Re: SPEWS removal (SPEWS: S1970, 65.107.235.160/27)
Ok -- I'm a dumbass. Sorry about this posting. Next time I'll drink my coffee before trying to read web pages. *sigh* -- Michael L. Barrow E: [EMAIL PROTECTED]P: 805-566-0885
Re: SPEWS?
On Thu 20 Jun 2002 (15:51 -0400), Sandy Harris wrote: [EMAIL PROTECTED] wrote: On Thu, 20 Jun 2002 14:33:18 EDT, Sandy Harris [EMAIL PROTECTED] said: If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - ... and you've waited a reasonable time ... Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has? What do you do if the ISP says We want to turn them off, but they've managed to get a restraining order preventing us? We've seen THAT before Then the part above about If the offending ISP does not respond, ... obviously does not apply. They are responding. You clearly do not even consider blacklisting them. You might ask them for help in blacklisting exactly the spammer's addresses. All this sounds very nice. But: If the only way to contact SPEWS is via postings in a newsgroup, an ISP may find themselves unable to make any meaningful response (there are issues of customer confidentiality, business considertaions, a whole lot of reasons that an ISP might not wish to discuss the alleged wrongoings of one of its customers, the measures which it has or might take or the details of contractual relationships or legal advice they have received. So all of this is really irrelevant to the topic at hand. An anonymous group using unknown criteria, however well motivated, is not useful. And any mail administrator who uses their lists is, in my opinion, a fool. -- Jim Segrave [EMAIL PROTECTED]
Re: SPEWS?
--On Thursday, June 20, 2002 19:34:55 -0400 [EMAIL PROTECTED] wrote: When you're dealing with what some people refer to as tier 1 providers (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated): UUnet (Worldcom) I have had excellent results with UUnet Sweden. I mainly get in touch with them to tell them they have an AUP-violating customer; most ISPs here have an thou shalt not spam part of their AUP, so even if the moron lobbyists for the advertising industry managed to trick the government into an opt-out spam law (which they did, but they haven't figured out who is to run the opt-out list. Quite the farce.) nobody will be able to legally send spam from them. Spam from swedish netblocks is thus mainly due to open relays. -- Måns NilssonSystems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE We're sysadmins. To us, data is a protocol-overhead.
Re: SPEWS?
anybody else see the irony of posting to USENET as an anti-spam measure? USENET being one of the harvesting engines the spammers use to collect addresses. i still get spam sent to the id i only used i used when i actually still used news. -- [ Jim Mercer[EMAIL PROTECTED] +1 416 410-5633 ] [ I want to live forever, or die trying.]
Re: SPEWS?
On Fri, Jun 21, 2002 at 10:45:03AM +0200, Jim Segrave wrote: All this sounds very nice. But: If the only way to contact SPEWS is via postings in a newsgroup, an ISP may find themselves unable to make any meaningful response (there are issues of customer confidentiality, business considertaions, a whole lot of reasons that an ISP might not wish to discuss the alleged wrongoings of one of its customers, the measures which it has or might take or the details of contractual relationships or legal advice they have received. So all of this is really irrelevant to the topic at hand. Not to mention the fact that they probably won't believe you or delist you. Take a looksie through: http://groups.google.com/groups?group=news.admin.net-abuse.email Hi, we used to have a spam problems from our customers but we've cleaned up You profited from spam! You go to hell, you go to hell and you die! Hi, we are a law firm that bought from UUnet and it seems the last owners of this IP block were spammer. We're not, can you please remove us. Every heard of due diligence? Thats what you get for buying from UUNet, you'll get unlisted when they clean up all their spammers. Hi, we bought from some people who turned out to have a problem with hosting some spammers, but we're locked into a 3 year contract. We're a small shop without the money for lawyers to get out of it. We're not spammers, could you please unblock this one piece of IP which is just us. Sorry, you have to change providers. They breached your contract by failing to provide full internet access (since people are filtering them based on our listing) Noone in their right mind would trust SPEWS directly, the problem is people trust Spam Assassin, and Spam Assassin uses relays.osirusoft.com with enough weight to kill an email, and osirusoft uses SPEWS. I don't like spam any more then anyone else, but this situation is damn near pathetic. -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Re: SPEWS?
But then there are the whacko's like SpamCop who just ignore every mail you send them anyway. i.e. My company set up the RIPE LIR for the UK company 'III' many years ago. I was listed as a contact for a while, then when we stopped providing services I removed my contact from the RIPE records. I am regularly getting SpamCop alerts that I am a spammer - from an obviously out of date copy of the RIPE database (which breaches RIPE copyright anyhow). But will they respond to any e-mail ? Hell no. What makes me laugh more is that SpamAssissin labels SpamCop alerts as spam and they get dumped in my SPAM catch mailbox. Almost cute. Peter
Re: SPEWS?
[ On Thursday, June 20, 2002 at 15:48:41 (-0700), John Payne wrote: ] Subject: Re: SPEWS? On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote: I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist. Why spamcop and not spews? My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems? That's how you know bl.spamcop.net is a good and useful list! The maintainer(s) wouldn't use such a disclaimer if it wasn't. -- Greg A. Woods +1 416 218-0098; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]
Re: SPEWS?
On 03:48 PM 6/20/02, John Payne wrote: On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote: I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist. Why spamcop and not spews? My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems? There was a product called a wine brick (made from compressed grapes) that was sold during Prohibition. The label read: Warning: Do not place this wine brick in a one gallon crock, add sugar and water, cover and let stand for seven days, or else an illegal alcoholic beverage will result. IMNSHO SPEWS' disclaimer is worded the way it is for similar effect. They are telling you to not do the very thing that their product is clearly designed to be used for. jc (who thought this list was nanog, and not spam-l... hmmm)
Re: SPEWS?
Alex, We also ran into a problem with the guys from news.admin.net-abuse.email. I think that they are a bunch of cklueless people trying to do anti-spam by personal vendettas. one of the guys actually told me that MAPS was a dead issue ever since they 'allowed' a company to spam because they received a sum of money for it. I doubt Paul would enjoy hearing about this, but I also think he isn't suprised. SPEWS is not a good service, yet you get all these system admins with a chip on their shoulder to back it up and support it. My two cents. Shon Elliott Systems/Network Administrator; NetAsset Alex Rubenstein wrote: I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email. I'm curious; do folks take these guys serious? I'll admit, we had an issue with a customer who spammed, and it took us a little while to zap him. Nevertheless, he was zapped. He had a /27, and SPEWs listed the entire /24 surrounding it. When I asked about this, they said, in not-so-many-words, that by doing this, punishing innocent bystanders, that as long as the ISP noticed and fixed the issue, this was essentially OK to do. Of course, I disagreed, and was called all sorts of names that I'd not used since I was 14. So, to the point; what is the consensus on SPEWs? I've never really noticed them until this point. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben -- --Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Re: SPEWS?
I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is in order. Let me clarify, then. If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. SPAM prevents people from reading their email by a) filling up mail server queues b) filling up user mailboxes (and/or quotas) c) increased message count causes more time to be spent hitting delete, than searching for operational or important communications. This all boils down to more or less the user missing/not receiving an important email. So by blacklisting a netblock which originated SPAM, and more importantly, its neighbors (or in SPEWS case, the entire AS and netblocks announced from it), you are preventing valid emails from being delivered. So SPEWS is just as guilty of depriving people of their mail as spammers are IMO. Regarding your last comment, when tracking down and filtering a DoS, do you filter just the offending IP space, or ALL netblocks announced by that AS?
Re: SPEWS?
On Thu, Jun 20, 2002 at 01:12:20PM -0400, Steven J. Sobol wrote: If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. This principle is based on the fact that an ISP is more likely to listen to its paying customers than to outsiders. Fair enough. I agree with the idea in spirit. However, care must be taken to define acceptable criteria. I think the concerns here (at least my concerns) are that a) some organizations do it before exhausting other avenues, and b) the avenues for removal from such listings can be difficult to nonexistent (as is the case with SPEWS, from the sound of it). As for specific criteria, I think this is probably where the most debate lies. If an ISP is a haven for a significant (yes, that is a subjective term, but humor me) number of spammers, or if they have either actively refused to solve the problem or allowed a spammer to evade filtering by renumbering into a new block, then I'd say this is a reasonable action to take against them. However, if it is only one or two problem customers, and they are not being evasive, renumbering, etc then I'm not so sure the end justifies the means. After all, you do have the means to avoid receiving the spam (such as listing them on a blackhole list). I think one must be cautious to avoid seeking vengeance on something whose mere existence bothers them, independent of whether it actually affects them or not. It's easy to make such a decision, but most people fail to account for the other side of that collateral damage. One cannot assume that all of the non-spamming customers of an ISP can afford to be blackholed in order to facilitate one's own moral victory. Unfortunately, this discussion provides an avenue to the age-old thread about blackhole lists with political agendas, which imho is not the point of this thread. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. Agreed. I don't advocate doing it unless you have tried all other reasonable methods to get in touch with the ISP and ask them to disconnect or otherwise educate their customer. Agreed. However, my impression from the initial post(s) in this thread is that the specific list(s) in question have not been doing this. -c
Re: SPEWS?
On Thu, 20 Jun 2002, Clayton Fiske wrote: Fair enough. I agree with the idea in spirit. However, care must be taken to define acceptable criteria. Oh, absolutely. Escalation is not something that should be taken lightly. e.g. for MAPS, escalation was (is?) only used as a last resort. I think the concerns here (at least my concerns) are that a) some organizations do it before exhausting other avenues, and b) the avenues for removal from such listings can be difficult to nonexistent (as is the case with SPEWS, from the sound of it). Agreed. I think one must be cautious to avoid seeking vengeance on something whose mere existence bothers them, Yes. There are well-documented cases of people getting into trouble when they let their personal opinions and emotions get in the way of running such a list. Agreed. However, my impression from the initial post(s) in this thread is that the specific list(s) in question have not been doing this. Yup. I think we have to be careful not to let this thread go completely off-topic. I think I'm going to do a little more research before posting further on the topic, though. As I said, I've never been in a situation where I have to ask SPEWS to delist me. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
Andy Johnson wrote: Let me clarify, then. If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - ... and you've waited a reasonable time ... Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has? then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. The objective isn't just to stop that spammer. If the ISP is clearly acting irresponsibly and not dealing with a spam problem, getting them to wake up is more important than the individual spammer. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. ... Not if its the only way to wake up that ISP. Of course, this sort of block must be a last desparate measure. At a minimum, the spammer's been at it for weeks and you've mailed abuse, postmaster and the whois contacts without eliciting a response from the ISP, before you even consider it. Even then, you should likely try phoning the ISP and/or browsing their website for other contact addresses before taking such a drastic action. But if drastic action seems the only way, don't stop at half measures. Blackhole every netblock they have, and for all packet types, not just email.
Re: SPEWS?
Steven J. Sobol wrote (on Jun 20): If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me. The service providers are not the enemies. If you treat them like enemies then enemies they will become. Perhaps we should move mail transfer to a peering model. You wanna send email to my SMTP server? Where's the peering contract? BGP-equivalent for SMTP anyone? -C (tired of getting bounces for email I never sent!)
Re: SPEWS?
It seems to me that this issue is being highly obfuscated. SPEWS publishes a list. It is the ISP of your MAIL RECIPIENT that CHOOSES to use it. Take up the issue with them. It was their choice to use it - no one forced them to. I recently pointed out to the sendmail folks that their blacklist rejection message was misleading, and I believe they changed it. The mail is not being blocked by SPEWS. It is being blocked/refused as local policy by the ISP, who chooses to use the SPEWS list as part of their decision policy. -- -=[L]=-
Re: SPEWS?
On Thu, 20 Jun 2002 14:33:18 EDT, Sandy Harris [EMAIL PROTECTED] said: If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - ... and you've waited a reasonable time ... Then the ISP is obviously either incompetent or deliberately aiding the spammers. Why should you even consider anything less than blacklisting every netblock the ISP has? What do you do if the ISP says We want to turn them off, but they've managed to get a restraining order preventing us? We've seen THAT before -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech msg02832/pgp0.pgp Description: PGP signature
Re: SPEWS?
I'll probably get flamed for saying this, but the fact of the matter is, if SPEWS behavior is abusive towards a network, that network does have a limited recourse: null-route SPEWS. Thus, the more providers they anger, the less network they can reach. Some users may complain, but if SPEWS is abusing your customer base, I think it's a valid response. It's a powerful threat, and incentive for SPEWs to play fair. On 6/20/2002 at 20:33:43 +0100, Chrisy Luke said: Steven J. Sobol wrote (on Jun 20): If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me. The service providers are not the enemies. If you treat them like enemies then enemies they will become. Perhaps we should move mail transfer to a peering model. You wanna send email to my SMTP server? Where's the peering contract? BGP-equivalent for SMTP anyone? -C (tired of getting bounces for email I never sent!)
Re: SPEWS?
On Thu, 20 Jun 2002, Chrisy Luke wrote: Can't find the terrorists you're looking for so start killing bystanders until someone submits? Sounds militia to me. And your suggested alternatives are...? The service providers are not the enemies. You'll never convince me of that fact as a generality... Many aren't. Some simply don't care what happens on their network. For example, Home, which (in my direct experience) tried to actively discourage abuse reports. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
On Thu, 20 Jun 2002, Chrisy Luke wrote: David Lesher wrote (on Jun 20): The service providers are not the enemies. If you treat them like enemies then enemies they will become. That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will. Name the ones that do. All of them. Name the ones that will. chinanet -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: SPEWS?
On Thu, 20 Jun 2002 12:41:45 PDT, [EMAIL PROTECTED] said: But there is intermediate altenative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that I'm *sure* that our connectivity provider will want us to forward us several million pieces of email a day, just so they can forward it along, if we decided to not join. So we have our choices of joining (probably with a membership fee), letting a provider that probably doesn't want our load relay our mail (and that will cost *them* money for a mail server hefty enough to do it), or filter port 25 because we didn't pay... Looks like a good candidate for getting sued via RICO. An offer you can't refused. Hmm... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech msg02838/pgp0.pgp Description: PGP signature
Re: SPEWS?
I'v had similar problems as Alex with SPEW and also got the same reaction. They have serious attitude problem. And no, SBC is not using SPEW, I think they have their own blacklist based on actual incidents and I think they are smart enough not to put themselve under legal risks for using SPEW. Overzealous to say the least (i.e. without using language used by people at spews Uh... Most of the people that were yelling at Alex probably had absolutely nothing to do with SPEWS. NANAE != SPEWS. which by itself should already say something about how professional they are). Its used primarily by very small sstem operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them, I believe SBC's ISPs are. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a
Re: SPEWS?
On 06/20/02, Sabri Berisha [EMAIL PROTECTED] wrote: On Wed, 19 Jun 2002, Alex Rubenstein wrote: I've had a little run-in with SPEWS, and the crowd on news:news.admin.net-abuse.email. I'm curious; do folks take these guys serious? Any non-contactable blacklist should not be taken serious. Posting to a public forum (ie usenet) to contact the maintainer of such is list is not acceptable and I for one can not understand why any responsible site administrator would use such a list. Because they're desperate. Everyone is, these days. Death of the net predicted, etc etc. -- J.D. Falk It's all vegan, except for [EMAIL PROTECTED]the goat squeezings! -- rachel
Re: SPEWS?
But there is intermediate altenative - create organization with all isps as its members (kind of like ARIN/APNIC/RIPE for mail service providers) and have all downstream corporate customers be required to either also be member of this organization or relay email through its isp. Do note that I'm *sure* that our connectivity provider will want us to forward us several million pieces of email a day, just so they can forward it along, if we decided to not join. So we have our choices of joining (probably with a membership fee), letting a provider that probably doesn't want our load relay our mail (and that will cost *them* money for a mail server hefty enough to do it), or filter port 25 because we didn't pay... Actually I was thinking more along the lines of autentication with using SSL certicates for authentication of mail servers from member.Administering large list is a nightmare so its easier that initial or direct member get certicare from root organization and then members can themselve issue (and revoke) a certificate to large enough customers with a backroute that if mailserver does not accept your certificate, you can send email through upstream. Looks like a good candidate for getting sued via RICO. An offer you can't refused. Hmm... This one I agree, serious legal problems that will arise due to large marketing houses and some free-speach groups will need to be worked out. But if there are anti-SPAM laws on country-level on majority of the world and most isps agree that to some kind of mediation organization, this can be overcome. --- William Leibzon Elan Communications Inc.
Re: SPEWS?
Dan Hollis wrote: Its my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. If you're installing a blacklist on a mail server you keep at home for yourself, then yes. If you're running an ISP with thousands of customers, then you also have to deal with how you're impacting them. Sure, it may still be your equipment, but that won't matter if you tick off your paying customers and they decide to cancel their accounts and go to your competitors. Blackholing grandma because a spammer uses the same ISP isn't going to be an easy thing to get your customers to accept. -- David
Re: SPEWS?
On Thu, Jun 20, 2002 at 01:48:48PM -0700, Dan Hollis wrote: On Thu, 20 Jun 2002, Regis M. Donovan wrote: On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote: *Spamming* or launching a DoS attack in response to spam is definitely abusive. and black-holing innocent bystander networks not a denial of service? Its my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. of course. but blocking the networks involved in the spam takes care of that. blocking these innocent bystander networks does nothing to solve your spam problem and merely blocks potentially useful traffic. black-holing networks that are not engaged in any abusive behavior in the vain hopes of getting a response from some difficult-to-contact ISP seems a bit excessive. particularly coming from a group that is, itself, difficult to contact. --regis
Re: SPEWS?
On Thu, 20 Jun 2002, Regis M. Donovan wrote: vain hopes of getting a response from some difficult-to-contact ISP s/difficult-to-contact/blackhat or rogue/ -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: SPEWS?
if grandma is hosted on chinanet she is already blackholed by most western civilization anyway no, just by some self-marginalizing jingoists who don't know how to filter
Re: SPEWS?
Dan Hollis wrote: On Thu, 20 Jun 2002, David Charlap wrote: Blackholing grandma because a spammer uses the same ISP isn't going to be an easy thing to get your customers to accept. if grandma is hosted on chinanet she is already blackholed by most western civilization anyway Who said anything about chinanet? You're the only one who keeps on harping back to them. In case you weren't paying attention, much of this discussion got started because of a comment about blocking all of sprintlink.net. -- David
Re: SPEWS?
On Thu, 20 Jun 2002, David Charlap wrote: if grandma is hosted on chinanet she is already blackholed by most western civilization anyway Who said anything about chinanet? You're the only one who keeps on harping back to them. Well if you want to talk about western networks, qwest ranks second just behind chinanet in terms of black hat and spam. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: SPEWS?
In the immortal words of [EMAIL PROTECTED] ([EMAIL PROTECTED]): Its used primarily by very small sstem operators and I don't know any isp of any serious size (i.e. over 1000 users or domains) that is using them Sprintlink, mail.com/iname/outblaze, and I believe possibly PacBell all use SPEWS. Do with this info what you will. -n [EMAIL PROTECTED] My goal is real simple: to write better than anyone who can write faster than me, and faster than anyone who can write better than me. (--J.M. Straczynski) http://blank.org/memory/
Re: SPEWS?
On Thu, Jun 20, 2002 at 04:38:02PM -0400, Geo. wrote: I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist. Why spamcop and not spews? My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems?
Re: SPEWS?
When you're dealing with what some people refer to as tier 1 providers (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated): UUnet (Worldcom) Sprint Just about every network in the Far-East in Latin America ATT Verio I'm sure I'm forgetting some...point is, if you cut them off, there ain't much Internet left, ergo, you're no longer an ISP... On Thu, 20 Jun 2002, Steven J. Sobol wrote: On Thu, 20 Jun 2002, Clayton Fiske wrote: I agree with that, *if* initial notifications to the ISP are ignored. Escalations are then in order, definitely. I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is in order. Let me clarify, then. If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. This principle is based on the fact that an ISP is more likely to listen to its paying customers than to outsiders. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. I don't advocate doing it unless you have tried all other reasonable methods to get in touch with the ISP and ask them to disconnect or otherwise educate their customer. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me... James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am =
Re: SPEWS?
On Thu, 20 Jun 2002, Andy Johnson wrote: I fail to see how blacklisting neighboring subnets (not associated with the organization in question) instead of just the offending one is in order. Let me clarify, then. If the offending ISP does not respond, and you have exhausted all avenues available to you to get the ISP to get its customer to stop spamming - whether by TOS'ing the customer, education or whatever - then escalation may work if the collateral damage caused by escalation is enough to get the spammers' neighbors to complain to the ISP. And I don't think this is a potential solution only for spam; it is appropriate (IMESHO) in other abusive situations too. Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat counter-productive. SPAM prevents people from reading their email by a) filling up mail server queues b) filling up user mailboxes (and/or quotas) c) increased message count causes more time to be spent hitting delete, than searching for operational or important communications. BLing isn't abuse. Anyone has a right to subscribe to any BL they like, as long as both the BL and the subscriber (if it's an ISP) disclose their guidelines to their customers. Of course, for an ISP to subscribe to a capricious, arbitrary or over-zealous BL is likely suicidal for their business. James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am =
Re: SPEWS?
On Thu, 20 Jun 2002, Dan Hollis wrote: On Thu, 20 Jun 2002, Chrisy Luke wrote: David Lesher wrote (on Jun 20): The service providers are not the enemies. If you treat them like enemies then enemies they will become. That's right; no service provider will ever harbor spammers just to make a quick buck. It's never happened, and never will. Name the ones that do. All of them. Name the ones that will. chinanet There is actually a guy trying to clean up Chinanet now. Home was my favorite example before they went titsup.com. Just about any of the Korean providers would be a good current example. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
On Thu, 20 Jun 2002, Dan Hollis wrote: On Thu, 20 Jun 2002, Regis M. Donovan wrote: On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote: *Spamming* or launching a DoS attack in response to spam is definitely abusive. and black-holing innocent bystander networks not a denial of service? Its my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. Hear, hear. Dan sounds like he agrees with my assessment of property rights taking priority over rights to expression. Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or *any* arbitrary list of abusive ISPs or ISP customers does so voluntarily, and I consider the action to be similar to companies sharing credit information. You can deny credit or employment, or refuse to do business with an individual or company based on the information in a credit report. Likewise, you can choose to communicate or not communicate with an AS or network (or server) based on whether you think the people running the server(s) are good net-neighbors. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote: When you're dealing with what some people refer to as tier 1 providers (I'll just say really big networks), this can be counter-productive. From what I've seen the following providers have been notoriously unresponsive to spam complaints (apologies if any of this is dated): UUnet (Worldcom) Sprint Yeahbut the only blocklist I know of that is blocking all of Sprintlink is spambag. And again, folks... we're discussing SPEWS here, not spambag. And yes, spambag is an extremely aggressive list that its homepage specifically *states* is a personal blacklist. If you're foolish enough to use an overly aggressive blacklist that was never intended for public use, sorry, but you don't *deserve* to talk to half the Internet. Is SPEWS blocking all of Sprint? All of ANY large provider, for that matter? -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote: There is actually a guy trying to clean up Chinanet now. @Home was my A guy. Singular. I'm not going to hold my breath, unless he has the authority to deploy military forces. ;) From what I hear, he's having some effect. Perhaps not much... -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
Why spamcop and not spews? My question is why a dnsbl that the *maintainer* of which says should not be used for production mail systems? Because it's a targetted dynamic solution for a dynamic problem and I believe it has a chance at working? That was kinda my point. We need to stop this pushing and shoving back and forth and find solutions that work and don't depend on bending every ISP on the planet to conformity because that's never going to happen. The forcing approach reminds me of copy protection, lets force everyone to be good. Guess what, it's a big network and it's getting bigger and you'll never get everyone to conform. So I suggest we take a different road whether that be dynamic blocking as soon as a spamming starts or heuristic filters or whatever else we can come up with that works. Note, I'm not saying don't use spews, just realize it's a copy protection type of approach and will be of limited success for the same reasons. Geo.
Re: SPEWS?
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote: Well if you want to talk about western networks, qwest ranks second just behind chinanet in terms of black hat and spam. s/qwest/verio/g As someone who has recently had the pleasure of dealing with some of their pink sheet clientele... IME, Verio has been clueless in many ways in the past, but they do have an abuse desk. It appears that the guy in charge is a white-hat. I have even met someone who claims to work the Qwest abuse desk, and I haven't been given any reason not to believe her yet! :) (She even LARTed a spamming Qwest salesrep for me, which was cool.) -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
e-mail blacklists (was Re: SPEWS?)
On 06/20/02, Geo. [EMAIL PROTECTED] wrote: That was kinda my point. We need to stop this pushing and shoving back and forth and find solutions that work and don't depend on bending every ISP on the planet to conformity because that's never going to happen. The forcing approach reminds me of copy protection, lets force everyone to be good. Guess what, it's a big network and it's getting bigger and you'll never get everyone to conform. So I suggest we take a different road whether that be dynamic blocking as soon as a spamming starts or heuristic filters or whatever else we can come up with that works. Note, I'm not saying don't use spews, just realize it's a copy protection type of approach and will be of limited success for the same reasons. Copy protection is a good comparison, and one which I haven't seen before. However, dynamic blacklists will eventually fall into the same trap; spammers will find ways around 'em. Static or dynamic, you're still trying to apply a purely technical solution to a social problem. All that said, I do agree that dynamic lists are the obvious next step; they'll probably buy us another six months to a year. But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargetted. -- J.D. Falk It's all vegan, except for [EMAIL PROTECTED]the goat squeezings! -- rachel
RE: SPEWS?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 8:45 PM To: Dan Hollis Cc: Regis M. Donovan; [EMAIL PROTECTED] Subject: Re: SPEWS? On Thu, 20 Jun 2002, Dan Hollis wrote: On Thu, 20 Jun 2002, Regis M. Donovan wrote: On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote: *Spamming* or launching a DoS attack in response to spam is definitely abusive. and black-holing innocent bystander networks not a denial of service? Its my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. Hear, hear. Dan sounds like he agrees with my assessment of property rights taking priority over rights to expression. Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or *any* arbitrary list of abusive ISPs or ISP customers does so voluntarily, and I consider the action to be similar to companies sharing credit information. You can deny credit or employment, or refuse to do business with an individual or company based on the information in a credit report. But credit reports *are* legislated, whether you want them to be or not. The reason they are is that since two or three large warehousers of information are used by a substantial portion of the populace, it gives them inherent power. That power is both intentionally and unintentionally abusable. You can also say that credit reports should be unregulated since companies don't have to use them, but you and I both know that's unrealistic. A critical mistake is failing to recognize that the *consumer does not subscribe to credit reporting agencies*, much like those who are reported to blacklists do not subscribe to the blacklists, yet are affected by them. Many of the operators on this list are experiencing this today due to a bad experience with an errant spammer. Likewise, you can choose to communicate or not communicate with an AS or network (or server) based on whether you think the people running the server(s) are good net-neighbors. Sometimes legislation occurs to regulate the principle, even though reality has shown regulation to be unnecessary. Sometimes legislation occurs to regulate the reality of what in principle shouldn't need regulation. Credit reports and blacklists (they are basically the same thing) in principle are a subscription service--and therefore in principle exempt from any legal standing to provide good information. But the reality is that credit services (and if not now, then soon blacklists) have become such a prevalent tool as to make them a de-facto public record, whether the owners says they are or not! In credit services this happened because the usefulness of the credit reports depends on a limited number of repositories--forcing a sort of oligopoly. In blacklists, it occurs because people distribute software that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already). This occurs frequently with credit reporting agencies--both they and the clients who report entries make errors very, very often. This is why legislation exists to protect consumers that allow them a free copy of their credit report if they are ever turned down, as well as a legislated means to resolve disputes with the credit reporting agency. So in general, I tend to agree in principle with your views on private property--but in reality it's useful to recognize when the line is crossed between good service and public utility. The telephone company started by Bell didn't start life as a lifeline service, but it became that due to adoption. There are numerous other examples of the line, and companies (or individuals) that cross it. It took decades of high prices and lousy service to force regulation on the telephone industry. I'd rather force appropriate controls to be in place before I get bent over for a few years waiting for the government to poorly regulate what may very well become an abusive industry. Cheers, Ben -- Benjamin P. Grubin, CISSP, GIAC Information Security Consulting [EMAIL PROTECTED]
Re: e-mail blacklists (was Re: SPEWS?)
On Thu, 20 Jun 2002, J.D. Falk wrote: But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargetted. How? I find spamcop to be very reliable, and the basis of many actions. -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
RE: SPEWS?
On Thu, 20 Jun 2002, Benjamin P. Grubin wrote: But credit reports *are* legislated, whether you want them to be or not. Regulated, yes. That really has no bearing on the fact that companies can choose to use or not use credit reports in determining whether to do business with, extend credit to, or employ someone. The credit bureaus maintain files which are used in an advisory manner and the use of such information is completely voluntary. that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already). That doesn't negate the point I was trying to make. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: e-mail blacklists (was Re: SPEWS?)
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote: On Thu, 20 Jun 2002, J.D. Falk wrote: But spamcop's in specific is still based on spamcop user complaints, and most of the spamcop user complaints I've seen have been grossly mistargetted. How? I find spamcop to be very reliable, and the basis of many actions. Spamcop is a perfect example of garbage in / garbage out. I've had a number of servers in spamcop's blacklist for the following reasons: 1) Local user misinterprets headers and reports one of our own MX's thinking it generated a spam he/she received. We get blacklisted. 2) Remote user gets the same message a few times from one of our users (some tax related documents) and for reasons unknown to us, reports it as spam, and we're blacklisted. 3) Local user runs a mailing list on one of our servers and leaves posting open (yeah...that was a bad idea, but lots of lists still do it). List gets spammed. A list member reports our server, causing it to be blacklisted. This one is actually listed right now, and we've gotten a few why can't I send email to ...? questions from other customers on the same server. The idea of a spam blacklist with an army of contributors is appealing. In theory, it could blacklist large numbers of spam sources, perhaps before they get a chance to hit your servers...but the reality is an army of idiots turning a good idea into an unusable mess. Some sort of hybrid of spamcop with dsbl, where those who screw up have their contributing rights revoked would be far more interesting. There also needs to be some method for intervening when someone screws up rather than having to just wait out expiration of a listing that should never have happened. -- -- Jon Lewis *[EMAIL PROTECTED]*| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: SPEWS?
Steven, You are saying that the right to defend property trumps the right to free expression. In principle, that is a very agreeable thing to say. But you are using that argument to defend blacklisters with questionable operational skills. My guess would be that when someone inappropriately blacklists one of your netblocks from a quentionably-run-but-widely-used blacklist, your thinking will change somewhat. Similarly I expect that your credit record has always been free of defect, and you are lucky. Several years ago I had an IRS default for $22,000 placed on my credit record erroneously, which took half a year to clear. During that time I was a consultant, and had to go through several background investigations. Inconvenience doesn't cover it. Saying that a report is voluntary and/or advisory gets more and more irrelevant as rate of adoption increases. Yes, the thousands of credit card companies could choose to evaluate you in any manner they wish, but yet they *all* judge you solely on your credit report. So in *reality*, is it really still useful to say it is voluntary and advisory therefore undeserving of scrutiny/complaint? Cheers, Ben -- Benjamin P. Grubin, CISSP, GIAC Information Security Consulting [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 10:21 PM To: Benjamin P. Grubin Cc: 'Dan Hollis'; 'Regis M. Donovan'; [EMAIL PROTECTED] Subject: RE: SPEWS? On Thu, 20 Jun 2002, Benjamin P. Grubin wrote: But credit reports *are* legislated, whether you want them to be or not. Regulated, yes. That really has no bearing on the fact that companies can choose to use or not use credit reports in determining whether to do business with, extend credit to, or employ someone. The credit bureaus maintain files which are used in an advisory manner and the use of such information is completely voluntary. that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already). That doesn't negate the point I was trying to make. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
RE: SPEWS?
I am a 99% lurker, but I didn't assume you were beating around the bush. It *seems* to me that in response to complaints about how several blacklists were run you said that because blacklists are subscription services, and everyone has a choice whether or not to use them, that the poorly-operated blacklists are not dangerous. That implies (to me!) an understatement of the potential effect of poorly-operated blacklists. If I am wrong in that implication, I apologise. -- Benjamin P. Grubin, CISSP, GIAC Information Security Consulting [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven J. Sobol Sent: Thursday, June 20, 2002 11:13 PM To: Benjamin P. Grubin Cc: 'Dan Hollis'; 'Regis M. Donovan'; [EMAIL PROTECTED] Subject: RE: SPEWS? On Thu, 20 Jun 2002, Benjamin P. Grubin wrote: Saying that a report is voluntary and/or advisory gets more and more irrelevant as rate of adoption increases. Yes, the thousands of credit card companies could choose to evaluate you in any manner they wish, but yet they *all* judge you solely on your credit report. So in *reality*, is it really still useful to say it is voluntary and advisory therefore undeserving of scrutiny/complaint? I'm really not sure why you're making these assumptions. I don't beat around the bush... I've never seen you on NANOG before, nor have I talked to you in any other venue, so I assume you aren't aware of that particular point. I didn't say SPEWS or any other listing service was undeserving of scrutiny. I didn't even try to imply that. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me...
Re: SPEWS?
[ On Thursday, June 20, 2002 at 17:01:20 (-0400), David Charlap wrote: ] Subject: Re: SPEWS? Dan Hollis wrote: Its my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient. If you're installing a blacklist on a mail server you keep at home for yourself, then yes. If you're running an ISP with thousands of customers, then you also have to deal with how you're impacting them. Sure, it may still be your equipment, but that won't matter if you tick off your paying customers and they decide to cancel their accounts and go to your competitors. You, or at least I, really don't want paying customers who demand to receive e-mail from known spam sources and open relays. They cost far to much in support to be worthwhile keeping -- I'd much sooner keep the good customers and get the support-heavy ones to go suck on some competitor's pipe! On the other hand a clever business person might want to set up two mailers for their customers -- one normal spam-free one; and another for those customers who want all their e-mail regardless of where it comes from. Maybe we can write up an RFC/BCP to define a standardized name like iwantspam for the second one, and mailboxes could always exist for every user on both servers and the users could choose to read from either or both, and the expiry policy and quotas could be set a bit lower on iwantspam one. :-) That way everyone who was getting bounces because they were using a spam-infested ISP would know to try sending to their friends a the standard iwantspam subdomain (and they could phone their friends to let them know legit e-mail was being sent there too! :-). In any case the onus is still on the sender to correct the problem, and after all they are paying the offending ISP for service too -- if they're not getting service because the offending ISP would rather have spammers than grandmas as customers then the best thing is for everyone to block the offending ISP's netblocks so that both grandma and the spammers will get the message that their service provider is no longer worth using. -- Greg A. Woods +1 416 218-0098; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]
