Slashdot Mirror
As the Spam Turns
Anonymous writes "The SBL has added Verio's corporate mail servers
to its blocklist which protects nearly 100 million mailboxes, because of the number of spam gangs on the Verio network.
Verio also provides connectivity to AS26212, a collection of 9 of the most notorious spammers netblocks. AS26212 - the new spambone? - is also connected to he.net and bbnplanet.net."
Now how will I know the best way to enlarge my penis or get that degree from a fine, unaccredited institution?!
To see the spammers win and block legitimate sites to stop the criminals is well... criminal. Isn't that what all of us who believe in freedom are supposed to be fighting against. I hate spam as much as the next guy, but I'd rather see every spammer run rampant then restrict even one innocent party nobody cares about.
That's just what the Internet needs. When will ISPs decide, or be forced, to stop playing Big Brother and let the users make their own decisions about what to filter? The technology is out there, in the form of Bayesian filters, and is nearly perfect. So why do we still have to deal with upstream providers knowing what's best for us?
--sdem
I replied with a cheap goatse.cx link. It went something like "Sure, I'll do it--but can you please check my [a href="http://goatse.cx"]website[/a] tomorrow--I will post a picture of an open door to indicate that you have been granted the go-ahead. If not, it will mean I need another day for my paperwork to be prepared. I have been having troubles with my bank lately, and they might be looking into me, but fortunately I have the right friends. I think email is much too insecure for this." I guess trolls do provide something useful for the community.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
As with the UDP, all that ridiculous overreactions like this result in is an increase in those who find the cure nych worse than the sickness.
I used to subscribe to a few filter lists on my mail servers, but the operators are such assholes about things that the lists are now useless, filtering out more valid email than bad (when you consider that a few intelligent local filters can eliminate 90% of spam).
Do you think the people who send out all this spam get annoyed at all the spam in their mailbox or are they proud of the work they do?
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
IE the founder of the EEF and the guy who refuses to close is open mail relay?
autopr0n is like, down and stuff.
In the comment from Spamhaus it is clearly stated that only the Verio corporate mailserver is blocked in order to protect their ISP users.
Freevo - Linux Multimedia Jukebox
This will force Verio to take action.
Yeah.. legal, probably. After all, it is a down economy. I would not be suprised to see Spamhaus served a cease-and-desist before Verio does the Right Thing and starts punting luser spammers.
The admins & abuse people are the ones at Verio really taking it on the chin. I can only imagine the vitriol pouring in their mailboxes and publicly on forums like nanae.
-fester
-'fester
Hmmm ... i don't know if it cooincidence, but the spam in my Hotmail account has significantly dropped off ... from 30 to 100 spam a day down to 10-20 max ...
A while ago I worked for a now defunct dot-com that dealt in e-mail marketing through opt-ins. When we moved to hosting through verio. They threatened to cut us off even though our mailings were opt-in, and sent from a different (non-verio) location.
Their anti-spam policies were so draconian that we had to move to exodus. When did they become pro-spam?
I know I'm going to hell, I'm just trying to get good seats.
Mine also, and I asked a couple friends who run ISPs, one in Japan, they also noticed a drop in spam. Could this "Mike and Andrew" health labs really be doing 50% of the spam in the USA?
Bayesian filters, SpamAssassin, and other client-side content filters can indeed reduce the amount of spam that you see. As such, they can reduce some major costs of spam for the average Internet user, small site, or business: costs such as annoyance, offense, wasted time, and harm to productivity thereby caused -- that is to say, the end-user costs of spam.
However, they have no effect on the cost of the bandwidth and other resource costs of spam, which are substantial for large ISPs and large businesses -- and for the Internet as a whole. In order to perform content filtration on a piece of mail, you must receive it and store it first, which has its costs. (Consider that large ISPs regularly report that anywhere from one-third to two-thirds of their mail is spam.)
Only forms of spam filtration which do not permit the spammer to send the spam to your mail server can reduce the bandwidth cost of spam. In practicality, that means filters which apply to one or more of the following (in increasing order of cost):
(Note the SMTP envelope is not the same as the mail headers, which are part of the SMTP DATA. An SMTP server is permitted to reject mail before DATA, but is not allowed to drop the connection in mid-DATA. If you do not understand this, read RFC 2821.)
DNSBLs -- such as SBL, MAPS RBL, and SPEWS -- all apply to the IP address of the sending system. Domain-based rejection lists (which are not commonly published) apply to the DNS name of the sending system. RHSBLs, and relay checking, apply to the SMTP envelope.
Keep also in mind that one function of some (but not all) DNSBLs is not merely to filter out spam, but to discourage it from being attempted in the first place. By rejecting mail from networks which have proven themselves to tolerate spammers, we tell network operators that if they wish to be able to send us mail, they must kick off their spammers. It's their choice which they do; they just have to choose which is worth more to them: being able to send mail to sites that don't like spam, or being able to host network-abusers with impunity.
(Incidentally, you will find precious little sympathy for calling spam filtering "censorship". Censorship, as those who have experienced it understand, happens when some party uses violent force to stop a view or expression from being published by its advocates (at their cost). Spammers aren't trying to publish their views at their own cost and being violently restrained from doing so: they're trying to steal the use of others' equipment to publish their stuff.)
We really need a law which requires Internet service providers to publicly disclose their terms of service -- that is, publicly disclose what terms of service they actually enforce.
After all, it's really just a consumer protection issue: Verio claims to have an active abuse department, and is thereby misleading people who assume that spammers on Verio's network will be shut down.
Tarsnap: Online backups for the truly paranoid
Luckily, the spamfighting community has a great deal of experience with such misbehavior. The slang expression among spamfighters for a sender of baseless legal threats is "cartooney", as in cartoon + attorney. Spammers send these out by the boatloads when their delusions suggest it will get people to stop trying to block their thefts.
Steve Linford, the operator of the SBL and ROKSO (and known in China as Stiff Linefeed) is a long-time anti-spam veteran, and has a great deal of support from others such. If Verio tries to harangue, hassle, or hornswoggle him into falsely removing them from SBL, he will have dozens of clued and supportive people on his side. If Verio files suit, Mr. Linford will have a substantial legal defense fund faster than you can say "Canter & Siegel".
Stopping email from the Verio domains is going to cause more pain than it will help. It is only a matter of time until the spammers find some other vendor to help them send their ads. Money talks, and in an open market, someone will provide the goods.
I honestly believe that the only way to free ourselves from spam is intellegent filtering. Making it illegal will only cause the spammers to move overseas, if they even notice the law at all. The internet is far too large an entity to make a difference by blocking the IP addresses of spam-friendly domains. It won't put a dent in the real problem.
ISPs need to realise that if they're not going to do anything about it, they'll be blocked. This happened to us years ago when the ORDB started, and we fixed the problem immediately. We didn't think they were being nasty to us, we realised we had a problem, and we set about fixing it. When ISPs get globally klined from IRC networks, their customers want to know why, and put pressure on the ISP. They listen and respond.
This is no different. If yer gonna be a spammy host, prepare to be blacklisted. Reponsible, rigid, no nonsense, targetted policies are the only thing that will have ANY effect, and even they won't STOP all spam. But it sure helps.
---
When I grow up, I want to be a kid again.
Spam blocking has been around for ages. Blocking broken mail servers has been around for ages. Apparently, it's not working as my mail box still contains a lot of spam.
We need a new solution folks, and blocking large portions of the net will not fix the problem. If you want to make *all* spam to go away, you need a different form of a solution because you can't block everyone who might want to legitimately talk to you. This decision will certainly block a whole slew of legitimate users from speaking with each other.
I'm thinking SMTP needs to be entirely rethought. Unfortunately, this isn't practical either as it'll have the same effect as deliberate breakage during the transition. (hence the reason we don't have ipv6 yet either).
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Actually, most "spam blockers" work for organizations which commercially use the Internet. They are mail administrators for ISPs or other companies, which have directed them to reduce the impact of spam on their businesses -- to cut costs or to improve service to customers.
Spam isn't commercial use. It's criminal use.
No, I don't. I define it as the use of the Internet for commerce, which is to say economic activity between consenting traders and investors -- what my left-wing friends would call "capitalism". I don't consider your sending of unsolicited advertisements to "an unconfirmed email address" (how many was it really?) to be commerce. I consider it to be spamming.
You admit sending commercial email to an unconfirmed email address (how many addresses?), which turned out to belong to someone who had not solicited your message. By the usual definition of spamming as "unsolicited commercial email", that means that you admit to having spammed.
The techniques for operating confirmed mailing lists are not new. Mailing list software to operate confirmed lists has existed since well before the "e-commerce" boom. Thousands of businesses use such software. They operate confirmed, solicited commercial mailing lists ... and they don't get listed as spammers.
It sounds to me, from your description of the situation, like you failed to do due diligence, failed to take advantage of the information resources available to you -- and as a result, you spammed. In that case, the folks who listed you as a source of spam were telling the truth, weren't they?
Hey, I'm just working with what you give me. If you'd like to point to a published record of your exchange with the list operators, please do so. A Google search link into NANAE, if that's where the exchange took place, would be more than adequate.
How many addresses did you spam, again?
I find that figure *very* hard to believe. How do they figure it's 100M?
Here's hoping this group is more responsible than SPEWS. With that (likely bogus) figure being announced, I doubt that they are.
The goal of the blockers is to eliminate commercial use of the Internet.
This is absolutely untrue. The goal of the blockers is to stop spam and abuse of the network and reclaim it from those who think that merely having and email address is an invitation to get spam.
dave
Same here. The spam noise level on Hotmail is so intense that instead of checking individual items to delete, it's easier to set your hotmail preferences to display only 25 emails at a time, and then when checking mail just always click on the "check all" box to tag EVERYTHING for deletion. Then quickly scan down the list and maybe uncheck the one piece of email that is worth reading. I've saved my index finger from carpal tunnel this way.
Anyway, I used to plow through at LEAST three screenfuls of garbage at a time this way on Hotmail, but in the past few days, I've been doing only one screenload and getting all of it. So maybe something has happened.
Of course, it's going to come back very soon, so don't get too used to this. It's strange how we've sort of come full circle from being an agricultural economy and shoveling horseshit all day, to having an industrial revolution, and then computers, and worldwide computer networks, and after all this we end up still having to shovel mountains of horseshit around on a daily basis.
in first place is 'hinderance of interstate trade' followed closely behind by 'defamation of character'. Coming up fast is 'Lost revenue!' This is gonna be a photo finish folks...
"It looks like this could be a photo finish, or an oil painting..." Spike Jones, "A Day At The Races"
The problem is, everything on the track right now is a dead horse. Worse still, these horses are being beaten by jockeys with really big... bank accounts, so they'll somehow manage to win the race every time, leaving the long-standing dark horses "customer service" and "viable communications option" in the dust.
Come to the University of Mars! Classes starting soon!
TMDA offers those who want it the ability to filter e-mail through a confirmation process (or, you can generate "keyword" or "dated" addresses for temporary use in newsgroups and other high-harvester areas). My spam went from several tens of spam messages a day to zero after spending a couple of hours with TMDA.
This solution doesn't do anything about bandwidth (since you will still get the same amount of spam traffic at your mail port), but it's a fuzzy-warm feeling to be in control of your own mailbox for once.
Yeah, and you take one thing from a store without paying for it and you can get arrested for shoplifting. Life just sucks sometimes.
/. If the government wants us to respect the law, it should set a better example.
You send one single email to an unconfirmed email address
Actually, having just tried a demo of CD-R Diagnostic (an excellent program, btw), I'd like to point out that you send FOUR. Two in quick succession when the demo is downloaded, one three days later, and one five days after that.
The last e-mail says that you delete all evaluation e-mail addresses after 14 days, but the others give no indication of when it will end, there are no remove instructions, there is no explanation of how you got my address, etc. If I got this because someone typed in my e-mail address, I'd probably report you too. You should read up on the Ten Rules for Permission-Based Marketing.
the size of the vagina is related to the expected size of the head coming out not that going in.
I'll probably get tagged as a troll for this one, but...
I support and believe the position that spammers or other unauthorized users of a system that I own are stealing services from me. I further believe it is OK to block their traffic from crossing my equipment.
Now, let's look at this from the telemarketing perspective...My phone at home is one of those models that has a wall wart. I believe when the phone rings, or is in use, it draws more current. So, when a telemarketer makes an unsolicited (and unauthorized) call to my phone, does that mean they're stealing my electricity? What about my most valuable resource, my time? Are they stealing my time?
I hate spam just as much as the next guy. And I don't believe ignoring people who cause a nuisance infringes their right to free speech. I do however believe the "telemarketing" lens will be used by the Judicial System when examining these issues. Sooner or later, these spammers will mount a constitutional challenge to anti-spam legislation. Well, if they are making that much money, anyway. They may not even need the money for such a battle, it seems the EFF just might take up their cause.
cat
And what would it have taken to confirm that address? Perhapse ensure that you weren't opening yourself, and some unwitting third party, to abuse?
'member when Usenet admins stopped filtering spam to get some attention to the problem? That sure as shooting got people to pay attention, what with all the servers that went up in flames from the load. Maybe that's what we need with email, it feels like we're building to that kind of standoff.
Bet we'd see some real legislation and enforcement then, eh?
This works best if you own your own domain name and can create multiple pop boxes. It's still doable using regular email accounts, however.
Step 1: Change your email address to a previously unused address at your domain. Test it for a day, verify no spam is coming in to that address.
Step 2: Email all your trusted friends, relatives and business contacts your new email address.
Step 3: Remove your old email address links from your website and replace them with a feedback form that emails an unrevealed throwaway secondary address using your favorite web -> email gateway scripts.
Step 4: Create a bounce message at your old address, with a link to the feedback form, for all the people you forgot to email about your new address, and for people who want to contact you through your old address as they have found it on google searches or other archived postings, or your old business cards, etc.
Step 5: Receive both the new email address and the feedback form submissions on to your local mail reader. Filter them in to seperate directories. Give out your real, private address to feedback form users once they've verified themselves as being legit. If not, have a throwaway identity you can talk to them through. (the email account that the feedback form mails to) If you start getting spam at that address, simply change it.
Step 6: When you make public postings, post the feedback form URL instead of your email address. When you have to give your address away to commercial websites to sign up or download things, give them the throwaway address, or create a third address for legitimate online companies and filter that into a third folder for "commercial website email" If that get compromised by an unscrupulous business, change it. Still doesn't affect your primary private address.
You can receive the two or three addresses all at once with any modern mail reader, and filter them into folders. I personally use Eudora.
This is a really easy thing to do if you can stand changing your email address. I've had the same address since 1995, so I get about 150 spams per day. I have a filter that gets rid of most of those, but that's local and I still take the bandwidth hit, and about 20% of them get to my inbox still. Rather than try to over-filter and get a false positive, I think the above solution is a worry free and clean way to make a break from spam.
---Mike
not that any of this will happen, but I see a lot of posts mentioning ideas like adding a new standard, a "SPAM" flag to the standard SMTP headers. What about something even lower than that? tcp/ip has plenty of bits left for "future expansion", why not an "Advert" bit? how about a couple different ones- "Main", "Advert", "Stream", just as bits? You know, things that can be knocked out with very little proccessing by routers?
That could speed things up a lot.
And now a future timeline:
-Terrorist groups note that many routers are dropping "advert" spam before they reach the mail servers, start sending messages with the "advert" bit set, thus avoiding detection by bugs in mail servers
-Government catches on, starts paying close attention to posts with the "advert" bit set
-Advertising is outlawed after Bush calls the advert bit "evil"
-- 'The' Lord and Master Bitman On High, Master Of All
Hotmail just started using Brightmail, hence the drop in spam. It's nothing to do with blocklists or Verio.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
We were blocked (wrongly) a while back by some cowboy with a list.
No you were not. As you yourself later point out, people who compile lists don't block anyone.
Practically everyone listed claims that they were "wrongly" listed (and maybe you were). And you will find an astonishing number of "innocent" people in jail if you do a survey of the incarcerated. I have heard proclamations of innocence from multiple people running open relays and from those who claim to have purchased "opt-in" lists of e-mail addresses. In many other cases, these "wrongful" accusations are because some firm had a registration form with some tiny checkbox hidden below the bottom of the screen that, by default, gave them and/or their "business partners" permission to spam. Frankly, if a company tries to deceive its customers that way, then they deserve to be blocked.
The goal of the blockers is to eliminate commercial use of the Internet.
Spoken like a true spammer*. The goal of the blockers is to eliminate theft of bandwidth, storage, and time via spam. They want to make spam unprofitable both for those who send it and those who enable them. In short, they want to stop people from being bombarded with unwanted bulk e-mail delivered at the recipient's expense. What you said is analogous to saying that the goal of store security is to eliminate commercial transactions in stores.
I have a domain on which I employ aggressive anti-spam filtering, based on IP addresses, addressee, content, and header criteria. In the last couple of weeks, I have received commercial e-mail directly related to purchases from Gateway, TigerDirect, MCM Electronics, HP, and Directron. I do a lot of business on the net and rely on e-mail for everything from order confirmations to customer service inquiries. So please don't tell me that my goal is "to eliminate commercial use of the Internet."
We have to move away from relying on an unreliable communication media (email) just to stay in any form of business at all.
All of the firms that I mentioned above rely on e-mail. Dell never seems to get blacklisted. Neither does HP, Directron, Amazon.com, ebay, General Motors, etc. Just what was your firm doing with e-mail? Were you using it to send advertising? If so, how did you compile the list of recipients? Was it from a link that said 'click here to get our advertisements' or was it via some registration form that purported to be for some other purpose (e.g., order placement, tracking, customer survey, contest, etc.)? I just have trouble believing that some blacklist maintainer blocked you because you sent an order confirmation to someone.
* Note that I said "like" -- I'm not accusing you of anything
No. Email has _never_ been completely reliable. There is nothing in the RFCs that guarantee delivery of every email.
Spam on the other hand, makes email _more_ unreliable because of the unwanted volume of it. Spam blocking is a means of reducing that volume.
No. Consensual commercial email usage is preferred. Unsolicited and unwanted email in volume is what we seek to eliminate.
Funny how you need your services blocked before you actually take responsibility for your mail server. Now had you been a competant and responsible administrator, you probably wouldn't have been on a block list in the first place.
First, your phone doesn't draw any more power to ring, or at least it shouldn't. The power necessary to ring is sent down the line. Have you never seen a phone that plugs only to the line? I have one sitting right next to me.
As to your time, well, all sorts of things "steal" your time and and thus far that's not something that you have any recourse for. Besides, you waste plenty of people's time too, it's just how things go.
The big difference between telemarketing and spam is who pays the cost. When a telemarketer calls me, I don't pay a thing, even if I do choose to answer the phone. They pay all associated long distance charges, my line costs me the same amount no matter how many calls I recieve. With SPAM, it is other peopel that foot the bill. The spammers order mail servers to send out thousands of messages, which uses tons of bandwidth on their ISP, and all the recieving ISPs. I work at a university and the amount of bandwidth used to SPAM is not trivial.
This is why telemarketing is not allowed to a cellphone (in the US), you have to pay for all calls including those you didn't initate, so people aren't allowed to make sales calls that would cost you money.
Also telemarketers tend to be much less persistant and much less fraudlent than spammers. Every time I've asked to be placed on a do not call list, the telemarketers have complied (because I can sue them if they don't). Also, all the sales calls I get are really offering me a legit service. When Sprint calls me selling long distance, they will make good on the offer if I want. At least 40% of the SPAM I recieve is totally fraudlent, and spammers don't know when to quit. I have recieved over 10 SPAMs per day for the same thing, form the same company. The only telemarketer I know that tried that receantly is the Miss Cleo service, and they got shut down and fined millions for it.
I do know that one of their employees handling spam complaints did give me a reason to pause once -- she initially accepted a spammer's response, but that action was reversed as soon as I challenged it, and the customer was terminated, and I was sent an apology making clear that this was a mistake, not a new spam-tolerant policy at the company. Later complaints were promptly and properly handled.
I believe that at least three he.net customers were terminated in the past year due to complaints I submitted. (And I was a lowly $200-per-month colo customer, and at least one of the terminated customers was much bigger.)
If he.net is leaving the door open to spam-cartels, despite warnings, then of course they should be blacklisted. I just find that harder to believe. In contrast, my experience has been than Verio is extremely spam-tolerant, even balking at terminating Spamford Wallace (they finally relented and cut him off, which resulted in his filing a frivolous lawsuit against me, costing me $5,000 to get the suit dismissed). All my more recent spam complaints to Verio have gone unanswered, and I know I have several Verio IP blocks already on my filter list, though I haven't blocked all their IP addresses.
-- http://www.MarkWelch.com/ Pleasanton California
More than that. Verio could (and, possibly, already has) experience widespread blocking of their IP ranges by individual SysAdmins in privately-run (read: local and site-specific) blocklists, if they're dumb enough to throw cartooneys at Spamhaus.
In fact, they already tried the same stunt on Ron Guilmette of monkeys.com (threatened legal action when Ron expanded their listings on his system). Within (probably) minutes of the word going out on the newsgroup, many SA's, myself included, started asking for lists of Verio's IP ranges, and inserted those lists in their private blocklists.
In short: If they threaten legal action against people who are doing nothing more than expressing an opinion (in the form of publishing lists of IP addresses they think are contributing to the spam problem), and taking steps to protect their private property (by checking incoming mail connections against that same list, and selectively blocking the unwanted stuff), they're only going to dig themselves deeper into their existing hole.
Verio is second only to UUNet (also known as 'SpewSpewNet') for harboring spammers. They need a wake-up call like nobody's business. If Steve's listing doesn't do the trick, I don't think anything else will.
Bruce Lane, KC7GR,
Blue Feather Technologies
While you may have broadband, not everyone does. Probably 50% or more of Internet users are still on dialup.
While you may only check your mail from one machine, not everyone does. And most people don't have the luxury of setting up an IMAP server so they can access their post-filtered mail remotely. (I do, but a cable modem connection isn't the most reliable, so I often find myself having to read raw unfiltered spam-laden mail.)
Also, wireless access to email from cell phones (either "dumb" WAP browsers or "smart" integrated PDA/phone solutions) is becoming more common. Have you tried downloading 100 messages over a 14.4 connection, only 5 of which weren't spam? Have you tried sifting through 100 subject lines on a cell phone screen. (It's painful even on a Palm PDA screen like my Kyocera 6035's). Thanks to the proliferation of spam in my inbox, I cannot even THINK about using my wonderful phone for email, something which it would normally be excellent for.
It doesn't matter how good client-side filtering is (mine is a manually maintained blocklist, plus a few rules to detect malformed HTML that is always spam and fake Yahoo/Hotmail/Netscape addresses not coming from their servers.), the client still must pay for bandwidth, and in the case of wireless users, per-minute download time at 14.4 (Or in 2.5G systems like Sprint Vision and Verizon Express Network, per-kilobyte.)
Simply put, it costs the user money to receive spam, therefore something needs to be done about it before it reaches them. Server-side blocking reduces user costs in:
a) Download time/bandwidth for the mail
b) Storage costs on the ISP server that are passed on to the user in the form of higher fees.
These are both costs that cannot be negated with client-side filtering.
retrorocket.o not found, launch anyway?