RE: Spam. Again.. -- and blocking net blocks? -- and ddos..
Uh.. duh! :) On Wed, 2002-12-11 at 10:39, Mark Segal wrote: > Apparently not everyone understood my joke on ddos, as per some emails and a > voice mail from level 3.. :) I apologize if it wasn't clear... Usually a > smiley denotes joking or sarcasm.. But anyway... IT WAS A JOKE > > > > Mark > > -- > Mark Segal > Director, Data Services > Futureway Communications Inc. > Tel: (905)326-1570 > > > > -Original Message- > > From: Jason Lixfeld [mailto:[EMAIL PROTECTED]] > > Sent: December 11, 2002 8:51 AM > > To: Neil J. McRae > > Cc: Sabri Berisha; Stephen Sprunk; [EMAIL PROTECTED] > > Subject: Re: Spam. Again.. -- and blocking net blocks? > > > > > > > > Sorry for top posting, but I'm late for work... > > > > -- > > > > Agreed. I believe that society dictates that the > > accumulation of personal wealth is one of the most important > > factors to most people who have the means to generate it in > > abundance. Any avenue to make a buck will supersede any > > legislation or "Please don't do that because it's not > > (nice|safe|legal|honest|)". > > > > Until spam is no longer synonymous with generating revenue or > > growing personal wealth, it's here to stay. Until drugs are > > legal, or dealers are killed if caught, the fact that dealers > > know pushing that crap on the streets is harmful, it doesn't > > matter. The need, or desire to have more money than the next > > guy is more important to someone than the other people who > > exist outside their little box. Different circumstances, but > > the same thing at the end of the day, I think. > > > > > It won't fix the problem. The world needs to change to stop driving > > > the possible gains from sending spam. Its an eduction/social issue. > > > > -- > > -JaL > > > > "AFAIK, You think I'm a BOFH for continually bashing you over > > the head with a clue-by-four. OTOH, if you would just RTFM > > every once in a > > while, my life would suck *much* less." 
> > > > -- -JaL "AFAIK, You think I'm a BOFH for continually bashing you over the head with a clue-by-four. OTOH, if you would just RTFM every once in a while, my life would suck *much* less."
RE: Spam. Again.. -- and blocking net blocks? -- and ddos..
Apparently not everyone understood my joke on ddos, as per some emails and a voice mail from level 3.. :) I apologize if it wasn't clear... Usually a smiley denotes joking or sarcasm.. But anyway... IT WAS A JOKE Mark -- Mark Segal Director, Data Services Futureway Communications Inc. Tel: (905)326-1570 > -Original Message- > From: Jason Lixfeld [mailto:[EMAIL PROTECTED]] > Sent: December 11, 2002 8:51 AM > To: Neil J. McRae > Cc: Sabri Berisha; Stephen Sprunk; [EMAIL PROTECTED] > Subject: Re: Spam. Again.. -- and blocking net blocks? > > > > Sorry for top posting, but I'm late for work... > > -- > > Agreed. I believe that society dictates that the > accumulation of personal wealth is one of the most important > factors to most people who have the means to generate it in > abundance. Any avenue to make a buck will supersede any > legislation or "Please don't do that because it's not > (nice|safe|legal|honest|)". > > Until spam is no longer synonymous with generating revenue or > growing personal wealth, it's here to stay. Until drugs are > legal, or dealers are killed if caught, the fact that dealers > know pushing that crap on the streets is harmful, it doesn't > matter. The need, or desire to have more money than the next > guy is more important to someone than the other people who > exist outside their little box. Different circumstances, but > the same thing at the end of the day, I think. > > > It won't fix the problem. The world needs to change to stop driving > > the possible gains from sending spam. Its an eduction/social issue. > > -- > -JaL > > "AFAIK, You think I'm a BOFH for continually bashing you over > the head with a clue-by-four. OTOH, if you would just RTFM > every once in a > while, my life would suck *much* less." > >
Re: Spam. Again.. -- and blocking net blocks?
Sorry for top posting, but I'm late for work... -- Agreed. I believe that society dictates that the accumulation of personal wealth is one of the most important factors to most people who have the means to generate it in abundance. Any avenue to make a buck will supersede any legislation or "Please don't do that because it's not (nice|safe|legal|honest|)". Until spam is no longer synonymous with generating revenue or growing personal wealth, it's here to stay. Until drugs are legal, or dealers are killed if caught, the fact that dealers know pushing that crap on the streets is harmful, it doesn't matter. The need, or desire to have more money than the next guy is more important to someone than the other people who exist outside their little box. Different circumstances, but the same thing at the end of the day, I think. > It won't fix the problem. The world needs to change to stop > driving the possible gains from sending spam. Its an eduction/social issue. -- -JaL "AFAIK, You think I'm a BOFH for continually bashing you over the head with a clue-by-four. OTOH, if you would just RTFM every once in a while, my life would suck *much* less."
Re: Spam. Again.. -- and blocking net blocks?
> What I'm trying to say is that 'the solution' will probably have to be a
> combination of legislation and technical measures.

It won't fix the problem. The world needs to change to stop driving the possible gains from sending spam. It's an education/social issue.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
[EMAIL PROTECTED]
Re: Spam. Again.. -- and blocking net blocks?
I'm not taking sides here, but do want to mention some other aspects:

Unnamed Administration sources reported that Scott Silzer said:
>
> I could understand if an ISP was allowing spam from a portion of
> there (sic) network. But in this case the only thing that the ISP did is
> host a website, the SPAM was sent from from a third party's network.
> The ISP did terminate the customer but in the meantime the entire
> NSP's network has been blacklisted, for a rouge webhosting account
> does sound a bit harsh.

Excuse me, the ONLY thing?

    I don't think it's quite fair to condemn a whole program because of a single slip-up.
    General "Buck" Turgidson

Since 90% of the spam I get is relay-raped off of some .kr/cn site, I'd say the gonads^H^Hweb address is exactly the correct target. It's the asset in place.

What's missing in your report is timeframes. How long was the spamsite up? When did the first report hit .sightings? Were there responses from abuse@, postmaster@ etc?

For the record, my view on SPEWS is this:

0) I'm less than comfortable with it but...
1) It would not exist if there was not a demand for it; after all, it's powerless if no mail host looks at it.
2) The fact there is so much heat over it is proving its impact.
3) Past, more moderate approaches proved very ineffective, for reasons of policy or getting sued into silence.
4) Like it or not, it IS waking up large carriers who have previously turned a blind eye.
5) No one has offered a better solution so far. As Perot said - "I'm all ears.."

--
A host is a host from coast to [EMAIL PROTECTED]
& no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or dead20915-1433
RE: Spam. Again.. -- and blocking net blocks?
I like Segal's DoS idea, except instead of the packet generators, let's be nice and just DDoS port 25 on the sunzofbiatches mail servers/load balancers... fight fire with fire... :) On Tue, 2002-12-10 at 20:39, Scott Silzer wrote: > That is exactly what was done to to Futureway a third party spammed > for a site hosted by a downstream ISP and the result was there entire > network begging blacklisted by SPEWS. > > At 15:41 -0800 12/10/2002, David Schwartz wrote: > >On Tue, 10 Dec 2002 15:45:29 -0500, Scott Silzer wrote: > > > >>I could understand if an ISP was allowing spam from a portion of > >>there network. But in this case the only thing that the ISP did is > >>host a website, the SPAM was sent from from a third party's network. > >>The ISP did terminate the customer but in the meantime the entire > >>NSP's network has been blacklisted, for a rouge webhosting account > >>does sound a bit harsh. > > > > A spam blocking service that worked that way would be > >useless. Anyone could > >get any site they didn't like blacklisted simply by spamvertising it. Anyone > >who uses a spam blocking list that works that way is DoSing themselves. > > > > DS -- -JaL "AFAIK, You think I'm a BOFH for continually bashing you over the head with a clue-by-four. OTOH, if you would just RTFM every once in a while, my life would suck *much* less."
RE: Spam. Again.. -- and blocking net blocks?
That is exactly what was done to to Futureway a third party spammed for a site hosted by a downstream ISP and the result was there entire network begging blacklisted by SPEWS. At 15:41 -0800 12/10/2002, David Schwartz wrote: On Tue, 10 Dec 2002 15:45:29 -0500, Scott Silzer wrote: I could understand if an ISP was allowing spam from a portion of there network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rouge webhosting account does sound a bit harsh. A spam blocking service that worked that way would be useless. Anyone could get any site they didn't like blacklisted simply by spamvertising it. Anyone who uses a spam blocking list that works that way is DoSing themselves. DS -- Scott A Silzer
Re: Spam. Again.. -- and blocking net blocks?
On Tue, 10 Dec 2002, Barry Shein wrote:

> The only solution to spam is to start charging for email (perhaps with
> reasonable included minimums if that calms you down for some large set
> of "you") and thus create an economic incentive for all parties
> involved.

Absolutely unrealistic... micropayments never got off the ground for a number of good reasons - some of them having to do with unwillingness of national governments to forfeit financial surveillance.

Even if e-mail will cost something, you'd still be getting a lot more spam than useful mail. Check your snail-mail box for empirical evidence :)

I'd say strong authentication of e-mail sources and appropriate sorting at the receiving end should do the trick. When I give someone e-mail address, I may just as well get their fingerprint and put in my "allowed" database. The question is, as always, convenience and usability - with a good design that doesn't seem unsurmountable.

> Face it folks, the party is over, the free-for-all was a nice idea but
> it simply did not work. See "The Tragedy of the Commons".

Linux does not exist, science disappeared long time ago, etc, etc. Those are commons, too.

In fact, the prevailing myth is that property system is the primary driver of progress. As if. It existed for several millennia (in fact, all higher animals exhibit behaviour consistent with notion of property, usually territory and females) and not much happened most of that time, aside from endless wars. Then the decidedly anti-proprietary "gift economy" of science comes along and in couple hundred years completely changes the world.

The free-for-all is a nice idea. Should be preserved wherever possible.

Spam is not "tragedy of commons" (i.e. depletion of shared resources because of uncontrolled cost-free accessibility) - the spam traffic does not kill the network, last I checked (in fact, TCP's congestion control provides a basic fairness enforcement in the Internet - which explains why the backbones aren't really prone to the "tragedy of commons", even when demand is massively larger than supply).

Spam is theft (i.e. unauthorized use of private resources), and should be fought as such - by prosecuting perps, by installing locks, and by checking ids before granting access.

--vadim
RE: Spam. Again.. -- and blocking net blocks?
On Tue, 10 Dec 2002 15:45:29 -0500, Scott Silzer wrote:

>I could understand if an ISP was allowing spam from a portion of
>their network. But in this case the only thing that the ISP did is
>host a website, the SPAM was sent from a third party's network.
>The ISP did terminate the customer but in the meantime the entire
>NSP's network has been blacklisted, for a rogue webhosting account
>does sound a bit harsh.

A spam blocking service that worked that way would be useless. Anyone could get any site they didn't like blacklisted simply by spamvertising it. Anyone who uses a spam blocking list that works that way is DoSing themselves.

DS
Re: Spam. Again.. -- and blocking net blocks?
Ok on a serious note can we not try to solve the spam problem here? its a never ending loop (tech problem or social problem who cares.. its a problem and we all know it, be a good operator and kill anyone who wants to spam on your network). On a not-so-serious note maybe if we just assigned spammers 69.0.0.0/8 ip space the problem would take care of itself. -Scotty - Original Message - From: "hostmaster" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, December 10, 2002 1:00 PM Subject: Re: Spam. Again.. -- and blocking net blocks? > > > The only solution for eliminating spam is a radical change in social > behavior of those whom are causing, allowing and facilitating it. All > reasonable attempts to do so have failed, mainly due to commercial > interests. Thus only a primitive and for some painful interference > helps. Though few want to admit it, as long as all the backbones - > unanimously - are not seriously addressing this problem, and factually > accept the financial consequences of cut off's, and forcefully propagate > those policies to whomever is connected to them, only the hard way remains. > I advocate that spews and others are tough, but apparently necessary means. > The more spam, the harder the action-pack to combat it. > The problem is not necessarily only Korea, Nigeria, Costa Rica, etc. We, in > the US are a significant source of this activity ourselves, probably the > biggest. Painfully enough we lack the initiative to set a standard for the > rest for the World. > > best, > > Bert > [EMAIL PROTECTED] > > > > > > > > >
Re: Spam. Again.. -- and blocking net blocks?
On Tue, 10 Dec 2002, Stephen Sprunk wrote:

> Barry Shein wrote:
> > The only solution to spam is to start charging for email (perhaps with
> > reasonable included minimums if that calms you down for some large set
> > of "you") and thus create an economic incentive for all parties
> > involved.
> >
> > Face it folks, the party is over, the free-for-all was a nice idea but
> > it simply did not work. See "The Tragedy of the Commons".
>
> Sure, because charging for postal mail has certainly stopped the deplorable
> practice of junk mailing.
>
> As long as spamming is legal, people will do it, period. You cannot solve
> administrative problems with technical solutions. The key is for ISPs to
> form a political lobby (with the same power as the DMA) and push for
> reasonable laws to protect consumers. Until then, we're all pissing in the
> wind.

This discussion is very familiar! ... and that will stop for example the nigeria scams how? or the asian porn sites how?

Steve
Re: Spam. Again.. -- and blocking net blocks?
Barry Shein wrote:
> The only solution to spam is to start charging for email (perhaps with
> reasonable included minimums if that calms you down for some large set
> of "you") and thus create an economic incentive for all parties
> involved.
>
> Face it folks, the party is over, the free-for-all was a nice idea but
> it simply did not work. See "The Tragedy of the Commons".

Sure, because charging for postal mail has certainly stopped the deplorable practice of junk mailing.

As long as spamming is legal, people will do it, period. You cannot solve administrative problems with technical solutions. The key is for ISPs to form a political lobby (with the same power as the DMA) and push for reasonable laws to protect consumers. Until then, we're all pissing in the wind.

S
Re: Spam. Again.. -- and blocking net blocks?
The only solution to spam is to start charging for email (perhaps with reasonable included minimums if that calms you down for some large set of "you") and thus create an economic incentive for all parties involved. Face it folks, the party is over, the free-for-all was a nice idea but it simply did not work. See "The Tragedy of the Commons". On December 10, 2002 at 13:00 [EMAIL PROTECTED] (hostmaster) wrote: > > > The only solution for eliminating spam is a radical change in social > behavior of those whom are causing, allowing and facilitating it. All > reasonable attempts to do so have failed, mainly due to commercial > interests. Thus only a primitive and for some painful interference > helps. Though few want to admit it, as long as all the backbones - > unanimously - are not seriously addressing this problem, and factually > accept the financial consequences of cut off's, and forcefully propagate > those policies to whomever is connected to them, only the hard way remains. > I advocate that spews and others are tough, but apparently necessary means. > The more spam, the harder the action-pack to combat it. > The problem is not necessarily only Korea, Nigeria, Costa Rica, etc. We, in > the US are a significant source of this activity ourselves, probably the > biggest. Painfully enough we lack the initiative to set a standard for the > rest for the World. > > best, > > Bert > [EMAIL PROTECTED] > > > > > > >
Re: Spam. Again.. -- and blocking net blocks?
Are you billing and presumably suing (if they don't pay) the owners of the website et al for the damages they've caused your business by all this? If not you're just subsidizing their attempt to profit off of mayhem at your expense. The question of course is rhetorical.

On December 10, 2002 at 10:00 [EMAIL PROTECTED] (Mark Segal) wrote:
>
> Before the flame begins..
>
> I'm not sure when this started..
>
> Background:
> We have a downstream ISP, who hosts a website of questionable material.
> This customer (of our customer) used a third party to spam on their behalf..
> Which is a violation of our AUP. (In fact we null0 the /32 in question).
>
> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.
>
> Questions:
> 1) How do we smack some sense into spews?
> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?
>
> Regards,
> Mark
>
> --
> Mark Segal
> Director, Data Services
> Futureway Communications Inc.
> Tel: (905)326-1570
Re: Spam. Again.. -- and blocking net blocks?
Hello Hansel,

Tuesday, December 10, 2002, 3:08:20 PM, you wrote:

LH> The SPEWS concept prevents an ISP from allowing spammers on some blocks
LH> while trying to service legitimate customers on others. For an ISP - it is
LH> either all or none over time, you support spammers and are blocked as a
LH> whole (to include innocent customers).

Not speaking for or against SPEWS, but couldn't this eventually work against people using the list? If I were a spammer I would keep signing up for accounts, and getting larger and larger blocks of IP Addresses added to the SPEWS list. Eventually, so many blocks would be added to the list, that it would make SPEWS worthless. Once SPEWS is worthless, people will stop using it, and the spammers win.

allan
--
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
RE: Spam. Again.. -- and blocking net blocks?
I could understand if an ISP was allowing spam from a portion of there network. But in this case the only thing that the ISP did is host a website, the SPAM was sent from from a third party's network. The ISP did terminate the customer but in the meantime the entire NSP's network has been blacklisted, for a rouge webhosting account does sound a bit harsh. At 12:08 -0800 12/10/2002, Lee, Hansel wrote: Quick Comment as a NANOG lurker and SPEWS lurker (news.admin.net-abuse.email). I'm not defending SPEWS, don't speak for SPEWS but will describe what I understand happens: SPEWS initially lists offending IP address blocks from non-repentant SPAM sources. If the upstream ISP does nothing about it, that block tends to expand to neighboring blocks to gain the attention of the ISP. High level concept: Block the SPAMMER - ISP Does nothing Block the SPAMMER's Neighboring Blocks (Collateral Damage) - Motivates neighbors to find new Upstream/Isp - Motivates neighbors to complain to upstream/ISP - Gains the attention of the Upstream/ISP Expand the Block - Ditto Block the ISP as a whole The SPEWS concept prevents an ISP from allowing spammers on some blocks while trying to service legitimate customers on others. For an ISP - it is either all or none over time, you support spammers and are blocked as a whole (to include innocent customers). If you do end up mistakenly on SPEWS or take care of your spamming customers - you can appeal to them at news.admin.net-abuse.email, get flamed pretty bad, and eventually fall off the list. I do personally like the idea of holding the ISP as a whole accountable over time. An ISP can stay off spews, I've never had a block listed - though when I'm in a decision making position, I've never tolerated a spammer. Hansel -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 10, 2002 08:36 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Spam. Again.. -- and blocking net blocks? 
Problem: For some reason, spews has decided to now block one of our /19.. Ie no mail server in the /19 can send mail. Questions: 1) How do we smack some sense into spews? Make it easy for them to identify the fact that your downstream ISP customer has allocated that /32 to a separate organisation. This is what referral whois was supposed to do but it never happened because development of the tools fizzled out. If SPEWS could plug guilty IP addresses into an automated tool and come up with an accurate identification of which neighboring IP addresses were tainted and which were not, then they wouldn't use such crude techniques. Imagine a tool which queries the IANA root LDAP server for an IP address. The IANA server refers them to ARIN's LDAP server because this comes from a /8 that was allocated to ARIN. Now ARIN's server identifies that this address is in your /19 so it refers SPEWS to your own LDAP server. Your server identifies your customer ISP as the owner of the block, or if your customer has been keeping the records up to date with a simple LDAP client, your server would identify that the guilty party is indeed only on one IP address. Of course, this won't stop SPEWS from blacklisting you. But it enables SPEWS to quickly identify the organization (your customer ISP) that has a business relationship with the offender so that SPEWS is more likely to focus their attentions on these two parties. 2) Does anyone else see a HUGE problem with listing a /19 because there is one /32 of a spam advertised website? When did this start happening? It's a free country, you can't stop people like the SPEWS group from expressing their opinions. As long as people are satisfied with crude tools for mapping IP address to owner, this kind of thing will continue to happen. --Michael Dillon -- Scott A Silzer
RE: Spam. Again.. -- and blocking net blocks?
I agree.. Problem was it was a downstream ISP.. This all comes down to, we warn them since it is their customer, they don't deal with it, we black hole part of their network.. But it take 3-4 days to do that to a large downstream. Mark -- Mark Segal Director, Data Services Futureway Communications Inc. Tel: (905)326-1570 > -Original Message- > From: Lee, Hansel [mailto:[EMAIL PROTECTED]] > Sent: December 10, 2002 3:08 PM > To: '[EMAIL PROTECTED]' > Cc: '[EMAIL PROTECTED]' > Subject: RE: Spam. Again.. -- and blocking net blocks? > > > > Quick Comment as a NANOG lurker and SPEWS lurker > (news.admin.net-abuse.email). I'm not defending SPEWS, don't > speak for SPEWS but will describe what I understand happens: > > SPEWS initially lists offending IP address blocks from > non-repentant SPAM sources. If the upstream ISP does nothing > about it, that block tends to expand to neighboring blocks to > gain the attention of the ISP. > > High level concept: > Block the SPAMMER > - ISP Does nothing > Block the SPAMMER's Neighboring Blocks (Collateral Damage) > - Motivates neighbors to find new Upstream/Isp > - Motivates neighbors to complain to upstream/ISP > - Gains the attention of the Upstream/ISP > Expand the Block > - Ditto > Block the ISP as a whole > > The SPEWS concept prevents an ISP from allowing spammers on > some blocks while trying to service legitimate customers on > others. For an ISP - it is either all or none over time, you > support spammers and are blocked as a whole (to include > innocent customers). > > If you do end up mistakenly on SPEWS or take care of your > spamming customers > - you can appeal to them at news.admin.net-abuse.email, get > flamed pretty bad, and eventually fall off the list. > > I do personally like the idea of holding the ISP as a whole > accountable over time. An ISP can stay off spews, I've never > had a block listed - though when I'm in a decision making > position, I've never tolerated a spammer. 
> > Hansel > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, December 10, 2002 08:36 > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Spam. Again.. -- and blocking net blocks? > > > > > Problem: > > For some reason, spews has decided to now block one of our > /19.. Ie no > mail > > server in the /19 can send mail. > > > Questions: > > 1) How do we smack some sense into spews? > > Make it easy for them to identify the fact that your downstream ISP > customer has allocated that /32 to a separate organisation. > This is what > referral whois was supposed to do but it never happened because > development of the tools fizzled out. > > If SPEWS could plug guilty IP addresses into an automated > tool and come up > with an accurate identification of which neighboring IP > addresses were > tainted and which were not, then they wouldn't use such crude > techniques. > > Imagine a tool which queries the IANA root LDAP server for an > IP address. > The IANA server refers them to ARIN's LDAP server because > this comes from > a /8 that was allocated to ARIN. Now ARIN's server identifies > that this > address is in your /19 so it refers SPEWS to your own LDAP > server. Your > server identifies your customer ISP as the owner of the > block, or if your > customer has been keeping the records up to date with a simple LDAP > client, your server would identify that the guilty party is > indeed only on > one IP address. > > Of course, this won't stop SPEWS from blacklisting you. But > it enables > SPEWS to quickly identify the organization (your customer > ISP) that has a > business relationship with the offender so that SPEWS is more > likely to > focus their attentions on these two parties. > > > 2) Does anyone else see a HUGE problem with listing a /19 because > > there > is > > one /32 of a spam advertised website? When did this start > happening? 
> > It's a free country, you can't stop people like the SPEWS group from > expressing their opinions. As long as people are satisfied with crude > tools for mapping IP address to owner, this kind of thing > will continue to > happen. > > --Michael Dillon >
RE: Spam. Again.. -- and blocking net blocks?
Quick Comment as a NANOG lurker and SPEWS lurker (news.admin.net-abuse.email). I'm not defending SPEWS, don't speak for SPEWS but will describe what I understand happens:

SPEWS initially lists offending IP address blocks from non-repentant SPAM sources. If the upstream ISP does nothing about it, that block tends to expand to neighboring blocks to gain the attention of the ISP.

High level concept:
Block the SPAMMER
- ISP Does nothing
Block the SPAMMER's Neighboring Blocks (Collateral Damage)
- Motivates neighbors to find new Upstream/Isp
- Motivates neighbors to complain to upstream/ISP
- Gains the attention of the Upstream/ISP
Expand the Block
- Ditto
Block the ISP as a whole

The SPEWS concept prevents an ISP from allowing spammers on some blocks while trying to service legitimate customers on others. For an ISP - it is either all or none over time, you support spammers and are blocked as a whole (to include innocent customers).

If you do end up mistakenly on SPEWS or take care of your spamming customers - you can appeal to them at news.admin.net-abuse.email, get flamed pretty bad, and eventually fall off the list.

I do personally like the idea of holding the ISP as a whole accountable over time. An ISP can stay off spews, I've never had a block listed - though when I'm in a decision making position, I've never tolerated a spammer.

Hansel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 08:36
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Spam. Again.. -- and blocking net blocks?

> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.

> Questions:
> 1) How do we smack some sense into spews?

Make it easy for them to identify the fact that your downstream ISP customer has allocated that /32 to a separate organisation. This is what referral whois was supposed to do but it never happened because development of the tools fizzled out.

If SPEWS could plug guilty IP addresses into an automated tool and come up with an accurate identification of which neighboring IP addresses were tainted and which were not, then they wouldn't use such crude techniques.

Imagine a tool which queries the IANA root LDAP server for an IP address. The IANA server refers them to ARIN's LDAP server because this comes from a /8 that was allocated to ARIN. Now ARIN's server identifies that this address is in your /19 so it refers SPEWS to your own LDAP server. Your server identifies your customer ISP as the owner of the block, or if your customer has been keeping the records up to date with a simple LDAP client, your server would identify that the guilty party is indeed only on one IP address.

Of course, this won't stop SPEWS from blacklisting you. But it enables SPEWS to quickly identify the organization (your customer ISP) that has a business relationship with the offender so that SPEWS is more likely to focus their attentions on these two parties.

> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?

It's a free country, you can't stop people like the SPEWS group from expressing their opinions. As long as people are satisfied with crude tools for mapping IP address to owner, this kind of thing will continue to happen.

--Michael Dillon
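The referral walk described in the message above (root registry, then regional registry, then the ISP's own server), sketched as an added example that is not part of the original thread. The server names, organisations and 10.0.0.0/8 prefixes are constructed stand-ins, and an in-memory table replaces the LDAP servers.

```python
import ipaddress

# Constructed delegation data (hypothetical names and prefixes). Each "server"
# maps a prefix to (organisation, server to refer the query to or None).
SERVERS = {
    "root": {"10.0.0.0/8": ("Regional registry", "rir")},
    "rir": {"10.20.32.0/19": ("Upstream NSP", "nsp")},
    "nsp": {"10.20.40.0/24": ("Downstream ISP", "isp")},
    "isp": {"10.20.40.7/32": ("Hosted website customer", None)},
}


def longest_match(records, addr):
    """Return (network, org, referral) for the most specific prefix holding addr."""
    best = None
    for prefix, (org, referral) in records.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, referral)
    return best


def resolve(ip, start="root", max_hops=8):
    """Follow referrals from the root server; return the chain of delegations."""
    addr = ipaddress.ip_address(ip)
    chain, server, seen = [], start, set()
    while server is not None and server not in seen and len(chain) < max_hops:
        seen.add(server)  # guards against referral loops
        hit = longest_match(SERVERS.get(server, {}), addr)
        if hit is None:
            break  # this server keeps no finer record: the chain ends here
        net, org, referral = hit
        # A referral may only narrow the scope, never widen or sidestep it.
        if chain and not net.subnet_of(chain[-1][0]):
            break
        chain.append((net, org))
        server = referral
    return chain


def responsible_party(ip):
    """Most specific (network, organisation) on record for ip, or None."""
    chain = resolve(ip)
    return chain[-1] if chain else None


def collateral(listed_prefix, ip):
    """Addresses a listing covers beyond the prefix actually responsible for ip."""
    listed = ipaddress.ip_network(listed_prefix)
    party = responsible_party(ip)
    if party is None or not party[0].subnet_of(listed):
        return listed.num_addresses
    return listed.num_addresses - party[0].num_addresses


if __name__ == "__main__":
    for ip in ("10.20.40.7", "10.20.40.9", "10.20.50.1"):
        net, org = responsible_party(ip)
        print(f"{ip}: narrowest record {net} ({org})")
    print("extra addresses hit by listing the /19:",
          collateral("10.20.32.0/19", "10.20.40.7"))
```

When the downstream keeps its records current the walk ends at the /32; when it does not, the walk stops at the /24 or the /19, which is the coarser answer the message attributes to crude tools.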
Re: Spam. Again.. -- and blocking net blocks?
The only solution for eliminating spam is a radical change in social behavior of those whom are causing, allowing and facilitating it. All reasonable attempts to do so have failed, mainly due to commercial interests. Thus only a primitive and for some painful interference helps. Though few want to admit it, as long as all the backbones - unanimously - are not seriously addressing this problem, and factually accept the financial consequences of cut off's, and forcefully propagate those policies to whomever is connected to them, only the hard way remains. I advocate that spews and others are tough, but apparently necessary means. The more spam, the harder the action-pack to combat it. The problem is not necessarily only Korea, Nigeria, Costa Rica, etc. We, in the US are a significant source of this activity ourselves, probably the biggest. Painfully enough we lack the initiative to set a standard for the rest for the World. best, Bert [EMAIL PROTECTED]
Re: Spam. Again.. -- and blocking net blocks?
I tend to agree. We had the same issue: a customer who we did not know was a spammer did something similar and they listed our blocks. I terminated the customer. I believe spews has a newsgroup that is listed on their site you can post to, but more than that I'm not certain. Also it's funny how they don't block all the blocks originated by cnw but listed mine. Either way I think you did the correct thing; the deal now is to post to the newsgroup and let them know you cleared the issue. That's all I have heard can be done.

On Tue, 10 Dec 2002, Mark Segal wrote:
>
> Before the flame begins..
>
> I'm not sure when this started..
>
> Background:
> We have a downstream ISP, who hosts a website of questionable material.
> This customer (of our customer) used a third party to spam on their behalf..
> Which is a violation of our AUP. (In fact we null0 the /32 in question).
>
> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.
>
> Questions:
> 1) How do we smack some sense into spews?
> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?
>
> Regards,
> Mark
>
> --
> Mark Segal
> Director, Data Services
> Futureway Communications Inc.
> Tel: (905)326-1570
Re: Spam. Again.. -- and blocking net blocks?
On Tue, 2002-12-10 at 17:03, Bryan Bradsby wrote:
>
> > Check out www.antispews.org
> > -kyle
>
> There are two SPEWS lists.
>
> SPEWS[1] lists direct spam sources as accurately as /32

Which is the list that our corporate servers and my home lan ended up on, despite never having sent direct spam

> SPEWS[2] includes SPEWS[1] plus collateral damage.

Which was the rest of our address range and that of my home ISP

> to clarify, nothing more.

The intent of the double spews listing is good, but it isn't adhered to in practice.
Re: Spam. Again.. -- and blocking net blocks?
> Check out www.antispews.org
> -kyle

There are two SPEWS lists.

SPEWS[1] lists direct spam sources as accurately as /32
SPEWS[2] includes SPEWS[1] plus collateral damage.

to clarify, nothing more.

-bryan bradsby
Re: Spam. Again.. -- and blocking net blocks?
Check out www.antispews.org

-kyle

On Tue, 10 Dec 2002, Mark Segal wrote:
>
> Before the flame begins..
>
> I'm not sure when this started..
>
> Background:
> We have a downstream ISP, who hosts a website of questionable material.
> This customer (of our customer) used a third party to spam on their behalf..
> Which is a violation of our AUP. (In fact we null0 the /32 in question).
>
> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.
>
> Questions:
> 1) How do we smack some sense into spews?
> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?
>
> Regards,
> Mark
>
> --
> Mark Segal
> Director, Data Services
> Futureway Communications Inc.
> Tel: (905)326-1570
Re: Spam. Again.. -- and blocking net blocks?
Looking at this from another angle, what RBL set are people using that works well?

This is our current set: blackholes.mail-abuse.org, dialups.mail-abuse.org, relays.mail-abuse.org, dynablock.wirehub.net, inputs.relays.osirusoft.com, socks.relays.osirusoft.com, formmail.relays.monkeys.com, proxies.relays.monkeys.com

We were using spamcop until I found out about the 7-day timeout for delisting. We get some complaints about the formmail relay blocking, but that just seems to be for customers trying to get email from web hosting companies that don't care to clean their servers of old copies of FormMail.pl.

Ralph Doncaster
principal, IStop.com
Re: Spam. Again.. -- and blocking net blocks?
On Tue, 10 Dec 2002, Neil J. McRae wrote:
> There is no technical solution to spam.

Nor is there a legal or political one...

Deeann M.M. Mikula
Director of Operations
Telerama Public Access Internet
http://www.telerama.com * 412.688.3200
Re: Spam. Again.. -- and blocking net blocks?
> > Questions:
> > 1) How do we smack some sense into spews?
>
> Very difficult we had a similar problem. One bad customer and SPEWS
> blackholes not only our corporate LAN but also my HOME address range,
> and that of my home ISP, who was not even peripherally involved.
>
> We just had to sit it out, as SPEWS is not accountable, or contactable.
> Eventually the listing decayed, but it was a real problem for us while
> it lasted.
>

There is no technical solution to spam.

Regards,
Neil.
Re: Spam. Again.. -- and blocking net blocks?
On 10 Dec 2002, Nigel Titley wrote:
> > 2) Does anyone else see a HUGE problem with listing a /19 because there is
> > one /32 of a spam advertised website? When did this start happening?
>
> Since SPEWS, with its complete lack of accountability, started being
> used by respectable spam blocking software. Yes, it's a massive problem.

We had this problem a while back too. One particular problem is that the relays.osirusoft.com block-list - which seems to be used by an awful lot of people - aggregates data from several dozen sources, including spews.
RE: Spam. Again.. -- and blocking net blocks?
We did swip the block to the isp (as an assignment, not allocation).. That is the problem, they kept recursively looking up the assignment.. Maybe they should block 64/8 or maybe 0/0 :). Anybody interested in a coordinated denial of service attack? :).

Mark

--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: December 10, 2002 10:36 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Spam. Again.. -- and blocking net blocks?
>
> > Problem:
> > For some reason, spews has decided to now block one of our /19.. Ie no mail
> > server in the /19 can send mail.
>
> > Questions:
> > 1) How do we smack some sense into spews?
>
> Make it easy for them to identify the fact that your downstream ISP
> customer has allocated that /32 to a separate organisation. This is what
> referral whois was supposed to do but it never happened because
> development of the tools fizzled out.
>
> If SPEWS could plug guilty IP addresses into an automated tool and come up
> with an accurate identification of which neighboring IP addresses were
> tainted and which were not, then they wouldn't use such crude techniques.
>
> Imagine a tool which queries the IANA root LDAP server for an IP address.
> The IANA server refers them to ARIN's LDAP server because this comes from
> a /8 that was allocated to ARIN. Now ARIN's server identifies that this
> address is in your /19 so it refers SPEWS to your own LDAP server. Your
> server identifies your customer ISP as the owner of the block, or if your
> customer has been keeping the records up to date with a simple LDAP
> client, your server would identify that the guilty party is indeed only on
> one IP address.
>
> Of course, this won't stop SPEWS from blacklisting you. But it enables
> SPEWS to quickly identify the organization (your customer ISP) that has a
> business relationship with the offender so that SPEWS is more likely to
> focus their attentions on these two parties.
>
> > 2) Does anyone else see a HUGE problem with listing a /19 because there is
> > one /32 of a spam advertised website? When did this start happening?
>
> It's a free country, you can't stop people like the SPEWS group from
> expressing their opinions. As long as people are satisfied with crude
> tools for mapping IP address to owner, this kind of thing will continue to
> happen.
>
> --Michael Dillon
Re: Spam. Again.. -- and blocking net blocks?
> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.

> Questions:
> 1) How do we smack some sense into spews?

Make it easy for them to identify the fact that your downstream ISP customer has allocated that /32 to a separate organisation. This is what referral whois was supposed to do but it never happened because development of the tools fizzled out.

If SPEWS could plug guilty IP addresses into an automated tool and come up with an accurate identification of which neighboring IP addresses were tainted and which were not, then they wouldn't use such crude techniques.

Imagine a tool which queries the IANA root LDAP server for an IP address. The IANA server refers them to ARIN's LDAP server because this comes from a /8 that was allocated to ARIN. Now ARIN's server identifies that this address is in your /19 so it refers SPEWS to your own LDAP server. Your server identifies your customer ISP as the owner of the block, or if your customer has been keeping the records up to date with a simple LDAP client, your server would identify that the guilty party is indeed only on one IP address.

Of course, this won't stop SPEWS from blacklisting you. But it enables SPEWS to quickly identify the organization (your customer ISP) that has a business relationship with the offender so that SPEWS is more likely to focus their attentions on these two parties.

> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?

It's a free country, you can't stop people like the SPEWS group from expressing their opinions. As long as people are satisfied with crude tools for mapping IP address to owner, this kind of thing will continue to happen.

--Michael Dillon
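The referral walk described in the message above, as an added Python example that is not part of the original thread. It is an in-memory model only (no real LDAP or whois calls); the server names and the 10.0.0.0/8 prefixes are constructed stand-ins.

```python
import ipaddress

# Constructed directory data: each "server" maps prefixes to either a
# referral to a more specific server or an owner record. All names and
# prefixes are hypothetical (10.0.0.0/8 stands in for a registry /8).
SERVERS = {
    "root": {"10.0.0.0/8": ("refer", "registry")},
    "registry": {"10.20.32.0/19": ("refer", "upstream-isp")},
    "upstream-isp": {
        "10.20.40.0/24": ("owner", "customer-isp"),
        "10.20.40.7/32": ("owner", "customer-of-customer"),
    },
}

def lookup(server, addr, servers=SERVERS):
    """Return the longest-prefix record on one server covering addr, or None."""
    best = None
    for prefix, record in servers.get(server, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, record)
    return best

def resolve(ip, servers=SERVERS, start="root", max_hops=8):
    """Follow referrals from the root; return (network, owner, path)."""
    addr = ipaddress.ip_address(ip)
    server, path, last = start, [], None
    for _ in range(max_hops):          # bound the chain so referral loops end
        path.append(server)
        hit = lookup(server, addr, servers)
        if hit is None:
            break                      # server has nothing more specific
        net, (kind, value) = hit
        last = net
        if kind == "owner":
            return net, value, path
        server = value                 # referral: ask the next server
    # Chain ended without an owner record: only the coarse block is known.
    return last, None, path

if __name__ == "__main__":
    for ip in ("10.20.40.7", "10.20.40.8", "10.20.33.1"):
        net, owner, path = resolve(ip)
        print(ip, net, owner, " -> ".join(path))
```

When the most specific server holds no record for an address, the walk can only report the /19 with no owner, which is the coarse answer the message attributes to crude mapping tools.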
Re: Spam. Again.. -- and blocking net blocks?
On Tue, 2002-12-10 at 15:00, Mark Segal wrote:
>
> Before the flame begins..
>
> I'm not sure when this started..
>
> Background:
> We have a downstream ISP, who hosts a website of questionable material.
> This customer (of our customer) used a third party to spam on their behalf..
> Which is a violation of our AUP. (In fact we null0 the /32 in question).
>
> Problem:
> For some reason, spews has decided to now block one of our /19.. Ie no mail
> server in the /19 can send mail.
>
> Questions:
> 1) How do we smack some sense into spews?

Very difficult we had a similar problem. One bad customer and SPEWS blackholes not only our corporate LAN but also my HOME address range, and that of my home ISP, who was not even peripherally involved.

We just had to sit it out, as SPEWS is not accountable, or contactable. Eventually the listing decayed, but it was a real problem for us while it lasted.

> 2) Does anyone else see a HUGE problem with listing a /19 because there is
> one /32 of a spam advertised website? When did this start happening?

Since SPEWS, with its complete lack of accountability, started being used by respectable spam blocking software. Yes, it's a massive problem.

Nigel
Spam. Again.. -- and blocking net blocks?
Before the flame begins..

I'm not sure when this started..

Background:
We have a downstream ISP, who hosts a website of questionable material. This customer (of our customer) used a third party to spam on their behalf.. Which is a violation of our AUP. (In fact we null0 the /32 in question).

Problem:
For some reason, spews has decided to now block one of our /19.. Ie no mail server in the /19 can send mail.

Questions:
1) How do we smack some sense into spews?
2) Does anyone else see a HUGE problem with listing a /19 because there is one /32 of a spam advertised website? When did this start happening?

Regards,
Mark

--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570