Should You Trust MAPS?
"I spent all weekend long trying to get a hold of the people at MAPS, as they don't bother telling you when they are open. When I finally got a hold of someone on Monday morning (not an easy task, mind you!), they told me that they are not open on the weekend, so it would have been *impossible* to resolve this issue quickly. And because I was only a customer of the company who owns these IPs, they would not unblock my subset of IPs. Despite the problem originating from a handful of IP addresses, MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend! I had already made several phone calls and emails to my co-location facility, and they told me they were doing their best to get a hold of someone there. Several emails had been sent, and just as I first experienced, they could not reach anyone at MAPS by phone. When I finally talked to someone at MAPS, he told me that he would not be proactive in the matter by actually phoning my co-locator to work this out.
These people at MAPS think themselves quite high and holy, and in some ways they are: many ISPs and the like will bounce emails just because MAPS tells them to. (I've since removed MAPS from my list of RBL servers to check.) As a small-business owner, MAPS can be very hurtful to a business and very uncooperative in helping resolve the issue. I gave them a couple subnets of mine to unblock, but they would not, even though my IPs were not involved in the original complaint.
This experience has certainly made me think twice about who I trust to decide the fate of my incoming email."
MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend.
MAPS didn't block you.
MAPS added you to a blacklist.
Some admins have decided to block you based on you being in the MAPS list.
That may or may not be a good decision on the part of the admins.
It's easy to get angry with MAPS, but they're just publishing a list.
Uh, that helps absolutely none in this particular case. If you'd bother to read the text, and it wasn't even a full article, some OTHER company/person was responsible for 180,000 IPs getting blocked, including his subnets which had ABSOLUTELY NOTHING to do with it.... His company's customer service had squat to do with it. Neither did his ISP's really...
RBLs do not block anything. They provide attributes for every IP address, and users of the RBLs can decide the fate of communication with these IP addresses based on the RBL-provided attributes. The effect is similar, but not the same, and there's a big legal difference.
Actually, no, that's not what I'm admitting. My co-location provider had some customers that were the problem. And when I talked to them, they said those problem customers were terminated before the blacklist even happened. They didn't respond to MAPS in time, and MAPS took it upon themselves to blacklist 180,000 IPs, affecting innocent people like myself all over the world.
So you admit, that you were relaying SPAM
No, read the guy's story again. A) He was not sending spam. B) Someone else at his ISP did send spam through the IPs they get from the ISP. C) His ISP did not respond 'fast enough' for MAPS. What is not clear is what is 'fast enough'. D) MAPS blacklisted him.
The problem wasn't that we used MAPS -- we didn't. It's that other large organizations do, and we were adversely affected by an over-zealous "investigator" and a co-location facility who wasn't able to respond to MAPS's notification email within a day -- not all that unreasonable, in my opinion.
In fact, it *is* criminal--it's called extortion. Have the charity talk to their lawyers.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Once upon a time, I monitored the SMTP traffic on one of my systems very carefully. I wrote a special-purpose demon that pretended to be an SMTP server, which logged attempts at sending email, but still passed email to postmaster and from specific people (just like the RFCs say it must).
One day, I found a series of attempts at routing email through my server. A whole series of email with RCPT TO's that were off-site. I reported this to the abuse addresses that were responsible for the IP address that was the source.
Now, I expected one of two things to happen: they'd ignore the problem report, or I'd get a "thanks" for pointing out the problem. What I GOT was a cranky response from an anti-spammer telling me it was his GOD GIVEN RIGHT to hammer on my server in any way he saw fit, and a listing for the entire ORGANIZATION in one of the RBL-like listings as "uncooperative". All because I caught him testing my system and reported it.
Needless to say, I no longer bother reporting the routing attempts to anyone. If reporting spam relay tests gets me labelled a spammer and included in blocking lists, fuck it.
Put up or shut up, n3c. Give us the IP to judge for ourselves. We'll check the evidence, and probably learn the truth. I bet you don't want that.
Oh, and in your quest to learn to speak and write English, please remember to review the meaning of perjury. In a legal sense (it IS a legal term, BTW) it means knowingly false statements made under oath in a legal proceeding. Nothing of that nature cited here.
Spamhaus is the best in every way. Fewest false positives, due diligence to prevent collateral damage. Your rant reflects on YOU!
Your point is correct. It's also the reason MAPS expands blocked netblocks. If they only block the specific IPs that originated the spam, unscrupulous ISPs merely move the spammers to different IPs and let them continue. Note that this isn't a theoretical statement, it's observed behavior. If an ISP does that, MAPS responds by expanding the block to include more and more of the ISP's assigned addresses, until (if the ISP doesn't get the hint first) the ISP has no unblocked address space left.
Yes, non-spammers get affected. That's the point. The recipients of the spam are the ones being damaged, but since they aren't paying customers of the ISP hosting the spammer that ISP has no reason to do anything about their complaints. Once non-spamming customers start being affected, though, they start complaining. Now the ISP's facing real financial impact: if they don't do something about the spammer, they may begin losing customers.
ISPs don't like this, it makes them have to choose whether they want the spammers' money or their legitimate customers. They'd much rather have both. As a recipient of spam, I've no sympathy for their plight at all.
First of all I can completely understand your frustration - it's a bastard of a situation. You apparently didn't do anything and were hit hard by MAPS.
:)?
That being said, I think blacklists are a necessary evil. At the university where I currently work (as a student-aid, not responsible for the whole operation) we employ three different blacklists. Why? Because they filter out about 2/3 of the mails sent to our users (roughly 2.500-3.000 on a workday). If we didn't remove these mails, we would be overrun by users complaining. As the situation is now, we only have to deal with the legit mail, that is accidentally blocked.
Of course there are alternatives like Bayesian filtering, but these unfortunately take up processing power and storage. It is perhaps an approach we should investigate further, but I must admit we haven't gotten around to it, as the blacklists are serving us fine.
PS. Are you sure you don't have any zombies on your network segments? Is smtp (both incoming and outbound) firewalled off for all machines (except perhaps mailservers
One of the customers where I work was recently added to a bunch of RBLs, all because people who signed up for their mailing list decided they didn't want it anymore. This is fairly common, as several other customers have had to deal with it in the past (in every single case I was able to easily confirm they were not spamming, only opt-in, and they don't buy addresses.)
Many times it has nothing to do with the ISP, but about stupid people who don't understand what is in their inbox. Given how easy it is to get added to a RBL it's not surprising, really. What annoys me is when our customers don't notice or don't tell me, and 6 months later the blacklist expands to our entire IP block. We're not spammers and we don't host spammers, but we're blacklisted as spammers.
And boy, did spamhaus roll us over the coals on that one. Our ISP changed providers and bought into one that had a block of IP addresses that used to be owned by a spammer and when the spammer vacated the premises, they weren't nice enough to let Spamhaus know that they had left the neighborhood, and consequently, when we moved in, WHAMMO, blacklisted.
It took a lot of investigation, and then using a different email server to forward all of our email through for a couple of MONTHS to get everything resolved.
And, boy were the Spamhaus people super nice and helpful.
Ocean is land, covered with water.
AT&T Worldnet also maintains an internal RBL that is very difficult to get off of primarily because there is no documentation on how to get off their RBL! To find out you pretty much have to do a search in Google Groups for some posts to the abuse newsgroups where other admins ask "How the (*&#$&*#$ do I get off the Worldnet RBL?". Another cute trick with the Worldnet RBL is, once you've been blocked you must email your RBL removal petition from an IP/domain outside the blacklisted one as mail sent to their abuse admins will bounce due to the RBL. It's just annoying as all hell if you ask me.
A couple of the blacklists and AOL's mailserver blacklisted the IP's for being "home IP's", even though they weren't. Took a number of emails from both us and Qwest's NOC to get removed off all the blacklists.
So, beware of situations where ISP's designate blocks of IP's for business use "within" those they've classified as "home". It happens.
I'm Rick James with mod points biatch!
It doesn't matter if it's MAPS, ORBS, SPEWS, Spamhaus, or even AOL; if you administer outbound email, you are likely to be affected by someone protecting their email systems from spam. It is usually not your fault, but if others don't normally get listed frequently, there has to be some reason (unresponsive upstream ISP, something one of your customers or users is doing, a preventable misunderstanding about mailing lists) that got you listed.
If one RBL service has too many false positives, ISPs usually stop using them. MAPS is still in business, so their false positive rate probably isn't absurdly high.
Here are some tips to help email administrators keep their email flowing:
1. Negotiate ahead of time to get your servers whitelisted or registered as a "good" server. This means setting up proper forward/reverse DNS, configuring SPF, possibly registering with one or more "bonded sender" programs, looking at the AOL postmaster FAQ and getting into their whitelist system, etc.
2. Lease yourself a shared or dedicated server (think $25/mo -$60/mo) at another colocation facility that you can use to configure to be a mail relay for your primary mail servers. If delivery fails enough from your primary server, it should requeue the message to go out via your relay, perhaps after you've diagnosed the cause of the blocking complaint.
3. Set up test scripts to periodically poll major DNS RBLs for the status of your IP address and alert you when you're listed. (Perhaps tie this in to automatically activate your relay server in #2).
4. Ask your ISP what their spam policies are and assess your risk to getting mixed up in their other customers' problems. If they aren't vehemently anti-SPAM themselves, consider another provider for your outbound mail. By "vehemently", I mean: They have their own enforcement policies and 24-hour contact escalation policies with each customer, and will shut down customers that are not responsive to handling complaints.
5. If you manage mailing lists, make sure each and every message at the bottom has a link to the proof about how the recipient opted in for the message. (PS: Stop using email to distribute content! It's so, like, 20th-century. If your content is any good, they'll access it regularly via the web or RSS it into their portal.)
-ez
(Disclaimer: I'm the inventor of DNS RBL. Your misery is partly my fault. Mua ha ha ha.)
Karma: Whore (you look at your score after posting)
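Tip 3 in the comment above (poll DNS RBLs for your own addresses and alert on a listing), as an added example that is not part of the original comment. The zone names, addresses and `sample_resolver` records are constructed placeholders; the 127.0.0.2 / 127.0.0.1 self-test follows the DNSBL conventions in RFC 5782 and keeps a dead or wildcarding list from raising false alerts.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name via the OS resolver; [] when the lookup fails.
    Caveat: NXDOMAIN (not listed) and a timeout look the same here."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def lookup(ip, zone, resolve):
    """Split answers into list return codes (127.0.0.0/8) and anything else."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = sorted(a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK)
    other = sorted(a for a in answers if a not in codes)
    return codes, other

def zone_health(zone, resolve):
    """Self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    test_codes, test_other = lookup("127.0.0.2", zone, resolve)
    never_codes, never_other = lookup("127.0.0.1", zone, resolve)
    if test_other or never_other:
        return "hijacked"   # resolver rewrites answers (e.g. NXDOMAIN redirection)
    if never_codes:
        return "wildcard"   # list answers "listed" for every address
    if not test_codes:
        return "dead"       # list unreachable or shut down
    return "ok"

def poll(ips, zones, resolve=system_resolver):
    """Return (alerts, skipped): alerts are (ip, zone, codes), skipped are (zone, reason)."""
    alerts, skipped = [], []
    for zone in zones:
        state = zone_health(zone, resolve)
        if state != "ok":
            skipped.append((zone, state))
            continue
        for ip in ips:
            codes, _ = lookup(ip, zone, resolve)
            if codes:
                alerts.append((ip, zone, codes))
    return alerts, skipped

# Constructed sample data: hypothetical zones, documentation-range addresses.
SAMPLE_RECORDS = {
    "2.0.0.127.bl.example.org": ["127.0.0.2"],    # healthy list, test entry present
    "10.2.0.192.bl.example.org": ["127.0.0.4"],   # our mail server is listed
    "2.0.0.127.all.example.net": ["127.0.0.2"],   # list that answers for everything
    "1.0.0.127.all.example.net": ["127.0.0.2"],
    "10.2.0.192.all.example.net": ["127.0.0.2"],
}

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed records above."""
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    alerts, skipped = poll(["192.0.2.10", "192.0.2.11"],
                           ["bl.example.org", "all.example.net", "gone.example.com"],
                           sample_resolver)
    for ip, zone, codes in alerts:
        print(f"ALERT {ip} listed on {zone}: {', '.join(codes)}")
    for zone, reason in skipped:
        print(f"SKIP  {zone}: {reason}")
```

Run from cron with `poll(ips, zones)` to use the system resolver; the return codes a list uses are defined by that list's own documentation.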
Peer1.net did not appropriately respond to their spam complaints, and simply moved known spammers from one IP block to another. It is unknown if they were knowingly harboring spammers (MAPs seems to think so), but the reason MAPs escalated to all of their netblocks was because they could not get the attention of Peer1 with previous attempts, and the best way to get their attention when they are ignoring you is to get every single one of your customer's attention and have them all call you. I emailed MAPs, they didn't respond, I called them and got a human on the phone and they explained this to me. I called Peer1 to chew them out for doing this and will demand that they give me outage credit.
I rely on RBLs to block a significant amount of spam, however I use conservative ones that the anti-spam community seems to be fairly confident in their abilities, attitude, de-listing policy. They constantly need to be re-evaluated (in fact I need to do that soon) as to their effectiveness, but with this list I have not had a customer complaint about us blocking mail.
list.dsbl.org,
opm.blitzed.org,
relays.ordb.o
cbl.abuseat.org,
NB: MAPs is not listed because they do this sort of thing. While it may sound like I support what they did above, I also am really pissed off because I've got a lot of trouble tickets from people wanting to know why their mail bounced. It is for this reason that I am not using MAPs in my RBL list.
it looks like his personal domain is patrickg.com
soooo, let's see......
host -t mx patrickg.com
patrickg.com mail is handled by 0 poopsmith.retrix.com.
host poopsmith.retrix.com
poopsmith.retrix.com has address 69.90.28.179
whois 69.90.28.179
Peer 1 Network Inc. PEER1-BLK-08
69.90.0.0 - 69.90.255.255
Patrick Gibson PEER1-RETRIX-05
69.90.28.128 - 69.90.28.191
peer1 is a spammy shithole.
1840 complaints in NANAS for peer1 spam sightings.
http://tinyurl.com/6gvqw
and a whopping 37 sbl listings
http://tinyurl.com/52z4z
MAPS is the least of your problems buddy. You need a new isp, and soon. A lot of mail admins (including yours truly) block peer1 on sight.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Most block lists which use IPs are granular to the netblock level. That's not much help to you if you only have a few IPs, but if you have a block of 8 or more from your ISP you should probably do a WHOIS search at arin.net and make sure the block you were assigned shows up.
We got burned by our ISP when they didn't do that. We were blocked because our ISP (the local cable company) had us lumped in the same netblock as their entire home cable Internet user address space.
In that case, however, the maintainer of the block list was at least willing to unblock us when I could show him that reverse DNS returned hosts with our domain name.
I agree fully. We only use Spamhaus which has proved itself to be highly effective, plus to date no clients have noticed legitimate email being blocked. Spamhaus have a very clear policy and procedure, significantly reducing the chance of legitimate mail being impacted. Their Register of Known Spamming Organisations (ROKSO) is also brilliant.
I had a server blocked by some really dumb anti spam site a while back, there was an open formmail on some customer's site, we received a complaint, we found it, we deleted it, I think in all we got 2 spamcop complaints and one complaint from a person so obviously there wasn't -that- much spam sent before we were notified and nuked the formmailer.
Time between us receiving the -first- complaint and the script being nuked from the server? Minutes, not even half an hour. It's not like we ignored the problem and allowed it to fester.
Well we ended up on some spam list that (get this) requires you to make a $50 donation to some charity to get off the list! Oh and it gets better, they listed 3 charities, 2 of them didn't work because they wanted NOTHING to do with this spam list after they were dossed, attacked, hounded, and overall just harassed for these bozos listing them on their site. The 3rd charity? Some legal defense fund, via PAYPAL for... the owner of the site!!
Well the -1- server blocking email because of that list I just contacted them and pointed them at this podunk little anti spam site and they quit using them and email went through and all was well.
Months later, 4 or more, we're STILL listed on that damned spam site. I could care less.
Spews and maps are just making it so any serious sysadmin/network/provider can NOT use them for RBL blocking, they're just overzealous.
I use spamcop, ordb, blitzed, and spamhaus quite regularly on a variety of servers, the "false positives" are low, and I rarely hear of someone legitimately not able to send email to anyone I host.
--- www.f-theocean.com
The point is it doesn't have to be a spam friendly ISP. All it takes is some server at the colo getting cracked and used for spam. Or some idiot setting up an open relay at the colo because they don't know what they are doing.
Bullshit.
MAPS (and almost every other RBL) won't blacklist an entire ISP for one machine.
They start with one machine (the one sending the spam), and if the ISP does nothing about it, the block starts growing.
See, read the article - they were blocked because of repeated complaints. This is not just one machine.
Define "quickly enough". If it's been more than 48 hours and the spammers are still there, that's too slow.
To make matters worse, they put this in effect either late Friday night, or early Saturday morning -- hours during which MAPS is not available for contact! (Mon-Fri, 9-5 only) How do people deal with MAPS and other RBL services who will not cooperate or be reasonable?
By not having a spam/virus transmission problem. Works for me.
And on a broader front, are you really prepared to trust a company like Kelkea, Inc. (owners of MAPS) to decide what emails gets to you without really knowing how they operate and deal with resolution processes?"
Yes.
"I spent all weekend long trying to get a hold of the people at MAPS, as they don't bother telling you when they are open.
Their web forms are always open.
When I finally got a hold of someone on Monday morning (not an easy task, mind you!), they told me that they are not open on the weekend, so it would have been *impossible* to resolve this issue quickly.
Impossible without using their web forms, that is.
And because I was only a customer of the company who owns these IPs, they would not unblock my subset of IPs.
Let's see, you are a customer of the people with the problem, you are not in the loop with your ISP as to exactly what actions have been taken, you don't know exactly what customers were involved, nor any of the sensitive details someone is going to want to know when there has been a massive spam run. Gee, that's too bad poor baby.
Despite the problem originating from a handful of IP addresses, MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend!
Never heard of snowshoe spamming? You live in a cave? News flash, many responsible systems admins block far more than just a /19. Many block /7's and /6's on private block lists.
I had already made several phone calls and emails to my co-location facility, and they told me they were doing their best to get a hold of someone there. Several emails had been sent, and just as I first experienced, they could not reach anyone at MAPS by phone.
See link to web form above.
When I finally talked to someone at MAPS, he told me that he would not be proactive in the matter by actually phoning my co-locator to work this out.
See above about having "standing".
These people at MAPS think themselves quite high and holy, and in some ways they are: many ISPs and the like will bounce emails just because MAPS tells them to. (I've since removed MAPS from my list of RBL servers to check.) As a small-business owner, MAPS can be very hurtful to a business and very uncooperative in helping resolve the issue.
If you are a business owner and fail to understand exactly why email is not a guaranteed delivery system, and your business depends on email, then you are very stupid and deserve to go broke.
I gave them a couple subnets of mine to unblock, but they would not, even though my IPs were not involved in the original complaint.
And spammers NEVER lie. They NEVER pose as someone else. They ALWAYS tell everybody what IP ranges they intend to use in their spam run two weeks before they use it.
This experience has certainly made me think twice about who I trust to decide the fate of my incoming email."
Good for you. Now, when you get finished thinking about that, think about how you can make your small business profitable when you can't use email. It's obvious to me that you fail to understand what went wrong, who is to blame for it, and what to do about it.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
MAPS isn't doing anything wrong, they simply gather findings and make them available to their subscribers. They exist to serve the interests of those subscribers, not the interests of some random nobodies who wish to send mail to those subscribers. MAPS is under no obligation to provide 24/7 assistance to the "unfairly" blacklisted domains. What exactly would be the business case for doing that? Who would pay those operators who wake up at 3:30 a.m. on a Saturday to service a complaint?
MAPS subscribers are aware of its limitations and problems and, guess what, they don't care and use the blacklist anyway! A MAPS user doesn't care that some random nobody sometimes gets "unfairly" blacklisted and is unable to contact them for an entire weekend. They care most about not getting spam and are glad that MAPS is so strict. In other words, the subscribers share the same values as the MAPS operators! If MAPS were to change the way it operates, those users might well switch to some other service that follows the original policies. MAPS users even accept that sometimes they won't be able to talk to other MAPS users because of the same problem you are having. Yet they remain MAPS users. Therefore, they will hardly be sympathetic to your case.
So basically, your complaint boils down to the existence of difficult people who have very particular rules about being talked to because they don't want to be bothered. The system by which they share those rules with each other isn't what's standing in your way here.
Well, well:
my recommendation to you:
switch providers ASAP.
One spam complaint, or 'a couple' of complaints not being followed up does not bring anyone into a blackhole list.
RBL lists and spam tagging services (spamcop, spamhaus, etc.) are a very good thing: they keep in check those who want to take more for themselves than they have the right to.
Your hosting provider did not get into the RBL for 'one or two' spam complaints 'not dealt with fast enough':
it takes a couple of independent complaints, each backed up with full spam emails, including all headers. I am not sure how many MAPS requires to see before acting, but I would guess it is not one alone.
MAPS also works with providers before swinging the big axe.
Spammers do good bandwidth, and I guess your provider is cashing for GB/month.
Maybe they did not prevent spammers from signing up again, so the spammer could actually 'poison' a couple of different subnets. Maybe there were several different spammers operating successfully off your hosting provider.
Switch to a different provider now.
You are probably working with one of the 'spam friendly' ones, who actually advertise that, and hide spam hosts with all kinds of 'no traceroute', no lookups, etc.
Just check, there's more to it than you think, and than your provider tells you.
Calling the list or spam tagging service is the wrong approach.
You should have called your provider, who should have given you immediately an address outside of the blackholed ranges. Sure, that takes a while to trickle through the Internet, but is still faster than waiting for a resolution of the blackhole listing issue.
Did your provider do that?
Was your provider available?
Did they send you to MAPS?
If they sent you to MAPS then they know what they are doing and just try to give MAPS unjustified grief by directing 100s of customers to their phones. And that's spam too.....blocking someone's phone lines this way...
Go get your money back.
da micha