Slashdot Mirror

← Back to Stories (view on slashdot.org)

On Futureproofing Spamhaus

Posted by simoniker on from the good-eggs dept.

BMcWilliams writes "Spamhaus director Steve Linford announced a new funding plan Tuesday. According to Linford's announcement, large ISPs and big corporate users of the Spamhaus zone transfer service (renamed the Spamhaus Data Feed Service) will be required to pay an annual subscription fee ranging between $190 and $14,500.(The free public-query mirrors will continue to exist.) The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet'."

96 of 146 comments (clear)

  1. email by rd4tech · · Score: 2, Funny

    Maybe they should send an email to everyone requesting those $$$ :)

  2. Bleck. by JNighthawk · · Score: 2, Interesting

    Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

    --
    Wheel in the sky keeps on turnin'.
    1. Re:Bleck. by thedillybar · · Score: 1
      Sure it'll be passed onto customers. But that's not very much money per customer.

      If you don't have to deal with spam, you will someday. And you're paying cents for the benefit of everyone. You pay for a lot of things you don't use, this won't be the first.

    2. Re:Bleck. by Eggplant62 · · Score: 4, Insightful
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.


      Heh... I love it, it shows that not too many folks understand about how Spamhaus operates, and may be relying on distant memories of the Mail Abuse Prevention System (MAPS). Both organizations, Spamhaus and MAPS, have operated on a free-to-all, volunteer-run system, accepting donations where they could be had to fund themselves. Back in July 2001, MAPS moved to a fee-based for all (except for educational and single operator systems, which could sign a waiver and have free access) model, while Steve Linford kept MAPS in its free-for-all state, where it continues to operate today.

      However, several large users, including world governments, have voiced their opinions that they love what Spamhaus has done, however, how can they rely on a free service that may not be in operation in a year or two due to legal shenanigans like what Richter is pulling against Spamcop??

      That, in a nutshell, is what's happening here. No one has ever paid to use Spamhaus other than through voluntary contributions. This changes nothing, the blocklist service and website will still remain free to all comers, and those that have large userbases that want to depend on Spamhaus as a going concern can help by paying a fee for use of a zone transfer service to their own database or dns servers.

      Simple, ain't it?? The little guys win, the big guys win, the spammers lose.
    3. Re:Bleck. by Hanzie · · Score: 1

      Mod parent post to oblivion, it is abuse.

      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    4. Re:Bleck. by SinaSa · · Score: 1

      I didn't read the RTFA, but it seems you didn't even read the summary! The public access lists remain, i.e. the cost is not passed down to the little guy.

      The money is only demanded from companies using SpamHaus. Much like lots of the other really good things on the internet. For example AVG antivirus is free for home users, but if you want to use it in your business, it'll cost you a fee.

      The pricing scheme looks pretty fair also, I'm guessing the lowest price is for smaller-ish businesses, while the high prices are for the big companies using it.

      --
      --
      The last digit of pi is four.
    5. Re:Bleck. by oconnorcjo · · Score: 3, Insightful
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

      Yeah I am really worried the 15 grand is going to be passed onto me from my multi-billion dollar ISP.

      I expect I will need to refinance my house to keep my internet connection.

      Spamhaus is providing a service that cuts costs for ISP's (due to savings in resources not needed for the handling of spam) so it only makes sense to throw some cash thier way in return.

      Penny pinching of the magnitude you are posting is ammusing. Next you will be saying the free coffee provided to the programmers at most ISP should be cut due to the large toll it provides on the cost to end user services (which is much more than 15 grand) or workers should provide for thier own toilet paper and soap. Cut the company softball team too! The 35 dollar's I pay for broadband is too high!

      --
      I miss the Karma Whores.
    6. Re:Bleck. by bigsteve@dstc · · Score: 4, Insightful
      Won't these costs just be forced down onto the customers?

      Are you suggesting that ISP customers are entitled to a service for nothing?? If customers are unhappy with a (probably tiny) increase in ISP charges to address the problem, they can always switch to a cheaper ISP ... and learn to enjoy their spam.

      I get maybe one spam e-mail a day.

      And how many extra spam e-mail do you think you would you receive if AOL stopped using the Spamhaus RBL?? (If AOL doesn't use the RBL the question is moot anyway.)

    7. Re:Bleck. by dubl-u · · Score: 3, Insightful
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

      I was just about to blast you for your apparent refusal to spend a whole five seconds thinking this through, but I see that you have an AOL address, so I'll assume your question was asked with all sincerity.

      There are several ways you benefit from this:
      • First is that you might already be benefiting. Since you currently get spam, that means that spammers have your address. Getting only one a day probably means that your ISP already is using spam filtering. How do you know that Spamhaus's databases aren't part of it?
      • Good spam filtering helps keep costs down, lowering your bills. A network engineer at a major ISP told me that if they removed their spam defenses, they'd promptly crash; they don't have the capacity to handle the doubling or tripling of mail traffic that would result. $15k per year is nothing compared to tripling your ISP's mail handling and storage capacity.
      • People will see your messages. If I turned off my filters, less then one in ten of the items in my inbox would be real mail. Without good filtering, I'd accidentally delete a lot of real messages, especially ones from unknown correspondents.
      • The people you want to communicate with will still use email. Some people, especially marginal internet users like grandparents and small children, are already starting to abandon email as a medium, despite our best efforts at keeping the spam out. Without good tools like Spamhaus's lists, more and more people will just give up on their spam-choked inboxes.
      So basically, if you use email at all, it's worth supporting the fight against spam, even if you don't personally get any at the moment.
    8. Re:Bleck. by JuggleGeek · · Score: 1
      NihirNighthawk@aol.com posts "I get maybe one spam e-mail a day."

      Perhaps one a day gets through the AOL spam blocking/filtering. If they turn all of that off, do you think you'll still get one per day?

    9. Re:Bleck. by wkcole · · Score: 1

      Maybe you don't understand how this works. A relatively small number of network operators (ISP's and other businesses that get a lot of mail) drive enough queries against the Spamhaus lists that it is worthwhile for them to have a full copy locally. IF your mail provider is one such entity, they are almost cerainly already using Spamhaus' lists and so you are simply not getting all the spam aimed at you. If it is not worthwhile for your mail provider to get a data feed from Spamhaus because their users don't get much spam, there is no cost for them to pass along.

      You should also look at the Spamhaus price calculator. It tops out at $1.18 per year per user and in my opinion (based on experience with large email systems using DNSBL's) that range is unlikely to be one where a data feed makes any sense technically even if it were free, unless the users are being very heavily spammed on an ongoing basis. At the other end, with a million users, an ISP would have to figure out how to pass along less than 2 cents per year to each user.

  3. I dunno... by c0dedude · · Score: 4, Interesting

    Is this a Self-Elimating Business Model?
    The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet
    As they eliminate spam, spam becomes less profitable, thus decreasing the need for them. Not only that, but the less spam, the less people will request their services, as they can do it in-house. What do you guys think?

    Lets get it out of the way now....
    1. Block spam
    2. ????
    3. Profit.
    There. Are you trolls happy?

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:I dunno... by gr8_phk · · Score: 1, Interesting
      " Is this a Self-Elimating Business Model?"

      Yes it is. And therefore, they have a financial incentive to allow some amount of spam through. This keeps the spammers around while also letting customers know that the spam problem still exists. They'd need to play both sides to stay in business.

      Pipe-full-of-fun-kit-number-7.

    2. Re:I dunno... by menem · · Score: 1

      Thats backwards! Less spam means each spam that gets through is more profitable. If a user received only a few spam a week, the user is much more likely to read the spam instead of trashing it. This is why spam can never be eliminated, only reduced.

    3. Re:I dunno... by LostCluster · · Score: 1

      I don't think this is a business model. I'd see SpamHaus as closer to a non-profit that will gracefully close up shop if the disease it's out to get rid of is ever cured. Until then, however, there's bills to pay and they need to post a table of suggested donations.

  4. it'll help in 2 ways by Xiph · · Score: 2, Interesting

    Make it a paid for service, so you can't sue for being on the list
    or to provide money as a cushion against suits? and hurt in one, if you're a corporate bulk user (not bulk like that) you'll pay, for something that saves your company money.

    --
    Blah blah sig blah blah blah irony blah blah
    1. Re:it'll help in 2 ways by jnicholson · · Score: 2, Interesting
      Make it a paid for service, so you can't sue for being on the list
      Why would that help? You have to pay for newspapers, but that doesn't protect them from libel (or is it slander?) laws. Why would paying for this list make any difference?
      --
      "Do not drill any holes in your cat - it will not like it."
      -- Nick Davies
  5. This says it all... by erick99 · · Score: 2, Informative
    From the article:

    In the meantime, thanks largely to ineffective spam laws passed by governments, we're having to step up the fight against spam with more resources....

    Not that the gov't can do much anyway, but, it could do more. I think the fees are reasonable and I hope they are accepted and paid graciously.

    Happy Trails!

    Erick

    --
    http://www.busyweather.com/
  6. GRsecurity, anyone? by DiscordOfFive · · Score: 4, Interesting

    This story makes me think of GRsecurity. Remember? It's dying because the developer didn't have any funding? Maybe Spamhaus caught wind of this, and is trying to avoid a similar fate.

    --


    Only the purest of souls seek enlightenment. Everyone else just wants power.
    1. Re:GRsecurity, anyone? by AndroidCat · · Score: 1

      Er no. More like caught wind of the nuisance lawsuits and DoS attacks that have been happening to various anti-spammers over the last few years.

      --
      One line blog. I hear that they're called Twitters now.
  7. I'll fund them for life... by bhmit1 · · Score: 5, Funny

    Just as soon as this $54Mil bank transfer goes through for this poor Nigerian widow.

    1. Re:I'll fund them for life... by JNighthawk · · Score: 1

      Oh, thank you! Ever since my husband was killed in the Nigerian War of Fertility, I've had a hard time getting by. $54 million U.S. Dollars will be a start, but in order to survive and provide for my 37 children, I am going to need others to donate. If you would please send this e-mail to 10 of your friends, I would much appreciate it. Thank you, kind sir!

      --
      Wheel in the sky keeps on turnin'.
  8. Self-eliminating business model. by Hanzie · · Score: 5, Insightful

    If Spamhaus eliminated Spam, Steve Linford would be the first one dancing. He'd probably get a knighthood, but I think he'd prefer a good night's sleep.

    MS claims that Hotmail receives 2 Billion spams a day. (That's 2x10^9 to you friends across the puddle). I don't see that going away, more's the pity.

    --
    ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    1. Re:Self-eliminating business model. by Anonymous Coward · · Score: 1, Funny

      That's more penises than you can shake a stick at.

    2. Re:Self-eliminating business model. by shaitand · · Score: 4, Funny

      Okay, that covers my account. How much does everyone else get in their hotmail account?

    3. Re:Self-eliminating business model. by Viceice · · Score: 1

      Suprisingly, none. Well i still do, but it all gets routed to the Junk folder.

      I used to get about 6 a day, then suddenly, about 3 months ago, all the spam stop getting delivered into my inbox.

      ALL. Well i think about 1 month ago, 1 got through, but that was it.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    4. Re:Self-eliminating business model. by Lennie · · Score: 1

      I think they are send to all@hotmail.com or something, I'm not sure, I don't have hotmail anymore.

      --
      New things are always on the horizon
    5. Re:Self-eliminating business model. by sk8king · · Score: 1

      Actually, Hotmail must have done something magical to reduce the spam [or maybe I accidentally set my options to reject all mail or something].

      Around the big blackout last August my friend commented that his spam in his hotmail account went down to almost nothing. I short while later, I also noticed the same thing. For an account that got 4 spams within a few hours of signing up, I can now check it once per week and maybe remove 5 spam emails. I admit I have some stuff directed to a junk folder, but I also had that when I received 20-30/day.

  9. Very true. by JNighthawk · · Score: 3, Interesting

    I'll admit that I don't know how Spamhaus operates. However, it doesn't detract from what I said. Costs will still be forced upon me for something that I may have no use for. The government does it, but now it may be done from the private sector?

    --
    Wheel in the sky keeps on turnin'.
    1. Re:Very true. by grasshoppa · · Score: 5, Insightful

      1) Everybody has a use for this. If you are part of an organization that uses a paid for spamhaus, then you have a use for it.

      2) Spamhaus recommends organizations that get 200,000+ emails a day sign up for the service. Conservatively, I think, we can estimate that would mean 100,000 users ( some get considerably more, most not at all ). At the high end, it's 14,500 a year. So, 14500/100000 = 14.5 cents a YEAR per user. I'll give you a fiver, if you shut up about the cost for the next 30+ years about it.

      3) Say I'm way off, and the number is more like 20,000 users. That puts us at about 73 cents per year per user.

      If you really can't afford that, how the hell are you able to sit here on the internet and gripe about it?

      4) Spam, annually, costs you way more. Or, more accurately, they cost your provider more, which in turn, gets passed on to you. So what they are doing is a cost saving measure.

      So, in closing, let me say this: Stop bitching, you are wrong.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:Very true. by finkployd · · Score: 4, Informative

      Spamhaus recommends organizations that get 200,000+ emails a day sign up for the service. Conservatively, I think, we can estimate that would mean 100,000 users

      Just for reference, PSU has roughly 130,000 users, and averages around 4,000,000 emails a day (actually that number is about a year old, I imagine it is considerably higher given the microsoft viruses and spam that are going around now)

      Finkployd

    3. Re:Very true. by grasshoppa · · Score: 1

      2+3. It will cost more than that.

      Oh? Do you have any facts behind that? How about some sound reasoning? Shit, I'd take a wild shot in the dark.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    4. Re:Very true. by whmac33 · · Score: 2, Insightful

      There are a lot of things that ISPs do that you may not need. Do you have all 6-7 email addresses that a lot of them allot. Do you use your 25 mb of free web space?

      Of course if your ISP's rates go up you could always switch ISP's. I don't think these are large fees for these ISP's that need the service, especially AOL. And the reason you don't get spam at AOL is because they are already doing a lot of spam filtering.

    5. Re:Very true. by peg0cjs · · Score: 1

      You say that you only get 1-2 spam...ever think that's cuz your ISP uses spamhaus (or something like it)?

      --
      Karma: Excellent (Mainly due to Bill & Ted's Karma Adventure)
    6. Re:Very true. by JNighthawk · · Score: 1

      My ISP is Comcast, not AOL, I just use AOL for e-mail. But that's besides the point. You're right, that they are doing spam filtering already. I don't know. This just doesn't seem right to me.

      --
      Wheel in the sky keeps on turnin'.
    7. Re:Very true. by Tony+Hoyle · · Score: 1

      It seems to work out around 1000 spams/user/day round here, so 200,000 spams is 200 users.

      It's still not a lot, but I know the way the beancounters think... if it's not free it must be justified, and if it doesn't have an immediate benefit then there's no chance.

    8. Re:Very true. by sk8king · · Score: 1

      We get about 300,000-400,000 emails a day representing about 10 spams/user/day which is much lower then you, but we've been told [by a spam software salesperson] that we have a high spam count....90% of our mail is spam.

      Spam is free for the sender, but we're required to have equipment that would have been enough for an ISP 4 times our size 5-6 years ago [numbers in the last paragraph were made up on the spot, but are meant to provide an example of cost]

    9. Re:Very true. by mwood · · Score: 1

      It may be that you "have no use for" Spamhaus services because your ISP is already using them on your behalf. So you might wind up paying for something you're already enjoying.

      And of course you are still free to switch to an ISP that doesn't subscribe to the Spamhaus premium service. Spamhaus can't force you to pay for anything unless you agree to let them, perhaps implicitly by continuing to use an ISP which pays them.

    10. Re:Very true. by tensai · · Score: 1

      Just for another reference, we get about 200,000 valid emails a day for around 17,000 users. We get another 700,000 or 800,000 spams a day too, but those are run through Postini so thankfully I never see them. I'm sure that the cost of subscribing to Spamhaus would be far less than that of acquiring 4 times our bandwidth and storage facilities plus all the time I would have to mess with that trash.

    11. Re:Very true. by Eggplant62 · · Score: 1
      I'll admit that I don't know how Spamhaus operates. However, it doesn't detract from what I said. Costs will still be forced upon me for something that I may have no use for. The government does it, but now it may be done from the private sector?


      You could always vote with your feet and your wallet. There have to be plenty of operators out there that will cater to what you're looking for, even if it is email that's not filtered for you in any way, shape or form. Run your own servers if that's what concerns you. You still have a choice no matter what happens.
  10. Still free for most by rborek · · Score: 4, Interesting
    Note that the charges are for those that are doing zone transfers (ie those transferring the entire blacklist to their own DNS servers, for faster queries and cutting down on query traffic across their Internet connection), not for those who just want to query their servers to find if a specific IP is in the blacklist.

    Spamhaus advises organizations set up a zone transfer if they're receiving 200,000+ e-mails per day. I doubt the average user (or small organization, corporation, etc.) will be receiving that much e-mail in a day (at least for now...)

  11. Heh by Emperor+Tiberius · · Score: 4, Insightful
    the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet

    Don't they mean, as long as e-mail exists; in it's current form, anyway?

  12. Right, but... by JNighthawk · · Score: 1

    Isn't my ISP a company that may use Spamhaus to filter e-mail?

    --
    Wheel in the sky keeps on turnin'.
    1. Re:Right, but... by SinaSa · · Score: 3, Insightful

      You raise a good point, and yet I doubt that the cost of subscribing to SpamHaus will be passed down to you. The article mentions the maximum price as $14,500. Which would be for a company say (in relation to your example), the size of AOL.

      Even if a small ISP who can't afford to simply swallow the cost passed it down to customers, you'd only be seeing a tiny increment on your monthly bill . And by tiny I am thinking in the figure of 10 or 20 cents. Do the math.

      Small ISP "FooNet" has 1000 customers. They qualify for the lower brackets of SpamHaus subscription. Lets say the subscription costs $190 (from the article). Each user will only be paying $0.19cents more a month. Multiply that by 12, and thats an addition of $2.28 dollars a year for some very good spam protection.

      Now that I think about it, where do I sign up? :P

      --
      --
      The last digit of pi is four.
    2. Re:Right, but... by grasshoppa · · Score: 1

      It gets even better. The blurb says that's annual fees. So, you'd be out an extra 19 cents a year.

      Sign. Me. Up.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    3. Re:Right, but... by zangdesign · · Score: 1

      Only if they follow actual pricing and don't inflate the charges (a la cell phone bills) to exact extra revenue from customers.

      I can easily see some ISP saying "hey, it only costs us 10 cents per user, but hey, let's add a couple of bucks to the bill to cover the inevitable paperwork, and other sundry items that we can make them think are remotely related and we'll call it a filtration surcharge."

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  13. Cost Offsets by quinkin · · Score: 4, Insightful
    In theory you are correct. In practice all ISP's will not simultaneously commence paid spamhaus subscription and increase their fees. I would imagine that some ISP's may use this, either globally or as a premium value added service. Unless you are in a monopolistic market you will be free to choose a spamhaus-free (either lacking or only free zone transfers) ISP and it's assosciated lower costs.

    Even then a lot of businesses may actually save money through reducing bandwidth costs due to spam. I hope they don't force those savings onto you... :)

    Q.

    --
    Insert Signature Here
    1. Re:Cost Offsets by CritterNYC · · Score: 4, Informative

      In theory you are correct. In practice all ISP's will not simultaneously commence paid spamhaus subscription and increase their fees. I would imagine that some ISP's may use this, either globally or as a premium value added service. Unless you are in a monopolistic market you will be free to choose a spamhaus-free (either lacking or only free zone transfers) ISP and it's assosciated lower costs.

      Even then a lot of businesses may actually save money through reducing bandwidth costs due to spam. I hope they don't force those savings onto you... :)

      Good points. Using the Spamhaus XBL and SBL actually saves a decent-sized ISP more than its cost in a given year in bandwidth, storage and CPU cycles.

      Additionally Spamhaus is letting operators of free DNSBL mirrors continue the Zone Transfer for free. Perhaps additional ISPs will be given the option of getting the Zone Transfer for free in exchange for setting up another public mirror.

      --
      Portable versions of Firefox, GIMP, LibreOffice, etc
  14. Oblig. Simpsons quote by fireman+sam · · Score: 2, Interesting

    homer: Ooh, I see. Get us addicted then jack up the price!

    --
    it is only after a long journey that you know the strength of the horse.
  15. This is not a bad thing. by BCW2 · · Score: 5, Insightful

    If a corporate IS department is running their own mail servers, it would be wll worth the money. Transfer the lists into the server and check all incoming mail instantly instead of the latency caused by going to Spamhaus. The bandwidth and time saved for someone like GM, GE, Siemens,..... Thats a lot of money saved. $14,500 is pocket change to them anyway, and if it saved $50,000 over a year, thats a good return. I'd bet it would save a lot more than 50K though.

    The fact that it keeps Spamhaus a viable concern is another plus.

    --
    Professional Politicians are not the solution, they ARE the problem.
    1. Re:This is not a bad thing. by pipingguy · · Score: 1


      If a corporate IS department is running their own mail servers, it would be wll worth the money.

      Just speculation...

      Wouldn't most corporations prefer a whitelist-type solution in the first place? I'm just thinking of a recent story where email inquiries largely went unanswered.

      The dog ate my homework, some idiot (who has since been fired) must have deleted your message, I never received your original email, we had a virus, etc..

      It's a pretty good and plausible deny situation, isn't it?

    2. Re:This is not a bad thing. by scrytch · · Score: 1

      > $14,500 is pocket change to them anyway, and if it saved $50,000 over a year, thats a good return. I'd bet it would save a lot more than 50K though.

      It may be a pittance to all of corporate, but it is by no means a trivial sum to a single IT department who must justify the expense up a few levels. Your returns cannot be quantified -- it's not as if spamhaus is alone in producing a savings from effective spam filtering. Even if they are the most effective, the difference between spamhaus and the next approach might not be worth the expenditure.

      Spamhaus's quality, while the highest of most of the DNSBLs, still varies, quite widely at that. We're talking about having most of China on the list, with the same categorization as ROKSO spammers like Atriks and Whitcon. Many of the SBL listings have no supporting evidence at all, merely a WHOIS listing. If there were a response code (e.g. how SORBS does it) that differentiated these types of listings, then it might be a bit more useful. Otherwise you're going to have to investigate every SBL hit, which is going to cost a good deal more than $14K in manpower...

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
  16. you benefit by.... by zogger · · Score: 1

    .... having the people who are combatting spam effectively reduce the over al global bandwith load that spam represents, plus helping in another oblique way be getting more people aware of spam and maintaining their own computers in a safer manner. It's a win for everyone who's on the net-except the spammers.

  17. In an abstract way, sure. by JNighthawk · · Score: 1

    I benefit, I guess. Not directly, as far as I can see. I'm not spammed badly enough for me to need a filter. However, as stated in a different reply by me, this could provide companies an excuse to raise fees by some unreasonable amount (i.e. more than $.25)

    --
    Wheel in the sky keeps on turnin'.
  18. Corporate thinking and expensing. by j3ll0 · · Score: 5, Insightful


    I may be an idiot, but it seems to me that most organisations could justify any of the amounts listed by doing some simple cost benefit analysis.

    My understanding is that Spamhaus allows you to blackhole IP blocks that are known to tolerate\encourage spam.

    If you step back and work out the cost of bandwidth to accept all of that spam, versus the cost to pay Spamhaus to blackhole it, it probably works out in favour of paying for Spamhaus.

    Here in .au, I seem to remember that a 2Mb FR link to .sg (our next corporate uplink) was in the order of AU$10K a month. So 14.5K = approx US$18K = approx 2/12 FR service. Given that the current stats say the amount of spam crossing the internet as a percentage is HEAPS higher than that, it would have to work out as more cost effective to pay Spamhaus, and save the bandwidth.

  19. Literally... by Angry+Black+Man · · Score: 4, Funny

    "$190 and $14,500"

    This takes the sound bite "prices may vary" to a new level.

    --
    the byproduct of years of oppression by the white man
    1. Re:Literally... by LostCluster · · Score: 1

      With "Free" also in existance...

      This seems a lot like the donation box at a museum. No reqired payment for walking through, but there's a table of suggested donations based on how much you should be able to pay, and most people are going to pay it because how else does the museum stay in business...

    2. Re:Literally... by mdfst13 · · Score: 1

      I see it as more like a museum store where you can buy your own copy of works in the museum (e.g. a lithograph of a painting or a miniature version of a sculpture). You have the option of just taking pictures (free), but if you want an official copy, you have to pay the museum. Similarly, Spamhaus offers a free service (DNSBL request) and a pay service (Zone/Data Transfer).

  20. Forced costs by jnicholson · · Score: 1

    Do you buy insurance? You may never use it. It's private sector.

    --
    "Do not drill any holes in your cat - it will not like it."
    -- Nick Davies
  21. Re:Spamhaus and IronPort by Anonymous Coward · · Score: 2, Informative

    You're confusing Spamhaus with SpamCop. Only the latter has an affiliation with IronPort.

  22. Re:Spamhaus and IronPort by Anonymous Coward · · Score: 1, Informative

    Spamhaus is a voluteer non-profit organization and is not owned by IronPort. I think you've mixed Spamhaus with Spamcop, which is owned by IronPort.

  23. No, Spamhaus has no affiliation with IronPort! by int2str · · Score: 4, Informative


    You are confusing Spamhaus with SpamCop...
    Spamhaus has no affiliation with IronPort!

  24. Re:Spamhaus and IronPort by jnicholson · · Score: 1
    You're thinking of SpamCop, I think.

    I haven't passed judgement yet on the association of Ironport with Spamcop. It's possible (albeit a slim possibility) that Ironport are part of the good guys, but it remains to be seen.

    --
    "Do not drill any holes in your cat - it will not like it."
    -- Nick Davies
  25. Confusion of two anti-spam sites by wintermute42 · · Score: 2, Informative

    Several people have posted that I've confused Spamhaus with SpamCop. Sorry. It was careless on my part. My appologies to Spamhaus.

  26. They can fund themselves for life... by cgenman · · Score: 1

    Just move to a state that has anti-spam laws, like North Carolina. North Carolina statures allow for 10 dollars per spam. California allows for 500 dollars per spam. Either way, with millions of pieces of spam per day intercepted by their service, they should stand to gain quite ludicrously on the deal. If they can track down 20 of the top spammers, and one of them has insurance, SpamHous will suddenly have far more money than it will know what to do with. Sadly indentured servitude is not a viable option for the other 19, as the US has bankruptcy laws. Still, assuming the congress hasn't passed any laws saying that people CAN SPAM, the plan is perfect.

    --
    The ______ Agenda
    1. Re:They can fund themselves for life... by humankind · · Score: 2, Insightful

      ust move to a state that has anti-spam laws, like North Carolina. North Carolina statures allow for 10 dollars per spam. California allows for 500 dollars per spam. Either way, with millions of pieces of spam per day intercepted by their service, they should stand to gain quite ludicrously on the deal. If they can track down 20 of the top spammers, and one of them has insurance, SpamHous will suddenly have far more money than it will know what to do with. Sadly indentured servitude is not a viable option for the other 19, as the US has bankruptcy laws. Still, assuming the congress hasn't passed any laws saying that people CAN SPAM, the plan is perfect.

      ROFL.

      Good luck finding a lawyer who will take on a case with a $10 or $500 virtually impossible payout.

      Good luck finding a spammer who has insurance, hasn't declared bankruptcy a few times already, or wouldn't make all his net worth (if any) disappear as soon as he was caught. Not that he's going to get caught because you'll never find a lawyer dumb enough to take on a case based on such an ineffective law.

      More laws are needed? We currently have several hundred civil-oriented anti-spam laws on the books and not a single one of them has paid off or curtailed spam in the slightest. The same thing happened with anti-UCE-faxes and those were even easier to track and pursue and they still didn't do a thing.

      Perfect plan? I think not. When 200+ laws don't work, thinking that passing civil law #201 will make the difference is the definition of hopeless.

      Passing yet another law has about the same effect on stopping spam as buying a book does in mysteriously making you an expert on that books's subject. You have to read the book. You have to enforce the law. Right now, spammers break lots of criminal laws that aren't being enforced. Passing more laws without beefing up law enforcement is like sptting in the wind and calling it rain.

  27. How to Stop Spam by Anonymous Coward · · Score: 2, Interesting
    The answer is with SPF, or Sender Policy Framework. This is how it works:

    SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send. Close the hole, and we can easily block spammers by sender domain.

    SPF closes the hole by using a DNS record that says which hosts can send email with a from address in the domain. The record is a simple TXT record that looks something like this:

    <domain> IN TXT "v=spf1 ptr ip4:<address block> ~all"

    What most of you don't know is that this is a Microsoft technology. Remember when Bill Gates said that he'd solve the spam problem in two years and you all laughed? Read this for the all the technical details. As it is an internet draft, this is completely patent free and anybody can use it.

    1. Re:How to Stop Spam by BdosError · · Score: 3, Insightful

      This will be fine if/when everyone upgrades their DNS & MTA software to accept and use those standards. In addition, there are competing standards/proposals too, so which is the right one to choose?

      As an aside, I don't think that making it an RFC necessarily makes it patent free.

      --
      Complexity is Easy. Simplicity is Hard.
    2. Re:How to Stop Spam by humankind · · Score: 3, Interesting

      SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send.

      Yea, right. My mailbox isn't filling up with messages I didn't send. It's just plain filling up. This method is no more difficult to defeat that the current content-based anti-spam methods and requires major upgrades to both DNS and MTAs.

      Of course this is a Microsoft idea. Rather than improve the system, in typical Microsoft fashion they want to employ a new standard indigenous to their systems. Another marketing ploy that promises an amazing improvement that would never materialize.

      While some improvements to DNS authentication could prove helpful, they're not worth the trouble because in the end, this idea is little more than another flavor of whitelisting, which has proven to be most effective by a small config change to most MTAs and services like Spamcop, Sorbs and Spamhaus's RBL.

      What you're proposing is that the burden be switched from MTA to MTA+DNS. The problem is that it's not that much more difficult for spammers to forge additional DNS records in most cases.

      Yes, this scheme might address zombie proxy armies, BUT that presupposes that the major ISPs would actually properly manage their DNSes, which they DON'T NOW, so why would they update the new DNS records properly? They WOULDN'T. It's better to have the DNS records managed by an independent third party such as Spamhaus or Spamcop, that sysops can choose to use that are more responsible and more accurate in determining which hosts are allowed to deliver SMTP traffic.

    3. Re:How to Stop Spam by thogard · · Score: 1

      I'm alreadying getting spam with vaild SPF records from throw away domains. SPF has nothing to do with spam prevention.

    4. Re:How to Stop Spam by msblack · · Score: 1

      SPF is flawed because computer users can't always specify their SMTP gateway when using a closed application (e.g., BlackBoard group learning systems).

      --
      signature pending slashdot approval
    5. Re:How to Stop Spam by mdfst13 · · Score: 4, Informative

      SPF is not a Microsoft technology. Caller ID is the Microsoft solution (similar but different). SPF was designed by pobox.com. Microsoft and pobox.com recently agreed to make SPF and Caller ID compatible, but they are still different methods:

      1. SPF is text based; Caller ID is XML based (even though no other email header or DNS record is).

      2. SPF verifies the envelope sender; Caller ID verifies the From header of the email. While both will be the same in many cases, they do not have to be.

    6. Re:How to Stop Spam by mdfst13 · · Score: 1

      The only spam that has gotten past my SpamAssassin recently would have been stopped if my MTA was SPF compatible. It shows up as coming from the address to which it was sent.

      It is very difficult to forge DNS records (one needs access to the legitimate name server). What is not difficult is creating legitimate DNS records. However, if spammers have to buy legitimate domains, then we can easily fix this by blacklisting those domains (and possibly revoking them). This can actually be done quite agressively with honeypot addresses (such addresses are set up such that no one has a legitimate reason to send to them and advertised as such on the web; thus, anyone who sends to them can be assumed to be a spammer and blacklisted).

      Most ISPs do properly list their MX records (which list incoming mail servers). The problem comes with PTR records which should exist but are frequently outside the purview of small domains (requiring them stops over 90% of all spam, but blocks a small but significant number of legitimate senders who can't change the PTR records for their own IPs). SPF is simply a more flexible version. One can use SPF to specify that email is restricted to senders who have PTR records (if available) or list one's IPs or make all outgoing mail servers have MX records or whatever.

      I agree that querying Spamhaus (etc.) and letting them interpret the SPF records is better than querying the DNS system direct. Spamhaus can block queries on spammer throwaway domains as they discover them (merging SPF and RBL into one query).

    7. Re:How to Stop Spam by AKnightCowboy · · Score: 3, Informative
      SPF is flawed because computer users can't always specify their SMTP gateway when using a closed application (e.g., BlackBoard group learning systems).

      SPF isn't flawed, the application is flawed. Put in a trouble ticket to the company that makes BlackBoard group learning systems and tell them they need to add outbound SMTP gateway support. That's a seriously misbehaved application if it just assumes it can send mail directly out. We haven't allowed users to send mail directly out for 12 years.. everyone has to relay through a central mail gateway for logging purposes.

    8. Re:How to Stop Spam by miley · · Score: 1

      Yesterday at the Inbox Conference, one of the panelist said that over 500 domains of known spammers were publishing SPF records. One of the mail points of this technology is that its braindead easy to publish the record. In the example you state above, you use the ~all flag -- meaning that any IP address across the internet can send mail for that domain, thus avoiding solving the security problem you mention. Can you remind us all again why you thing this will stop spam?

  28. Good or bad? by xenobyte · · Score: 4, Interesting

    One can wonder whether additional funding will have the effect of actually having the records reflect the realities. The trouble is that I know of at least one record (SBL6024) that is filled with errors and despite several attempts at having Steve correct them, all that happened was a bunch of insults in response.

    All content in that record except *one* line is completely wrong and/or severely outdated. The bad content reflects an old customer long gone (booted late 2002) whose IP-ranges were mixed up with Dynamic Pipe. All that remains valid is a single nameserver (freya.wildrhino.com) belonging to a different customer/alledged spammer: Wild Rhino.

    If the info should be correct that entire record should be removed and the /29 belonging to Wild Rhinos nameserver moved to their record (SBL14379) - or similar. I know it would not delist anything (that's not the issue) but it would correct the information and that's what's important here.

    But Steve does not want to admit his mistakes here, and one can wonder just how many other records in his system are equally flawed, mislisted or plain false. If the incorrectness is rampant throughout, one can wonder just what these businesses would be buying. I think Steve needs to learn a bit about humility and responsibility before he starts making money big-time on this. Because making money off lies and false pretenses has always been the domain of those he claims to hate the most: SPAMMERS.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    1. Re:Good or bad? by valmont · · Score: 3, Informative

      ey, dude, steve won't exactly be "making money big time" on this, as you assert in your post. The whole point for this price structure is to ensure the continued longevity of an essentially free-for-most, not-for-profit service. get it? And yeah maybe that money will give them more resources to deal with fringe cases such as the one you're outlining. The fact is, at some point, an ISP gave that IP block to a spammer. And for some reason spamhaus doesn't seem to feel confident about de-listing that block, maybe there's a good reason for that, i'll give spamhaus the benefit of the doubt any day. Maybe that'll teach ISPs to more carefully scrutinize who they give blocks to, and be more mindful of what sort of traffic goes on there.

      --
      Extraordinary Vacations. Exceptional Prices
    2. Re:Good or bad? by xenobyte · · Score: 1

      Let me begin by repeating myself - They never asked for a delisting from SpamHaus, only that the record be corrected so that blatantly incorrect info is removed.

      Maybe that'll teach ISPs to more carefully scrutinize who they give blocks to...

      First of all, most startup ISPs will not know how to research the hats of potential customers and will thus be innocent in assigning an IP block to a spammer. And in the western world any customer must be presumed innocent until proved otherwise (to the ISP that is).

      The point is that services like SpamHaus should become as universally known as Google to anyone, even people starting out as ISP salesdroids. That way spammers won't be signed up out of ignorance/inexperience.

      The ISP I mentioned started out in 2001 and they had zero knowledge of ROKSO, SpamHaus, SPEWS and all that. They happily signed up customers that would pay the setup fee upfront. The contracts were all long-term and while they had provisions against spamming they only covered abuse of the ISPs networks, not abuse elsewhere. This means that their contracts cannot be terminated just because they spam from elsewhere for sites elsewhere, and that's exactly why Wild Rhino still has a nameserver there.

      Being a small startup ISP they would be driven out of business from just a single lawsuit, and terminating a customer without due course in the contract will result in a lawsuit (both spammers and their lawyers are greedy in the worst sense of the word).

      So my point is that some ISPs may look like their hat is black but if you look closely you'll see that it's actually a doofus-hat awarded for cluelessness. They will learn and not renew those spammers contracts but until that time they'll have to let them live - or themselves be killed by lawsuits.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    3. Re:Good or bad? by JuggleGeek · · Score: 1
      The contracts were all long-term and while they had provisions against spamming they only covered abuse of the ISPs networks, not abuse elsewhere. This means that their contracts cannot be terminated just because they spam from elsewhere for sites elsewhere, and that's exactly why Wild Rhino still has a nameserver there.

      Summary : A small, startup ISP isn't bright enough to get rid of their spammer, so they get listed as supporting spam.

      And you have the gall to bitch about being listed! So my point is that some ISPs may look like their hat is black but if you look closely you'll see that it's actually a doofus-hat awarded for cluelessness.

      From the point of view of Spamhaus, what's the difference? Either way, the spammer is still doing business there, Spamhaus knows it, and Spamhaus's job is to tell people "This IP is associated with spam".

      The ISP in question needs to quit supporting spammers. When they do, the listing will go away. (Eventually. The longer they support spammers, the longer it will take to go away.) If the only way they can stay in business is to support spammers, I'd just as soon they went out of business.

      Steve has to listen to people whine all the time about "We shouldn't be listed because...." You're complaining that the info is wrong, while at the same time admitting that the ISP is supporting a known spammer. How that differs from the whining of the other spammers that want to be delisted seems to be beyond my ken.

  29. Relative costs: by Stephen+Samuel · · Score: 1
    Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

    Part of the reason why you get so little spam is organizations like spamhaus.

    Compare the top-end $14,500 cost of spamhaus to the $400,000 price tag for one of the highest-end routers. If Spamhaus saves MSN from buying 2 more intel servers, then they'll recover their costs.
    For the largest ISP's (we're talking the likes of MSN, Yahoo, etc.) this comes to about 1/4 of a full person's salary (or about 1/10th if you include secondary costs). I have a friend who pays about that for some of his servers... (we won't even start looking at what some people pay for SUNs).

    Even for the medium-sized ISPs who will be asked to pay $190.. they'll probably spend almost that much processing the bill. We're talking less than the price of an XP-Professional license.

    For the smallest ISPs and single users (like me) they're promising to remain free -- in fact that's why they're doing this.

    --
    Free Software: Like love, it grows best when given away.
  30. No spam in my Hotmail account by waynemcdougall · · Score: 1
    Never. Not 1 spam in Junk mail or anywhere else. Ever. Not since I first opened it 3 years ago with the sole purpose of testing how much spam I get.

    I've never publicised the email address.

    More importantly the address is obscure. I've seen /.ers offer their so-called "obscure" email addresses and I've thought them all laughably likely to be hit in a dictionary attack.

    Mine is 14 characters, mixing letters and numbers, as a sentence implying a certain head of state doing something naughty. Easy to rememebr, and not in any dictionary attack. :-o

    And no spam!

    I have to say those who claim to have got spam within minutes of opening an account and blaming Microsoft) need to adjust their tindoil, and learn what obscure really means when a computer is systematically working through a dictionary.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  31. World governments by waynemcdougall · · Score: 4, Funny
    However, several large users, including world governments, have voiced their opinions that they love what Spamhaus has done

    Gee, I leave my tinfoil hat off for just one lousy week and there's not just one but multiple world governments. I was just getting to grips with overthrowing a few national governments.

    Do I get to choose which world government I'm under? Given the choice I, for one, would like to welcome my new illuminati overlords.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
    1. Re:World governments by Eggplant62 · · Score: 1

      World governments == large nations

      There, I said it. Happy?

  32. Re:How to Stop Spam - Filter it at the SMTP level. by iamcf13 · · Score: 1

    No need to add a new wrinkle to SMTP, just analyze the SMTP traffic to detect relaying by remote users and refuse to relay and force the local users to POP-BEFORE-SMTP to use the mail server. This is a simple 1-2 punch to stamp out a lot of spam

  33. No Need by Robmonster · · Score: 2, Funny

    They already have access to all those emails desperately trying to give away $3.5M . They have all the funding they'll ever need....

    --
    I have no sig yet I must scream.
  34. What exactly is the point? by blorg · · Score: 2, Insightful

    I've got a 14-character alphanumeric obscure email address that I've never given anyone - but at least I don't get spam!

    Do you get any email at all?

    Spam is all about the signal to noise ratio, you know.

    1. Re:What exactly is the point? by waynemcdougall · · Score: 1
      Yes I get email, but your comment:

      Spam is all about the signal to noise ratio, you know.

      is completely wrong.

      Ratios of spam, and false positives and false negatives are relevant to spam detection.

      But by and large only absolutes are relevant to amount of spam received. The fact business colleagues send me 1,000 messages a day does not change the amount of spam I receive. I would neither receive less or more spam if they increased or decreased their so-called signal.

      Spam is not proprotional to non-spam email (ok there is a possible _very minor_ correlation in that you may receive a lot of email because your email address is widely distributed. But that is not a necessary factor and is not always true).

      The usual Hotmail allegation is that Microsoft sells off your Hotmail address as soon as you sign up. As evidence people point out they receive email as soon as they sign up. My point is that is provably false.

      --
      Recycle PCs and build a wireless community network www.hillsborough.org.nz
  35. Futureproofing? by Strange_Attractor · · Score: 1

    Fireproofing - protecting against a fire happening.
    Waterproofing - making sure water can't get in.
    Spamhaus is a GoodThing (TM) - is futureproofing it a good idea?

    --

    ----
    WWJD...For a Klondike Bar?
  36. Re:YES, nihirnighthawk@aol.com by drakaan · · Score: 1
    Maybe I'm the only one who sees it this way, but:

    1. one man's "-1 troll" is another man's "+5 funny" (and this AC owes me a new keyboard...apparently mine doesn't like cherry coke)

    2. you had the balls to say "I only get one spam a day" and didn't think anything would happen? Puh-leeeeeease.

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  37. Patents by gd2shoe · · Score: 1

    You're right, it doesn't make it patent free. Once an idea/invention is published there is a one year fileing period. After that it stayes in the public domain. Patent applications can stay in the approval process for several years though. I don't know how long this has been out, or whether it can be a "submarine patent".

    IANAPL

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  38. The Spamhaus XBL remains free for AXFR by Anonymous Coward · · Score: 2, Informative

    Spamhaus is selling access to two lists.

    One of them, the SBL, is a list used to apply pressure to ISPs. It doesn't stop that much spam. It's a political tool, just the same as the MAPS RBL was.

    The other, the XBL, is extremely effective at stopping spam. But Spamhaus doesn't run the XBL. They're just downloading the (freely available) CBL and BOPM lists, then selling access to them for thousands of dollars a year.

  39. Yes, there is. by Ayaress · · Score: 1

    Don't set up a public display address. Ever. Anywhere. If you have to, use a throwaway spamtrap like Hotmail or Yahoo that you can just forget about if things get out of hand.

    1. Re:Yes, there is. by Anepthia · · Score: 1

      But what happens when someone else registers with your address (this is not just a hypothetical question to me, it just happened on my main address)? There are only two reliable solutions to spam: a good spam filter or not having a e-mail address. Anything else fails the instant they find or guess your address.

    2. Re:Yes, there is. by Anepthia · · Score: 1

      Yes, I am an idiot who mixed up parent posts. Sorry.

  40. Linford? by jeffkjo1 · · Score: 1

    According to Linford's announcement

    Something tells me Lindows's new company name isn't going to last...

  41. Re:Spamhaus and IronPort by JuggleGeek · · Score: 1
    First, Spamhaus isn't associated with IronPort in any way. You are thinking of Spamcop.

    Second, while you claim you don't like *anyone* to do mass email, you are posting on Slashdot, and you have a registered account here. I'd bet you that Slashdot would qualify under the "mass email" category. They use email when people register accounts, they email people to give them the current headlines, results of their moderations, to let people know someone either replied to or moderated a comment - that's lots of email every day. But none of it is abuse - it's entirely opt in, and anyone that doesn't want those emails can turn them off. (Or, simply not register in the first place.)

    Third, if your "all mass mailers are bad" theory were enforced, then there are lots of mailing lists, newsletters, news report services, etc that we could no longer take advantage of. Google News helps keep me informed of news stories on areas I'm interested in - should Google be shut down? The NYTimes and Reuters both send me messages with news headlines. Does that make them evil?

    I don't think you understand what spam is. You seem to think "All email except email from close friends is spam", but that simply isn't true.

    At the very minimum, you should learn the difference between solicited email and unsolicited email. Without much effort, you could also learn the difference between spammers and Spamhaus, which you imply are the same thing. Learning that Spamhaus and Spamcop are unrelated might also help you get a clue. And you are in desperate need of one.