Slashdot Mirror


SPEWS Adds DSL Reports to Block List

Kylow writes "Last year, Slashdot publicized our efforts at DSL Reports to pursue a group of spammers who had spammed our forums. The Slashdot community immediately pitched in to help, and the publicity wiped the sites owned by the spammers off the internet. Fast-forward to today, and the popular yet often draconian block-list SPEWS has added DSL Reports to their blocklist due to the activities of other websites hosted on NAC.net. DSL Reports users are less than happy. This is hardly the first time SPEWS has been accused of going too far."

57 of 814 comments

  1. The problem with lists like SPEWS... by GodBlessTexas · · Score: 5, Insightful

    Is that it swats flies with sledgehammers. Surely there's a more elegant way to deal with this issue now?

    --
    Remember the Alamo, and God Bless Texas...
    1. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 5, Insightful

      If you think they list too many netblocks, try using another list, or no list at all.

      Oh, for FUCK'S SAKE, stop missing the point, would you?!

      Sorry, I'm getting a bit pissed off with this topic.

      Look, it's nice that you think you have free choice, but the innocent people who are on that list do not have any choice in the matter. And the people they're trying to stay in touch with might also have no choice but to use the list, if it's company policy, or if their ISP uses it.

      THIS IS A PROBLEM. You can claim it doesn't exist till the cows come home, but it will still be there.

    2. Re:The problem with lists like SPEWS... by 91degrees · · Score: 2, Insightful

      I'd like some sort of distributed list, with a web of trust type mechanism, and an indication of the spam/email ratio.

    3. Re:The problem with lists like SPEWS... by 91degrees · · Score: 2, Insightful

      Well, sorry. I apologise for a small slipup, thus proving that all possible arguments I can make are invalid.

      If I perform an action, with an intended result, and the result happened, then I have caused the result to happen. This changes it from advice to a deliberate attempt to block IP addresses, and is not just advice. That's just a coward's argument from people who don't want to take accountability for their actions. SPEWS lists IP addresses with an intention that they should be blocked, causing them to be blocked.

      As for choice - The people who are blocked have no say in the matter. They don't even have an accountable organisation to contact, and if they do complain, then a typical result is that they get penalised even more heavily.

      I'm surprised that anyone does still use SPEWS. There are much better solutions from organisations that are not a bunch of amateurs.

    4. Re:The problem with lists like SPEWS... by October_30th · · Score: 4, Insightful
      Enormous range, enormous range

      So, instead of having the choice to simply delete/filter the spam I receive, I have to start the arduous task of webmail/smarthost/ISP hopping?

      This cure is definitely worse than the disease.

      --
      The owls are not what they seem
    5. Re:The problem with lists like SPEWS... by dipipanone · · Score: 3, Insightful

      This cure is definitely worse than the disease.

      Only if you do business with people who do business with spammers. If you don't, you won't have this problem. Even if you do, finding a new ISP or smarthost is a five minute job. Whereas deleting and filtering spam takes millions of people a significant amount of time every single day.

      I think it's a fine cure. It raises the cost of doing business with spammers, which is ultimately the only real way this problem will ever be solved.

    6. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 1, Insightful

      I would say the same for SPEWS. However so many seem to use their service without regard to whether losing legitimate email is something that their end users or customers even want. In fact the entity or entities behind SPEWS may in fact be a hosting service with no goal other than discrediting the competition.

      More credit indeed. I heartily recommend you give this "organization" the same credit you would give me. Even less since their practice of tarring legitimate businesses with the same brush as spammers is well known.

    7. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 1, Insightful

      the innocent people who are on that list do not have any choice in the matter

      Of course they do- they can do several things:

      1) Do nothing.

      2) Find an ISP that does not cater to spammers.

      3) Pressure their current ISP to change, and not cater to spammers.

    8. Re:The problem with lists like SPEWS... by Pete · · Score: 3, Insightful

      I think you've failed to grasp how many people were suffering from the "disease" of the spammer on your network. Those people no longer have to worry about the spammer on your network. The fact that you (presumably not a spammer) get your mail rejected from their network (along with the spammer) is not their problem. It's your problem, and you should bloody well make it your ISP's problem.

      If you were receiving all the email sent out by the abuser on your network, you'd probably get a better perspective on the scale of the "disease" - and realise that the "cure" in question is a perfectly reasonable one.

      BTW: you still have the choice to "simply" delete/filter the spam you receive ;-). And if you think finding and using a decent webmail provider is arduous, then... well... I think the word "arduous" must mean something very different in your part of the world.

      Pete.
    9. Re:The problem with lists like SPEWS... by Zeinfeld · · Score: 4, Insightful
      I'd like some sort of distributed list, with a web of trust type mechanism, and an indication of the spam/email ratio.

      The problem with that type of scheme is that it is really difficult to make it work when there are people trying to game the system. Try to apply the slashdot moderation system direct to political discussion and you will have teams of partisans desperately moderating down the other side. Moveon.org has been blacklisted by lists after a group of republicans organized a campaign where they subscribed to the list then reported it as spam. Same probably happens to republican lists (although grass roots does not really figure the same in their model)

      On the IRTF ASRG list Vernon Schryer used to make a point of reporting posts he simply did not like as 'spam' to his distributed mod list scheme. If the designer of a scheme can commit that type of abuse in that type of forum there is little hope for the scheme being scalable.

      SPEWS is such a cartoon cutout operation that I seriously wonder if it is being run by a spammer, certainly we will find at least one blacklist where this is the case. Think about it, other spammers are your competition, both for eyeballs and for the merchandise. So run a service that blocks their mail but not your mails when you choose.

      Quite a lot of the anti-spam technologists have played both sides of the fence. Folk who are unsuccessful at selling their anti-spam scheme frequently turn to spam to sell it.

      Early on the ASRG list appeared to have been the target of a campaign to destroy the list by Vernon et al. It might just be that they are complete jerks or the gratuitous insults aimed at every practical suggestion may have been made with a purpose. It felt like there was a purpose, be as unpleasant as possible and hope you can drive people away.

      What we have to start doing is to turn the issue around, instead of trying to spot bad mail, look for the good stuff. Mail that is genuinely from Hotmail is pretty unlikely to be bulk sent because of their rate limiters. So it is pretty likely to be genuine. Schemes like SPF and Yahoo! Domain Keys are the way to go. Couple these with an accreditation scheme that can report the reputation of the sender as well and you have a scheme that can identify good mail with very high accuracy. If 50% of mail is authenticated then the spam filters can be twice as strict on the remaining 50%.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    10. Re:The problem with lists like SPEWS... by October_30th · · Score: 3, Insightful
      Look, there are several levels of problems here caused by spam:

      1) Network's infrastructural problems due to heavy traffic caused by spam. To be brutally honest, that is not my problem. I pay my ISP for a service and they pay for their access to national/international feeds. If spam is such a problem, the providers/backbones as large national level entities should fight the spammers by legal and technical means. If they can't, then they should lobby the governments. If it means that my monthly ISP bill will go up, fine by me. If the ISPs and governments cannot help, nothing will. Vigilantism like SPEWS will only help to speed up the fall of e-mail system because it breaks down the means of communications deliberately.

      2) Spam in someone else's mailbox. Couldn't care less. Filter it or get a monkey to push the delete button, I don't care. What I care about is that my legit e-mail gets delivered and received by people. Spam doesn't block it; SPEWS and the idiot admins who use it do.

      3) Spam I get in my mailbox. Sure avoiding the pure raw spamfeed is nice, but less draconian filters can take care of it. I'd rather have pure unfiltered, unscreened feed from an ISP that doesn't care if it signs up spammers and filter it rather than begin the game of "let's see if I have to switch my ISP again today because SPEWS listed it and the idiot sysadmins at the place I do business with use SPEWS".

      Suggesting that I use "a decent webmail provider" is ridiculous because, as SPEWS people readily admit, this particular webmail provider could end up blocked any day no matter how draconian their user vetting process and TOS are. No, the only option would be to embark on the time and resource consuming "ok, my isp got blocked, time to change the provider" process. After all, that's what SPEWS has been telling me: "Don't give a bad ISP any money but switch and tell them why you did it".

      --
      The owls are not what they seem
    11. Re:The problem with lists like SPEWS... by Anonymous Coward · · Score: 1, Insightful
      *I* block your email. The recipients choose to block your email.

      Just to let you know. I have made it a habit to complain to the quality of service/feedback/pr department of every institution and business that has SPEWS blocked my e-mails.

      I'll be honest with you, I wasn't simply complaining, I was threatening to stop doing business with them. I'm sure you as a SPEWS-fanboy understand that fighting a disease like this requires drastic measures.

    12. Re:The problem with lists like SPEWS... by October_30th · · Score: 2, Insightful
      Even if you do, finding a new ISP or smarthost is a five minute job. Whereas deleting and filtering spam takes millions of people a significant amount of time every single day.

      Nice spin: five minutes for me and a significant amount of time for the millions.

      Now, come on. Do you really think that it's not easier just to let your e-mail client's learning filter go through your mail after which you delete the junk with one press of a delete key? That's how it works for me.

      Only if you do business with people who do business with spammers. If you don't, you won't have this problem.

      Ok. I give up. One can't argue with a fanatic.

      --
      The owls are not what they seem
    13. Re:The problem with lists like SPEWS... by Pete · · Score: 1, Insightful

      Okay... October_30th:

      Look, there are several levels of problems here caused by spam:

      1) Network's infrastructural problems due to heavy traffic caused by spam. To be brutally honest, that is not my problem.

      Erm. Well, yes it is when your monthly ISP bill goes up.

      If it means that my monthly ISP bill will go up, fine by me.

      Okay, it's gone up by $1000 per month. Still fine by you?

      The point I'm trying to make here is that you're casually presuming that "hey! doesn't matter, it's just a few bucks here or there." But even if it's only five bucks a month - hell, even if it's only one buck a month, that's money you're paying directly out of your pocket to your ISP so they can deal with problems caused by spammers. Money that you shouldn't have to be paying - hell, you didn't cause the problem, why on earth should you be paying for it?

      And your ISP is supporting spammers. And you don't see a problem with that????

      If the ISPs and governments cannot help, nothing will. Vigilantism like SPEWS will only help to speed up the fall of e-mail system because it breaks down the means of communications deliberately.

      The second sentence is just twaddle, so I'll ignore that. But the first sentence - well... the fundamental idea of the SPEWS form of social pressure is to persuade "good" ISPs to shun "bad" ISPs, thus providing some form of punishment for bad ISPs that allow their network to abuse other parts of the Internet. I mean, SPEWS is nothing without the ISPs that use it to block email. And those ISPs use it for a reason.

      So there are ISPs that are helping to draw the line and say "Anything beyond here is just bad behaviour, and we'll shun you," if that makes you feel any better. Though it probably doesn't. :)

      2) Spam in someone else's mailbox. Couldn't care less.

      Somehow I'm not surprised :). Thankfully some people have a greater sense of social responsibility than you, and do care enough to do something about it.

      BTW, it's wonderful to see the phrase "couldn't care less" instead of the nonsensical "could care less" as used by far too many slashdotters. :-)

      Filter it or get a monkey to push the delete button, I don't care. What I care about is that my legit e-mail gets delivered and received by people.

      "Other people's problems don't matter, only my problems matter. If they have to continue suffering tidal waves of spam so that I don't have to deal with a few rejected emails, so be it. I'm far too important to waste valuable hours setting up an account with a new ISP, or valuable minutes organising an alternate smarthost, or valuable seconds setting up a backup webmail account."

      Sigh. I mean, seriously dude. Listen to yourself. I'm exaggerating (just slightly) for effect, but that's essentially what you're saying!

      3) Spam I get in my mailbox. Sure avoiding the pure raw spamfeed is nice, but less draconian filters can take care of it.

      Heh. The filter-only crowd always say that. And for a small-scale email address that isn't on every spammer database on the planet, it might even be true. For one person. At the moment. Let us know how well it's going in a year's time.

      I'd rather have pure unfiltered, unscreened feed [...]

      Absolutely fine, knock yourself out. If you want a pure, unfiltered, unscreened, untouched mail feed, more power to you. Go for it. I'm sure you can find an ISP that will provide such a feed.

      [...] from an ISP that doesn't care if it signs up spammers [...]

      ...But you sure as hell don't need to go to a spammer's ISP to get it.

    14. Re:The problem with lists like SPEWS... by Cranx · · Score: 2, Insightful

      This isn't a "fine cure." This punishes innocent people. It's the equivalent of shooting your gun into a crowd of people to stop a thief and then telling everyone "well you weren't helping either." It's HIGHLY irresponsible.

  2. Am I my keeper's brother? by ObviousGuy · · Score: 5, Insightful

    If your ISP is also providing spam services to spammers, do you really want to be grouped in with them?

    I think the black girl behind me at the screening of The Ring said it best. "Get the fuck out of there!"

    Everyone loses when you patronize businesses who willingly accept spammers. Don't give them your money. Do it and feel good about yourself and for the good of your subscribers.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Am I my keeper's brother? by Nazmun · · Score: 2, Insightful

      Your isp can be totally against spamming and enforce it heavily... You'll still get blocked out because there are always people who will register a server or hosting account and then spam as much as possible till they get shut down. Spews will then block an entire ip block in which the offending ip belongs and then both your isp and yourself will suffer.

      --
      Hmmm... Pie...
    2. Re:Am I my keeper's brother? by WegianWarrior · · Score: 5, Insightful

      By that logic virtually all the major ISP should be blacklisted and all real users should find little mom and pop operated providers.

      Think your logic all the way thru. If I sign up with what appears to be the best provider for me (or even the only one available), am I to blame because some stupid git signs up for a free trial and sends out spam? Should the post office refuse to deliver mail sent from your city because there is a company there that sends out junkmail?

      Blocking off entire subnets may be a "solution" to stopping spam, but so is taking a pair of pliers and cutting your network cable...

      --
      Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
    3. Re:Am I my keeper's brother? by Dimensio · · Score: 3, Insightful

      If I sign up with what appears to be the best provider for me (or even the only one available), am I to blame because some stupid git signs up for a free trial and sends out spam?

      No. Fortunately, no sane DNSbl (including SPEWS) will list an ISP because "some stupid git signs up for a free trial and sends out spam". ISPs only get listed in SPEWS after refusing to terminate repeat spammers, or sign up a known "block on sight" spammer like Alan Ralsky.

    4. Re:Am I my keeper's brother? by houghi · · Score: 2, Insightful

      By that logic virtually all the major ISP should be blacklisted and all real users should find little mom and pop operated providers.

      That could indeed be an option. You are blacklisted or at least on a secondary list, until you have proven that you do take serious action against spammers.

      Blocking off entire subnets may be a "solution" to stopping spam, but so is taking a pair of pliers and cutting your network cable...

      The advantage of blocking the IP is that the spam will not be sent whereas when you cut your network cable, the spam is still sent. You are correct when you have only one provider to choose from. The majority however is able to take another when they really want to.

      Stopping spam is not about whether we should use this method OR that method. It is about using ALL methods at the same time. Block their ranges, sue them, hunt down their customers, put them in tar and feathers, drop their mails with SpamAssassin, go after their providers. All actions, within the law, are good to reduce the amount of spam.

      When I read about anti spam measures here on /., there is always someone that says: that will not work, because ... and he will be right. Doing nothing also does not work. A combination of all these things might work. What have we got to lose?

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Am I my keeper's brother? by Zak3056 · · Score: 3, Insightful

      If your ISP is also providing spam services to spammers, do you really want to be grouped in with them?

      Not particularly, but what's my alternative? Buy myself out of the contract I have with my ISP? Then pay another ISP a "setup fee" along with entering into another contract, just so in a few months I can repeat the whole process when THEY get listed by SPEWS? Some of us (and I'm talking about small businesses here, not home users) can't afford to just throw away thousands or tens of thousands of dollars because our ISP hosts spammers.

      --
      What part of "shall not be infringed" is so hard to understand?
    6. Re:Am I my keeper's brother? by Zak3056 · · Score: 2, Insightful

      In future ISP contracts, make sure there is a clause stating that you can terminate the contract (maybe even have them pay you a penalty fee as well) if the ISP allows spam to be sent from their networks, causing an interruption in service for you.

      Maybe if I'm a large webhost buying multiple DS-3s, or a multi-site company that is building a fairly large voice/data WAN, I have that kind of bargaining power. Nobody is going to expose themselves to the liability you suggest above (i.e. penalties) for a single T1.

      --
      What part of "shall not be infringed" is so hard to understand?
    7. Re:Am I my keeper's brother? by wowbagger · · Score: 2, Insightful
      And what happens when they block the /16 or /12 where your small ISP resides, what do you do?


      Well, let's see. First of all, you are no WORSE off than if they block the /16 or /12 you are on under $BIG_ISP.

      Secondly, since SPEWS blocks unresponsive ISPs, you can call $SMALL_ISP and raise hell, and likely be listened to far more than if you call $BIG_ISP and raise hell.

      Third, since $SMALL_ISP is more likely to be SEVERELY affected by having a /16 blocked, they are FAR more likely to respond and correct the problem than $BIG_ISP for whom a /16 block is a flea bite.
  3. Never use blocklists to block by fo0bar · · Score: 4, Insightful

    This is a perfect example of why you should never just arbitrarily block email because it comes from an IP on a list. Instead, programs like SpamAssassin are useful because they use blocklists as a factor, one among many, in determining whether to treat a message as "spam".

  4. Problem is using RBLs not just as advisory by Anonymous Coward · · Score: 3, Insightful

    The problem with RBLs is how people use them. There are actually ISPs who block all email from IP (ranges) in an RBL (even to postmaster or abuse!). That is clearly wrong and lazy.

    RBLs should be used as they were intended. As advisory to extra check email against. A good idea is to add RBLs to e.g. SpamAssassin and assign them a +2 score. Then you can take into account other things, like the headers and body of the email to determine if it actually counts as spam. That works very well. But blocking all email just because it comes from a certain IP on some random RBL is stupid.
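
The difference between the two policies discussed in the comments above (a blocklist hit as an outright reject versus one weighted factor among several), as an added example that is not part of the original thread. The zone name `bl.example.org`, the listed range, the sample messages and the content rules are constructed for illustration; the +2 weight comes from the comment above and the 5.0 threshold mirrors SpamAssassin's default required score.

```python
import ipaddress
import socket
from dataclasses import dataclass

# Hypothetical zone and constructed listing data, so the example runs offline.
ZONE = "bl.example.org"
LISTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed wide listing

RBL_SCORE = 2.0                          # advisory weight from the comment above
SPAM_THRESHOLD = 5.0                     # SpamAssassin's default required score
ROLE_ACCOUNTS = {"postmaster", "abuse"}  # must stay reachable for complaints


@dataclass
class Message:
    client_ip: str
    rcpt: str
    subject: str
    body: str


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Name a DNSBL client looks up: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def offline_resolver(qname: str) -> bool:
    """Stand-in for DNS: True if the queried address is in LISTED_NETS."""
    rev = qname[: -len(ZONE) - 1]
    ip = ipaddress.ip_address(".".join(reversed(rev.split("."))))
    return any(ip in net for net in LISTED_NETS)


def live_resolver(qname: str) -> bool:
    """Real lookup: an answer in 127.0.0.0/8 means listed, failure means not.
    Lookup errors fail open so a dead list cannot reject all mail."""
    try:
        return socket.gethostbyname(qname).startswith("127.")
    except OSError:
        return False


# Constructed content rules (not SpamAssassin's own rule set).
CONTENT_RULES = [
    ("SUBJ_ALL_CAPS", 1.5, lambda m: m.subject.isupper()),
    ("BODY_CLICK_HERE", 2.0, lambda m: "click here" in m.body.lower()),
]


def hard_block_policy(msg: Message, resolver=offline_resolver) -> str:
    """The practice the thread criticises: any listing rejects the connection,
    so nobody ever sees what the refused message contained."""
    listed = resolver(dnsbl_query_name(msg.client_ip))
    return "reject" if listed else "deliver"


def advisory_policy(msg: Message, resolver=offline_resolver):
    """Blocklist hit adds RBL_SCORE; content rules decide the rest.
    Returns (verdict, score, names of rules that fired)."""
    if msg.rcpt.split("@", 1)[0].lower() in ROLE_ACCOUNTS:
        return ("deliver", 0.0, ["ROLE_ACCOUNT_EXEMPT"])
    score, hits = 0.0, []
    if resolver(dnsbl_query_name(msg.client_ip)):
        score += RBL_SCORE
        hits.append("RBL_LISTED")
    for name, weight, rule in CONTENT_RULES:
        if rule(msg):
            score += weight
            hits.append(name)
    verdict = "spam" if score >= SPAM_THRESHOLD else "deliver"
    return (verdict, score, hits)


# Constructed sample traffic.
LEGIT = Message("192.0.2.25", "alice@example.net", "Invoice for March",
                "Hi Alice, the invoice is attached. Regards, Bob")
SPAM = Message("192.0.2.77", "alice@example.net", "LIMITED OFFER",
               "Click here to claim your prize")
SPAM_UNLISTED = Message("198.51.100.9", "alice@example.net", "LIMITED OFFER",
                        "Click here to claim your prize")
ABUSE_REPORT = Message("192.0.2.25", "abuse@example.net", "Spam from your network",
                       "Headers of the offending message follow.")

if __name__ == "__main__":
    for m in (LEGIT, SPAM, SPAM_UNLISTED, ABUSE_REPORT):
        print(m.client_ip, m.rcpt, hard_block_policy(m), advisory_policy(m))
```

With the constructed data, the hard-block policy refuses both the invoice and the abuse report from the listed range, while the advisory policy delivers both and still classifies the listed spam sample as spam.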

  5. Switch hosts by Trillan · · Score: 1, Insightful

    By hosting on NAC.net, they are providing support for an ISP that supports spammers where it counts -- in the pocketbook, with money.

    Find a new host and quit whining.

  6. Change providers or put up with it by dmiller · · Score: 4, Insightful

    The SPEWS level 2 list is pretty aggressive, so much so that I can't imagine it being used for blocking by commercial operations of any significant size. Individuals are another matter - do you really want to make a fuss over a few people who don't want to receive your mail?

    That being said, netblocks get listed for a reason. SPEWS does a pretty good job at providing a history of abuse. If this proves to be true, then you should choose a different provider - I wouldn't want my money going to someone supportive of spam operations.

  7. A couple of clarifications by Halo1 · · Score: 5, Insightful
    (I'm not SPEWS and don't know anyone at SPEWS). That said:
    • dslreports.com has address 209.123.109.175. That address only appears in a level 2 listing. Very few people use level 2 listings, the "real" SPEWS are the level 1 addresses. What level 2 really means, is explained in their FAQ (Q22).
    • SPEWS did not add dslreports.com to their blacklist (search the linked page for dslreports, it's not mentioned). This does not make it less annoying for the owners of dslreports.com obviously, but there are differences. E.g., if a spammer moves, the blacklisting will be moved too, for dslreports.com it obviously wouldn't (no, that doesn't mean I think dslreports should simply move and shut up, I know things like that cost money).
    • The blacklist that SPEWS publishes is an *opinion*. Everyone is free to follow their opinion or not and use it to (over-)protect their property or not. If an ISP uses it (or any other blacklist) and doesn't clearly inform its customers about that fact, then this ISP is at fault.
    Nevertheless, I completely agree it's sad that the spammer situation has gotten so much out of hand that people resort to this kind of carpet-blacklisting to try to force ISPs to stop their spam support (as larger ip-blocks are only added when an ISP refuses to remove its spammers, or starts moving them around to non-blacklisted IP-addresses).

    It's however pretty much the last resort that other people have to do anything about it. If an ISP does not experience any significant harm from hosting spammers (and in fact profits largely from it) and does not want to remove them because it's the right thing to do, what else can you do to tell the ISP to FOAD if you don't want to become a vigilante?

    (putting on asbestos suit)

    --
    Donate free food here
  8. Positive discrimination by Durzel · · Score: 5, Insightful

    I actually think blocking the wider IP ranges of the ISP is a positive thing, and I'm sysadmin for one, and I've been involved in a similar dispute in the past with SPEWS. To be fair in our case we were actually caught in the collateral damage and weren't even hosting the spammer in question.

    The point is, blocking a sizeable portion of the ISP's IP range inconveniences them and their non-spammy customers. It encourages them (if nothing else) to take responsibility instead of going for the cheap buck. If blocking wide-ranging ISP IP ranges means that they wake up and stop hosting spammers (or implement stricter controls) then surely that's a good thing in the grand scheme of things.

  9. Nobody seems to understand spews by Erik+Hensema · · Score: 4, Insightful

    I see lots of comments in the forum like 'spews blocked my server'. Spews did no such thing. Spews is listing their provider. That's what spews does. They list providers. Spam friendly providers.

    When your provider is listed by spews, it's time to move away. You are supporting your provider, which is supporting spammers.

    When legitimate customers move away, providers will feel that supporting spam costs them real money. They will figure it out sooner or later: the community hates spam. Really, really hates it. And the community will hate you for not hating spam.

    --

    This is your sig. There are thousands more, but this one is yours.

    1. Re:Nobody seems to understand spews by Anonymous Coward · · Score: 5, Insightful

      When your provider is listed by spews, it's time to move away. You are supporting your provider, which is supporting spammers.

      When legitimate customers move away, providers will feel that supporting spam costs them real money.


      What you may not realise is that moving elsewhere costs US real money. Money not all of us can easily afford.

      Telling people to switch ISPs because their current one is suspected of harboring spammers is like telling the people of Iraq (pre-invasion, obviously) to move away because their country was suspected of harboring terrorists. Easy to say, but far more difficult to put into practice. And the end result is that when the bombs start falling, innocent people get hurt.

    2. Re:Nobody seems to understand spews by 91degrees · · Score: 5, Insightful

      I see lots of comments in the forum like 'spews blocked my server'. Spews did no such thing. Spews is listing their provider.

      They list it on a list that is used to determine which servers to block, for the sole purpose of causing said servers to be blocked.

      Since their actions have the aim and result of blocking servers, I think your argument that they're not is somewhat lacking.

      When your provider is listed by spews, it's time to move away. You are supporting your provider, which is supporting spammers.

      When your provider uses SPEWS it's time to move away. SPEWS blocks too many legitimate emails to be worthwhile. The community hates being blocked as spam a lot more than it hates spam.

    3. Re:Nobody seems to understand spews by malchus842 · · Score: 2, Insightful

      The "we don't block email we just create a list" answer is a cop out. If they know that the main use of their list is to block email, then they know that putting an ip/site on the list will cause email to be blocked. Denying this is disingenuous.

      The problem is, that nobody knows what the content of the blocked email is. By using local filters, I can dump it all in a holding area (either personal, or company-wide depending on the filter), and review it to see the hit/miss ratio. If the SMTP connections are simply blocked, I have no clue if the mail was legit or not, and no way to find out. And since I run a business that depends on email, I cannot take the risk of simply dropping inbound email without at least a chance to review it.

      There is nothing wrong with compiling such a list, or making it available. But, SPEWS (and others) must realize (and I am sure that they do) that when their lists are widely used, they are at least partly responsible for the blocking of mail. Denying this does not change the reality of the situation.

      In the end, I don't want my ISP blocking ANY email traffic to me, since I then have no way of knowing that such traffic was blocked. SPAM is bad, but blocking email to my email address without me being able to review it is worse.

  10. Trust, but verify works well here by Snake_Plisken · · Score: 2, Insightful

    Make sure that you understand what the list is meant for, and how aggressive the list is. Some lists tell you right off of the bat that they should be used for experimental or reference purposes only, and shouldn't be used in a production environment. Talk to friends and colleagues, reference newsgroups. Start small, and see how effective your beginning measures are before increasing your efforts. Your customers and/or company depend on email, and I have seen too much legitimate traffic blocked by aggressive lists being used without proper research beforehand.

    --

    Eat recycled food - it's good for the environment, and OK for you.
  11. Re:They didn't block it by Zocalo · · Score: 3, Insightful
    We receive less than 10 spams/day across a user population of over one thousand. Spews alone is responsible for about 30% of the blocking.

    Yes, and if you were using Osirusoft's DNSBL when they decided to shut down and blocklist the entire Internet it would have accounted for the extra 10 spams a day as well. Of course, you wouldn't be getting any legitimate email either, but collateral damage is the whole point of the story, and makes your statistic a little meaningless. Do you know how many legitimate emails are being blocked? No, of course not, because that's the drawback of DNSBLs; you can't tell whether that SMTP connection you just refused was really spam, or a sales lead from a potential customer that just went elsewhere.

    Now, don't get me wrong. I'm a firm believer in the judicious use of RBLs; I use a select few directly with the MTA and have several more adding weighted scores to inbound emails via SpamAssassin. However, it has been my experience that using too many blacklists is a waste of time; the spammers will most likely be on multiple lists anyway and you just increase the chances of getting false positives like DSL Reports. Obviously it's a YMMV issue, but for me SPEWS was also responsible for the vast majority of hits on the webform link I provided in the reject message to capture false positives. Note the past tense; I stopped using SPEWS a *long* time ago because of this, including with SpamAssassin, and I still get no spam in my inbox.

    --
    UNIX? They're not even circumcised! Savages!
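
The trade-off in the comment above (rejecting at the MTA on any single list versus letting each list add a weighted score), as an added example that is not part of the original comment. The zone names, weights, threshold and listings are constructed, and `fake_resolve` is an offline stand-in for the DNS A lookup a real MTA would perform.

```python
import ipaddress

# Constructed listings for three hypothetical DNSBL zones (documentation IP ranges).
# "wide" has escalated from one offending address to the whole /24 around it.
LISTINGS = {
    "narrow.dnsbl.example": [ipaddress.ip_network("192.0.2.17/32")],
    "wide.dnsbl.example": [ipaddress.ip_network("192.0.2.0/24")],
    "proxies.dnsbl.example": [ipaddress.ip_network("198.51.100.9/32")],
}

# Constructed weights: the list that escalates to netblocks counts for less.
WEIGHTS = {
    "narrow.dnsbl.example": 3.0,
    "wide.dnsbl.example": 1.0,
    "proxies.dnsbl.example": 2.5,
}
THRESHOLD = 3.0  # reject when the summed score reaches this value


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(qname):
    """Offline stand-in for an A lookup: '127.0.0.2' if listed, None for NXDOMAIN."""
    for zone, networks in LISTINGS.items():
        suffix = "." + zone
        if qname.endswith(suffix):
            reversed_octets = qname[: -len(suffix)].split(".")
            ip = ipaddress.IPv4Address(".".join(reversed(reversed_octets)))
            return "127.0.0.2" if any(ip in net for net in networks) else None
    return None


def hits(ip, resolve=fake_resolve):
    """Zones that list this connecting address."""
    return [zone for zone in WEIGHTS if resolve(dnsbl_query_name(ip, zone))]


def reject_on_any(ip):
    """Policy A: refuse the SMTP connection if any configured list has a hit."""
    return bool(hits(ip))


def weighted_score(ip):
    """Policy B: each hit only contributes its weight to a total score."""
    return sum(WEIGHTS[zone] for zone in hits(ip))


def reject_weighted(ip):
    return weighted_score(ip) >= THRESHOLD


def compare(senders):
    """Return {ip: (hit zones, policy A verdict, policy B verdict)}."""
    return {ip: (hits(ip), reject_on_any(ip), reject_weighted(ip)) for ip in senders}


if __name__ == "__main__":
    # Listed sender, an unrelated host in the same /24, and an unlisted host.
    for ip, row in compare(["192.0.2.17", "192.0.2.80", "203.0.113.5"]).items():
        print(ip, row)
```

The neighbour at 192.0.2.80 is refused under policy A purely because of the /24 listing, while under policy B the same hit stays below the threshold and the message goes on to content scoring.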
  12. Don't understand by tehanu · · Score: 2, Insightful

    First thing, it doesn't seem as if they are blacklisted yet, only that their IP-block is on some sort of warning level before being blacklisted if their ISP doesn't do anything about spammers.

    Secondly, I don't understand why people blame SPEWS. All SPEWS does is provide a list of what they think a black-list should be. They are not forcing anyone to use it. They are not a government body or even a standards organisation. They are not trying to trick anyone with false promises or advertising a dangerous product. Obviously the people who are using it agree with its philosophies (ie. collateral damage) and believe that the false positives are worth it to get rid of the spam. ISPs that implement it are businesses first and foremost. If they were losing more customers due to complaints about false positives than to complaints about spam they would have disabled it ages ago. As for complaints that SPEWS have too much power, they get the power by people who run ISPs deciding to voluntarily and of their own free will give it to them. They don't dictate terms to anyone, they don't force anyone to use their blacklists. SPEWS is a symptom of the problem not the cause. Just like fevers and boils are often the body's attempt to get rid of the disease. Mighty inconvenient but useful. The cause is spammers and ISPs that support them. Managing to wipe out SPEWS is like popping smallpox boils. It does nothing to get rid of the disease. The question is whether SPAM is a disease that SPEWS can get rid of or whether the disease is so severe that the fever is useless and the inconvenience was all for naught.

    I think the issue is that the problem with spam is so huge that any anti-spam action you take is going to cause problems for someone somewhere. No approach is NOT going to cause problems. Legal approaches either seem to legitimise spam or add more government control and often seem to be useless with little teeth anyway. Technical approaches like changes to email protocols seem to be going nowhere quickly and take lots of money and inconvenience to implement. If people frustrated with the slow technical changes start implementing different protocols we could end with a Balkanisation of email. Making people pay for each email sent will cause big problems with people who legitimately need to send out mailing lists. End user filtering tends to be more complex than the average user likes and doesn't address the problem that the email still costs money to the ISP (and hence to you). Blacklists tend to cause collateral damage. It's like the solution to any major problem - someone somewhere is going to have to give. Either you allow the government to exert more control over the internet, you are willing to spend a lot of money fixing the problem technologically or you accept that blacklists are going to cause collateral damage. What are people willing to sacrifice to get rid of spam, because you are going to have to sacrifice something because it is the legal and technical status quo that allows it to happen. Just like if you want to get rid of pollution, you are going to have to sacrifice something because it is our current way of life that causes the massive pollution problems that exist today.

    Personally I think the best approach would be for spammers to all get struck by lightning and suffer in the 7 Hells for the rest of eternity but somehow I doubt that will happen.

  13. Re:Abuse. by Otto · · Score: 3, Insightful

    they apparently owe nobody a duty of care to ensure only the "bad people" are blacklisted.

    Of course they do. It's a reputation thing. If they were to list IPs at random, then nobody would use the list. That people do use the list is a sign that they don't act carelessly in listing IPs in there. SPEWS is a little more strict than most lists of this nature, but then some ISPs want that. It's freedom of choice, baby.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  14. Re:They didn't block it by geminidomino · · Score: 2, Insightful

    If they are stuck in a contract with NAC, then they need to talk to their legal department. NAC is blocked, and thus DSLR's connectivity is reduced, because of NAC's own negligence. It's no one else's fault, and no one else's problem.

  15. Insightful? by RMH101 · · Score: 2, Insightful
    No! The fly's dead, and the other flies know that if they step out of line, they're dead too. And their kids.
    We've tried relaxing it, using smaller netblocks and it DOESN'T PROVIDE ENOUGH INCENTIVE TO WORK. If you get blocked because your ISP's blocked as they're an RFC-ignorant Spamhaus, then you'll take your business elsewhere. If you can't take it elsewhere then you'll shout and maybe change their minds.

    No ISPs forced to use SPEWS: if they do, then it's the ISPs servers the spam's clogging up, and their choice to block based on any criteria they want to.

    1. Re:Insightful? by Endive4Ever · · Score: 5, Insightful

      People may begin to "start taking their business elsewhere" when a gestapo-friendly ISP just aligns themselves with an anti-spam outfit rather than providing the service the customer paid for.

      And yes, I know I'll evoke a squeal of hysteria for even hinting that any form of anti-spam zealotry could be dubious.

      --
      ---
    2. Re:Insightful? by Anonymous Coward · · Score: 1, Insightful

      Too many SPEWS supporters fail to recognize the bottom line of this, which is that like it or not they do have a responsibility in this.

      Sure, the common argument is that no one is FORCED to use SPEWS. However, the childish measures taken because ISP x doesn't act the way you wish is nothing short of sophomoric.

      SPEWS is far from being any semblance of a professional organization, and frankly I would tell anyone I know to NOT use their list.

      Second rate hobbyists with nothing better to do. There are far better systems out there.

      K.

    3. Re:Insightful? by brianlmoon · · Score: 2, Insightful

      No ISPs forced to use SPEWS: if they do, then it's the ISPs servers the spam's clogging up, and their choice to block based on any criteria they want to.

      There is a problem with this mindset. You assume that every sysadmin that uses an anti-spam tool reads every comment about how the list/lists are created. What happens in reality is more like this:


      to: some list
      from: naive sys admin
      subject: help me stop spam

      Does anyone know of a good way to stop spam on my servers. My boss is mad.

      --------

      to: naive sys admin
      from: other sys admin
      subject: Re: help me stop spam

      I use SPEWS. It works great.

      --------

      to: other sys admin
      from: naive sys admin
      subject: Re: help me stop spam

      Wow! that stopped tons of spam. Thanks.


      I see that all the time on mailing lists. The people have no idea what they are blocking. They are depending on the list suppliers to be responsible.

      FWIW, I am currently being blocked by one of these type lists for similar reasons. An internet marketing company has 3 ips in the C-Class in which we have 64 ips. SPEWS has blocked the entire C-Class. Sucks cause for all I know the marketing company has legitimate addresses. You know, dumb people that put their email address places and don't read fine print. They deserve the spam, IMO.

  16. Deliberate abuse by sp by MtlDty · · Score: 4, Insightful

    Maybe I'm just being paranoid. But isn't it entirely possible that 'professional spammers' could set up mail relays under a subnet of highly regarded anti-spam sites?

    This would mean that the spammers would get blacklisted, but much to the spammers' glee the anti-spam sites (in this case DSL Reports) also get blacklisted. It has a double effect of the anti-spam site being blacklisted, plus the anti-spam site (DSL Reports et al) owners arguing for the blacklist hosts (SPEWS) to be more lenient.

    It wouldn't surprise me if 'professional spammers' were acting this way to protect their own interests.

  17. Re:Bah... by warrax_666 · · Score: 2, Insightful

    "Yeah, uh, we put a lot of innocents in jail, but on the bright side we did also put a lot of criminals in jail."

    You need to come up with something better.

    --
    HAND.
  18. Why SPEWS is bad by Lord Bitman · · Score: 2, Insightful

    There is a HUGE difference between "False Positive" and "Intentional False Positive".
    SPEWS defends their actions by saying that they cannot eliminate all False Positives, and so shouldn't try.
    However, that is a lie. SPEWS intentionally blocks legitimate e-mail for the purpose of causing people to complain to their ISPs to the point that their ISPs complain to their provider, to the point that a legitimate customer who is not violating any terms of service is asked to change their practices or move to another region of the country.
    Is this effective? Of course not. Certainly, someone who uses the list will not receive as much spam, as well as blocking much legitimate mail at the same time. But SPEWS is not about blocking Spam, it is about trying to get high-level service providers to violate their contracts.
    Any list you use is going to have False-Positives. The difference is that SPEWS does it on purpose.

    SPEWS claims that they are innocent, because they don't block anyone. This is a lie. They publish lists which are in turn downloaded by automated scripts and are applied to e-mail servers as filters. They are aware of this. Their lists have no other purpose. Remember when SPEWS blocked everybody, and many automated scripts did the same?

    When you publish a list which has no other purpose, then tell people how to configure their servers to automatically download and use the list, you Are blocking people. It's entirely possible for someone to exist who is stupid enough to not see the connection between publishing an IP to a list which is used by many automated servers which you have helped to set up for the purposes of blocking the IPs on the list, and the subsequent blocking of that IP. Those people don't have anything to do with SPEWS, though.

    There is more, but I need to head off. I may post again later.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  19. Re:A different approach to a block list by gregarican · · Score: 3, Insightful
    There's another effective cross platform tool that I'm hooked on. It's called Spambayes and uses similar Bayesian filters. I would say that when the thresholds are correctly set it filters out about 99% of the spam that's out there. Even the haiku, random word, etc. variety. The more spam you get the better the Bayesian analysis becomes. If you're a Microsoft Lookout user you can just have the Junk Mail folder automatically empty out every x number of days and won't have to worry about most spam again.

    Looking at all of the broad-based effects that spam has --- added network traffic, open SOCKS proxy exploits, open SMTP relay exploits, trojan host takeovers, lost business time/productivity, added storage allocation --- it really is high time that the standard governing organizations expand the SMTP protocol into a stack that includes more sophisticated mechanisms to ensure message integrity. A sender verification token of some sort. Be it a PKI check, a site certificate, a challenge/response between sender and receiver mailhost, etc.

    Since supposedly the spammers can hide their tracks well perhaps whatever commercial product being spammed should be targeted by the authorities. The websites and entities in question would certainly be less likely to hook up with spammers then I would think.

  20. It's not about spam, it's about TRUST by satch89450 · · Score: 5, Insightful

    OK, for those of you who read NANAE, this is old news, but for the rest of you...

    I'm a sysadmin who worked very hard to get a /24 listed in SPEWS delisted. The netblock was in the list because a customer of ours decided to provide DNS service to a known and notorious spammer. We earned the listing, period. I killed the bastard, reported the fact, and got the listing lowered to a zero, historical. In the process of doing that job, I learned a lot about the whole blocklist thing and realized that even the operators didn't see what they are really doing. They think it's about spam. Wrong.

    It's not about spam. It's about TRUST

    A listing in a recognized blocking list is a vote of "no confidence" in the IP owner's ability to run its network, to make its users -- ALL its users -- conform to the Internet society's accepted code of conduct.

    Follow along with me a moment, and you'll see why I think this way. First, the Internet is, by definition, a "network of networks", a large anarchy run by a very large number of system administrators (greater than 10,000) who make private decisions about who and how they allow to access their bandwidth, systems, and services. The Internet Society and its sub-units provide a forum to publish community notes, the Requests for Comments, which are nothing more and nothing less than agreements for how to play nice in this employee-owned swimming pool.

    The Internet community has decided on standards of behavior, and each system operator trusts every other system operator in the pool to conform to the rules of society, and to ensure that the users conform to the community rules -- not unlike CC&Rs in a neighborhood development that form part of the purchase contract of many homes and condominiums. Some operators have become lax in their expected enforcement of the rules on particularly not-nice people, the ones who break the rules in order to win money, or some other benefit. There are enough of these Internet con men out there that the community coined a word to describe them: "spammers."

    Back in the NSF days, a lapse in administration resulted in disconnection, quick and swift, so the system administrators, up and down the line, toed the line to avoid being banished. In the Commercial Internet that replaced the NSF Internet, personal greed gets in the way of this remedy, and so the disdain of social customs is left largely unpunished by the society.

    Just about every system operator who runs a mail service with more than three users has been yammered at by those users: "WE WANT LESS SPAM -- DO SOMETHING." Complaints to ISPs who take spammer money go largely ignored, and appeals "upstream" -- to the connection providers and to the Tier One networks -- have also gone largely ignored. So the small administrators started to implement mail filters and blocks on "spammy" IP addresses in the hopes that they can block the crap and thus appease their users.

    Spammers countered by having their providers move them around in IP space, and by using techniques to "get around" the content filters. It's become a war, frankly. First there were keyword filters, and so spammers started to "do things" to their messages, like replace the letter 'o' with the digit '0' -- you've all seen the tricks. Hash identification of bulk messages was thwarted by inserting random nonsense text. Learning filters are poisoned by spammers injecting random words. And so on and so on. In addition to these content-based counters, spammers also steal resources of innocent people: open mail relays, open proxies, and hijacked Web scripts like formmail.pl, so that the wrong person gets blamed for their flood of commercial feces.

    What the block-list people decided is that having each of the 10,000 to 100,000 system administrators deal with this individually was eating up too much time, and there was this nifty thing already in place that could be used to reduce the system overhead of id

    1. Re:It's not about spam, it's about TRUST by djeaux · · Score: 4, Insightful
      Back in the NSF days, a lapse in administration resulted in disconnection, quick and swift, so the system administrators, up and down the line, toed the line to avoid being banished. In the Commercial Internet that replaced the NSF Internet, personal greed gets in the way of this remedy, and so the disdain of social customs is left largely unpunished by the society.
      This is perhaps the most insightful thing I've read on /. (or anywhere else) so far today. It is a good history lesson. It illustrates the difference in a strict society based on rules & an open society based on profit.

      We like to talk about the "good old days" of the internet as "Wild West", but we forget that the town marshal, er, admin, could shoot down anybody who got out of line & send them straight to Boot Hill, no questions asked.

      I'm not sure I'd attribute all our problems to the commercialization of the internet more than how the internet was commercialized.

      I don't mean this to start some "Soviet Russia" vs "capitalism" flamefest. Many capitalist enterprises have based their success on following rules other than the profit-loss statement. I don't know why a "rules-based" (pun loosely intended), socially-conscious system wouldn't work for an ISP. It might even attract honest customers.

      --
      "Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
  21. Re:More accurately... by That's Unpossible! · · Score: 4, Insightful

    And this lovely idea is clearly working wonders.

    How long has SPEWS been "in business" ... and how many complaints do you guys still have coming from legit people who CAN'T just up and move to a different provider?

    You know, some of us are trying to do legitimate business on the internet. It's not like we have a friggin dialup account and can just pick someone else. The process of moving a business from one provider to another, especially if the provider is co-hosting your servers, is quite involved and usually involves a contract that can't easily be broken without penalties.

    SPEWS BLOWS.

    --
    Ironically, the word ironically is often used incorrectly.
  22. SPEWS == the wrong way by Ledskof · · Score: 4, Insightful

    Here is a website detailing basically what happens with SPEWS:
    http://www.satlug.org/~kjar/spews/

    My company has had pretty much the exact same experience.
    Anyone using SPEWS is either lazy, ignorant, or could care less about the right way to do things.
    In other words, just don't use SPEWS. Use ANY list but SPEWS.

    --
    This is my sig. The post is over.
  23. That's funny by NineNine · · Score: 3, Insightful

    Even if you do, finding a new ISP or smarthost is a five minute job

    5 minutes? Sure, then contact me, and I'll pay you for 5 minutes' worth of work to move all of my co-located servers to a new ISP. You have no idea what you're talking about.

    1. Re:That's funny by NineNine · · Score: 1, Insightful

      I don't care if I'm selling porn or holy water. Business is business. SPEWS is interfering with my very legitimate, legal business. If that business was large enough, I'd have a lawyer deal with them, since they are interfering with interstate commerce, which is generally considered fraud punishable by treble damages plus legal fees. As is, it's *just* under the threshold where it's worth my time and money to deal with those people. I've got a workaround in the meantime.
      And, no "crap" comes out of my servers. That's the whole point, dim bulb. I don't spam, yet I get punished for it.

  24. A More Sensible Solution by KalvinB · · Score: 3, Insightful

    Instead of blocking spammers, just filter out the links they include in e-mails. They can't be obfuscated because they won't work if they are and countless spammers use the same domains to host their affiliate pages and/or ad images.

    Block one IP, you block nobody you wanted to because the spammer that sent it doesn't use it anymore. Block one URL and you've just blocked dozens if not hundreds of spams regardless of who's advertising it.

    Includes source for automating the process as much as possible

    It takes just a few minutes to go through any number of e-mails and remove all the legitimate domains that were linked to and then to update the Mercury Mail rule file.

    SPEWS is retarded and counterproductive. IPs are a finite resource and are reused constantly. You cannot realistically block spammers by blocking IPs. SPEWS has probably done more damage to the internet by its idiocy than spammers have. It's about time some of the businesses that are being hurt by them form a class action lawsuit. Or, even better, everyone should just stop using them until they pull their heads out of their asses and start being productive instead of just an internet bully.

    I found a simple solution that results in getting virtually no spam. And any spam I do get is taken care of on the next update. I have a domain that was getting lots of spams now pointing to a catchall at my home IP. Since I had no legitimate e-mail addresses using that domain it's now a very effective way to preemptively block links before a spammer tries to use them in a spam sent to one of my real e-mail addresses.

    No solution is going to make spam disappear entirely. The idea is to make it go away as much as possible so it's down to a reasonable level without causing collateral damage. SPEWS has taken the stance to act like an idiot and then blame the ISPs for SPEWS being retarded. There's no excuse or need to block IPs. Especially ones in use by people who have never sent spam.

    The best part about blocking links is that the header is meaningless. Every line of it could be forged but if the e-mail contains a link to a blocked domain it will not get through.

    Ben
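
One way to implement the link-domain filtering described in the comment above, as an added example that is not the poster's source and does not use the Mercury Mail rule format. The blocked and reviewed domain sets, the helper names and both sample messages are constructed; the body is decoded from its transfer encoding before matching, and the headers are never consulted.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed lists: domains seen in spam links, and domains already reviewed as legitimate.
BLOCKED_DOMAINS = {"pills-affiliate.example"}
REVIEWED_LEGITIMATE = {"example.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def link_hosts(raw_message):
    """Hostnames of every http(s) link in the text parts of a message."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes quoted-printable / base64
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed authority, e.g. broken IPv6 brackets
                continue
            if host:
                hosts.add(host.rstrip(".").lower())
    return hosts


def in_domain_set(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return (blocked hosts, hosts not yet reviewed) as sorted lists."""
    hosts = link_hosts(raw_message)
    blocked = sorted(h for h in hosts if in_domain_set(h, BLOCKED_DOMAINS))
    unknown = sorted(
        h for h in hosts
        if not in_domain_set(h, BLOCKED_DOMAINS)
        and not in_domain_set(h, REVIEWED_LEGITIMATE)
    )
    return blocked, unknown


def should_block(raw_message):
    return bool(triage(raw_message)[0])


# Constructed sample: plausible-looking headers, quoted-printable HTML body.
SPAM = (
    'From: "Your Bank" <security@bank.example>\n'
    "Subject: account notice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<a href=3D"http://IMG.Pills-Affiliate.example/buy?id=3D1">click</a>\n'
    '<a href=3D"https://www.example.org/about">about</a>\n'
    '<img src=3D"http://cdn.newhost.example/banner.gif">\n'
)

# Constructed sample: ordinary plain-text mail with one reviewed link.
HAM = (
    "From: alice@example.org\n"
    "Subject: meeting notes\n"
    "\n"
    "Notes are at https://www.example.org/news for anyone who missed it.\n"
)

if __name__ == "__main__":
    print(triage(SPAM), should_block(SPAM))
    print(triage(HAM), should_block(HAM))
```

Hosts returned in the second list are the ones that still need a manual look before they are added to either set.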

  25. Re:More accurately... by ahodgson · · Score: 2, Insightful

    SPEWS is very responsive. Kick the spammers off your network and they'll unlist you. It really isn't that hard.

  26. Your Rights Online by Voivod · · Score: 2, Insightful

    This story fits very well into the "Your Rights Online" category. It's my mail server, and it's my right to decide who can talk to it. As the admin of my mail server, I am participating in a boycott of spam supporting ISPs. It's that simple.

    Nobody has "the right" to call me at midnight to sell me stuff, or junk fax me, or bang on my door until I open it. Similarly, nobody has "the right" to put an e-mail into my inbox.

  27. Need more blacklists like SPEWS by vandan · · Score: 2, Insightful

    I have to agree with their actions here. This is the sort of 'collateral damage' I agree with. Asking ISPs nicely to clamp down on spammers doesn't work - after all, spammers are customers too. To get an ISP's attention, you have to talk their language: money, and the easiest way to do that is to cause their customers to move elsewhere, and the easiest ( and most defensible ) way to do that is to blacklist IP blocks belonging to the ISP. It's just cold, hard reality. Note that I'm not saying that we have to bomb the Christ out of the ISPs and kill hundreds of thousands of innocent customers and steal their computers ... that would be taking things too far!

  28. Re:How SPEWS works by Cranx · · Score: 2, Insightful

    The problem is, those notices are sent to the spammer and the ISP, and NOT the innocent bystander who shares the block with the spammer. SPEWS may go to great lengths to work with the spammer, and the ISP hosting them, but they do NOTHING for the innocent bystander. I had our mail server blocked suddenly this way one day; some spammer shared an IP block with us and one day BOOM: all of our clients were having problems with mail because SPEWS decided to list the entire block.

    I've said this before, and I'll say it again: FUCK SPEWS. I'm 1000x more upset at what they did that one single time than all the upset I have from getting junk mail combined.

    Let me put it this way. If anyone went after SPEWS and asked for donations to their legal fund to get them shut-down, I'd be a donor.