On Futureproofing Spamhaus

BMcWilliams writes "Spamhaus director Steve Linford announced a new funding plan Tuesday. According to Linford's announcement, large ISPs and big corporate users of the Spamhaus zone transfer service (renamed the Spamhaus Data Feed Service) will be required to pay an annual subscription fee ranging between $190 and $14,500.(The free public-query mirrors will continue to exist.) The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet'."

Bleck.

[JNighthawk]

Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

I dunno...

[c0dedude]

Is this a Self-Elimating Business Model?
The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet
As they eliminate spam, spam becomes less profitable, thus decreasing the need for them. Not only that, but the less spam, the less people will request their services, as they can do it in-house. What do you guys think?

Lets get it out of the way now....
1. Block spam
2. ????
3. Profit.
There. Are you trolls happy?

Re:I dunno...

[gr8_phk]

" Is this a Self-Elimating Business Model?"

Yes it is. And therefore, they have a financial incentive to allow some amount of spam through. This keeps the spammers around while also letting customers know that the spam problem still exists. They'd need to play both sides to stay in business.

Pipe-full-of-fun-kit-number-7.

it'll help in 2 ways

[Xiph]

Make it a paid for service, so you can't sue for being on the list
or to provide money as a cushion against suits? and hurt in one, if you're a corporate bulk user (not bulk like that) you'll pay, for something that saves your company money.

Re:it'll help in 2 ways

[jnicholson]

Make it a paid for service, so you can't sue for being on the list

Why would that help? You have to pay for newspapers, but that doesn't protect them from libel (or is it slander?) laws. Why would paying for this list make any difference?

GRsecurity, anyone?

[DiscordOfFive]

This story makes me think of GRsecurity. Remember? It's dying because the developer didn't have any funding? Maybe Spamhaus caught wind of this, and is trying to avoid a similar fate.

Very true.

[JNighthawk]

I'll admit that I don't know how Spamhaus operates. However, it doesn't detract from what I said. Costs will still be forced upon me for something that I may have no use for. The government does it, but now it may be done from the private sector?

Still free for most

[rborek]

Note that the charges are for those that are doing zone transfers (ie those transferring the entire blacklist to their own DNS servers, for faster queries and cutting down on query traffic across their Internet connection), not for those who just want to query their servers to find if a specific IP is in the blacklist.

Spamhaus advises organizations set up a zone transfer if they're receiving 200,000+ e-mails per day. I doubt the average user (or small organization, corporation, etc.) will be receiving that much e-mail in a day (at least for now...)

Oblig. Simpsons quote

[fireman+sam]

homer: Ooh, I see. Get us addicted then jack up the price!

How to Stop Spam

The answer is with SPF, or Sender Policy Framework. This is how it works:

SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send. Close the hole, and we can easily block spammers by sender domain.

SPF closes the hole by using a DNS record that says which hosts can send email with a from address in the domain. The record is a simple TXT record that looks something like this:

<domain> IN TXT "v=spf1 ptr ip4:<address block> ~all"

What most of you don't know is that this is a Microsoft technology. Remember when Bill Gates said that he'd solve the spam problem in two years and you all laughed? Read this for the all the technical details. As it is an internet draft, this is completely patent free and anybody can use it.

Re:How to Stop Spam

[humankind]

SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send.

Yea, right. My mailbox isn't filling up with messages I didn't send. It's just plain filling up. This method is no more difficult to defeat that the current content-based anti-spam methods and requires major upgrades to both DNS and MTAs.

Of course this is a Microsoft idea. Rather than improve the system, in typical Microsoft fashion they want to employ a new standard indigenous to their systems. Another marketing ploy that promises an amazing improvement that would never materialize.

While some improvements to DNS authentication could prove helpful, they're not worth the trouble because in the end, this idea is little more than another flavor of whitelisting, which has proven to be most effective by a small config change to most MTAs and services like Spamcop, Sorbs and Spamhaus's RBL.

What you're proposing is that the burden be switched from MTA to MTA+DNS. The problem is that it's not that much more difficult for spammers to forge additional DNS records in most cases.

Yes, this scheme might address zombie proxy armies, BUT that presupposes that the major ISPs would actually properly manage their DNSes, which they DON'T NOW, so why would they update the new DNS records properly? They WOULDN'T. It's better to have the DNS records managed by an independent third party such as Spamhaus or Spamcop, that sysops can choose to use that are more responsible and more accurate in determining which hosts are allowed to deliver SMTP traffic.

Good or bad?

[xenobyte]

One can wonder whether additional funding will have the effect of actually having the records reflect the realities. The trouble is that I know of at least one record (SBL6024) that is filled with errors and despite several attempts at having Steve correct them, all that happened was a bunch of insults in response.

All content in that record except *one* line is completely wrong and/or severely outdated. The bad content reflects an old customer long gone (booted late 2002) whose IP-ranges were mixed up with Dynamic Pipe. All that remains valid is a single nameserver (freya.wildrhino.com) belonging to a different customer/alledged spammer: Wild Rhino.

If the info should be correct that entire record should be removed and the /29 belonging to Wild Rhinos nameserver moved to their record (SBL14379) - or similar. I know it would not delist anything (that's not the issue) but it would correct the information and that's what's important here.

But Steve does not want to admit his mistakes here, and one can wonder just how many other records in his system are equally flawed, mislisted or plain false. If the incorrectness is rampant throughout, one can wonder just what these businesses would be buying. I think Steve needs to learn a bit about humility and responsibility before he starts making money big-time on this. Because making money off lies and false pretenses has always been the domain of those he claims to hate the most: SPAMMERS.