Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Blacklisting Spammers Is A Bad Idea

Posted by timothy on from the painting-with-machine-gun dept.

Roland Piquepaille writes "For the last two months, an eternity in Internet time, I was unable to reach -- and to contribute to -- Smart Mobs, the collective blogging effort around the next social revolution initiated by Howard Rheingold. Why that? Because an unknown customer of Verio decided it was a spamming site and asked the company to blacklist the site. Verio complied -- probably without even checking it -- and my problems started. It took me dozens of e-mails and phone calls and two visits to the headquarters of my french ISP, Noos, to fix the situation. More about this horror story is available here."

37 of 396 comments (clear)

  1. ORBS by olman · · Score: 5, Insightful

    And other RBLs require usually multiple reports from multiple sources. And you have fairly straightforward way of getting de-listed, too.

    What's with the current boo-hoo over blacklists? Do we have some kind of spammer astroturf going here?

    1. Re:ORBS by t0ny · · Score: 3, Insightful
      This sounds more like a complaint about the potential for human error, rather than a complaint about the idea or technology itself.

      Rather silly, Slashdot. I suppose next we will have an article saying how security is evil, because some LUser gave his password to a hacker who phoned in posing as tech support. Or even that DNS is evil, because someone can hijack your listing (which was posted a few days ago...)

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

    2. Re:ORBS by PurpleFloyd · · Score: 5, Insightful
      The current "boo-hoo" over blacklists can be mostly summed up by one word: SPEWS.

      They operate on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply "suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"

      To be sure, a large portion of the problem comes from ISPs implementing SPEWS incorrectly - silently dropping all IPs listed, not just tagging level 2 and dropping only level 1 (confirmed spammers), and the spammers have created this problem themselves. However, SPEWS' "list 'em all, let God sort 'em out" approach is irresponsible, particularly when they know that ISPs are applying the filtering with a wide brush.

      --

      That's it. I'm no longer part of Team Sanity.
    3. Re:ORBS by Eggplant62 · · Score: 4, Insightful
      [SPEWS] operate[s] on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"


      Incorrect characterization of SPEWS methods. From my own personal observations, a SPEWS listing starts out with the spammer's IP addresses based on spam received at multiple spamtrap accounts. Complaints are filed by the people who run the SPEWS list and, of course, they do not identify themselves as SPEWS operators in those complaints. Some time elapses (I'm not SPEWS, how should I know how much time exactly?). Either the spammer is removed (Yay! The listing drops off the list) or the complaints go ignored and more spam is received at the spamtrap accounts. The listing gets widened to the /24 in which the spammer space is included (this may happen immediately in the case of a spammer identified by Steve Linford's ROKSO (Registry of Known Spam Organizations) at spamhaus.org (may be difficult to reach due to the Slashdot effect or DDoS by virus)).

      Lather, rinse, repeat the above until someone at the responsible ISP who received the original complaints wakes the fuck up and notices the situation, usually after their own customers are screaming at them, asking them to fix the problem that got them blocklisted. Then again, this is all laid out in the SPEWS faq in fairly clear, easy to understand language.

      If ISP's are dropping mail from both level1 and level2 listings, they've made their own bed and are now laying in it. Only an idiot would block on level2 listings as they are meant as an historical indicator of problems with an ISP and do age off after an indeterminate period of time, again outside my control or knowledge.

      SPEWS is the only thing thus far in the war against spam that actually has an effect at the ISP level to get some of these outfits to wake the fuck up and see what's happening in their own abuse@ mail accounts. ISP's think they can continue to shine on the spam problem, thinking they have no responsibility for their customers' actions. We, the users of SPEWS blocklist, say otherwise.

      If I decide I don't want mail from a corner of the Internet that has sent me nothing but spam, that's my right. If I decide to rely upon the opinion of another Internet service who tracks this kind of information for themselves and elects to share it with the public, that's my right also. SPEWS works for me and mine.
  2. Just by SargeZT · · Score: 4, Funny

    Break into the lobby of the ISP, guns in hand, and force them to remove the site from the blacklist. It's what I do when I'm pissed.

    --
    And why did you staple the trout to the RAM?
  3. Why Blacklisting Spammers Is A Bad Idea by wo1verin3 · · Score: 5, Insightful

    This article should have been called...

    "Why it's important to have good policies and procedures in place when blacklisting spammers"

    1. Re:Why Blacklisting Spammers Is A Bad Idea by sweetooth · · Score: 4, Insightful

      No kidding. The primary problem is the ISPs and thier upstream.

    2. Re:Why Blacklisting Spammers Is A Bad Idea by rgmoore · · Score: 4, Insightful

      Yeah, because blacklisting has been so effective thus far, we just need to do more of it. Yeah, right. Blacklisting is basically playing a game of whack-a-mole; it makes things a bit less convenient for spammers, but doesn't seem to be doing them serious harm. OTOH, crippling the email of innocent bystanders who happen to share IP blocks with spammers seems a rather steep price to pay for something that does very little to stop spam.

      Spam is a tough problem, and it's going to take more than just vigilante action to deal with it. What's needed is a two pronged approach. One prong is legal and is being followed fairly well; pass laws that make spamming illegal. The other prong, which is still under development, is to make technical changes to email so that spammers can't hide their addresses. Neither one will succeed alone- laws can't help as long as spammers can hide, and making spammers stand still won't help if there's no legal recourse against them- but the combination of the two should help a lot.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    3. Re:Why Blacklisting Spammers Is A Bad Idea by BrokenHalo · · Score: 4, Funny
      Spam is a tough problem, and it's going to take more than just vigilante action to deal with it. What's needed is a two pronged approach.

      So I should find a spammer and spear him with a pitchfork?

  4. Just to clarify by Nachtwind · · Score: 4, Insightful

    "blacklisting" in this article refers to completely block an ip address. This is not a "bad idea", but complete nonsense. First time I've heard of something like that. This is not to be mistaken for using an open relay blacklist or similar, which only blocks mail from a certain address. I bet those "network administrators" clicked on some fancy "block site" button, not knowing what they were doing...

  5. Re:Run your own mail server on your own domain by bhtooefr · · Score: 4, Informative

    RTFA. Verio was doing blacklisting on ALL PROTOCOLS for this ISP. The guy could not even GET TO THE SITE.

  6. Pot/Kettle by AndroidCat · · Score: 3, Funny

    Verio blocking HTTP access to other people's spam pages? I have I wandered into another universe again?

    --
    One line blog. I hear that they're called Twitters now.
  7. Non sequitur by ScottSpeaks! · · Score: 5, Insightful

    The fact that a strategy (such as blacklisting) can be mismanaged and that it is not invulnerable to abuse does not necessarily make it a "Bad Idea". It just means it needs to be managed more carefully, and better secured from abuse.

  8. Improperly done blacklist by DaEMoN128 · · Score: 4, Insightful

    Why is the blacklist being done on a domain level. Spam is usually email....so block the email address. That is simple enough to do with intrusion detection systems, some application level firewalls, and if your really bored....an access list on a router. Whoever decided to block ftp or http to stop spam was not all there. They should have stopped smtp traffic from there instead and been done with it.

    Black listing of spammers is a good idea, we just have to make sure we are only blocking them and not innocent bystandards.

    --
    Stop signs are only Suggestions
    1. Re:Improperly done blacklist by PReDiToR · · Score: 4, Interesting

      I'm still pissed that AOL won't let me send email to any of their customers, just because I run my own SMTP server.

      That sucks ass royally.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    2. Re:Improperly done blacklist by spicedhamhawg · · Score: 5, Insightful

      Speaking as someone who fights spam for a living, effective blocking requires a combination of techniques. You need to filter on sender (both envelope and From:), sender domain, sender IP, and content filters.

      Your statement that whoever decided to block ftp or http was not all there completely misses the point, I think. If a site is known to spamvertise, blocking *all* traffic to/from that site is actually a pretty good idea. Why? Consider why spammers send spam: to generate traffic to a web site, an email address, a phone number, some way to contact that. Since they know any email address they use to spam probably won't last as long as fart in a room full of air purifiers, the contact link is usually URL, whether by domain name or IP address. If they spam and you put in a filter for that spam, they may never get that spam through again, but they may still get some buyers from among your (stupider) customers. However, if your policy is to block all traffic to/from that IP address, they get zero traffic and zero business from your netblock and you really hit them in the wallet.

      Verio's idea is good, but someone dropped the ball on implemenation in this case by not checking the facts before blocking.

      What I'd like to know, though, is why the author of the article uses an ISP as bad as Noos. They sound so bad they make even wanadoo.fr (gee, speaking of spam!) sound good in comparison. Someone at Verio apparently made a mistake, but if so many people at Noos weren't so incompetent (did the PHB character come from their, I wonder?) the situation probably could have been resolved in a day or two.

    3. Re:Improperly done blacklist by l-ascorbic · · Score: 3, Informative

      I'm assuming that by "running your own SMTP server" you mean you're running one at the end of a DSL line or similar. If so, why don't you use your ISP's server as smarthost and relay through them? Avoids DSL/dialup/dynamic blacklisting, and reduces the strain on your server. Win-win, surely?

    4. Re:Improperly done blacklist by bigberk · · Score: 5, Interesting
      If so, why don't you use your ISP's server as smarthost and relay through them?

      Why don't I use my ISP's mail server? Because:

      1. My ISP's mail server sometimes takes as much as 3 hours to deliver a single email
      2. Mail sometimes gets lost entirely, and without access to logs I have no clue what happened
      3. I have a host with TCP/IP abilities just like everyone else. Just because I'm not paying thousands of dollars doesn't mean I can't establish a port 25 connection to another host. I resent the drive by industry to segregate connectivity based on service class (consumer/business). TCP/IP knows no such labels.
    5. Re:Improperly done blacklist by bigberk · · Score: 3, Insightful
      Amen! This is a perfect example of one of many serious threats to end-to-end transparency in the Internet . . . I don't know what can be done

      Unfortunately, these Windows viruses that make a broadband customer act as a spam relay are a big reason that ISPs are considering blocking mail from dialups/dynamics.

      If Internet communications gets divided between consumer/corporate lines, I will place the blame on spammers and Microsoft (no joke).

  9. Horror story my arse by pauldy · · Score: 4, Interesting

    Use some common sense editors when presented with a story that seems unusually slanted please take it at face value. This is why corporations such as verio need to be made aware of their policies not working not that black lists do not. Blacklists are the only thing that works against spammers and they know it. So how do they fight back by using the blacklists against regular sites to try and disrupt users service so that people might think twice about using them.

    Instead this article should be title "Why Blacklist Do Work" and what spammers are doing to try and disrupt them.

  10. That's what I'd call costumer care... by rune.w · · Score: 5, Informative

    Quoting from the article:

    1. Technical support people don't have access to Internet;
    2. They are not allowed to phone to customers;
    3. And they are not allowed to send them emails.

    Maybe it is a good time to change ISP?

  11. Am I understanding this correctly? by orthogonal · · Score: 5, Insightful

    From the article: My ISP has a partnership with Verio to handle its traffic in the U.S. When Verio blacklisted Smart Mobs, any request from Noos went unanswered -- sorry, there was the (in)famous 404 error.

    I want to be sure I understand this correctly. Verio wasn't (only) discarding mail from Smart Mobs, because they thought it was spamming site, they were refusing to pass through http (or other) connections to it?

    Discarding mail is one thing, but blocking an IP address is quite another. What's the justification for this? To prevent the (supossed) spammer from profitting from the spam, by preventing anyone from connecting to it to (presumably) buy the product touted in the spam?

    Discarding mail from a spammer can be justified, by, among other things, the argument that spam mass-mailings strain system resources. But connecting to sites happens all the time -- an ISP should should be set up to handle that traffic, and can traffic to sites touted in spam really increase the volume that much?

    To me, this seems like a dubious policy on Verio's part -- even without the problem of mis-identifying sites as in the case of Smart Mobs.

    --
    Opinions on the Twiddler2 hand-held keyboard?
  12. Yup, I was RBL'd by kwerle · · Score: 3, Insightful

    I left an HTTP proxy on on an open port - on the same machine that does SMTP. I didn't even know that spammers could relay via an http proxy using a PUT to the local SMTP server. mea culpa.
    I fixed it in 3 days (too long, I know).
    I contacted mail-abuse.org and submitted a removal request. It took them 2 weeks to take me off the list.

    It frustrates me that their site is so unresponsive to removal requests, and that they fail much of their process. They were supposed to send email at several stages, which they did not do. The email they did send was badly formatted (broken urls, urs that weren't relevent).

    I won't ever use an RBL because they just don't seem responsible.

    Yeah, I know - pot kettle black. But I'm not supplying a service to thousands of users.

    1. Re:Yup, I was RBL'd by sirket · · Score: 3, Interesting

      First off, mail-abuse.org is notorious for their response times.

      That said, you left a relay open for 3 days, and potentially tens of thousands of spam emails, and you are going to sit their and complain that it took two weeks for you to be removed from the black list? What about all the individual admins that added you to their personal blacklists and just never bothered removing you?

      -sirket

    2. Re:Yup, I was RBL'd by fmaxwell · · Score: 3, Insightful

      It frustrates me that their site is so unresponsive to removal requests, and that they fail much of their process. They were supposed to send email at several stages, which they did not do. The email they did send was badly formatted (broken urls, urs that weren't relevent).

      Almost all of the RBLs are run by private individuals who make no money for their efforts. Why do you believe that they owed you anything? All that you did was make work for them by your misconfiguration of your mail server. They don't owe you nicely formatted e-mails, prompt responses, or open lines of communication.

      Yeah, I know - pot kettle black. But I'm not supplying a service to thousands of users.

      No, but you may have been supplying spam to that many -- easily.

  13. Had the same problem.. by Chicane-UK · · Score: 3, Interesting

    Someone anonymously submitted our MS Exchange server (I don't blame em *grin*) as a spam relay, despite the fact that it is not. As said in the original post, they didn't even check the server they just blacklisted it.

    The first thing we know about it is when members of staff come to us and complain that they are getting error messages such as 'denied' when trying to email important people.

    Sigh.. in fact I have that very same problem waiting to be tackled when I get back on Monday morning. And its always such a ballache to get your mail servers removed from these block lists... :(

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
    1. Re:Had the same problem.. by sirket · · Score: 3, Interesting

      I know of no blacklist that does not first verify that you are indeed an open relay. If you know which service did this, then please let the rest of us know so that we can be sure not to use them.

      -sirket

  14. Hypocrisy by sirket · · Score: 4, Interesting

    First of all, the idea of Verio blocking spammers is laughable. They have always been a haven for spammers and everyone here probably already knows that.

    The real issue, however, seems to be this guys ISP. I mean honestly, what the hell is wrong with them? If I had called Speakeasy with this sort of problem, it would have been taken care of that day.

    -sirket

  15. My own slashdot horror story... by Sun+Tzu · · Score: 5, Funny

    I have an earthlink.net account and a couple of weeks ago I was issued an IP address in the dreaded slashdot BANNED! file. Pity poor me, getting the big orange screen telling me about the terms of use and how, as a BANNED! IP addy, I was unable to even read them. Fortunately, the evil orange BANNED! page quoted me a few of the offenses that might have gotten 'my' IP banned. I must have spammed the input queue or posted a PWP (page widening post) or somesuch.

    Of course, it wasn't me. It was some other Earthlink customer who, sometime in the past, was issued that same dynamic IP address and committed the unpardonable offense. That customer has moved on to a new IP, but /. never forgets.

    It was hell. I spent *hours* unable to access /. -- can you imagine the suffering that such a fate would cause *you*??!

    Eventually, I was issued a new IP address from earthlink and was back online as the ageless Sun Tzu once more. But I still live in fear that someday, perhaps when I least expect it, the evil orange BANNED! page will return to haunt me. This is the personal hell that I inhabit and it is here that I shall remain, until I get a clean static IP address of my very own. I live for that day.
    --
    Send us your Linux System Administration articles

    --
    Geeky modern art T-shirts
    1. Re:My own slashdot horror story... by pyrrhonist · · Score: 4, Informative
      And you couldn't manually request a new DHCP address because... ?

      He probably could, but unfortunately he'll probably get the same IP address. From the RFC:

      If an address is available, the new address SHOULD be chosen as follows:
      • The client's current address as recorded in the client's current binding, ELSE
      • The client's previous address as recorded in the client's (now expired or released) binding, if that address is in the server's pool of available addresses and not already allocated, ELSE
      • The address requested in the 'Requested IP Address' option, if that address is valid and not already allocated, ELSE
      • A new address allocated from the server's pool of available addresses; the address is selected based on the subnet from which the message was received (if 'giaddr' is 0) or on the address of the relay agent that forwarded the message ('giaddr' when not 0).
      Bummer, dood.
      --
      Show me on the doll where his noodly appendage touched you.
  16. Answering the question. by _Sprocket_ · · Score: 4, Insightful

    So the question presented by this article would be "WHY is blacklisting spammers a bad idea?" Unfortunately, it doesn't answer the question.

    The blurb mentioned by the article submitter is the entire coverage of any such activity. The rest of the piece then goes on to complain about the user's ISP. Those who haven't RTFA'd can feel comfortable in skipping this one.

    I'm sure this submission will provide nice fodder for expressing annoyance over spamming and horror stories of "collateral damage". But then - we've had plenty of those before. It would have been nice if an article had provided some framework around this kind of conversation.

    This article doesn't.

  17. Wrong. Not perfect != "bad." by the_dreadnought · · Score: 5, Insightful

    The good it does is far outweighed by the bad. Just like everything else in life, mistakes will be made. You can have a problem with the process to correct mistakes, but advocating RDNS blacklisting should go away doesn't make sense.

  18. Verio = SBF (Spammer's Best Friend) by NoSuchGuy · · Score: 4, Informative

    To get kicked from Verio, you have to burn down a network center or something like this. About 500 mails from users to abuse@verio.net for one spamvertized website netmails.com and no action taken ==> They do nothing against spam. They tolerate spam.

    Check for yourself: Verio's Listing .

    I use blackholes.us to block (port 25) entire countries (cn, kr, tw) and ISPs (Verio, interbusiness.it...) that do not qualify (in my standards) for connecting to my mailserver.

    NSG

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  19. Earthlink is Horror by ticklemeozmo · · Score: 3, Funny

    I dare you to try and contact the Earthlink Network Abuse department. At my work, we are a (legal) online betting site and were getting pounded by several Earthlink IPs grabbing our free odds.

    With megs of apache logs for each IP address, Earthlink network abuse must have taken the week off. 17 Emails and 8 calls. With NO answer, NO response on anything.

    We cannot just block all of Earthlink's dynamic numbers because of ten insipid users. I wish death on all the sysadmins at Earthlink and I curse their children with webbed genitailia.

    ((Before replying with suggestions to do on my end, they have been tried. mod_throttle wasn't an option, dynamic temp bans had to be watched, blah, blah, blah.))

    --
    When modding "Informative", please make sure it both has a source and IS actually informative.
  20. Better title by commodoresloat · · Score: 5, Funny

    "Why Blacklisting Spammers is a Bad Idea: It Takes Up Valuable Time that Could Be Spent Tracking Them Down and Killing Them"

  21. Proper spam blocklisting (for mail) by bigberk · · Score: 3, Insightful

    First, it's obviously a bad idea to block all IP traffic for an entire netblock (except under extreme circumstances -- attacks, for instance).

    Spam is a huge problem, and there are some very effective DNSBL's (DNS blocklists) out there that can let a mailserver reject mail coming from a certain IP address. There are many different DNSBL's out there, and each has their own policies on what IPs they will list, how they will de-list, etc.

    I don't like DNSBL's that list IPs based on non-spam related criteria. Examples include: country/continent of origin and service class (consumer vs. commercial). Blocks based on such criteria just divide the Internet, and don't even take into account where spam is coming from. I think it's a slap in the face of the Internet for a company to say, "I'm going to block all traffic from dynamic IPs, because they are not commercial connections".

    Then there are the blocklists that block IPs that send spam. I like this approach because the lists are designed to block what I don't want; spam. sbl.spamhaus.org blocks regions of the Internet that perpetually send spam. blackholes.easynet.nl similarly list established spam sources. relays.ordb.org and list.dsbl.org block open relays and proxies that were found to be points of abuse.

  22. some IP addresses blow spam by chongo · · Score: 3, Insightful
    While I feel sorry for those who are innocent victims of blacklists, I cannot also ignore the most of the spam comes from a only few IP addresses.

    Over the past 6 months, some 65% of spam (and spam attempts) that my ISP received came from less than 0.16% of the assigned IPv4 address space.

    Almost 2/3's of the spam we saw was sent over SMTP connections from one of 77 CIDR blocks (ranging from /16 to /30 in size). These 77 CIDR blocks represent less than 1/6 of 1 percent of the assigned IPv4 address space.

    BTW: The CIDR list growth factor is not much when you move from the 65% level to the 90% level.

    ... your stats may vary. :-)

    Spam is truly a world wide problem. Those 77 blocks, by national/region, break down as follows:

    1. 1 Australia
    2. 1 Belgium
    3. 8 Brazil
    4. 1 Canada
    5. 8 China
    6. 3 Dominican Republic
    7. 1 Spain
    8. 1 France
    9. 1 Israel
    10. 1 Italy
    11. 1 Japan
    12. 15 Korea, Republic of
    13. 3 Mexico
    14. 1 Poland
    15. 1 Russia
    16. 2 Thailand
    17. 3 Taiwan
    18. 25 US
    The above list is provided for the curious. I do not recommend that people block IP addresses based on the hosting country.

    "Yes, Virginia", a few IP address blocks do transmit most of the spam.

    --
    chongo (was here) /\oo/\