SPEWS Adds DSL Reports to Block List
Kylow writes "Last year, Slashdot publicized our efforts at DSL Reports to pursue a group of spammers who had spammed our forums. The Slashdot community immediately pitched in to help, and the publicity wiped the sites owned by the spammers off the internet. Fast-forward to today, and the popular yet often draconian block-list SPEWS has added DSL Reports to their blocklist due to the activities of other websites hosted on NAC.net. DSL Reports users are less than happy. This is hardly the first time SPEWS has been accused of going too far."
But, from the SPEWS FAQ, The Level 2 list
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
This is another example of the cure being worse than the disease.
One spammer buys a few IPs on a block with an ISP, and SPEWS takes out the entire block. Which is worse - junk email, or the thought that someone else controls if your mail gets delivered.
Far too many people depend on email for it to be potentially dropped into a black hole like this if a neighbour of your ISP happens to be a spammer.
Spam in the inbox isn't desirable either, so where does this leave us?
[ Monday is a terrible way to spend one seventh of your life. ]
Lord "not Gargamel's Cat!" Azrael
So, I understand the DSL Reports site is getting a great deal from nac.net, and this is why they don't want to switch hosts, even though nac.net is known to be spam-friendly. DSL Reports are perhaps indirectly profiting from spam because spammers are partially funding the discount. But they refuse to accept any blame in this matter, or even consider switching hosts.
I looked at nac.net's homepage and saw that they offer to charge their DSL/Dialup clients a FEE for spam filtering. So it's actually in their interest to propagate spam!
I hope someone finds out who is behind SPEWS, and publishes some names and addresses. We'll see how long that "we only publish information, it's up to you to use it how you see fit" line lasts.
NAC has been what I would call a "good supporter of internet society" offering decent services and a good location without degrading into a plain and outright capitalist corporation.
NAC.net harbors known spammers, despite repeated spam runs and subsequent complaints. This means that nac.net is not a "good supporter of internet society".
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Your words would have more credit were they not from an anonymous coward.
Give a man a fish, he'll eat for a day, but teach a man to phish...
Well this is strange, it's not like they've been added though, that's a bit of a mis-truth as NAC.net have been in SPEWS for a long time.
:) (Plus the whole damn Data Centre is in there)
Security Forums are also hosted in NAC.net so we are also 'SPEWed' which is a pain as it means anyone using an Outblaze related service doesn't get their sign up e-mail and their account will stay inactive. There is nothing you can do to get out of SPEWS, you can just moan about it.
We got around the problem by relaying all of our mail through another SMTP server run by a friend at an unnamed ISP.
We didn't report this though as we didn't really think it was slashdot worthy news.
From what I have gathered, the SPEWS philosophy isn't just indifference to collateral damage (ie, 'civilian casualties'); they actively do this damage in order to try to force ISPs into changing their habits. And they are extremely difficult to both reach and reason with; you can post on a newsgroup and hope someone pays attention to your pleas.
I don't know if the actual newsgroup replies come from people who make decisions with SPEWS, but those replies are amazingly hostile. "Oh, you're blocked? That's because you're on a crummy ISP that allows spammers. You're on a contract and can't switch? Well, you'd better start calling your ISP, because the block on your addresses isn't going away until the spammer adjacent to you does, and maybe not then, because you're a whiner."
(ok, ok, that last part was a bit of hyperbole, but it's not that far off... check dejanews!)
Admittedly, they're not killing anyone, but the tactic of deliberately attacking people who are only tangentially related to your real target is often called 'terrorism'. The consequences here are far less serious, but the fundamental tactic remains the same.... someone is doing something you don't like, and so you hurt a whole lot of people to try to force them to stop. So I don't use SPEWS.
There are a number of other, much saner, blocklists available, and the advent of Bayesian filtering is a VERY big deal. I am personally using a combination of postfix, maildrop, SpamAssassin and bogofilter, and I get amazing results; I only started training about two weeks ago, and the spam I have to deal with has dropped by over 99%. I get 1 or 2 false negatives per day, and I have had only one false positive since I started using this system. It does take a little maintenance, but it's much less annoying and intrusive than the constant attention digging through spam takes.
It is possible, in other words, to do an exceptional job of stopping spam without contributing to a form of terrorism.
WaterKeeper.ca, the site for the Lake Ontario Waterkeeper (part of Robert F. Kennedy's Waterkeeper Alliance) had the same problem, but with SORBS. WaterKeeper.ca is hosted on a server at a hosting company, shared by many other customers. The problem is, one or more of the other customers were allegedly sending spam messages, and SORBS blacklisted the whole box, leaving Lake Ontario Waterkeeper unable to communicate with many people who depend on their newsletters to keep up to date with environmental battles they are fighting.
Since 1996, I've been involved with running SMTP servers in some capacity, and I've always felt that the real-time blacklist services, while good intentioned, are a poor way to deal with the problem of SPAM. Too often, legitimate organizations get blacklisted because a few (and sometimes, only one) twit(s) forget that they've opted in to something and decide to report a message as spam. We're not talking about someone or some organization buying a mailing list here, either. In 100% of the circumstances that I've been involved with where someone has been blacklisted by an RBL, the messages that triggered the "spam" complaints have been totally opt-in newsletters - the people sending the messages haven't purchased their mailing lists, but instead, compiled them by having the users -specifically- request the content.
What makes things worse is that SORBS, for example, requests a "donation" to a charity in order to have you removed from their list. To me, that borders on extortion.
What makes it even worse still is that with SORBS blacklisting the whole box, all the other legitimate use e-mails being sent from that machine to SORBS-enabled mail servers are left out of luck. It's one thing to punish -one- "spammer", but with hosting companies as popular as they are, blacklisting an IP sometimes blacklists dozens (or even hundreds) of customers at a time, all sharing the same server. Suddenly, many people sharing a server have a problem, because one person was "spamming" and the RBL's are far too wide a net to cast over that single offender as they try to deal with the problem. When does the "service" they provide become a disservice because of the collateral damage it causes?
It's high time we abandon the clearly flawed RBL concept (and any other technological forms of dealing with spam) and start -really- putting pressure on our elected officials to enact sufficiently strong anti-spam legislation. Consider that many forms of copy protection and DRM have been cracked, replaced or upgraded, then cracked again... and you see that where there is a will, there is a way. Every time we succeed in blocking spam by some means, it takes little time for the spammers to find another way to get their junk into our inboxes.
Not until we make spam a significantly expensive proposition (in the form of fines - I personally would love to see chronic spammers tarred and feathered, but I digress), will the "internet marketing" companies finally be stopped from flooding my mailbox with their messages.
Clearly, there are issues of jurisdiction standing in the way of this... but in my opinion, if copyright laws can be shared and upheld through a multi-national treaty, why can't a similar anti-spam treaty exist?
Now, I should point out that the unrealistic elitist in me remembers when spam didn't really exist, because not everyone and their grandmother had decided to rape the internet so that they could make a quick buck. Spam just reminds me - hundreds of times a day - that for all things good in the world, humanity finds a way to take advantage of it, use it until it's ruined, then move on to the next thing... you know... kind of like what 2nd wave style industry (to reference Toffler) is doing with our planet. Spam is just the next form of pollution that
bash-3.00$ uname -a
SunOS panda 5.10 Generic sun4u sparc SUNW,Ultra-2
http://www.ifn.net/classic/rblstory.htm covers SPEWS in detail (I don't agree with all of it, but it is pretty spot on).
but you are sure to find lots more on http://www.google.com/search?q=spam+hate+spews.
Notice how it seems to be mostly innocent people complaining about SPEWS and the way it operates?
I hate spam just like the next guy, so I would recommend the wonderful SpamAssassin and use it with Spamcop.
**FREE** Track and view your phone's via CellID and/or WIFI and/or GPS
Unfortunately, this solution may not be available to everyone this affects. NAC.net is also our ISP where I work. If this escalates to where NAC is put in SPEWS' "level 1", we may end up with our company emails being dropped. Should the company switch ISPs, possibly breaking contracts?
As far as NAC itself goes... I know of at least one open mail relay controlled by the ISP itself (not some home user with a misconfigured or trojaned box). Granted, it's not listed in their MX records, and you can only use it to send mail to NAC customers, but I personally get enough spam at work through that machine I have added a spamassassin rule specifically to check for that hostname. And complaining to NAC about it a dozen or so times over the past few years has done absolutely nothing. I guess they can only blame themselves for the SPEWS listing. *sigh*
B*B,
-Smoke.
There's another effective cross platform tool that I'm hooked on. It's called Spambayes and uses similar Bayesian filters.
WPBL isn't a filtering tool itself (and hence not an alternative to Spambayes). It's a project aimed at building a list of IP addresses that send good mail and IP addresses that send spam (based on whatever bayesian filtering the client has available). The data collection is automated, so as long as your filter is accurate, then the data uploaded will be too.
I hope you have a huge advisory to your customers that states very clearly that you use a blacklist which has a very high number of false positives, due to their neanderthal mentality of 'extreme collateral damage.'
This is my primary problem with SPEWS and those who use it -- they do not publicize the fact that they endorse extreme collateral damage which results in unmeasurable false positives. Go to www.spews.org. Read their entire front page which summarizes SPEWS. Nowhere does it even hint that this is how they work. Nowhere do they tell you how hard it is to actually get off SPEWS, unlike most RBL's which have automated or semi-automated processes to clear your good name.
Even if you go and read the SPEWS FAQ, they dance around this issue. Read the answer to "Q5: Why are network addresses listed if no spam has originated from them?" They don't come right out and say it. If you don't already know how they work, it sounds as if they only block networks that "spammers set up."
You have to read all the way down to question 16 before they finally mention this little fact:
"Q16: I'm not a spammer or spam operation... heck I hate spam, but my email is getting bounced by someone using SPEWS, or I can't access a website due to SPEWS based blocking."
And their entire answer is an outright lie based on past experience.
"A16: You maybe part of the rare "inadvertent blocking" that can occur when a spam friendly provider is listed in spews. Your best option is to try and educate your provider or switch to one who is not listed in SPEWS as spam friendly. SPEWS aims to avoid listing any non-spammer or non-spam support areas if possible - we just want to stop spam."
Ironically, the word ironically is often used incorrectly.
And of course there's a variety of other blocklists, all with their own published criteria and standards.
Of course, it would be a bit nicer if the listing of each blocklist on rbls.org contained a <= 10 word summary of the blocklist's policy like the ones you gave, such as "confirmed open relays", "Republic of [South] Korea", or "spam gangs that have been TOSsed thrice for spamming". I've e-mailed my suggestion to the contact address listed on the page.
Beyond that point, it's the ISP's problem.
So if "the ISP" with a problem is the only residential high-speed ISP in the geographic area, what do you expect all the other residential users in that area to do? Move house? Go back to dial-up?
But SPEWS is not about blocking Spam, it is about trying to get high-level service providers to violate their contracts.
Or, perhaps, enforce their contracts? Most ISPs claim to have a no spam policy, if only to keep them under the radar for a longer period of time. SPEWS helps to urge them to enforce that clause in the service agreement.
And even those few ISPs who say nothing about spam usually specify that they can terminate service at any time for any reason - thus, cutting off a spammer is well within the boundaries of their contract.
> In other words, just don't use SPEWS. Use ANY list but SPEWS.
... but there's no way to tell if a listing is for a ROKSO spammer other than visiting the URL in the TXT record. It's probably that way on purpose, to make you research it, but sometimes I just need something to jog my memory. And that's where SPEWS comes back in. SPEWS puts the name of the spamming organization in the TXT record, whereas SBL does not. When I see an IP with a SBL listing, I check the SPEWS TXT record. If it indicates a ROKSO spammer, no need to go further.
SPEWS is great for getting raw data, and one of the only blacklists left with detailed evidence files that contain actual spam samples (now that spamcop went from simple munging to nearly useless to all the way useless).
Just mind the timestamps, the data is not always all that fresh. Often even that is useful, it's nice to dig up a spammer's history and past associations that way.
Personally I'm a fan of Spamhaus, but you still can't automatically block based on SBL listings because they vary widely in quality. What Spamhaus does reasonably well is correlate the IP blocks with organizations, and none more illustrative a fashion than with ROKSO. ROKSO listed spam sources are pretty much "block on sight".
So for the obligatory bit of rudeness, stuff your righteous stance, some of us who do mail for a living know how to use blacklists as the advisory mechanisms they were intended to be. I'm truly sorry your friends or associates or whatever got screwed by an ISP that doesn't know better. SPEWS does not generally go off on righteous rants about why IP ranges are blacklisted and how everyone in there is an evil spammer. They simply indicate a range with spam problems, present the raw data, and encourage people to use other sources like spamcop to triangulate and pinpoint.
Information may want to be free, but some people are still into shooting the messenger if the message isn't always 100% clear or it doesn't place a disclaimer between every sentence.
I've finally had it: until slashdot gets article moderation, I am not coming back.
ISPs that have contracts like that to provide services to spammers, or lower level ISPs that provide services to spammers, should be forced to violate them. They are supporting the violation of other people's networks, mail servers, and mailboxes. SPEWS in fact has been successful at turning several ISPs around, by making them painfully aware of the consequences of harboring spammers. I only wish more ISPs would quit providing services to spammers once this is made known to them.
While SPEWS probably is aware that many networks use their published data to utterly refuse mail, they are also aware that many networks use their published data to subject mail from those addresses to more extensive testing, or to separate that mail into separate folders, or merely to tag it as possible spam. SPEWS surely is aware of this since it is so obvious. Are you aware of this?
now we need to go OSS in diesel cars
Post the SPEWS record number that you were blocked under so we can see if your story is true or not, and if you have left out any details. Otherwise... your anecdote is nice, but it doesn't shed any light at all on SPEWS's effectiveness.