Blacklisting IP addresses of spammers is a common and effective method of keeping spam away from our inboxes. There are many excellent lists that can be used for this purpose. Personally I like ordb, which is a list of open relays, and sbl.
Another list is SPEWS, which goes a step further than the majority of lists and blacklists entire IP blocks of ISPs known to host spammers. On the surface this may seem like a good idea - after all, if an ISP hosts a spammer it is more likely to host more spammers, and blocking the entire range may be useful in stopping such future crops of bad guys. This feeling quickly goes away when one realizes that innocent customers of the same ISPs are also blocked by the list -- without a chance of being removed until the ISP cleans up its act. In other words, they're collateral damage, and this seems acceptable to those behind the list.
DSLReports found itself in just such a situation recently, as I discovered that the reason some of our users were not receiving their requested email is that ISPs filter their incoming traffic through SPEWS. There is another factor to consider here: the IP of our server is blacklisted at level 2 which, according to the SPEWS FAQ, should only be used if someone wants to filter their email very aggressively. It isn't surprising that with the ever increasing deluge of spam a couple of ISPs would follow the advice of "professionals" and use the more aggressive method of filtering their traffic. (Incidentally, I have been asked by several people to expose the ISP(s) who are filtering at this level, but I refuse to start a witch hunt and will not do this.)
To make a long story short, the article Karl and I wrote created some noise (slashdot, etc.) and grabbed the attention of news.admin.net-abuse.email, which is the newsgroup you're directed to when you wish to be removed from the SPEWS blacklist. We followed up with an interview with the CEO of our ISP, and it seems nac is well on their way to cleaning house, with 3 listings remaining on spamhaus, down from 12 just a few days ago. Not bad; hopefully it'll be zero very soon.
Of course, what this results in is claims that "DSLR showed that SPEWS works". Well, not really. Yes, we did manage to grab the attention of our ISP and get the CEO involved in cleaning up their abuse department. That's true, but it is because we are a relatively well known site and can create enough noise to be a pain. Your average ISP customer does not have that leverage. So, yes, it worked, nac is cleaning house, but no, this does not prove that the method of blacklisting entire block ranges works in the long run. Not to mention that if we had been approached with "hey guys, nac is a pain, help us" we probably would have helped; nobody wants to be associated with what is seen as a "spam friendly ISP". Of course, a case might be made that we should have been watching the lists and seen this sooner, but neither of these things happened and 'what ifs' aren't very productive.
In the last few days I have read many arguments for the way SPEWS operates and many against it. What it boils down to for me is that the people behind SPEWS do not see anything wrong with the collateral damage of blacklisting innocent people who may not have the resources to affect how their ISP operates, and who are left with only the choice of either switching to a different provider (not always possible or easy, as anyone with a website knows) or routing email through an external host (ironic, since this is the same method spammers use to bypass blocks).
The most popular of arguments:
SPEWS doesn't block anyone, they just provide a list.
True, they do not block anyone; their list is what is utilized for that. Now, if we assume that an adult makes this argument, one may also assume that as an adult s/he understands that actions have consequences. The list is published with a specific purpose in mind -- to be utilized as a list of IPs for receiving mail servers to block. Anyone can make a list, but as soon as you make it publicly available and clearly describe what this list includes, you need to take the responsibility to make sure that the content is accurate and true. So, yes, while SPEWS themselves do not block anyone, as producers of the list they are responsible for its content.
Administrators have a right to block whoever they want
That they do. My argument isn't with the administrators blocking anyone; my argument is with SPEWS knowingly including IPs that have never produced a byte of spam on a list that is used by many administrators to filter incoming email. It's an unfortunate fact that many admins do not even know that SPEWS does this; that's clearly seen if you scan the comments in both our news stories - quite a few people admitted to using SPEWS and being unaware that innocent customers of ISPs are listed, not just spammers. In my honest opinion, any administrator of a large server who refuses email solely on a SPEWS listing is irresponsible, and if s/he were my employee they would be looking for a new job.
SPEWS works
I addressed part of this earlier. It worked in this case; it doesn't work in the other cases, otherwise the list would be much shorter, wouldn't it? If it worked, ISPs wouldn't stay listed on it for long (nearly a year for nac).
Using SPEWS means I get less spam
I'm sure you do, I'm sure you would get even less spam if you blacklisted the entire Internet, in fact you would get no spam, but you'd also get no email. If you can live with that, be my guest, but can your customers? (Obviously people running their own servers can do as they please).
There are few to none false positives with SPEWS
That's my favorite. Running a large mail server (that's 40K+ emails a day) means you cannot possibly know what your false positive rate is. Anyone who claims they do is full of it. With a smaller server it's possible to scan through logs and see what was rejected, but once again, for anyone running a small server none of this applies, as their email blocking choices affect only them, not thousands of customers as would be the case with an ISP.
You support a spam-friendly ISP therefore you support spam
I think this one just deserves a thorough and complete eye-roll.
Fact is, there is no evidence that a list like SPEWS is any more effective in stopping spam than a less aggressive list that blacklists only known spammers. I would venture the opinion that any administrator who is responsible for a large mail server and uses SPEWS to deny incoming email is irresponsible and is allowing his/her personal feelings about spammers to get in the way of performing a service for his/her users.
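The post makes two practical points that are easy to act on: an admin can only learn about false positives by scanning what the server actually rejected, and a netblock-wide list is better treated as one weak signal than as grounds for rejection on its own. The script below, an added example that is not from the original post or from any blacklist operator, does both. It assumes Postfix-style `reject_rbl_client` log lines (the sample lines, IPs from the RFC 5737 documentation ranges, sender addresses and the `.invalid` zone names are all constructed here), and the function names, weights and threshold are illustrative choices rather than anything the post specifies.

```python
"""Audit DNSBL rejections in a mail log, and score list hits instead of
hard-rejecting on a single aggressive list.

Added example. The log lines, IPs, zone names and weights below are
constructed for illustration; none come from the original post.
"""
import re
from collections import defaultdict

# Constructed Postfix-style reject lines (reject_rbl_client format).
# "l2.block-list.invalid" stands in for a list that blocks whole netblocks;
# "relays.example-list.invalid" stands in for a list of confirmed open relays.
SAMPLE_LOG = """\
Jun  3 10:01:12 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using l2.block-list.invalid; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<mail.example.com>
Jun  3 10:02:40 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using relays.example-list.invalid; from=<promo@example.org> to=<bob@example.net> proto=ESMTP helo=<x>
Jun  3 10:03:05 mx1 postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using l2.block-list.invalid; from=<alice@example.com> to=<carol@example.net> proto=ESMTP helo=<mail.example.com>
Jun  3 10:04:19 mx1 postfix/smtpd[1236]: connect from mail.example.com[192.0.2.10]
Jun  3 10:05:50 mx1 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable; Client host [203.0.113.99] blocked using relays.example-list.invalid; from=<offer@example.org> to=<dave@example.net> proto=SMTP helo=<203.0.113.99>
"""

# Pull the client IP, the list that matched, and the envelope sender.
REJECT_RE = re.compile(
    r"Client host \[(?P<ip>[^\]]+)\] blocked using (?P<dnsbl>[^\s;]+);"
    r".*?from=<(?P<sender>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict (ip, dnsbl, sender) per DNSBL rejection in the log."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
    return rejects


def summarize_by_list(rejects):
    """Count rejections per DNSBL and collect the distinct client IPs it hit."""
    summary = defaultdict(lambda: {"rejections": 0, "ips": set()})
    for r in rejects:
        summary[r["dnsbl"]]["rejections"] += 1
        summary[r["dnsbl"]]["ips"].add(r["ip"])
    return dict(summary)


def review_candidates(rejects, aggressive_lists):
    """IPs rejected *only* by lists known to list whole netblocks.

    Nothing else on the server accused these clients of sending spam, so
    they are the rejections worth checking by hand for collateral damage.
    """
    hits = defaultdict(set)
    for r in rejects:
        hits[r["ip"]].add(r["dnsbl"])
    return sorted(ip for ip, lists in hits.items() if lists <= set(aggressive_lists))


def spam_score(list_hits, weights, threshold):
    """Score list hits instead of hard-rejecting; returns (score, rejected).

    A netblock-wide list gets a small weight so it only tips the balance
    when some other evidence is present.
    """
    score = sum(weights.get(name, 0.0) for name in list_hits)
    return score, score >= threshold


if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    for name, info in summarize_by_list(rejects).items():
        print(f"{name}: {info['rejections']} rejections, {len(info['ips'])} IPs")
    print("review for collateral damage:",
          review_candidates(rejects, ["l2.block-list.invalid"]))
    weights = {"l2.block-list.invalid": 1.0, "relays.example-list.invalid": 4.0}
    print("netblock list alone:", spam_score({"l2.block-list.invalid"}, weights, 5.0))
```

Run against a real `mail.log`, `review_candidates` gives the short list of clients an admin can actually follow up on (the retrying `192.0.2.10` with a plausible HELO in the sample is exactly the kind of entry that turns out to be a legitimate neighbour of a spammer). The weights are arbitrary; the design point is that a list which admits to listing innocent addresses never reaches the reject threshold on its own.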
TrackBack URL for this entry: http://www.unix-girl.com/mt/mt-tb.cgi/1101
In order:
"Anyone can make a list, but as soon as you make it publicly available and clearly describe what this list includes you need to take the responsibility to make sure that the content is accurate and true."
SPEWS happily will tell you "this network is listed because it has escalated from a narrow listing to a large one". They *are* being truthful in their advertising.
"It's an unfortunate fact that many admins do not even know that SPEWS does this"
Don't blame SPEWS because people who use it fall into the category of (a) stupid by not paying attention to what they're doing, or (b) of a different opinion than you are as to whether or not they want to block "collateral" IP address space.
"If you can live with that, be my guest, but can your customers?"
If they don't like it, they can go elsewhere. Market dynamics will determine whether such blocking techniques are what customers want or not.
"I think this one just deserves a thorough and complete eye-roll"
You can roll your eyes all you want, but it's true. Spam-friendly ISPs need to be hurt the only place that they, as corporations, are legally bound to care about -- their bottom line.
If they're a spam-friendly ISP but people keep giving them money, they're not going to fix their problem.
#Derek, market dynamics gave us Walmart.
#If that's your only rebuttal to all of those points, I think I can just rest my case. ;-)
#Spam is getting way out of hand. As someone who has spent most of my internet life behind .co.uk domains I've not really been party to much of it... However, I'm now firmly ensconced behind some .com and .net entities, and even just days after registration the pop boxes are humming!
Any company that can provide a true and total solution to Spam is going to clean up, let's be honest, but the problem is that the majority of ANY internet companies are managed by people that sit in their Ivory Towers hidden behind a bunch of policy that absolutely precludes ANY contact from the world en masse. This is great in general, but the problems arise when action is taken that actually has a counterproductive effect on the innocents who are influenced by the Ivory Tower kingdom!
So - I guess what I'm saying is that unless the situation changes and either a not-for-profit anti-SPAM organisation (aka Nominet et al), or every ISP has a real-time situation in place that allows them to be fully accountable and take action for/against SPAM, then we're stuck with this mess.
Frankly, I say DDoS the lot of them! Does ANYONE buy from these people? ...or are they purely just the most annoying group of individuals on the planet?
I'd assume that in the report for some of these: http://spews.org/html/S2814.html that they actually figured *hey DSLR/BBR is on this block, lets add them to our list and see what happens*.
I sure wish that some admins would just use OTHER lists. This is simply eye rolling sad.
Ever since I got on the wrong end of an IP-based blacklist, I decided to stop using them.
My employer had an old OSF box around that was the mail gateway, and it turned out spammers were using it. I upgraded sendmail so that we could use anti-relaying tactics, but even a year later we were still on blacklists. There were two cases where a company had a copy of a blacklist that was old; they never bothered to grab the latest one.
Yea, they block a lot of spam, but at what cost? Too high a price for me.
#Sean, did you request of them to be delisted (need to do that by posting to news.admin.net-abuse.email)?
I would love to have evidence they don't delist people when they should, but I don't think they actively verify listed IPs.. so if a request hasn't been made it will probably remain listed.
#Kasia, very well put. Although we use SPEWS in our spam service we don't give it much weight so that it is only a small indication of whether the email MAY be spam.
Anything along these lines was also a major factor in why we don't block spam either.
#Getting rid of spam is so easy. I have several web logs and one of them has comments. What I did was remove the url address part of the comments and that totally ended the spam. Spammers only spam their url address to get google points so remove the reason for the spam and you got it licked. Why does anybody need url in comments? Just exchange links with people on the blog itself.
#Kasia is talking about email spam, Bob. You know, that stuff that's selling bigger penises and breasts in one of those parts of the Internet which aren't weblogs?