Slashdot Mirror


SPEWS Adds DSL Reports to Block List

Kylow writes "Last year, Slashdot publicized our efforts at DSL Reports to pursue a group of spammers who had spammed our forums. The Slashdot community immediately pitched in to help, and the publicity wiped the sites owned by the spammers off the internet. Fast-forward to today, and the popular yet often draconian block-list SPEWS has added DSL Reports to their blocklist due to the activities of other websites hosted on NAC.net. DSL Reports users are less than happy. This is hardly the first time SPEWS has been accused of going too far."

32 of 814 comments

  1. As a small webhost by Nazmun · · Score: 5, Informative

    I can't tell you how much we hate spews, this is far from a common occurrence and it seems that the only way to fight this is to not use spews. There are plenty of better alternatives like spamcop and orb.

    --
    Hmmm... Pie...
  2. Level 2 listing, by spydir31 · · Score: 5, Informative

    from openrbl.org
    SPEWS/spews.org: 209.123.109/24: 553 SPEWS2 [2] nac, see http://spews.org/ask.cgi?S2814
    from the SPEWS FAQ

    Q22: What is Level 2?
    A22: This includes all of Level 1, plus anyone who is spam-friendly, supporting spammers, or highly suspicious, but not blatant enough to be included in the Level 1 list yet. If it becomes obvious that someone at Level 2 has become a real problem, they will be escalated to Level 1 after some attempt at education. The Level 2 list will have some inadvertent blocking (non-spammer IP addresses listed), but can still be used by small ISPs or individuals who want a stricter level of blocking/filtering. By having a two tiered list, you can make the hardcore spamfighters happy; those who want to block first and ask questions later. Also, a listing in the Level 2 list may exert a bit of pressure on spam friendly sites and may keep them from turning totally bad - but that is not really the point, stopping spam is. (note: a Level value of "0" means that area is not listed)

  3. They didn't block it by CaptainBaz · · Score: 5, Informative

    From the linked forum posts:

    1) your mail server is NOT BlackListed! If you look at the listing it is at level 2 the [2] means level 2. Read the SPEWS FAQ. No one blocks on level 2 listings.

    Level 2 listings are netblocks which are watched carefully for evidence of abuse, usually because the adjoining netblocks are in use by spammers, and because the provider (NAC in this case) is ignoring complaints about the abuse, or is doing nothing to remove the abusers.

    2) There is something you CAN do other than rant, which will not do you any good at all; and that is to complain to NAC about their spam-friendly policies. It's NAC's hosting network abusers which is the problem. If the listing is upgraded to level [1] then there will be a problem getting your e-mail out; if this is intolerable, the ONLY solution would be to change providers.

    3) If NAC persists (usually for a prolonged period of time) in its disregard for the rest of the Internet, by allowing our mailboxes to be filled up by their customer's garbage, then many system administrators including myself, will choose to refuse mail from larger and larger portions of NAC's IP-Space, IMHO this is a perfectly reasonable choice. It puts pressure on the service provider not to host spammers, something, which in the long run will help stop spam.

    Understand, that SPEWS does not block anyone, all they do is make available a list of spam-friendly, and spam-supporting providers. Many systems will choose not to communicate with providers who support spam operations in a direct effort to hurt spammers by denying them access to providers.

    Yes I run an ISP, and YES we use SPEWS as one of many BL's we use to eliminate UCE/SPAM from our customer's mailboxes. Spews comes in second only to spamhaus.org in its effectiveness. We receive less than 10 spams/day across a user population of over one thousand. Spews alone is responsible for about 30% of the blocking.
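
The Level 1 / Level 2 distinction argued over in the comments above, as an added example that is not part of any poster's comment and not SPEWS or openrbl.org code: it parses the listing line quoted in the thread and shows how a receiving admin's own policy, not the list, decides between rejecting, tagging and accepting. The function names, the `block_level2` switch, the "tag" action, the sample client addresses and the Level 1 line are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Listing line exactly as quoted in the thread (openrbl.org output).
THREAD_LINE = ("SPEWS/spews.org: 209.123.109/24: 553 SPEWS2 [2] nac, "
               "see http://spews.org/ask.cgi?S2814")
# Constructed Level 1 line on a documentation netblock, for contrast only.
CONSTRUCTED_L1 = ("SPEWS/spews.org: 192.0.2/24: 553 SPEWS1 [1] example, "
                  "see http://example.invalid/")

# source: netblock: smtp-code label [level] free-text note
LINE_RE = re.compile(
    r"^(?P<source>[^:]+):\s*(?P<net>[0-9.]+/\d{1,2}):\s*(?P<code>\d{3})\s+\S+"
    r"\s+\[(?P<level>\d)\]\s*(?P<note>.*)$")


@dataclass(frozen=True)
class Listing:
    source: str
    network: ipaddress.IPv4Network
    smtp_code: int
    level: int
    note: str


def expand_short_cidr(text):
    """Expand shorthand such as '209.123.109/24' to a full IPv4 network."""
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad netblock: {text!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects host bits set below the prefix length.
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)


def parse_listing(line):
    """Parse one listing line into a Listing, or raise ValueError."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised listing line: {line!r}")
    return Listing(m["source"].strip(), expand_short_cidr(m["net"]),
                   int(m["code"]), int(m["level"]), m["note"])


def listed_level(client_ip, listings):
    """Most severe level covering client_ip (1 outranks 2); 0 = not listed."""
    ip = ipaddress.ip_address(client_ip)
    levels = [l.level for l in listings if l.level > 0 and ip in l.network]
    return min(levels, default=0)


def decide(client_ip, listings, block_level2=False):
    """Receiver-side policy: the list only supplies data, the admin decides.

    Level 1 is rejected. Level 2 is tagged for a later content filter unless
    the operator opts into the stricter behaviour the FAQ describes.
    """
    level = listed_level(client_ip, listings)
    if level == 1 or (level == 2 and block_level2):
        return "reject"
    if level == 2:
        return "tag"
    return "accept"


LISTINGS = [parse_listing(THREAD_LINE), parse_listing(CONSTRUCTED_L1)]

if __name__ == "__main__":
    # Constructed client addresses: inside the quoted /24, inside the
    # constructed Level 1 block, and in an unlisted documentation range.
    for ip in ("209.123.109.25", "192.0.2.10", "198.51.100.7"):
        print(ip, decide(ip, LISTINGS), decide(ip, LISTINGS, block_level2=True))
```
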

  4. Re:Am I my keeper's brother? by Alranor · · Score: 4, Informative

    No.

    Spews will list the IP that their spamtrap received mail from.

    Then they will make a complaint to the ISP.

    If the ISP ignores complaints, THEN the listing is progressively expanded, but they don't start out by listing a whole block.

  5. Re:Abuse. by Trillan · · Score: 4, Informative

    One spammer buys a few IPs on a block with an ISP, and SPEWS takes out the entire block.

    You don't know what you're talking about. As long as the ISP acts to terminate spammers in a reasonable fashion, they don't get listed in SPEWS. It's only after several months of protecting a spammer that an ISP gets added to the block.

  6. Re:Level 2 by Dimensio · · Score: 2, Informative

    It should be "no one who wants their mail system to run smoothly blocks on level 2".

    SPEWS does not recommend that level 2 listings be used for filtering, but they don't disallow it because ... well, they don't own the mailservers on which their lists are used.

  7. Re:Am I my keeper's brother? by fwc · · Score: 3, Informative
    Then they will make a complaint to the ISP

    Actually, this part is incorrect. Spews (and several other blacklist providers) don't even bother to notify the ISP before listing (or after for that matter). In spews' particular case they don't send ANY email at all (you can't email them either).

  8. More accurately... by Dimensio · · Score: 4, Informative

    Actually, this part is incorrect. Spews (and several other blacklist providers) don't even bother to notify the ISP before listing (or after for that matter).

    SPEWS as an organization does not send mail, however the people who are behind SPEWS DO send LARTs to the responsible hosting providers for the spams that they receive. They just don't identify themselves as SPEWS when they do it. This is so that ISPs will either learn to take ALL complaints seriously (because they can never know when one of the complaints comes from someone at SPEWS) or learn to enjoy their new intranet.

    1. Re:More accurately... by mrex · · Score: 2, Informative

      And this lovely idea is clearly working wonders.

      Agreed, look at how hard spammers are fighting against SPEWS.

      How long has SPEWS been "in business" ... and how many complaints do you guys still have coming from legit people who CAN'T just up and move to a different provider?

      Who literally cannot under any circumstances? I am not SPEWS, but I've never seen one.

      You know, some of us are trying to do legitimate business on the internet.

      Tell me about it.

      It's not like we have a friggin dialup account and can just pick someone else. The process of moving a business from one provider to another, especially if the provider is co-hosting your servers, is quite involved and usually involves a contract that can't easily be broken without penalties.

      Which is exactly why you ought to do your damn homework and perform due diligence when researching your "very important" internet connection. If you move into a slum, don't blame Pizza Hut for not delivering to you.

  9. Re:Never use blocklists to block by Pete · · Score: 5, Informative
    fo0bar:
    This is a perfect example of why you should never just arbitrarily block email because it comes from an IP on a list. Instead, programs like SpamAssassin are useful because they use blocklists as a factor, one among many, in determining whether to treat a message as "spam".

    The problem with just using SpamAssassin is that it's very CPU-intensive. And when the spam's already got onto your mailserver, it has already cost you in storage space and bandwidth.

    SpamAssassin is good as a second (or third) line of defense, but an RBL is much cheaper from the CPU/bandwidth/storage perspective - hence one or more RBLs is preferable as a first line of defense.

    The cool thing about RBLs is the wide selection. Are you happy to block confirmed open relays? No worries. Do you want to block all of South Korea, as you never receive legit mail from there? No worries. Do you want to block known and thoroughly reprehensible spam gangs that have been booted off three or more ISPs? No worries.

    And of course there's a variety of other blocklists, all with their own published criteria and standards. No one says which ones you have to use. No one says you have to use any of them.

    But the major point is, if you're a target of a blocklist, there's a reason for it (assuming the list admins didn't make a mistake, which does happen very occasionally). And there are always ways you can deal with the listing, ranging from ignoring it to smarthosting email to changing your mailserver IP.

    SPEWS are absolutely consistent with their listing criteria, and always have been. If you're not a spammer and you've been included in a netblock listed by SPEWS in Level 1, it is always after your ISP has been repeatedly warned and they've done nothing about the problem spammer.

    A SPEWS listing always starts with individual IPs. Beyond that point, it's the ISP's problem.

    Pete.
  10. Re:people are saying spews doesnt block people by Analysis+Paralysis · · Score: 2, Informative

    SPEWS stands for Spam Prevention Early Warning System. Level 2 is that early warning - which gives listed ISPs a chance to take action before they get moved to level 1. Including the ISP's netblock is necessary because spam-friendly ISPs will relocate their high-paying spammer customers to different IP addresses in order to frustrate single IP-address blocks. Also, if one spammer is tolerated with an ISP, you can count on several others joining up - so a netblock listing pre-empts this.

  11. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 1, Informative

    The jolly good fellows of nac.net sponsored IRC servers by money they got from spammers:

    http://www.spamhaus.org/sbl/listings.lasso?isp=nac.net

    Ok, I'm trolling but you hopefully got the point. spews lists ISP's who have spammers and nac.net has them. news at eleven.

  12. NAC.net finally got SPEWSed? by geminidomino · · Score: 2, Informative

    Those scumbags forward spam complaints to spammers, tell people reporting spam to "get a life", and generally abuse anyone who dares to say anything about their spammers.

    I don't think the SPEWS listing is going to make a big difference. All of NAC.net has been locally blocked on my domain for over a year now, and they're going to stay there until the heat death of the universe or Windows XP is released under the GPL, whichever comes first.

    If DSL Reports doesn't like it, they need to get themselves a provider that has the first clue on how to run an ISP.

  13. Re:The problem with lists like SPEWS... by geminidomino · · Score: 2, Informative

    NAC helps their spammers listwash, insults complainers, and doesn't cut off spammers. If you complain too much (once per spam), they threaten you. This is a "Good supporter of internet society" in the same way that John Ashcroft is "an ardent supporter of civil rights"

  14. Admins vs. Users by WalterSobchak · · Score: 3, Informative

    I used to poll SPEWS, as I really, really, hate spam.
    However we quickly got reports from our users about false positives. While my attitude was "Then your friends should switch ISPs", my users were not happy with that response.
    After some discussions, I stopped using SPEWS. I may poll it again as an advisory (i.e. marking, but not blocking messages).

    However, currently I am polling the Spamhaus SBL and XBL, and me and the users are very, very happy. The XBL catches loads of spam, and we did not have a single false positive.

    Alex

    --
    Absinthe makes the heart grow fonder
  15. Re:Nobody seems to understand spews by boots@work · · Score: 3, Informative

    Which is why anyone contemplating a hosting contract should check every ISP's record on spam - and make it a provision in the contract that the ISP has to pay relocation expenses in the event of their inaction resulting in them being listed on a DNSBL.

    Spews listed samba.org's ISP, and their supporters spewed the same sophistry: that the (non-profit) Samba admins should spend large amounts of time and money switching ISPs and physical hosts. The ISP's record was previously clean, and negotiating those kind of terms is impractical when hosting a small number of machines.

    Spews openly admits that they see collateral damage as a positive good. The more non-spamming machines they hit, the happier they are. That's fine, they're happy to list whoever they want.

    I just wish more administrators were aware that blocking using Spews is a definite decision to drop legitimate and wanted email. You *will* drop legitimate email, and possibly large quantities of it, if you use Spews. If hurting spammers is more important than getting your own mail, use it!

    To judge from the number of complaints we got about people not getting their mailing lists, I don't think many of the admins using Spews were aware of the consequences. Basically everybody we spoke to decided to use less-insane RBLs.

    Using a mix of sane RBLs blended through SpamAssassin is probably the way to go these days.

  16. SPEWS is Not Anonymous by Chatmag · · Score: 2, Informative

    After a run in last year with SPEWS, and after some investigation, I believe I have found SPEWS owner/administrator, and posted last March as SPEWS no longer anonymous

    --
    Pete Carr Owner Chatmag.com
  17. TMDA by tyrione · · Score: 2, Informative

    Wonderful piece of software that works quite nicely and for small independent mail servers you will not be disappointed.

    http://tmda.net/

    In case you don't have this running already, that is.

  18. Dealing With SPEWS Listings by Anonymous Coward · · Score: 1, Informative

    There are ways to reduce the harm done by a SPEWS listing.

  19. A different approach to a block list by chriskenrick · · Score: 2, Informative

    I've recently started submitting data to the Weighted Private Block List project.

    Basically, it's an attempt to use statistical filters (eg Bayesian based ones) to identify what IP's are sending spam. I'm sure that they would love to have more people involved in the collection of data, particularly if they've already trained their client side filters to a high level of accuracy.

  20. Re:What about businesses by Curien · · Score: 2, Informative

    You're an idiot. SPAM is unsolicited, bulk, commercial e-mail. If you send it out to a list of your customers (who can opt-out, I assume), then it's not SPAM.

    Next time, try to form an argument that actually makes sense.

    --
    It's always a long day... 86400 doesn't fit into a short.
  21. Suck it up. by acceleriter · · Score: 3, Informative
    Your ISP supports spammers. Get another one, or live with the block. SPEWS doesn't force anyone to use its block list; there is nothing you can do but change ISPs. This is by design, so that ISPs that support spam, like NAC apparently is, lose legitimate business and are forced by the marketplace to either reject spamming and spam support or go out of business.

    I am quite surprised that a forum dedicated to broadband telecommunications can't or won't understand that.

    --

    CEE5210S The signal SIGHUP was received.

  22. The Problem with SPEWs... by PPGMD · · Score: 2, Informative
    is they are just as bad as the SPAM ISP that they are trying to stop. They don't respond at all, there is no contact information, so for many businesses there are only two choices, get past SPEWs (very easy to do), or go out of business.

    Personally I use a spam filter on my e-mail server, but I use Spamhaus, as my primary, which is a much more professionally run list, they remove listings automatically after 90 days without spam complaints (SPEWs generally only removes you after you beg in the newsgroup), actually have e-mail addresses that you can contact them at, and actually target the spammers nets, not blocking class B networks.

    I believe that any admin of an ISP that uses SPEWs is really doing a disservice to their customers, who will have a number of e-mail problems from some very large hosting companies.

  23. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 2, Informative
    Good supporter of internet society? Hardly. NAC went downhill several years ago when their good admins were basically forced to leave on bad terms. Alex Rubenstein is not a nice guy to get along with from what I've heard. NAC also stole the wall.st domain name from one of its admins who owned it.

    NAC's security isn't too great either. True story: I was on IRC one day when I got a message from someone I didn't know. They knew I was on NAC from my static hostname/IP. They said "what's your NAC username?" I didn't exactly want to answer as it seemed shady, but my username was the same as my IRC handle. They figured that out and about a minute later said, "Oh, xxxxxxx is a nice password." Radius had been cracked and this random person had access to lots of passwords. Real great folks, NAC is.

  24. I'm sure DSL Reports isn't happy by Todd+Knarr · · Score: 4, Informative

    Perhaps, though, they should talk to the source of the problem instead of complaining about the solution. The problem, after all, isn't that SPEWS listed a spam source network, but that NAC.net is hosting spammers alongside its legitimate customers. Those customers should make it clear to NAC.net that either the spammers go, NOW, or they'll take their hosting elsewhere, also now.

  25. Re:SPEWS == the wrong way by Ledskof · · Score: 5, Informative

    Like I said, Ignorant.
    You are ignorant of this scenario:
    Your ISP has Company A (You) and Company B with a bad administrator.
    Company B screws up and installs a Microsoft patch that opens up their Exchange SMTP server as an open email relay.
    So they become a spam email relay just because they applied a patch. Unbeknown to the ISP, someone accidentally became a SPAM relay. Then some idiots get this attitude that the ISP is a Spam friendly ISP.
    My company was blocked because a company that had been shutdown 2 years beforehand was listed in the same IP block.

    So here's what we did when we discovered we were on SPEWS:
    1. Looked up SPEWS database.
    2. Tried to contact the Company listed in our block as a SPAMMER.
    3. Discovered Company didn't exist.
    4. Contacted ISP to find out why we were being blocked.
    5. Discovered ISP wasn't doing business with the company anymore.
    6. The IP address in this block that was listed on SPEWS wasn't even assigned to anyone.
    7. For the hell of it, tried to use the IP address for an SMTP relay. Didn't work.
    8. Tried contacting SPEWS (HAHAHAHAHAHAHA) on the newsgroups, for about a year.
    9. Gave up.
    10. Half a Year later was removed from the list.

    If any administrators are reading this and think SPEWS is worthwhile... please quit and get a job in Marketing. Thanks.

    --
    This is my sig. The post is over.
  26. Re:this may be stupid, but... by Senior+Frac · · Score: 2, Informative

    Am I missing something here?

    Yes. Blocklists can reject the message at the SMTP protocol level. It's possible to literally drop the TCP/IP link before even the first headers get sent. Any content filter solution (header or body of the email) will require receipt of the full message. At that point, the spammer has already wasted your bandwidth resources, and is now going to waste even more of your CPU resources in filtering it.

  27. Re:Sue them by eaolson · · Score: 2, Informative
    Besides the fact that you would have to find SPEWS to sue SPEWS (no one knows who they are)
    The identity, location, and contact information for SPEWS is easy to determine:
    whois -h whois.geektools.com spews.org

    Domain Name:SPEWS.ORG
    Created On:07-Jul-2001 19:50:12 UTC
    Last Updated On:06-Nov-2003 14:49:01 UTC
    Expiration Date:07-Jul-2008 19:50:12 UTC
    Sponsoring Registrar:R25-LROR
    Status:OK
    Registrant ID:CORG-1195
    Registrant Name:chip level domains
    Registrant Organization:Visit Lake Biakal!
    Registrant Street1:po box 61, Baikalsk-2
    Registrant City:Irkutsk region, -- 665914
    Registrant Postal Code:665914
    Registrant Country:RU
    Registrant Phone:+7.3952348335
    Registrant FAX:+7.3952348335
    Registrant Email:chip@sendmail.ru
    There, you have a mailing address, an email address, and even a phone number. Now, you may not believe that SPEWS is this guy in Russia, but I see no reason not to believe the whois data. Not that I've tried to verify it, however.
  28. a repost of a post i made at dslreports by Indy1 · · Score: 2, Informative

    The first part of this rant is directed to the admins of BBR. (dslreports is also known as BBR)

    I can understand your frustration at being listed and at the "scorched earth policy" of spews. However, there is ample and damning evidence that your isp, nac, is a MASSIVE spam haus.

    First piece of evidence:
    12 sbl listings (with 3 of the really nasty yellow ones) at www.spamhaus.org

    Second piece of evidence: the well mentioned spews listing, which has bucko evidence contained inside.

    third piece of evidence: 1970 listings found at http://groups.google.com/groups?q=nac.net+group:news.admin.net-abuse.sightings&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=news.admin.net-abuse.sightings&sa=G&scoring=d

    I think we can all agree, nac has a MASSIVE spam problem and does jack shit about it. So let's move on. BBR obviously doesn't spam, but because you are hosted with a pro spam isp, you're being used as human shields by your isp. So what are your options here to get your mail working?

    option one: bitch at nac to punt all their spammers, which will cause spews to de-escalate (yes spews DOES remove entries when spammers are terminated) the listing so your mail doesn't get 550'd. Problem is, nac is likely to not give a shit, and not lift a finger.

    option two: smart host your mail with a non spammy isp. There are a variety of ways to do this, and usually it's not very expensive. I'll leave it up to you (i am sure you guys are fairly clueful in a network sense) on the best way to accomplish this. This is probably the quickest and easiest solution, though the one negative to it is that you're still supporting a spam haus, but if that doesn't bother you, then so be it.

    option three: the probably least practical solution for you, but morally the best solution. Tell nac to eat shit and die, and move your operations to a non spam haus (and despite what some people are saying, there ARE isps that don't get blacklisted, they aggressively nuke any spammer on sight. Spews doesn't list you for one spam, they list you for ignoring repeated spam complaints). On a practical level, i understand this may not be a realistic option for you due to the extreme complexity of moving servers, but i figured i'd mention it since it is technically possible.

    ok, now for my rant directed at the non mail server admins of this forum.

    As others have said, spews does NOT directly block your mail.
    The mail admin is the one that blocks or doesn't block incoming mail. When he configures the mail server you use, he decides what if any rbls (aka blacklists) he uses. The criteria for which rbls he uses depends on management's attitude (assuming its a business server), the admin's stand on spam (is he a rabid block spammers on sight type, or a "screw it, not my inbox or bandwidth" type), and the user base of the server (do the users need to receive mail from china or south america, or can those countries be blocked without losing legit mail?).

    Spews does not communicate directly with the outside world or provide a method to be communicated with directly for very good reasons. In the past, spammers and spam hauses (verio comes to mind) have sued rbls for completely bullshit reasons. Because spews can and does play hardball with spam hauses, they remain safely anonymous so when spam hauses try to send bullshit lawsuits (aka cartooneys in the anti spam world) to spews; well it doesn't go far when you don't even know who to send the process server to. The only way to communicate with spews is by posting on the usenet group NANAE that you've removed the spammers you host. Failure to remove your spammers or lying that you've removed the spammers only gets more and more of your network listed.

    People complain about spews listing non spammers along with the spammers. Spews' philosophy is similar to the following analogy. Let's say you live in the same apartment complex as the unabomber. People in your town keep getting mail bombs

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  29. Re:That's funny by rossz · · Score: 2, Informative

    Finding a smarthost might take more than 5 minutes, but if it takes you that long to modify your mail server configuration through the smarthost, then you are too stupid to run a mail server.

    --
    -- Will program for bandwidth
  30. Your analysis is out of date by glorf · · Score: 2, Informative
    Follow along with me a moment, and you'll see why I think this way. First, the Internet is, by definition, a "network of networks", a large anarchy run by a very large number of system administrators (greater than 10,000) who make private decisions about who and how they allow to access their bandwidth, systems, and services...

    The Internet community has decided on standards of behavior, and each system operator trusts every other system operator in the pool to conform to the rules of society, and to ensure that the users conform to the community rules...


    Let me modernize those paragraphs for you:

    The Internet is, by definition, a "network of networks", a large anarchy owned by corporations who make private economic decisions about who and how they allow to access their bandwidth, systems, and services.

    The owners of the networks establish TOS to limit liability and help ensure profitability.

    Do you really believe that the techies at the ISPs still have the authority to decide who does or does not remain a customer?
  31. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 1, Informative

    > Criticising SPEWS is utterly pointless, though because they do exactly what they advertise.

    Nullshit, they do exactly NOT what they advertise.

    SPam Early Warning System?

    Where is the EARLY warning?

    They cannot warn before spam reaches my network, they do something else, point out places that may with a slight increased likelihood produce spam.

    What SPEWS does is point at possible spam hosters beyond what is clearly proven, that is NOT early warning, it is pointing out potential sources.

    By this naming scheme, and by trying to hide their real tactics in the information they give publicly, they are definitely doing false advertising for themselves.

    Then there is the simple fact that their tactics are immoral, and the only ones to blame for that are the people of SPEWS.

    Criticising them? hell yes, and if that is done publicly they send their DDoS monkeys after you.. that is quite telling I'd say.