSnyder.
-
[moron alert] Re:Blocking subnets? Use SPEWS.
The Anonymous Coward above me whined:
SPEWS can rot in hell. A properly configured SpamAssassin will block 98% of spam and have 0.01% false positives (I haven't gotten one false positive in a year, but I will someday).
SPEWS may rot in hell (will there be room with all the spammers down there?!) but until then, I'm sure they are glad a moron such as yourself is enjoying the benefits of using their system!
The SPEWS data is part of the DNSBL system that SpamAssassin uses, and is in fact given a nice, high, +2.730 "spam value." A "0.01% false positives" rate?! Does that not show that SPEWS is not the "black your entire NSP" (whatever that means in English) type list you're ranting about?
The moron added:
Please, please don't support SPEWS. I beg you.
Why? With your ringing endorsement I think we all must!
-
SPEWS.ORG
Here's the link to SPEWS.ORG... just in case someone wants to read more about it.
:)
-
SPEWS does much more harm than good
Take a look on comp.net.abuse.email and read about the many admins who are complaining about SPEWS. The problem with SPEWS is that they often block large ranges of IP addresses as a punitive measure against ISPs they don't like - willfully blocking legitimate mail in this way seems awfully ironic. I realize that anyone can choose whether or not they want to filter with SPEWS, but the problem is that they don't tell you about this policy. Every once in a while I'll get an email from someone and my reply will bounce back because they're blocking me. I'll contact them from another account and explain the situation, and these people are unanimously surprised and pissed that SPEWS is doing this.
They recently blacklisted a huge swath of IP addresses - hundreds of class Cs, deliberately blocking not just spammers but thousands of IP addresses on neighboring subnets. Sadly, my little block of 64 IPs was included. So I went on the mailing list (SPEWS will not respond to inquiries) and suggested that an error had been made. My IP was coming up as a "confirmed source of spam" in SpamAssassin and other tools. I was immediately bombarded by a bunch of leet little fucks telling me it was my fault for choosing the wrong ISP, and I need to switch.
Fuck SPEWS. I like my ISP, and I could find no evidence of them being spam-friendly. In fact, SPEWS keeps almost zero documentation. They just block whatever the hell they want, and they're accountable to no one.
Please don't filter with SPEWS unless you want to lose contact with a good chunk of legit mail servers which have deliberately been blacklisted!!!
-
You missed one
SPEWS.
"SPEWS is a list of areas on the Internet which several system administrators, ISP postmasters, and other service providers have assembled and use to deny email and in some cases, all network traffic from. ...
Most spam advisory and blocking systems work after the fact. There is a time lag between the spammer setting up shop, spamming millions, and getting netblocks listed by these systems. SPEWS identifies known spammers and spam operations, listing them as soon as they start, sometimes even before they start spamming."
I'm working on setting up my own mail server just so I can implement SPEWS (and other spam-fighting tools). -
Re:isn't this a bit like hit and miss censure-ship
These systems are "self-correcting", that's the beauty of them.
If SPEWS or any other spam stop list starts listing things that are not related to the spam problem, people will just stop using them and switch to systems that do.
I've used SPEWS (with other lists) at our servers for a year now - zero problems that were not transient. Customers love it, and when I see the 80%-of-email-is-bounced-spam on the weekends which did not cost us bandwidth or storage, I love it. -
Re:isn't this a bit like hit and miss censure-ship
I'm not aware of any vaguely popular blacklists that would add an IP/range on the strength of one random unknown person presenting what appeared to be a spam from that IP. That would obviously be ridiculous. Do you really think they would become as popular as they are if they were that stupid?
yea, i agree. but that australian news article didn't really go into detail of how SPEWS decides who stays and who gets banned. after a quick read of the SPEWS faq it sounds like they have an automated system overseen by several admins. (news flash) and they only target known spammers and spammer friendly sites. and they stress that anyone who uses SPEWS does so willingly and knowing that some legitimate email could be bounced.
so i suppose in this case, i am sure it's probly a pretty benign system. however, like any banning list, there are people that must make the decisions what to ban and what not to ban. yea, overt spammers get banned, but what about the grey area? also, what about the ones who get banned for no reason? (SPEWS admits it happens and even has a full page dedicated to it.)
what i was alluding to in my first post was that having any list like this is a form of censure-ship. though SPEWS says it is not:
from the faq:
Q10: Isn't SPEWS censorship?
A10: No, SPEWS is a list of areas of the Internet that some people do not wish to communicate with. Think of it as one group's Consumer Reports review of portions of the billions of Internet addresses. These are the ones SPEWS members have a poor opinion of. SPEWS is not anti-commerce and fully supports the USA's First Amendment and other nation's free speech protections. In fact, the USA's Supreme Court agrees with the SPEWS view. The creators of SPEWS are its main users and who it was designed for, if others decide to also use its data, they are exercising their own rights. No one is forced to use SPEWS.
no one is forced to abide to banned book lists either. in fact the caveat in the above faq answer closely mirrors the caveat in the pabbis banned book site at the link above that says essentially, that pabbis doesn't think books are bad, that is up to parents to decide. they just provide a list. SPEWS doesn't decide that they are bad, they just provide a list of spammers and companies do what they wish.
but like i said, upon further reading of the SPEWS site, i think they are probly a good thing in the end, but i still think that if used incorrectly (just like every single tool and technology ever created... yea, even sporks) it could become a bothersome hassle or even, in some wacko Brave New World scenario, a way to silence the voice of the people. we could have lists to ban IP's from known dissident factions or unpopular opinions.
but those days are a few decades away still :)
-John -
Re:Lessig needs someone to whack him with a cluest
I agree with some of your points. Lessig has really written a very bad piece. I usually quote Lessig when he's quoting Rosen saying that Hollywood should control all distribution of everything, but the quote that you can't contact SPEWS is bullshit to the extent that it almost becomes dishonest. I'm not sure I can quote Lessig after this. SPEWS FAQ Q41 states that you talk to SPEWS folks in NANAE. You'll meet them all there.
For obvious reasons, an "ADV" won't work. Now, Lessig makes the mistake of thinking that the US is the whole world. That's a very bad mistake. Another mistake is not to realize that my mailserver and bandwidth has suffered from the spam if I accept it. These costs are very large indeed. The only way to avoid this cost is that spam is never sent.
I've been a regular in NANAE for a long time (not right now), and I have supported RBL and SPEWS, and I still see many positive things about them.
Yet, I don't think people realize how much power they have, and what costs a mistake will have. Use of RBL and SPEWS is voluntary, so Lessig's "vigilantism" reference is highly inappropriate. But effectively, so many people are using them that an error on the part of us is too costly for those that it hits.
Mistakes are human, and we all make mistakes, but it is easier to make mistakes when you're not working full-time on an issue, when you don't have the time to research properly. Nevertheless, these mistakes are unacceptable. By mistakes I'm not talking about the RBLing of Peacefire. They chose to stand by scumbags and chose to go to the press rather than resolve it in a manner that everybody would benefit from. I'm talking like the case of Ed Felten's "Freedom to Tinker" experiences with SpamCop and the SPEWS listing of The Linux Kernel Archives. These are examples of things that should never happen. Most of us strive for many 9s of uptime, and can appreciate what it is like to be blocked for days. Traumatic, that's what it is.
:-) Yet, that is going to happen many times more if we continue with current practices.
I think the US needs good laws. Here in Norway we have a law that requires confirmed opt-in and bans business to consumer spam. It works quite well. While I get quite a lot of religious spam from US, I get nothing from Norway, though that is not regulated. It could be that the message is quite strong that spamming is unacceptable anyway, so even the morons don't spam.
While spammers can move off-shore, I wouldn't mind blocking whole countries until they get good laws. Moving off-shore won't work.
It will not totally stop spam, but only totalitarian regimes want total solution to problems. With laws in place, we may get a spam a month, I don't mind as long as I can turn the spammer over to the justice system and let them decide whether he overstepped the boundaries or not. That's what the justice system is there for.
Now, Lessig's proposal is bad from another angle too, and that is that it to a great extent encourages vigilantism. I really don't want a bunch of script-kiddies running around trying to obtain evidence that some randomly accused person committed spamming. Joe-jobs happen a lot, I've been joed myself. True spamfighters know a joe-job when they see it, but a random script-kiddie out to make a fast $10k won't.
A US ban on spam is needed. Blacklists should be abandoned.
-
Not enough.
Although this is certainly welcome news, it shouldn't be interpreted to mean that spam will dry up in the near future.
Read the story. It took four years to get this far. At four-five years a pop per spammer, how long would you care it'll take to go after all of 'em?
I still believe that the real solution is a combination of technical and social approaches, with litigation being used only for the worst offenders, like Heckel. It's been my experience that carefully-tuned mail filters are very successful in blocking between 60-75% of the junk. If you don't mind an occasional false positive, you can get even better than that. Adding up what I find in /var/log/maillog, and my mailbox, my filters block about 95% of the crap that's flung my way.
What's left over can be kept in check by aggressively going after the network providers who are providing Internet connectivity to these spamming parasites. That's the social approach. If you've been complaining to large networks you've probably figured out for yourself that many large networks consider spam complaints to be nothing other than requests to shut down a paying customer. A paying customer who often generated lucrative "bulk-friendly" hosting fees.
Aggressive spam blacklists, like SPEWS, have actually gotten some pretty good results in forcing these rogue networks to get their shit together, by massively blacklisting large portions of spam-hosting networks until such time that they decide to get rid of their spamming vermin. I think that the spam problem will finally get handled when more and more people will accept the notion that sometimes it is necessary to temporarily throw the baby out with the bathwater, and blackball an entire network until they no longer refuse to do anything about their spamming abusers. -
Re:Follow up article...
He still doesn't take back the fact he's mad at the vigilantes out there.
As one of those who would be accused by this person as being a "vigilante", I prefer to think more in terms of securing my borders. If someone is a "known spam source", I will scrutinize their mail much more thoroughly, and probably reject it as probable spam, without evidence to the contrary. We do it every day, and I'm sure the author of the article in question has his own form of spam filters installed.
There is no spam filtering method that is without collateral damage. Find some obscure trait of a particular group of spams, say, the name of a particular dead Nigerian engineer, and filter email against that trait, and someone is going to include that dead Nigerian engineer's name in a legitimate email, even if it's just a warning to one of your users that a particular scam letter is circulating, and not to believe it. That's why, as an email server administrator, every bounced email, be it a misspelled address or spam policy violation, generates a notice to me of why it bounced... sometimes over a thousand per day, during bad spam attacks.
I'm constantly tweaking the filters, and checking with users to see if exceptions need to be made. If I were needing to accept mail from a particular domain that is hosted on a notorious spam server, I can make that targeted exception, and most other "vigilantes" can, too. That's why each and every spam blacklist I've seen carries disclaimers... Such as those found on this page from SPEWS.ORG
-
I wish I was a "vigilante"
I don't run or maintain any mail server that I use, so I can't beat on the spammers the way I want. There's no way that I can say "My server, my rules" as clearly as I could by using the SPEWS blacklist. The best I can do is send the LARTs and hope the spammers get nuked. *sigh*
-
Re:oh yes?
It would have, but surenet.net said they canned Balan's ass after SPEWS got on theirs!
-
Re:There ought to be a law...
Note that blocking really helps -- the bandwidth has already been consumed. The only thing blocking does is automagically delete it for you. I'd like the bandwidth back personally.
This is not true. e.g. you can take the SPEWS list and fire-wall off the email servers. I have done this and I went from 100+ spams/day to a couple per week. The TCP connection is not even established and so very little data is passed and if you simply set the firewall to not respond to these IP addresses, you make the spammer pay by having to wait 10 to 60 seconds before going onto the next spammer making their machine idle which is a good thing(TM).
SPEWS can also be used in an MTA (sendmail, procmail etc) so that it rejects the email even before it's transferred. Using it like this means that a TCP connection is established and the server needs to reject the connection, still it's much better than having to archive the mail.
Another nasty thing is blocking their DNS servers when they come in asking for a MT record.
I'm amazed that they have not figured out that it's better to just not send me spam since I do log all the rejected packets and A HUGE amount of them are still coming in.
I'm happy with SPEWS and a firewall. I'd actually started putting my own list together and I was pretty successful but keeping it maintained was a hassle. Go SPEWS !
check out http://www.spews.org/
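The two enforcement points described in the comment above (dropping listed netblocks at the firewall versus rejecting at the MTA), together with a local exception list, as an added example that is not part of the original comment and not SPEWS's own code. The netblocks, evidence references, sample addresses and the zone `dnsbl.example.org` are constructed placeholders.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real listings.
# A listing covers the whole netblock, so every host inside it is affected,
# whether or not that host ever sent spam.
BLOCKLIST = [
    (ipaddress.ip_network("198.51.100.0/24"), "S0001 (constructed)"),
    (ipaddress.ip_network("203.0.113.64/26"), "S0002 (constructed)"),
]

# Targeted local exceptions for senders known to be legitimate.
ALLOWLIST = [ipaddress.ip_network("198.51.100.17/32")]

DNSBL_ZONE = "dnsbl.example.org"  # hypothetical zone name


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name an MTA resolves to test an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate(ip):
    """Return (verdict, reason). Local exceptions win over any listing."""
    addr = ipaddress.ip_address(ip)
    for net in ALLOWLIST:
        if addr in net:
            return ("accept", f"local exception {net}")
    hits = [(net, ref) for net, ref in BLOCKLIST if addr in net]
    if hits:
        # Report the most specific listing that covers the address.
        net, ref = max(hits, key=lambda h: h[0].prefixlen)
        return ("reject", f"listed in {net}, evidence {ref}")
    return ("accept", "not listed")


def smtp_reply(ip):
    """MTA-level enforcement: the sender is told why the mail was refused.

    Returns the rejection line, or None when the connection is accepted.
    """
    verdict, reason = evaluate(ip)
    if verdict == "reject":
        return f"550 5.7.1 Mail from {ip} refused: {reason}"
    return None


def firewall_rules(port=25):
    """Firewall-level enforcement: packets are dropped silently.

    ACCEPT rules for exceptions must precede the DROP rules, because the
    first matching rule decides. The sender sees only a timeout, never a
    reason, so a false positive is harder for them to diagnose.
    """
    accept = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in ALLOWLIST
    ]
    drop = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j DROP"
        for net, _ref in BLOCKLIST
    ]
    return accept + drop


if __name__ == "__main__":
    for sample in ("198.51.100.17", "198.51.100.200", "203.0.113.70", "203.0.113.10"):
        print(sample, dnsbl_query_name(sample), evaluate(sample))
    print("\n".join(firewall_rules()))
```

Logging the verdict and reason for every refused connection is what lets an administrator spot a legitimate sender caught inside a listed range and add the exception.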
-
Well filter better ...
OK so filtering doesn't stop spammers sending, but hotmail could do the simple things,
- Use blacklists, spews.org if you want to be really careful, or relays.visi.com or relays.osirusoft.com to stop open relays connecting for a start
- Check the sending domain exists when mail is sent.
- Drop the common abusive domains
- Increase the amount of blocked domains you can have. 250 is not enough when people use aaaa.com, aaab.com and so on
- Data mine the individual block lists. If more than 20% of hotmail users block a domain, then it should be looked at
All these things are pretty standard these days, but webmail providers (not just hotmail) don't actually seem to bother. Remember, the more times you check your inbox, the more ads they have viewed.
-
Re:Tit For Tat - just another blip
"Overpeer will respond by randomizing the names."
If the names are randomized, how will they be picked up in searches? Even if the meta tags have the info, surely only a complete nit-wit is going to download #fe*&(^.mpg if they are searching for "Grateful Dead".
A few people have asked what can be done to stop Overpeer. IMHO they probably are pretty harmless. But what they are doing is a form of spam, and maybe someone like www.spews.org may be willing to help. -
Re:Some of us go to great lengths
To cut down on your spam, you could use an ISP that supports a block-list such as SPEWS. (No one knows/admits who SPEWS really is. This could be a picture: Is this SPEWS?)
There are many options for blocking, with links at SPEWS to lots of others.
-
Re:It's logical
I know those are different, but I was alluding to the fact the KPNQwest wasn't able to get more funding from Qwest.
And it's very clear that you don't follow the spamming situation at all, or you wouldn't post such a hilarious statement like "I am sure that none of them accepted spammailers as a viable customer." I suppose you never trace your spam or the spamvertized sites?
The above may be very well true for KPNQwest (and appears to be, according to the other reply to my post), but Qwest just loves spammers (or doesn't care about them spamming at all). Let's just take one spamming operation, Ernesto Haberli & Co. They operate (among others) the fake ISP's e-connexus.net, gigaipnet.com, transip.net and Americanet.com.ve. These are very active spamming networks (especially the first and the last at the moment):
- Postings in news.admin.net-abuse.sightings
- Spamhaus entry
- SPEWS entry
- bitchlist.net entry
That's just one spamming gang, of course. If you want the full list of spamming operations (yes, spamming operations, not just companies who spammed once or so) hosted by qwest, see here.
Really, saying that Qwest doesn't support spammers is like saying that Microsoft is an Open Source fanatic.
PS: Zeus is doing fine, thank you
:) I'm the Zeus spam-admin currently, fwiw <g> -
Re:Spam is out of hand!
" Extortion?? " Yup. We have found you can easily get off a blacklist with $1000 or more in hand, but if you simply ask to get off the list because you are not a spammer, "Nope. You got on there at some point for something, you must be!" No record check, no records at all. Your business name can be sullied if someone simply puts your URL in a piece of spam. Bribe or no bribe, they don't ask questions of the validity of the argument, but only one way will get you off the list. Not everyone does this, but not all spammers hide their identity or blast millions either.
Horse byproducts! Name a list that will allow a spammer to buy out -- and if you can prove it, most admins will drop it instantly.
And as for proof, I think you'll find that the case files at SPEWS are usually quite detailed.
And it's UCE spam even if they don't hide or blast.
-
Re:Speaking of antispam..
c) There is no direct way to be removed from SPEWS.
Bullshit. Or are all those SPEWS: messages in news:news.admin.net-abuse.email figments of my imagination?
From the spews faq
Q41: How does one contact SPEWS?
A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above. The newsgroup news.admin.net-abuse.email (NANAE) is a good choice, and Google makes it quite easy to post messages there via the Web as M@ilGate does via email. Note that posting messages in these newsgroups & lists will not have any effect on SPEWS listings, only the discontinuation of spam and/or spam support will. Be aware that posting ones email address to any publicly viewable forum or website makes it instantly available to spammers. If you're concerned about getting spammed, change or "mung" the email address you use to post with.
So sort your spam problem, then post in nane once its sorted. Until then, don't expect a lot of us to accept your crap.
-
Re:A license to spam
It wasn't a "pink contract" this time Sam, it was a "pink paragraph". The sleazy scamming spammers at Monsterhut (Neal Martin, Todd Pelow, et. al.) pulled one over on the greedy sales and clueless legal people at Paetec.
They got them to put in one paragraph that allowed for the magic 2% complaint level, this was the loophole they needed.
To stay on and spam for a year, they also needed a clueless judge who believed the lying spammers and not Paetec or the many people who submitted sworn affidavits showing they were spammed by Monsterhut. They lucked out with Judge John Lame^H^H^H^H Lane.
The appeals court saw that the paragraph was bogus and that this "pink paragraph" did not override the properly worded, "no spamming" part of the contract.
Too bad we had to eat a year of spam until it reached that court. Okay, YOU people had to eat the spam, I use SPEWS and Spamhaus to filter my mail.
Oh yeah, poster Mr. Sam has his own SpamBag block-list system that I'm sure no Monsterhut packets would ever get through!
If networks and courts don't protect you from spammers, you have to do it yourself it seems. -
Re:A word of caution
I'd have to agree with this. news.admin.net-abuse.email is full of people who have hosting with ISPs that host spammers (*cough* SPRINT *cough*) and their mail then bounces, or packets get dropped at firewalls.
http://www.spews.org/ allows you to do lookups, but unfortunately it's single IPs, not netblocks.
You can also lookup ISPs by name on http://www.spamhaus.org/
In general a quick "hat check" post to n.a.n.e. can save you a lot of time and grief.
-
The order of magnitude is correct...
I think it was Alan Ralsky who bragged about that figure per spam run. I remember reading an interview with one of the more persistent spammers who reported a 1-to-100,000 sell rate, but at 10,000,000 spams that's still a hundred sells.
If you google around, you'll find some web sites where anti-spammers (called "anti"s in spammer jargon) post their insight into the spammers world and psyches. One of the best is the venerable "Behind Enemy Lines -- Premier Services Exposed" website.
Lots of info on how they communicate, harvest AOL accounts (that's now dated info, they have devised other techniques for their spam runs), and share the loot. A Must Read!
For documentation on organized spamming, there are two repositories with the dull date: SPEWS and spamhaus.
Spam is reaching the epidemic proportion that I now with increasing frequency receive the same spam on the same address several times, spaced a week apart... -
Re:MAPS is still alive and well.
Get lost spambag.
SPEWS works, proven where I sit. Used it for three months, users love the reduction in spam - zero "collateral damage" complaints. Could there be one day? Sure, the SPEWS site says there may be, but we ain't seen it yet.
SPEWS works, proven where spammers sit. They are bitching and moaning on a daily basis... same old tired "frea speach" crap they've been spouting since the mid 90's, all the while turning my mailbox into a wasteland.
People who use SPEWS and the other filter systems are smart - they don't want to waste the time deleting email from the likes of YOU!
Did I already say get lost? Yep. -
Re:MAPS is still alive and well.
MAPS is also emasculated ever since the lawsuits.
SPEWS is where it's at now.
-
Re:Spamming for dumbasses
From a well below current threshold post:
You sir are correct, this is not t0qer this is anoymous coward..
65.89.25.90
Note, this is 1 IP off of his subnet, the rest you'll have to figure out on your own.
Easy: Found the bastard!
Found the 'fo in this record at SPEWS!
Looks like he's listed all over the place!
Hosted by Broadwank... ugh...
I think I'll bounce his packets too... but anything else done against his network would be wrong... so wrong...
-- I HATE SPAMMERS --
Nice ass on her though! -
Here are some resources
Check out Rokso. This site maintains a database of well known spammers, as well as spam samples, MO's, partners in spam and, yes, personal info for many of the spammers.
Try going to SPEWS and searching on the IP addresses of any SMTP relays used in the mail. If you find a hit, view the evidence file. It will usually contain information about the sender of the spam, their ISP, and related domains.
Subscribe to news.admin.net-abuse.email via your news provider of choice, or search the archives at groups.google.com. If you type in some particulars about the spam - for example the domain being advertised, or maybe the email address listed on the whois for that domain - Google will usually bring up some pertinent matches from NANAE. When it's a new spam run, or a new spammer, remember that Google's archive is usually at least 12 hours behind.
If you don't find anything, or even if you do find something and you're in a sharing mood, post the spam you get to news.admin.net-abuse.sightings and if you've done any research into the spammer, include it at the top of your post.
Shaun -
feed them to SPEWS
Experience shows that blocking SPAM at source is impossible today. The fight should be directed at beneficiaries of spam (clients of spammers). And the only effective remedy is blocklists like SPEWS.
Your friend could fight the spam indirectly if he persuaded his ISP (demon.co.uk) to adopt SPEWS filter. That would block most of ISPs that host spam beneficiary sites from demon.co.uk. When ALL their clients lose access to this large European provider (demon) - then ISPs would definitely notice and take action against the spammers. If not too late for themselves... (check out this tearful public apology from a spammer at news.admin.net-abuse.email).