Slashdot Mirror


As the Spam Turns

Anonymous writes "The SBL has added Verio's corporate mail servers to its blocklist which protects nearly 100 million mailboxes, because of the number of spam gangs on the Verio network. Verio also provides connectivity to AS26212, a collection of 9 of the most notorious spammers' netblocks. AS26212 - the new spambone? - is also connected to he.net and bbnplanet.net."

6 of 391 comments

  1. Why content filtering is not enough by Frater+219 · · Score: 5, Insightful
    The technology is out there, in the form of Bayesian filters, and is nearly perfect.

    Bayesian filters, SpamAssassin, and other client-side content filters can indeed reduce the amount of spam that you see. As such, they can reduce some major costs of spam for the average Internet user, small site, or business: costs such as annoyance, offense, wasted time, and harm to productivity thereby caused -- that is to say, the end-user costs of spam.

    However, they have no effect on the cost of the bandwidth and other resource costs of spam, which are substantial for large ISPs and large businesses -- and for the Internet as a whole. In order to perform content filtration on a piece of mail, you must receive it and store it first, which has its costs. (Consider that large ISPs regularly report that anywhere from one-third to two-thirds of their mail is spam.)

    Only forms of spam filtration which do not permit the spammer to send the spam to your mail server can reduce the bandwidth cost of spam. In practicality, that means filters which apply to one or more of the following (in increasing order of cost):

    1. The sending host's IP address;
    2. The sending host's DNS name or other IP metadata; or
    3. The contents of the SMTP envelope, that is, the arguments to the MAIL FROM and RCPT TO commands, or other sender behavior prior to the DATA command.

    (Note the SMTP envelope is not the same as the mail headers, which are part of the SMTP DATA. An SMTP server is permitted to reject mail before DATA, but is not allowed to drop the connection in mid-DATA. If you do not understand this, read RFC 2821.)

    DNSBLs -- such as SBL, MAPS RBL, and SPEWS -- all apply to the IP address of the sending system. Domain-based rejection lists (which are not commonly published) apply to the DNS name of the sending system. RHSBLs, and relay checking, apply to the SMTP envelope.

    Keep also in mind that one function of some (but not all) DNSBLs is not merely to filter out spam, but to discourage it from being attempted in the first place. By rejecting mail from networks which have proven themselves to tolerate spammers, we tell network operators that if they wish to be able to send us mail, they must kick off their spammers. It's their choice which they do; they just have to choose which is worth more to them: being able to send mail to sites that don't like spam, or being able to host network-abusers with impunity.

    (Incidentally, you will find precious little sympathy for calling spam filtering "censorship". Censorship, as those who have experienced it understand, happens when some party uses violent force to stop a view or expression from being published by its advocates (at their cost). Spammers aren't trying to publish their views at their own cost and being violently restrained from doing so: they're trying to steal the use of others' equipment to publish their stuff.)
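
Added example, not part of the original comment or of any mail server's code: a sketch of the three pre-DATA checks listed above (client IP via a DNSBL-style lookup, client DNS name, then the MAIL FROM / RCPT TO envelope), showing that rejected sessions never transfer a message body. The zone `dnsbl.example`, all domains, addresses and sessions are constructed placeholders, and the DNS lookup is replaced by an in-memory set so the code runs offline.

```python
import ipaddress

# Constructed sample data (not real listings); documentation address ranges only.
DNSBL_ZONE = "dnsbl.example"                        # hypothetical IP-based list
DNSBL_RECORDS = {"7.113.0.203.dnsbl.example"}       # i.e. 203.0.113.7 is listed
BAD_CLIENT_DOMAINS = {"bulk-host.example"}          # local domain reject list
RHSBL_DOMAINS = {"spamvertiser.example"}            # listed envelope-sender domains
LOCAL_DOMAINS = {"ourisp.example"}                  # domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # our own customers

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """IPv4 only: reverse the octets and append the zone, as DNSBL lookups do."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def domain_of(addr):
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def check_envelope(client_ip, client_name, mail_from, rcpt_to,
                   listed=lambda name: name in DNSBL_RECORDS):
    """Return (stage, SMTP reply) for the first rejecting check, else DATA."""
    # 1. Sending host's IP address (cheapest: decided before any SMTP dialogue)
    if listed(dnsbl_query_name(client_ip)):
        return "connect", "554 client address listed in " + DNSBL_ZONE
    # 2. Sending host's DNS name
    name = client_name.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in BAD_CLIENT_DOMAINS):
        return "connect", "554 client domain refused"
    # 3a. Envelope sender (MAIL FROM) against a right-hand-side list
    if domain_of(mail_from) in RHSBL_DOMAINS:
        return "MAIL FROM", "550 sender domain listed"
    # 3b. Relay check (RCPT TO): outsiders may only address local domains
    trusted = any(ipaddress.ip_address(client_ip) in n for n in TRUSTED_NETS)
    if not trusted and domain_of(rcpt_to) not in LOCAL_DOMAINS:
        return "RCPT TO", "550 relaying denied"
    return "DATA", "354 go ahead"

# Constructed sessions: (client IP, client name, MAIL FROM, RCPT TO, body bytes)
SESSIONS = [
    ("203.0.113.7", "mail.listed.example", "a@x.example", "user@ourisp.example", 40000),
    ("198.51.100.9", "mx.bulk-host.example", "a@x.example", "user@ourisp.example", 40000),
    ("198.51.100.10", "mx.ok.example", "offer@spamvertiser.example", "user@ourisp.example", 40000),
    ("198.51.100.11", "mx.ok.example", "a@x.example", "victim@elsewhere.example", 40000),
    ("198.51.100.12", "mx.ok.example", "friend@x.example", "user@ourisp.example", 3000),
    ("192.0.2.5", "dsl5.ourisp.example", "user@ourisp.example", "friend@elsewhere.example", 2000),
]

def body_bytes_received(sessions):
    # Only sessions that pass every pre-DATA check ever transmit a body.
    return sum(s[4] for s in sessions if check_envelope(*s[:4])[0] == "DATA")
```

Of the 165,000 body bytes offered in the constructed sessions, only the 5,000 belonging to the two accepted messages would cross the wire; a content filter would have had to receive all of them first.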

    1. Re:Why content filtering is not enough by Frater+219 · · Score: 5, Insightful
      What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble. Of course many have closed their relays, but a lot still have open ones.

      "If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing, and that applying the appropriate technical fix to mail servers would prevent it.

      Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.


      Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.

      As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kinds of problems "crimes".

      Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".


      Third, there's also a social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.

      By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.


      Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.

  2. Re:Good by Frater+219 · · Score: 5, Insightful
    I would not be surprised to see Spamhaus served a cease-and-desist before Verio does the Right Thing and starts punting luser spammers.

    Luckily, the spamfighting community has a great deal of experience with such misbehavior. The slang expression among spamfighters for a sender of baseless legal threats is "cartooney", as in cartoon + attorney. Spammers send these out by the boatloads when their delusions suggest it will get people to stop trying to block their thefts.

    Steve Linford, the operator of the SBL and ROKSO (and known in China as Stiff Linefeed) is a long-time anti-spam veteran, and has a great deal of support from others such. If Verio tries to harangue, hassle, or hornswoggle him into falsely removing them from SBL, he will have dozens of clued and supportive people on his side. If Verio files suit, Mr. Linford will have a substantial legal defense fund faster than you can say "Canter & Siegel".

  3. Re:Great, more censorship by p3d0 · · Score: 5, Insightful
    That's only half the picture. It also must let every non-spam email get through. It can't just discard important emails. Otherwise, I could provide you with a simple filter that blocks 100% of spam...

    (I'd like to point out that the link you provided claimed "0 false positives" which is exactly what I'm talking about.)

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  4. Re:Good by Frater+219 · · Score: 5, Insightful
    You define commercial use as providing services for not-for-profit individuals web surfing. Fine.

    No, I don't. I define it as the use of the Internet for commerce, which is to say economic activity between consenting traders and investors -- what my left-wing friends would call "capitalism". I don't consider your sending of unsolicited advertisements to "an unconfirmed email address" (how many was it really?) to be commerce. I consider it to be spamming.

    I define commercial use as trying to sell a product on the Internet and communicate with customers. You send one single email to an unconfirmed email address and you can be blocked for days. Do that enough and you are out of business.

    You admit sending commercial email to an unconfirmed email address (how many addresses?), which turned out to belong to someone who had not solicited your message. By the usual definition of spamming as "unsolicited commercial email", that means that you admit to having spammed.

    The techniques for operating confirmed mailing lists are not new. Mailing list software to operate confirmed lists has existed since well before the "e-commerce" boom. Thousands of businesses use such software. They operate confirmed, solicited commercial mailing lists ... and they don't get listed as spammers.

    It sounds to me, from your description of the situation, like you failed to do due diligence, failed to take advantage of the information resources available to you -- and as a result, you spammed. In that case, the folks who listed you as a source of spam were telling the truth, weren't they?

    Don't bother saying it doesn't work that way - we just got unblocked from that happening.

    Hey, I'm just working with what you give me. If you'd like to point to a published record of your exchange with the list operators, please do so. A Google search link into NANAE, if that's where the exchange took place, would be more than adequate.

    How many addresses did you spam, again?

  5. Re:Good by odaiwai · · Score: 5, Insightful

    The goal of the blockers is to eliminate commercial use of the Internet.

    This is absolutely untrue. The goal of the blockers is to stop spam and abuse of the network and reclaim it from those who think that merely having an email address is an invitation to get spam.

    dave