As the Spam Turns

Anonymous writes "The SBL has added Verio's corporate mail servers to its blocklist which protects nearly 100 million mailboxes, because of the number of spam gangs on the Verio network. Verio also provides connectivity to AS26212, a collection of 9 of the most notorious spammers netblocks. AS26212 - the new spambone? - is also connected to he.net and bbnplanet.net."

Why content filtering is not enough

[Frater+219]

The technology is out there, in the form of Bayesian filters, and is nearly perfect.

Bayesian filters, SpamAssassin, and other client-side content filters can indeed reduce the amount of spam that you see. As such, they can reduce some major costs of spam for the average Internet user, small site, or business: costs such as annoyance, offense, wasted time, and harm to productivity thereby caused -- that is to say, the end-user costs of spam.

However, they have no effect on the cost of the bandwidth and other resource costs of spam, which are substantial for large ISPs and large businesses -- and for the Internet as a whole. In order to perform content filtration on a piece of mail, you must receive it and store it first, which has its costs. (Consider that large ISPs regularly report that anywhere from one-third to two-thirds of their mail is spam.)

Only forms of spam filtration which do not permit the spammer to send the spam to your mail server can reduce the bandwidth cost of spam. In practicality, that means filters which apply to one or more of the following (in increasing order of cost):

1. The sending host's IP address;
2. The sending host's DNS name or other IP metadata; or
3. The contents of the SMTP envelope, that is, the arguments to the MAIL FROM and RCPT TO commands, or other sender behavior prior to the DATA command.

(Note the SMTP envelope is not the same as the mail headers, which are part of the SMTP DATA. An SMTP server is permitted to reject mail before DATA, but is not allowed to drop the connection in mid-DATA. If you do not understand this, read RFC 2821.)

DNSBLs -- such as SBL, MAPS RBL, and SPEWS -- all apply to the IP address of the sending system. Domain-based rejection lists (which are not commonly published) apply to the DNS name of the sending system. RHSBLs, and relay checking, apply to the SMTP envelope.

Keep also in mind that one function of some (but not all) DNSBLs is not merely to filter out spam, but to discourage it from being attempted in the first place. By rejecting mail from networks which have proven themselves to tolerate spammers, we tell network operators that if they wish to be able to send us mail, they must kick off their spammers. It's their choice which they do; they just have to choose which is worth more to them: being able to send mail to sites that don't like spam, or being able to host network-abusers with impunity.

(Incidentally, you will find precious little sympathy for calling spam filtering "censorship". Censorship, as those who have experienced it understand, happens when some party uses violent force to stop a view or expression from being published by its advocates (at their cost). Spammers aren't trying to publish their views at their own cost and being violently restrained from doing so: they're trying to steal the use of others' equipment to publish their stuff.)

Re:Why content filtering is not enough

[Frater+219]

What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble. Of course many have closed their relays, but a lot still have open ones.

"If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing, and that applying the appropriate technical fix to mail servers would prevent it.

Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.

Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.

As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kind of problems "crimes".

Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".

Third, there's also an social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.

By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.

Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.

Re:Good

[Frater+219]

I would not be suprised to see Spamhaus served a cease-and-desist before Verio does the Right Thing and starts punting luser spammers.

Luckily, the spamfighting community has a great deal of experience with such misbehavior. The slang expression among spamfighters for a sender of baseless legal threats is "cartooney", as in cartoon + attorney. Spammers send these out by the boatloads when their delusions suggest it will get people to stop trying to block their thefts.

Steve Linford, the operator of the SBL and ROKSO (and known in China as Stiff Linefeed) is a long-time anti-spam veteran, and has a great deal of support from others such. If Verio tries to harangue, hassle, or hornswoggle him into falsely removing them from SBL, he will have dozens of clued and supportive people on his side. If Verio files suit, Mr. Linford will have a substantial legal defense fund faster than you can say "Canter & Siegel".

Re:Great, more censorship

[p3d0]

That's only half the picture. It also must let every non-spam email get through. It can't just discard important emails. Otherwise, I could provide you with a simple filter that blocks 100% of spam...

(I'd like to point out that the link you provided claimed "0 false positives" which is exactly what I'm talking about.)

Re:Good

[Frater+219]

You define commercial use as providing services for not-for-profit indivduals web surfing. Fine.

No, I don't. I define it as the use of the Internet for commerce, which is to say economic activity between consenting traders and investors -- what my left-wing friends would call "capitalism". I don't consider your sending of unsolicited advertisements to "an unconfirmed email address" (how many was it really?) to be commerce. I consider it to be spamming.

I define commercial use as trying to sell a product on the Internet and communicate with customers. You send one single email to an unconfirmed email address and you can be blocked for days. Do that enough and you are out of business.

You admit sending commercial email to an unconfirmed email address (how many addresses?), which turned out to belong to someone who had not solicited your message. By the usual definition of spamming as "unsolicited commercial email", that means that you admit to having spammed.

The techniques for operating confirmed mailing lists are not new. Mailing list software to operate confirmed lists has existed since well before the "e-commerce" boom. Thousands of businesses use such software. They operate confirmed, solicited commercial mailing lists ... and they don't get listed as spammers.

It sounds to me, from your description of the situation, like you failed to do due diligence, failed to take advantage of the information resources available to you -- and as a result, you spammed. In that case, the folks who listed you as a source of spam were telling the truth, weren't they?

Don't bother saying it doesn't work that way - we just got unblocked from that happening.

Hey, I'm just working with what you give me. If you'd like to point to a published record of your exchange with the list operators, please do so. A Google search link into NANAE, if that's where the exchange took place, would be more than adequate.

How many addresses did you spam, again?

Re:Good

[odaiwai]

The goal of the blockers is to eliminate commercial use of the Internet.

This is absolutely untrue. The goal of the blockers is to stop spam and abuse of the network and reclaim it from those who think that merely having and email address is an invitation to get spam.

dave

Re:A temporary fix

[LostCluster]

What this is designed to do is to make an example out of Verio. If an ISP hurting to make reveune targets agrees to look the other way towards spammers, that ISP will find itself in the black hole, and end up losing legit customers (whether they walk away in protest after hearing of the RBL, or simply because they think Verio's too clueless to get their e-mail to work) which negates the spammer income and then some.

Yeah, it's cat-and-mouse, but eventually the mouse will run out of places to hide. There are a finite number of backbone providers in this world.

Re:Breaking things is not fixing the problem.

[Skapare]

What if the someone that wants to talk to you just wants to sell your something? Or what if they want to convice you to change your opinion about something. Or what if they want to just reply to your Slashdot posting privately? How are you going to tell these apart?

The problem with spam isn't really the message. If I were to get in my mail box precisely and exactly the information I was interested in, I wouldn't have any problem with it. Maybe I would be interested in visiting just the right kind of porn site. Maybe I really would like to enlarge my penis. Maybe my printer really has run out of ink. Maybe. Maybe NOT.

But this is a hard thing to work out when you are dealing with content. For example, I often post on mailing lists or USENET and for many, I do get private replies (and spam, too). It's reasonable to assume that if you post, you've invited a reply (unless you say otherwise). But a "reply" to a posting about what I think should be in the next version of some standard should not be asking me if I need more golf balls. That's just plain off topic. Still, I have gotten replies that are completely ON topic, yet are sent by someone that is a total moron and not worth reading and a total waste of my time.

The real problem with spam isn't the content at all. The real problem is the way it is delivered, and the way it is determined to whom it is delivered.

TV commercials, radio spots, newspaper ads, and web banners, are what I call gatewayed advertising. What that means is that someone (the TV station sales department, the newspaper advertising department, or CmdrTaco while trying to get more revenues for Slashdot to keep it alive and pay for the kind of bandwidth that would create a Slashdot Effect on most web servers) is the "gateway" into the media where the advertising is presented. You don't get to put a TV commercial on without paying the TV station for the time. As much as I dislike most commercials (some I do enjoy the first time around), I also know they pay for, or in some cases at least help pay for, what I am receiving. But the whole point is, it's not going to get out of control because there is someone acting as the gateway. TV stations know they will lose viewers if there is 50 minutes of commercials every hour. CmdrTaco knows it would ruin Slashdot if every page were plastered with dozens of banner and box ads totally obscuring the content. And even if they did do the wrong thing and ruin it, I can change the channel or go to another site. There isn't a scaling issue here for these media.

But with spam, you can't change the channel. You can't choose to visit another site. And worst of all, it's not paying for a damned thing you receive.

We can make a comparison of spam with telemarketing and fax ads. Neither of these really pay for anything you receive. While it may be argued that telemarketers keep the cost of phone service down by providing more revenue for the phone company, this isn't really true. Most telemarketing actually takes place at the peak times that phone networks are busy, so the phone companies just have to scale up to that level of business. They aren't getting new revenues, and you can be damned sure that telemarketers are not paying an extra premium to the phone companies to help lower your phone bill (there are plenty of scumbags in that industry that would find ways around that).

Another comparison is with ads you get in snail mail. It doesn't really pay for anything you receive (they get huge discounts from the Postal Service for bulk packaging them so the delivery guy doesn't even have to check the addresses). But while these are annoying and a bit of a problem, it's not something that's going to grow exponentially from here because there is a "gateway" of cost. Those leaflets you get on your windshield are much the same. It's a pain to have to reach over and grab it and throw it away, and again, it hasn't paid for anything you receive. But like bulk snail mail, there is cost and someone has to roam around sticking them on.

The problem with spam isn't the content, it's that so much can be delivered so fast and to so many people that there is in effect NO GATEWAY to this. And as bandwidth gets cheaper and cheaper, and servers get faster and faster, you and your delete key will have to just work harder and harder to keep up. No wonder people are working on automating things to delete spam. And it just escalates.

So yeah, we do need to be able to continue to communicate, and this also needs to include advertising where appropriate. But there needs to be some kind of "gateway" to control it, to make sure it doesn't get out of hand, and to make sure the decisions about how much to send and to whom to send are decided on properly. And this also includes making sure it is sent to the proper email address for those of us with many (if you own a domain and have set it up so that any name on the left of the at sign works, raise your hand).

There will always be those who think it is their right to communicate with everyone. But, yet again, the issue is not about the message, but instead is about the methodology. Email is not a broadcast medium and should not be treated as such. It is a one to one communication medium. And I translate that to being a person to person communication medium. So if you want to communicate with me, you need to at least be a person, and not a machine running some spamware. Maybe SMTP needs a rethought. Or maybe not. I've thought about it and don't really have any answers (yet). But I do think the ultimate solution is going to end up having to be something that proves that it is a person who communicates with me, and gives me as much of their time in sending me the message as it takes from me to read it or listen to it. We need to find some way to communicate that does not allow the sender to automate it without that message being tagged as automated. That is the real problem with spam ... it's so impersonal ... it's all automated.

Some corrections and arguments.

[fmaxwell]

We were blocked (wrongly) a while back by some cowboy with a list.

No you were not. As you yourself later point out, people who compile lists don't block anyone.

Practically everyone listed claims that they were "wrongly" listed (and maybe you were). And you will find an astonishing number of "innocent" people in jail if you do a survey of the incarcerated. I have heard proclamations of innocence from multiple people running open relays and from those who claim to have purchased "opt-in" lists of e-mail addresses. In many other cases, these "wrongful" accusations are because some firm had a registration form with some tiny checkbox hidden below the bottom of the screen that, by default, gave them and/or their "business partners" permission to spam. Frankly, if a company tries to deceive its customers that way, then they deserve to be blocked.

The goal of the blockers is to eliminate commercial use of the Internet.

Spoken like a true spammer*. The goal of the blockers is to eliminate theft of bandwidth, storage, and time via spam. They want to make spam unprofitable both for those who send it and those who enable them. In short, they want to stop people from being bombarded with unwanted bulk e-mail delivered at the recipient's expense. What you said is analogous to saying that the goal of store security is to eliminate commercial transactions in stores.

I have a domain on which I employ aggressive anti-spam filtering, based on IP addresses, addressee, content, and header criteria. In the last couple of weeks, I have received commercial e-mail directly related to purchases from Gateway, TigerDirect, MCM Electronics, HP, and Directron. I do a lot of business on the net and rely on e-mail for everything from order confirmations to customer service inquiries. So please don't tell me that my goal is "to eliminate commercial use of the Internet."

We have to move away from relying on an unreliable communication media (email) just to stay in any form of business at all.

All of the firms that I mentioned above rely on e-mail. Dell never seems to get blacklisted. Neither does HP, Directron, Amazon.com, ebay, General Motors, etc. Just what was your firm doing with e-mail? Were you using it to send advertising? If so, how did you compile the list of recipients? Was it from a link that said 'click here to get our advertisements' or was it via some registration form that purported to be for some other purpose (e.g., order placement, tracking, customer survey, contest, etc.)? I just have trouble believing that some blacklist maintainer blocked you because you sent an order confirmation to someone.

* Note that I said "like" -- I'm not accusing you of anything

Re:Good

[Isofarro]

Spam blocking makes email unreliable.

No. Email has _never_ been completely reliable. There is nothing in the RFCs that guarantee delivery of every email.

Spam on the other hand, makes email _more_ unreliable because of the unwanted volume of it. Spam blocking is a means of reducing that volume.

The goal of most spam blockers is to eliminate commercial use of the Internet.

No. Consensual commercial email usage is preferred. Unsolicited and unwanted email in volume is what we seek to eliminate.

We got unblocked yesterday.

Funny how you need your services blocked before you actually take responsibility for your mail server. Now had you been a competant and responsible administrator, you probably wouldn't have been on a block list in the first place.