Slashdot Mirror
Email Servers Will Choke, Says Spamhaus
Rub3X writes, "The legal battle between antispam organization Spamhaus and e360 Insight is heating up. Spamhaus has a user base of around 650 million, and its lists block some fifty billion spam emails per day, according to the project's CEO Steve Linford. Spamhaus CIO Richard Cox says the immediate issue is that if the domain is suspended, the torrent of bulk mail hitting the world's mail servers would cause many of them to fail. More than 90% of of all email is now spam, Cox says, and he doubts that servers worldwide would be able to handle a ten-fold increase in traffic." Others estimate Spamhaus's blocking efficacy as closer to 75%; by this metric spam would increase four-fold, not ten-fold, if Spamhaus went unavailable. The article paraphrases CIO Cox as saying that the service will continue "even if there is a short-term degradation."
It would be interesting if all email server admins suddenly opened the flood gates for a day or two. Maybe then the general population will gain a better appreciate of the scale of the matter.
I still think they 3360 guys just look and smell like spammers. That spamhaus aggrees just adds to this conclusion. Here's what seems to amount to the spam histroy of the "plantiff".
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I am so ready to walk away from email. I just need someone to point me to a workable replacement.
Maybe some legal problems could be avoided by having two lists. One, a list of spammers. The second list is people who are not spammers (cough) who have threatened or engaged in legal action to be removed from the first list. In other words a list of plaintiffs in court cases. Mail server admins could choose whether to use one list or both for blocking mail.
-- Ed Avis ed@membled.com
Maybe spamhaus going dark for a bit will be enough to wake people up to the problem a bit more and maybe finally get people working on a solution. Im all for registered mail (whitelists) or even pay to send email within reason.
I have a client who complains daily about the amount of spam she recieves (4-6 a day) and takes probably half an hour a day forwarding each of them to me along with rants about them. I have tried to explain that if she would parlay that half hour into about 5 seconds of clicking the delete button she would save herself alot of grief. She just wants it all eradicated, and frankly I dont think its really possible with an open email address. She will download things like weatherbug and signup for webshots or any other "free" service without regard to what "free" means when it comes to the web. I have tried explaining that you simply cant stop all of it and that level of spam control I have been able to maintain in far superior than most, but she insists I just dont know what im doing. The latest problem has been with image spams regarding penny stocks. The source shows basically nothing filterable, anyone ever find a way to deal with those?
I am now evaluating a Deep Six spam box to see if that helps but with what little is trickling through now I dont see alot of improvements, im already catching hundreds a day without it.
I can back up the AC's statement. I work for an IT multinational and our e-mail servers run close to the edge. If we were to see a significant increase in e-mail levels, be it x4 or x10, or even x2, our e-mail system would grind to a halt. We, along with every organisation have become totally dependant on e-mail. For example, one of our customers requires that financial information it sent to the Bank of England by close of play every day. It is sent using (encrypted) e-mail. A delay of a few hours would give us major headaches. And yes, we could use alternative methods but it would take some time to put these in place.
If the preditions came true it would be bad for us.
init 11 - for when you need that edge.
have to agree with the above, i remember working for a large web hosting company 6 months back, fighting the rise in mail was like fighting the tide (and spam blocking was optional), a rise of 2 times the amount of email always caused delays which took a long time to filter through, one of the biggest headaches was customers complaining of delayed email (and they would phone as an order placed on their website 15 minutes ago hasnt come through yet).
if the amount of email traffic more than doubled for a day or 2 we would end up with weeks worth of backlogs as smaller isp's clog up (and even the bigger ones), then you would start losing email which is not acceptable to any business. most companies cannot upgrade their infrastructure fast enough to cope with this kind of thing.
these days email is expected to be instantaneous like a phone call, but if you were constantly being phoned by telemarketers when you were waiting for an important customers call someone would kick off, but for email it seems to be acceptable.
All I can say is, pray that IPv6 doesn't get adopted or it will be even worse.
Why? There will be more IPs, but if everyone has a permanent IP it will be easier to block offenders and infected machines.
Meanwhile the rest of the planet will treat an unenforcable court order from this judge about as seriously as they would a court order from the judge in this case.
GP was missing the link above.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Most of the comments I've read so far seem to be in favour of Spamhaus, and while I agree that they do some good work, they are not all good. Specifically, they seem over keen to blacklist address ranges without providing any proof, and very reluctant to unblock these.
/27 subnet), and their explanation was that we were hosting someone from their ROKSO list.
I work for an ISP providing dedicated server hosting & colocation. Recently a couple of our customers contacted us saying that they had appeared on the Spamhaus blacklist, and were consequently having trouble sending e-mails. They claimed that they had not involved in any spamming activities, and that this listing was therefore incorrect. We found out that Spamhaus had blacklisted a range of our IP addresses (specifically a
While it was indeed true that we were hosting a server for this person, Spamhaus had a) blocked an address range larger than the IP addresses involved with this spammer, and b) would not offer any proof that the spammer had been using the server we host for him to involve in any spamming activities. When we contacted them, they refused to unblock this range unless we suspended the account of this spammer (again without providing any proof of activities conducted from our network that would breach our TOS), even though they acknowledged that the range they were blocking involved innocent customers. For us to suspend him at the request of Spamhaus would have been US breaking our contract with him, as there was no indication that he had violated our AUP (which DOES prohibit involvement with spam).
When we refused to break our contract with our customer at the request of a third party (perfectly acceptable position imho!), Spamhaus said that if they blocked any of our customers in future, they would blacklist our entire network (which is a considerable amount of addresses). This is unacceptable in my view, they are essentially trying to hold us to ransom without providing any proof of activities. When talking with some other ISPs, we heard of similar stories. In one case, the ISP concerned suspended the spammer's account and contacted Spamhaus to have their blacklist removed, and were told that "due to under-staffing, Spamhaus would not be able to remove the blacklist entry for a couple of days. however, if they would like to make a donation to spamhaus, they would remove the entry much sooner".
To reiterate my earlier point, Spamhaus does provide a valuable service, there's not much doubt of this. But they way in which they are organised leaves a lot to be desired!
No one will be hiding behind NAT's or using dynamic IP's with IPv6. These two abuses of IPv4 addressing are the main reason why it is so difficult these days to track down and control sources of network abuse, including spam. This will make it easier to make computers and people responsible for them accountable for their actions, which means spammers and people who insist on running insecure operating systems can no longer hide or deny responsibility so easily as they can now.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
The interesting legal argument here is, that by pointing out that the case is (among other flaws) on a level of jurisdiction that surely can't be right, you voluntarily subject yourself to whatever that legal systems likes to come up with next.
The next interesting legal argument here is, that the judge seems not to be a judge, but a referee. His job is not to descide what's right and what's wrong, but to make sure the rules of the game are observed. They can't even descide that the case does not belong before them.
The last interesting legal argument is, that if the one who's sued doesn't appear, the one who sues gets all they want. Hell, they should have asked for a billion or two along with eevryone working for spamhaus and their children, relatives and frieds as slaves (for the next 7 generations). By the logic of the US legal system, they might just have won that as well.
Would I have appeared bofore them? And let the spammer force me and my non-profit organization to accept to be financially crippled by the spammer's for-profit ressources? No, I'd have shown them the finger as well (living in Europe and feeling there's a lot of nice areas for vacation that are on this side of the pool, so I don't really need to visit the US).
> SPF has serious technical problems:
SMTP has serious technical problems, it wasn't designed to be deployed on a hostile network.
> Not to mention the legal uncertainty surrounding the version hijacked by Microsoft.
???
There is no legal uncertainty. Microsoft SenderID has nothing to do with SPF other than checking SPF records created for a SMTP transaction against a message body. Sender ID has zero technical merit, it was a Microsoft attempt to muddy the waters, and the IETF was complicit.
Not everyone has the privilege of setting their own budget.
To worries over Spamhaus outages, from what I heard, they maintain a regularly updated list that people retrieve from them. Power outages wouldn't be a problem, shutting down however would make the list gradually less relevant. In practice it would have to be dropped fairly quickly though, for the sake of those who have plugged security holes but can't be removed.
How about Spamhaus taking them to the UK court for spamming (illegal in the UK). Then, when they don't turn up and Spamhaus wins by default, the judge orders the e360 website removed and (because this is an illegal rather than civil breach) extradition to the UK of the site owners.
For some reason, most people do not consider that as a realistic possibility. Personally, I think it should be illegal to be stupid, in a lot more situations than it is today.
This isn't exactly revolutionary. People are already being put into jail, for buying stolen goods, if the police can demonstrate that "they should have known it was stolen". And if you drive over some schoolkids while fondling with your car-radio, you are still guilty of murder. And if you are a surgeon and kills a patient through malpractice, you are also in deep trouble.
The society needs more legislation against stupidity, not less. It's too easy to excuse away all the damage you have done, by putting up the "I'm stupid" excuse. So, yes, let it be punishable for up to n years in jail, to through stupid or uninformed actions, create life more profitable for spammers.
The best way to get enough spam to swamp almost any filter is to fwd all mail for a domain to a single inbox.
Google has reported 60K spam over the last 30 days, and about 10 messages in hour still get through to my inbox.
Worse is these asscactuses start sending mail that looks like it was from my domain, so I get all the bounces, and look like an asshole myself.
That one Russian spammer who was savagely murdered... it's hard to drum up sufficient sympathy for that.
If all the world is bending over backwards to find new ways of plugging their ears, stop yelling.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
...that we're not the only ones. I've seen the rate of blocked spam messages on our spam firewall increase from 75% to 97% in the past few months. That means only 3% of our total message stream is allowed through as "legit" and our users are STILL seeing about 20 spam messages a day. So this, is apparently normal e-mail in this day and age? Sad.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I am serious: If any politican would seek to introduce the death penalty for spammers, he'd have my vote. I have lived with this nonsense now for ten years, and my patience is wearing thin.
I agree that spam email is about 90% of traffic. In my case the ratio is probably even higher. I get a lot of spam. Most of it gets filtered out by spamcop.
If RBLs suddenly became unavailable, the only - and I do mean only - option for me would be to reject any email that doesn't come with correct sender verification of some sort, say, SPF. Then, once spammers start using those systems too I'd have to start whitelisting senders.
I really can't believe that the US is putting up with that. I think only judges who have no email account could even agree to hear such a case.
This is precisely what happens when you elect judges.
IN this case, the action was taken by a federal judge, who are appointed, not elected, but many state judges have to run for office.
In Ohio, they've found a state judge who finds infavor of campaign contributors 90% of the time, and one decision by the state Supreme Court that was split 4-3, exactly along the lines of donation by the two parties in the lawsuit. (one side contributed to the four, the other to the three)
Justice isn't only not blind in Ohio, hell, it's for rent.
I'd love to see all of the spam-fighting services go on strike for a week. DNS blackholes, spam filters, the works. Let spam flow uninterrupted. Let every user on the internet see just how bad spam really is. THAT would get some useful laws in place, and some criminals behind bars.
Unfortunately, too much of the IT economy is closely tied to fighting spam, and they can't afford to let that happen.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban