I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
Of course, I disagreed, and was called all sorts of names that I'd not used since I was 14.
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Overzealous to say the least (i.e. without using language used by people at spews which by itself should already say something about how professional they are). It's used primarily by very small system operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them, but things may be changing as other blacklists used before by isps have been shut down. They also have the largest number of dns servers for one domain (that I know of) which is the reason I regularly run whois on them to check completewhois.com engine performance.
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
Of course, I disagreed, and was called all sorts of names that I'd not used since I was 14.
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On Wed, 19 Jun 2002 20:07:40 -0700 (PDT) william@elan.net wrote:
... I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them,
outblaze (who do outsourced mailbox handling for a variety of email services like mail.com) use SPEWS. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
On Wed, 19 Jun 2002 william@elan.net wrote:
Overzealous to say the least (i.e. without using language used by people at spews
Uh... Most of the people that were yelling at Alex probably had absolutely nothing to do with SPEWS. NANAE != SPEWS.
which by itself should already say something about how professional they are). It's used primarily by very small system operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them,
I believe SBC's ISPs are. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
I've had similar problems as Alex with SPEW and also got the same reaction. They have a serious attitude problem. And no, SBC is not using SPEW, I think they have their own blacklist based on actual incidents and I think they are smart enough not to put themselves under legal risks for using SPEW.
Overzealous to say the least (i.e. without using language used by people at spews
Uh...
Most of the people that were yelling at Alex probably had absolutely nothing to do with SPEWS. NANAE != SPEWS.
which by itself should already say something about how professional they are). It's used primarily by very small system operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them,
I believe SBC's ISPs are.
-- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a
On Wed, 19 Jun 2002 william@elan.net wrote:
Overzealous to say the least (i.e. without using language used by people at spews which by itself should already say something about how professional they are). It's used primarily by very small system operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them, but things may be changing as other blacklists used before by isps have been shut down.
which ones are shutting down? I'm still using njabl.org and ordb.org with decent results. James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
In the immortal words of william@elan.net (william@elan.net):
It's used primarily by very small system operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them
Sprintlink, mail.com/iname/outblaze, and I believe possibly PacBell all use SPEWS. Do with this info what you will. -n ------------------------------------------------------------<memory@blank.org> My goal is real simple: to write better than anyone who can write faster than me, and faster than anyone who can write better than me. (--J.M. Straczynski) <http://blank.org/memory/>----------------------------------------------------
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
It's sort of an interesting concept but at least in my opinion it is unusable as a blacklist. Did you find the listing was causing a lot of mail to bounce? Mark Radabaugh Amplex (419) 833-3635
Quite. Since my last posting, I've told SpamAssassin (which, btw, is a rocking piece of ware) to count osirussoft (sp?) as a 0 point rule. They are so unilateral in the way they do this, and, often times don't even provide a _chance_ for the ISP to rectify the situation. It's crazy. On Wed, 19 Jun 2002, Mark Radabaugh wrote:
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
It's sort of an interesting concept but at least in my opinion it is unusable as a blacklist. Did you find the listing was causing a lot of mail to bounce?
Mark Radabaugh Amplex (419) 833-3635
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
[emailed to Alex & the list] On Wed, 19 Jun 2002 23:14:28 -0400 (Eastern Daylight Time), Alex Rubenstein <alex@nac.net> wrote:
Since my last posting, I've told SpamAssassin (which, btw, is a rocking piece of ware) to count osirussoft (sp?) as a 0 point rule.
They are so unilateral in the way they do this, and, often times don't even provide a _chance_ for the ISP to rectify the situation.
It's crazy.
I know I'm going to regret commenting, but hopefully it'll help. How long had you been getting complaints about your user before you were SPEWS listed? -- W . | ,. w , "Some people are alive only because \|/ \|/ it is illegal to kill them." Perna condita delenda est ---^----^---------------------------------------------------------------
On Wed, Jun 19, 2002 at 11:14:28PM -0400, Alex Rubenstein wrote:
Quite.
Since my last posting, I've told SpamAssassin (which, btw, is a rocking piece of ware) to count osirussoft (sp?) as a 0 point rule.
which is not the correct thing to do.
1) If you don't like SPEWS/Osirusoft, set the score to 0 on your server
   Quite honestly, I don't think you'll convince the SA developers to set the score to 0.
2) You seem to be missing the entire point of SpamAssassin, it allows you to combine several RBLs and only reject/flag the Email if several factors combined hint that the message is spam
3) Osirusoft returns 8 different codes depending on the match for an IP
   http://relays.osirusoft.com/faq.html
   If you don't like SPEWS, just don't pay attention to 127.0.0.6
Stick this in local.cf:
    header   X_OSIRU_SPAMWARE_SITE  eval:check_rbl_results_for('osirusoft', '127.0.0.6')
    describe X_OSIRU_SPAMWARE_SITE  Don't trust spews
    score    X_OSIRU_SPAMWARE_SITE  -2.0
Marc (SpamAssassin developer)
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
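An added example, not part of the message above and not SpamAssassin's own code: it shows how a DNSBL query name is built for an aggregate zone such as relays.osirusoft.com and how weighting each returned 127.0.0.x code separately changes the outcome compared with weighting any hit in the zone. Only the zone name and the 127.0.0.6 code come from the thread; the second code, all weights, the threshold and the sample answers are constructed.

```python
import ipaddress

ZONE = "relays.osirusoft.com"   # aggregate zone named in the thread
SPEWS_CODE = "127.0.0.6"        # return code the thread ties to SPEWS
THRESHOLD = 5.0                 # constructed spam threshold

# Constructed policies: one weight per return code.
# Only 127.0.0.6 comes from the thread; "127.0.0.2" and every weight
# below are illustrative, not osirusoft's or SpamAssassin's real values.
ZONE_WIDE = {"127.0.0.2": 5.0, SPEWS_CODE: 5.0}   # any hit is enough to reject
PER_CODE = {"127.0.0.2": 3.0, SPEWS_CODE: 0.0}    # SPEWS-sourced hits ignored

# Constructed stand-in for DNS so the example runs offline.
# Keys are query names, values are the A records "returned".
SAMPLE_ANSWERS = {
    "10.2.0.192.relays.osirusoft.com": ["127.0.0.6"],
    "20.2.0.192.relays.osirusoft.com": ["127.0.0.2", "127.0.0.6"],
}


def dnsbl_qname(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups do."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sample_resolver(qname):
    """Return the constructed A records; an empty list means not listed."""
    return SAMPLE_ANSWERS.get(qname, [])


def rbl_score(answers, policy):
    """Sum the policy weight of each distinct 127.0.0.0/8 answer."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    total = 0.0
    for answer in sorted(set(answers)):
        if ipaddress.IPv4Address(answer) not in loopback:
            continue  # not a listing code (e.g. a wildcarded zone); ignore
        total += policy.get(answer, 0.0)
    return total


def classify(ip, policy, other_score=0.0, resolver=sample_resolver):
    """Combine the DNSBL score with other evidence; return (score, is_spam)."""
    score = other_score + rbl_score(resolver(dnsbl_qname(ip)), policy)
    return score, score >= THRESHOLD


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        for name, policy in (("zone-wide", ZONE_WIDE), ("per-code", PER_CODE)):
            print(ip, name, classify(ip, policy, other_score=1.0))
```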
On Wed, 19 Jun 2002, Marc MERLIN wrote:
which is not the correct thing to do.
1) If you don't like SPEWS/Osirusoft, set the score to 0 on your server Quite honestly, I don't think you'll convince the SA developers to set the score to 0.
I suspect he was referring to his local copy when he said that. Jason -- Jason Slagle - CCNP - CCDP /"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \ / ASCII Ribbon Campaign . X - NO HTML/RTF in e-mail . / \ - NO Word docs in e-mail .
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
You don't have much choice. I don't know how commonly SPEWS itself is used to refuse email, but for some times it's been incorporated into relays.osirusoft.com, which, AFAIK, is one of the more commonly used dnsbl's. If you're listed in SPEWS, lots of sites will refuse your email. NANAE is a tough crowd. According to some there, I'm a spammer.
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
I'm curious how you got into SPEWS, and why they chose to hit just the /24 and not a much larger block. They claim to track and pre-emptively block known spammers. Was this a new customer that recently switched to your service and likely spammed before and got their previous ISP into SPEWS?...or was this an isolated spam incident followed by a surprise listing in SPEWS? -- ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Wed, Jun 19, 2002 at 10:58:52PM -0400, Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
Of course, I disagreed, and was called all sorts of names that I'd not used since I was 14.
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
I hate these people. I've been in a block listed by SPEWS for quite some time, over 2 spams from customers in like 2 years. They didn't send mail to abuse@, they just started blacklisting every IP they could find and justifying it by claiming that the ISPs involved need to be filtered until the customers are gone. What ticks me off is there is no one to talk to about it, you are expected to grovel on some usenet group and hope that they are reading and will remove you after sufficient heckling. The problem is that all the thousands of people installing Spam Assassin have it set to check relays.osirusoft.com with enough weight to kill an email by default, osirusoft references many lists with political agendas, and then mail starts bouncing. I for one refuse to play that pathetic little game, I keep myself listed as an example of why people should not use them. So far I've had a fairly large number of people who decided they would rather get email from me, but it's still mildly annoying. Not to sound too much like our friend Mitch, but people who run blackholes with agendas are really sitting on a lot of power to abuse. The end users who install software like Spam Assassin usually have no idea that a couple chains down the link there are insane people injecting bunk data.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, 19 Jun 2002, Richard A Steenbergen wrote:
What ticks me off is there is no one to talk to about it, you are expected to grovel on some usenet group and hope that they are reading and will remove you after sufficient heckling. The problem is that all the
I haven't actually tried using any of this info...but Domain, Contact chip@sendmail.ru Sergei ''chip'' Didorenko Visit Lake Biakal! :: http://baikal.irkutsk.org po box 61, Baikalsk-2 Irkutsk region, -- 665914 RU (7-3952) 348-335 (7-3952) 348-335 I wonder what it costs to call Russia? I also wonder...can you register domains you really don't want to be contacted about with 900 numbers? Now that would be cool. 'You want to call and whine...ok, but it's going to cost you.' :)
Not to sound too much like our friend Mitch, but people who run blackholes with agendas are really sitting on a lot of power to abuse. The end users who install software like Spam Assassin usually have no idea that a couple chains down the link there are insane people injecting bunk data.
That's their fault though for using a blacklist or software without looking into how it works or what its policies are. A blacklist is only as powerful as the people using it make it. If it pisses off its users too many times, they'll quit using it. If you're listed on a blacklist nobody uses, does your mail get blocked? :) -- ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him.
Quantify "a little while". (I'm not trying to be argumentative here...)
Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
I agree with that, *if* initial notifications to the ISP are ignored. Escalations are then in order, definitely. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, Jun 20, 2002 at 08:40:11AM -0400, Steven J. Sobol wrote:
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
I agree with that, *if* initial notifications to the ISP are ignored. Escalations are then in order, definitely.
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order". -c
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order".
It depends on your maturity and 'professionalism' I guess. Some of us see the problem, some see it as a 'cool way of getting attention'. Peter
On Thu, 20 Jun 2002, Peter Galbavy wrote:
the organization in question) instead of just the offending one is "in order".
It depends on your maturity and 'professionalism' I guess. Some of us see the problem, some see it as a 'cool way of getting attention'.
I'd have no respect for people who do it just to get attention. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002, Clayton Fiske wrote:
I agree with that, *if* initial notifications to the ISP are ignored. Escalations are then in order, definitely.
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order".
Let me clarify, then. If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. This principle is based on the fact that an ISP is more likely to listen to its paying customers than to outsiders. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. I don't advocate doing it unless you have tried all other reasonable methods to get in touch with the ISP and ask them to disconnect or otherwise educate their customer. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order".
Let me clarify, then.
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too.
Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. SPAM prevents people from reading their email by
a) filling up mail server queues
b) filling up user mailboxes (and/or quotas)
c) increased message count causes more time to be spent hitting delete, than searching for operational or important communications.
This all boils down to more or less the user missing/not receiving an important email. So by blacklisting a netblock which originated SPAM, and more importantly, its neighbors (or in SPEWS' case, the entire AS and netblocks announced from it), you are preventing valid emails from being delivered. So SPEWS is just as guilty of depriving people of their mail as spammers are IMO. Regarding your last comment, when tracking down and filtering a DoS, do you filter just the offending IP space, or ALL netblocks announced by that AS?
Andy Johnson wrote:
Let me clarify, then.
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever -
... and you've waited a reasonable time ... Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has?
then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
The objective isn't just to stop that spammer. If the ISP is clearly acting irresponsibly and not dealing with a spam problem, getting them to wake up is more important than the individual spammer.
And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too.
Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. ...
Not if it's the only way to wake up that ISP. Of course, this sort of block must be a last desperate measure. At a minimum, the spammer's been at it for weeks and you've mailed abuse@, postmaster@ and the whois contacts without eliciting a response from the ISP, before you even consider it. Even then, you should likely try phoning the ISP and/or browsing their website for other contact addresses before taking such a drastic action. But if drastic action seems the only way, don't stop at half measures. Blackhole every netblock they have, and for all packet types, not just email.
On Thu, 20 Jun 2002 14:33:18 EDT, Sandy Harris <pashley@storm.ca> said:
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever -
... and you've waited a reasonable time ...
Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has?
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before.... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Valdis.Kletnieks@vt.edu wrote:
On Thu, 20 Jun 2002 14:33:18 EDT, Sandy Harris <pashley@storm.ca> said:
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever -
... and you've waited a reasonable time ...
Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has?
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before....
Then the part above about
If the offending ISP does not respond, ...
obviously does not apply. They are responding. You clearly do not even consider blacklisting them. You might ask them for help in blacklisting exactly the spammer's addresses.
On Thu 20 Jun 2002 (15:51 -0400), Sandy Harris wrote:
Valdis.Kletnieks@vt.edu wrote:
On Thu, 20 Jun 2002 14:33:18 EDT, Sandy Harris <pashley@storm.ca> said:
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever -
... and you've waited a reasonable time ...
Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has?
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before....
Then the part above about
If the offending ISP does not respond, ...
obviously does not apply. They are responding. You clearly do not even consider blacklisting them.
You might ask them for help in blacklisting exactly the spammer's addresses.
All this sounds very nice. But: If the only way to contact SPEWS is via postings in a newsgroup, an ISP may find themselves unable to make any meaningful response (there are issues of customer confidentiality, business considerations, a whole lot of reasons that an ISP might not wish to discuss the alleged wrongdoings of one of its customers, the measures which it has or might take or the details of contractual relationships or legal advice they have received). So all of this is really irrelevant to the topic at hand. An anonymous group using unknown criteria, however well motivated, is not useful. And any mail administrator who uses their lists is, in my opinion, a fool.
--
Jim Segrave jes@nl.demon.net
On Fri, Jun 21, 2002 at 10:45:03AM +0200, Jim Segrave wrote:
All this sounds very nice. But:
If the only way to contact SPEWS is via postings in a newsgroup, an ISP may find themselves unable to make any meaningful response (there are issues of customer confidentiality, business considerations, a whole lot of reasons that an ISP might not wish to discuss the alleged wrongdoings of one of its customers, the measures which it has or might take or the details of contractual relationships or legal advice they have received). So all of this is really irrelevant to the topic at hand.
Not to mention the fact that they probably won't believe you or delist you. Take a looksie through: http://groups.google.com/groups?group=news.admin.net-abuse.email
"Hi, we used to have spam problems from our customers but we've cleaned up"
"You profited from spam! You go to hell, you go to hell and you die!"
"Hi, we are a law firm that bought from UUnet and it seems the last owners of this IP block were spammers. We're not, can you please remove us."
"Ever heard of due diligence? That's what you get for buying from UUNet, you'll get unlisted when they clean up all their spammers."
"Hi, we bought from some people who turned out to have a problem with hosting some spammers, but we're locked into a 3 year contract. We're a small shop without the money for lawyers to get out of it. We're not spammers, could you please unblock this one piece of IP which is just us."
"Sorry, you have to change providers. They breached your contract by failing to provide full internet access (since people are filtering them based on our listing)"
No one in their right mind would trust SPEWS directly, the problem is people trust Spam Assassin, and Spam Assassin uses relays.osirusoft.com with enough weight to kill an email, and osirusoft uses SPEWS. I don't like spam any more than anyone else, but this situation is damn near pathetic.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
But then there are the whackos like SpamCop who just ignore every mail you send them anyway. i.e. My company set up the RIPE LIR for the UK company 'III' many years ago. I was listed as a contact for a while, then when we stopped providing services I removed my contact from the RIPE records. I am regularly getting SpamCop alerts that I am a spammer - from an obviously out of date copy of the RIPE database (which breaches RIPE copyright anyhow). But will they respond to any e-mail? Hell no. What makes me laugh more is that SpamAssassin labels SpamCop alerts as spam and they get dumped in my SPAM catch mailbox. Almost cute.
Peter
[ On Friday, June 21, 2002 at 14:48:36 (+0100), Peter Galbavy wrote: ]
Subject: Re: SPEWS?
But then there are the whackos like SpamCop who just ignore every mail you send them anyway.
Why would anyone even bother to try to contact SpamCop about a listing in the first place!?!?!?!? SpamCop merely lists known sources of spam. So long as spam comes from some source, it'll likely be listed by SpamCop. They very VERY clearly state their mode of operation and they clearly tell those who are listed that they can only ever be de-listed by stopping the spam (and waiting for some delay). SpamCop really is just an impartial listing of spam sources. Its content is defined by its users, not by its operator -- it really is as impartial as it can possibly be. If its operator were to selectively de-list some of the people who asked then the result would be that the list would not be impartial any more. If you want someone using the DNS-BL at bl.spamcop.net who's blocking or filtering mail from you then you have to go directly to that person doing the blocking and ask them to whitelist your server(s). The same thing essentially goes for SPEWS or any other blacklist too. If you're operating a mail server that's listed in some blacklist, or providing connectivity for some customer whose IP#s are so listed, and you/they are being blocked by some mailer/firewall to which you/they are trying to connect to, then you should contact the administrators of the mailer/firewall doing the blocking. They're the ones in control here, not the blacklist operators! If you're spending all your time contacting blacklist users then maybe you should think about why so many of your good neighbours are using those blacklists, and why your mailer/network is getting listed in various blacklists. The very last thing you should do is try to contact any blacklist operator and try to get them to remove the entry for your server(s) or network(s). If there's no "de-list my server" or "re-check my server" button on the main web site for a given blacklist then there's probably no mechanism, formal or otherwise, for getting de-listed (and there doesn't need to be).
Your issue is with those using the blacklist to block your server(s) or network(s), not with the blacklist operator. Remember if you and/or your customers (or you on behalf of your customers) wish to connect to some remote network in order to deliver e-mail there or whatever, then the onus is on you to figure out why connection attempts might be being blocked and to negotiate to get the remote operator to lift their ban, not to moan and whine about why some shared blacklist manager might have listed your network and why they won't remove you or why they ignore you. Now that we've sorted out the operational procedures for dealing with these issues can we please stop all this silly whining? Thanks! -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
Please learn to read and go back to my *operational* point about SpamCop's abuse of out of date RIPE data.
Peter
----- Original Message -----
From: "Greg A. Woods" <woods@weird.com>
To: "Peter Galbavy" <peter.galbavy@knowtion.net>
Cc: "North America Network Operators Group Mailing List" <nanog@merit.edu>
Sent: Friday, June 21, 2002 8:10 PM
Subject: Re: attention network operators who are listed in blacklists! your problem is with the blockers, not the blacklist managers! (was: SPEWS?)
[ On Friday, June 21, 2002 at 14:48:36 (+0100), Peter Galbavy wrote: ]
Subject: Re: SPEWS?
But then there are the whackos like SpamCop who just ignore every mail you send them anyway.
Why would anyone even bother to try to contact SpamCop about a listing in the first place!?!?!?!? SpamCop merely lists known sources of spam. So long as spam comes from some source, it'll likely be listed by SpamCop. They very VERY clearly state their mode of operation and they clearly tell those who are listed that they can only ever be de-listed by stopping the spam (and waiting for some delay).
SpamCop really is just an impartial listing of spam sources. Its content is defined by its users, not by its operator -- it really is as impartial as it can possibly be. If its operator were to selectively de-list some of the people who asked then the result would be that the list would not be impartial any more.
If you want someone using the DNS-BL at bl.spamcop.net who's blocking or filtering mail from you then you have to go directly to that person doing the blocking and ask them to whitelist your server(s).
The same thing essentially goes for SPEWS or any other blacklist too. If you're operating a mail server that's listed in some blacklist, or providing connectivity for some customer whose IP#s are so listed, and you/they are being blocked by some mailer/firewall to which you/they are trying to connect, then you should contact the administrators of the mailer/firewall doing the blocking. They're the ones in control here, not the blacklist operators!
If you're spending all your time contacting blacklist users then maybe you should think about why so many of your good neighbours are using those blacklists, and why your mailer/network is getting listed in various blacklists.
The very last thing you should do is try to contact any blacklist operator and try to get them to remove the entry for your server(s) or network(s). If there's no "de-list my server" or "re-check my server" button on the main web site for a given blacklist then there's probably no mechanism, formal or otherwise, for getting de-listed (and there doesn't need to be). Your issue is with those using the blacklist to block your server(s) or network(s), not with the blacklist operator.
Remember if you and/or your customers (or you on behalf of your customers) wish to connect to some remote network in order to deliver e-mail there or whatever, then the onus is on you to figure out why connection attempts might be being blocked and to negotiate to get the remote operator to lift their ban, not to moan and whine about why some shared blacklist manager might have listed your network and why they won't remove you or why they ignore you.
Now that we've sorted out the operational procedures for dealing with these issues can we please stop all this silly whining? Thanks!
-- Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
On Fri, 21 Jun 2002, Greg A. Woods wrote:
The very last thing you should do is try to contact any blacklist operator and try to get them to remove the entry for your server(s) or network(s). If there's no "de-list my server" or "re-check my server" button on the main web site for a given blacklist then there's probably no mechanism, formal or otherwise, for getting de-listed (and there doesn't need to be). Your issue is with those using the blacklist to block your server(s) or network(s), not with the blacklist operator.
Actually, I would contend that. When a blacklist operator has not played Find-The-Authoritative-Database to its final conclusion, the issue _is_ with the blacklist operator in getting them to use the correct database, _not_ the blacklist user. Occasionally, the issue of educating the blacklist operator does fall to the operator of the authoritative database, and a formal contact address does indeed help with that. However, education is a two-way process, and with SPEWS intentionally being a system that you cannot contact, this tends to fall down.
Now that we've sorted out the operational procedures for dealing with these issues can we please stop all this silly whining? Thanks!
--==-- Bruce. I work for, but do not speak for, the RIPE NCC.
On Thu, 20 Jun 2002 Valdis.Kletnieks@vt.edu wrote:
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before....
Then the ISP shouldn't be punished just because they wrote a bad contract. In such a case I would say that escalation is *not* appropriate, since we have prima facie evidence that the ISP is trying to do the right thing. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002 16:07:40 -0400 (EDT) "Steven J. Sobol" <sjsobol@JustThe.net> wrote:
On Thu, 20 Jun 2002 Valdis.Kletnieks@vt.edu wrote:
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before....
Then the ISP shouldn't be punished just because they wrote a bad contract.
actually, i think Valdis was alluding to the Paetec fiasco with Monsterhut. in that particular case, the contract was ok, but Monsterhut lied to the court about the source of their addresses in order to try and weasel out of being terminated. the whole mess took a year or so to wend its way through the NY court system. bleah. richard ("spammers lie? i'm shocked!") -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
On Thu, 20 Jun 2002, Richard Welty wrote:
Then the ISP shouldn't be punished just because they wrote a bad contract.
actually, i think Valdis was alluding to the Paetec fiasco with Monsterhut. in that particular case, the contract was ok, but Monsterhut lied to the court about the source of their addresses in order to try and weasel out of being terminated.
the whole mess took a year or so to wend its way through the NY court system. bleah.
I remember that. Although Paetec is now being implicated in some TCPA violations over on the junkfax mailing list, so I'm no longer convinced they're whitehat. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002 20:39:58 -0400 (EDT) "Steven J. Sobol" <sjsobol@JustThe.net> wrote:
Although Paetec is now being implicated in some TCPA violations over on the junkfax mailing list, so I'm no longer convinced they're whitehat.
i never claimed they were white hat. i have some direct personal experience with them, and believe that at best, they're deeply confused. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
On Thu, 20 Jun 2002, Richard Welty wrote:
On Thu, 20 Jun 2002 20:39:58 -0400 (EDT) "Steven J. Sobol" <sjsobol@JustThe.net> wrote:
Although Paetec is now being implicated in some TCPA violations over on the junkfax mailing list, so I'm no longer convinced they're whitehat.
i never claimed they were white hat. i have some direct personal experience with them, and believe that at best, they're deeply confused.
I never claimed that you claimed they were white hat. The "white hat" assessment was based on what I've seen of their fight with Monsterhut. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
--On Thursday, June 20, 2002 15:58:35 -0400 Valdis.Kletnieks@vt.edu wrote:
What do you do if the ISP says "We want to turn them off, but they've managed to get a restraining order preventing us"? We've seen THAT before....
Emigrate to somewhere with a usable legal system. -- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE We're sysadmins. To us, data is a protocol-overhead.
anybody else see the irony of posting to USENET as an anti-spam measure? USENET being one of the harvesting engines the spammers use to collect addresses. i still get spam sent to the id i only used when i actually still used news. -- [ Jim Mercer jim@reptiles.org +1 416 410-5633 ] [ I want to live forever, or die trying. ]
On Thu, 20 Jun 2002, Andy Johnson wrote:
Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive.
*Spamming* or launching a DoS attack in response to spam is definitely abusive. I understand your point here. I don't think it's an invalid one. I do believe that whether escalations are abusive is a question that is open to debate. Indeed, I believe the question *should* be debated.
This all boils down to more or less the user missing/not receiving an important email. So by blacklisting a netblock which originated SPAM, and more importantly, its neighbors (or in SPEWS' case, the entire AS and netblocks announced from it), you are preventing valid emails from being delivered. So SPEWS is just as guilty of depriving people of their mail as spammers are IMO.
Which is more important? The right to express yourself or the right for a property owner to protect his property? I've always claimed that property rights trump free-speech rights, and where spam is concerned, the courts have agreed with me (e.g. the AOL case and the CompuServe case against Sanford Wallace back in the mid-1990's). Now, the big question with blocking is whether or not your users are aware of the blocking happening. In a service-provider environment, a good network admin will make his customers aware of the blockage and either have them agree to it or allow them to turn it off. But that is not a moral or ethical issue. That's a contractual issue. If the provider is arbitrarily blocking stuff without telling his customers, yes, that can be said to be a moral or ethical issue, but I make the assumption, for the sake of this particular thread, that the customers know what's going on. As to whether it's counter-productive, again, whether or not it is is based in large part on whether or not the customers have agreed to it. My opinion is that the end-users *must* always have final say over what is blocked or not blocked.
Regarding your last comment, when tracking down and filtering a DoS, do you filter just the offending IP space, or ALL netblocks announced by that AS?
Neither; I don't run any devices that need to speak BGP. If I did, I'd start by filtering the offending IPs only. If I still saw attacks coming from elsewhere in the ISP's netspace I would broaden the range of the blocks. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002, Regis M. Donovan wrote:
On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
*Spamming* or launching a DoS attack in response to spam is definitely abusive.
and black-holing "innocent bystander" networks not a denial of service?
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Dan Hollis wrote:
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
If you're installing a blacklist on a mail server you keep at home for yourself, then yes. If you're running an ISP with thousands of customers, then you also have to deal with how you're impacting them. Sure, it may still be your equipment, but that won't matter if you tick off your paying customers and they decide to cancel their accounts and go to your competitors. Blackholing grandma because a spammer uses the same ISP isn't going to be an easy thing to get your customers to accept. -- David
On Thu, 20 Jun 2002, David Charlap wrote:
Blackholing grandma because a spammer uses the same ISP isn't going to be an easy thing to get your customers to accept.
if grandma is hosted on chinanet she is already blackholed by most western civilization anyway -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Dan Hollis wrote:
On Thu, 20 Jun 2002, David Charlap wrote:
Blackholing grandma because a spammer uses the same ISP isn't going to be an easy thing to get your customers to accept.
if grandma is hosted on chinanet she is already blackholed by most western civilization anyway
Who said anything about chinanet? You're the only one who keeps on harping back to them. In case you weren't paying attention, much of this discussion got started because of a comment about blocking all of sprintlink.net. -- David
On Thu, 20 Jun 2002, David Charlap wrote:
if grandma is hosted on chinanet she is already blackholed by most western civilization anyway
Who said anything about chinanet? You're the only one who keeps on harping back to them.
Well if you want to talk about western networks, qwest ranks second just behind chinanet in terms of black hat and spam. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Thu, 20 Jun 2002, Dan Hollis wrote:
Well if you want to talk about western networks, qwest ranks second just behind chinanet in terms of black hat and spam.
s/qwest/verio/g As someone who has recently had the "pleasure" of dealing with some of their pink sheet clientele... -- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
On Thu, 20 Jun 2002 measl@mfn.org wrote:
Well if you want to talk about western networks, qwest ranks second just behind chinanet in terms of black hat and spam.
s/qwest/verio/g
As someone who has recently had the "pleasure" of dealing with some of their pink sheet clientele...
IME, Verio has been clueless in many ways in the past, but they do have an abuse desk. It appears that the guy in charge is a white-hat. I have even met someone who claims to work the Qwest abuse desk, and I haven't been given any reason not to believe her yet! :) (She even LARTed a spamming Qwest salesrep for me, which was cool.) -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
[ On Thursday, June 20, 2002 at 17:01:20 (-0400), David Charlap wrote: ]
Subject: Re: SPEWS?
Dan Hollis wrote:
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
If you're installing a blacklist on a mail server you keep at home for yourself, then yes.
If you're running an ISP with thousands of customers, then you also have to deal with how you're impacting them. Sure, it may still be your equipment, but that won't matter if you tick off your paying customers and they decide to cancel their accounts and go to your competitors.
You, or at least I, really don't want paying customers who demand to receive e-mail from known spam sources and open relays. They cost far too much in support to be worthwhile keeping -- I'd much sooner keep the good customers and get the support-heavy ones to go suck on some competitor's pipe! On the other hand a clever business person might want to set up two mailers for their customers -- one normal spam-free one; and another for those customers who want all their e-mail regardless of where it comes from. Maybe we can write up an RFC/BCP to define a standardized name like "iwantspam" for the second one, and mailboxes could always exist for every user on both servers and the users could choose to read from either or both, and the expiry policy and quotas could be set a bit lower on "iwantspam" one. :-) That way everyone who was getting bounces because they were using a spam-infested ISP would know to try sending to their friends at the standard "iwantspam" subdomain (and they could phone their friends to let them know legit e-mail was being sent there too! :-). In any case the onus is still on the sender to correct the problem, and after all they are paying the offending ISP for service too -- if they're not getting service because the offending ISP would rather have spammers than grandmas as customers then the best thing is for everyone to block the offending ISP's netblocks so that both grandma and the spammers will get the message that their service provider is no longer worth using. -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
On Thu, Jun 20, 2002 at 01:48:48PM -0700, Dan Hollis wrote:
On Thu, 20 Jun 2002, Regis M. Donovan wrote:
On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
*Spamming* or launching a DoS attack in response to spam is definitely abusive.
and black-holing "innocent bystander" networks not a denial of service?
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
of course. but blocking the networks involved in the spam takes care of that. blocking these "innocent bystander" networks does nothing to solve your spam problem and merely blocks potentially useful traffic. black-holing networks that are not engaged in any abusive behavior in the vain hopes of getting a response from some difficult-to-contact ISP seems a bit excessive. particularly coming from a group that is, itself, difficult to contact. --regis
On Thu, 20 Jun 2002, Dan Hollis wrote:
On Thu, 20 Jun 2002, Regis M. Donovan wrote:
On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
*Spamming* or launching a DoS attack in response to spam is definitely abusive.
and black-holing "innocent bystander" networks not a denial of service?
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
Hear, hear. Dan sounds like he agrees with my assessment of property rights taking priority over rights to expression. Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or *any* arbitrary list of abusive ISPs or ISP customers does so voluntarily, and I consider the action to be similar to companies sharing credit information. You can deny credit or employment, or refuse to do business with an individual or company based on the information in a credit report. Likewise, you can choose to communicate or not communicate with an AS or network (or server) based on whether you think the people running the server(s) are good net-neighbors. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 8:45 PM To: Dan Hollis Cc: Regis M. Donovan; nanog@nanog.org Subject: Re: SPEWS?
On Thu, 20 Jun 2002, Dan Hollis wrote:
On Thu, 20 Jun 2002, Regis M. Donovan wrote:
On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
*Spamming* or launching a DoS attack in response to spam is definitely abusive.
and black-holing "innocent bystander" networks not a denial of service?
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
Hear, hear. Dan sounds like he agrees with my assessment of property rights taking priority over rights to expression.
Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or *any* arbitrary list of abusive ISPs or ISP customers does so voluntarily, and I consider the action to be similar to companies sharing credit information. You can deny credit or employment, or refuse to do business with an individual or company based on the information in a credit report.
But credit reports *are* legislated, whether you want them to be or not. The reason they are is that since two or three large warehousers of information are used by a substantial portion of the populace, it gives them inherent power. That power is both intentionally and unintentionally abusable. You can also say that credit reports should be unregulated since companies don't have to use them, but you and I both know that's unrealistic. A critical mistake is failing to recognize that the *consumer does not subscribe to credit reporting agencies*, much like those who are reported to blacklists do not subscribe to the blacklists, yet are affected by them. Many of the operators on this list are experiencing this today due to a bad experience with an errant spammer.
Likewise, you can choose to communicate or not communicate with an AS or network (or server) based on whether you think the people running the server(s) are good net-neighbors.
Sometimes legislation occurs to regulate the principle, even though reality has shown regulation to be unnecessary. Sometimes legislation occurs to regulate the reality of what in principle shouldn't need regulation. Credit reports and blacklists (they are basically the same thing) in principle are a subscription service--and therefore in principle exempt from any legal standing to provide good information. But the reality is that credit services (and if not now, then soon blacklists) have become such a prevalent tool as to make them a de-facto public record, whether the owners say they are or not! In credit services this happened because the usefulness of the credit reports depends on a limited number of repositories--forcing a sort of oligopoly. In blacklists, it occurs because people distribute software that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already). This occurs frequently with credit reporting agencies--both they and the clients who report entries make errors very, very often. This is why legislation exists to protect consumers that allow them a free copy of their credit report if they are ever turned down, as well as a legislated means to resolve disputes with the credit reporting agency. So in general, I tend to agree in principle with your views on private property--but in reality it's useful to recognize when the line is crossed between "good service" and "public utility". The telephone company started by Bell didn't start life as a "lifeline" service, but it became that due to adoption. There are numerous other examples of the line, and companies (or individuals) that cross it. It took decades of high prices and lousy service to force regulation on the telephone industry.
I'd rather force appropriate controls to be in place before I get bent over for a few years waiting for the government to poorly regulate what may very well become an abusive industry. Cheers, Ben ------ Benjamin P. Grubin, CISSP, GIAC Information Security Consulting bgrubin@pobox.com
On Thu, 20 Jun 2002, Benjamin P. Grubin wrote:
But credit reports *are* legislated, whether you want them to be or not.
Regulated, yes. That really has no bearing on the fact that companies can choose to use or not use credit reports in determining whether to do business with, extend credit to, or employ someone. The credit bureaus maintain files which are used in an advisory manner and the use of such information is completely voluntary.
that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already).
That doesn't negate the point I was trying to make. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Steven, You are saying that the right to defend property trumps the right to free expression. In principle, that is a very agreeable thing to say. But you are using that argument to defend blacklisters with questionable operational skills. My guess would be that when someone inappropriately blacklists one of your netblocks from a questionably-run-but-widely-used blacklist, your thinking will change somewhat. Similarly I expect that your credit record has always been free of defect, and you are lucky. Several years ago I had an IRS default for $22,000 placed on my credit record erroneously, which took half a year to clear. During that time I was a consultant, and had to go through several background investigations. Inconvenience doesn't cover it. Saying that a report is voluntary and/or advisory gets more and more irrelevant as rate of adoption increases. Yes, the thousands of credit card companies could choose to evaluate you in any manner they wish, but yet they *all* judge you solely on your credit report. So in *reality*, is it really still useful to say it is voluntary and advisory therefore undeserving of scrutiny/complaint? Cheers, Ben ------ Benjamin P. Grubin, CISSP, GIAC Information Security Consulting bgrubin@pobox.com
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 10:21 PM To: Benjamin P. Grubin Cc: 'Dan Hollis'; 'Regis M. Donovan'; nanog@nanog.org Subject: RE: SPEWS?
On Thu, 20 Jun 2002, Benjamin P. Grubin wrote:
But credit reports *are* legislated, whether you want them to be or not.
Regulated, yes. That really has no bearing on the fact that companies can choose to use or not use credit reports in determining whether to do business with, extend credit to, or employ someone. The credit bureaus maintain files which are used in an advisory manner and the use of such information is completely voluntary.
that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already).
That doesn't negate the point I was trying to make.
-- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002, Benjamin P. Grubin wrote:
Saying that a report is voluntary and/or advisory gets more and more irrelevant as rate of adoption increases. Yes, the thousands of credit card companies could choose to evaluate you in any manner they wish, but yet they *all* judge you solely on your credit report. So in *reality*, is it really still useful to say it is voluntary and advisory therefore undeserving of scrutiny/complaint?
I'm really not sure why you're making these assumptions. I don't beat around the bush... I've never seen you on NANOG before, nor have I talked to you in any other venue, so I assume you aren't aware of that particular point. I didn't say SPEWS or any other listing service was undeserving of scrutiny. I didn't even try to imply that. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
I am a 99% lurker, but I didn't assume you were beating around the bush. It *seems* to me that in response to complaints about how several blacklists were run you said that because blacklists are subscription services, and everyone has a choice whether or not to use them, that the poorly-operated blacklists are not dangerous. That implies (to me!) an understatement of the potential effect of poorly-operated blacklists. If I am wrong in that implication, I apologise. ------ Benjamin P. Grubin, CISSP, GIAC Information Security Consulting bgrubin@pobox.com
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 11:13 PM To: Benjamin P. Grubin Cc: 'Dan Hollis'; 'Regis M. Donovan'; nanog@nanog.org Subject: RE: SPEWS?
On Thu, 20 Jun 2002, Benjamin P. Grubin wrote:
Saying that a report is voluntary and/or advisory gets more and more irrelevant as rate of adoption increases. Yes, the thousands of credit card companies could choose to evaluate you in any manner they wish, but yet they *all* judge you solely on your credit report. So in *reality*, is it really still useful to say it is voluntary and advisory therefore undeserving of scrutiny/complaint?
I'm really not sure why you're making these assumptions. I don't beat around the bush... I've never seen you on NANOG before, nor have I talked to you in any other venue, so I assume you aren't aware of that particular point. I didn't say SPEWS or any other listing service was undeserving of scrutiny. I didn't even try to imply that.
-- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002, Andy Johnson wrote:
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order".
Let me clarify, then.
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too.
Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. SPAM prevents people from reading their email by a) filling up mail server queues b) filling up user mailboxes (and/or quotas) c) increased message count causes more time to be spent hitting delete, than searching for operational or important communications.
BLing isn't "abuse". Anyone has a right to subscribe to any BL they like, as long as both the BL and the subscriber (if it's an ISP) disclose their guidelines to their customers. Of course, for an ISP to subscribe to a capricious, arbitrary or over-zealous BL is likely suicidal for their business. James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
On Thu, Jun 20, 2002 at 01:12:20PM -0400, Steven J. Sobol wrote:
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
This principle is based on the fact that an ISP is more likely to listen to its paying customers than to outsiders.
Fair enough. I agree with the idea in spirit. However, care must be taken to define acceptable criteria. I think the concerns here (at least my concerns) are that a) some organizations do it before exhausting other avenues, and b) the avenues for removal from such listings can be difficult to nonexistent (as is the case with SPEWS, from the sound of it). As for specific criteria, I think this is probably where the most debate lies. If an ISP is a haven for a significant (yes, that is a subjective term, but humor me) number of spammers, or if they have either actively refused to solve the problem or allowed a spammer to evade filtering by renumbering into a new block, then I'd say this is a reasonable action to take against them. However, if it is only one or two problem customers, and they are not being evasive, renumbering, etc then I'm not so sure the end justifies the means. After all, you do have the means to avoid receiving the spam (such as listing them on a blackhole list). I think one must be cautious to avoid seeking vengeance on something whose mere existence bothers them, independent of whether it actually affects them or not. It's easy to make such a decision, but most people fail to account for the other side of that "collateral damage". One cannot assume that all of the non-spamming customers of an ISP can afford to be blackholed in order to facilitate one's own moral victory. Unfortunately, this discussion provides an avenue to the age-old thread about blackhole lists with political agendas, which imho is not the point of this thread.
And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too.
Agreed.
I don't advocate doing it unless you have tried all other reasonable methods to get in touch with the ISP and ask them to disconnect or otherwise educate their customer.
Agreed. However, my impression from the initial post(s) in this thread is that the specific list(s) in question have not been doing this. -c
On Thu, 20 Jun 2002, Clayton Fiske wrote:
Fair enough. I agree with the idea in spirit. However, care must be taken to define acceptable criteria.
Oh, absolutely. Escalation is not something that should be taken lightly. e.g. for MAPS, escalation was (is?) only used as a last resort.
I think the concerns here (at least my concerns) are that a) some organizations do it before exhausting other avenues, and b) the avenues for removal from such listings can be difficult to nonexistent (as is the case with SPEWS, from the sound of it).
Agreed.
I think one must be cautious to avoid seeking vengeance on something whose mere existence bothers them,
Yes. There are well-documented cases of people getting into trouble when they let their personal opinions and emotions get in the way of running such a list.
Agreed. However, my impression from the initial post(s) in this thread is that the specific list(s) in question have not been doing this.
Yup. I think we have to be careful not to let this thread go completely off-topic. I think I'm going to do a little more research before posting further on the topic, though. As I said, I've never been in a situation where I have to ask SPEWS to delist me. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Steven J. Sobol wrote (on Jun 20):
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me. The service providers are not the enemies. If you treat them like enemies then enemies they will become. Perhaps we should move mail transfer to a peering model. You wanna send email to my SMTP server? Where's the peering contract? BGP-equivalent for SMTP anyone? -C (tired of getting bounces for email I never sent!)
Paul Vixie has been talking about mail peering for years. Unlike him I personally do not believe exact equivalent of BGP peering for mail is a solution and will ever happen. But there is intermediate alternative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that right now already many new isp customers relay mail as well as all dialups, but actually making this work for number of large corporate customers is a problem but if we really want this to happen, we can!
Perhaps we should move mail transfer to a peering model. You wanna send email to my SMTP server? Where's the peering contract? BGP-equivalent for SMTP anyone?
-C (tired of getting bounces for email I never sent!)
william@elan.net wrote (on Jun 20):
Paul Vixie has been talking about mail peering for years. Unlike him I personally do not believe exact equivalent of BGP peering for mail is a solution and will ever happen.
Never say never. :) As blandly as stated it would be unworkable, though. Though I recall people saying similar about ipv6.
But there is intermediate alternative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that
I'm not sure this helps. In the same way that being an LIR of, say, RIPE doesn't in fact mean you have any clue how the Internet is put together at the BGP level, so joining a club that lets you run a mail-relay doesn't mean anything about your ability to do so in a clean way. If you mean I can grass up a relay for sending naughty messages, then the bureaucracy of ARIN/RIPE I can do without. Nothing gets resolved quickly and the issue will remain until it is. The attractiveness of the "peering" idea is that I, representative of my network have some direct legal recourse against someone who breaks the rules. No 3rd parties required. I can pinpoint the offenders. I don't need to shutdown the peering, but I have legal means with which to raise the issue - assuming of course it went into the agreement. The details beyond this gets messy and way OT, but it does have aspects that appeal, though with a lot of work. -C
On Thu, 20 Jun 2002 12:41:45 PDT, william@elan.net said:
But there is intermediate alternative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that
I'm *sure* that our connectivity provider will want us to forward us several million pieces of email a day, just so they can forward it along, if we decided to not join. So we have our choices of joining (probably with a membership fee), letting a provider that probably doesn't want our load relay our mail (and that will cost *them* money for a mail server hefty enough to do it), or filter port 25 because we didn't pay... Looks like a good candidate for getting sued via RICO. "An offer you can't refuse". Hmm... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
But there is intermediate alternative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that
I'm *sure* that our connectivity provider will want us to forward us several million pieces of email a day, just so they can forward it along, if we decided to not join. So we have our choices of joining (probably with a membership fee), letting a provider that probably doesn't want our load relay our mail (and that will cost *them* money for a mail server hefty enough to do it), or filter port 25 because we didn't pay...
Actually I was thinking more along the lines of authentication with using SSL certificates for authentication of mail servers from member. Administering large list is a nightmare so it's easier that initial or direct member get certificate from root organization and then members can themselves issue (and revoke) a certificate to large enough customers with a backroute that if mailserver does not accept your certificate, you can send email through upstream.
Looks like a good candidate for getting sued via RICO. "An offer you can't refuse". Hmm...
This one I agree, serious legal problems that will arise due to large marketing houses and some free-speech groups will need to be worked out. But if there are anti-SPAM laws on country-level on majority of the world and most isps agree that to some kind of mediation organization, this can be overcome.
--- William Leibzon Elan Communications Inc.
Unnamed Administration sources reported that Chrisy Luke said:
The service providers are not the enemies. If you treat them like enemies then enemies they will become.
That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will..... -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
David Lesher wrote (on Jun 20):
The service providers are not the enemies. If you treat them like enemies then enemies they will become.
That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will.....
Name the ones that do. All of them. Name the ones that will. You can't. So don't tar the rest of us with the same brush just because you can't identify the good from the bad. Assuming everyone is bad somewhat goes against the principles of some of our countries. Overall, it's not the solution. Just band-aid to make it go away for a while. To hide it. And annoy quite a few "good" providers in the process. (I use the term "your" loosely here, I do not intend to imply your good self) -C
On Thu, 20 Jun 2002, Chrisy Luke wrote:
David Lesher wrote (on Jun 20):
The service providers are not the enemies. If you treat them like enemies then enemies they will become. That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will..... Name the ones that do. All of them. Name the ones that will.
chinanet -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Thu, 20 Jun 2002, Dan Hollis wrote:
On Thu, 20 Jun 2002, Chrisy Luke wrote:
David Lesher wrote (on Jun 20):
The service providers are not the enemies. If you treat them like enemies then enemies they will become. That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will..... Name the ones that do. All of them. Name the ones that will.
chinanet
There is actually a guy trying to clean up Chinanet now. @Home was my favorite example before they went titsup.com. Just about any of the Korean providers would be a good current example. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002 Valdis.Kletnieks@vt.edu wrote:
There is actually a guy trying to clean up Chinanet now. @Home was my
A guy. Singular. I'm not going to hold my breath, unless he has the authority to deploy military forces. ;)
From what I hear, he's having some effect. Perhaps not much...
-- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
The guy "cleaning up" Chinanet should be given a medal, ..no better yet, we should ask everyone in the US who's ever been spammed from them to send in a US dollar to be forwarded to this guy....something tells me he's overworked and his job doesn't pay much....he needs to be supported in his endless endeavor..perhaps they'd hire some more to help him? When he's done there, he's got a job waiting for him forever it would appear... Shutting off sections of the Internet seems to be counterproductive to me...if this continues unabated, we will see connectivity diminish over time, and the Internet de-construct itself. At 20:38 6/20/02 -0400, you wrote:
On Thu, 20 Jun 2002, Dan Hollis wrote:
On Thu, 20 Jun 2002, Chrisy Luke wrote:
David Lesher wrote (on Jun 20):
The service providers are not the enemies. If you treat them like enemies then enemies they will become. That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will..... Name the ones that do. All of them. Name the ones that will.
chinanet
There is actually a guy trying to clean up Chinanet now. @Home was my favorite example before they went titsup.com. Just about any of the Korean providers would be a good current example.
On Thu, 20 Jun 2002, Chrisy Luke wrote:
Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me.
And your suggested alternatives are...?
The service providers are not the enemies.
You'll never convince me of that fact as a generality... Many aren't. Some simply don't care what happens on their network. For example, @Home, which (in my direct experience) tried to actively discourage abuse reports. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me.
The service providers are not the enemies. If you treat them like enemies then enemies they will become.
Folks, I've been watching this discussion and holding my fingers but now I have to speak. I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist. Why spamcop and not spews? Simple, the problem is spammers and open relays and that's what we need to deal with. If we can solve that problem without relying on the ISP to find and close every open relay then it will work better for us and it will be better for the ISP's. Remember the idea is to eliminate the spam so the rest of us can enjoy the internet. Geo.
it may have slipped a little but.. the original point was that spews blocked larger IP ranges than was being used purely by the spammer affecting other customers and they could not be contacted to declare the ip range a spam free zone again otherwise I agree with your comments.. Steve On Thu, 20 Jun 2002, Geo. wrote:
Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me.
The service providers are not the enemies. If you treat them like enemies then enemies they will become.
Folks, I've been watching this discussion and holding my fingers but now I have to speak.
I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist.
Why spamcop and not spews? Simple, the problem is spammers and open relays and that's what we need to deal with. If we can solve that problem without relying on the ISP to find and close every open relay then it will work better for us and it will be better for the ISP's.
Remember the idea is to eliminate the spam so the rest of us can enjoy the internet.
Geo.
On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote:
I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist.
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
Because it's a targeted dynamic solution for a dynamic problem and I believe it has a chance at working? That was kinda my point. We need to stop this pushing and shoving back and forth and find solutions that work and don't depend on bending every ISP on the planet to conformity because that's never going to happen. The forcing approach reminds me of copy protection, let's force everyone to be good. Guess what, it's a big network and it's getting bigger and you'll never get everyone to conform. So I suggest we take a different road whether that be dynamic blocking as soon as a spamming starts or heuristic filters or whatever else we can come up with that works. Note, I'm not saying don't use spews, just realize it's a copy protection type of approach and will be of limited success for the same reasons. Geo.
On 06/20/02, "Geo." <georger@getinfo.net> wrote:
That was kinda my point. We need to stop this pushing and shoving back and forth and find solutions that work and don't depend on bending every ISP on the planet to conformity because that's never going to happen. The forcing approach reminds me of copy protection, let's force everyone to be good. Guess what, it's a big network and it's getting bigger and you'll never get everyone to conform. So I suggest we take a different road whether that be dynamic blocking as soon as a spamming starts or heuristic filters or whatever else we can come up with that works.
Note, I'm not saying don't use spews, just realize it's a copy protection type of approach and will be of limited success for the same reasons.
Copy protection is a good comparison, and one which I haven't seen before. However, dynamic blacklists will eventually fall into the same trap; spammers will find ways around 'em. Static or dynamic, you're still trying to apply a purely technical solution to a social problem. All that said, I do agree that dynamic lists are the obvious next step; they'll probably buy us another six months to a year. But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargeted. -- J.D. Falk "It's all vegan, except for <jdfalk@cybernothing.org> the goat squeezings!" -- rachel
On Thu, 20 Jun 2002, J.D. Falk wrote:
But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargeted.
How? I find spamcop to be very reliable, and the basis of many actions.
-- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
On Thu, 20 Jun 2002 measl@mfn.org wrote:
On Thu, 20 Jun 2002, J.D. Falk wrote:
But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargeted.
How? I find spamcop to be very reliable, and the basis of many actions.
Spamcop is a perfect example of garbage in / garbage out. I've had a number of servers in spamcop's blacklist for the following reasons:
1) Local user misinterprets headers and reports one of our own MX's thinking it generated a spam he/she received. We get blacklisted.
2) Remote user gets the same message a few times from one of our users (some tax related documents) and for reasons unknown to us, reports it as spam, and we're blacklisted.
3) Local user runs a mailing list on one of our servers and leaves posting open (yeah...that was a bad idea, but lots of lists still do it). List gets spammed. A list member reports our server, causing it to be blacklisted. This one is actually listed right now, and we've gotten a few "why can't I send email to ...?" questions from other customers on the same server.
The idea of a spam blacklist with an army of contributors is appealing. In theory, it could blacklist large numbers of spam sources, perhaps before they get a chance to hit your servers...but the reality is an army of idiots turning a good idea into an unusable mess. Some sort of hybrid of spamcop with dsbl, where those who screw up have their contributing rights revoked would be far more interesting. There also needs to be some method for intervening when someone screws up rather than having to just wait out expiration of a listing that should never have happened.
-- ----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
At 09:20 PM 6/20/2002 -0500, measl@mfn.org wrote:
On Thu, 20 Jun 2002, J.D. Falk wrote:
But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargeted.
How? I find spamcop to be very reliable, and the basis of many actions.
I find spamcop to be a supreme pain in the ass with very many false positives. -- Martin Hannigan hannigan@fugawi.net
On Thu, Jun 20, 2002 at 09:58:57PM -0400, Geo. wrote:
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
Because it's a targeted dynamic solution for a dynamic problem and I believe it has a chance at working?
You have more faith than the person behind that list?
On Thu, 20 Jun 2002, John Payne wrote:
On Thu, Jun 20, 2002 at 09:58:57PM -0400, Geo. wrote:
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
Because it's a targeted dynamic solution for a dynamic problem and I believe it has a chance at working?
You have more faith than the person behind that list?
"This blocking list is somewhat experimental and should not be used in a production environment where legitimate email must be delivered. " Which basically says to me that it's not 100% accurate and will sometimes drop that vital letter from your lover/lawyer/customer. The same is true for just about every other anti-spam filter or service. That's where a rule based system like Spamassassin is good, you can put in even a flawed test, give it a point or two and it's still useful. The sum is a lot better than the parts. -- Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
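The scoring approach described in the message above, sketched as an added example (not code from the thread, from SpamAssassin, or from any list operator): each DNSBL hit contributes a weight instead of rejecting mail outright, so a list that over-lists cannot block a sender on its own. The zone names, weights, threshold and listed ranges are constructed assumptions, and the resolver is an offline stand-in for the DNS A-record lookup a mail server would perform.

```python
import ipaddress

# Hypothetical zones and weights (assumptions, not real lists or real scores).
WEIGHTS = {
    "precise.dnsbl.example": 3.0,    # lists only the confirmed source block
    "reports.dnsbl.example": 1.5,    # driven by user reports, some mistakes
    "escalated.dnsbl.example": 1.0,  # lists the whole surrounding block
}
THRESHOLD = 4.0  # assumed rejection threshold

# Constructed listings using documentation address ranges.
CONSTRUCTED_LISTINGS = {
    "precise.dnsbl.example": ["192.0.2.32/27"],            # the spammer's /27
    "reports.dnsbl.example": ["192.0.2.40/32",
                              "198.51.100.25/32"],         # second one is a misreport
    "escalated.dnsbl.example": ["192.0.2.0/24"],           # /24 around the /27
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def make_offline_resolver(listings):
    """Return resolver(qname) -> bool that models 'an A record exists'.

    A real DNSBL answers a listed address with an A record and an
    unlisted one with NXDOMAIN; this stand-in answers from a local table.
    """
    table = {zone: [ipaddress.ip_network(c) for c in cidrs]
             for zone, cidrs in listings.items()}

    def resolver(qname):
        for zone, networks in table.items():
            suffix = "." + zone
            if qname.endswith(suffix):
                reversed_octets = qname[:-len(suffix)].split(".")
                ip = ipaddress.IPv4Address(".".join(reversed(reversed_octets)))
                return any(ip in net for net in networks)
        return False

    return resolver


def score(ip, resolver, weights=WEIGHTS):
    """Return (total score, zones that listed the address)."""
    hits = [z for z in weights if resolver(dnsbl_query_name(ip, z))]
    return sum(weights[z] for z in hits), hits


def hard_block(ip, resolver, weights=WEIGHTS):
    """Reject when any single list has the address (the all-or-nothing policy)."""
    return any(resolver(dnsbl_query_name(ip, z)) for z in weights)


def scored_block(ip, resolver, threshold=THRESHOLD, weights=WEIGHTS):
    """Reject only when the combined weight of all hits reaches the threshold."""
    total, _ = score(ip, resolver, weights)
    return total >= threshold


RESOLVER = make_offline_resolver(CONSTRUCTED_LISTINGS)

# Constructed senders: the spammer, a neighbour in the same /24,
# a legitimate MX that one user misreported, and an unlisted host.
SENDERS = {
    "spammer": "192.0.2.40",
    "neighbour": "192.0.2.200",
    "misreported_mx": "198.51.100.25",
    "unlisted": "203.0.113.9",
}


def compare(senders=SENDERS, resolver=RESOLVER):
    """Return {label: (score, hard_block, scored_block)} for each sender."""
    result = {}
    for label, ip in senders.items():
        total, _ = score(ip, resolver)
        result[label] = (total, hard_block(ip, resolver),
                         scored_block(ip, resolver))
    return result


if __name__ == "__main__":
    for label, (total, hard, scored) in compare().items():
        print(f"{label:15} score={total:<4} hard_block={hard} scored_block={scored}")
```

Under the all-or-nothing policy the neighbour and the misreported MX are both rejected; under scoring only the sender that several lists agree on crosses the threshold.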
[ On Thursday, June 20, 2002 at 15:48:41 (-0700), John Payne wrote: ]
Subject: Re: SPEWS?
On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote:
I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist.
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
That's how you know bl.spamcop.net is a good and useful list! The maintainer(s) wouldn't use such a disclaimer if it wasn't. -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
On 03:48 PM 6/20/02, John Payne wrote:
On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote:
I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist.
Why spamcop and not spews?
My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
There was a product called a "wine brick" (made from compressed grapes) that was sold during Prohibition. The label read: Warning: Do not place this wine brick in a one gallon crock, add sugar and water, cover and let stand for seven days, or else an illegal alcoholic beverage will result. IMNSHO SPEWS' disclaimer is worded the way it is for similar effect. They are telling you to "not do" the very thing that their product is clearly designed to be used for. jc (who thought this list was nanog, and not spam-l... hmmm)
When you're dealing with what some people refer to as "tier 1 providers" (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated):
UUnet (Worldcom)
Sprint
Just about every network in the Far-East
"" """ """ "" in Latin America
ATT
Verio
I'm sure I'm forgetting some...point is, if you cut them off, there ain't much Internet left, ergo, you're no longer an ISP...
On Thu, 20 Jun 2002, Steven J. Sobol wrote:
On Thu, 20 Jun 2002, Clayton Fiske wrote:
I agree with that, *if* initial notifications to the ISP are ignored. Escalations are then in order, definitely.
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is "in order".
Let me clarify, then.
If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP.
This principle is based on the fact that an ISP is more likely to listen to its paying customers than to outsiders.
And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too.
I don't advocate doing it unless you have tried all other reasonable methods to get in touch with the ISP and ask them to disconnect or otherwise educate their customer.
-- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
On Thu, 20 Jun 2002 up@3.am wrote:
When you're dealing with what some people refer to as "tier 1 providers" (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated):
UUnet (Worldcom) Sprint
Yeahbut the only blocklist I know of that is blocking all of Sprintlink is spambag. And again, folks... we're discussing SPEWS here, not spambag. And yes, spambag is an extremely aggressive list that its homepage specifically *states* is a personal blacklist. If you're foolish enough to use an overly aggressive blacklist that was never intended for public use, sorry, but you don't *deserve* to talk to half the Internet. Is SPEWS blocking all of Sprint? All of ANY large provider, for that matter? -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
On Thu, 20 Jun 2002 19:34:55 -0400 (EDT) up@3.am wrote:
When you're dealing with what some people refer to as "tier 1 providers" (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated):
UUnet (Worldcom)
Sprint
Just about every network in the Far-East
"" """ """ "" in Latin America
ATT
Verio
i have some knowledge of the situations at Sprint, Verio, and Qwest (who you don't mention but others do mention.) there are functioning abuse staffs at all three providers, and they are making serious efforts at cleaning up messes that were permitted to exist for far too long. they need a little time, but they are terminating spammers as they put the cases together. complaints to sprint, verio, and qwest will not be ignored, however, you do need to be aware that the situations that are being dealt with are so bad, that of necessity triage is being applied and it may take awhile before they develop the reputations for responsiveness that an outfit like rcn currently has. give 'em a little time, guys. they're working on it. complain to abuse@ like you're supposed to, and give them a chance to deal with it. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
As a person who actively works an abuse department... We need to remember that while lots of folks will scream like banshees at the receipt of a single email, very few (none that I know of personally) will help a place *stay* "white hat" by voting with their wallets to support the killing of spammers. It's a business folks - if you kill a customer who is paying his bills every month (and full DS3's are not cheap), you must make it up somewhere. When I kill a *small time* spammer (a T1 or a pair of T1s), I have to be able to make a business case that the guy is costing more than he is bringing in, and I need to do this for each and every kill. Where are the hordes who will support the ISP/NSP who makes these kills? It CANNOT be a one-way street (which it pretty much is today). I work goddamn hard keeping my corner crispy white, but the crispy whites are invisible when it comes to sales time. No sales means I can't justify what I do. And if I can't justify it, then SPEWS, or Selward, or God herself isn't going to make any difference screaming that a pink contract is the wrong thing to do... <asbestos underwear firmly in place> -- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others.
Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
On 06:45 PM 6/20/02, measl@mfn.org wrote:
I work goddamn hard keeping my corner crispy white, but the crispy whites are invisible when it comes to sales time.
Perhaps you should help the sales department position this important data in their marketing literature and sales pitches. Tout the advantages of doing business with a crispy white hat, how it improves the reliability of one's Internet connection and services, etc. You can't blame the Internet community for not knowing about your "secret efforts" to stay crispy white if you keep those efforts secret! jc (posted and emailed)
On Fri, 21 Jun 2002, JC Dill wrote:
On 06:45 PM 6/20/02, measl@mfn.org wrote:
I work goddamn hard keeping my corner crispy white, but the crispy whites are invisible when it comes to sales time.
Perhaps you should help the sales department position this important data in their marketing literature and sales pitches. Tout the advantages of doing business with a crispy white hat, how it improves the reliability of one's Internet connection and services, etc. You can't blame the Internet community for not knowing about your "secret efforts" to stay crispy white if you keep those efforts secret!
There is no secret here. Our stance is in all the literature, in the AUP/TOS/etc. However, as I have pointed out, when it comes time to buy, nobody I have seen says "hrm: they're white-hat, that decides it" whereas I *have* had prospects send me humongous emails telling how they will "never" buy any service from us because they received an email from one of my downstream customers (maybe 4 times removed...). The anti-spammers need to put up or shut up. -- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
--On Thursday, June 20, 2002 19:34:55 -0400 up@3.am wrote:
When you're dealing with what some people refer to as "tier 1 providers" (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated):
UUnet (Worldcom)
I have had excellent results with UUnet Sweden. I mainly get in touch with them to tell them they have an AUP-violating customer; most ISPs here have a "thou shalt not spam" part of their AUP, so even if the moron lobbyists for the advertising industry managed to trick the government into an opt-out spam law (which they did, but they haven't figured out who is to run the opt-out list. Quite the farce.) nobody will be able to legally send spam from them. Spam from Swedish netblocks is thus mainly due to open relays. -- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE We're sysadmins. To us, data is a protocol-overhead.
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
Any non-contactable blacklist should not be taken serious. Posting to a public forum (ie usenet) to contact the maintainer of such a list is not acceptable and I for one can not understand why any responsible site administrator would use such a list. -- Sabri Berisha "I route, therefore you are" ~ my own opinions etc ~ Join Megabit LAN in open air! http://www.megabit.nl http://www.telegraaf.nl/imail/teksten/imail.lan.staat.party.megabit.html
Any non-contactable blacklist should not be taken serious. Posting to a public forum (ie usenet) to contact the maintainer of such a list is not acceptable and I for one can not understand why any responsible site administrator would use such a list.
I've always had the impression that SPEWS did this to make legal action difficult. Many of the other RBL, ORB, are targets of legal action. If it is difficult to contact "them" how does one pursue the matter? SPEWS has no due process procedure for handling issues and the flip side of that is that there is no clear-cut process for dealing with them legally either. I would guess that by "raising the bar" for their responsibility they are also, ultimately, setting themselves up for a larger action, perhaps even under RICO. I see them as some kind of amorphous SPAM militia. Responsible, overloaded administrators might. IMHO blacklists should always be local to the organization. Anything else is to abdicate responsibility for the result because what constitutes SPAM is a subjective judgment. (analogous to what constitutes pornography.) -John
On Thu, Jun 20, 2002 at 11:00:32AM -0400, John Ferriby wrote:
I've always had the impression that SPEWS did this to make legal action difficult. Many of the other RBL, ORB, are targets of legal action. If it is difficult to contact "them" how does one pursue the matter?
SPEWS has no due process procedure for handling issues and the flip side of that is that there is no clear-cut process for dealing with them legally either. I would guess that by "raising the bar" for their responsibility they are also, ultimately, setting themselves up for a larger action, perhaps even under RICO. I see them as some kind of amorphous SPAM militia.
You can sue someone without even knowing their name, much less having any contact with them. And once you have, it becomes trivially easy to both identify and locate them, with the full blessing of the legal system. --msa
Unnamed Administration sources reported that Sabri Berisha said:
I'm curious; do folks take these guys serious?
Any non-contactable blacklist should not be taken serious. Posting to a public forum (ie usenet) to contact the maintainer of such a list is not acceptable and I for one can not understand why any responsible site administrator would use such a list.
Has anyone here acknowledged why it is that SPEWS is like this? MAPS was easy to reach, easy to find; they got sued into submission time & again, by spammers with big money... SPEWS has yet to be sued, AFAIK. As a bonus, it's great fun to see a spamhaus show up and bleat about how virginal they are, and they made one little mistake, and it's fixed; can they PLEASE wear a white dress....? And then the replies appear with records of spam after spam, often still in progress, get posted in reply....
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
MAPS was easy to reach, easy to find; they got sued into submission time & again, by spammers with big money... SPEWS has yet to be sued, AFAIK.
Perhaps, because they are hiding behind some connection not in the US? -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On 06/20/02, Sabri Berisha <sabri@cluecentral.net> wrote:
On Wed, 19 Jun 2002, Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
Any non-contactable blacklist should not be taken serious. Posting to a public forum (ie usenet) to contact the maintainer of such a list is not acceptable and I for one can not understand why any responsible site administrator would use such a list.
Because they're desperate. Everyone is, these days. Death of the net predicted, etc etc. -- J.D. Falk "It's all vegan, except for <jdfalk@cybernothing.org> the goat squeezings!" -- rachel
Alex, We also ran into a problem with the guys from news.admin.net-abuse.email. I think that they are a bunch of clueless people trying to do anti-spam by personal vendettas. One of the guys actually told me that MAPS was a dead issue ever since they 'allowed' a company to spam because they received a sum of money for it. I doubt Paul would enjoy hearing about this, but I also think he isn't surprised. SPEWS is not a good service, yet you get all these system admins with a chip on their shoulder to back it up and support it. My two cents. Shon Elliott Systems/Network Administrator; NetAsset
Alex Rubenstein wrote:
I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email.
I'm curious; do folks take these guys serious?
I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do.
Of course, I disagreed, and was called all sorts of names that I'd not used since I was 14.
So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point.
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
participants (42)
- Alex Rubenstein
- Andy Johnson
- Benjamin P. Grubin
- blitz
- Bruce Campbell
- Chrisy Luke
- Clayton Fiske
- Dan Hollis
- David Charlap
- David Lesher
- Geo.
- J.D. Falk
- Jason Slagle
- JC Dill
- Jim Mercer
- Jim Segrave
- jlewis@lewis.org
- John Ferriby
- John Payne
- Lionel
- Majdi S. Abbas
- Marc MERLIN
- Mark Radabaugh
- Martin Hannigan
- measl@mfn.org
- Måns Nilsson
- Nathan J. Mehl
- Peter Galbavy
- Randy Bush
- Regis M. Donovan
- Richard A Steenbergen
- Richard Welty
- Sabri Berisha
- Sandy Harris
- Shon Elliott
- Simon Lyall
- Stephen J. Wilcox
- Steven J. Sobol
- up@3.am
- Valdis.Kletnieks@vt.edu
- william@elan.net
- woods@weird.com