Slashdot Mirror


SPEWS Adds DSL Reports to Block List

Kylow writes "Last year, Slashdot publicized our efforts at DSL Reports to pursue a group of spammers who had spammed our forums. The Slashdot community immediately pitched in to help, and the publicity wiped the sites owned by the spammers off the internet. Fast-forward to today, and the popular yet often draconian block-list SPEWS has added DSL Reports to their blocklist due to the activities of other websites hosted on NAC.net. DSL Reports users are less than happy. This is hardly the first time SPEWS has been accused of going too far."

6 of 814 comments

  1. Level 2 by Phroggy · · Score: 5, Interesting
    Comment from At Sea:
    Your mail server is NOT BlackListed! If you look at the listing, it is at level 2; the [2] means level 2. Read the SPEWS FAQ. No one blocks on level 2 listings.

    Level 2 listings are netblocks which are watched carefully for evidence of abuse, usually because the adjoining netblocks are in use by spammers, and because the provider (NAC in this case) is ignoring complaints about the abuse, or is doing nothing to remove the abusers.

    But, from the SPEWS FAQ, "The Level 2 list ... can still be used by small ISPs or individuals who want a stricter level of blocking/filtering." "No one blocks on level 2 listings" is obviously wrong.
    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Level 2 by Anonymous Coward · · Score: 5, Interesting

      > "No one blocks on level 2 listings" is obviously wrong.

      You're right. A more accurate phrase would have been "ISPs who cannot afford a critical mass of false positives do not block on level 2 listings."
      That's the majority of ISPs, and certainly all of the big ones. Very few block on level 2 listings.

      Small ISPs or people like me who run an SMTP server for less than ten people (who really hate spam and are willing to deal with some false positives) have thought about it and are willing to reject inbound email from entire netblocks that are owned by sleazeballs who take money from spammers, even if it means a half dozen false positives a year. We block about 200 spams a day using a combo of spews, ordb, and spamcop, so it's definitely worth it. If that makes life difficult for the sleazeballs who take money from spammers, fine. If it encourages their legit customers to get pissed off enough to threaten to move elsewhere and stop giving the sleazeball ISP their money, that's great too. I love the fine spam-haters at DSL Reports, but they need to realize that they're pissed off at SPEWS because their ISP is hosting spammers. If they want to ignore that and place the blame totally on SPEWS, then I'm willing to chide them by bouncing any email they send my way for a little while.

      I like SPEWS and it's my choice as to whether to use it or not. Nobody else has to like it and nobody else has to use SPEWS if they don't want to.

  2. Re:Am I my keeper's brother? by Lord+Azrael · · Score: 4, Interesting
    > Your isp can be totally against spamming and enforce it heavily... You'll still get blocked out because there are always people who will register a server or hosting account and then spam as much as possible till they get shut down.

    That is not true. SPEWS knows that every ISP has a certain amount of customers willing to spam. No provider will get blocked for having occasional (!) spammers on his nets. And SPEWS will not block nets that fast if one spamrun originates from a net. They start threatening an ISP if he continuously fails to do something against the spammers, that means, terminates their connections or shuts down the spamvertized sites. Mind that usually no ISP gets blocked suddenly; most of the blocked companies do not ever reply to messages sent to abuse@ISP, or at least they never gave the impression that they are trying to get rid of the spammers.

    > Spews will then block an entire ip block in which the offending ip belongs and then both your isp and yourself will suffer.

    There are numerous reports about ISPs who did not care about well known spam gangs in their nets and only then reacted, after their internet had been turned into a big intranet after a spews listing. Only when other innocent customers of the ISP start complaining about their own ISP and threaten to terminate contracts, then often only at that point the ISPs have reacted and shut down spammer lines. SPEWS does work, although in that case mentioned today the collateral damage is too high.
    --
    Lord "not Gargamel's Cat!" Azrael
  3. Re:The problem with lists like SPEWS... by Dimensio · · Score: 5, Interesting

    > NAC has been what I would call a "good supporter of internet society" offering decent services and a good location without degrading into a plain and outright capitalist corporation.

    NAC.net harbors known spammers, despite repeated spam runs and subsequent complaints. This means that nac.net is not a "good supporter of internet society".

  4. The SPEWS philosophy by Malor · · Score: 5, Interesting

    From what I have gathered, the SPEWS philosophy isn't just indifference to collateral damage (ie, 'civilian casualties'); they actively do this damage in order to try to force ISPs into changing their habits. And they are extremely difficult to both reach and reason with; you can post on a newsgroup and hope someone pays attention to your pleas.

    I don't know if the actual newsgroup replies come from people who make decisions with SPEWS, but those replies are amazingly hostile. "Oh, you're blocked? That's because you're on a crummy ISP that allows spammers. You're on a contract and can't switch? Well, you'd better start calling your ISP, because the block on your addresses isn't going away until the spammer adjacent to you does, and maybe not then, because you're a whiner."

    (ok, ok, that last part was a bit of hyperbole, but it's not that far off... check dejanews!)

    Admittedly, they're not killing anyone, but the tactic of deliberately attacking people who are only tangentially related to your real target is often called 'terrorism'. The consequences here are far less serious, but the fundamental tactic remains the same.... someone is doing something you don't like, and so you hurt a whole lot of people to try to force them to stop. So I don't use SPEWS.

    There are a number of other, much saner, blocklists available, and the advent of Bayesian filtering is a VERY big deal. I am personally using a combination of postfix, maildrop, SpamAssassin and bogofilter, and I get amazing results; I only started training about two weeks ago, and the spam I have to deal with has dropped by over 99%. I get 1 or 2 false negatives per day, and I have had only one false positive since I started using this system. It does take a little maintenance, but it's much less annoying and intrusive than the constant attention digging through spam takes.

    It is possible, in other words, to do an exceptional job of stopping spam without contributing to a form of terrorism.

  5. Re:SPEWS == the wrong way by scrytch · · Score: 4, Interesting

    > In other words, just don't use SPEWS. Use ANY list but SPEWS.

    SPEWS is great for getting raw data, and one of the only blacklists left with detailed evidence files that contain actual spam samples (now that spamcop went from simple munging to nearly useless to all the way useless).

    Just mind the timestamps, the data is not always all that fresh. Often even that is useful, it's nice to dig up a spammer's history and past associations that way.

    Personally I'm a fan of Spamhaus, but you still can't automatically block based on SBL listings because they vary widely in quality. What Spamhaus does reasonably well is correlate the IP blocks with organizations, and none more illustrative a fashion than with ROKSO. ROKSO listed spam sources are pretty much "block on sight" ... but there's no way to tell if a listing is for a ROKSO spammer other than visiting the URL in the TXT record. It's probably that way on purpose, to make you research it, but sometimes I just need something to jog my memory. And that's where SPEWS comes back in. SPEWS puts the name of the spamming organization in the TXT record, whereas SBL does not. When I see an IP with a SBL listing, I check the SPEWS TXT record. If it indicates a ROKSO spammer, no need to go further.

    So for the obligatory bit of rudeness, stuff your righteous stance, some of us who do mail for a living know how to use blacklists as the advisory mechanisms they were intended to be. I'm truly sorry your friends or associates or whatever got screwed by an ISP that doesn't know better. SPEWS does not generally go off on righteous rants about why IP ranges are blacklisted and how everyone in there is an evil spammer. They simply indicate a range with spam problems, present the raw data, and encourage people to use other sources like spamcop to triangulate and pinpoint.

    Information may want to be free, but some people are still into shooting the messenger if the message isn't always 100% clear or it doesn't place a disclaimer between every sentence.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
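
Added example (not written by any commenter in this thread, and not SPEWS or Spamhaus code): a Python example of the advisory use of two lists that comments 1 and 5 describe, reading the `[N]` level marker and organization name from a SPEWS-style TXT string and never rejecting on an SBL hit alone. The TXT strings, IP addresses, the `ROKSO_ORGS` watch list and the reject/score policy are constructed assumptions, and no DNS is queried.

```python
import re

# Constructed TXT answers keyed by (list, IP); no DNS is queried. The "[N]" level
# marker follows the thread's description; the rest of each string is assumed.
SAMPLE_TXT = {
    ("spews", "192.0.2.10"): "[1] Example Bulk Mailer Org, evidence file placeholder",
    ("spews", "198.51.100.7"): "[2] Example Hosting Co, evidence file placeholder",
    ("sbl", "192.0.2.10"): "listing URL placeholder",
    ("sbl", "203.0.113.5"): "listing URL placeholder",
}

# Hypothetical local list of organizations already researched as ROKSO entries.
ROKSO_ORGS = {"example bulk mailer org"}

LEVEL_RE = re.compile(r"^\[(\d+)\]\s*([^,]+)")


def parse_spews_txt(txt):
    """Return (level, organization) from a SPEWS-style TXT string, or None."""
    match = LEVEL_RE.match(txt or "")
    if not match:
        return None
    return int(match.group(1)), match.group(2).strip()


def verdict(ip, block_level2=False, records=SAMPLE_TXT):
    """Combine both lists into 'reject', 'score' or 'accept' for one client IP."""
    sbl_listed = ("sbl", ip) in records
    spews = parse_spews_txt(records.get(("spews", ip)))
    if spews:
        level, org = spews
        # SBL hit plus a SPEWS TXT naming a known ROKSO organization: block on sight.
        if sbl_listed and org.lower() in ROKSO_ORGS:
            return "reject"
        # Assumed policy: level 1 is blockable; level 2 only when the site opts in.
        if level == 1 or (level == 2 and block_level2):
            return "reject"
        return "score"
    # An SBL listing alone stays advisory: it adds spam score but does not reject.
    return "score" if sbl_listed else "accept"
```

With `block_level2=True` the same level 2 netblock moves from "score" to "reject", which is the stricter setting the SPEWS FAQ quote in comment 1 leaves to small ISPs and individuals.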