Slashdot Mirror


Paul Graham Describes Dangers of Spam Blacklists

CRoby writes "Paul Graham posted an essay describing the danger and corruption of the main spammer blacklists today. It discusses MAPS and the SBL, the blacklist created to try to alleviate the abuses of MAPS, and suggests (maybe) another blacklist's creation."

9 of 611 comments

  1. Not like people get all radical about it... by dmorin · · Score: 4, Interesting
    Actual quote I have heard on the subject of spam blacklists: "I don't care that you're not a spammer. Your ISP allows spammers in their midst and therefore you all go on the list. Get a new ISP."

    Oh, ok. Nothing like overreacting a bit.

    1. Re:Not like people get all radical about it... by Uruk · · Score: 4, Interesting

      No, the principle is that if ISPs know that this kind of overreaction will occur, they will make quite sure that they don't have spammers in their midst. In essence, it's an attempt to incentivize ISPs to police themselves.

      What's the alternative? Having some centralized, international spam cop whose job it is to clean up every ISP on the planet? If ISPs get a completely free pass on spam and don't have to care whether their subscribers are abusing other people or not, where is their incentive to prevent the abuse? The way you avoid the tragedy of the commons is by getting people to see their individual stake in the issue.

      Certainly the quote that you're pointing out isn't the most diplomatic or effective way of putting it, and I doubt this kind of thinking is behind that quote - it probably is the knee-jerk reaction that you're identifying it for. Still, the idea might have some merit.

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  2. Pay and you get removed by tmk · · Score: 4, Interesting

    I have found an interesting offer: pay 50 bucks and you are removed immediately from the spam list. Have a look here.

    Interesting: The company won't say who they are. They say this was approved by local authorities, but this is bullshit. Local authorities cannot break federal law in Germany.

  3. Guideline, not a rule by bitflip · · Score: 5, Interesting

    I use blacklists all the time. Rather than simply rejecting the mail, if the server is on a blacklist, the initial OK is delayed by five seconds.

    If you're sending a ton of mail, i.e., spam, little of it gets through. If you're only sending one or two messages, i.e., likely legit mail, it goes through just fine.

    Combined with more specific stuff further back (Bayes, et al.), it's been quite effective at reducing the amount of spam sent, and the amount of mail that gets scanned.

    The problem isn't blacklists, it's how people use them.

  4. Re:today? by Joe+U · · Score: 3, Interesting

    "Vigilante is a very strong word"

    You're right. The correct words are 'overreacting assholes'.

    Most RBLs are run by assholes who have no concept of how to properly manage something as complex as an RBL.

    And no, I've never been blocked by one and I weight RBL positives very low.

  5. "Power-hungry weenies" by slavemowgli · · Score: 5, Interesting

    Interestingly enough, the owner of the acme.com domain who was recently featured in a story due to his getting more than a million spam mails (well, attempts to send spam) a day, agrees:

    DNS-RBLs - Domain Name System Realtime Black Lists. In theory the idea is fine. You have a set of sites that you blacklist, and you want to let other folks use the same list so you distribute it using DNS, which is a nice efficient de-centralized database. What's not to like?

    Well, I don't know why, but in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list.

    A lot of people tell me I'm wrong about this. They say that certain DNS-RBLs are ok, with objective criteria for inclusion and simple procedures for getting off the list. The thing is, they give conflicting recommendations for which lists are good and which are bad. Some of these folks recommend lists which I know from personal experience are bad.

    This problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing. The people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots.

    If the lists you use have not yet descended into corruption and chaos, consider yourself temporarily lucky.

    Do not use DNS-RBLs.

    (from http://www.acme.com/mail_filtering/shame_frameset.html)

    --
    quidquid latine dictum sit altum videtur.
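The DNS lookup behind a DNS-RBL as described in comment 5, combined with the "delay the greeting, don't reject" use from comment 3 and the low weighting from comment 4, as an added example that is not part of the thread or of any poster's setup. The zone names, addresses, fake resolver and the 0.5 score weight are constructed assumptions, and the IPv6 branch goes beyond what the comments discuss.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
GREET_DELAY_SECONDS = 5   # the five-second delay described in comment 3
RBL_SCORE = 0.5           # assumed low weight per hit; not a value from the thread

def dnsbl_query_name(ip, zone):
    """Reversed address labels + list zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # IPv6: one label per nibble
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolve(name):
    """A-record lookup via the system resolver; no answer or failure -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolve):
    """Only 127.0.0.0/8 answers count; a wildcard or parked zone does not."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False          # list unreachable: fail open, never act on an error
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

def connection_policy(ip, zones, resolve=system_resolve):
    """Never reject: return a greeting delay and a small score for later filters."""
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    delay = GREET_DELAY_SECONDS if hits else 0
    return {"hits": hits, "greet_delay": delay, "score": RBL_SCORE * len(hits)}

# Constructed sample data: a fake resolver standing in for two hypothetical lists.
FAKE_DNS = {
    "10.2.0.192.bl.example.org": ["127.0.0.2"],           # a real listing
    "7.100.51.198.parked.example.net": ["203.0.113.5"],   # wildcard answer, ignored
}
ZONES = ["bl.example.org", "parked.example.net"]
def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, connection_policy(ip, ZONES, fake_resolve))
```

Because the list only ever produces a delay and a score, a wrong or stale listing slows one sender down instead of silently dropping their mail.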
  6. What a clusterfuck by maynard · · Score: 3, Interesting

    Blocking spammers via a central database just doesn't work. The spammers are constantly moving from zombie client to zombie client in huge waves of hundreds of thousands of infected systems, making the RBL always filled with obsolete and incorrect information. The problem - as everyone knows - is that the protocol is fundamentally broken. It's a tragedy of the commons played out in front of our eyes.

    By allowing the abuse its outcome becomes a certainty. We're going to have to bite the bullet and dump open SMTP. And I think we're going to have to do this quickly. The levels of SPAM continue to rise. I often see ten to twenty times as many spam connections on my mail servers as legitimate connections, and this is a constant, flowing, amount of SPAM 24/7. Even with RBLs, spamassassin, etc, SPAM still gets through. The solution will not be found with another bandaid. It's time to dump SMTP and move to something that demands cryptographic authentication for users and hosts before allowing the transport session to complete. --M

  7. Re:Definitely a bad idea... by Seumas · · Score: 3, Interesting

    Providers don't have a choice very often. It's incredibly easy for someone to use any number of credit cards (even stolen ones that haven't been reported) and various false identities to purchase hosting accounts. If a provider doesn't respond and just keeps letting the spammer have at it, that's fine. But if someone is cut off quickly, then restore their SBL credibility immediately. Duh.

    Anyway, they shouldn't be blocking entire blocks of IPs. That doesn't even make sense. What does one guy on one IP out of hundreds or thousands who spammed for most of a day before he got caught have to do with my server which has run clean and reliable and secure and in good faith (including SPF and everything else) for the better part of a decade?

    As Paul Graham already stated, this is just a strongarm tactic to harass as many innocent parties as possible. There's no other explanation for it. Are two spammers really worth denying tens of thousands of (in the case of Paul Graham) Yahoo customers?

    There are bad-actors; rogue hosts. It's pretty clear when you're dealing with one who isn't. And if you were quick to put people on the SBL list, then take them down just as quickly. It is unacceptable that it took three weeks after the incident for them to finally remove them from the list.

  8. Re:Definitely a bad idea... by keraneuology · · Score: 3, Interesting
    this is just a strongarm tactic to harass as many innocent parties as possible

    You hit the nail right on the head. In fact, a fly on the wall related to me the entire conversation from the morning they decided to set this thing up:

    Person 1: I'm bored this morning, how 'bout you?

    Person 2: Yeah, me too, dewd. Let's start harassing as many innocent parties as we can!

    Person 1: Yeah, dewd! That'd be way wicked cool!

    Anyway, they shouldn't be blocking entire blocks of IPs. That doesn't even make sense. What does one guy on one IP out of hundreds or thousands who spammed for most of a day before he got caught have to do with my server which has run clean and reliable and secure and in good faith (including SPF and everything else) for the better part of a decade?

    Blame the spammers' money and the greed of the ISPs. It used to be quite common for a spammer to run under his pink contract from an IP address until people got fed up and blocked that specific IP. Certain ISPs would then assign the spammer a new IP address knowing full well what they were doing with the explicit intent of allowing that spammer to bypass the blocklists from people who were obviously and explicitly taking steps to avoid the spam. Unfortunately as it turned out truly innocent customers were being assigned a dirty IP address that had been previously sullied by a spammer. The moment their email server came online they were already blocked because of what had happened there before. Talk about unfair.

    The spam-friendly ISPs forced the blacklisting of IP blocks: there was simply no other way to filter out the spam coming from those netblocks. Other users of that hosting service may be inconvenienced, but the system admin's right to take steps to prevent spam from gumming up the works of HIS OWN NETWORK outweighs the right of anybody else to expect email originating from the same IP address used to send out three trillion ads for vgiara the week before to be received with open arms.

    Does this catch innocent people in the crossfire? Unfortunately, yes. But with 4,228,250,625 possible IP addresses those who maintain the blacklists can't be expected to personally review each and every email asking to be whitelisted and spend time and effort determining who is telling the truth and who is following spam rule #1.

    If widget.qqq has your domain blacklisted then your beef is with the admin of widget.qqq. Period. End of story. Beg him to whitelist you. Buy him a pizza. Send him some free (as in beer) beer. Serenade him at three in the morning. Send three billion statements of character witness. But his network, his gate, his key, his rules on granting admission.

    Let's look at this another way: If I am throwing a party and, on the advice of my friend who told me that people who wear Mickey Mouse shirts are boring, I deny admission to people wearing Mickey Mouse shirts, from whom will you beg entry and who shall be called nasty names for listening to somebody else?

    Of course, that's the solution, isn't it? We must ban any and all people from publishing an opinion regarding the statistical probability that an email from a given IP address is spam.

    --
    If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"