Slashdot Mirror


Spam Blackhole Lists Redux

tsu doh nimh writes "Are spam blackhole lists good, bad or indifferent? That appears to be the question they're tackling in this Washington Post story. It has some interesting back and forth between supporters of the lists and those who claim they condone censorship." J adds: Brad Templeton recently offered some comments on the most extreme pro-blacklist position.

8 of 320 comments

  1. Counter to the spirit of the Internet by Anonymous Coward · · Score: 5, Interesting
    It just depresses me that everybody thinks it's OK to drop undesirable segments of the Internet. Doesn't seem to run well with the spirit of Free Speech, and really if you think about it it just makes things like DRM and various recording industry proposals to kill P2P seem reasonable.

    And they're not. They go against the spirit of the Internet. What makes it great is that everybody HAS a voice, and when we start talking about who should have a voice and who shouldn't we start to sound a lot like fascists. Doesn't matter that it's speech we don't agree with, because it's just a matter of time before the whole thing is so watered down that nobody in their right mind will bother to use it (like amateur radio nowadays...)

  2. I still don't understand... by ajuda · · Score: 4, Interesting

    Why don't we just create a system where we all only accept mail that has been PGP encrypted with our public keys? That way spammers will have to burn through a whole lot of clock cycles to get their crap out and as an added benefit, we will get a bit more privacy.

  3. To RBL or Not RBL... by TexTex · · Score: 3, Interesting

    I'm wondering what the slashdot fans seem to lean towards. Is it viewed as better, or easier, to simply flip on a few RBLs and prevent the messages from ever touching your server...or would you rather use these alongside sorting technology to channel spam towards a designated folder?

    Spamassassin and the like do a decent job of helping the spam problem, but my users still complain that their SPAM box has 80 messages a day...even if they get no false positives.

    Personally, I'd rather have control over this than my ISP...as at least I can control how I choose to filter or not to filter. And I think the brute-force nature of an RBL often offers peace of mind but without adequate logging or reporting to guarantee you're only blocking what you intend. I'll settle for a full SPAM box any day...

    --
    -Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.
  4. Blackholes don't really work anymore for me... by jamesh · · Score: 4, Interesting

    I set my mail server to tag emails rather than block them (move to spam folder on workstation), so I see some interesting things...

    When I first tried it 6 months ago, it magically worked, 99% of spam ended up in my spam folder.

    Now the blocking ratio is down to about 10%... and here's why. There are 3 MX records for us:
    A - linux server - MX = 10
    B - msexchange server - MX = 20
    C - isp's server - MX = 30

    messages delivered to A are tagged (if spam) and forwarded to B. B exists in the MX records for redundancy. C is used because A and B are on the same site.

    What I'm finding though, is that spammers send emails to B or C. When A receives the email, it has come from B or C, not the original spammer, so suddenly the blocking doesn't work anymore.

    dammit.

    It can only work if everyone in your MX record list does it, and my isp is the biggest in Australia so it's an awfully large machine to move.

    I have tried adding in more dummy MX records, so that A is first, middle, and last. That seemed to work for a bit but not for long. I might have more success adding different ip addresses for A and peppering the MX list with those... but it's a bit messy.
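
The relay problem in the comment above comes from checking the connecting address, which is B or C once they forward the mail. As an added example (not part of the thread), here is a sketch of the usual remedy: read the `Received` header that the trusted relay itself stamped and check that address instead. The relay addresses, the zone `dnsbl.example` and the sample message are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumed addresses (documentation ranges) for the relays named in the comment.
TRUSTED_RELAYS = {
    ipaddress.ip_address("192.0.2.20"),     # "B", backup MX on the same site
    ipaddress.ip_address("198.51.100.30"),  # "C", the ISP's MX
}
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def client_ip(received_header):
    """Client IP a relay recorded in one Received header, or None."""
    match = _BRACKETED_IP.search(received_header)
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None  # e.g. [999.1.1.1]: not a usable address

def handoff_ip(connecting_ip, raw_message, trusted=TRUSTED_RELAYS):
    """Address that handed the mail to our first trusted relay, or None."""
    ip = ipaddress.ip_address(connecting_ip)
    if ip not in trusted:
        return ip  # delivered straight to A
    headers = message_from_string(raw_message).get_all("Received", [])
    for header in headers:  # newest hop first
        hop = client_ip(header)
        if hop not in trusted:
            # Stop here: headers older than this one are sender-controlled.
            return hop
    return None

def dnsbl_query_name(ip, zone):
    """203.0.113.7 + dnsbl.example -> 7.113.0.203.dnsbl.example"""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_listed(ip, zone, resolves):
    """resolves(name) reports whether the DNSBL answers for that name."""
    return resolves(dnsbl_query_name(ip, zone))

# Constructed sample: C relayed the message to A after accepting it from 203.0.113.7.
SAMPLE = """\
Received: from mx-c.isp.example (mx-c.isp.example [198.51.100.30])
\tby a.example.org with ESMTP; Wed, 1 Jan 2003 00:00:02 +0000
Received: from mail.sender.example (unknown [203.0.113.7])
\tby mx-c.isp.example with SMTP; Wed, 1 Jan 2003 00:00:01 +0000
Subject: constructed sample

body
"""
CONSTRUCTED_LISTINGS = {"7.113.0.203.dnsbl.example"}  # stands in for DNS
```

In production `resolves` would wrap a real DNS lookup against the chosen list; the trusted set must contain only relays you control or whose headers you rely on.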

  5. d. None of the above by mcubed · · Score: 4, Interesting
    I don't think blacklists are good, bad, or indifferent. The questions are how fairly are they implemented, how rigorously are the claims against the blacklisted party checked out, and how accessible are the administrators of blacklists for appeals. Obviously, there are problems with some of the implementations, as detailed in the Washington Post article -- and these particular problems read to me less like the typical growing pains of any developing concept than like design features. I wouldn't trust any blacklist whose operators hide behind a veil of secrecy any more than I'd trust ad-ware.

    Still, how effective can a blacklist, however well implemented & maintained, really be? Isn't this one of the easier types of blocks for spammers to get around?

    If everyone would just stop trying to grow their penises, turn $5 into $5000, and visit XXChristyXX in her all-nude sorority, spam would wither and die. Lately, I've received some very helpful emails about how to stop spam and make money in the process, secrets I will be sharing with about 16 million fellow computer users very shortly.

    --Michael
    --
    "No live organism can continue for long to exist sanely under conditions of absolute reality;..."
  6. Ever wonder? by MegaHamsterX · · Score: 3, Interesting

    Ever wonder why IM has taken off like it has? You don't get fucking spammed.

    Blacklists suck, they don't work. Blacklist an ip address or range and a new guy gets it and can't send mail, real fucking smart and real fucking frustrating to be the admin, use the reverse domain name all you want, but don't involve the ip address.

    Do you think ISPs want spammers? Spammers are a pain in the ass to deal with, they are the squeaky wheel at an ISP and they rarely pay their bills after bitching about everything.

    An extension to smtp and pop3 is needed, smtp stopped working years ago and people now ignore their email, often you need to call someone to check their email and search for you amongst all the spam in their box.

    I'm an admin, not a programmer, but I would do it this way if I was a programmer.

    Mail is received, the host starts out with a zero rating and the user does as well.

    A global bayesian filter then ranks this piece of email, the email is then delivered to a user's box with the rating attached for the domain and the user.

    The user may sort by this rating to filter out spam from non spam, it is optional at this point, but if the user is using software with the necessary extension, the user can then check if the email is spam or good and have the domain's rating adjusted slightly, and the user's rating fully in the negative or positive, if negative the sending user will not have mail accepted again unless someone uprates the user.

    If enough complaints arrive from the sending domain, the domain is blackballed and cannot escape since multiple users have decided that this domain is sending inappropriate email according to the TOS of the receiving ISP.

    So, to be more specific, sorry to make this so long, but maybe it will inspire someone.

    Connection established with port 25, reverse checked for presence on blackball list, if present drop connection silently. No reverse also gets dropped.

    Check for from line with specific user name, if user is on blackball list drop connection silently.

    Receive email and grade with bayesian filter using global ruleset, this filter cannot blackball domain or user no matter how much it looks like spam, but can make it nearly so.

    Deliver mail, if user confirms mail is spam, blackball user and downgrade domain further, this may actually blackball the domain if enough mail is sent and the filter grades it badly enough (based upon average grade).

    Since Dialup and DSL connections do not control their own reverses, it would be trivial to add a simple filter that would refuse mail delivery from these sources, except from their own isp, and then the outgoing mail would be run through a filter, if the rating dropped for the user into negative territory as reported by receiving servers the user would lose their bulk smtp privileges and have their outgoing mail throttled in a severe fashion with all mail containing bcc and cc mail rejected, and the number of emails per hour limited to stave off potential damage.

    The SMTP extension comes into play with a network of these mail servers, blackballed domains would be automatically sent to a neighbour in p2p fashion, but ratings would only be accepted if the neighbour server had a valid key, that would be exchanged amongst admins and a network of trust would form.
    If a domain becomes blackballed, a user/domain notification takes place alerting that site to the fact mail from their domain/user is not being accepted, at this point an admin could get involved, but my guess is that more often than not the domain will remain there.

    Anyhow flame away, my asbestos suit is on :-)

  7. Re:It's not exactly counter... by MillionthMonkey · · Score: 4, Interesting

    Anyway, the point is, if you say something on your website (such as "niggers are great"), I do not have to read it. However, if you send me a nice big jpeg, with a smiling porch-monkey, that says "niggers are great", I end up having to deal with it. If I felt the need for a larger penis and an unaccredited degree, I'll bet Google could help me find places to get that... I don't need someone telling me shit I don't want to know.

    You know, I've seen some really good posts from you that get undeserved hostile replies based solely on who you are and what your unpopular political positions represent. (I know you're only karma whoring to keep your score above 0, but that's sort of irrelevant, really.) You recently wrote this excellent post about calculating bolometric luminosity- and the discussion quickly degenerated into a brawl about racism, with people inappropriately screaming at the moderators for marking your post as Informative, followed by Anonymous Cowards putting in their own racist two cents. I even defended you once, and pointed out that a moderation applies to a post and not its author. (Thus whoring some karma for myself in the process, and making it onto your friends list- so if anyone looks at my fans list now, they'll see "I'm a racist" listed there.)

    You're certainly a character- a racist with a degree in astrophysics- in fact you seem like you'd be an interesting person to know in real life. But if people start screaming "mod this racist down" this time, I cannot defend you. Your actual post was needlessly and purposefully offensive, which is sad because otherwise it does bring up a valuable and subtle point. You just had to spoil it.

    Besides, I can't imagine getting an email saying "niggers are great". It simply makes no sense. Unless it's a white supremacist being sarcastic. And it doesn't fit this situation, since it's political speech. Spam is inherently commercial speech. For your analogy to work, the spam would have to be offering them for sale, not simply saying they were "great".

    Kudos for simultaneously karma-whoring and slipping the words "nigger" and "porch monkey" into your post. I rarely see anyone pull that off.

  8. Re:RBLs are not effective at all. by WoodstockJeff · · Score: 4, Interesting
    Yes, RBLs are becoming less effective. But not because of false positives... it's the false negatives!

    Our small ISP hosts email and web sites for about 40 domains. Our mail servers send me a message every time they bounce a message, for ANY reason, with transcripts of the exchange and the error that caused the bounce. We use SpamCop, Blitzed, Monkeys and ORDB to supplement our internal lists.

    A typical day has 500-1000 messages reach the SMTP ports of our various servers. Lately, 80% or more of them (over 3000 in the last 4 days) are attempts by spammers to hit addresses that don't exist, usually arriving from open relays, proxies, and dial-up lines. And only 50% of those test positive against the RBLs... the rest are blocked by those internal lists.

    Why is this? I suspect it's because the spammers are finding those open relays and proxies faster than the RBLs can catch up. And some open relays specifically block the test software from ORDB and others, trying to stay off the lists without actually fixing their problems.

    Lately, though, it's the open proxies that have taken the lead. We added over 1800 NEW open proxies to our internal lists in the last week. Sometimes, one spammer will try dozens of proxies within hours to get through... Kind of makes it easy to spot them... B-)