Perspectives on Spamhaus's Dilemma

The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them — an order which Spamhaus ignored — is now considering ordering ICANN to pull Spamhaus's domain records. While Gadi Evron, whose blog posting is linked above, urges everyone to beat the judge with a clue stick, a guest writer on his blog counsels much greater restraint. Anti-spam lawyer Matthew Prince explains how Spamhaus got into its current pickle — apparently by following conflicting legal advice at two points in the process — and what they might have to do to get out. One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

Ghostbusters

[eldavojohn (898314)]

One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

I'm reminded of the part in the Ghostbusters movie when the man from the EPA shows up and demands that they shut down the containment unit which houses all the ghosts since it's in violation of EPA rules.

Yeah, I know it's just fiction but it seems like this could be the same kind of thing.

Excerpt from the movie:
Dr. Ray Stantz: Everything was fine with our system until the power grid was shut off by dickless here.
Walter Peck: They caused an explosion!
Mayor: Is this true?
Dr. Peter Venkman: Yes it's true.
[pause]
Dr. Peter Venkman: This man has no dick.
Walter Peck: Jeez!
[Charges at Venkman]
Mayor: Break it up! Hey, break this up! Break it up!
Walter Peck: All right, all right, all right!
Dr. Peter Venkman: Well, that's what I heard!

I think the problem that the Ghostbusters faced in the movie was that the guy from the EPA was a prick and didn't bother doing any follow up or open a channel of communication with the Ghostbusters. Now, Spamhaus might be violating rules at the same time they provide the public a valuable service. Has the United State's judicial system attempted any lines of communication with them aside from a cease-and-desist letter threatening them with $11.7 million?

The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them...

Where does it say that e360insight is a spammer? I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org]. I think that's important. If e360insight is a spammer, I'm siding with Spamhaus. Since they have taken the roll of deciding who is spamming and who isn't, I think they could use more accountability [spamhaus.org] than what I find indicated on their website.

Re:

[mcrbids (148650)]

Where does it say that e360insight is a spammer? I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org]. I think that's important. If e360insight is a spammer, I'm siding with Spamhaus. Since they have taken the roll of deciding who is spamming and who isn't, I think they could use more accountability [spamhaus.org] than what I find indicated on their website.

Except that Spamhaus is not spam filtering or blocking software. It's merely a DNS da

Re:

[walt-sjc (145127)]

Here's the deal though.

If it wasn't for spamhaus and other blocklist services, it would be up to individual administrators to create their own blacklists (most savvy admins do anyway BTW...) Now I don't know about other admins, but once you are in MY blacklist, you are there FOREVER. If you are in 4,556,865 blacklists, good f-ing luck getting out. Being on ONE list you have a chance.

The other option is a reputation based system where "trusted" submitters send blacklist updates via usenet (GPG signed.) Since

Re:Ghostbusters

[eldavojohn (898314)]

Yup, they would have allowed them to defend their actions in court. Spamhaus chose not to appear, and instead have a default judgement rendered aginst them.

What court though? I mean, if some business that I slighted in China brings a lawsuit against me, I'm not going to fly half-way across the world to defend myself. If Spamhaus is offering the maintenance of this list for free, I doubt they make much money. Couple that with the fact that people choose to use the list, I don't blame Spamhaus for farting in their general direction.

Re:Ghostbusters

[ArsenneLupin (766289)]

I don't blame Spamhaus for farting in their general direction.

They just should be careful enough to widely publish their new .co.uk address before the hammer hits, so that we can reconfigure our MTA's in time.

Indeed, a fart is not really a fart if it doesn't smell...

Re:

[The Mgt (221650)]

They just should be careful enough to widely publish their new .co.uk address before the hammer hits
It's spamhaus.org.uk [spamhaus.org.uk].
spamhaus.co.uk is an unrelated site flogging antivirus software

Reconfigure your MTAs NOW..

[Ungrounded Lightning (62228)]

Reconfigure your MTAs NOW.

  - Use IP numbers or
  - host a domain resolution for spamhaus in a local name server and configure your MTA to hit that first. (Have your nameserver serve as an unofficial secondary pointing to their primaries, and squirrel a dump of their name service just in case the court gets their primaries shut down.)

Then ICANN can pull the record and it won't do squat.

For your convenience (from nslookup):

> server 204.74.101.1
Default Server: udns2.ultradns.net
Address: 204.74.101.1

> set type=soa
> spamhaus.org
Server: udns2.ultradns.net
Address: 204.74.101.1

spamhaus.org
                origin = need.to.know.only
                mail addr = hostmaster.spamhaus.org
                serial = 2006100802
                refresh = 3600 (1H)
                retry = 600 (10M)
                expire = 2419200 (4W)
                minimum ttl = 3600 (1H)
spamhaus.org nameserver = udns2.ultradns.net
spamhaus.org nameserver = udns1.ultradns.net
spamhaus.org nameserver = ns8.spamhaus.org
spamhaus.org nameserver = hq-ns.oarc.isc.org
ns8.spamhaus.org internet address = 216.168.28.44

(I'm presuming that the spamhaus.org domain contains the
servers in question. But if not, perhaps someone who
actually administers an MTA using their services can
follow up with the necessary info.)

Re:

[Ungrounded Lightning (62228)]

Oops. Meant to link to The Blue Meanie's instructions WITH the server addresses filled in. [slashdot.org]

Re:

[petermgreen (876956)]

unplugging a first world countries tld would probablly result in ICANN very rapidly losing its control over the root of the DNS.

Re:

[ArsenneLupin (766289)]

Not to mention that .uk is member of the "coalition of the willing". Disconnecting it would probably result in the US very rapidly losing its control over Iraq... oh wait!

Re:

[Eunuchswear (210685)]

Get real, Tony is George's bitch, if .UK was disconnected Tony would just say "oh, harder, harder my love" - after all, if .UK isn't disconnected then "Terrorists Win!"

Re:Ghostbusters

[harlows_monkeys (106428)]

What court though? I mean, if some business that I slighted in China brings a lawsuit against me, I'm not going to fly half-way across the world to defend myself

That's a perfectly reasonable attitude, provide you are aware that the chinese business will, therefore, win their lawsuit in a chinese court. If you have no assets anyplace that a chinese court could get to, then you are fine. Just don't miscalculate, ignore them, lose to a default judgement, and then remember that you do have stuff in China!

Also, you have to be careful HOW you ignore them. For example, if you start to defend yourself on the merits, and then say "screw this...you don't have any jurisdiction over me, so bugger off" and THEN start ignoring them, that initial defending on the merits might be seen as conceding jurisdiction to the court. That's bad, because then when the winner comes to your country to collect, there is a decent chance your country's courts will recognize the debt as a valid debt, and then it is a simple matter for that Chinese business to get a judgement in your country to enforce the debt.

The bottom line: ignoring a court anywhere in the world is not something to take lightly. You need to at least get a lawyer with experience in the laws of your country to tell you HOW to ignore the foreign court so that you won't accidently open yourself up to a nasty surprise.

Re:Ghostbusters

[Binestar (28861)]

However, we, in the US, have this little thing called the first amendment. The right to free speech. What Spamhaus (or rather, the email server admin) does is interfere with end users ability to receive free speech.

This is an opt-in DNSBL. So your little "free speach" defense doesn't work.
 
Even considering SPAM to be free speach, it doesn't hold up. The people subscribing to the DNSBL are doing do with their own private property. Your right to free speach ends on my property, just as your right to swing your arms wherever you want ends at my nose.

Re:

[by Anonymous Coward]

I'm the head of the email security team on a network with several million mailboxes. I have to set you straight on spam filtering and free speech. I won't talk about free speach, b/c I have no idea what that might be.

The network belongs to the company who built and operates it. No one else has any rights on that network. If you're buying bandwidth/an email address/hosting, etc., your contract with them may give you certain rights, but those rights are arbitrary and may or may not include any amount of free

Perspective from a damaged party

[Anonymous Brave Guy (457657)]

Let me put an alternative perspective to the AC e-mail security guy who wrote the parent post.

I am the IT officer for a local non-profit organisation, with a few thousand members. We run a mailing list, to provide announcements to those members. The list is opt-in (double opt-in to verify all addresses, in fact) and moderated, and everyone on it has explicitly asked to be there.

Our service provider has recently sent a notice to their announcements list (to which I subscribe) indicating that certain major names, including Hotmail and AOL, are no longer accepting mail from our provider. They don't even bounce it properly; they silently drop it. This is all done in the name of fighting spam, so they claim, because our service provider forwards a lot of spam onto them. (Our service provider forwards any mail received at a paying customer's address to any forwarding address requested by that customer, in fact.) The content of any given mail, and the specific people it's going from and to, are irrelevant to this blanket ban.

As a consequence of this, we now find that some of our members who use e-mail accounts at those hosts are not receiving mails they have explicitly asked for. Neither we, nor our members, nor our service provider is doing anything unreasonable. The only reason this system is broken is because of an arbitrary decision by a big name provider to throw their weight around, by blocking all incoming mail from a small provider (who are not the only ones being hit by this problem -- far from it, by the sounds of things), even if this goes against the explicit wishes of one of their own paying customers.

Now, you can rationalise that decision all you like as a big IT honcho, but the simple fact is that these organisations are screwing their own customers, and ultimately undermining the entire working of the Internet e-mail system, by being incompetent and not playing nice with others. Sooner or later, people are going to start missing really important messages as opposed to just convenient or entertaining ones, and those providers are going to learn a harsh lesson. I imagine a few small providers will start bringing anti-competition lawsuits if the big names carry on down their current road as well. But in the meantime, your approach sucks for your customers, it sucks for people working with your customers, and it sucks for other service providers working with you. It is an indefensible attack on the openness of the Internet, and you deserve to be shot down for it.

Re:

[inviolet (797804)]

Spamhaus doesn't block spam--they provide a database of IP addresses that mail server administrators can use at their own discretion to block suspected spam sources. So, if Spamhaus isn't blocking e360insight's mail servers (they aren't), then why should they have to "prove" that e360insight is a spammer? As I understand, Spamhaus essentially has a network of honeypot e-mail addresses. Anything hitting these addresses is, by definition, unsolicited, and therefore spam.

You are right and I agree. Death to s

Re:

[TekPolitik (147802)]

In a nutshell: I agree, the Illinois has no dick.

Obviously this is wrong - it has a huge dick who wears a black robe.

Would you like spam with that?

[Kelson (129150)]

If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

On the plus side, that might convince the judge to rethink the order.

Re:

[LilGuy (150110)]

Easily said. Not so easily done. There are many businesses out there that can't even figure out how to lock down their MTAs and prevent asynchronous bouncing, let alone deal with an enormous influx of spam, which surely they won't see coming. Hell I worked at an ISP as the sole Abuse department tech, and that was plenty bad enough at the time, but after something like this... makes me glad I quit.

what pisses me off...

[cavtroop (859432)]

what pisses me off about this whole situation is that using the Spamhaus RBL is OPTIONAL, and initiated by the receiving servers. Nobody said you HAVE to use Spamhaus, people CHOOSE to.

Damn, judges really should be expected to have a clue when sitting in on a case...

The Q-Tip Solution...

[patrixmyth (167599)]

If you use cotton swabs, and I'm hoping that you do, then take a moment to read the package. It clearly states that they are not to be put into your ear, despite the fact that plainly that's the use that 90% of consumers make of them. This is plainly because of liability issues which arise from people who can't seem to figure out how far to stick them in their ear. Perhaps Spamhaus could adopt a similar defense by distributing the list with the explicit instructions that it is not intended to be used to block spam, especially in the U.S. and uber-especially in the region where this judge has authority. Just a thought, seems at least as effective as holding your ears and screaming "LA-LA-LA-LA" everytime the court tries to tell you what to do.

Hopefully ICANN is rational

[realmolo (574068)]

I imagine that ICANN will say "Uh...no" if they actually do get that court order. I mean, ICANN is kind of evil, but I guarantee they hate spammers AT LEAST as much as everyone else.

Re:Hopefully ICANN is rational

[maxwell demon (590494)]

Moreover, given that there are ambitions to get control away from ICANN to an internationally controlled entity, for ICANN it would essencially be suicide to follow such an order. Because it would deliver the perfect argument: A real world case causing huge damage to everyone, which would not have been possible if it were under international control.

Re:

[robertjw (728654)]

Exactly. A US court ordering ICANN to drop a name could have disasterous results. Not only would it be the end of ICANN, it could cause a MAJOR backlash resulting in a chaos of domain names.

I hate to bring up that whole slippery slope thing, but we can't just have courts ordering names removed from DNS. What's next? Porn sites? Music sharing? Terrorists? Communists? Democrats? Without an independent, (relatively) impartial name registration/IP address management system the whole concept of a glo

Re:Hopefully ICANN is rational

[Tony Hoyle (11698)]

The EU is ready to take over ICANN regionally already - they needed to to have a credible threat to get their own way last year, and make no mistake if they were pushed make the switch that will end ICANN (and probably end the idea of a single global entity controlling DNS.. it'll be down to regional ones, because China will want their own, the US will probably keep ICANN, etc..).

If ICANN start ordering UK websites down at the request of random US courts then that'll be a pretty hard push in that direction. Even the americans aren't that bloody stupid.

Re:Hopefully ICANN is rational

[cgenman (325138)]

It's a good thing that the management of ICANN was turned over to an international consortium to tend the domain name system in a broadly fair and equitable... wait, what? Crap. Nevermind.

What'll happen if spamhaus disappears from DNS?

[TheRaven64 (641858)]

I'll put them in my hosts file. I'm sure the follow-up story on Slashdot will have their IP addresses in it...

Re:What'll happen if spamhaus disappears from DNS?

[Kelson (129150)]

I'll put them in my hosts file.

Um... you are aware of how Spamhaus's list is distributed, right?

You convert the IP address of the server you're trying to check into a host name, such as W.X.Y.Z.sbl.spamhaus.org, then do a DNS lookup on that hostname. The result you get indicates whether the original IP is liste or not.

Trust me, you don't want to put 4 billion records in your hosts file!

Re:What'll happen if spamhaus disappears from DNS?

[TCM (130219)]

Hell, NO!

You would be trying to use their DNS server as a recursive resolver. DON'T do that! It wouldn't work and you'd be an annoyance to them.

I suggest you read about DNS before doing things of which you don't understand the impact.

What could work is running BIND and doing something along the lines of

zone "spamhaus.org" {
    type forward;
    forwarders <their ip address>;
};

Re:

[Tony Hoyle (11698)]

No they couldn't. Spamhaus is european and its IP addresses are allocated by RIPE.

I don't think ICANN even give out IP addresses in the US.

Plus if they did everyone would probably ignore them anyway.

ICANNot do it cap'n!

[Volante3192 (953645)]

Can ICANN even pull a second level domain? .org is managed by Public Interest Registry. One would imagine all ICANN could do would be to put a halt on the org TLD...

Confusing ICANN with the court

[shani (1674)]

They can do what they want if the registrar's offices are in USA. The data is stored on a hard disk in the USA then the court can sieze it.

The original poster was talking about ICANN not being able to do anything, and rightly so. I haven't read the contract between PIR [pir.org] and ICANN, but I doubt it includes the ability for ICANN to remove specific delegations from the .ORG domain.

You are correct that the court could theoretically size the servers that are located in the USA, although I'm not sure what the legal

ICANN abuse

[JonyEpsilon (662675)]

If I've ever heard a compelling argument for an independent ICANN, this is it!

Jurisdiction

[chiller2 (35804)]

Is this perhaps why there was pressure to separate the US government from ICANN? Maybe now we can see why.

US court
US spammer
UK RBL

Re:Jurisdiction

[McDutchie (151611)]

From here: (and elsewhere with a trivial search). http://news.com.com/5208-7350-0.html?forumID=1&thr eadID=21191&messageID=184631&start=-91 [com.com]

And yes, Spamhaus is a a non-profit corporation, yes, but it pulls in millions and millions of dollars a year from internet providers in PROFIT which is paid out to the executives every year.

That is libelous nonsense. The post, which sounds like it was written by a spammer, probably refers to Spamhaus' Data Feed service [spamhaus.org] for ISP's and large organizations. You can easily see with the price check on that page that the costs per year, even for large sites, are nowhere near such amounts and are simply designed to cover the costs of the operation (including their free public DNS query servers). Don't believe something just because some kook posted it in a discussion forum.

Go ahead - there's ALWAYS a workaround

[The Blue Meanie (223473)]

So go ahead and pull their domain from the DNS hierarchy.

# cat >> /etc/named.conf
zone "spamhaus.org" in {
                type forward;
                forwarders {216.168.28.44; 204.69.234.1; 204.74.101.1; 204.152.184.186; };
};
^D
# pkill -HUP named

All fixed!!

Um, the problem was that they switched horses...

[Mr. Protocol (73424)]

According to the article by the John Marshall Law School lawyer, the problem is not that Spamhaus ignored the initial TRO. The problem is that they didn't. They appeared in state court and asked that the case be moved to Federal Court, which it was. By doing so, they implicitly agreed that the Federal Court had jurisdiction.

Then they claimed it didn't.

I can't think of anything more likely to P.O. a judge than to ask to get into his courtroom, then call him a buffoon.

In the end, as the article says, ICANN may be forced to pull 'spamhaus.org', but ISPs that use it are savvy enough to move to using 'spamhaus.or.uk' or something similar, outside the court's control. But the individuals affected by the order may be unable to set foot in the U.S. for the rest of their lives, even to change planes.

This could be the end of U.S. DNS control

[by Anonymous Coward]

A reckless decision by this judge to crap on the internet over an uncontested U.S. based trial will be a huge motivation to wrest DNS control from U.S. control/jurisdiction.

If U.S. judges think they have carte blanche to impose their laws on foreign entities using domain listing as a weapon then we absolutely MUST get DNS control the heck out of U.S. control, i don't care what DARPA thinks they invented decades ago. The status quo currently is bad enough as it is, but if one person in a robe is going to single handedly eliminate the backbone of the international anti-spam war when the service is based in a foreign country, run by non-U.S. citizens and it's a voluntary subscription service then something drastic needs to be done.

The notion that the U.S. can 'summon' foreigners to defend themselves in U.S. domestic courts is deeply flawed to begin with. It's just amazing that anyone can mock the Chinese for their 'great firewall' when the U.S. is prepared to yank a site from the ENTIRE WORLD, and think they can just because it's domain name is published on a U.S. machine when that is mandated by an historical quirk.

Is it time we gave the United States their little .us domain to play with and left the rest to people who understand how serious this stuff really is.

Re:

[ScrewMaster (602015)]

Congratulations on posting one of the most arrogant, clueless remarks I've heard in a long time. The rest of you had just as many centuries as we did to come up with something like the Internet and failed. We gave it to you for free, let all of you use it, even our bitterest enemies, and have managed it with a far more even hand than ANY of you "people who understand how serious this stuff really is" would ever have done.

Truthfully, your comment smacks more of blindly uninformed anti-Americanism and unadult

Re:

[russotto (537200)]

Quite a rant, but that's all it is.

1) The U.S. hasn't summoned Spamhaus to appear in court. According to the court documents posted so far, Spamhaus was never served with this lawsuit.

2) The U.S. so far hasn't shown any willingness to yank the site. Rather, there's a _proposed_ order from a Federal judge in the Northern District of Illinois which would yank the site. IANAL, but I know a court's powers to compel third parties are limited, and there might be an issue of that district's jurisdiction over IC

I'm amazed

[belmolis (702863)]

I'm amazed at the knee-jerk reaction of so many people here. I hate spam as much as the next person, but claiming that the judge is ignorant, stupid, or malicious is ridiculous. The fact is, Spamhaus responded to the suit in the most inappropriate way imaginable, by acknowledging the federal court's jurisdiction and thereafter ignoring it. If you get a traffic ticket, even if it is unwarranted, what would you expect to happen if you turn up in court, then walk out and refuse to communicate any further with the court? What Spamhaus has done is the equivalent, only federal judges have a LOT more power. Spamhaus should either have challenged the court's jurisdiction from the outset or, having accepted it, complied with its orders and defended the suit.

Other than Spamhaus trying to correct the situation, I wonder if third parties might be able to submit an amicus brief to the court along the lines of: "Yes, Spamhaus behaved liked idiots, but cutting them off is not in the public interest.":

Re:

[cheshire_cqx (175259)]

This was a default judgment. They might have a decent chance to set aside the judgment and defend on the merits. I wonder where the EFF comes down on this?

Re:

[belmolis (702863)]

No, sorry. You've ignored my argument. This is Spamhaus's fault, not the judge's. The judge was correct in ruling against Spamhaus since Spamhaus failed to defend the suit, and as a non-techie cannot be expected to realize what the consequences of taking down Spamhaus would be. Had Spamhaus behaved responsibly, they might well not have lost the suit, but if they had, they would have had the chance to explain to the judge the consequences of different remedies.

Juristiction my ass

[digitalgimpus (468277)]

Lets look at the facts:
1. Spamhaus isn't in Illinois
2. Spamhaus isn't even in the US, no business presence on US territory at all.
3. Spamhaus only connection to the US is US companies utilize the service.

Based on that Illinois can only go after companies that use the database, not the provider overseas. They don't market or have any presence in the US. The court likely could go after these companies. Will they?

Now what I'd love to see is Illinois try and go after everyone in the US using the database... go ahead and try. I'll keep using it because it's a good effective database.

I've got a feeling there's money behind this ruling. It just sounds to fishy to be legitimate.

IF...

[SmoothTom (455688)]

...the judge orders ICANN to pull their DNS, and IF they actually do it, the estimate is that SPAM could incease 4X.

If so, I sincerely hope that somehow the increase in SPAM to the judge's court is even higher - at least double that.

The only way that folks who purposely damage the system for the majority of users will learn, no matter that it may be just not understanding what they are doing, is if they see a direct effect - a strong direct effect - on their own personal use of the system.

--
Tomas

Chicken Little FTL

[kindbud (90044)]

is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

Not gonna happen.

Total number of recipients logged in one maillog file: 92033

Total number of messages in this logfile that got a SpamAssassin score increase thanks to XBL or SBL listing: 47818

Total number of scores that may have potentially been pushed over our threshhold (9.0) by the SBL/XBL score: 985

Big effing deal. All the RBLs could go offline this afternoon, and it would have minimal impact on our spam scoring system. It isn't necessary for any RBLs to exist to control spam. It just isn't.

Re:Chicken Little FTL

[dodobh (65811)]

92K messages in a maillog file? Over what time period? Is that a toy server?

My current estimates say that $ORK is blocking ~ 400 to 500 million messages a day using DNSBLs, about 80% of which is the sbl-xbl.

Re:Its a stupid arguement.

[El Torico (732160)]

Wait, we should see both sides of this argument. All of us can read what e360insight has to say at http://www.e360insight.com/case_history.html [e360insight.com], and yes, I mean all of us. Of course, since we are polite, all of us won't do it at the same time, will we?

Also, we can express our concerns directly to them at http://www.e360insight.com/contact.php [e360insight.com]. They were nice enough to have a comment submission form. I hope they have a lot of disk space for submitted comments.

Big PDFs

[JumperCable (673155)]

Wow. For being such big a-holes they sure do put up a lot of big PDF files on their website: http://www.e360insight.com/case_history.html [e360insight.com]

Re:Perspectives

[dodobh (65811)]

Spamhaus method of fighting spam dont stops 3/4 of the spam of the world. Probably graylists, bayesian analisys, and other methods stops far more.

You obviously don't run a mail server with > 1 user. The sbl-xbl list stops ~ 80% of our spam. That's for a small email service provider, defending only about 75 million email addresses.

Bayesian doesn't stop spam. It just flags stuff as possible spam. Humans are worse filters than any software. If you have to look for false positives in a spam folder, don't even bother to filter stuff. That is just a waste of CPU cycles.

On the smaller servers I run, recipient validation handles ~ 50% of the spam, the sbl-xbl stops ~ 80% of the rest, dynamic IP blocks and hostname checks stop the remaining.