Slashdot Mirror
The Spam Problem: Moving Beyond RBLs
whirlycott writes "I just published a paper called The Spam Problem: Moving Beyond RBLs on my site. I comprehensively describe RBLs and list eight specific problems with them. I also get into ideas that next generation antispam system creators should read. I hope that this will be useful to anybody who is attending the Spam Conference at MIT on Jan 17th."
1. Don't let a spammer verify your email address
2. Don't post your email address on the internet
3. Secure your email client
4. Avoid common email traps
5. Fight back
Let me know if these can be improved.
Read my sig if you like, but I'll never see yours, thanks to Discussions, Viewing, Disable sigs...
My company was collateral damage on SPEWS last month and I kicked the *^&^#$* out of our ISP for hosting Global Travel on our netblock. They got booted and we got cleaned off the list. Bada-bing bada boom.
5 2%24Db4.726975%40twister.tampabay.rr.com
RBL's are like a fever. They tell you when something it wrong and only a dork blames the fever when the problem is the disease. Get your ISP to whack the spammer or change ISP's.
http://groups.google.com/groups?threadm=Fc6K9.262
My God! It's full of Voids!
Stupid job ads, weird spam, occasional insight at
Having briefly looked at the paper, it seems like the usual complaining about RBLs as being too broad you see all the time in NANAE (news:news.admin.net-abuse.email).
Summary: someone tries to send email and finds that they're listed on SPEWS. They complain because "we're not an open relay", without figuring out just why they're on that list. Almost invariably, they're on the list because their ISP persistently ignores spam complaints and prefers spammer money to honest customer money. I think there's been about two or three actual mistakes in the SPEWS listings in the year or so I've been following NANAE. Otherwise, it's all been a legitimate extension of the block because the ISP knowingly ignores complaints and supports spammers.
Spam is theft. Theft of Bandwidth, theft of service and theft of time. It's that simple. Spammers are thieves. ISPs which support spammers are thieves. Soon, they'll be blocked from the public internet for anti-social behaviour. After all, if your local bargain supermarket ignored the thieves stealing 20% from every transaction you make with them, will you go back?
Many South American and Asian ISPs are blacklisted because they were quite happy to spam everyone when they could steal bandwidth and service from other ISPs. Now that they're blacklisted, they're whinging and moaning about 'freadom of speach', interference with interstate commerce, and other such bullshit.
It's about none of these things. Blacklists are about protecting your network from a Denial of Service attack by spammers.
People who complaing about RBLs (OR DNSBLs, to be more accurate) are missing the point. They should be complaining about spammers who think it's acceptable to steal my bandwidth and your bandwidth to advertise their product..
dave "the only good spammer is a rotting corpse, dangling from the noose"
The problem is that you are in a global network. It is like the problem of eating whale meat, you can persuade 99.999% of the world population that eating whale meat is a bad idea but the other 0.0001% that is left can eat the endangered species to extinction within a matter of months.
It only takes a vanishingly small number of businesses out there to SPAM and you have a massive problem.
SPAM does not have to even be profitable for people to do it. If I wanted to launder a lot of drug cash I would set up a spam house and bombard people with ads for herbal viagra..
There was a time not so long ago when the majority of the SPAM being sent out was adverts for spam software. SPAM does not have to work as a marketing method for creeps to get rich charging others to spam. The pitch line they use to haul in suckers is 'it must work or why would people do it', well no, it does not have to get one single end customer for it to work for the spammer.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
(1) You (and I) get too much spam.
(2) Your e-mail system administrator (and mine) need to keep beefing up the servers because the sheer volume of e-mail is growing so quickly.
To a first approximations, filters solve (1) but not (2), and black hole lists solve (2).
whirlycott summarizes the problem with (2) in two words: "collateral damage." How much of the e-mail network do we need to destroy in order to save it?
We need to move past first approximations. We need systems that work at the server level, but that somehow address the problems of collateral damage and false positives.
This is only the tip of the iceberg. Any network messaging medium is vulnerable to abuse by spammers. The problem started with Netnews, it continued with e-mail, it's happening now with instant messaging. We need at least high level solution that helps solve the problem regardless of prototcol.
I wish I had one.
Stupid job ads, weird spam, occasional insight at
The problem, as I've said here before, is SMTP itself.
The RFC pretty much states that to be compliant, you have to accept the mail as it is presented. Can't achieve accurate or trusted reverse name lookup information on the sending system? Well, that's tough, take the mail (read this for yourself).
This problem stems from when systems on the Internet were inherrently trusted. That's not the case any longer, and it's time for a new mail transmission standard.
For starters, it should allow system administrators the ability to give priority to systems that can present some form of credentials. SSL or keyed encryption, whatever the standard is, it will permit systems to give totally trusted access to systems that meet the specific security and trust guidelines of the receiving system, not the RFC (times have changed, tough).
Those systems that do not meet minimum trust levels will either have to clean up their act or take the time to contact the remote system to figure out the issue.
It won't stop spam, but it will go a long way to slowing it down and possibly providing some secure method of mail transport in the process.
One proviso: if anyone complains, I will look at it.
RFCs require that one accepts mail for postmaster@domain.com and from the empty envelope sender. Since I do this, I believe I am fully RFC compliant.
So stop whining about DNSBL. The problem is wider than that, and will not be solved by getting rid of DNSBL. The system isn't perfect, but that is not the issue.
Conversion Rate Optimisation French / English consultant
I have been a very loud protestor about collateral damage in news.admin.net-abuse.email. I well understand the problem but I think you over-estimate it. SPEWS deliberately lists non-spam-source IPS - that's collateral damage, that's wrong and avoidable. Take that away and the remaining collateral damage is unfortunate but not severe.
Many have changed how they use RBLs - instead of simply rejecting they send a reply asking for confirmation the sender is a real human. If that confirmation is made the original message is delivered. That seems to be simple, straightforward, and capable of reducing collateral damage to a very low level. It even has intelligence behind it.
I advocate relay spam honeypots (and open proxy honeypots - move with the times, keep up with the spammers). The white paper doesn't even mention these. The WP has the section asking if open relays are necessary. Well, no, they probably aren't. Is there a point? For how many years has there been an effort to secure open relays? Has it succeeded? The fact is that they are there - asking if they are necessary may inform you but it doens't change the situation in any useful way.
For all these years the spammers have been given free access to the relay level - there's a self-satisfying division into the secure systems run by the wise and the open relays run by inept administrators. that division allows the operator of a secure system to condemn the operator of an open relay with confidence - he can strut. Yipee. As a spam-fighting tool it's a close to a complete bust. Well, yeah, lots of open relays have been secured. BFD - there's still enough for the spammers, and RFC 2505 said it would be this way. Yo: RTFM (in this case RTFRFC.)
You want to hurt the spammers? OK, hurt them. It's not like you have to go out of your way - accept and deliver one of their relay tests and the chances are excellent they'll send you spam that you can discard. That's still a secure system, but it has teeth instead of gums.
There's all these people falling over themselves devising elaborate filters. If you simply open up a relay enough to accept the spam but not deliver it there's no filter needed - a non-mail-server system that receives relay email receives close to pure spam - you will never get a filter as selective as that. Accept and deliver the relay tests and you have screwed the spammer. I won't even enumerate all the ways he is or can be screwed but there's a bunch.
If 5% of the Windows systems with network connections ran Jackpot then spam would be dealt a mortal blow:
http://jackpot.uk.net/
It isn't hard, and it does tremendous good. Check it out.
Isn't this how a blacklist is supposed to work? I thought the idea was precisely to annoy the honest users, such that they complain to the ISP. If the users know that they are blacklisted because of a spammer, they are likely to either leave the ISP or pressure it to turn the spammer off. It's not nice, but the intent is to get results.
I assert ownership of all trademarks and copyrights on this page.
A huge amount of spam is being sent through unsecured relays in Asia and South America. Consequently, an overwhelmingly large percentage of the hosts listed on RBLs are in fact based in these countries (see Wired article: Not All Asian E-Mail Is Spam). This amounts to nothing less than discrimination and isolationism that is being used to slowly cut off countries that have a critical importance in global matters
Obviously, if a huge amount of spam is coming from a huge amount of servers in a country, a huge amount of servers in that country are going to get blocked.
How about we drop the sensationalism here?
It's not some conspiracy to block all mail from Asia.
Look, maybe some people need to get mail from Asia, but I don't have any reason to. I'm not obligated to let anyone on the internet contact me at will. I can pick and choose who to block/accept at will. If people in don't want their servers to get blocked, maybe they should deal with their spam problem. I don't have time to fix it for them.
Look at it this way:
The internet is this huge shared network. It has a finite amount of bandwidth and it works because everyone carries data to its destination.
The question here should not be if any nodes should ever get blocked. The question should be: How much junk traffic should a single node on the network have to generate before it happens?
At some point you have to start blocking people. If I start DOSing an email server (almost what spam is), I can expect to have my traffic blocked at some point. Maybe I have to send a million junk messages, maybe a billion, but at some point it's costing too much to carry and process my traffic. Yes, bandwidth costs money. That's just the way a system like the internet has to work. There have to be mechanisms in block to handle the case were a node starts misbehaving. One of those mechanisms has to be dropping traffic from that node.
Carrying junk traffic costs money. Filtering costs money. At some amount of traffic, the cost becomes too high, and you have to block the traffic. Think of it as a signal to noise ratio. There always needs to be some number, at which you pull the plug, because the data isn't worth dealing with anymore.(And filtering it is too expensive)
Any time you share something you're going to need the ability to do this. If I start driving in the middle of a two lane highway, I can expectect to get pulled over and have my license revoked (eventually). It should be. I'm messing up things for everone else and the sensible way to fix it is to remove me.
Life is too short to proofread.
Not exactly. Besides being a theft of end-user and mail-site resources, spamming is also a scam perpetrated upon businesses. If you got spam advertising Joe's Naked Kinky Web Site, that probably isn't because Joe thought up the idea of spamming you all on his own. Most likely, a career spammer (let's call him Alan) convinced Joe that spamming was:
- effective,
- legal, and
- everyone's doing it anyway, so why miss out?
Joe then paid the career spammer to spam for his naked kinky Web site. Since all three of Alan's claims are false, and he knows it, this means that Alan has defrauded Joe. He exploited the fact that Joe is probably neither an Internet expert nor a lawyer, but he does feel competition from other naked kinky Web sites, to convince him to pay for spamming.(Yes, Alan the spammer told the news media that spamming is effective, too ... and they believed him. He was lying there, as well -- but it got him, and spamming, free advertisement in the news!)
This scam does not rely on spamming actually being effective, so long as vendors still believe it might get them an edge over the competition. Thus, getting people to quit buying spamvertised products cannot (directly) affect it. Only when all vendors on the Internet -- yes, including naked kinky Web sites -- realize that spamming doesn't work, isn't legal, and that they can do just as well without it, will spamming go away.
But, you see, those things he's "pointing out" are wrong. They just aren't so. They aren't the way the world works, and they aren't the way DNSBLs work.
It is not mail users who want us to consider DNSBLs passe' or something to "move beyond". It is spammers who want us to give up our current most effective tool for collaborating to impede their crimes.