Slashdot Mirror


Are SPAM Blacklists Unreasonable?

rlsnyder asks: "I'm the inadvertent co-administrator of e-mail for a company that relies pretty heavily on it for daily business (e.g. sending confirmations of financial transactions). At one point in the not-too-distant past, our server was an open relay. I admit I'm a sinner for letting it happen, and I'm ready to do my penance. Given the relatively low volume of mail our server moved that did not originate from inside, I doubt I was a major contributor to the world of SPAM. In any event, we've been blacklisted on a number of sites. Some lists have reasonable policies, and we've since been removed. Other places are a little more arbitrary as to removal policies, and although I can prove we're not a relay, we're still listed." While I approve of the basic concept of SPAM Blacklists, there are dozens of SPAM blacklists out there who are real keen on adding open relays to the list, but not so keen on taking rehabilitated hosts out. I would posit that SPAM blacklists that are not properly maintained are a part of the problem, not the solution. What are your thoughts on the subject?

rlsnyder continues: "Am I way off base here, or is this self-appointed mail police thing going in the wrong direction? Given that I can't reliably deliver e-mail to a number of places due to being blocked, I've got a big exposure. Is this making spam less of a problem, or are we trading one problem (SPAM) for another (the reliability of proper maintenance of SPAM Blacklists)?

I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system? I realize no one makes ISPs subscribe to the blacklists, but basically, I'm trying to move data from one point to another, and some machines in the middle are discriminating against my data because of a corrected, perfectly legal system configuration error. How is this helping? Has SPAM really decreased universally thanks to these lists?"

215 of 619 comments

  1. Real Pain by Tadrith · · Score: 5, Insightful

    The company I work for had the same problem. As a result, we ended up having trouble getting e-mail to some of our customers. Thankfully, it was easy to get ourselves removed, but I think if people are going to use blacklists, they should also take the responsibility of keeping them maintained, both in additions and removals.

    1. Re:Real Pain by fmaxwell · · Score: 2

      They've made it their responsibility to jump to list the open relay, it becomes their responsibility to jump to de-list the machine after it's been secured. Otherwise their[sic] just fanatic assholes.

      Ignoring your name calling, they are making a volunteer effort to help reduce spam, not to minimize inconvenience for negligent system administrators. I don't care if they only purge their database once a month. If you don't like being in their database, don't do something as brain-dead-stupid as running an open relay. And if you f*ck up, don't blame the people that report it.

    2. Re:Real Pain by fmaxwell · · Score: 2

      If they can jump to get it on, they can jump to get it off when the server is secured against relays.

      Or they can do it when they are damned good and ready to. It's their list and they can make removals a high or low priority. Their choice. If their views and mine are the same, then I can use their list to help me filter my mail.

      If volunteer firefighters had the same attitude

      The firefighters' responsibilities are to the community, not to the guy supplying oily rags and matches to arsonists.

      If these people volunteer at hospitals you could easily find them by following the dead bodies and screaming.

      In your world, the hospitals would be tending to the needs of the muggers, rapists, and wife beaters rather than those of the innocent victims. "Oooh! It looks like you cut your hand when you punched your wife. We'll get right on it and tend to her later."

  2. Subscribing to blacklists did not help me. by Dick Click · · Score: 5, Interesting

    When I used to manage a mail server, I was asked to filter based on orbs. Not only did this in no significant way limit the amount of spam entering the system, it became a huge administrative headache. Eventually, we stopped using the lists. I am sure there are likely better lists, but I simply prefer creating my own list, based on investigation into what's coming in.

    1. Re:Subscribing to blacklists did not help me. by diamondc · · Score: 4, Insightful

      We use ordb and orbz here at work. Over a day or so it rejected about 500 emails.

      Then we blocked all mail from mail servers whose IP numbers don't resolve. Now we have cut down on spam dramatically.. our root@ email account has gone from 200 spam emails a day to about 10

      --
      "I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
    2. Re:Subscribing to blacklists did not help me. by Carlos Laviola · · Score: 2

      In most cases, you can find out where you got blocked by just looking at the error the remote smtp daemon (the one that is filtering you) gives when they bounce back your message. I have set up my ISP's mail server so that, when the message bounces, the person whose message is bounced receives a warning in Portuguese and English about the blocking, and a URL, relative to the DNS blackhole that got him (we use both ORBZ and SpamCop's DNSbl's). Nevertheless, I still have to explain to some people why the heck their mail is getting blocked but, overall, I feel like I'm doing a service for them too. You may not get your mail delivered with an open relay, but at least some crazy idiot doing the old 419 scam won't be spending your bandwidth again. Ever.

    3. Re:Subscribing to blacklists did not help me. by Flower · · Score: 2
      First off, go to samspade.org, bookmark this page and then check to see if your server has been blacklisted. It doesn't check every list but it is a dang good start. samspade is a friend indeed.

      After that, it's simply up to you to find out how to get off the lists. Some are incredibly easy and take less than half a day. Others require more work. It isn't fun but it is worthwhile. You will surely rue the day when a client is knocking on your cube trying to send this critical e-mail to someone and the best advice you can give them is to open a hotmail account.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    4. Re:Subscribing to blacklists did not help me. by Syberghost · · Score: 2

      I have only about 7 users. I am using two blacklists:

      Not Just Another Black List, and Osirus

      Between them, I'm stopping an average of over 100 messages a day. We do not have a single indication of any false positives yet.

      Considering that only 2 of my 7 users receive a lot of mail per day (based on the size of their mail spools), that's a hell of a lot of spam.

      So protestations that "they don't work" are bunk. If you think spam blacklists don't work, then you either have a skewed definition of "work", or you're just sadly misinformed.

      As for "false positives", that depends on your definition. I personally choose not to do business with people who keep open relays. I therefore by definition can only have a "false positive" if there's a bug in one of my blacklists. Legitimate mail from an open relay isn't a false positive as far as I'm concerned, and my users have hundreds of alternatives if they don't like my policies.

    5. Re:Subscribing to blacklists did not help me. by Syberghost · · Score: 2

      I should also add that every time Slashdot puts up a new spam-munge that leaves the domain name intact, as with the current one, I start getting bounces in my logs from spammers:

      Feb 16 08:25:22 oa sendmail[4090]: g1GDPKD04090: <sLAPLACEyberghost@eiv.com>... User unknown
      Feb 16 08:25:22 oa sendmail[4090]: g1GDPKD04090: from=<mark@gemdealers.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=netturbo.cscoms.com [202.183.214.2]

      I thought you guys were gonna fix those to always munge the domain, too, for those poor souls who get their domain's mail via fetchmail with a POP account?

  3. ObPeeve: SPAM(tm) vs uce spam by Speare · · Score: 3, Informative

    Hormel Foods has stated they don't mind the use of the word 'spam' to refer to U.C.E., or junk mail, as long as people don't use the term spelled in all-capitals. Hormel owns the trademark on the meat product, SPAM. Given their more-reasonable-than-average position on this, let's respect their request?

    --
    [ .sig file not found ]
  4. Its more of a pain in the neck by tkrotchko · · Score: 4, Informative

    I like the idea of something like MAPS-RBL, but I think many of them are bad hacks put together by guys who take the spam thing as a holy crusade. I don't really have a problem with that, it's a free country, you do what you want.

    However I fault ISPs for using them without understanding their policies. Many ISPs use these small-time black-holes because they don't want to use MAPRBL (I assume it's a money thing at this point). And if you get listed, how do you know that you're listed? You don't until somebody calls somebody and says "I can't get mail through to you". There needs to be a better way.

    And some sites, it's not worth getting delisted. "www.joes.antispam.site.com" isn't worth the effort one way or the other.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
    1. Re:Its more of a pain in the neck by crucini · · Score: 4, Informative
      Many ISPs use these small-time black-holes because they don't want to use MAPRBL (I assume it's a money thing at this point).

      I don't think it's only a money thing. MAPS is almost useless - they don't list spammers until they've tried to "educate" them. I've noticed that servers sending me spam are never on MAPS. But the fact that they're charging doesn't help.
      And if you get listed, how do you know that you're listed? You don't until somebody calls somebody and says "I can't get mail through to you". There needs to be a better way.

      You generally know that you're listed because some of your outbound mail bounces with a message explaining that you are listed and giving a URL for further info. Are you saying that you've had outbound mail bounced due to a spam list and there was no indication of the reason? I realize this is theoretically possible, but I don't understand why someone would set up a mail server that way.
    2. Re:Its more of a pain in the neck by macdaddy · · Score: 2

      I tend to agree. MAPS is useless for the most part as far as listing actual spammers. Now I do like to use their RSS. Many anti-spam admins still report open relays to MAPS. I do. Because of that they have a decent list of open relays. I also like their DUL. It was created in a fairly professional way. They did the leg work to identify actual dialup user netblocks rather than me trying to make a quick guess. I like that. I don't hit the DUL much (maybe 500 times per week on average) but every so often it gets hit hard and I'm glad I shelled out the $$$ for it. I use the ORSS for most of my filtering. I zone transfer it so I get the SPEWS stuff as well. It works well for me. Add that to my huge Sendmail access list and you have a decent setup.

  5. Automate the maintenance by jACL · · Score: 2, Interesting

    In this day and age, there's nothing stopping blacklist coordinators from automating the rehabilitation process: Select your host and click 'Check me now!' Passing verification removes one's host from the list.

    --
    "It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
    1. Re:Automate the maintenance by Sir Spank-o-tron · · Score: 2, Insightful

      1. turn off open relay.
      2. click 'check me now'
      3. pass check.
      4. turn on open relay.
      5. spam as usual.
      6. rinse repeat.
      7. automate process

      --
      -- Spankmeister General
    2. Re:Automate the maintenance by maxpublic · · Score: 2, Insightful

      And if the database flags the company as a repeat offender the process is locked for them, requiring actual human intervention. Easy to write something like this.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    3. Re:Automate the maintenance by Tyrall · · Score: 4, Insightful

      Nope, the usual way to do it is:
      1. Filter the open relay checker's IP.
      2. Click 'check me now'.
      3. Spam as usual.

      This is a retarded, but effective way of avoiding the automatic blacklist generators.
      You'll still get on a lot of the automatic+human checkers like MAPS' open relay list.

    4. Re:Automate the maintenance by ahde · · Score: 2

      a spammer doesn't need open relay turned on on his own box

    5. Re:Automate the maintenance by LinuxHam · · Score: 2

      1. turn off open relay.
      2. click 'check me now'
      3. pass check.

      4. Go on probation involving random checks for 6 months, with fails being duly punished.

      --
      Intelligent Life on Earth
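
The removal policy proposed across this sub-thread (automatic retest on request, probation with unannounced checks, a lock for repeat offenders), written out as an added example; it is not part of any comment above and not any real blacklist's code. The class, the three-listing limit, the `probe` callable and the sample host are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PROBATION = timedelta(days=182)   # the "6 months" suggested in the thread
MAX_OFFENCES = 3                  # assumption: third listing needs a human to clear


@dataclass
class Host:
    ip: str
    state: str = "clean"          # clean | listed | probation | locked
    offences: int = 0
    probation_ends: Optional[datetime] = None


class Blacklist:
    def __init__(self, probe):
        # probe(ip) -> True if the host still relays third-party mail.
        self.probe = probe
        self.hosts = {}

    def _list(self, host):
        host.offences += 1
        host.probation_ends = None
        host.state = "locked" if host.offences >= MAX_OFFENCES else "listed"

    def report(self, ip, now):
        """A relay was reported: list it only if our own test confirms it."""
        host = self.hosts.setdefault(ip, Host(ip))
        if host.state not in ("listed", "locked") and self.probe(ip):
            self._list(host)
        return host.state

    def check_me_now(self, ip, now):
        """Self-service retest. Passing moves a listed host to probation."""
        host = self.hosts.get(ip)
        if host is None:
            return "clean"
        if host.state == "listed" and not self.probe(ip):
            host.state = "probation"
            host.probation_ends = now + PROBATION
        return host.state          # locked hosts stay locked: human review only

    def random_check(self, ip, now):
        """Unannounced retest while the host is on probation."""
        host = self.hosts[ip]
        if host.state == "probation":
            if self.probe(ip):
                self._list(host)   # failed probation counts as a new offence
            elif now >= host.probation_ends:
                host.state = "clean"
        return host.state

    def is_blocked(self, ip):
        host = self.hosts.get(ip)
        return host is not None and host.state in ("listed", "locked")


def simulate_repeat_offender():
    """Constructed host that closes the relay only long enough to pass."""
    ip, relay_open = "192.0.2.25", {"open": True}
    bl = Blacklist(probe=lambda _ip: relay_open["open"])
    now, trace = datetime(2002, 2, 16), []
    for _ in range(3):
        relay_open["open"] = True
        trace.append(bl.report(ip, now))
        relay_open["open"] = False
        trace.append(bl.check_me_now(ip, now))
        now += timedelta(days=30)
    return trace, bl.is_blocked(ip)


def simulate_fixed_host():
    """Constructed host that is fixed once and stays fixed."""
    ip, relay_open = "198.51.100.7", {"open": True}
    bl = Blacklist(probe=lambda _ip: relay_open["open"])
    start = datetime(2002, 2, 16)
    trace = [bl.report(ip, start)]
    relay_open["open"] = False
    trace.append(bl.check_me_now(ip, start + timedelta(days=1)))
    trace.append(bl.random_check(ip, start + timedelta(days=90)))
    trace.append(bl.random_check(ip, start + timedelta(days=190)))
    return trace, bl.is_blocked(ip)


if __name__ == "__main__":
    print(simulate_repeat_offender())
    print(simulate_fixed_host())
```

A host on probation is not blocked, so a fixed server regains delivery as soon as it passes the retest, while the third confirmed listing stops the self-service path.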
  6. No. Deal with it. by Tackhead · · Score: 2, Interesting
    No, they're not unreasonable.

    You wanna live in a crack house? Don't go whining to the cops when you can't get a pizza delivered at midnight.

    You wanna get bandwidth with a company that provides services to spammers and relocates spammers to IP addresses to avoid blocking of single IP addresses, don't come whining to /. when the rest of the world wants nothing to do with your ISP.

    If someone spams me, I block the IP address. If the ISP relocates the spammer to another IP address in the same netspace, I say "fuck it", and block the /24. Or the /16, if need be.

    Don't like living in a crack house? Move.

  7. I've been e-mailing the admins of those lists,... by 5.25" Floppy · · Score: 4, Funny

    ... but dammit, they just don't seem to be getting my e-mail! I'm going to start having all my friends send them a few mails as well... *sigh*

  8. Naughty in his sight by ackthpt · · Score: 3, Funny
    At one point in the not-too-distant past, our server was an open relay. I admit I'm a sinner for letting it happen, and I'm ready to do my penance.

    ...and the number of counting shall be three...

    --

    A feeling of having made the same mistake before: Deja Foobar
  9. Mail servers are private property by Tyrall · · Score: 5, Insightful
    From the article: I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system?
    This is a fallacy that continues to be propagated. I own my own mail server. The company I work for owns its mail servers. We can both decide who we want to allow to send mail to our users.

    At work, we use two open relay lists; ORDB and ORBZ. Nobody forces us to use them; it's our server cluster, and our choice.
    The reason we use those two systems, however, is due to the reasons pointed out in the article. Some blacklists are far too easy to get onto, or hosts are arbitrarily added by humans. The only way to get onto either of those lists is to be an open relay. The only way off is to be automatically retested and found to not be an open relay.

    1. Re:Mail servers are private property by Tyrall · · Score: 2, Interesting

      Correct.
      There are numerous ISPs out there; you are not required to use any one ISP.
      If an ISP doesn't fulfil your specific needs, or has policies you disagree with, then there is nothing preventing you from using a different one.

      Similarly, if you're an ISP, there's nothing /requiring/ you to use one transit provider. If you have an issue with RBL filtering, don't use that transit provider.

    2. Re:Mail servers are private property by geekoid · · Score: 2

      e-mail system not server.
      he is correct, nobody owns "the system".

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Mail servers are private property by dillon_rinker · · Score: 2

      Which is like saying that no one owns my neighborhood because 30 people own the property, the utilities own the poles, and the city owns the street. Or it's like saying that no one owns GE because 50,000 people own stock.

      True, no single person owns it all, but all of it is privately owned, except for the bits that are owned by the govt, which in theory is owned by all the people.

    4. Re:Mail servers are private property by Tyrall · · Score: 2, Insightful
      You are 100% correct. However, I think that it's the responsibility of the sysadmin who subscribes to a blackhole list to keep the database current and to make sure that the list has a decent policy for removal from the list.

      I'd say it's the responsibility of the sysadmin to analyse those factors way before they even started to use the list. I know we checked over a period of months that the two services we used were well maintained. I'd like to counter a couple of the points you mentioned:

      Mail is sent to an administrative account at the mail-server (or at least to common addresses like abuse@[mail-server], root@[mail-server]). Making admins manually subscribe does not satisfy this requirement.
      Related to the above, such mail must contain a full itemized list of tests performed (or at least any and all items which were failed). The point of these lists is not to punish admins, but to educate them and make a better internet.

      This was one of the stumbling blocks we came up against. We'd prefer the systems used a notification method like you described. However, the TXT on the lookup clearly points you to a web page detailing exactly what failed. Our reject message is also customised to suggest why the mail is being rejected.
      I find ORBZ's reason for not emailing notifications somewhat amusing though.

      There must be a period of sufficient length (24 hours sounds good to me) to allow the admin to fix the problem, before the host is added to the list.

      I disagree. One of the bonuses of both systems is their automatic notification feature. I can submit a relay for checking on the first spam from a server, and have it reject future attempts that same day.

      There must be a free means of checking the lists. The current database of blocked addresses must be available for use and editing by myself. If IP blocking is enabled, it must be possible to disengage, on a per-host basis.

      Any server capable of limiting using RBLs is also capable of whitelisting IPs or IP ranges. We have many IPs in our whitelists, but it should be up to us to add to that whitelist. If you allow general access to the blacklists you will get moron spammers de-listing relays and then using them.

      Any IP address which submits a list of open relays must be banned from submitting more relays for a reasonable period of time (3 years, maybe?) if one, when tested, is found to be adequate. Otherwise, these DBs are just DDOS attacks waiting to happen.

      ORBZ will not retest within 24hrs unless requested from the IP of the blocked server. ORDB does not have such a limit to my knowledge, but I agree it should have.
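
The receiving-side check this comment describes (local whitelist first, then the blackhole lookup, with the zone's TXT record copied into the reject message), as an added example that is not part of the comment and not ORBZ or ORDB code. The zone names, records and addresses are constructed, and the resolver is an in-memory stand-in so the block runs offline; a real server would send the same query names to DNS.

```python
import ipaddress

ZONE = "relays.dnsbl.example"   # hypothetical blackhole zone
DEAD = "dead.dnsbl.example"     # hypothetical abandoned zone that answers every query

# Constructed records: 192.0.2.25 is listed, with a TXT record pointing at
# a page that explains the listing.
SAMPLE_RECORDS = {
    ("25.2.0.192." + ZONE, "A"): ["127.0.0.2"],
    ("25.2.0.192." + ZONE, "TXT"):
        ["Open relay, see http://dnsbl.example/why?ip=192.0.2.25"],
}


def sample_resolver(name, rtype):
    """Stand-in for a DNS resolver: returns a list of answers, empty if none."""
    if name.endswith("." + DEAD) and rtype == "A":
        return ["198.51.100.1"]            # wildcard answer from a dead zone
    return SAMPLE_RECORDS.get((name, rtype), [])


def dnsbl_name(ip, zone):
    """Query name for a DNS blackhole list: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_client(ip, zones, whitelist, resolve=sample_resolver):
    """Decide whether to accept mail from a connecting IP.

    Returns (accept, smtp_reply). The local whitelist always wins, so the
    receiving admin, not the list operator, has the last word.
    """
    addr = ipaddress.ip_address(ip)
    for net in whitelist:
        if addr in ipaddress.ip_network(net):
            return True, "250 OK (whitelisted locally: %s)" % net

    for zone in zones:
        name = dnsbl_name(ip, zone)
        answers = resolve(name, "A")
        # Listed hosts answer inside 127.0.0.0/8. Any other answer means the
        # zone or the resolver is broken, so it must not be read as a listing.
        if not any(a.startswith("127.") for a in answers):
            continue
        txt = resolve(name, "TXT")
        reason = txt[0] if txt else "no detail published"
        return False, "550 5.7.1 Mail from %s refused, listed in %s: %s" % (
            ip, zone, reason)
    return True, "250 OK"


if __name__ == "__main__":
    for client in ("192.0.2.25", "203.0.113.9"):
        print(client, check_client(client, [ZONE, DEAD], ["203.0.113.0/24"]))
```

Because the reject text carries the TXT record, the blocked sender sees which list caught them and where to ask for a retest.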

    5. Re:Mail servers are private property by nick this · · Score: 2, Funny
      I think that the database approach is not the solution to the problem. The better approach may be to define a mail header that compliant webservers may attach saying that the mail was sent using open relay. This could then be blocked by destination servers using their own rules.

      Hey... this is a good idea. So if I've got the concept right, then those people that set the mail server up the wrong way to begin with would just adjust the configuration of their mail server. Not to stop acting as a spam relay, but to add a header saying that any mail going through might be spam?

      Uh... riiiight...

      While we're at it... here's another idea from the same well:

      There are still a couple bits unused in the IP header aren't there? One flags bit and one service bit or something? We could just appropriate those. We could set up encodings to mean that a particular packet was part of a data stream that was:

      • Attempting to hack or probe the destination system
      • Attempting to steal computing time or other resources (spam)
      • A general waste of resources (d/l pr0n, mp3, slashdot, etc)

      Hacking tools could be written to set those bits, mail sent from spam servers could be configured to set the appropriate bits. DDoS bots, news clients downloading from the alt.binaries.* newsgroups, browsers to the slashdot.org domain, etc, etc. Or perhaps there could be an interface on the user's side... so that when the user was doing something that was wasteful of their employer's time or bandwidth, they could just check the "I'm wasting bandwidth" checkbox, and then the network administrator could decide whether or not to pass the traffic.

      I think you are on to something here...

    6. Re:Mail servers are private property by Russ Nelson · · Score: 2

      If mail servers are private property, then why does ORBZ refuse to respect my private property? Every time ORBZ tests my server, I receive several dozen mis-addressed messages. Given that they're unsolicited, bulk, email, with false envelope addresses, they closely resemble spam. Of course, ORBZ partisans angrily reject the idea that they are spamming anybody. But they are.
      -russ

      --
      Don't piss off The Angry Economist
  10. No decrease noticed on my part by fishybell · · Score: 3, Insightful
    I've had my e-mail address at hotmail for many years, and until the last year or so haven't taken any precautionary measures to reduce my spam intake. As a result of this, that address receives hundreds of spam messages daily (thank god for filters).
    I've only noticed that spam is getting harder to filter because of the blacklists. No longer are they all coming from a dozen or so servers, but instead hundreds.

    --
    ><));>
  11. Please list your domain. by Henry V .009 · · Score: 3, Funny
    Unfortunately you are on my personal spam blacklist. I will consider removing you in return for a fee that will be calculated based on the amount of my time you wasted by allowing yourself to be used as a tool of the spam distributors. And I want you to grovel too.

    P. S. And how come I never got those pics of Teen Sara27 XXX 18th birthday?

  12. ORDB.org by paranoidia · · Score: 4, Informative

    ordb.org is a great site for this. They are very professional with both addition of servers, and subtraction of them. My mail server was an open relay for a time till I got an email from them saying that I was blacklisted. I quickly fixed the server, and submitted that my site be checked again, the next day I was taken off their lists, very easy. They run about 20 tests connecting to your server and sending e-mails for the most common way of sending spam. Also, they say in their FAQ that they reload their lists every hour to get servers off it quickly. Well done!

    1. Re:ORDB.org by Skapare · · Score: 2

      One of the things I want to know is why mail server admins let their servers be open relays in the first place. Is it because you became a mail server admin before you knew about open relaying? Or was it because you didn't really understand how your mailer software worked or was configured? Or was it because you inherited the machine from an idiot? Or was it because management didn't give you the time/resources to do the job right? Or was it because someone just didn't realize the impact of being blacklisted?

      One problem I do see is lots of mail servers that are open relays from the very first day they go online. I can only suspect this is because the admin is a newbie and doesn't know about open relays or doesn't realize it can happen to him.

      Another problem is that in a certain highly populous eastern Asian country, most servers are coming online with pirated copies of an older version of Microsoft Exchange, which not only is an open relay, but can't be made closed, either, even if the admin could read English. It seems in said country that piracy is the norm and virtually no one runs a legitimate copy.

      --
      now we need to go OSS in diesel cars
  13. Blacklist sites by schon · · Score: 5, Interesting

    OK, you've fixed your mail relay(s)..

    This is a good thing - and what every blacklist's ultimate goal is.

    Speaking as a mail server admin, I'd be interested to know which lists are not removing you - so that I can make sure I'm not using them.

    Seriously - letting people know about this is the best way to get what you want. If your site is not a relay, any blacklist maintainer is doing their users a disservice by listing you.

    As a mail admin, I'd want to know.

    Alternatively, you could do the American thing and threaten a lawsuit - most blacklist operators are immune from libel charges because they're just listing people who operate open relays (truth is defense against libel) - if you're not an open relay, then you've got a good case for libel: they're deliberately publishing false information to hurt your business.

    1. Re:Blacklist sites by RedHat Rocky · · Score: 2, Interesting

      I disagree that blacklists just list open relays. I keep an internal blacklist instead of using a public list, its purpose is to list IPs that we DON'T accept email from. Sending me an email is not a right, it is something I allow or disallow. My receipt of SPAM is enough reason to me to decide I don't need email from the offending party, be they a user or a 16 block of an ISP. Now, in my case, the blacklisted party would get a bounce (assuming they're not being FRAUDULENT and using an invalid Reply-To!) informing them that their email is not welcome and a link to a web form that would allow them to plead their case.

      In the case of the original poster, being an open relay would get you on my list, assuming I got SPAM, and I'd probably only remove you if there was some reason I wanted to get email from you. If you want off only because you MIGHT email me, forget it.

      I'm hoping the "threaten to sue" was a joke, but in today's America it wouldn't surprise me if someone tried. No one has a Right to connect to my email server and send a message unless *I* grant that Right.

      --
      Anything is possible given time and money.
    2. Re:Blacklist sites by Skapare · · Score: 2

      It seems what we need now is a ratings system for blacklists. I personally do want to only use those blacklists which operate professionally. The only time I can see justifying a delay in removal from a list is after the offending server goes back to being an open relay for the 3rd time or more.

      I also do not want to be blocking whole ISPs just because the ISP hosts a spamhaus (or even a spam promoted web site), as long as the spamhaus itself can be listed and stay that way. OTOH, if the ISP lets them keep changing IP addresses, then by the 3rd time I'd be willing to have the whole ISP listed until the ISP gets a clue. But even that needs to be a separate blacklist zone so those who don't want these blocked at all won't have to (again, a "truth" issue, as this is saying "this is an ISP that not only hosts spammers, but aids them in evading being blocked as well").

      --
      now we need to go OSS in diesel cars
    3. Re:Blacklist sites by Skapare · · Score: 2

      I would agree an organized blacklist should be used in preference to private ones ... as soon as one that meets my needs can be found.

      Those that are out there either block stuff I do not want blocked (and don't separate the zones to give me a choice), or are not very effective in doing quick blocking.

      So I do block some on my own. But unless it is clearly a spamhaus (no point in ever trying to communicate with them), or a direct dialup/DSL pool (I block them by reverse-to-forward-verified domain name), I do send abuse@ the complaint with instructions to ask me to unblock. They don't even have to tell me they fixed the server the first time ... if they just ask to be removed, they get removed. They don't have to track me down because I sent them the report. Yet, the vast majority never ask.

      Prevention is still the least costly route. Anyone running a mail server needs to prevent the problem from happening in the first place, or else pay the price.

      And perhaps we need better blacklists.

      --
      now we need to go OSS in diesel cars
    4. Re:Blacklist sites by WNight · · Score: 2

      I agree about the overabundance of lawsuits, but here I think you misunderstood the intent of the post...

      If someone lists you on their blackhole list claiming that you are running an open relay and refuses to change your status once you are not, you might have a libel case.

      Not that people shouldn't be added to a "once ran an open relay" list that doesn't get blocked, but which gets added to the block list again more easily, or which people scan occasionally to check their compliance.

      I don't know how well the lists are being run now, but a year or so ago there was a lot of scandal about list maintainers using them to unfairly hush their critics. In that case they aren't maintaining a list of people they don't accept email from, they're maintaining a list of people they claim have committed an offense worthy of being ignored. There's a subtle difference there. If they had said "I hold a grudge against these people for various reasons from having an open relay to having insulted my sister" then they would be in the clear.

    5. Re:Blacklist sites by schon · · Score: 2

      This is not just about open relays. This is also about spam havens, DNS providers for spammer's web sites, and web space providers.

      No. THIS is about open relays.

      The poster had an open relay, and got blacklisted because of it. Now that he's fixed his mailserver, he's still listed.

      If he's not telling the whole story, and is operating out of a spam haven, or is spamvertising his website with another ISP, then that's another issue.

  14. That's a self-solving problem (mostly) by devphil · · Score: 5, Insightful


    Yep, that's the root of the problem: there are a number of for-free blacklists out there which are professionally managed. Those are the ones that should be used.

    And as long as we publicly point out the blacklists that are being poorly run, people will stop using them, and switch to the good ones (like RBL, RSS, DUL, ORDB). The solution is not to ban or otherwise stop using blacklists, the solution is simply to (vocally) promote the ones which stay on top of the problem.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:That's a self-solving problem (mostly) by Rick the Red · · Score: 2
      Gee, devphil, you say:
      The solution is not to ban or otherwise stop using blacklists, the solution is simply to (vocally) promote the ones which stay on top of the problem.

      But your .sig says:
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)

      Using SPAM blacklists is trying to apply a technological solution to a sociological problem, which your .sig proclaims won't work*. Either change your .sig or rethink your actions.

      * And it doesn't: we still have SPAM despite the blacklists.

      --
      If all this should have a reason, we would be the last to know.
    2. Re:That's a self-solving problem (mostly) by Skapare · · Score: 2

      However, RBL, RSS, and DUL, are not free. And they don't even seem to be interested in money from the little guy as they have refused to respond to any of my mail (and no, I was not using any blacklist that might have blocked them).

      --
      now we need to go OSS in diesel cars
    3. Re:That's a self-solving problem (mostly) by AndroidCat · · Score: 2
      Damn, the $cientology term for "shunning" of disconnection from a potential trouble source works.

      That's not supposed to happen! :^)

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:That's a self-solving problem (mostly) by devphil · · Score: 2

      When I say, "the solution is simply...," I'm not talking about the solution to spam. I'm talking about the solution to poorly-managed blacklists. And that solution (vocally promoting the good ones) is hardly technological.

      The solution to spam is also quite simple: two bullets to the head of the marketing agent who did the spamming. That's not a technological solution either. :-)

      --
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    5. Re:That's a self-solving problem (mostly) by Rick+the+Red · · Score: 2
      Repent and be not shunned.
      If only it worked that way. That's rlsnyder's point: He repented but he's still shunned.

      --
      If all this should have a reason, we would be the last to know.
  15. Shout out for SpamAssassin by dietz · · Score: 5, Informative

    I'd just like to give some props for SpamAssassin.

    If you haven't heard of it, it's an elegant system that assigns a weight to each email message based on hundreds of different tests, and if the email scores over 5 (configurable), it is marked as spam.

    One of the nice things about it is that it uses most of the email blacklists, but they're only worth ~2 points, so being in a blacklist alone isn't enough to kill a message. That's good for those blacklists that throw far too many people in that don't belong (osirusoft). It also uses razor, but that is only worth three points, so if someone is piping bugtraq to razor-report (that happened for a while) you won't lose all that email.

    There's a really interesting set of tests (it's fun to read them) each with an obscure set of points including:
    HTML with a non-white bgcolor (1.2)
    Claims conformance to obscure spam law (1.0)
    HTML mail with no text portion (3.33)
    Various spam phrases (various points depending on how many "hits" there are)
    Subject ends in an exclamation point (0.5)

    The points have apparently been calculated using some program to give the best accuracy.

    Anyway, SpamAssassin is the best of the spam removal programs I've seen. Give it a shot!

    1. Re:Shout out for SpamAssassin by smnolde · · Score: 2

      I can personally vouch for Spamassassin as I just installed it this week on my FreeBSD system running exim.

      Here's a nice sample log entry of what I see when an email is flagged as spam:
      2002-02-15 14:07:17 From: tyu7@mail.com Subject: ***** SPAM ***** Add that extra room
      X-Spam-Status: Yes, hits=13.2 required=5.0 tests=NO_REAL_NAME, MSGID_SPAMSIGN_1, FAKED_UNDISC_RECIPS, TO_MALFORMED, INVALID_MSGID, FREQ_SPAM_PHRASE, RCVD_IN_OSIRUSOFT_COM version=2.01 Sender: tyu7@mail.com

      The highest hit count so far? 26.7 from a yahoo spam email.

      It is so nice having Spamassassin on my mail server so that all users can choose what they want or not. Since Spamassassin only flags email as spam, it is up to the MUA how the email is disposed.

    2. Re:Shout out for SpamAssassin by Sarin · · Score: 2

      the tests read the description of test, they are very funny.

    3. Re:Shout out for SpamAssassin by Syberghost · · Score: 2

      HTML mail with no text portion (3.33)

      I bounce 100% of that, excepting the ones that have invalid headers proclaiming them to be text.

      But only for me, not my users.

      Here are the procmail rules I use:

      :0
      * ^X-Header-Type:.HTML
      * !^X-Loop: MAILER-DAEMON@eivNOSPAM.com
      | (formail -rk -i "From: MAILER-DAEMON@eivNOSPAM.com" -A "X-Loop: MAILER-DAEMON@eivNOSPAM.com"; echo "eiv.com does not accept html-only emails."; echo "Either include a text attachment, or remove us from your lists."; echo "This is an automated response, no human has seen or will see your message." ) | $SENDMAIL -t -oi

      :0
      * ^Content-Type:.text/html*
      * !^X-Loop: MAILER-DAEMON@eivNOSPAM.com
      | (formail -rk -i "From: MAILER-DAEMON@eivNOSPAM.com" -A "X-Loop: MAILER-DAEMON@eivNOSPAM.com"; echo "eiv.com does not accept html-only emails."; echo "Either include a text attachment, or remove us from your lists."; echo "This is an automated response, no human has seen or will see your message." ) | $SENDMAIL -t -oi

      :0
      * ^CONTENT-TYPE:.text/html*
      * !^X-Loop: MAILER-DAEMON@eivNOSPAM.com
      | (formail -rk -i "From: MAILER-DAEMON@eivNOSPAM.com" -A "X-Loop: MAILER-DAEMON@eivNOSPAM.com"; echo "eiv.com does not accept html-only emails."; echo "Either include a text attachment, or remove us from your lists."; echo "This is an automated response, no human has seen or will see your message." ) | $SENDMAIL -t -oi

      and yes, I realize there's a better way to write them. I'm lazy. :-) I also spam-proofed an address in there, so remove "NOSPAM" when you edit this for your own use.

      I used to have the rules include:

      * !^FROM_DAEMON
      * !^FROM_MAILER

      but the spammers have figured out how to make their emails look like they meet these conditions, and spam was getting through. No legitimate MTA will be sending HTML-only error messages.

      I do still see a percentage of it, when it bounces back as undeliverable due to the fake return addresses. But I can spot that without getting too far into it.

      I run the risk of confirming my address, but anybody sending me legitimate HTML mail gets a proper chance to repent.

    4. Re:Shout out for SpamAssassin by mjh · · Score: 2
      Does SpamAssassin. . . allow you to define your own rules? I haven't figured out how yet, but I haven't looked very hard either.

      Yes it does. In $HOME/.spamassassin/user_prefs you can define rules. Here's an example of a rule that I've added to filter ICQ requests as spam:

      header ICQ_REQUEST Subject =~ /^Please let me add you to my ICQ Contact List$/
      describe ICQ_REQUEST Subject contains request for ICQ
      score ICQ_REQUEST 10.00

      Check here for instructions on how to specify rules.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  16. Yes and no by Grax · · Score: 2, Insightful

    Being added to a blacklist without being informed of it is wrong. I was added to a blacklist due to an oversight in my mail config. We were not generally an open relay but in specific instances we were.

    Any time that happens an email should be sent to postmaster@(reverse dns of mail server IP address) to inform them of the action being taken and the specifics of their openness. Just "you are running an open relay" is insufficient.

    Also the ability to quickly remove the address from the blacklist when the other mail admin repairs the problem is important.

    I don't particularly like blacklists but something must be done to discourage open relays and for now they are the only option.

  17. Easier solution by LordNimon · · Score: 2

    Wouldn't it just be a lot simpler if the mail servers, when they receive a connection from an smtp server to deliver mail, make another connection back to the smtp server on port 25. If the connection can be made, then it means that it's an open port, and therefore the mail is rejected? Wouldn't this be a sort of "dynamic blacklist"? That way, mail from an open port is never accepted.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
    1. Re:Easier solution by Shiny+Metal+S. · · Score: 2
      Wouldn't it just be a lot simpler if the mail servers, when they receive a connection from an smtp server to deliver mail, make another connection back to the smtp server on port 25. If the connection can be made, then it means that it's an open port, and therefore the mail is rejected?
      It means that the port is open (you can't have smtp server with smtp port closed), but it doesn't mean that it's an open relay. You'd have to make an smtp transaction.
      --

      ~shiny
      WILL HACK FOR $$$

    2. Re:Easier solution by LordNimon · · Score: 2
      Open and secure relays would both respond to port 25 connections. Correctly secured relays would reject any message you tried to send through their mail server to another destination, whilst still accepting mail for local users (if it's not just an outgoing relay).

      Ah, I get it now. Thanks.

      It's possible to connect to the mail server for the address supplied and verify that the user exists, but in most cases, due to server configuration, that would require actually sending a message (thus putting you at risk of getting into a bizarre authentication loop).

      Wouldn't it be possible to initiate an SMTP transaction and then abort that transaction just before the email was actually sent, while still verifying that email could be sent?

      It would also seriously add to the overhead of sending a message, something larger sites would not be able to cope with.

      Well, yeah, but as a mail filter for your email client, it should work pretty well. Test each email as you receive it. No?

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    3. Re:Easier solution by curunir · · Score: 2

      Hmmm... I wonder if it's possible to write a script that scans the header of every email that arrives, does an open relay test on the sending IP, and if it fails, discard the email?

      You'll want to be careful doing this as the actions that your script is taking will look suspiciously similar to someone trying to send SPAM. You don't want to get blacklisted yourself.

      --
      "Don't blame me, I voted for Kodos!"
    4. Re:Easier solution by Phork · · Score: 3, Interesting

      you very much can have an smtp server that does not listen on a tcp port, but it can only be used for outgoing mail. Many people use this configuration with sendmail so they can send mail directly from their workstation, but receive mail on another system. Sendmail is just invoked from the command line, so it doesn't need to listen on a tcp port.

      --
      -- free as in swatantryam - not soujanyam.
    5. Re:Easier solution by Shiny+Metal+S. · · Score: 2
      you very much can have an smtp server that does not listen on a tcp port, but it can only be used for outgoing mail. Many people use this configuration with sendmail so they can send mail directly from their workstation, but receive mail on another system. Sendmail is just invoked from the command line, so it doesn't need to listen on a tcp port.
      Yes, I know (I've configured quite a few workstations that way), but I consider such configuration an smtp client, rather than smtp server. Sendmail/Exim/etc. are clients in smtp transactions here, and can't act like a server (from the network standpoint).

      What I was saying is that, while you of course can eliminate open relays by denying access from every host with open smtp port, you will also eliminate that way, every host which can get mail, not only those who can get mail from everyone and send it to anyone, i.e. you deny access from every public smtp server. It's like eliminating misconfigured web servers by denying access from every host with port 80 open.

      --

      ~shiny
      WILL HACK FOR $$$

  18. Re:No. Deal with it. by spencerogden · · Score: 3, Insightful

    What if it used to be a crack house, but the neighborhood cleaned up and was safe?

  19. When you set up a mail server... by Shiny+Metal+S. · · Score: 2

    When you set up a mail server, never EVER write:
    host_accept_relay = localhost:192.168.1.0/2
    when what you want is
    host_accept_relay = localhost:192.168.1.0/30
    It took me ten long hours to figure out that I allowed 1/4 of the whole Earth to use my relay, when I wanted 4 computers on a private network. And it was probably the worst 1/4 of the Earth, every C-class network... It was a long day which I will never forget. In those ten hours I read more about smtp than ever before... So remember kids, don't do this at home!

    --

    ~shiny
    WILL HACK FOR $$$

    1. Re:When you set up a mail server... by Shiny+Metal+S. · · Score: 2
      I actually wrote literally all of the hosts ip numbers,

      host_accept_relay = 127.0.0.1:192.168.1.1:192.168.1.2:192.168.1.3

      Yes, after those ten hours I wasn't sure if I understand what "localhost" means, so I wrote 127.0.0.1 which seemed to be the only safe notation at that time. And those ten hours, was a constant fight. Of course I didn't know I have an open relay until the spammers attacked. I was manually killing smtp servers and removing messages from the queue with something like

      killall -KILL exim; for m in `exim -bp | perl -ne 'print "$1\n" if /\b(\w{6}-\w{6}-\w{2})\b/'`; do exim -Mrm $m; done

      whenever I noticed, that they were back, in my xterm with

      tail -f /var/log/exim/mainlog | perl -ne 'print"\a$_"'

      unplugging the network cables etc., while reading the exim docs, smtp specification, faqs, howtos, rfcs, everything, and wondering "what the hell can be wrong?". Believe me, something like this can quickly drive you insane. When I found out what was wrong, I shouted quite loudly "Ale ja jestem glupi!" (which in Polish means "How stupid am I!" or something like that) and after a while of silence wondering if anyone heard it (I usually don't shout alone so it's pretty embarrassing feeling, you know), I just changed the config to every host written as literal ip address.

      Eventually, after a few days of comparing slash notation definitions from many independent sources, I wrote it as 192.168.1.0/30. But I still keep those comments in my /etc/exim.conf:

      # ZLA MASKA:
      #host_accept_relay = localhost:192.168.1.0/2 # ZLE!

      # dobra maska:
      #host_accept_relay = localhost:192.168.1.0/30

      (zla maska means bad mask in Polish, and dobra maska means good mask)

      This is a frightening story of a hard and deadly fight of human versus his eternal enemy, his own stupidity. 100% of adrenaline. This is exactly what kids are talking about when they say: "Mommy, I wanna be a sysadmin when I grow up."

      --

      ~shiny
      WILL HACK FOR $$$
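The /2 versus /30 mistake described above can be caught mechanically before a relay list goes live. The following is an added example, not code from the thread or from Exim: it audits colon-separated relay entries in the style quoted above, assuming IPv4 entries only and that the prefix is applied as a plain bit mask (which matches the "1/4 of the whole Earth" figure in the comment). The function names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample in the colon-separated style of the host_accept_relay
# lines quoted in the comment above (IPv4 entries only).
SAMPLE_CONFIG = """\
host_accept_relay = localhost:192.168.1.0/2
host_accept_relay = localhost:192.168.1.0/30
host_accept_relay = 127.0.0.1:192.168.1.1:192.168.1.2:192.168.1.3
"""

# Ranges a relay ACL for an internal network is expected to stay inside.
INTERNAL_BLOCKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_entry(entry):
    """Describe what one ACL entry matches once its mask is applied."""
    if entry == "localhost":
        return {"entry": entry, "network": "localhost", "addresses": 1, "problems": []}
    try:
        # Assumption: the prefix is applied as a plain bit mask, so host bits
        # outside it are ignored rather than rejected (strict=False does the same).
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return {"entry": entry, "network": None, "addresses": 0,
                "problems": ["not an IPv4 address or network"]}
    problems = []
    if str(net.network_address) != entry.split("/")[0]:
        problems.append("host bits set, effective network is %s" % net)
    if not any(net.subnet_of(block) for block in INTERNAL_BLOCKS):
        problems.append("extends beyond loopback/private space")
    return {"entry": entry, "network": str(net),
            "addresses": net.num_addresses, "problems": problems}


def audit_config(text, key="host_accept_relay"):
    """Audit every `key = a:b:c` line; returns one list of results per line."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name != key:
            continue
        results.append([audit_entry(e.strip()) for e in value.split(":") if e.strip()])
    return results


def ipv4_share(result):
    """Fraction of the whole IPv4 space matched by one audited entry."""
    return result["addresses"] / 2 ** 32


if __name__ == "__main__":
    for line_results in audit_config(SAMPLE_CONFIG):
        for r in line_results:
            flag = "; ".join(r["problems"]) or "ok"
            print("%-16s -> %-18s %11d addrs (%.6f of IPv4)  %s" % (
                r["entry"], r["network"], r["addresses"], ipv4_share(r), flag))
```

Run against the sample, the /2 entry is reported as the effective network 192.0.0.0/2 with both problems flagged, while the /30 entry and the literal addresses pass.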

  20. Protecting my server, thank you very much by alansz · · Score: 5, Informative
    DNS-based blacklists are not your problem. There are no more than a dozen that are really widely used (some orbs spinoffs like http://www.ordb.org and http://www.orbz.org, the MAPS ones if you're willing to pay (or can get a hobby contract) at http://www.mail-abuse.org, and the collection at http://relays.osirusoft.com that includes open relays, spamhaus, and SPEWS). All of these systems have clearly-published listing policies and are actively maintained and if you're blocked by one of them, you'll likely get out sooner or later once you're clean. (In some cases, you can have them automatically retest you). Plenty of mail admins find that using the information on these sites to protect their mail servers from spam is highly effective.

    Your problem is twofold. First, while you've cleaned up your open relay, plenty of spammers and spam-friendly hosts make the same claim and lie (Rule #1: Spammers lie). So you may have to be patient.

    More importantly, your server ip may now be sitting in hundreds of private blacklists of mail servers whose admins don't like to use the centralized lists, and just reject/blackhole spammers on their own. It is the presence of well-trusted centralized blacklist services that gives you even the hope of ever having decent communication, because without them, you'd get into a thousand tiny blacklists and never get out.

    (P.S. Note that if you're checking your status using the rblcheck tool at http://relays.osirusoft.com, it will tell you about a lot of blacklists that are not intended to be publicly used and not part of the usual osirusoft dnsbl, as well...)

  21. Re:No. Deal with it. by Anonymous Coward · · Score: 4, Insightful

    Crack house? A bit harsh considering the guy simply had an open relay which he then fixed.

    You really think this is a valid analogy? Go spend a night in one, then go back to our cushy world of sysadmin stuff.

    Didn't think so.

    I'm betting he was asked to install a server - prolly a turnkey type - did so, and watched it chug along for a good long time before someone found out it was open and started using it.

    More like finding a crackhead in your garage, eh?

    Gee, ya think maybe he missed the giant neon sticker that came with the mailserver manual that said "your box is an open relay by default. fix that. tag - you're it!" Oh, right - that's because there is no such sticker.

    If they maintain the lists, they should *maintain* them, not just treat them like a brick wall and simply pile up the addresses and leave it at that. My experience with orbz is that they don't pay attention to the people in the middle - I've been there.

    Just takes a little bit of hard work, and this guy's apparently willing to do his part.

    Lighten up and tackle the appropriate problem.

    --Jake

  22. Black lists probably work by jumpingfred · · Score: 3, Interesting

    The real question is did you only close down the open relay because of the black list? If that is the case then the black list did the job.

    1. Re:Black lists probably work by DahGhostfacedFiddlah · · Score: 2

      But if you're not taken off the list afterwards, then there's no reason not to run an open relay - you're already screwed - and so is everyone else who may be saddled with your IP address at a later date. Part one is fixing the problem - part two is revoking the punishment.

  23. RBL can be useful... by dtdns · · Score: 3, Interesting

    I agree that some BL's are not properly managed. The old ORBS system was a perfect example of this. They would add you if you were an open relay, but getting OUT of the database was pretty much impossible if the guy that ran it didn't like you or your attitude toward his "service".

    One of my mail servers ended up on ORBZ as well as ORDB because I had made a mistake in the configuration, and I corrected it and was promptly removed after submitting a re-test request.

    I now employ the use of RBL on my own servers, but I will only use those services which will remove "fixed" servers using an automated testing system that works properly. ORDB, ORBZ and Osirusoft's RBL's tend to be the best AFAIK. I have found that by using these systems, the level of SPAM that my users and I receive has dropped to a point where it's not entirely annoying or time-consuming to deal with it anymore.

    One RBL that I stay away from using is the one operated by SpamCop (bl.spamcop.com). It's a great idea, but it ends up blocking out too much "real" e-mail as well, esp from the larger ISP's like Comcast, etc.

    1. Re:RBL can be useful... by Skapare · · Score: 2
      One of my mail servers ended up on ORBZ as well as ORDB because I had made a mistake in the configuration, and I corrected it and was promptly removed after submitting a re-test request.

      Did you learn from that experience to test your mail server after making configuration changes? I don't know if ORDB, ORBZ, and others track servers that get added back to the list repeatedly. But at some point (about 3 or 4), I'd want to start extending the time after being tested as clean (like maybe an additional week for every time above 3 that the server has been listed in the past 180 days). Surely you would no longer allow your mail server to go back to being an open relay. But some people it seems just don't really care, especially if they know where to go get delisted quickly.

      --
      now we need to go OSS in diesel cars
  24. Going to get far worse before it gets better. by Thagg · · Score: 5, Insightful

    rlsnyder asks Has SPAM really decreased universally thanks to these lists? Well, it is hard to say. Spam has increased monotonically since its inception, and it continues to grow. It is possible that blacklists have helped lower the rate of growth.

    What blacklists really do is get the attention of sysadmins, and get them to take the problem seriously. I, like rlsnyder, was victimized in the same way -- our mail server was an open relay, we forwarded some spam, and got blacklisted. It took me a week or so to get it straightened out, and in the process I learned quite a bit about the UCE problem. rlsnyder similarly has been enriched by the experience, whether he agrees to that at this point or not.

    One always has the option of sending mail from one of the many free mail systems. If your mail is blocked while your case is being reviewed, then send it from hotmail or someplace like that. That's what we did. It took about a week for the last of the spam reporting services to delist our site, and while it was inconvenient, it wasn't devastating. It won't be for rlsnyder, either, I trust.

    The big problem is that there is nothing to stop the spammers. People who relay mail through unsuspecting companies are already criminals, they will not be dissuaded by laws. The only thing that the anti-spam community can do is to try to put a finger in all 2^32 holes in the dike, and the only way to do that is to educate people. The blacklists are that education program.

    thad

    --
    I love Mondays. On a Monday, anything is possible.
    1. Re:Going to get far worse before it gets better. by Skapare · · Score: 2
      Unfortunately we're not free and can't be everywhere.

      That's not as big an "unfortunately" as you might think it is. The bigger "unfortunately" is that the Brightmail website does not give enough information up front to decide if this product/service is suitable enough to be worth contacting the company about.

      • It doesn't explain how the Brightmail server interacts with other mail servers and customer domains.
      • It doesn't explain how Brightmail works with variant email addresses.
      • It doesn't give any information whatsoever about pricing.
      • It doesn't explain how it deals with issues of customer privacy and confidentiality.
      • It doesn't explain what security audits have been done on the server software itself.
      It just leaves people in the dark (that's not very "bright"). So for now it's a direction I won't be going, even though I have no qualms about paying for good service. Maybe if you can get the marketing people to make a better website, more people might become interested. It's not like you have anything to hide, being protected by patent 6052709.
      --
      now we need to go OSS in diesel cars
  25. Re: Exclamation marks by stu72 · · Score: 3, Informative

    I ran a simple procmail filter for a while, and I was astounded how much spam I could nuke by filtering based on subject line punctuation. Some of my triggers:

    more than 2 exclamation marks
    more than 2 dollar signs
    All caps

    etc etc.

    Worked pretty well, for its simplicity.

  26. Getting blacklisted is just lots of fun... by mttlg · · Score: 2

    I recently discovered that any e-mail I sent with the return address listed here (and elsewhere on the web) will not get through to AOL. There's no notice of this of course, so I just never got responses from people on AOL. This had nothing to do with my mail server (I tested this with multiple mail servers and return addresses), it was completely based on the Reply-To header - changing the reply to address fixed the problem. Based on my experience, I see two main problems with blacklists:

    Without notice that your message was rejected, it seems like the message is getting through, but the recipient is unwilling or unable to respond. This is a real pain with eBay, especially with Paypal payments (the sellers apparently never noticed that money had magically appeared in their accounts unless they received an e-mail notice).

    Basing the filter on the Reply-To header is rather stupid, because it can easily be changed or forged. Spammers can simply spam under your address until it gets blacklisted, then move on to another, leaving you screwed. Sure it is simple to just change your return address, but how do you know that you have to if nobody tells you that you're blacklisted?

    1. Re:Getting blacklisted is just lots of fun... by Skapare · · Score: 2
      Basing the filter on the Reply-To header is rather stupid.

      Maybe. If it is negative filtering, blocking the reply addresses that spammers actually use, which would hopefully not be what you use, then it may work. And it has less collateral damage, unless someone spams with the intent to hurt you by using your email address, or this happens out of coincidence.

      Still, the best way to block spam, IMHO, is at the SMTP connection, before it is even delivered, despite some collateral damage. As long as eBay, Paypal, and other like places are not blocked (while I currently refuse to do any business with Paypal for several reasons, I do not block their email), you should be able to communicate with them using SMTP connection level anti-spam (e.g. DNS based blacklists, or local blacklists databases). Giving a 5XX rejection gives you notice (if your mail server does the right thing and sends it to you), so you do find out about the problem and know it's not someone ignoring you.

      In general I don't like basing the filtering on any aspect of the message content because that means the message had to be delivered to see that (including the RFC822 headers). Since it was delivered, then if it is rejected, my servers have to send the rejection notice back. And, since so many are bogus, my outbound queue is huge, and my postmaster box gets flooded for the failures to deliver the rejection. Stopping the spam before it is even delivered (based on connecting IP address as looked up via DNS blacklists or a local DB, or that IP's domain name using reverse then forward verification, or even the MAIL FROM string) gives a 5XX rejection over SMTP and commits the sending server to return the rejection instead of mine.

      --
      now we need to go OSS in diesel cars
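The connection-time check described in the comment above, as an added example that is not part of the thread or of any mail server's code: a DNS blacklist is queried by reversing the connecting IP's octets under the list's zone, and only an answer inside 127.0.0.0/8 counts as a listing. The zone names under dnsbl.example are placeholders, the resolver data is constructed so the block runs offline, and treating a failed lookup as "not listed" is a design assumption.

```python
import ipaddress
import socket

# Listing answers are returned inside 127.0.0.0/8; anything else (for example
# a wildcard or parked zone answering every name) must not be read as a listing.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []          # no such record: the IP is not listed
        raise                  # timeouts and server failures are not an answer


def check_client(client_ip, zones, resolver=system_resolver):
    """Return (smtp_reply, zone) for a connecting IP, before DATA is accepted."""
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        try:
            answers = resolver(name)
        except OSError:
            continue           # assumption: fail open if a list is unreachable
        hits = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if hits:
            reply = "550 5.7.1 %s is listed in %s (%s)" % (client_ip, zone, hits[0])
            return (reply, zone)
    return ("250 OK", None)


# --- Constructed offline data: placeholder zones, documentation IP ranges ---
ZONES = ["broken.dnsbl.example", "wildcard.dnsbl.example", "relays.dnsbl.example"]
FAKE_ZONE_DATA = {"25.2.0.192.relays.dnsbl.example": ["127.0.0.2"]}


def fake_resolver(name):
    """Stand-in for DNS: one dead list, one wildcard list, one working list."""
    if name.endswith(".broken.dnsbl.example"):
        raise socket.timeout("constructed lookup failure")
    if name.endswith(".wildcard.dnsbl.example"):
        return ["203.0.113.80"]
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(ip, "->", check_client(ip, ZONES, fake_resolver)[0])
```

Because the 5XX reply is given during the SMTP session, the sending server is the one that has to generate the bounce, which is the property the comment relies on.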
  27. Re:ObPeeve: SPAM(tm) vs uce spam by brunes69 · · Score: 2

    Big Deal. Did you know McDonald's owns a trademark on the phrase "Smile"? (Yeah that's right. It used to be on their cups when they were running some "Smile, you're at McDonald's" campaign or something.) Kimberly-Clark owns the trademark on Kleenex, do you think the cops come after me whenever I call my no-name tissue "Kleenex"? The point is, just because they own a trademark doesn't mean you can't use the word in whatever context you like, it means that you can't sell products under that same mark in the same field, or otherwise portray your products as belonging to that mark when they don't.

  28. Re:No. Deal with it. by harlows_monkeys · · Score: 3, Informative

    Try actually reading the question. The complaint is not about blacklists in general, but rather about poorly administered blacklists.

  29. Trust, but Verify by eaolson · · Score: 2, Interesting

    After lurking on news.admin.net-abuse.email for a while, I've seen a lot of mail admins post asking to have their servers un-blacklisted because they've "cleaned up their act" only to have it pointed out to them that they are still hosting spammers.

    Perhaps you could tell us where you have been blacklisted and what IPs are listed so we can see for ourselves the veracity of your statement?

    1. Re:Trust, but Verify by ColaMan · · Score: 2

      Perhaps you could tell us where you have been blacklisted and what IPs are listed so we can see for ourselves the veracity of your statement?

      Post some ip's? On slashdot? Are you mad?

      evil blacklist admin #1: The fool! Even after our comprehensive "re-education" program, he still complains!

      evil blacklist admin #2: I know! We'll use the awesome POWER OF SLASHDOT against him! I'll log in and issue a politely-typed request for his IP.. He'll rue the day he spoke out against ....
      *pause for dramatic effect*

      the BLACKLIST!

      *evil laughter*

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  30. Re:No. Deal with it. by xee · · Score: 2, Insightful

    Your logic is... fuzzy.

    First of all, your crack-house metaphor is absurd. Secondly, your "if you don't like it, move" mentality is so amazingly worthless, I'm surprised I'm even taking the time to point it out.

    If you don't like it, try to make it better.

    --
    Oh shit! I forgot to click "Post Anonymously"...
  31. Re:if you got listed then you were major by TheCarp · · Score: 2

    That depends entirely on what blacklist we are talking about.

    Our mail relay boxen were listed in orbs for a long time. We were never a major spam source, in fact, our relays were open (and stayed open because of political reasons, took us a while to get them shut down... now we have authenticated smtp and life is good)

    The fact is, we got on the orbs list not because we were a spam source, but because we could have been. We were open if (and only if) you forged your from address as being from our domain. Yea...it was dumb - but believe it or not, no one spammed through us!

    In fact (I said political process right?) we had permission to shut down relaying permanently if we got abused - we were waiting for it! It never happened. (eventually, we finally got it shut down without abuse but... it took time)

    So no... being listed on a blacklist doesn't mean you are a spam source, unless it is one of the better blacklists. Some blacklists will list you because you could be one. (One of the orbs tests that caught a machine of ours was an obscure uucp test that, yes meant we were open, but again.... no real spammers were actually using)

    all in all I liked orbs, I think that active testing and notification was good... it helped us fix some of the stuff we didn't know about... but in the end, it wasn't a very good blacklist to block mail by because it listed a lot of places that just weren't spam sources (like us).

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  32. Re:No. Deal with it. by Tackhead · · Score: 4, Insightful
    > What if it used to be a crack house, but the neighborhood cleaned up and was safe?

    A good point. That's why I'd buy SPEWS a beer.

    The system appears to be automated -- if the blocked host stops sending spam for a long enough period of time, SPEWS appears to unblock it.

    If, on the other hand, the spam continues to issue from the blocked host, SPEWS appears not to unblock it.

    From what I've read in news.admin.net-abuse.email, the length of time for which a provider remains in SPEWS appears to be proportional to the length of time the provider ignored abuse complaints.

    Contrast this with a privately-run blocklist (e.g. my "fsck it, block the /24".) I can't be bothered to check if the /24 has cleaned up. There are IP address ranges all the way back to the days of Cyberpromo that I haven't been bothered to unblock.

    The advantage of SPEWS and its ilk is that 1000 systems can be unblocked. The problem with the blocklist on my own system is that I can rarely be bothered to unblock it.

    (In crackhouse terms, SPEWS reads police blotters, and if it stops seeing crime in a certain area, allows pizza delivery. I'm the crusty old Italian guy who says "No, you can't deliver to 48th street, it's a war zone, at least, it was the last time I tried to deliver a pie there sometime in 1996!")

  33. some of thee guys are nuts by ellem · · Score: 4, Funny

    A little while ago a site I worked at was blacklisted.

    We fixed the problem that day and when we contacted the SPAM COP he wrote back to say, basically:

    All Lotus Notes Mail Servers are insecure so we're leaving you on the list. Get another mail server.

    I made a change in the Notes.INI file that made it look like I was using SendMail. And he fixed us.

    Ridiculous policy. Notes is pretty secure anyway! I wonder what this guy read...

    --
    This .sig is fake but accurate.
  34. some companies deserve it by not_anne · · Score: 4, Interesting

    My employer's corporate office email system is an open relay, so that outlying offices (like ours) can send email, and so the company can track what we're doing.

    Recently, spammers have discovered our open system and have been relaying at a furious rate (read: thousands of emails a day.) This caused *our* email to get reflected back to us most of the time, and it also got my employer's domain on several spammer blacklists. This is such a problem, that the corporate office recently switched ISPs over it.

    Now, with the new ISP, the IT guys have "cracked down on security" by banning relaying...for 1/2 the day. In the mornings we can send all the email we want (and so can the spammers), but after we all get back from lunch, no more email can be sent out. My employer is baffled why we can't get off of the blacklists, even after the move to the new ISP. I just laugh and goof off for the rest of the afternoon.

    I'm all for an appeals process of some sort in order to get off of spam blacklists, but some companies do deserve to stay there, as long as their habits and policies don't radically change.

    not_anne

    --
    My comments here are my own; I do not speak for my employer.
    1. Re:some companies deserve it by ColaMan · · Score: 3, Interesting

      Ok.......

      You *do* realise that mail servers can be configured to only accept relays from certain domains? eg from "outlying-branch-isp.com"?
      And your new ISP is "cracking down" by letting it go half the day only? Hmmm .. I take it you get charged by the MB by your new ISP?

      I know, it's fun to goof off, but you're doing the rest of the internet a disservice. For chrissakes, get somebody to post your system specs here on slashdot and somebody will post the steps required to walk you through setting it up .... even *I'll* have a go, if it stops the spam just a little bit.

      If someone at your outlying branch isp subnet(s) discovers your mail relay after that, well it should be a simple matter for you to get them booted.

      Oh, don't post any identifying details about your company, unless you want them to experience THE AWESOME POWER OF THE SLASHDOT EFFECT *evil grin*

      Heh , I like the sound of that ...
      "NOBODY EXPECTS THE SLASHDOT EFFECT!"
      Kind of python-esque.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  35. simple solution.. by Lumpy · · Score: 4, Interesting

    a self maintaining blacklist. if you get blacklisted and then fix it, you go to a webpage that you submit that you're fixed. then the system simply uses a separate computer that is NOT on the webpages domain and tries to relay email. if the relay happened then the blacklisted site is still blacklisted, otherwise it is automatically removed.

    Maybe 100 lines in perl to accomplish this. no real effort required.

    --
    Do not look at laser with remaining good eye.
    1. Re:simple solution.. by curunir · · Score: 2

      How long until the SPAM'ers found a way to configure a mail server that blocks your 100 line perl script but still allows open relaying?

      However, your 100 line perl script could be useful as a pre-emptive measure to warn admins who have carelessly left their servers open to relaying. So if it finds an open relay, it sends the admin mail saying:

      "The Automated Open Relay Detection Service has determined that your server does not sufficiently deny open mail relaying.

      The following test was performed:
      <test details here>.

      If you do not wish to be added to various blacklists services, you should probably fix it. If you need help fixing it, useful resources include:
      <useful urls>"

      Set that up as a distributed project, and it'd find all the open relays on the internet PDQ.

      --
      "Don't blame me, I voted for Kodos!"
    2. Re:simple solution.. by Lumpy · · Score: 2

      Ok I should have elaborated... Make the test happen in a random time and for a random amount of times over the next 72 hours. scummy spammer relay can't afford to be down for 72 hours. Or increase the time period... also increase the script to 150 lines and LOOK for a refusal to relay, seeing no response doesn't remove from the list. hell you can have the remote machines (say 3-4 of them at members homes or companies that volunteer some time running the script) keep the recently OK'd sites on a suspect list and continue to try to relay over the next 15-20 days. if it's still clean after 15 days, I'd bet it's clean.

      --
      Do not look at laser with remaining good eye.
    3. Re:simple solution.. by anthony_dipierro · · Score: 2

      So say I'm a scummy spammer ISP.

      I can't think of any reason why a scummy spammer ISP would want to be an open relay. Sure, they want to be a relay, but only for their own spam and those of their trusted partners.

    4. Re:simple solution.. by Phork · · Score: 3, Insightful

      you seem to be not understanding something. Open relays are not usually set up by spammers, they are usually set up unknowingly by companies for their corporate email and things like that. Then a spammer finds out that the server is an open relay, and starts to bounce their spam off it. So it is not at all an issue of spammers finding a way to avoid having their mail servers detected, a smart spammer would not run an open relay on their own server, because open relays get blocked, and can cost you money if someone starts to send a large amount of traffic through the server.
      The only time you would have someone trying to avoid their server being detected as an open relay is when they use the server for legitimate (non-spam) purposes, but are too lazy to make the server not an open relay.

      --
      -- free as in swatantryam - not soujanyam.
    5. Re:simple solution.. by Phork · · Score: 3, Insightful

      I believe this is how several of the blacklists currently work, at least for the removal. I don't know if they automatically go out and hunt for open relays.

      --
      -- free as in swatantryam - not soujanyam.
    6. Re:simple solution.. by curunir · · Score: 2

      No, I understand all too well how spammers operate. I realize that they currently look for vulnerable servers to exploit.

      However, if the blacklist process were to be made automated like the parent post suggests, then spammers would quickly realize that it is far easier to run their own server than search for open relays to exploit.

      This kind of solution is very Microsoft-esque. It seeks to solve the current problem without thinking about the problems that could be created by the solution.

      --
      "Don't blame me, I voted for Kodos!"
  36. Machines in the middle? by ryanwright · · Score: 2

    I'm trying to move data from one point to another, and some machines in the middle are discriminating against my data

    Just wait a minute there Jethro... "machines in the middle" are not discriminating against your data. It's not like your mail passes through this machine that says, "Hey, you're a bad bad person! Go away."

    In fact, the recipients are the servers refusing to deal with you. Sure, it's because they've subscribed to a list, but the list is not the one refusing you, it's the server that reads from it.

    That said, it's not very nice to remove you from such a list once you've demonstrated your server is fixed.

    --
    -Ryan, with the unoriginal sig
    1. Re:Machines in the middle? by ryanwright · · Score: 2

      That said, it's not very nice to remove you from such a list once you've demonstrated your server is fixed.

      Oops. That should have said, "It's not very nice to refuse to remove you" ...

      --
      -Ryan, with the unoriginal sig
  37. It's anti-democratic ! There are other (better) so by dbucher · · Score: 2, Insightful

    We too were listed on some of these lists. And this was at the beginning of what is now known as "mail relaying". Before then, all mail servers were open-relays, and suddenly your emails are blocked !

    Therefore I'm against these lists but I would suggest another solution :

    1. These lists should inform you that you have been added
    2. They should leave you 10-15 days to fix the problem before blocking you
    3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"

    The problem 3 is quite grave : What can you do if your mail server doesn't support anti-relay ?
    Or if you must buy another licence, or if it's opensource, but needs a new version of the OS, or things like that. OK, now all email servers support anti-relay. But this was not the case at this time.

    And FIRST OF ALL, I would really like to have an RFC on this subject : I don't accept ORBS having decided what's permitted and what's not ! Some relaying is permitted and some not.

    Example : Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay ;-)

    --
    The Price of Freedom is Eternal Vigilance.
  38. Re: Exclamation marks by Da+Schmiz · · Score: 2, Insightful
    Yeah, a friend of mine was using a similar system, and it worked quite well for him. That is, until the day his boss sent him a message with the subject line "URGENT!!! THIS IS VERY IMPORTANT!!!" or something like that. He never saw the message.

    So, the boss realizes that perhaps my friend didn't get the message, and so the boss forwards the message to him, with a note attached, so now it reads "FW: URGENT!!! THIS IS VERY IMPORTANT!!!"

    This happens two or three times before he finally figured out what was going on.

    Moral of the story: quarantine spam, but don't automagically send it to a black hole. Only the addressee can truly differentiate legitimate mail from spam.

    --

    "Anything is better than IE, and you can quote me on that." -- Wil Wheaton.

  39. Re:How to avoid SPEWS black-listings by Tackhead · · Score: 2
    > I check to see if the customer is a spammer and if they are running a open relay. If they are a spammer, I tell them to fuck off. If they have an open relay, I fix it. If they are none of the above, I send them thru a colo.

    Cool! (Frankly, I can't see how you'd get listed in the first place. I'm speaking primarily to the SPEWS issue, as that seems to be the "blacklist du jour", as opposed to the various open relay blocking services.)

    (Yeah, I was exaggerating by implying I block the IP on the first spam. I usually don't block a /24 unless it looks like a dedicated spamming operation being hosted by a known non-responsive ISP. For dialup-through-relay spam, procmail is your friend. For my own mail, I still auto-forward-to-abuse and the FTC everything from certain ISP dialup ranges in Michigan and the Dallas-Ft. Worth area. I watch those recipes pretty quickly, and take the victim/accomplice ISPs as soon as the cockroach-in-question migrates to his next ISP.)

  40. Re:Shout out for ... spamcop.net by edstromp · · Score: 2, Informative

    I personally like SpamCop.Net. It has a dynamic black list based on ip. If people report spam from a specific ip address, it will (after a certain threshold) get added to the black list. Once the spam stops being reported, the ip address becomes open again.

  41. Blacklist maintenance by Todd+Knarr · · Score: 2

    I can understand the problems caused by unmaintained blacklists, or ones that operate on the roach-motel principle. All you can do is communicate directly with the blacklist maintainers, or communicate with the sites blocking you (mail to postmaster shouldn't be blocked) and see if you can convince them the blacklist is unreasonable. If sites start getting lots of reports about a blacklist refusing to delist open relays after they've been fixed, site operators may stop using those blacklists.

    On the other hand, you admit to having had an open relay in your network. Back before 1995 or so this might have been excusable. If we're talking in the last 6 years, though, there's no excuse. The problems have been well-known, the solutions equally well-known and easily implemented. If you shoot yourself in the foot, even unintentionally, whose fault is the resulting pain?

  42. Re:It's anti-democratic ! There are other (better) by hpa · · Score: 4, Insightful

    The problem 3 is quite grave : What can you do if your mail server doesn't support anti-relay ?
    Or if you must buy another licence, or if it's opensource, but needs a new version of the OS, or things like that. OK, now all email servers support anti-relay. But this was not the case at this time.


    If so, they're right in blocking you. You're saying "oh, we're not willing to go through the trouble of cleaning up our server, to hell with anyone who gets spammed." It's exactly those sites that they're supposed to be blocking.


    2. They should leave you 10-15 days to fix the problem before blocking you


    That's insane. Once you end up on a spamrelay list, you'll be the conduit for tons of spam within hours or even minutes. 10-15 days is an eternity in that respect.

  43. Problem needs to be addressed on several fronts by Pinball+Wizard · · Score: 2
    Consider all the small and medium sized businesses out there. They may be lucky to have even one admin, yet still need to provide email to all their employees. That one (if even that) overworked admin may have many responsibilities, one of which is running a mail server. I know some of you would like to say, "hey if he can't run his mail server right, he shouldn't be doing it at all". That's a bad attitude to take, and putting someone on a blacklist without giving him the chance to correct the problem first is just plain wrong. Yet that's what these blacklists do. Only after you take care of the problem are you taken off the blacklist.


    IMO, the way it should work, to be fair, is to send a warning email to someone from the company. Then, if that email goes unnoticed, put the company in the blacklist. Even better, put something informative in that email letting people know how they can stop their server from being an open relay.


    I should know. I've been in this situation, where my email server was way down on my list of priorities. I was blacklisted without warning or explanation. I had to investigate the whole matter myself, fix the problem, find the people who blacklisted me and go through their procedures to get off the blacklist. While I see the need to have blacklists, they certainly could do a better job dealing with businesses who have no intention of spamming and who may have just overlooked or not even known about the problem.

    --

    No, Thursday's out. How about never - is never good for you?

  44. Amen. by FreeUser · · Score: 2

    No, they're not unreasonable.

    [...]

    You wanna get bandwidth with a company that provides services to spammers and relocates spammers to IP addresses to avoid blocking of single IP addresses, don't come whining to /. when the rest of the world wants nothing to do with your ISP.


    Thank you.

    The only way you get blacklisted is if you (or your ISP) is stupid enough to run a promiscuous mail server that allows anyone to use it as a maildrop/forwarder. Fix the problem (either getting a new ISP, closing up your server, or hiring competent people to run your service) and you will be de-blacklisted.

    If you cannot be bothered to do any of these things you (and your company) don't deserve to be on the internet, and certainly don't deserve to have any contact whatsoever with me.

    Since all of these lists are voluntary, if I have chosen to shun you on the basis of one that is my choice. You do not have a right to be able to contact me if I don't wish to allow it, so get over it, learn from your mistakes, and don't make them again. If you can't be bothered to learn, then, well, enjoy being a component particle of the Black Hole.

    --
    The Future of Human Evolution: Autonomy
  45. Yes Big Kudos to Spamassassin by sterno · · Score: 2

    I started running spamassassin a few weeks ago and it works wonderfully. I've got it set up on my box so that users can choose to use it or not by some simple procmail configuration.

    The way I use it is have all spam messages get dumped to a common directory. This way I can verify that I didn't lose something important. In the 169 messages it filtered out during my last cleaning, 3 (all from mailing lists I'm on) were filtered improperly, and none of them were that important.

    The beauty of this approach is that I can deal with wiping the spam out all at once and not have to be digging through my mail box wondering from subject lines if something is worth reading or if it's spam. I'll just do a "grep Subject: * | less" in the directory I use for storing the filtered messages and check for any mistakes. I add the mistakes into my procmail filter and voila, I get maybe half a dozen spams a week now.

    --
    This sig has been temporarily disconnected or is no longer in service
  46. Pot: Kettle, you're black! by Chagrin · · Score: 2

    Sysadmin A, who didn't take the time to check the security of his mail server, is complaining about sysadmin B who doesn't take the time to maintain his spam list?

    Please tell me what company you work for. I'd like to see how well-maintained and secure your systems, apparently employed by some type of financial company, really are.

    ...or feel free to move your mailserver to another IP or subnet if you can't get it unblocked. Testing it could be a pain in the butt, but isn't the spam that you let through a pain in the butt also?

    --

    I/O Error G-17: Aborting Installation

  47. Give your users the control: EXIM and RBL-Warning by Sosarian · · Score: 2, Informative

    Use EXIM as your mailserver and you can have the best of all worlds.

    1) Messages are checked for RBL
    2) A X-RBL-Warning header is added to the message
    3) Users can choose to filter these messages themselves
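
The tag-instead-of-reject flow in the three steps above, as an added Python example that is not part of the original comment and is not Exim configuration. The zone names, addresses, sample message, the `rbl-suspect` folder and the fake resolver are constructed; only the `X-RBL-Warning` header name comes from the comment.

```python
import ipaddress
import socket
from email import message_from_string

HEADER = "X-RBL-Warning"  # header name taken from the comment above


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed_in(ip, zones, resolve=socket.gethostbyname):
    """Return the zones that answer for this IP with a 127.x.x.x record."""
    hits = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            # NXDOMAIN or a failed lookup counts as "not listed" (fail open).
            # That is acceptable here because a hit only tags the message.
            continue
        if answer.startswith("127."):
            hits.append(zone)
    return hits


def tag_message(raw, connecting_ip, zones, resolve=socket.gethostbyname):
    """Steps 1 and 2: check the lists, add a warning header, deliver anyway."""
    msg = message_from_string(raw)
    del msg[HEADER]  # drop any copy supplied by the sender; only ours counts
    for zone in listed_in(connecting_ip, zones, resolve):
        msg[HEADER] = f"{connecting_ip} is listed by {zone}"
    return msg


def user_folder(msg, filter_on_warning):
    """Step 3: each user decides whether the header changes delivery."""
    if filter_on_warning and msg[HEADER] is not None:
        return "rbl-suspect"  # hypothetical folder name; quarantined, not deleted
    return "inbox"


# --- constructed sample data (documentation address ranges, .example zones) ---
ZONES = ["dnsbl.example", "relays.example"]
FAKE_DNS = {"10.2.0.192.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    """Stand-in for DNS so the example runs offline."""
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return FAKE_DNS[name]


RAW = (
    "From: sender@corp.example\n"
    "To: user@mail.example\n"
    "Subject: confirmation of transaction\n"
    "X-RBL-Warning: forged by sender\n"
    "\n"
    "constructed body\n"
)

if __name__ == "__main__":
    tagged = tag_message(RAW, "192.0.2.10", ZONES, fake_resolve)
    print(tagged.get_all(HEADER), user_folder(tagged, True))
```
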

  48. If you had an open relay by www.sorehands.com · · Score: 3, Interesting
    If you had an open relay that was used by spammers, go after a few of them in court. Go after the people who sell the SPAM software that uses the open relays.


    Bankrupt a few spammers, show others it is not cheap to spam. Maybe get some charged criminally.


    All spammers should be tortured, then executed.

  49. Blacklists not the answer... by curunir · · Score: 3, Interesting

    IMHO, Blacklists are just a small band-aid on the gaping wound that is SMTP. SPAM has proliferated to the point where it needs to be dealt with in a more sane manner than just punishing the offenders.

    I'm usually all for privacy, but I think we need to be using an email transport protocol that involves some form of authentication. I'm not sure if some such protocol exists already, but it doesn't seem like it would be too hard to create.

    Am I way off base here, or wouldn't this cut way down on SPAM?

    --
    "Don't blame me, I voted for Kodos!"
  50. Re:No. Deal with it. by dattaway · · Score: 2

    Try actually having to deal with spammers. They lie and threaten to sue often if I complain.

    If you do the crime, be prepared to do time on the blacklist. Ignorance of spam administration is no excuse.

  51. Simple solution by gUmbi · · Score: 2

    The rehabilitated system or network should be able to submit their address to a server to be crawled for open relays (much like submitting a URL to a search engine).

    The server would connect to each address in the resubmission list and test if the relay was open. If an open relay wasn't detected then the system is put into a probationary state or taken off the list entirely. It's an automated solution that doesn't require any work by spam list administrators.

    If necessary, the list of resubmissions could be distributed to volunteered machines (similar to seti) on many different networks. The volunteer machines then double-check the result. This reduces the chance of someone closing the relay exclusively for the spam list server.

    A three-strikes and you're out policy could also be put into place.

    Jason.
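
The delisting rules proposed in this comment and in Lumpy's earlier follow-up (random retests over 72 hours, only an explicit refusal counts, several volunteer vantage points, a 15-day suspect period, three strikes), as an added Python example that is not code from any blacklist. It evaluates recorded probe outcomes and sends no mail; the vantage names, the minimum of three vantages, the `BANNED` state and the sample probes are assumptions.

```python
import random
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    REFUSED = "refused"          # server explicitly rejected the relay attempt
    RELAYED = "relayed"          # server accepted mail for a third party
    NO_RESPONSE = "no_response"  # timeout or dropped connection: proves nothing


class Status(Enum):
    LISTED = "listed"
    PROBATION = "probation"      # the "suspect list" from the comments
    DELISTED = "delisted"
    BANNED = "banned"            # assumed meaning of "three strikes and you're out"


@dataclass(frozen=True)
class Probe:
    hour: float       # hours since the retest was requested
    vantage: str      # volunteer machine that ran the test
    outcome: Outcome


# 72 hours, 15 days and three strikes come from the comments;
# MIN_VANTAGES is an assumption.
RETEST_WINDOW_H = 72
PROBATION_END_H = 15 * 24
MIN_VANTAGES = 3
MAX_STRIKES = 3


def schedule_probes(vantages, rng, max_per_vantage=4):
    """A random number of tests at random times inside the retest window."""
    plan = []
    for vantage in vantages:
        for _ in range(rng.randint(1, max_per_vantage)):
            plan.append((round(rng.uniform(0, RETEST_WINDOW_H), 2), vantage))
    return sorted(plan)


def evaluate(probes, now_hour, prior_strikes=0):
    """Return (Status, strikes) for one retest request."""
    seen = [p for p in probes if p.hour <= now_hour]

    # Any successful relay, from any vantage, ends the retest with a strike.
    if any(p.outcome is Outcome.RELAYED for p in seen):
        strikes = prior_strikes + 1
        status = Status.BANNED if strikes >= MAX_STRIKES else Status.LISTED
        return (status, strikes)

    # Only explicit refusals count; a host that goes silent stays listed.
    refusals = [p for p in seen if p.outcome is Outcome.REFUSED]
    early = {p.vantage for p in refusals if p.hour <= RETEST_WINDOW_H}
    if len(early) < MIN_VANTAGES:
        return (Status.LISTED, prior_strikes)

    # Passed the 72-hour retest: remain suspect until day 15, and require
    # at least one refusal observed after the initial window.
    late = [p for p in refusals if p.hour > RETEST_WINDOW_H]
    if now_hour >= PROBATION_END_H and late:
        return (Status.DELISTED, prior_strikes)
    return (Status.PROBATION, prior_strikes)


# --- constructed sample probe histories ---
V = ("home-a", "office-b", "colo-c")
SILENT = [Probe(5, V[0], Outcome.NO_RESPONSE),
          Probe(30, V[1], Outcome.NO_RESPONSE),
          Probe(61, V[2], Outcome.NO_RESPONSE)]
CLOSED = [Probe(4, V[0], Outcome.REFUSED),
          Probe(29, V[1], Outcome.REFUSED),
          Probe(66, V[2], Outcome.REFUSED),
          Probe(300, V[1], Outcome.REFUSED)]
# Relay closed only toward the list's own tester, still open elsewhere.
SELECTIVE = [Probe(4, V[0], Outcome.REFUSED),
             Probe(29, V[1], Outcome.RELAYED)]

if __name__ == "__main__":
    print(schedule_probes(V, random.Random(1)))
    for name, history in (("silent", SILENT), ("closed", CLOSED), ("selective", SELECTIVE)):
        print(name, evaluate(history, PROBATION_END_H))
```
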

    1. Re:Simple solution by Enigma2175 · · Score: 2
      The rehabilitated system or network should be able to submit their address to a server to be crawled for open relays (much like submitting a URL to a search engine).

      I don't know about the other RBL lists, but ORBZ allows you to do this. The URL to submit your server for re-testing is http://www.orbz.org/sysadmin-darkside.php.

      --

      Enigma

  52. Re:How to avoid SPEWS black-listings by Tackhead · · Score: 2, Interesting
    > Uh-huh.... Sure you aren't. ;)

    (Someday, I envision a huge "I'm Spartacus!" cascade...)

    > My customer goes to the newsgroup to ask to be let out of SPEWS. Group members flame my customer to a crisp because he is supporting spammers when he pays his bill every month.

    As for nanae posters flaming your customer to a crisp, well, that's USENET ;-)

    Seriously, I do have a problem with that, even though I understand why it happens. The problem is that if you've read nanae long enough, you've seen every spammer lie in the book, and you're very skeptical.

    I don't know a solution for that one. It's disturbing - like the cop who busts everyone for minor traffic offenses, because he believes everyone's lying to him. He's heard "I left my wallet at home!" and "Gee, my speedometer must be off!" and "I just noticed the headlight burned out when I left work!" thousands of times over his career, and the thought no longer crosses his mind that once in a while, it'll be the truth.

    The nanae problem, in this sense, is that your customer (unlike the poor schmuck who did leave his wallet at home, but who probably realizes he's still toast :-) has no idea how burned-out most nanae denizens have become, and is (IMHO justly) surprised and pissed-off at the rough reception he gets when he tries to make good.

    As my initial /. post shows, I'm also part of that problem (too cynical for my own good), which is why I maintain my blocklist on my own box, and only lurk on nanae. But having seen the arguments in nanae so many times, and realizing many /.ers aren't regular nanae readers and haven't read them, I figured I'd throw my two bits in here.

  53. Re:ObPeeve: SPAM(tm) vs uce spam by geekoid · · Score: 2, Informative

    the poster was just asking for common courtesy towards Hormel.
    sheeesh, Hormel could have gotten all uppity about it, sent its lawyer out. We all know that cease and desist letters work. If you get a cease and desist letter, and don't, you end up in court. do you have enough money to fight this in court?

    Now if I could only get one of those flaming SPAM hats.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  54. Your IT guys are morons. by Anonymous Coward · · Score: 2, Insightful

    Seriously. They need to be canned. NOW.

    My employer's corporate office email system is an open relay, so that outlying offices (like ours) can send email, and so the company can track what we're doing.

    Your employer's corporate office needs to employ a VPN.

    My employer is baffled why we can't get off of the blacklists, even after the move to the new ISP.

    Tell him it's because the IT guys are incompetent. Point him to this message if he thinks it's just you. You NEVER need an open relay. Tell him that you need VPNs between sites - that with the email flying around unencrypted, that anyone can view all of your internal memos as they fly between sites.

    1. Re:Your IT guys are morons. by tweek · · Score: 2

      No shit. That was the first thing I thought when I read it.

      Use a couple of fucking openbsd boxes or linux boxes for vpn gateways and tell the IT wankers to take a fucking leap.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    2. Re:Your IT guys are morons. by SuiteSisterMary · · Score: 2

      Hell, configure your mailservers to only relay for the IP addies of your other mailservers, then use TLS encryption, if you don't care for a full blown VPN/WAN solution. But you don't need to be open to the world.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  55. I've been there... and it sucks by sparkz · · Score: 2, Insightful
    I've done the exact same thing as the poster of this article - and it took ages (weeks, IIRC) to get off the list, despite being "clean" for all that time.

    One item of spam had been sent through our server, I spotted the problem, fixed it, and got told that I'd been blacklisted. I then applied to be retested ("oh please Mr. Self-Appointed Cop, please say that I am good"), and was not removed from the list for a long long time. It should be automatic. Maybe test that server once a day for the next few weeks to make sure that it stays closed, if you feel such an urge. But everybody loses when the lists are not updated promptly - the admins of previously-open relays cannot send email, innocent recipients of email from the previously-open relay don't receive email they were expecting, and the maintainers of systems using the blacklists lose faith in the accuracy of the list, and stop using them (hopefully!).

    I really don't know why people bother using these lists - I've not seen anyone claim here that they've benefitted significantly from doing so, and many people are harmed.

    --
    Author, Shell Scripting : Expert Re
  56. Blacklists are bad - DNS fascism is WORSE! by bourne · · Score: 2

    As other people here have said, blacklists can be bad but most often only need some patience to get off of.

    What's far more annoying, in my opinion, is those sites who've configured their mail server to be utterly anal about DNS. Forward mapping, reverse mapping, no underscores, etc. etc. Since many otherwise decent mailservers are stuck with ISP "What's DNS?" level support, this can be a pain in the ass for completely innocent victims.

    1. Re:Blacklists are bad - DNS fascism is WORSE! by Skapare · · Score: 2

      Doesn't matter. I don't want mail from generic dialup/DSL/broadband connections, anyway. If you're running a BSD or Linux box on such a connection, then either forward outbound mail through their central (presumably correctly DNS'd) mail servers, get a static IP with correct PTR+A entries, get a better ISP, or write to your MP.

      --
      now we need to go OSS in diesel cars
    2. Re:Blacklists are bad - DNS fascism is WORSE! by Skapare · · Score: 2

      It can't be a decent mailserver if the administrative staff who configure the network can't get it right. I'd worry that if they are too incompetent to get DNS right, they're probably too incompetent to get the mail server right. If it's not an open relay today, it might become one tomorrow.

      Requiring reverse PTR names to provide a forward A record that matches the connecting IP is a bozo sysadmin filter. And it does a damn good job of filtering out huge numbers of direct marketers and eastern Asian pirated open relay MS Exchange servers.

      I do have a list of a few IP addresses that I accept mail from regardless of any DNS problem or blacklist. If you really need to send me mail, have a static IP and an incompetent ISP, get on Hotmail and send me your story (why you can't change to competent ISP, and what your static IP address is), then I can open it up for you.

      --
      now we need to go OSS in diesel cars
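
The PTR-then-A check described in the comment above (forward-confirmed reverse DNS), together with the short per-IP exception list it mentions, as an added Python example that is not the commenter's configuration. The resolver stand-ins, host names and addresses are constructed, and the verdict names are this example's own; it handles IPv4 only.

```python
import socket


def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Classify the connecting IP as pass, mismatch, no-forward or no-ptr."""
    try:
        name, aliases, _ = reverse(ip)           # PTR lookup
    except OSError:
        return ("no-ptr", None)

    resolved_any = False
    for host in [name, *aliases]:
        try:
            _, _, addrs = forward(host)          # A lookup on the PTR name
        except OSError:
            continue
        resolved_any = True
        if ip in addrs:
            return ("pass", host)
    # The PTR name exists but never leads back to the connecting address.
    return ("mismatch" if resolved_any else "no-forward", name)


def accept_connection(ip, allowlist=(), **resolvers):
    """Apply the filter, letting a short per-IP exception list override it."""
    if ip in allowlist:
        return (True, "allowlisted")
    verdict, _ = fcrdns(ip, **resolvers)
    return (verdict == "pass", verdict)


# --- constructed DNS data (documentation ranges, .example names) ---
PTR = {
    "192.0.2.25": "mail.corp.example",           # PTR and A agree
    "198.51.100.77": "host77.dsl.isp.example",   # A points somewhere else
    "203.0.113.40": "old-name.corp.example",     # PTR name has no A record
}                                                # 203.0.113.9 has no PTR at all
A = {
    "mail.corp.example": ["192.0.2.25"],
    "host77.dsl.isp.example": ["198.51.100.1"],
}


def fake_reverse(ip):
    """Offline stand-in with the return shape of socket.gethostbyaddr."""
    if ip not in PTR:
        raise socket.herror(1, "Unknown host (constructed)")
    return (PTR[ip], [], [ip])


def fake_forward(host):
    """Offline stand-in with the return shape of socket.gethostbyname_ex."""
    if host not in A:
        raise socket.gaierror("Name or service not known (constructed)")
    return (host, [], A[host])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.77", "203.0.113.40", "203.0.113.9"):
        print(ip, accept_connection(ip, reverse=fake_reverse, forward=fake_forward))
```

The three failing verdicts are kept separate because they point at different owners: a missing PTR or a mismatch is usually fixed by whoever holds the in-addr.arpa delegation, which is the dispute in the replies that follow.
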
    3. Re:Blacklists are bad - DNS fascism is WORSE! by bourne · · Score: 2

      It can't be a decent mailserver if the administrative staff who configure the network can't get it right.

      The point is, many decent sysadmins run decent mail servers and - wait for it - have no control over their DNS. DNS is often handled by incompetent ISPs (I don't want to name names but it starts with two U's...)

    4. Re:Blacklists are bad - DNS fascism is WORSE! by Skapare · · Score: 2

      They do have some control. They, or the company boss calls up and says "Get in-addr.arpa delegation working NOW or we have breach of contract!" and if they don't, you move on to another ISP because you're gonna lose if you stay with them. It is not my responsibility to let through 40% of the spam I'm now blocking because your business won't get a better ISP.

      As for UU..., they will do it if you ask. I've set up about 20 businesses on UU... and never had any problems with in-addr.arpa delegation, even though the delegation went over to servers not even in the UU... address space. A couple times I had to repeat what I wanted, and got the call handed over to someone who actually knew what I was talking about.

      Now there is one major ISP that seems to be very lame, brought to you by the letters Q and W.

      --
      now we need to go OSS in diesel cars
  57. Re:No. Deal with it. by JordoCrouse · · Score: 4, Insightful

    Don't like living in a crack house? Move.

    What about the people living next door to the crack house? Should they not be able to get a pizza as well? How about the good houses that get anonymously accused of being crack houses?

    The fact of the matter is, for every legitimate spammer on the list (even the well administrated ones), there is another placed there unfairly.

    In the three weeks preceding the much awaited dumping of ORBS, we started dropping mail from 4 different valid mailing lists and 1 valid business (it was a brick and mortar business - no web presence, just an e-mail server). One of the lists was LKML (and I have no idea why it was on the list), and the other three had the misfortune of being on the same web hosting service as a spammer.

    The brick and mortar was on the list because of an open relay (which was a good reason to be listed), however once it was closed, they were not allowed to be removed, though their level of e-mail is about 20 - 30 messages a day, and they have never sent a spam in their existence.

    The problem is that we are all living in close proximity here - legit businesses are only a few digits away from spammers (just like the real world). And the knee jerk reaction that most sysadmins take in dealing with the situation is similar in nature to burning half your mail daily because the postmark is similar to a known junk mailer. And burning is a reasonable analogy, because blocked emails don't get archived or analyzed, they get tossed, lock stock and barrel.

    It's so easy for a sysadmin to install a blacklist and never worry about it again (unless of course, *he* starts losing messages).

    The price for having a spam free existence is to constantly monitor and evaluate the system, not to light a match and walk away.

    --
    Do you have Linux and a DotPal? Click here now!
  58. Re:No. Deal with it. by Tackhead · · Score: 2
    > If they maintain the lists, they should *maintain* them, not just treat them like a brick wall and simply pile up the addresses and leave it at that.

    *nodding* - I'd never recommend anyone other than "me" use my blacklist. (And that's why I don't publish it :)

    I'm too lazy to take entries out on a day-by-day basis. I believe public blacklists (in general) are a Good Thing, on the grounds that they're easier (for the admin) to use than private blacklists, easier (for the admin) to maintain, and easier (for legitimate customers if and when the ISP cleans up its act) to get out of.

  59. Re:No. Deal with it. by ahde · · Score: 2

    you must use BSD

  60. Internet Darwinism by KFury · · Score: 2

    Rather than try to 'rehabilitate' those blacklists that are too rigid, count on those who subscribe to the block lists to pick those that are most responsible.

    Think about it: If I run a mail server and use the biggest, least lenient blacklist provider out there, my users will start to complain when they're not getting important emails from people.

    As in everything there's a middle ground between blocking too much and blocking not enough (or even none). The right answer is to make sure mailadmins listen to their users, so they can find the right black hole list, striking the balance between spam and legitimate access.

    Who knows, we may even get a responsible public organization out of this, recognized for specific rules and procedures for blacklist inclusion and removal. The sooner there's one list, the sooner we have less spam and less illegitimate blocking.

  61. Re:No. Deal with it. by Tackhead · · Score: 3, Insightful
    > First of all, your crack-house metaphor is absurd. Secondly, your "if you don't like it, move" mentality is so amazingly worthless, I'm surprised I'm even taking the time to point it out.
    >
    > If you don't like it, try to make it better.

    Moderators - give that guy back a point.

    I really should have written "If you don't like it, ask your landlord to evict the dealers. Then think about moving."

    Or "If you don't like being listed in SPEWS, and you're not a spammer, ask your ISP to boot the spammers. You, as a customer of the listed ISP, have a hell of a lot more pull with that ISP than the spam recipients do."

  62. sorry, it's your problem by markj02 · · Score: 2
    Sending out spam is no different from any of a number of other activities that give your business a bad name. If you publish an insensitive ad in a newspaper, you'll have to deal with that for years to come. If you send out spam, you'll end up in people's kill files. The fact that some of those kill files happen to be public for the convenience of users doesn't change that. Even if you could force all the public blacklists to remove your name, people would still have you in their private kill files.

    You'll just have to be more careful next time. As you discovered, the cost of relaying spam is higher than you may have thought originally. Eventually, those entries will go away. But even consumers have to wait many years before bad credit information goes away.

  63. The email system is under attack by SSpade · · Score: 2, Insightful

    Email as a communication medium is under attack.

    The deluge of spam itself causes some of the damage, causing people to be wary about giving out their email addresses, afraid to post publicly on mailing lists, or in some cases changing their email addresses and only giving them out to close family and friends. This retreat into 'email enclaves' destroys one of the best things about email - the ability to communicate with someone on the other side of the world, even if it's just a "Hi from China, I really liked your webpage!".

    The other widely used approach to avoid spam is the use of aggressive blocking lists to ghettoize huge sections of the internet, preventing them from communicating with those sections of the internet that use those lists. This, too is causing massive damage to email as a medium for communication.

    The third part of the problem is the fear some organizations have of being labelled spammers for behaviour that would have been considered quite reasonable a few years ago. This chilling of communication isn't as big a problem as the previous two, but it's getting worse.

    A combination of spammers and ill-conceived responses to spammers is balkanizing email, making it less and less viable as a means of person-to-person communication. And losing email would be a huge, huge loss, as more than anything else it sums up what is good about the growth of the Internet - letting people talk to other people.

  64. Fake open relays needed by magarity · · Score: 2, Interesting

    What we all need to do is fake open mail relays. Just report "Yeah Mr. Spammer, those 50,000 mails were sent" while not doing a thing. The spammer will think the mail has been sent, we won't get the mails; everyone will be happy!

    1. Re:Fake open relays needed by Lumpy · · Score: 2

      Tarpits like this would be awesome.. it will make the spammer doubt every open relay they find. and if they doubt it they'll start worrying.

      The key is to make them doubt that things are working, getting denials for relaying tells them that it isn't. So we need to modify sendmail to act like it accepted and is sending but is actually /dev/null ing it.

      if you make the internet a hall of mirrors to them, they will lose their mind

      --
      Do not look at laser with remaining good eye.
    2. Re:Fake open relays needed by SomeoneYouDontKnow · · Score: 3, Insightful

      What you're proposing has already been thought of. It's called a Teergrube. What it does is hold the spammer's SMTP connection open for as long as possible, appearing to slowly accept mail, but in reality doing nothing but wasting the spammer's time. You can do a Usenet search on that term to get more information. Here's an FAQ that may help you out. The post I pulled the link from is several years old, so you may want to look for something more up to date.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
    3. Re:Fake open relays needed by vadim_t · · Score: 2, Insightful

      Nice idea, but flawed. How about this:
      The spammer connects to open.relay.net, and sends the first message to his/her own hotmail account made for checking purposes. If the email arrives the server is good, and the spammer sends the 50,000 messages. If it doesn't, the spammer tries another server.

      How would you avoid that?

  65. It's democracy and freedom in action. by fmaxwell · · Score: 4, Insightful

    > I don't accept ORBS having decided what's permitted and what's not!

    ORBS does not decide what is "permitted" nor do any of these other databases. They have a set of criteria for deciding whether and when your mail server ends up in their database. If their criteria matches mine, then I can choose to use them as part of my mail filtering.

    > 1. These lists should inform you that you have been added
    > 2. They should leave you 10-15 days to fix the problem before blocking you
    > 3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"


    I'm sick of the attitude that ORBS owes you something when your mail server is an open relay. If your system is an open relay, your fuck-up will cost them time and effort as they add your system to the database. Now you think that they owe it to you to provide you an absurd amount of warning (10-15 days), notification that you were added, and then you want them to provide free consulting services (see item 3). If you don't know how to run a mail server, then stop trying to.

    It's like being ticketed for driving your car down the wrong side of the road at 90 miles per hour and then being pissed off that the cop did not provide you with free driving lessons and give you 10-15 days to stop driving like that.

    If your system is an open relay, unplug the Ethernet cable immediately and leave it unplugged until the system is fixed. If you don't know how to fix it, then pay professionals to provide your SMTP & POP services. A spammer could spew tens of thousands of messages per hour through an open relay and you owe it to everyone else on the net to do whatever it takes, including pulling the plug, to make sure that your system is not an open relay.

    I think that ORBS should charge a processing fee for "expedited removal" from their database and, otherwise, just remove systems once a week.

    1. Re:It's democracy and freedom in action. by wizkid · · Score: 2, Insightful


      There are many different blocking services out there. Orbs is one. They have an automated system to block and unblock your site. If you fix the open relay, you can fill out the form and get retested fairly easily. If you contact them, and hit them up with a bad attitude, they will respond with the same attitude.

      They are one of the better filter services. I've run mail servers in the past, and dealing with them is a pain nowadays. Especially because of the spam problem. Using rbl and orbs blocking is getting to be a requirement because of the morons out there who have open relays and won't bother to fix them.
      Giving someone 10-15 days to fix a problem is a bad idea. Having a painless way to have your server quickly is the right way to do it. If you leave an open relay there for 10-15 days waiting for some over-worked administrator to fix it won't work. Postmaster mail on an open relay will generally get buried almost immediately, and the administrators won't see it until the 10-15 days have expired, if at all. If the server is bouncing mail left and right, the administrator will be motivated to fix it quickly.

      Yea, it's the Nazi approach, but that seems to be the only way that works these days. There's days where life sucks!

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    2. Re:It's democracy and freedom in action. by fmaxwell · · Score: 3, Insightful

      > This is BS, by the same logic used above, you owe me for adding your email-address to my hypothetical spamlist... Would you pay me to remove?

      That is such an illogical and poor analogy that I hardly know where to start...

      Unlike spammers, open relay database services do not send the people in their database anything. They don't harass them. They don't use up their bandwidth and storage. They don't have a business relationship with those listed in the database. They are simply reporting the information: "IP X.X.X.X was an open relay last time we tested." If the New York Times runs a story stating that you were arrested and jailed, do you think that they are legally and morally obligated to immediately report when you are released from jail?

      These database projects do not owe you anything unless you are paying them for a service. If they do remove your system after you fix it, you owe them a letter of apology (for causing the problem) and thanks (for taking the time to remove you), not a complaint that they didn't do it fast enough to suit you.

      I think that ORDB should make you pay them for the time that they spend removing your database entry.

      (note that the use of the word "you" was in the hypothetical sense in the above examples)

    3. Re:It's democracy and freedom in action. by aulendil · · Score: 2, Interesting

      > That is such an illogical and poor analogy that I hardly know where to start...

      Well, obviously you did... As for an answer:

      Not removing now closed relays from the list is like not releasing prisoners from jail. Something which might or might not be a good idea...

      Also, I think the usefulness of DBs like ORBD lies in them staying current, as I think it might cost more losing one important mail than wading through tons of spam.

      I really too should point out that I, for myself, favour strict filtering of mail(servers), the reason being I'd rather miss out something not so important that most of my mails are, than d/l spam. Though I think this might not be true for others. You (fmaxwell) seem to reason along the same lines as I do, but are you sure others do?

      Of course, they do! otherwise it wouldn't exist services as ORBD! ;-)

    4. Re:It's democracy and freedom in action. by 10.0.0.1 · · Score: 2, Funny

      I think that guy should go ahead and add your email address to his spam list. After all, it is postmaster@127.0.0.1, isn't it? :)

      --
      forth ?love if honk then
    5. Re:It's democracy and freedom in action. by fmaxwell · · Score: 4, Interesting

      > Not removing now closed relays from the list is like not releasing prisoners from jail. Something which might or might not be a good idea...

      That's assuming that you consider the list to be a punishment. I believe that they are information sources -- IP X was, and may still be, an open relay.

      > Also, I think the usefulness of DBs like ORBD lies in them staying current, as I think it might cost more losing one important mail than wading through tons of spam.

      I agree. But keeping the open-relay databases current is not a responsibility the database providers have to those listed in the databases. It may affect the popularity and usefulness of their service, but that's another matter altogether.

      If some person/group decides to create such a database, they have only the following two responsibilities:

      1. Do not defame/slander by listing a system incorrectly. That said, they make up the rules and if they say their databases are "IP addresses that were open relays within the last six months", they have up to six months after a relay is closed to remove the record from the database.

      2. Provide services paid for. If they accept payments to remove entries within, say, 24 hours (rather than the normal cycle), they have to remove those entries within 24 hours. Otherwise, they can remove them in conformance with the criteria that they set (see item 1).

      Again, you are viewing this as punishment and I'm viewing it as information. Since ORDB does not block e-mail, harass ISPs listed in the database, etc., they aren't punishing. They are just providing information. Now if bobco.com rejects your e-mail because your IP is listed in the ORDB, then maybe bobco.com is punishing you, but ORDB is not.

    6. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > Except that driving down the wrong side of the road is against the law! Until someone makes it so, spam is NOT. Neither is Open relay!

      And being entered into the ORDB is not a law enforcement action, doesn't result in you getting a criminal record, and isn't a punishment imposed by the courts.

      > You yourself are acting as if mistakes do not happen, or errors do not happen.

      When mistakes happen, there are consequences. That's why there is the legal term of "negligence." If your mistake of leaving an open relay causes 250,000 people to be spammed, then I'm not going to have a lot of sympathy for your inconvenience of being blacklisted.

      > Personally I think blacklists should be blacklisted.

      By whom and for what purpose?

      > I'm not for spam by any means, but I've SEEN what blacklisting can do to a web provider before they even know what's hit them.

      Have you seen what can happen to a small company when some spammer uses a fictitious "From:" address in their domain? They are often paralyzed by bounced messages and angry complaints. So don't tell me about the poor (negligent) web provider that left an open relay.

      Web providers are supposed to be professionals. They aren't supposed to make amateur mistakes of leaving open relays on mail servers. It's something that's easily tested and that can cost others thousands of dollars if configured wrong.

      > On top of that, there are so many lists out there, you may think you are off them all, only forgot one!

      There's your business opportunity. Create a service that assures that people are removed from all of the major blacklists -- once they fix their open relay problems.

      > Either make there be a SINGLE standard, or go away, that's what I say!

      Okay. I hereby declare that the single standard open relay database shall be ORDB and that all others must immediately cease operation.

      Let me know if that takes care of it.

    7. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > HOWEVER, if your goal is to CORRECT the offending mail server, then the 3 points that dboucher asks for are entirely reasonable and good.

      The goal is to protect the rest of the Internet community from the offending mail server. And that's best done by raising the flag early so that those who want to filter open relays can do so effectively. Do you have any idea how much spam can be funnelled through an open relay on a broadband connection in 10-15 days?

      > ESPECIALLY if he is not actually relaying spam

      How, pray tell, can ORDB tell if server X is relaying spam to servers A, B, and C? All that they know is that someone reported an open relay and that their test confirmed it.

      The people running these databases would have to take on an enormous workload increase to handle warnings, grace periods, and assisting those with open relays. Ever tried to figure out who is responsible for an open relay in Korea? Have you ever tried to communicate with them? I have. It's often impossible.

      > I loved how you threw in the greedy capitalist ideals at the bottom there, trying to make a quick buck of the poor saps once they corrected themselves

      Hardly. The efforts of ORDB, Dorkslayers, and others are typically volunteer efforts that cost those who undertake them time and money. Getting some compensation from those responsible for the hassles might help to pay for the bandwidth and computing equipment. The people running these databases are not about to be made rich by their efforts. By the way, I am a liberal and am very much against the "capitalism over all else" mindset to which you allude.

    8. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > If you didn't start letting the e-mail through again within 48 hours, I would be taking you to court.

      I run a mail server and I can block anyone that I choose (right now, almost all of China and Brazil is blocked). If you want to test your theory about a court case, I'd be happy to block your server, too.

      A mail server is private property and the owner has no legal obligation to accept mail from any other mail server. If I choose to, I can block AOL because I don't like their users, MSN because I don't like their owner, and christiancoalition.org because I don't like their politics. And they can't do anything about it.

      > Now, the whole point to all of this is that there needs to be a spirit of cooperation here.

      I'll give you a list of IPs in Asia that are open relays. Your mission, should you accept it, is to locate the owners of the mail servers, explain to them that they have open relays, and get them to fix them. Good luck.

      The ORDB model is easy now. Someone enters an IP address, ORDB sends an automated relay test message, if the message comes back, the IP address is blocked. When the owner fixes it (if he does), he enters the address, the test is rerun, and the system is removed. Turning it into something where people would have to track down and contact the owner of each and every open relay would make it impossible to run such a database.

    9. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > Went to ORBS, filled out the "I've fixed my server" form, and a week or so later it was off the list.
      >
      > You're trying to tell me I should've had to pay for that? You're as bad as the guy claiming they owed him!


      What I said in my response to him was I think that ORBS should charge a processing fee for "expedited removal" from their database and, otherwise, just remove systems once a week. You were satisfied with waiting a few days. That guy wanted his system removed within milliseconds of fixing it. For that, he can pay.

      Are you aware that ORDB runs totally off of donations? It hardly seems unreasonable to collect a fee from impatient mail system administrators who demand instant removal from the database.

    10. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > With mail servers, however, there isn't, at least yet, any widespread tool that will tell you if you have an open relay?

      When you are talking about one that is listed in ORDB, which only lists open relays. The ones that list spamvertised web sites are a different matter and not the one we were discussing.

      If you don't like the criteria that the blacklist service uses, then don't use that service. If someone else chooses to use it and your mail gets blocked, tough! They have every right to block systems that host spamvertised web sites.

      But this is all hypothetical. I have never seen a blacklist that adds web providers hosting spamvertised web sites without giving the providers fair warning and time to shut down the site. If your site ends up on there, it's damned likely that you refused to take down the spamvertised web site in a timely manner.

    11. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > My question to you is, what would YOU do if Earthlink started blocking you because of a claim that you were running an open relay?

      It depends on whether the claim was true. If it was not true, I would ask the organization making the claim to retract it and I would provide proof of that retraction to Earthlink.

      If the allegation was true, I would shut down the open relay, inform the blacklist, beg them to remove me as soon as their time permitted, and then beg Earthlink to start accepting mail from my server again. Should either of them cooperate, I would send humble "thank you" messages and apologies for the trouble my open relay had caused.

      I view the ability to send mail to any other server as a privilege granted by that sys admin, not a right. And I believe that a private database operator (e.g., ORDB) has a right to run their database in whatever way they choose -- so long as the data is not slanderous.

    12. Re:It's democracy and freedom in action. by fmaxwell · · Score: 2

      > I don't know if you could call it defamation to keep reporting the relay as open, but that'd be an interesting threat to get the blocking services moving...

      It is defamation if they say "system x is an open relay" when it is not. If they say "system x was an open relay when we last tested it in 1997", that's not defamation (assuming that it is true).

      The argument people on here are making is that a blacklist has a legal obligation to remove entries promptly. That is simply untrue -- unless the database has obligated themselves to remove the entries promptly by publicly promising to do so. The database owners could choose to list all systems that were ever open relays, whether they have been fixed or not -- and they would never have to remove a system from the list.

  66. It's real simple by tuxlove · · Score: 3, Insightful

    If someone runs an open relay, they deserve to be blacklisted. Those sites who enjoy receiving spam can choose not to use blacklist information. Those who do not like spam can use blacklists.

    However, those who repent and fix their open relays should be immediately removed from any open relay blacklist they might be listed with. It's totally irresponsible to run a blacklist without provisions for keeping them up to date in near-realtime.

    An example of a great service was ORBS (the Open Relay Blackhole Service), may it rest in peace. It was largely automated, and would add and remove sites simply based on observations made by their relay-checking robot. There were some manual entries (for sites who refused to be probed), and that was cause for a bit of controversy. But by and large it was quite excellent. I can see absolutely no reason whatsoever for anyone to complain about the creation and use of such blacklists, unless they are a spammer. I have never heard a valid reason why an open relay should be considered okay (I do *not* agree with John Gilmore, just about the only slightly credible dissenter I've heard on this topic. He's just too lazy to use one of many available alternatives to what he's trying to accomplish. See this to see what I'm talking about.)

    Too bad most of the great blacklist services seem to be going away or becoming (highly overpriced) commercial endeavors.

    1. Re:It's real simple by Lazy+Jones · · Score: 2
      > If someone runs an open relay, they deserve to be blacklisted.

      That's just stupid. What's wrong with an open relay, if no-one has ever sent spam e-mail through it (because, perhaps, it may have its own black list of domains that may not send mail through it)? If even a single user who has not sent spam is affected by blacklisting, then this blacklisting is wrong, it's like denying someone his First Amendment rights because someone else might say something illegal ...

      --
      "I love my job, but I hate talking to people like you" (Freddie Mercury)
  67. Mmm... by Greyfox · · Score: 2

    I wonder if spammers who exploit open relays can be labelled terrorists under the new anti-hacking laws...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  68. This "ask-slashdot" looks familiar by Sarin · · Score: 2

    I think I've seen this message on more sites that use the slash engine, today ;)

  69. Re:No. Deal with it. by McSpew · · Score: 3, Informative

    So, I guess you've never wound up the victim of a poorly-administered blacklist, have you?

    My experience with open relays is virtually identical to that of the person who inspired this thread. My server was used as an open relay for part of a weekend.

    Near as I can tell, the first spam fired its way out of my server on Friday night around midnight. I closed off the relay on Sunday morning around 10:00 am. In that time, literally thousands of spams were sent, so I fully expected to be blacklisted and even warned my bosses and co-workers.

    What I didn't expect, however, was to still be trying to get myself off those blacklists SIX MONTHS LATER.

    I think blacklists can be a valuable tool for fighting spam, but only if they're sensible. Blacklists that permanently block without ever rechecking blocked IPs are irresponsible. They're adding to the difficulty of using the Internet, not improving it. They're also reducing their value to their subscribers because they're blocking IPs they shouldn't.

    In short, I agree with the post that called for an RFC. If there were some sort of standard for relay blacklists, it would be a damn sight easier getting off the lists once you've resolved the problem.

  70. dialup is the devil. mmk. by iomud · · Score: 2

    I'm a dialup user, and I run exim from my debian machine to send mail. Of course I'm rbl'd from sf lists which makes a ton of sense. Feh. I can understand wanting to lock things down but there's no point in being a nazi about it. This isn't really related directly to spam but it's under the same umbrella.

  71. so I have this "friend" by brarrr · · Score: 2, Interesting

    My friend is a smart guy, but he is running an open relay, mostly unprotected server(s) on a T1 that is just waiting to get nailed. He doesn't understand what kind of pain he could end up in and how much more difficult his life could become without precautions.

    What do I do? Let him learn the hard way or is there some easy way to teach him a lesson without making him hate me for ruining his server. (and no, I'm not posting the URL here)

    He likes the open relay part so that he has his own smtp server he can use from anywhere anytime - even though he has a secure server on DSL at home.

    --
    to email me: take my /. handle and append .net preceded by charter.
    1. Re:so I have this "friend" by Phil+Hands · · Score: 2, Informative

      Suggest that he uses one of the several authentication tricks, such as POP before SMTP (where the server will only accept relay mail from IP addresses that have had a successful POP authentication in the last 5 minutes) to limit the relay.

      If he still ignores you, submit his IP to ordb.com --- at least that way I won't have to see the spam that eventually starts pouring through his server.

      --

      Debian: GNU/Linux done the Linux way
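The POP-before-SMTP rule described in the comment above, sketched as an added example that is not part of the thread and not any mail server's own code. The class and function names, the local domain and the sample addresses are assumptions made for the illustration; only the five-minute window comes from the comment.

```python
import ipaddress
import time

WINDOW_SECONDS = 5 * 60            # "the last 5 minutes" from the comment above
LOCAL_DOMAINS = {"example.org"}    # assumption: domains this server delivers for


class PopBeforeSmtp:
    """Decides, per RCPT TO, whether the server will relay for a client IP."""

    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock             # injectable so the window can be tested
        self.last_pop_ok = {}          # client IP -> time of last good POP login

    def record_pop_login(self, client_ip, success):
        """Called by the POP server after every login attempt."""
        if success:                    # failed logins never open the relay
            self.last_pop_ok[ipaddress.ip_address(client_ip)] = self.clock()

    def may_relay(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        stamp = self.last_pop_ok.get(ip)
        if stamp is None:
            return False
        if self.clock() - stamp > self.window:
            del self.last_pop_ok[ip]   # expired: forget the address
            return False
        return True

    def rcpt_decision(self, client_ip, recipient):
        """Return the SMTP reply for one RCPT TO from client_ip."""
        local_part, at, domain = recipient.rpartition("@")
        if not at or not local_part or not domain:
            return "501 malformed recipient"
        if domain.lower().rstrip(".") in LOCAL_DOMAINS:
            return "250 accepted for local delivery"   # inbound mail: always fine
        if self.may_relay(client_ip):
            return "250 accepted for relay"            # outbound, recently authenticated
        return "550 relaying denied"                   # outbound, unknown client


def demo():
    """Walk one owner and one stranger through the window (constructed addresses)."""
    now = [0.0]
    gate = PopBeforeSmtp(clock=lambda: now[0])
    owner, stranger = "203.0.113.9", "198.51.100.77"
    out = []
    out.append(gate.rcpt_decision(stranger, "someone@example.org"))
    out.append(gate.rcpt_decision(owner, "friend@elsewhere.test"))
    gate.record_pop_login(owner, success=True)
    out.append(gate.rcpt_decision(owner, "friend@elsewhere.test"))
    out.append(gate.rcpt_decision(stranger, "friend@elsewhere.test"))
    now[0] += WINDOW_SECONDS + 1       # let the window lapse
    out.append(gate.rcpt_decision(owner, "friend@elsewhere.test"))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the authorisation is tied to an IP address rather than to a user, every client that shares that address (for example behind one NAT gateway) can relay until the window lapses.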
  72. Re:No. Deal with it. by Brendan+Byrd · · Score: 2

    I agree. If you're stupid enough to not know how to lock your mail server, you don't deserve to be a system administrator for a mail server. Not making your server an open relay should be the --FIRST-- thing on your list of things to do when you set one up. Most configurations do that by default anyway.

    Most of the open relays out there are because mail administrators don't know jack about their job. As such, people get spammed at our expense. Open relays are no trivial matter.

    Now, I don't quite agree with the Spamhaus policies. Just because a business was unlucky enough to use a web host that supports spam software sites doesn't mean they should be punished. Punish the spam software sites, and try to punish the web host without killing their own customers who are innocent of the crime.

  73. Re:ObPeeve: SPAM(tm) vs uce spam by Carlos+Laviola · · Score: 2


    Cease and Desist Order
    To: An Unknown Number of Anti-Spam Activists, regular Internet users, Tech Magazines Writers, and... stuff
    (...)


    I don't think so...

  74. Unreasonable for innocent systems! by khodsden · · Score: 2, Insightful

    My system was recently blacklisted on half a dozen lists because another system within my IP block was spamming. The blacklist used xxx.xxx.xxx.* instead of the specific IP address - a range that included my system. The end result for me was that I was unable to communicate with a large number of my customers, and had to move my server to a new IP range.

    Requests to remove my old IP address were, of course, ignored. My system didn't spam, had never spammed, wasn't an open relay, and was still blacklisted.

    Personally, I think the spam blacklistings are a good idea in theory. As implemented, I find them annoying and worthless.
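How listing granularity and entry lifetime change who gets blocked, as an added example that is not part of the thread and not any blacklist's own code. It covers the xxx.xxx.xxx.* listing described in the comment above and also goes slightly further, modelling the "never removed" versus "expires or is retested" policies argued over elsewhere in the thread; the class, the 180-day figure, the dates and the addresses (documentation ranges) are assumptions constructed for the illustration.

```python
import ipaddress
from datetime import date


class Blacklist:
    """Blocked networks, each with the date the problem was last confirmed."""

    def __init__(self, max_age_days=None):
        # None means entries never expire: once listed, always listed.
        self.max_age_days = max_age_days
        self.entries = []              # (network, last_confirmed, reason)

    def add(self, cidr, last_confirmed, reason):
        self.entries.append((ipaddress.ip_network(cidr), last_confirmed, reason))

    def entry_is_live(self, last_confirmed, today):
        if self.max_age_days is None:
            return True
        return (today - last_confirmed).days <= self.max_age_days

    def is_listed(self, ip, today):
        addr = ipaddress.ip_address(ip)
        return any(addr in net and self.entry_is_live(seen, today)
                   for net, seen, _ in self.entries)

    def retest(self, cidr, still_bad, today):
        """Apply a retest result: refresh the entry if still bad, else drop it."""
        target = ipaddress.ip_network(cidr)
        kept = []
        for net, seen, reason in self.entries:
            if net != target:
                kept.append((net, seen, reason))
            elif still_bad:
                kept.append((net, today, reason))
        self.entries = kept


# Constructed sample hosts: one offender, one innocent neighbour in the same
# /24, and one unrelated sender.
SENDERS = {
    "spammer": "192.0.2.45",
    "neighbour": "192.0.2.200",
    "elsewhere": "198.51.100.7",
}
LISTED_ON = date(2001, 1, 10)


def blocked(blacklist, today, senders=SENDERS):
    """Names of the senders whose mail this blacklist would reject today."""
    return sorted(n for n, ip in senders.items() if blacklist.is_listed(ip, today))


def compare_scope():
    """Same offender, listed as a whole /24 versus as a single host."""
    by_range = Blacklist()
    by_range.add("192.0.2.0/24", LISTED_ON, "spam source in block")
    by_host = Blacklist()
    by_host.add("192.0.2.45/32", LISTED_ON, "spam source")
    today = date(2001, 3, 1)
    return blocked(by_range, today), blocked(by_host, today)


def compare_expiry():
    """Is the host still listed 50 days and 325 days after the last test?"""
    results = {}
    for label, max_age in (("never expires", None), ("180 days", 180)):
        bl = Blacklist(max_age_days=max_age)
        bl.add("192.0.2.45/32", LISTED_ON, "open relay")
        results[label] = (bl.is_listed("192.0.2.45", date(2001, 3, 1)),
                          bl.is_listed("192.0.2.45", date(2001, 12, 1)))
    return results


if __name__ == "__main__":
    print(compare_scope())
    print(compare_expiry())
```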

  75. Good point. by fmaxwell · · Score: 2

    > Not quite. You're required to take a test and become registered with a central database to become a legal driver. Any idiot with a 486 and a net card can set up a mail system after reading a few how-to's and I've seen plenty of highly underqualified people get sucked into maintaining the corporate email servers.

    Then that company can pay the price for not hiring a qualified person to do the job. When their mail starts bouncing, maybe they will get a clue and hire a qualified person.

    I'd hate to see more tests, government approvals, etc. associated with the Internet. I think that these databases are doing a good job of whacking clueless people's wee-wees.

  76. Re:As a newbie, I still think you deserve it by tweek · · Score: 3, Insightful

    Good call. I haven't read the rest of the posts just yet but I found someone who agrees with me.

    At this point in my career, I am tired of dealing with half-assed admins who can't tie a shoe.

    You were hired based on a particular competence level. You said you knew how to administer a mailserver. If you say you can administer a mailserver, you should know about open relays. If this was your first job administering a mailserver, you shouldn't have gotten the fucking job.

    As an admin, YOU and you alone are responsible for what comes out of your network.

    Back when codered was flooding the internet (and still is,along with nimda, based on my fucking log files), I had to call this company that was sending out codered scans from no less than 5 different IP addresses. At ONE company! I searched through internic records (I'll be damned if I was going to load the company's website) and finally got in touch with someone who claimed to be the network admin. I explained the situation to him and he proceeded to tell me that he wasn't aware that these servers were even running! How in the fuck can you not know what goes on with your network?

    You see, I'm paranoid. I want to know everything that goes on with my network at any given time. I do my damndest to make sure everything is secure as possible (short of pulling the damn cat 5 out of the switch). I've got the switches locked to MAC address so no one can just plug in a machine. I've got an external mail relay that only forwards mail to our firewall that is then passed to our Exchange server (the one halfway decent product MS makes). Not only is the external mail scanner running some stuff to check for basic attachment viruses, but our exchange server is running Norton for Exchange. The client machines have NAV as well which uses a central server to update definition files daily. The outlook clients are running the Attachment and Zone patch from Microsoft. And to top it off, you can't relay through our server without authentication which most email clients support nowadays.

    Some people call that paranoid but while our clients got slammed by the latest outlook bugs, we happily zoomed along without a single infection (should have seen the NAV logs on the email server though ;> ).

    The point of all this is this. You were hired to do a job. If you aren't competent to do the job then get the hell out of the way and go work under someone who can.

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  77. Use the power of Usenet by SomeoneYouDontKnow · · Score: 2

    What you might try is to bring this issue up on news.admin.net-abuse.email and see if you can get things straightened out. If you go this route, have all your information in order, including your mail server name and IP, the time period in which it was open, what blacklists you were added to and which ones you're stuck on, and, most importantly, the date you got things fixed.

    If you've never been in NANAE before, keep in mind that the people there are, by and large, very nice folks who are genuinely interested in solving the spam problem and not persecuting anyone who doesn't deserve it. Don't jump in there with flamethrowers blasting away. Just state your problem clearly and ask if anyone can help you out. If you're running a clean server now, you'll find all the help you'll need.

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  78. Re:ISP have the problem, too by tweek · · Score: 2

    Think that's bad?

    From my deny file:

    210 This mailserver does not accept spam from AsiaPacific netblocks. If this is in error, please send email to dj_tweek@yahoo.com
    211 This mailserver does not accept spam from AsiaPacific networks. If this is in error, please contact dj_tweek@yahoo.com
    202 This mailserver does not accept spam from AsiaPacific networks. If this is in error please email dj_tweek@yahoo.com
    203 This mailserver does not accept spam from AsiaPacific netblocks. If this is in error, please contact dj_tweek@yahoo.com
    61 This email server does not accept spam from Asia Pacific networks. If you feel this is in error, contact dj_tweek@yahoo.com

    I don't know anybody from there and I give an option for the serious people who want to get in touch with me.

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  79. Re:Indeed, no one owns the internet mail system by djmurdoch · · Score: 2

    There has to be some way of ascertaining the list, without DOS'ing the DB's website (sending 2^32 queries to their server is probably something that is not appreciated by anyone).

    Why would you want to know every entry in a blackhole list? You want to know if you're in it, and all the reputable ones make it very easy to figure that out. I can only think of one reason why someone would want a complete list of all open relays on the net, and that's so they could abuse them.

  80. Re:Stay away from certain ISPs by ONU+CS+Geek · · Score: 2, Informative
    I use Rackspace for my Managed Hosting needs, and I've never had any problems with any of my site's emails. It's a sports agency, I've had only 3 problems of sites not getting any of our mail, and in both instances, it was a problem on my end (not having my MX pointer resolved right).

    Rackspace is wonderful, and I would encourage anyone who is in need of a Managed Host to go there.

    Just my 2 Cents worth.

    --

    I disable sigs...do you?
  81. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  82. SPEWS is the problem by BCTECH · · Score: 2, Informative

    I thank the person for this thread. First off, I am a user of DNSRBLs. I was using MAPS for a long while until they went subscription. Spam is virtually none for myself and my customers, so I thank those who run legitimate RBLs.

    A client of mine (also an RBL user) has been blacklisted by SPEWS for months now. This is a legitimate ISP with over 4000 dialups, few hundred DSL lines, and 100 or so collocated servers. They have been in business since 1993.

    Someone built a case based on three different incidents over as many years to blacklist this ISP's entire netblock. Perhaps they should apply this same logic to UU.net.

    When trying to appeal to them to be removed they were told to post to the mail abuse news groups as this is spews vehicle for removal. Well they did this and all they got was libelled by what sounded like a bunch of kids.

    Here is the real bad thing about this. Spews blackholed a /18 when in fact this ISP only had a /19. I contacted a maintainer of one of the RBL's that utilizes SPEWS and gave him a heads up that not only is this listing in error but Spews has blocked an additional 32 class C's that belong to another ISP. I informed him of a possible liability for such a mistake. He did not want to hear it and pointed me back to the news groups.

    Seems that he was nice enough to contact the guys at spews as the /18 changed to a /19 but my client remains blacklisted to this day.

    In reality it has not been a huge problem for them as I think even the hard core anti-spam advocates have distanced themselves from spews.

  83. Re:The other thing I hate about blacklists... by SuiteSisterMary · · Score: 2

    Can you not tell your mailserver to consider your ISP's server its smarthost?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  84. There's a reason you're on a blacklist by CaptainSuperBoy · · Score: 2

    Am I way off base here, or is this self-appointed mail police thing going in the wrong direction?

    Yes.

    The 'self-appointed mail police' aren't your problem. Your problem is with the sites that are still blocking you, after you have fixed your open relay. They may be using an old blackhole list. In any case, your mail has no god-given right to be accepted by their servers. List maintainers discourage sites from using static lists for this reason, but nobody's forcing the sites to take you out of their list.

    Some lists have reasonable policies, and we've since been removed. Other places are a little more arbitrary as to removal policies, and although I can prove we're not a relay, we're still listed

    Read news.admin.net-abuse.email. Every day there's a new poster ranting about the spam nazis blocking their mail, you people have no right, I fixed the problem, blah blah blah. If you've truly fixed the problem, they'll be more than happy to take you off the list. Don't expect overnight service - after all, nobody's to blame but your company for running that relay.

    I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system?

    Please don't - the analogies have been drawn before, they've been heard, and they've been rebutted. Are the lists infringing your right to free speech? No. You have a right to speak, but you have no right to be heard.

    You're saying no one owns the e-mail system, so everyone has the right to flood it with crap? Try, no one owns the e-mail system, so it is everyone's responsibility to keep it from being abused.

    I'm trying to move data from one point to another, and some machines in the middle are discriminating against my data because a corrected, perfectly legal system configuration error.

    Hardly. You're trying to move data, which is being actively refused by the recipient - they've made a choice NOT to receive your e-mail. Their action is a response to your failure to act in correcting your e-mail system. There is no 'machine in the middle.' Also, what does it matter that it's legal to run an open relay? It's legal to let garbage pile up on your lawn.. but it's not nice.

    Has SPAM really decreased universally thanks to these lists?

    If you didn't get blacklisted, would you have ever fixed your open relay?

    1. Re:There's a reason you're on a blacklist by CaptainSuperBoy · · Score: 2

      Hey, I don't run any blacklists! Bring it up with them, or post it in news.admin.net-abuse.email.. should give those guys a good laugh.

  85. Re:Using Sendmail how do you stop being a open rel by SuiteSisterMary · · Score: 2

    Jeepers krikies! I'd be FAR more worried about the basic security holes in a system that old. Remember, Sendmail was THE canonical 'drive a truck through the security holes' daemon. Hell, you used to be able to get root access to the machine by typing one of a few single words!

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  86. Re:The public blacklists aren't all... by ahde · · Score: 2

    ooh, scary! I'm sure I'll be cut off from a sizeable subsystem of the .cx domain.

    Open relays aren't the problem. Without them, you're stuck with webmail and large ISPs. Some joker with a DSL or Cable modem (his or somebody else's) sends more than any open relay. Most of your spam is your ISP's fault directly -- either through bad security or bad configuration or willful participation. *cough*AOL*Hotmail*cough

  87. Re:It's anti-democratic ! There are other (better) by CaptainSuperBoy · · Score: 3, Insightful

    1. These list should inform you have been added

    If you were added to a list without any knowledge that you had a spam problem, you are not qualified to run a mail server. If you were in any danger of being blacklisted, your postmaster@ account must have received hundreds of spam complaints. If you just ignored them, what did you expect to happen?

    2. They should leave you 10-15 days to fix the problem before blocking you

    Why, so spammers can abuse your servers for 10-15 more days? It was eating up YOUR bandwidth too, you know..

    3. They should help you. I was *very* shocked by ORBS attitude "we block you, and we don't care if you cannot correct it"

    ORBS WAS the exception, not the rule. ORBS is gone now btw, but they weren't known for their user-friendliness or their accessibility. Nevertheless, it's YOUR responsibility to fix your server, not theirs.

    Example : Accept any IP address for relay except ORBS, you won't be blocked but you're an open relay ;-)

    You didn't come up with this idea you know.. it's been done before. What did we call the people who did that? Oh right, spammers.

  88. Wow by CaptainSuperBoy · · Score: 2

    Now that's a company I wouldn't feel guilty about working at and goofing off all day..

  89. What helped us and our users the most by shadie · · Score: 5, Insightful

    We (dds, a dutch isp) had a spam problem, and being a free email provider for such a long time did contribute to that. When we went out to solve this problem we did it in three steps:

    - Implement RBL+ on our mailservers (got the load down a bit though)

    - Created a global "spam filter" (weight system a la junkfilter) which was opt-in for our users.

    - We installed procmail, gave each user its own .procmailrc and made a web interface to create procmail recipes in an "outlook" style.

    This recipe maker could then be accessed by each user on their own user pages, or they could just make recipes through their shell access.

    Our end users didn't really notice much about our use of RBL. And most of them don't know what rbl is anyway.

    But giving them the possibility of filtering email on the serverside _themselves_ did make a difference! It gave them a feeling we are fighting spam, and that THEY are also in control!

    And last but not least... Giving your users info on how to _avoid_ spam is important! We did this by writing clear faqs on avoiding spam, and pointing each new user to these faqs.

    (b.t.w... this was my first post on /. , lurking time is over i guess :-)

    --
    -- Hi! I'm a signature virus. Copy me into your sig file and help me spread
  90. Re:lmfao by Arker · · Score: 2

    here's a little story, about how a popular open relay database decided to add a tier 1 isp's entire ARIN/RIPE listed address space to their list. after being told repetitively that a tier 1 isp isn't responsible for the thousands of mail servers its downstreams have (and therefore the associated open relays)

    I disagree. You are very much responsible. Now, granted, you can't be expected to actually administer those systems. If one of your sub-leased addresses winds up used by a spammer, that doesn't mean right off you've done anything wrong. But... if reasonable efforts are made to address the situation with the sub-leasee, and they aren't willing to deal with the situation, then it does become your responsibility.


    If that was actually what happened, and you just said "not our problem" then you were as guilty as the spammers. Moreso really.


    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  91. Re:No. Deal with it. by Flower · · Score: 2
    Hey, that isn't exactly fair. When the old admin left I inherited the job of maintaining the mail server. I knew nothing about e-mail but did know Unix which few others in my department did.

    Nobody told me the server had an open relay on it . Worse, nobody told me this was permitted to allow one department to relay off of us when they were at a customer site.

    Needless to say, it wasn't long before we got listed and I got a quick education about smtp. Once I had a grasp of what was going on I immediately closed the relay and got us delisted.

    Then after a sick day I came back to be informed that the relay was open again. The department in question had enough political clout to make it happen. Well, we got back on the lists and worse yet we got on Earthlink. I quoted RFCs, gave them alternatives to using our server as a relay (like configuring their e-mail client properly) and, in the end, I created a form letter and started turning other departments against the offender by basically telling it like it was. In a professional manner of course.

    Getting off of ORBZ was easy and I'm happy to say I never landed on MAPS. But Earthlink was a chore. They run their own service and what made me unhappy is the technical contact listed in their whois entry is for desktop support. It took me a week of phone tag to find out I should be contacting a department called Corporate Escalates. Once I got to them it took less than an hour to be removed.

    And fwiw, all lists are not equal. Strangely enough I did wind up on ORBZ again. It seems they changed the way they did their test and added one for name!domain_to_send_to@server2relay_from. The version of software I was using didn't stop this and I had to upgrade.

    Now that I'm done with getting this off my chest (sorry, I had to.), the real issue isn't with admins who don't know anything. It's with admins who don't care enough to learn and do it right.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  92. Re:No. Deal with it. by CaptainSuperBoy · · Score: 2

    If you don't like your ISP's spam policies, change ISP. It's not the list's problem that you're one IP away from a spammer. It's also 'collateral damage' like this that forces a lot of ISPs to deal with their spam.

  93. Re:Blacklist of blacklist sites? by Iffy+Bonzoolie · · Score: 2, Funny

    How many sites could a blacklist site blacklist if a blacklist site could blacklist sites?

    How many sites could a blacklist site blacklist site blacklist if a blacklist site blacklist site could blacklist blacklist sites?

    Whee!

    -If

    --
    Run a pencil-and-paper RPG campaign with your far-off friends: Gametable!
  94. I hate PHBs... by Brendan+Byrd · · Score: 2

    Now that I'm done with getting this off my chest (sorry, I had to.), the real issue isn't with admins who don't know anything. It's with admins who don't care enough to learn and do it right.

    Now do you see what happens when you don't care about security? I'm sorry about the PHB a-holes you had, but that's the company's fault, not yours. However, if you're using a mail server, you better stick to your postfix/sendmail/etc. books if you want to keep your job.

  95. SMTP does all that by kaisyain · · Score: 2

    RFC 2554: SMTP AUTH.
    RFC 2487: SMTP over TLS.

    The first problem is that people don't use either of these things. The second problem is they don't really address the problem of dealing with spam.

    If you only want to receive email from pre-designated people, you can already do that. Hotmail, for instance, provides a filter that says, "Throw everything in the trash unless I specifically tell you otherwise." But generally people don't know in advance who they want to receive email from. This is what spam takes advantage of.

    Providing authentication doesn't solve this problem. One idea that has been put forward is to charge people to accept unsolicited email. The idea is that you have to pay me $1 if you aren't on my white-list. Then I can look at the email and refund you that $1 if I decide the email isn't junk. There are problems with this approach but it is an interesting idea.

    1. Re:SMTP does all that by Sabalon · · Score: 2

      RFC 2554: SMTP AUTH.
      I'm using this. We have a server for our students on campus. However they use any ISP they want, but are required to use their student e-mail for communiqué (something about that way we always know we have the current and correct e-mail address for them, and we can prove they got a piece of e-mail).

      Anyway, with SMTP_AUTH, from anywhere on the net(*) they can now send their e-mail and relay through us. They don't have to always be choosing the correct outlook account setting or any of that bs.

      (*) well, anywhere on the net that does not block port 25 connections. AOL, Earthlink (who provides the complete unblocked internet - bullshit), and others will not allow connections on port 25 to anything but their mail servers.

      They claim that this cuts down on spam since spammers can't use an account to use an open relay somewhere. Does this mean now that the spammers just use the earthlink smtp server instead? Anyway, a config setting, a listen on port 2525 and all is solved.

      RFC 2487: SMTP over TLS.
      Isn't this just an encrypted smtp? Yeah...that really doesn't do much for spam at all like you said.

    2. Re:SMTP does all that by curunir · · Score: 2

      The second problem is they don't really address the problem of dealing with spam.

      That was exactly my point. The point of adding authentication would be to establish a trail of accountability for the email. If a user had to login to be able to send an email, that user's login information could be added to the message's headers. The only time that authentication would not be necessary is on the last message hop when the server is accepting mail for local delivery. You would still be able to receive email from anyone, but each email would have a verified sender who would be accountable for his/her actions. If this "path" could reliably be determined, legislation preventing UCE (with civil penalties for sending it) would be all that's necessary to solve the problem.

      The situation is analogous to someone continually calling you on the telephone. If a caller-id system is in place and there is no way to block caller-id then all that's needed to solve the problem is laws banning excessive calling.

      The problem with SMTP AUTH is specifically that it *is* compatible with SMTP. What is needed is a protocol that is completely incompatible with SMTP. Then, anyone who gets fed up enough with SPAM can only accept messages by the new protocol. Anyone attempting to send them mail via SMTP would receive a bounce message telling them they need to send their message through the new service.

      Additionally, this would be a good time to sensibly implement some things that have been kludged onto SMTP (mandate PGP, intelligent attachment capability, html formatting etc)

      --
      "Don't blame me, I voted for Kodos!"
  96. RFC 2505 by Flower · · Score: 2
    Anti-Spam Recommendations for SMTP MTAs

    'nuf said.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  97. Re:Blacklist of blacklist sites? by Sabalon · · Score: 2

    Until the blacklist site of blacklist sites refuses to remove blacklist sites who have changed their ways, then we need a blacklist of blacklist sites of blacklist sites.

    Is the room spinning for everyone else now?

  98. Re:As a newbie, I still think you deserve it by Sethb · · Score: 2

    Go one step further, disable the Windows Scripting Host. It's easy to do, and we do it for all of our users at my shop, with a simple command in the login scripts. Symantec makes a free tool, which you can find here.

    This renders those nasty .vbs files as harmless as .txt files, very handy for when a hot virus/worm sneaks past Norton before the new definitions are out. Of course, if you block attachments with executable extensions, you're fine, but, you can never be too paranoid. :)

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  99. Blocking not the solution by hyrdra · · Score: 2

    Well I recently got an entry-level position in a large corporate environment, doing IT related stuff. I was surprised at the sophistication of the mail system in place for both dealing with spam and making sure company contact addresses (since there are thousands of new e-mail contacts established daily) are not blocked along with the ads for penis enlargement.

    Our policy is to filter mail based upon client (e.g. employee) preference. If our client requests so, they can elect to receive all mail, including any SPAM. If they want to, they can get SPAM from known spammers delivered to a specific folder, which is created when they download their folders in Outlook. They can block all mail except for known addresses. Domains they have ever sent mail to get put in the accept table automatically, with exception to a few (most notably hotmail and the like).

    Another method we use is filtering bulk mailings. If a server from X IP is connecting up everyday and spending several hours delivering mail to every address, you can bet that's spam and is thus filtered or at least flagged for human investigation. There are only a few major domains that deliver to a large percentage of our user base, such as humor mailing lists. And because spammers frequently change IPs, any IP delivering to over 20% of the population, which would easily be over 1,000 addresses, is flagged for review.

    We have also found that oftentimes spammers are setting up fake networks in areas of IPv4 that aren't even allocated to any network. We have even seen IP's connecting up which are supposed to be in the amateur radio range. This is either done via false route information to a helpless upstream ISP or spoofing in some way. This is increasingly common, and we have found doing a reverse-lookup on the IP address and reported hostname in ARIN works very well in stopping this. If it doesn't match, the mail is sent to the spam folder. This also works for people running dynamic DNS services on their DSL or cable connections, BUT with a registered domain name. So when you do a lookup on their domain, you get their IP address and can't tell it's on a cable or DSL network, unless you do a reverse lookup and compare the results. A true business doing a lot of e-mails will have an entry in ARIN. However, we use this with caution because it tends to flag e-mail from virtual web hosts or sites who aren't big enough to have their own netblock.

    I think the solution to spam is to use the black-lists, but only within reason. I agree with many here and I also think the purpose of the lists should be to eliminate spam via open relays, and this should be done via closing those relays, not 'blacking' them out. Most are simple Netscape server-folk who have all kinds of other services open as well, including proxy, web cache, etc. and they need the blacklists to work with them to eliminate these problems.

    I find the methods I've described an acceptable compromise. Although it doesn't solve the problem of wasting bandwidth, the risk is too great a valid corporate contact could be filtered due to various reasons, and the business would be lost. In a real corporate environment (read: not your home network of 5 linux boxen), you can't afford to block a complete, half, or even 1/4 of a subnet due to one abuse. There could be a client only one IP away who doesn't get through and decides to go somewhere else...

    Anyway, just my 2 cents and 5 weeks experience...

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  100. Re:is as easy as... by Flower · · Score: 2
    Oh come on. If it's that bad then learn how to configure your client so you don't get the "pretty pictures."

    As to what to tell your boss, tell him to look into getting some software that can do content filtering as the mail comes in. Where I work all incoming mail is virus checked then goes through the content filters before being delivered. We have a spam account where offensive mail can be forwarded and an admin then goes over it and updates the filters. If that isn't enough for people, they can call the helpdesk and get instructions on how to create a rule in Outlook to send the crap into the trash.

    Comparing an open relay to child molestation is extreme and even more offensive than your boss' 'barn babes' issue. What is a greater pity is you seem possessed of a great deal of creativity (rhino stampede indeed) but are incapable of channeling it towards finding a solution to the threat of a "possible lawsuit."

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
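
The two checks hyrdra describes in comment 99 above, as an added example (not the poster's system or code): flagging any client IP whose mail reaches more than 20% of the user base, and comparing the reverse lookup of the connecting IP with the forward lookup and the reported hostname. The function names, the verdict strings, the order of the checks in `triage` and the dictionary-backed resolver are assumptions, and all sample records are constructed.

```python
import socket
from collections import defaultdict

BULK_FRACTION = 0.20  # from the comment: "over 20% of the population"


def flag_bulk_senders(deliveries, user_count, fraction=BULK_FRACTION):
    """Map each client IP that reached more than `fraction` of the users to
    its number of distinct recipients. `deliveries` holds (ip, rcpt) pairs."""
    seen = defaultdict(set)
    for ip, rcpt in deliveries:
        seen[ip].add(rcpt.lower())  # repeat mail to one user counts once
    limit = fraction * user_count
    return {ip: len(r) for ip, r in seen.items() if len(r) > limit}


def system_resolver():
    """Real DNS lookups; both callables raise OSError when nothing resolves."""
    return (lambda ip: socket.gethostbyaddr(ip)[0],
            lambda name: socket.gethostbyname_ex(name)[2])


def table_resolver(ptr, a):
    """Offline stand-in backed by two dicts (assumed helper for the sample)."""
    def reverse(ip):
        if ip not in ptr:
            raise OSError("no PTR record")
        return ptr[ip]

    def forward(name):
        if name not in a:
            raise OSError("no A record")
        return a[name]
    return reverse, forward


def check_client(ip, helo_name, reverse, forward):
    """Classify a connecting client:
    no-ptr       the IP has no reverse record at all
    unconfirmed  the PTR name does not resolve back to the IP
    helo-differs PTR is forward-confirmed but is not the reported hostname
                 (the DSL/cable and virtual-host case from the comment)
    match        reverse, forward and reported hostname all agree"""
    try:
        ptr_name = reverse(ip)
    except OSError:
        return "no-ptr"
    try:
        addrs = forward(ptr_name)
    except OSError:
        return "unconfirmed"
    if ip not in addrs:
        return "unconfirmed"
    if ptr_name.rstrip(".").lower() != helo_name.rstrip(".").lower():
        return "helo-differs"
    return "match"


def triage(ip, helo_name, bulk_flags, reverse, forward):
    """Bulk senders go to human review, DNS mismatches to the spam folder.
    Checking the bulk flag first is an assumption of this example."""
    if ip in bulk_flags:
        return "review"
    if check_client(ip, helo_name, reverse, forward) != "match":
        return "spam-folder"
    return "inbox"


# Constructed sample: 50 users, documentation address ranges only.
USER_COUNT = 50
SAMPLE_DELIVERIES = (
    [("203.0.113.7", f"user{n}@example.com") for n in range(12)]
    + [("203.0.113.7", "USER0@example.com")]   # duplicate in another case
    + [("198.51.100.20", f"user{n}@example.com") for n in range(10)]
    + [("192.0.2.10", "user3@example.com")]
)
PTR = {"192.0.2.10": "mail.example.org",
       "203.0.113.7": "host7.dsl.example.net",
       "203.0.113.9": "mx.example.biz"}
A = {"mail.example.org": ["192.0.2.10"],
     "host7.dsl.example.net": ["203.0.113.7"],
     "mx.example.biz": ["203.0.113.200"]}

if __name__ == "__main__":
    rev, fwd = table_resolver(PTR, A)
    flags = flag_bulk_senders(SAMPLE_DELIVERIES, USER_COUNT)
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("203.0.113.7", "mail.dyn-customer.example"),
                     ("203.0.113.9", "mx.example.biz")]:
        print(ip, check_client(ip, helo, rev, fwd), triage(ip, helo, flags, rev, fwd))
```

A sender that reaches exactly 20% of the users is not flagged, because the comment's threshold is "over 20%".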
  101. Re:No. Deal with it. by Skapare · · Score: 2

    Part of the problem is that there are still new servers coming online all the time. And many of these servers are open relay right from the start. The reason I support being very harsh on sysadmins that did let a server do spam relaying is that I believe this problem won't get solved until it gets so harsh that it becomes common public knowledge that you better do the job right from the very first day you get online, or you'll have trouble for a long time. Right now, new sysadmins are putting up open relays before they ever have any idea. That needs to change. Somehow they need to be educated about this before they ever have the root/Administrator password.

    --
    now we need to go OSS in diesel cars
  102. Bad analogy. by achurch · · Score: 4, Informative

    [Running an open relay is] like being ticketed for driving your car down the wrong side of the road at 90 miles per hour and then being pissed off that the cop did not provide you with free driving lessons and give you 10-15 days to stop driving like that.

    Nice analogy, except that it doesn't work. If you're driving at 90 miles an hour on the wrong side of the road, then (1) your speedometer will tell you that you're driving at 90 miles an hour and (2) looking ahead will show you which side of the street you're on, which you can tell is the wrong side because of what you had to know to pass the test to get your driver's license.

    With mail servers, however, there isn't, at least yet, any widespread tool that will tell you if you have an open relay (and given how such tools work, they'll probably be banned as "hacker tools" at the rate things are going these days). In fact, I found out recently that I'd been placed on a blacklist for having an open relay, which took me by surprise because I'd been careful to avoid having anything like that happen; it turned out that I had missed one of the potential avenues of abuse (specifically, using error bounces to spam people).

    So until running a (secure!) mail server becomes as simple as driving a car and people need licenses to run servers, your analogy is inappropriate.

    1. Re:Bad analogy. by fmaxwell · · Score: 2

      With mail servers, however, there isn't, at least yet, any widespread tool that will tell you if you have an open relay

      There are numerous such tools. When I brought my mail server up, I submitted it to several of the Open Relay Databases for testing -- because that was the responsible thing to do. Anyone else bringing up a mail server should do the same thing and the open relay problem would go away.

      So until running a (secure!) mail server becomes as simple as driving a car and people need licenses to run servers, your analogy is inappropriate.

      The analogy works beautifully (see "+5 Insightful"). Maybe it takes a bit more knowledge and skill to operate a mail server than it does to drive a car, but that does not mean that the world owes you a break. It's harder to perform brain surgery than it is to drive a car, but that does not mean the brain surgeons are excused for their every mistake.

    2. Re:Bad analogy. by call+-151 · · Score: 2

      With mail servers, however, there isn't, at least yet, any widespread tool that will tell you if you have an open relay



      There are actually many tools for testing for an open relay. Try:
      • abuse.net's web form
      • mail-abuse.org has a description of a number of tools (the tried and true telnet relay-test.mail-abuse.org) and a good FAQ
      • linux-sec.net has a list and lots of info
      --
      It's psychosomatic. You need a lobotomy. I'll get a saw.
  103. Re:Stay away from certain ISPs by Skapare · · Score: 2

    Which blacklists are blocking whole ISPs when they could block just the offending server? If you genuinely know this is the case, then surely you know of examples of good blacklists and bad blacklists.

    Colo/server hosting is one of the tougher areas to stop spamming. An ordinary dialup/DSL/broadband ISP can block port 25 and force the use of their mail servers, and rate control those servers and be effective. But colocated servers are harder to do because many of those machines have legitimate high mail volumes so the mechanics of controlling spam are much harder.

    --
    now we need to go OSS in diesel cars
  104. Re:Shout out for ... spamcop.net by Skapare · · Score: 2

    What good is it to depend on reports of spam stopping after the spamming server gets listed as a basis for delisting it?

    1. Spam comes from some server.
    2. Spam gets reported to SpamCop.Net.
    3. Server gets blacklisted.
    4. Spam can't be delivered anymore.
    5. Reports cease coming in.
    6. Server gets delisted automatically because of no reports.
    7. Spam comes from some server.
    8. Spam gets reported to SpamCop.Net.
    9. Server gets blacklisted.
    10. Spam can't be delivered anymore.
    11. Reports cease coming in.
    12. Server gets delisted automatically because of no reports.
    13. Spam comes from some server.
    14. Spam gets reported to SpamCop.Net.
    15. Server gets blacklisted.
    16. Spam can't be delivered anymore.
    17. Reports cease coming in.
    18. Server gets delisted automatically because of no reports.
    19. Spam comes from some server.
    20. Spam gets reported to SpamCop.Net.
    21. Server gets blacklisted.
    22. Spam can't be delivered anymore.
    23. Reports cease coming in.
    24. Server gets delisted automatically because of no reports.
    25. ...
    --
    now we need to go OSS in diesel cars
  105. Re:Just being on the same IP range is bad enough by zenasprime · · Score: 2, Interesting

    Apparently the anti-spam fundamentalists don't see this as their problem. Eventually the problem will be solved because there will be more IPs on these lists than off. I hate spam but I am beginning to believe these crusaders are just as bad.

    Ever try to get help setting up a compliant server? Try sifting through countless messages condemning any and everybody that doesn't fall into their radical camps.

    Where are the moderates? http://www.dotcomeon.com/eff_011016.html

    zenas

  106. Morons are known to hire idiots in IT by Skapare · · Score: 3, Interesting

    An open relay is not necessary in order to make email function at the outlying offices. You don't even need a VPN. The mail server can be configured with the static IP addresses of each of the offices as valid "local" addresses. Of course a VPN is much better as that also improves your security.

    As confirmed by another of your postings, your company management are morons who have apparently hired idiots for the IT department. Obviously you recognize it, and can leave if you feel that is necessary, or can stay as long as you can deal with it, and are not blamed for it. Should they ever offer to promote you into IT, be sure you insist that you be given the authority to fix the problems with no further permission from management to go ahead.

    --
    now we need to go OSS in diesel cars
  107. Re:Open Relays & Blacklisting by Skapare · · Score: 2

    This is (by being dumb and setting up an open relay at first) how you get on 3000 (estimated) private blacklists. You get off mine by asking me to take you off (I do the first 2 times). Part of the problem is that many businesses just have their MCSE kid set it up.

    --
    now we need to go OSS in diesel cars
  108. Re:Fixing servers not always easy by Skapare · · Score: 2

    You didn't indicate if this is an on-campus or off-campus problem. Since most other schools have solved the problem, I'm assuming yours could, too, if you applied the correct solution.

    First of all, mail coming in from off-campus is the issue with regard to open-relay. If you have students/staff spamming from on-campus, you do have better access to identifying who they are and dealing with it. But for off-campus, it's much harder, so it needs to be denied.

    Many schools provide dialup services for staff and students off campus (some free, some for an added fee). This won't be a problem for the open relay issue as long as the dialup access itself is authenticated as usual.

    Those off campus using a commercial ISP have a couple of choices. One is to just use the ISP's mail server for outbound, while picking up the mail at the school POP3 server for their dot.edu address. Most ISPs allow "From: anywhere" in the mail (means nothing, really). If a local ISP does not, you could ask them to allow the school's domain through (else you'd have to recommend to the school community not to use that ISP). And of course there is the POP-before-send approach which you can use to let the off-campus community send through the campus mail servers.

    So basically, this is easier than you are making it out to be.

    --
    now we need to go OSS in diesel cars
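The relay rules described in comments 106 and 108 above, as an added Python sketch that is not from any poster or any mail server's code: relay only for listed office networks or for clients that recently authenticated over POP3 (POP-before-send), and otherwise accept mail only for local domains. The domain, networks, 30-minute window and all names are assumptions chosen for illustration.

```python
import ipaddress
import time

# Assumed values for illustration: example domain and documentation address ranges.
LOCAL_DOMAINS = {"example.edu"}
OFFICE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.17/32")]
POP_WINDOW_SECONDS = 30 * 60  # assumed POP-before-send grace period


class RelayPolicy:
    """Decide at RCPT TO time whether to accept a recipient from a client."""

    def __init__(self, local_domains, trusted_networks,
                 pop_window=POP_WINDOW_SECONDS, clock=time.time):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_networks = list(trusted_networks)
        self.pop_window = pop_window
        self.clock = clock
        self._pop_logins = {}  # client address -> time of last good POP3 login

    def record_pop_login(self, client_ip):
        """Hook for the POP3 server: call after a successful authentication."""
        self._pop_logins[ipaddress.ip_address(client_ip)] = self.clock()

    def _may_relay(self, ip):
        if any(ip in net for net in self.trusted_networks):
            return "client is on a listed office network"
        seen = self._pop_logins.get(ip)
        if seen is not None:
            if self.clock() - seen <= self.pop_window:
                return "client authenticated over POP3 recently"
            del self._pop_logins[ip]  # window expired, forget the login
        return None

    def check_rcpt(self, client_ip, rcpt):
        """Return (smtp_code, reason) for one RCPT TO from client_ip."""
        ip = ipaddress.ip_address(client_ip)
        local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
        if not sep or not local or not domain:
            return 501, "malformed recipient"
        # Policy choice: addresses that hide a second hop in the local part
        # (user%host@local, host!user@local, user@host@local, @a:user@b) would
        # make this server forward off-site while looking like local delivery.
        if any(ch in local for ch in "%!@:"):
            return 550, "routed addresses are not accepted"
        if domain.lower().rstrip(".") in self.local_domains:
            return 250, "recipient is local"
        reason = self._may_relay(ip)
        if reason:
            return 250, reason
        return 550, "relaying denied"
```

A server is an open relay exactly when the last line is reachable with a 250 for an outside client and an outside recipient; the POP3 login widens the trusted set only for the length of the window.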
  109. It sure did for us by macdaddy · · Score: 2
    I consult with a small ISP in Kansas. We started using MAPS' DUL and RSS quite a while back (zone transfers). Then I added the ORSS (zone transfers) which also gave me SPEWS, Spamhaus Block List (SBL), and SpamSites.org. When MAPS went commercial, we bought zone transfer rights to the RSS and DUL. About that same time I also added RSL, Summit Blocking List (SBL), and FlowGoAway who doesn't have a website. On top of all that I also reject mail from domains that don't resolve and I maintain an extensive Sendmail access list full of Alan Ralsky's domains, spam supporting providers like Broadwing, spamware vendors, and domains and IPs of every spamming outfit I come across. In total I'm up to 4682 entries. Oh, and I also filter message bodies on certain content that identify unique pieces of spam like all those "Enter your email address on this website to be unsubscribed" things. Works great. This time last year I was filtering maybe 10,000 pieces of spam per week. I'm over 100,000 pieces of spam per week now. Considering we only have 2500 users, that's a lot of filtered spam. Roughly 40 per person per week.

    What all of this rambling means is that you can filter out a great deal of spam with the right DNS blacklists. I only use DNSbl's that allow zone transfers because I don't want network latency to slow down mail delivery. It really is a worthwhile thing to do.

    Finally the best thing that you can do for your users is educate them. Give them very clear examples of how doing simple things like giving your personal email to a credit card company, entering it in a guestbook, using it in USENET, using it on any public discussion board, and many more can increase their spam intake many fold. Explain that to them. Show them the proof. It's not hard to generate spam. Hell create a dummy account and make a few posts in the newsgroups. Never give the address to anyone else and don't use it yourself. Give it a week. Then show the results to your users as proof of USENET address harvesting.

    Finally, don't be part of the problem (this is to the parent of the article). Be proactive in fighting spam. Sitting back and bitching about it doesn't help anyone. If you put up a server that's an open relay then you fucked up. It's your responsibility as an administrator to make sure you do your job right. Putting up an open relay isn't doing your job right (are you listening all of you damned Exchange admins?! 90% of the open relays I find and report are running Exchange!!!). When you get spam, report it (called LARTing). Drop a copy to uce@ftc.gov. Report stock spam to the SEC. Report bogus drug scams (lose 100lbs tonight while you sleep!) to the FDA. Report Nigerian Money scams to the Secret Service. Report the spamvertised sites to their providers and ask that they investigate (don't accuse in case it's a Joe Job). Parse through the headers and learn to identify relayed spam, BS headers, and other tricks of the trade. Submit open relays for listing in all the open relay blacklists. Report it to the owner of the IP as well. DO YOUR PART! If you're not going to do your part to fight spam or ensure that your servers are properly configured, THEN GET YOUR SERVERS AND YOUR ASS OFF THE 'NET BECAUSE YOU DON'T BELONG IN THIS COMMUNITY!! Don't be part of the problem.

  110. Re:Blacklists by Skapare · · Score: 2
    It seems a bit ridiculous that they can leave listings in their databases that misrepresent other company's standards, simply because an open SMTP relay was left active inside the host's network.

    It is not ridiculous at all. In fact this is exactly what they are supposed to do. If there is an open relay, and they say there is an open relay, they are telling the truth, and you have absolutely no cause to complain. Blacklists are not saying that such-and-such company has bad standards ... they are saying that such-and-such IP address or network has an open relay (or whatever the case may be).

    If your customer configured the server wrong, making it an open relay, then it is that customer you should be collecting recovery costs from. In the future, be sure terms that specify this are in your contract that you have each customer sign. Be sure the spam and open relay issues are discussed with them before the service is turned on.

    And further, set up a testing facility which will probe all the IP addresses on your own network for open relays. Your own customers should not be relaying for any other of your customers, nor for your own machines, so you can do this entirely in-house. Leave the IP address of this testing machine out of the "local networks" list of your own mail servers and it can test them, too. Have it cycle through the network several times a day sending mail to an outside domain name which gets forwarded from there back to you. The contents of the message would be what the tester is testing, and with that and headers, you can see what server suddenly became an open relay before the spammers find it and cause you all this massive grief. And since it is your network, you have all the legal rights to probe it (but add this to your contract terms just to be on the safer side).

    Now your next problem is those nasty form mail scripts that use a hidden field for where to send the mail. There is spamware available to use those to send spam. They simply fabricate the browser submission, with a false hidden address field containing the spam victim's address, and submit it to the web server. Such scripts should not be allowed on any web server in your network, with no exceptions made. Scanning around for them is harder due to the variety of potential pathnames they could be found in. The only form mail scripts that should be used are ones where the destination address is stored in the script itself, or in a database the script uses to lookup using the referer URL.

    --
    now we need to go OSS in diesel cars
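The form-mail flaw from the comment above, as an added Python example that is not from the poster or from any real form-mail script: the first handler takes the destination from a hidden form field, the second looks it up server-side from the page's Referer and refuses forms it does not know. The hostnames, addresses, field names and function names are constructed for illustration.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed table: which page's form delivers to which fixed mailbox.
DESTINATIONS = {
    ("www.example.com", "/contact.html"): "sales@example.com",
    ("www.example.com", "/support/form.html"): "support@example.com",
}
FORM_SENDER = "webform@example.com"  # constructed envelope/header sender


class Rejected(Exception):
    """The submission is refused and no message is built."""


def vulnerable_formmail(fields):
    """'Before': the recipient is whatever the submitted hidden field says."""
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = fields["recipient"]  # client-controlled: anyone can be mailed
    msg["Subject"] = fields.get("subject", "Web form")
    msg.set_content(fields.get("message", ""))
    return msg


def _one_line(value, limit=200):
    # A line break in a header value would let the submitter append headers.
    if "\r" in value or "\n" in value:
        raise Rejected("line break in header field")
    return value[:limit]


def hardened_formmail(fields, referer):
    """'After': the destination comes only from the server-side table.

    The Referer is client-supplied too, but here it can only select one of
    the site's own mailboxes; any 'recipient' field is ignored entirely.
    """
    parts = urlsplit(referer or "")
    recipient = DESTINATIONS.get(((parts.hostname or "").lower(), parts.path))
    if parts.scheme not in ("http", "https") or recipient is None:
        raise Rejected("form is not registered on this server")
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = recipient
    msg["Subject"] = _one_line(fields.get("subject", "Web form"))
    msg.set_content(fields.get("message", ""))
    return msg
```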
  111. Re:Spammers can try and get off blacklists too by Skapare · · Score: 2

    These operations also get listed in other ways, too. The identity of their network generally gets discovered and places like spamhaus.org will list them.

    --
    now we need to go OSS in diesel cars
  112. Re:Try DCC for spam control by Skapare · · Score: 2

    I make the decision whether to accept or reject mail before the headers and body are ever received. I don't want to be handling the returns on the rejections because I've accepted delivery, and then have to deal with huge queues of rejections that can't be delivered. I let the sending server do that.

    --
    now we need to go OSS in diesel cars
  113. Re:RBL's help spammers by Skapare · · Score: 2

    So be it. That means people running open relays get pounced on. Serves 'em right.

    --
    now we need to go OSS in diesel cars
  114. Re:Mixed feelings by Skapare · · Score: 2
    I submit that I have every right to have an open relay, and not risk having my e-mail blocked based solely on that basis.

    I submit that I have a right to not accept e-mail from your open relay for no reason whatsoever (but generally I will do so because it is an open relay). If mail is relayed through your server, then I see that as sufficient proof for my purposes. I'm not asking the government to come take your personal freedom away, or take your driver's license away, or even take your network connection away (though many would want that taken away). IMHO, you have the right to be connected to the internet with an open relay if you want, but you have no right to expect that everyone must accept mail from your server, or even accept any IP packets from you, because of being an open relay.

    Liken open relaying to doing bizarre behaviour, or having serious body odor because you don't shower. It's your right to do that. But it's also my right to have nothing to do with you and not even hire you. We just keep apart.

    There is nothing wrong with running an open relay, if you manage it right and the volume is low enough that it is reasonable to do so. Shouldn't it be your right, without fear of someone else trying to modify your behavior?

    First of all, in reality, it won't happen. As soon as the first spammer discovers your open relay they will spam. And I got hold of one of these spam lists and found that the very first entries are of spamware authors and other spammers. So they are going to be among the first to be spammed by the spammer that found your open relay. Now several spammers have your IP address. It will be like a shark feeding frenzy. Eventually the spamming gets down to the addresses that will alert the blacklist operators, and you get blacklisted.

    I don't want the spam, and I'll accept the collateral damage of loss of legitimate mail from your server in exchange for protection from the spam. And that's my choice and I have the right to make that choice, and base it on information I believe to be factual (e.g. ordb and orbz). You have the freedom to choose which way you want to behave, and all that comes with it (or not).

    --
    now we need to go OSS in diesel cars
  115. Re:Stay away from certain ISPs by Skapare · · Score: 2

    I don't use SPEWS for a couple of reasons, and that is one of them. You have a Rackspace based mail server? Figure out my email address and send me something and see if it comes through.

    --
    now we need to go OSS in diesel cars
  116. Re:Shout out for ... spamcop.net by MoNickels · · Score: 2

    I agree with the praise for Spamcop. We implemented a DNS check against bl.spamcop.net a couple of weeks ago. Since then, from four different spot checks of the server logs, these are the stats:

    Totals:
    Total time Covered: 52 hours 52 minutes
    842 emails rejected as spam
    1691 emails received
    422 emails sent

    This is in a small office with about 50 users.

    --

    Wordnik, a dictionary project which aims to collect
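How a DNS blacklist check like the one against bl.spamcop.net in the comment above is conventionally made, as an added Python example that is not MoNickels' or SpamCop's code: the connecting IP is reversed, prefixed to the list's zone and looked up, and only an answer inside 127.0.0.0/8 counts as a listing. It goes slightly beyond the comment by also handling IPv6 and failed lookups; the zone `dnsbl.example`, the sample records and all function names are constructed, and the resolver is injectable so the sample runs offline.

```python
import ipaddress
import socket
from typing import Callable, NamedTuple, Optional

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed records for a made-up zone, standing in for real DNS answers.
SAMPLE_ZONE = {
    "9.113.0.203.dnsbl.example": "127.0.0.2",      # listed
    "10.113.0.203.dnsbl.example": "198.51.100.1",  # resolver rewrote NXDOMAIN
}


class DnsblResult(NamedTuple):
    query: str
    listed: bool
    answer: Optional[str]
    note: str


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address (octets for IPv4, hex nibbles for IPv6) under zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name: str) -> Optional[str]:
    """First A record for name, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        missing = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        if exc.errno in missing:
            return None
        raise  # timeouts and server failures are not "not listed"


def check_dnsbl(ip: str, zone: str,
                resolve: Callable[[str], Optional[str]] = system_resolver) -> DnsblResult:
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError as exc:
        # Fail open: a broken or slow list must not turn into rejected mail.
        return DnsblResult(name, False, None, f"lookup failed ({exc}); not treated as listed")
    if answer is None:
        return DnsblResult(name, False, None, "no record: not listed")
    if ipaddress.ip_address(answer) in LISTED_RANGE:
        return DnsblResult(name, True, answer, "listed")
    # Some resolvers answer every unknown name with a search-page address.
    return DnsblResult(name, False, answer, "answer outside 127.0.0.0/8: ignored")
```

Each check is one DNS round trip per connection, which is the latency macdaddy avoids above by taking zone transfers and querying a local copy.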

  117. No, it's vigilanteism without responsibility by Anonymous+Brave+Guy · · Score: 3, Insightful
    ORBS does not decide what is "permitted" nor do any of these other databases. They have a set of criteria for deciding whether and when your mail server ends up in their database.

    Which they have all violated on numerous occasions, to the detriment of the innocent bystanders caught up in their incompetence.

    I'm sick of the attitude that ORBS owes you something when your mail server is an open relay.

    And what if it isn't? There have been numerous cases where the various blacklists have included servers

    • completely in error
    • because they shared the first n sections of their IP address with another box that was open
    • long after they've fixed whatever problem there was.

    I don't like open relays and spam magnets any more than you do, but I know how easy they are to overlook, and it will happen, even to generally competent people. It is in everyone's best interests to have a quiet word with the sysadmin at an open site first, because 90% of the time, that will solve the problem.

    On the other hand, what we now have is a vigilante culture where totally unaccountable people can wipe out your company (quite literally, if you depend heavily on e-mail) on a whim, and there isn't jack you can do about it. As far as I'm concerned, if these people are blocking you inappropriately, they should be liable in the same way as anyone else who damaged your business by making a false claim, and you should be able to sue them to the other side of the galaxy.

    It's like being ticketed for driving your car down the wrong side of the road at 90 miles per hour and then being pissed off that the cop did not provide you with free driving lessons and give you 10-15 days to stop driving like that.

    No, it's not even slightly like that. Having an open relay is inconvenient but not immediately dangerous. Having an open relay is not illegal. You are not required to pass a test before running a mail server. The internet is not governed by generally well-reasoned laws. A generally competent driver will not accidentally find themselves driving at 90mph on the wrong side of the road because they just bought a new car. All in all, the two cases aren't even remotely the same.

    I think that ORBS should charge a processing fee for "expedited removal" from their database and, otherwise, just remove systems once a week.

    Do you also think that the media should be able to run business-destroying stories based on complete misinformation, and then charge extra to print an apology in the next edition (even though most of the damage is already done and they don't have to pay anything for doing it)?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:No, it's vigilanteism without responsibility by fmaxwell · · Score: 2

      I don't like open relays and spam magnets any more than you do, but I know how easy they are to overlook, and it will happen, even to generally competent people.

      When I set up my mail server, I immediately submitted it to two different blacklists for testing as well as testing it from a dial-up account on another provider. Open relays are only "easy to overlook" if you are negligent when you set up mail servers.

      No, it's not even slightly like that. Having an open relay is inconvenient but not immediately dangerous.

      Yes it is. There is a danger that I, and millions of other users will be spammed.

      Having an open relay is not illegal.

      And ORDB can't give you a criminal record for it.

      You are not required to pass a test before running a mail server.

      So what? Do police let you go because you passed your driving test?

      The internet is not governed by generally well-reasoned laws.

      Which is why organizations like ORDB have sprung up to protect people.

      A generally competent driver will not accidentally find themselves driving at 90mph on the wrong side of the road because they just bought a new car.

      Neither will a marginally competent mail server admin find themselves with an open relay.

      All in all, the two cases aren't even remotely the same.

      They are analogous, meaning that they share characteristics that make it valid to compare them. The ORDB and the police both serve an enforcement role. Driving recklessly is analogous to operating a mail server recklessly (even if the ultimate risks are different). Expecting the police to give you 10-15 days to cease driving recklessly is analogous to expecting ORDB to give you 10-15 days to stop running an open relay. Expecting the police to give you free driving lessons is analogous to expecting ORDB to give you free consulting on how to run your mail server.

      It works great as an analogy.

      On the other hand, what we now have is a vigilante culture where totally unaccountable people can wipe out your company (quite literally, if you depend heavily on e-mail) on a whim, and there isn't jack you can do about it. As far as I'm concerned, if these people are blocking you inappropriately, they should be liable in the same way as anyone else who damaged your business by making a false claim, and you should be able to sue them to the other side of the galaxy.

      You can. They are completely liable if their negligence injures your business or reputation. So quit pretending otherwise.

    2. Re:No, it's vigilanteism without responsibility by topham · · Score: 2

      I've had the pleasure of sitting across the table from someone who was describing his 'job' for one of the anti-spam groups. According to him, my home machine could end up on their list because it was an un-authorized mail server. Regardless of the fact NO-ONE except me could ever send mail from it.

      He also acknowledged they would put a server on the list if it sent mail out but could not be tested. If a firewall prevented their accessing the box they would ASSUME it was hostile and put it on the list.

      These are not the actions of a group of people wanting to prevent spam, these are the actions of a group of people attempting to wield control over the Internet.

      They are all simply a bunch of bastards that have no regard for anyone other than themselves.

      If they knew what the fuck they were doing they would automate the removal process (at a minimum) and deal separately with those few organizations which would choose to abuse it. Instead they decided they are the arbiters of justice.

    3. Re:No, it's vigilanteism without responsibility by topham · · Score: 2

      1) I used my own SMTP server as, at the time, my ISP was damn near useless as a mail server. By the way, at the time, no ISPs were submitting their cable modem/ dialup pools to the lists.

      2) They didn't 'bother' to verify it was just them that was firewalled. They ASSUMED it was just them and acted accordingly. (They would get the address of such servers by comparing mail from users to their 'correct' mail servers. Downright obsessive if you ask me.).
      3) Most of the fools who add these blacklists to their mail servers do not do so with management approval; customer service for such providers tends to say 'we're sorry, but internet email is unreliable, it isn't a problem on our end because we still get mail'... sure, but not from everybody.
      4) It isn't a deterrent, it's a fucking pain in the ass. They have, and continue to add people, and networks that should not be blacklisted. It happens. And they are NEVER quick to remove it when they screw up.

      Had the blacklist services been implemented in a more friendly manner they wouldn't bother me; instead they are implemented as a 'all your mail are belong to us' crap.

    4. Re:No, it's vigilanteism without responsibility by Anonymous+Brave+Guy · · Score: 2
      When I set up my mail server, I immediately submitted it to two different blacklists for testing as well as testing it from a dial-up account on another provider. Open relays are only "easy to overlook" if you are negligent when you set up mail servers.

      But that's just not true. I've seen several otherwise competent sysadmins fail to close loopholes in the first few days of running a new system. A quick phone call or e-mail would immediately have made them aware of the problem and caused it to be closed, but instead, several of the sites were RBL'd without notice. The open relays were closed as soon as the sysadmins became aware of the problem, but there was still considerable damage to the businesses as a result, which continued for weeks after they notified the blacklists concerned that the relays had been closed.

      There is a danger that I, and millions of other users will be spammed.

      Too bad. There is a danger of that every day, open relays or not. If you think that is even remotely comparable to the danger of a serious road traffic accident, your priorities are really screwed up. Try learning first aid and treating the victims at the scene of an RTA. Watch one die, and tell me these two situations are comparable. You are a sick, sick person if you think your "analogy" is fair.

      I'm not going to bother replying to your other points there, because I think those comments are equally off-base, and I think that's obvious to anyone else reading as well. If you really want to know my thoughts, scatter "undemocratic", "vigilante", "unaccountable" and "often wrong" liberally through your comments.

      You can [sue the blacklists if they damage you by having you on their list inappropriately]. They are completely liable if their negligence injures your business or reputation. So quit pretending otherwise.

      Maybe where you come from. I'd love to see the precedent, though. Certainly none of the companies I've seen damaged this way (in the UK) were ever able to take action. These guys have basically taken it upon themselves to sort out something that is not their responsibility, they're doing a pretty lousy job of it, and they're screwing people who can't fight back. So you quit pretending otherwise.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:No, it's vigilanteism without responsibility by fmaxwell · · Score: 2

      I've seen several otherwise competent sysadmins fail to close loopholes in the first few days of running a new system. A quick phone call or e-mail would immediately have made them aware of the problem and caused it to be closed, but instead, several of the sites were RBL'd without notice.

      Did they submit their systems for testing by any of the open relay blacklists when they brought them up? Did they use a third-party ISP to test the systems for open relays? I did those things, so my mail server isn't an open relay. If they did not, then they were negligent. Period.

      A quick phone call or e-mail would immediately have made them aware of the problem and caused it to be closed, but instead, several of the sites were RBL'd without notice.

      So now you want volunteers running open relay databases to phone all around the world to negligent sysadmins? Get a clue. These databases are run on a shoestring budget. They cannot afford to turn every open relay discovery into an expensive, labor-intensive, investigative chore. Oh, and another clue for you: Many of the open relays are in Asia. How good is your Chinese or Korean?

      You are a sick, sick person if you think your "analogy" is fair.

      Did you ever hear the analogy that refers to "throwing out the baby with the bath water"? Do you think that the people who use that analogy are saying that abandoning a baby to die in dirty bathwater is the moral and ethical equivalent of whatever they are drawing the analogy to? If you don't understand something as simple as analogies, you need to spend more time in school and less on Slashdot.

      I'm not going to bother replying to your other points there

      That's fine since your replies to them would probably have been equally as ill-conceived as those replies you did make.

      Maybe where you come from. I'd love to see the precedent, though. Certainly none of the companies I've seen damaged this way (in the UK) were ever able to take action.

      Then look here. Next time, do your own research before you post.

    6. Re:No, it's vigilanteism without responsibility by Anonymous+Brave+Guy · · Score: 2
      Did they submit their systems for testing by any of the open relay blacklists when they brought them up? Did they use a third-party ISP to test the systems for open relays? I did those things, so my mail server isn't an open relay. If they did not, then they were negligent. Period.

      Probably not before the system was fully configured, no. In both cases I'm thinking of, they were blacklisted within a few hours of going on-line, before they'd even finished the diagnostics to find out if the system was working properly. Given another 24 hours, the relays would all have been blocked. They didn't give them those 24 hours, instead they jumped the gun and screwed the companies concerned for several weeks each. That is not reasonable behaviour, it's vigilanteism.

      BTW, I notice we've somehow managed to lose all the cases where the blacklist just plain screwed up in the first place, and either added a server completely in error, or caught innocent servers up when blocking whole IP ranges. Having a competent sysadmin obviously didn't help all those companies, now did it?

      So now you want volunteers running open relay databases to phone all around the world to negligent sysadmins? [...] They cannot afford to turn every open relay discovery into an expensive, labor-intensive, investigative chore.

      I want them to do some basic fact-finding before they go around cutting people off from the world, yes. If they cannot afford to do the job properly, perhaps they should find a new line of work. As it is, they are screwing people and harming businesses left, right and centre. That is not justified by any of your over-excitable rants.

      Then look here. Next time, do your own research before you post.

      Perhaps you should do the same. The link you posted is obviously to a US court case. Do you now expect people in countries all over the world to take US-specific legal advice just in case they have a case there against someone there who's disrupting their network? Since you're so keen on giving out clues, here's one for you: many of the small businesses at risk from this practice can't afford to hire US lawyers to sort out US-based problems with US companies. Deal with your own problems, don't push them onto the rest of us, please.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re:No, it's vigilanteism without responsibility by fmaxwell · · Score: 2
      Probably not before the system was fully configured, no.

      If the mail server was not "fully configured", it should not have been live on the net. The sys admins did not do their jobs. They brought up mail servers that were open relays and didn't make it a priority to test them.

      They didn't give them those 24 hours

      They never said that they would give 24 hours notice. Do you know how much spam can be spewed through an open relay in 24 hours? Hundreds of thousands of pieces, assuming even a moderately fast connection.

      BTW, I notice we've somehow managed to lose all the cases where the blacklist just plain screwed up in the first place, and either added a server completely in error, or caught innocent servers up when blocking whole IP ranges.

      They don't "block" anything. They report where open relays have been found. Since it is now largely an automated process, the chance for human error is minuscule. As to the IP ranges, open relay databases don't use ranges. Databases of organizations that tolerate spamvertised web pages are the ones that use IP ranges. Sys admins can choose to block them or not.

      I want them to do some basic fact-finding before they go around cutting people off from the world, yes.

      Too bad. I, and many others, want them to identify threats and inform us of them as quickly and efficiently as possible. That means an automated system where someone enters an IP address, the system sends test relay mail, and, if it returns, an entry is automatically added. No human intervention or time is needed and human errors are eliminated.

      And when will you get it through your head that these databases don't "go around cutting people off"? They are databases, not filters. If their criteria, methods, and accuracy satisfy me, then I can use them in my filtering. You don't like that? Tough. I don't have a legal obligation to accept mail from your server.

      If they cannot afford to do the job properly, perhaps they should find a new line of work.

      It's not a "job." They are mostly unpaid volunteers. If their "work" does not satisfy you, then don't use them for your filtering.

      The link you posted is obviously to a US court case.

      Yes, and you wrote:

      Maybe where you come from. I'd love to see the precedent, though.

      So, I showed you a precedent where I come from. There's no satisfying you, is there?

      Do you now expect people in countries all over the world to take US-specific legal advice just in case they have a case there against someone there who's disrupting their network?

      I did not give you "legal advice". I showed you a precedent -- as you requested (see above).

      Let me summarize this for you since we seem to be covering the same ground over and over:

      1. System administrators must be sure that their systems are not open relays if they want to avoid being listed. The very first test that they should run when putting their system on the net is an open relay test. If they don't do that, they have no right to complain when they show up in ORDB.
      2. Open relay databases do not perform filtering or, in any way, block e-mail. They provide information just as a newspaper does: "IP X.X.X.X was an open relay on this date"
      3. My mail server = my rules. Individual system administrators can block e-mail based on information in these databases, results of tarot card readings, or their own dislike of odd-numbers in IP addresses. It's their system so it's their choice.
      4. Their database = their rules. Someone running an anti-spam database gets to decide the criteria for inclusion/removal and the procedures that they will use. You have no right to dictate how someone else runs their database.
      5. The only time that you have a valid legal claim against an open relay database is if they listed you in error. If the listing was correct, then you have no grounds for complaint.
      6. The people running the databases don't owe you anything. They don't owe you warnings, notices, consulting services, phone calls, e-mails, or any of the other things that have been proposed in this thread. They have no business or contractual relationship with you.

        Remember, you have a right to start your own database if you think that the existing open relay databases are going about it wrong. You can phone sys admins in places like Korea, Brazil, and Russia to tell them about their open relays. You can give grace periods. You can e-mail warnings to people. You can rush home from your job to immediately remove systems from the database the moment that the admins fix the problems. You can do all of those other things you think should be done. If others feel that you have the right idea, they will switch to your database. Of course, you'll probably have to deal with pompous twits who demand that you change the way that you run your own database, but it will be a learning experience for you.


      Hopefully, this has cleared up the misconceptions you had when you entered into this discussion.

  118. blacklists punish innocent users! by Marvin_OScribbley · · Score: 2

    Most of the comments people are making seem to be of the opinions that these blacklists and blackholes are a good thing. So what I am about to say will probably not be very popular. In my experience, blacklists punish users more than spammers.

    A while back I got a reply to my e-mail that had the word SPAM with a question mark inserted into the subject. After some correspondence I learned that my ISP had been "blacklisted" because they maintain open mail relays. I was snidely told I should complain to my ISP, as if I could somehow force them to fix the problem. Well I did send an e-mail telling them about the problem and asking what they could do. Their position on the subject was quite different. They felt that to close the mail relays would hurt their customers by preventing them from sending mail through the server even when they were not connected locally. Now before you point out that I could simply switch ISPs, keep in mind that I live in an area where there is not a big selection of ISPs. Anyway, their reply sounded like a lack of technical expertise to me, but apparently a few weeks later they changed their mind.

    But now I had a new problem. I've got two internet connections, one which is a direct connection from my office, and the other which is a dialup connection from at home. Suddenly I found I was unable to send e-mail from my office account through my ISP account, nor could I send e-mail from my work account from at home, because both mail servers were rejecting mail not from or to their domain. This was an added pain because it meant that I had to keep changing the smtp server in my mail program every time I switched locations.

    I guess the point I am really trying to make is that various administrators will set things up the way they feel is best for the situation. However in this case closing open relaying prevented me from sending legitimate e-mails. I have a feeling that customers care less about preventing spam than they do about the system working for them. Yes, I hate spam too. On one of my accounts I've set up the system to reject e-mails from anyone not on my accept list. I still get the e-mail, only in a low priority directory that I occasionally check. The sender also gets a message telling them how they can bypass the filter. I can do this because I've got shell access on this account.

    But it seems to me that blacklisting is wrong because first, it filters mail that could be from legitimate users, and second, it makes no attempt to inform the user that their e-mail was silently deleted. In my case I was lucky that my e-mail was simply flagged as possible spam, and not just deleted. Had I not found out from the recipient what was going on I might never have known.

    --
    I'm not a journalist, but I play one on slashdot
  119. Re:How to avoid SPEWS black-listings by CaptainSuperBoy · · Score: 2

    Your customer shouldn't take it personally. nanae has seen a thousand posters exactly like him, and they'll see a thousand more after he's gone. Someone shows up, never posted on Usenet before, and fills up a page or two ranting about blacklists taking away his business and restricting his free speech. If he read the FAQ before he posted, he'd know that the /24 gets banned since spam-friendly ISPs often shift their blackholed customers to different IPs. He'd know that the people to talk to are his ISP, not nanae. Instead, he's argumentative and pushy to people who have nothing to do with his problem. At best, he's clueless. At worst, he's a spammer himself.

    These people come along, argue for a couple days, and vanish. nanae regulars will help you, if you're not a dick about it. But what's the use of being nice to someone who is pointing fingers all over the place, ranting and raving, and you know they'll never post again?

  120. Fake open relay software. by Nonesuch · · Score: 2
    It's been done.

    http://www.msg.net/utility/small/chuckmail/

    Looks like an open relay, optionally acts like a teergrube.

  121. Re:Mixed feelings by Skapare · · Score: 2
    But you seem to have missed the point of my words. Using solely the criteria of an open relay means that you run the risk of blocking legitimate communications to those that depend on your server, without their knowledge.

    My users are fully aware of the spam blocking I employ. I've received no complaints, and only investigation requests. Most cases of "I was expecting this mail but never got it" came down to what you might call "collateral damage". In all of those cases it was a misconfigured server at the sender side. One was an actual open relay. Three were missing or invalid reverse DNS. All got fixed when the errant sysadmins were told what to do.

    If my users prefer a mail service with less collateral loss, and more spam, they can either ask for it (I could set it up using a separate server), or they can move along to another provider. So far no one has asked for it.

    My point is that ORDB is a very crude means of stopping spam- a real 'throw the baby out with the bath water' approach that is effective but also potentially damaging. There are better ways, and a number of posts in this thread have described them in detail.

    I employ a combination of mechanisms. First is my own list of IP addresses to allow through, bypassing the remaining tests. Then the connecting IP address is queried over reverse DNS. If no name, the mail is rejected. The name received is queried by forward DNS requesting A-records. If the connecting address is not received in an A-record, the mail is rejected. If the DNS test passes, then the domain name is checked against a list of domain names to allow through. Then SBL, ORDB, and ORBZ are checked. Then my list of domains to reject is checked. And finally my list of IP addresses to reject is checked. Anything not yet rejected is allowed through.

    Many suggested mechanisms require first accepting the mail, so that one can, for example, examine the headers or the mail body. I might some day add those mechanisms, but I do not want to remove the mechanisms that reject the bulk of spam prior to accepting the mail. This is the key. I don't want my server to become responsible for delivering the rejection message. For most spammers, the mail can't be delivered and either the mail stays in the queue retrying for a while, or my postmaster box gets the rejection of the rejection reply.

    I have found that checking for keywords in content is not effective. Much mail gets matched that is not spam. Much spam is now sent as MIME encoded attachments, making it necessary to further run a detach and decode. Some spam even comes in MS Word format (tempting to get their product serial number out of it).

    I'll stick with the mechanisms that work before mail is even delivered. It has a very high spam rejection count to collateral damage (67000 to 4 in the past 7 months).

    That's the point. I don't have the freedom, as long as I might want to communicate with you or one of the people depending on your server, I must behave in a certain way.

    You do not have the freedom to barge into my home at 3 AM just because you want to communicate with me. You have the freedom to try to communicate with me using civil means that do not violate my rights. You do not have any right to be guaranteed this communication. I might simply not answer the door at 3 AM. I might not even answer it at 3 PM. I'm not presuming you to be a criminal just because my server doesn't want your mail, or because I don't answer the knock at the door. And my users know this is happening and are free to use another service.

    By using ordb, you are taking on a role which you should consider carefully. Your users have the right to receive their mail, regardless of its origin, if they are paying you for that service.

    I have considered the role very carefully over the past 2 years. What I do today is the result of it. Yes, my users do have a right to receive their mail. And they can choose to fully exercise that right any time they wish by any means, such as operating their own mail server, asking me to operate a different class of service for them, or asking another provider for service. Right now they are not paying me to accept mail from absolutely anywhere it happens to come.

    I can only hope that you are open minded and are willing to consider the ramifications of controlling one's communication, without their knowledge. You have the right to do what you do, as does every link that makes up the ordb system, but by using the combined effect, you are inflicting potential damage. You can disregard this entire line of reasoning if your mail server is for you and you alone, but please reconsider, if others depend on it.

    They are quite aware of what I am doing. They may not understand all the details (they have little interest, for example, in how SMTP or DNS actually works). They know their spam load is down. And they know they (the ones with their own domain names) can ask me for service via a fully open server (which is easy enough to do by binding a new IP address, changing their MX records, and starting a new instance of Postfix with a different configuration ... I don't even need to invest in new hardware).

    My big point is that even though I am providing a service to others, I am not obligated to provide that service in any way other than how I have agreed with my users to provide that service to them. Further, I can also decline to offer service of any type they might ask for, if that is my choice. While I might provide the fully open mail receipt service, if asked, I can tell you I will not provide a service of hosting a spam transmission operation (spamhaus) nor will I host an intentionally open relay. I will decline to offer any kinds of services which could in some way compromise those other services I do offer. And I do have the right to choose the business I will be in, including to choose not to provide any fully open mail reception, should I so choose.

    --
    now we need to go OSS in diesel cars
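
The connection-time check order described in this comment, as an added Python example that is not the commenter's own configuration. DNS is replaced by constructed lookup tables so it runs offline; the `.example` DNSBL zones are placeholders for SBL, ORDB and ORBZ, and all function and policy names are hypothetical.

```python
import ipaddress

# Placeholder DNSBL zones standing in for the SBL, ORDB and ORBZ lists
# named in the comment; these are not real zone names.
DNSBL_ZONES = ("sbl.example", "ordb.example", "orbz.example")
LISTED = ipaddress.ip_network("127.0.0.0/8")  # conventional "listed" answers


def dnsbl_name(ip, zone):
    """203.0.113.7 + zone -> 7.113.0.203.zone (IPv4 DNSBL query name)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_connection(ip, lookup_ptr, lookup_a, policy):
    """Return (accept, reason), applying the tests in the comment's order."""
    if ip in policy["allow_ips"]:                # 1. own IP allowlist
        return True, "allow-ip"
    name = (lookup_ptr(ip) or "").lower().rstrip(".")
    if not name:                                 # 2. no reverse DNS name
        return False, "no-reverse-dns"
    if ip not in lookup_a(name):                 # 3. name must map back to ip
        return False, "forward-dns-mismatch"
    if domain_matches(name, policy["allow_domains"]):   # 4. domain allowlist
        return True, "allow-domain"
    for zone in DNSBL_ZONES:                     # 5. public blacklists
        answers = lookup_a(dnsbl_name(ip, zone))
        if any(ipaddress.ip_address(a) in LISTED for a in answers):
            return False, "dnsbl:" + zone
    if domain_matches(name, policy["reject_domains"]):  # 6. own domain rejects
        return False, "reject-domain"
    if ip in policy["reject_ips"]:               # 7. own IP rejects
        return False, "reject-ip"
    return True, "default-accept"                # 8. everything else passes


# Constructed sample records (documentation address ranges, .example names).
PTR = {
    "192.0.2.10": "mail.partner.example",
    "198.51.100.5": "mx.relay.example",
    "203.0.113.7": "spoofed.bank.example",
    "198.51.100.20": "mx.bulk.example",
    "192.0.2.77": "mail.ok.example",
}
A = {
    "mail.partner.example": ["192.0.2.10"],
    "mx.relay.example": ["198.51.100.5"],
    "spoofed.bank.example": ["192.0.2.200"],      # PTR not confirmed by A
    "mx.bulk.example": ["198.51.100.20"],
    "mail.ok.example": ["192.0.2.77"],
    "5.100.51.198.ordb.example": ["127.0.0.2"],   # listed open relay
    "10.2.0.192.ordb.example": ["127.0.0.2"],     # listed, but allowlisted
}
POLICY = {
    "allow_ips": {"203.0.113.50"}, "allow_domains": {"partner.example"},
    "reject_domains": {"bulk.example"}, "reject_ips": set(),
}


def sample_check(ip):
    """Run the pipeline against the constructed tables above."""
    return check_connection(ip, PTR.get, lambda n: set(A.get(n, ())), POLICY)
```

In a live mail server each rejecting result would be returned as an SMTP error before the message is accepted, which is what leaves the bounce with the sending side as the comment describes.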
  122. Re:No. Deal with it. by Technician · · Score: 2

    (In crackhouse terms, SPEWS reads police blotters, and if it stops seeing crime in a certain area, allows pizza delivery. I'm the crusty old Italian guy who says "No, you can't deliver to 48th street, it's a war zone, at least, it was the last time I tried to deliver a pie there sometime in 1996!")
    I still apply that to reality. If I hit a town with wild traffic traps (like getting a parking ticket at 2 AM while in the car!) I take that as an unwelcome sign and refuse to do business there again ever. Not everyone is ready to fully trust a part of town with a bad reputation right away. I've noticed 15 years later a large number of boarded up and empty retail space where I got the weird ticket. I won't consider returning until it's all plowed under and rebuilt nice shiny and new. People must return as a sign it's no longer a place to be robbed. Most all the reputable businesses moved 5 miles South into the next county. This is how real world slums and internet slums are created.

    --
    The truth shall set you free!
  123. Re:Shout out for ... spamcop.net by Erasmus+Darwin · · Score: 2
    "What good is it to depend on reports of spam stopping after the spamming server gets listed as a basis for delisting it?"

    I believe SpamCop doesn't use an absolute block. So it's still quite possible for users to file spam reports against spam that's been flagged as spam.

    Also, if SpamCop uses external lists, the initial SpamCop listing only needs to last long enough for the spammer to get on a more permanent/human moderated list.

  124. Re:The public blacklists aren't all... by ahde · · Score: 2
    Every sentence of this message is wrong.

    Every sentence of this message is wrong.

    See above, below

    You didn't read my message, did you? My system is a small one, true. Multiply my system by the thousands of others whose administrators maintain private blacklists - and, I assure you, not all of them are small - and you're talking about a significant chunk of the net.

    You didn't read your original message, did you? So there are a thousand end users who use their own mail server that dead ends into their living room from their local ISP. Not much mail gets routed through them. Yes there are ISPs, and some of them large, that use their own (or other) blackhole lists. But that's not what you were talking about.

    Wrong. People can send email from their own systems - as I do - or through their ISP's outgoing email server. That is *not* an open relay, since (if it's properly configured) only relays messages from that ISP's customers.

    Wrong. You can send email through your own system (as I do) -- you are in a very small minority. And you can only send email piggybacked on the relays of larger networks (like your ISP.) I said, "Open relays are not the problem", in one sense, that is an exaggeration, and should be read, "Open relays are not the biggest problem," but in another sense it is completely accurate the same way saying, "Guns are not the problem, it is the people who misuse them."

    Those jokers send their spam through open relays, in an attempt to evade other blacklists. You even note this yourself, though you don't appear to understand it: what, exactly, do you think someone sending mail through someone else's DSL or cable modem is doing if not abusing an open relay?

    Yes, they do. Some of them. It's hard to turn down a big chunk of free, anonymous bandwidth. But it's easier these days to call up the telco and get your own access on the cheap, and the risk is smaller. Just be sure to use the name "Herbert Spammerton" only once. And try to blackhole all of Verizon, I dare you.

    I run my own email server. My ISP has nothing to do with it.

    Who are you peered with?

    So much talking, so many errors. The fact is that, by eliminating open relays, a significant amount of spam is thrown out. If we didn't have open relays, we'd be much further along in the war on spam.

    I was only trying to bring up a counter point, sorry if my original response came across wrong. But you deserve this one.

    Open relays are not the problem. Only as much as "bars" are the problem that causes car accidents. It isn't the only problem, maybe not even the largest. While it is a big problem, if you take it away, *the* problem would not go away. I'm not saying you shouldn't treat the symptoms, but you can't ignore the cause.

    Relevant to the case at hand, I had to open relaying (only to my local network and work IPs) so that I could use my personal mail server from my home workstation, and from the office. I'm facing the problem of having several friends around the country who would like to use my home mail server -- and I'd like to when I travel. How do you propose doing that without selective open relay? It's already growing into a difficult task to maintain, and it's inconvenient to download putty every time I travel so I can ssh home. By then, it's easier to just read it instead of setting up a temporary mail folder on whoever's computer I'm at. I might as well telnet to port 110 -- which is what I usually end up doing now.

  125. Re:Stay away from certain ISPs by Skapare · · Score: 2

    The only difference between the way you would do it and the way I would do it, is you lose all the other mail, too, while I would not.

    If you're going to block a range, the only range you need to block is the range the actual spam comes from. If you are capable of blocking a range, then you can succeed at blocking the spammer range. The only time you need to block the whole ISP is if they help the spammer evade your block. But as long as the ISP is simply providing basic IP service in a box, the content should be irrelevant to them (not to you or me, of course).

    The extreme danger in this is that it sets up the precedent that a hosting company has to judge content. Once they are judging one type of content, then they could be forced to judge another. They might end up having to take down a web site because the corporation it makes fun of, or reports about improprieties by, would be offended and threaten the ISP with a lawsuit. As long as the ISP doesn't give the spammer special treatment by letting them change IP addresses all the time, blocking gets the job done by blocking the spammer and not the ISP.

    If you think that by doing this kind of blocking (of the whole ISP) often enough will cause spammers to somehow just disappear, you are delusional. Spammer types have always existed before the internet, and will continue to exist as the internet becomes entirely ubiquitous.

    As long as there is perceived to be a target market for spam, there will be spammers, and they will find ways to deliver the garbage. And there is such a target market out there. While you and I pay greater costs, to the spammer it is a success because they very frequently get returns well in excess of expenditures (and the last time I looked, that was the way business worked).

    Compare this to the illegal drug market in the US. As long as people want to buy these drugs, someone will find a way to deliver it, no matter how much the US law enforcement does to stop them. As the supply diminishes, the prices go up, and the attraction to enter supply side is greater. So it is with spam. The more we reduce it on everyone, the more successful the spammers who remain will be (because their target is less saturated). If instead of trying to stop all spam, we work on stopping spam from just us, and let it go on to those who don't really care (and whether you believe it or not, there are a large number of people out there who really don't care), then at least we can be spam free. Economics works with spam, too.

    --
    now we need to go OSS in diesel cars