DoS Assaults Underway Against Spam Blocklists

Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.

Why does he think it's spammers?

[seanadams.com]

Apparently spammers aren't going to sit by...

Has anyone stopped to think that maybe it's not spammers who are doing this? I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down. They are pure evil in their methods, and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

All of these centralized blacklists have made so many enemies in their history that any finger pointing is simply laughable. They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks. This is not your normal DDOS: it is not only the originators of the DDOS, but the very network itself that wants them destroyed!

Re:Why does he think it's spammers?

[ahodgson]

Actually SPEWS is very effective. It makes people DO something about spammers they are harbouring or sharing space with. Naturally, that's why you hate them.

Re:Why does he think it's spammers?

[fmaxwell]

I hate spam with a passion, but words cannot describe my pleasure in seeing these blacklists, especially SPEWS, shut down.

I will be equally happy when someone uses a DoS to keep you from posting comments with which I disagree. As you point out, a DoS is a valid way to suppress free speech.

They are pure evil in their methods,

How is it "evil" to publish a list of IP addresses that match a listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).

and largely ineffective against spam while causing massive inconvenience for ISPs and legitimate users of the network.

Absolutely untrue. I use several of the blacklists for my domain and the quantity of spam blocked is tremendous with very little collateral damage. Without those blacklists, I would be seeing far more spam than legitimate e-mail every day.

They have made powerful enemies, including the large ISPs who happen to be the only ones that in a position to stem these attacks.

Yeah, the same large ISPs who, in many cases, were writing "pink contracts" for spammers and making money from spam. Those are the large ISPs that really hate the blacklists. And if it wasn't for the blacklists, more and more ISPs would be writing pink contracts.

Re:Why does he think it's spammers?

[nearlygod]

The problem is that they are not checked and updated (at least in my experience). My companyies IP (actually my ISP's entire C-block is blacklisted by one list and dispite trying for 6 months, I have had no luck getting removed. I have gotten zero responce from the blacklist dispite many attempts and following their removal instruction to the letter. No other blacklist has us listed and we have never had an open rlay or sent spam. So to me, this particular blacklist is evil and since they are the only one that I have had to deal with, I wouldn't be suprised if others have had the same experience.

Re:Why does he think it's spammers?

[TillmanJ]

Oh...I just noticed, the poster is a proud Republican...that explains it. Anyone who feels the need to brag about their conservatism generally has a soft spot for Joe McCarthy.

Anyone who needs to point out someone elses political leanings in order to denigrate them generally has a soft spot for Chairman Mao.

Re:Why does he think it's spammers?

[rusty0101]

"They are pure evil in their methods,"

How is it "evil" to publish a list of IP addresses that match a listing criteria? You don't want to block e-mail from Nigeria? Fine. Don't use nigeria.blackholes.us. You don't like SPEWS listing criteria? Don't use them. (I don't because I don't like their criteria).

What he is getting at is not himself using the list, it is midling sized ISP's using these lists preventing him from sending legitimate e-mail to people who can't get that e-mail, because his ISP is blackholed even though the ISP has corrected the issue that got them on the blackhole list in the first place. Or that his ISP's ISP happens to be blackholed through no falt of his own ISP's policies or practices.

The problem with blacklists is that they decide that it is more important to thow the baby out with the bath watter than it is to see if the baby is clean.

-Rusty

Re:Why does he think it's spammers?

[dissy]

> I'm sure there are a million other guys out there with a thousand dollar a month
> T1 that is completely worthless for emailing customers thanks to these
> blocklists.

What you are wrong about is its not thanks to the blocklists, its thanks to the ISPs that have willingly chosen to use the blocklists, and share the same opinion as the people that run the blocklist, who do not want you to email them.

Do you think its only you that knows SPEWS blocks UUnet ?
The ISPs that use SPEWS know this too. They still use SPEWS. They do not want email to enter their network that comes from you!
Yes, even through about 4 levels of indirection, the networks you are trying to send email to have chosen to not want your emails.

Why are you blaming the blacklists for this?

You bitch and moan that it isnt fair to you to have your IPs blocked by those that want them blocked. You sound just like a spammer with that logic.

You may be happy to see SPEWS packeted until they are shut down, but what about my right to choose that I want to block email from people who spam, and people just like you, who use ISPs indirectly that support spam?

Are you so much more importaint than I that my right to choose not to recieve your email is less importaint than your right to force your emails upon me aginst my will?

Re:Why does he think it's spammers?

[drudd]

You claim it's a false analogy, but everything you bring up makes the analogy more apt in my mind.

These lists are basically operating under the assumption that punishing a large group of people weakly associated with undesired behavior will result in the elimination of that behavior by the minority of that group. The innocents are unable to do anything about the people they are affiliated with. The ISP is like a zoning commission. Yes, with enough complaints from their customers/constituents, they might change their ways, but in the short term, the people punished have no real control over the situation.

You also show why this tactic is doomed to failure. The honest non-spammers will continue to not spam, but be incredibly inconvenienced, while the spammers will ignore the edict and run around spamming on other networks.

Doug

Re:Why does he think it's spammers?

[hawkfish]

Anyone who needs to point out someone elses political leanings in order to denigrate them generally has a soft spot for Chairman Mao.

Amusingly enough, this can be applied to Rush Limbaugh and most of the other right wing fruitcakes in the US. As it is written, "Choose your enemies wisely, for you will end up resembling them."

It's illegal

[mabu]

Would someone please remind the federal government that DOS attacks are illegal? Anyone want to encourage them to take action against these people? Can they stop playing golf long enough to do their job?

Re:It's illegal

[antis0c]

I love "A friend of mine.." stories, they're like Unicorns. You always hear about them but never see any proof. :)

Distributed blocklists

[silentbozo]

Bad for them. The main reason for creating centralized blocklists was so people who reformed, or who kicked spammers off their blocks, could have their IPs relisted without having to worry that random admins had hardcoded filters into their routers. One central source for listing, one central source for delisting.

If they succeed in negating the value of centralized blocklists, guess what - admins will go back to blacklisting blocks manually. Those IP blocks will become useless once enough people add them to their blocklists, and there won't be any easy way of redeeming them.

Anyone who wants to get internet access better get a clause in their contract guaranteeing that the IPs they get weren't abused by someone in the past, or else they might be getting a useless connection.

Desparation

[RevJim]

This is an act of desparation on the part of spammers that proves the anti-spammers are winning the battle. Fortunately, the next phase of the "war" is moving away from blacklists and focusing on technologies that are user-based and user-specific, such as Bayesian filtering. There is no level of DDoS attack that can stop that battle.

Re:Desparation

[McDutchie]

Fortunately, the next phase of the "war" is moving away from blacklists and focusing on technologies that are user-based and user-specific, such as Bayesian filtering.

On the contrary, spammers love Bayesian and any other kind of filtering because it doesn't stop them from sending their spam. They love it when people "just hit delete" either manually or in an automated fashion through filtering, instead of actively blocking their junk and getting their accounts shut down. They don't mind that you don't get their junk; they will just increase the amount of spam they send tenfold every year so they keep making money on those suckers that are born every minute, until e-mail has been completely destroyed. Blocking - aggressive, massive blocking and boycotting of spam supporting networks - is the only way to save e-mail.

ever tried to get off SPEWS?

[Barbarian]

Go to nana-e, and they'll tell you that robots from space run SPEWS, and there's no way to get a hold of them. They start with Class C's, then progress to banning class A's. Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists. SPEWS had information too on DNS blackholing (i.e. preventing your users from going to internet sites) and on HTTP blocking. If it was anyone else (the government) who was advocating this, people would be outraged.

Re:ever tried to get off SPEWS?

[mrex]

Go to nana-e, and they'll tell you that robots from space run SPEWS

Spammers with unbalanced ethics:lawyers ratios have already attempted to make life hell in court for blocklist owners that they could track down. I know of no instances where the spammers won, but the costs and hassles associated with defending yourself from a lawsuit exist whether one wins or loses.

Who can blame SPEWS for planning ahead for this? Answer: spammers who are really pissed off.

, and there's no way to get a hold of them. They start with Class C's, then progress to banning class A's.

That's the whole goal of SPEWS. SPEWS is not a list of spammers, its a Spam Prevention Early Warning System. Listing individual spammers addresses has not been entirely effective, as spammers simply find providers who are willing to lie for them, thus SPEWS was created to punish ISPs who are unresponsive to legitimate abuse reports. SPEWS exists to counterbalance the profit those ISPs may make from spammers with loss of profits from those who want to use the internet for a legitimate purpose.

Some of the crazies who post on nana-e even have the whole country of Brazil banned on their private lists.

I add a very very large score via SpamAssassin to any mail that comes from Brazil, Mexico, China, Taiwan, Korea, and several other nations who appear to be becoming spam havens. What's your point? I have, in many years on the net, never received an e-mail I wanted from those countries.

SPEWS had information too on DNS blackholing (i.e. preventing your users from going to internet sites) and on HTTP blocking.

Uhhhh...yes...and? Is there something immoral about administering the ISP you are responsible for in the manner you see fit? It's my business, I can do as I damn please. If I want to filter out every website except my own, that is my right. My customers vote with their business, they do not get a direct say in how I run my outfit. Every business owner understands this concept when it is put into their terms, yet spammers seem to be very against this right when it comes to ISP owners. Gee, wonder why.

If it was anyone else (the government) who was advocating this, people would be outraged.

So? Very often it is acceptable for an individual to do something that a government cannot. For instance, if the government tried to convince me to go to XYZ Church, I would be outraged. For an individual to do so is nothing short of normal.

Re:ever tried to get off SPEWS?

[cdrguru]

The problem isn't the ISP blocking "their" traffic - it is the ISP blocking other people's traffic. Usually without informing their customers that said blocking is occurring.

This results in their customers not receiving email. The decision that the sender of that email wasn't legitimate has been removed from the user and the sender and placed in the hands of some anonymous third party.

In general, the ISP answer to blocking complaints is they simply use the list and do not control the content of it. The blocking list provider - if contactable - claims they just make up the list and the use of it is outside of their control. This means nobody is accountable for blocking.

The problem with this sort of censorship - and it is indeed censorship - is the user never hears about it. When a business is blocked they quickly discover that blocking has made email unreliable for communications with customers. They can either abandon email for important stuff or they can try to convince the blockers that their commercial use of email is valid. This is extremely difficult. Why? Spammers use email - if you use email commercially, then you might be a spammer. If you get blocked and claim you were blocked in error, you might be lying. Spammers lie, so anything you say can be considered to be a lie. Why should anyone unblock a spammer?

Either email can be used for commercial purposes, or it cannot. Anti-spam folks want to ban all commercial use of email.

Re:ever tried to get off SPEWS?

[Just+Some+Guy]

So, write down in your day planner, right there on the date that your current contract is due to expire, this simple action item: negotiate next contract duration to be dependent on the provider not being blacklisted.

That's a great idea. On the other hand, I live in a small town with exactly one feasible ISP that's not a residential cable service with incoming port filters. My options are:

1. Stick with said ISP, who has excellent service, great staff, and reliable connectivity, even though their upstream ISP hosted a couple of spammers a few years ago and SPEWS hasn't unlisted the whole /12 of us, or:
2. Explain to my wife that we have to move to a new city so that I can send email to some Slashdot jackass who doesn't understand that some people don't have a viable option to change their service.

Hmmm. Let me think about that one for a while.

Re:ever tried to get off SPEWS?

[CrowScape]

To use the common analogy, you live in a filthy crimeridden slum. Trying to send e-mail to my server is equivalent to calling and trying to have a pizza delivered to your house.

No, it's the equivalent of trying to go from the slum to the downtown area. With your analogy, the city has walled off the slum. Those who live in the slum and want to go into the city have to move out of the slum first. I wonder how well that policy would go down outside the digital realm. Besides, if I recall, the government seems to think that you do have the right to buy a pizza and have it delivered provided you're within a reasonable distance of the establishment that delivers even if you happen to live in a crime infested slum.

Re:ever tried to get off SPEWS?

[Eric+Ass+Raymond]

No. The purpose is to get the end-users pissed-off at their ISP for providing service to spammers.

Ok.

Tell me how an ISP can be 100% sure that the new user application they just received will not be used for spamming?

That's fundamentally what SPEWS is requiring of the ISPs.

indeed

[Trepidity]

Even if you happen to like the blocklists and agree with their methods, it's clearly irresponsible to assume they're being attacked by spammers -- there are a lot of non-spammers who would love to take them out.

Re:Blacklists' downfall

[rossz]

Yeah, the red tape is a bitch. Here's a list of the red tape:

1. Close your open relays
2. Kick off known spammers
3. Stop list washing system admins who complain about spam
4. Stop making it nearly impossible to submit complaints

Black lists and delisting

[raj2569]

As the anti spam officer in a Major ISP in India, I have no problems with blocklists as such. But the people who maintain the blacklists also has a responsibility to correct their mistakes immediatly. They must listen to people who maintain networks and if a machine is wrongly listed they must remove it. The procedure for taking out a machine from blacklists must be documented and verifiable.

We have a large cable network, and there are 3 4 trouble making customers. We do allow people to run their own mail servers. But that also means that some customers misuse it to send spam. It takes us a day or 2 to shut down the spammer, and by then the C bloc will be listed in some black holes.

Now de listing it becomes a major pain if the black holes are not responsive. If the procedures are well documented life of ISPs become much easir.

and no we have not considered denying the freedom of our customers to run their own outgoing mail servers. one or two random spammers cannot force us to deny that freedom to majority of legitimate users in our network.

raj

A Defensive tool, not censorware

[mercuryresearch]

I'm getting a bit tired of people applauding DOS attacks on blocklists. Many of us run small mail servers for ourselves and/or small companies where EVERYONE who recieves email is in agreement that blocking spam is the right thing to do. When everyone chooses to do this, it's not censorship. Seriously -- the volume of spam is overwhelming, and in a small business there is no one delegate managing email to, and it's consuming precious bandwidth. Spam is the problem, not block lists. No spam, no blocklists, simple as that.

My server has seen as many as 500 spams a day directed at it -- for just two email accounts releated to my business. I had little choice but to elect to use drastic measures and escalate them until the spam became manageable -- and the best defense due to bandwidth issues (we run on just 128K because that's all that's available to us) is blocklists. The problem has been so bad that I maintain an internal block list that uses iptables to simply not route packets from IP blocks (/24) for any email that gets through the first layer of blocklists that sendmail checks.

Osirusoft in particular was very, very useful to me, because they maintained a number of DNS mirrors of other blocklists, so you could pick and choose how drastic you wished your blocking to be. I will miss their service greatly -- and can already notice it as my spam has doubled since it was removed from my sendmail config.

Without blocklists, email for my small business at least would be useless. I know that I've lost business using them, but I'd lose more business/time/money without -- there's no friggin' way I'm going to search through (and accept the bandwidth hit from) five hundred messages to find the few legitimate ones and still have time to get real work done.

WAR

[hawkbug]

This is WAR. Spammers will stoop to any level to get their crap into people's mailboxes, and now the blacklists are giving into their guerilla tactics - I say keep fighting, eventually they will figure out where the attack is coming from, and shut the damn thing down. We must never give up fighting spam, at any cost.

Anyone else observer a huge dropoff in spam?

[rayvd]

This morning around 6:30AM MST, the spam levels on our work server dropped from ~800 spam/hr to ~35/hr. They'd been hovering at the 800 level for more than a week (most are not actualy spam, but "bounces" from SoBig.F faking our domain as the From address). It's staying right around 35 still about 7 hours later..

Not complaining, but very strange nonetheless!

Distributed Spam List

[rahlquist]

Ok we have all this wonderful file sharing technology avalible, why not put it to good use. Why not build a distributed black list. One that is shared over an automated file sharing network similar to Napster or Kazaa. DDOS only works with a target, with 100 or more geographically diverse machines sharing it I wish them luck. Make being able to access the list depend on your willingness to share it out too. Of course someone would have to figure out the infrastructure but this would rock.