[In the message entitled "Re: Stealth Blocking" on May 24, 14:05, Mitch Halmu writes:]
On Thu, 24 May 2001, Dave Rand wrote:
The MAPS RSS(sm) is a list of open relays *which have been abused*. These are sites which have been reported to MAPS as open relays, and have spam samples. Once the spam has been verified, a test is performed to verify that the site is, indeed, an open relay. If a sample message is accepted, and then returned by the site as a relay, the host is listed. Removal from the RSS requires that the host no longer relays. Automated probes are never done - a human must request the test, and spam must be available. Because of the very large number of hosts listed (around 100,000 as I write this), it's generally used in DNS mode only. It's pretty easy to get a host which is an open relay that has transmitted spam onto the list. Between 100 and 1,500 hosts per day are added, and hundreds per day are taken off (as soon as they let MAPS know that the relay has been closed).
Very interesting statistics. It gives you a clear picture of the magnitude of the squeeze. Now I understand why such a heavy hammer was needed at the helm full-time. Supposing that 100,000 server owners plus those forcibly 're-educated' get together and do something about it, like scream, or jump off a 12 inch stool, or donate $10 each, would they be able to shake Dave off his high horse? How about if they also rally their users that were suddenly cut off?
The vast majority of the open relays that are left are on systems that are unmanned. Another is on systems that "aren't running a mail server" (the classic case is "that is my DNS server, not my mail server! Why is it on the RSS?" - of course, they didn't realize that they had, in fact, left the mail server enabled). No need to shake me off a horse - just close the open mail server. It's a few minutes of work, in most cases, and a few hours in some. Yes, there are some "hard cases" that take much longer to close for various reasons, but it is 2001, not 1997. There's been plenty of time for people to close their mail servers. And note, again, that these hosts are on the RSS. A BGP feed of the RSS is not practical, so only hosts that choose to run the DNS version of RSS on their mail servers will have their mail affected.
The collateral damage in blocking 100,000 hosts is simply unacceptable. Especially because there are only a few hundred die-hard professional spammers that need to be rooted out, and the problem diminishes, or at least becomes manageable in another way. As an ISP, I have yet to see a list of black sheep compiled consisting of individuals, spam companies, or credit cards used to defraud that should not be subscribed. Banks share such information, why can't ISPs?
It would be wonderful if we could. And I do agree that there are relatively few hard-core spammers. And we are rooting them out, one by one, and forcing them into a smaller, and smaller number of ISPs that still permit anonymous sign-up, or unrestricted port 25 access from their dialup ports. The latest kick is to break into machines, and install spamware on them. That's a great sign that the spammers have well and truly crossed the line into already illegal ground. It can also be argued that the collateral damage from *not* blocking spam is unacceptable. But *no one* is forcing you to use any blocking methods. If you don't want to, don't. If you want to, go ahead. Your wires: your rules. Your equipment: your rules. If you choose not to accept mail from people with two wives, that's your choice to make. If you want to accept traffic only from even-numbered IP addresses, that's also your choice. The RSS simply gives you a method to choose from. "These hosts have been abused in the past, and we have verified them as still open. The traffic you get from here might be spam." Some people reject it, some mark it. Others don't. What's the problem?
No matter how noble the cause, the methods are wrong. In all the debate, it was perhaps lost that no viable technological solution to roaming, meaning one that is happily accepted by the end user, exists yet. And please don't mention SMTP Auth, it's not perfected yet.
Many large ISPs are quite happily using pop-before-smtp, and other secondary authentication schemes. Other ISPs are using various other methods to ensure that only their customers get to relay through their mail server. If you have a better method for ferreting out spam, please let us know. If you think you can find a way to stop known spammers (when court orders, fines, ANI blocking, and the like have failed), I'm all ears. Until a better method comes along, I'll continue to make the RSS available. It's my earnest desire that the count of hosts in the RSS reach zero. It's my earnest desire that the count of hosts in the RBL reach zero. Help achieving this goal, by eliminating spam, is appreciated.