Why Blacklisting Spammers Is A Bad Idea

Roland Piquepaille writes "For the last two months, an eternity in Internet time, I was unable to reach -- and to contribute to -- Smart Mobs, the collective blogging effort around the next social revolution initiated by Howard Rheingold. Why that? Because an unknown customer of Verio decided it was a spamming site and asked the company to blacklist the site. Verio complied -- probably without even checking it -- and my problems started. It took me dozens of e-mails and phone calls and two visits to the headquarters of my french ISP, Noos, to fix the situation. More about this horror story is available here."

Re:Run your own mail server on your own domain

[bhtooefr]

RTFA. Verio was doing blacklisting on ALL PROTOCOLS for this ISP. The guy could not even GET TO THE SITE.

That's what I'd call costumer care...

[rune.w]

Quoting from the article:

1. Technical support people don't have access to Internet;
2. They are not allowed to phone to customers;
3. And they are not allowed to send them emails.

Maybe it is a good time to change ISP?

Re:My own slashdot horror story...

[Guppy06]

"It was hell. I spent *hours* unable to access /. -- can you imagine the suffering that such a fate would cause *you*??!

Eventually, I was issued a new IP address from earthlink"

And you couldn't manually request a new DHCP address because... ?

Details?

[Dimensio]

I love hearing these "horror stories" about people listed by some well-known DNSbl like SpamCop or SPEWS, telling us how unfair it was and how impossible it was to work with the list maintainers, but they never provide any details so we can't investigate their case.

Of course, in one case a company did provide extensive details that, when looked into, showed that their listing was perfectly justified.

Re:My own slashdot horror story...

[Anonymous Coward]

And you couldn't manually request a new DHCP address because... ?

If he's using Earthlink Cable, it's because he can't.

Back when they issued CybrSurfr cable modems, the DHCP server assigned you an IP based upon the MAC address of your NIC. If you wanted a new IP, all you had to do was ifconfig yourself a new MAC, do a network restart, and voila... Brand new IP, usually in a totally different /16 and occasionally in a different /8 (24.0.0.0/8 vs 6x.0.0.0/8).

Now, they've migrated everyone to SurfBoard 4x00 series modems. DHCP assigns an IP to the modem based upon its HFC MAC, not based upon your NIC's MAC. As best I can tell - believe me I've tried - there is no way to change the MAC of the modem, at least not without physical tampering. Unless the DHCP server itself is rebooted, or runs out of IPs to assign and needs to cycle through, you WILL get the same IP every time on the SurfBoard 4x00's. When I had a 5-day outage over the summer, after the connection was fixed I came back up with the same IP.

In other words, short of getting a different modem, it's nearly impossible to proactively request a new DHCP lease with a new IP.

Re:Improperly done blacklist

[l-ascorbic]

I'm assuming that by "running your own SMTP server" you mean you're running one at the end of a DSL line or similar. If so, why don't you use your ISP's server as smarthost and relay through them? Avoids DSL/dialup/dynamic blacklisting, and reduces the strain on your server. Win-win, surely?

Verio = SBF (Spammer's Best Friend)

[NoSuchGuy]

To get kicked from Verio, you have to burn down a network center or something like this. About 500 mails from users to abuse@verio.net for one spamvertized website netmails.com [google.de] and no action taken ==> They do nothing against spam. They tolerate spam.

Check for yourself: Verio's Listing [spamhaus.org].

I use blackholes.us [blackholes.us] to block (port 25) entire countries (cn, kr, tw) and ISPs (Verio, interbusiness.it...) that do not qualify (in my standards) for connecting to my mailserver.

NSG

This stuff is PROBABILISTIC, people!

[Anonymous Coward]

Blacklists, and pretty much any other spam detection technique, work just fine as long as people are intelligent enough to realize that they're not absolute indicators of anything. If you use a combination of multiple blacklists, content analysis, and whatever else you can come up with, weighing each one according to the correlation between messages matching it and actually being spam, you'll generally do just fine. Rejecting mail solely on the basis of its presence in a single blacklist or its matching a single heuristic will pretty much always lead to lossage sooner or later.

Re:Pot/Kettle

[ScrewMaster]

Yes, you have. Let me warn you, however, that we took a slightly different evolutionary path than the majority of alternate Universes. To wit: the women here have their breasts coming out of their backs. Now admittedly this looks kinda funny to some of you continuum-jumpers, but hey ... its great for dancing.

Re:My own slashdot horror story...

[pyrrhonist]

And you couldn't manually request a new DHCP address because... ?

He probably could, but unfortunately he'll probably get the same IP address. From the RFC:

If an address is available, the new address SHOULD be chosen as follows:

• The client's current address as recorded in the client's current binding, ELSE
• The client's previous address as recorded in the client's (now expired or released) binding, if that address is in the server's pool of available addresses and not already allocated, ELSE
• The address requested in the 'Requested IP Address' option, if that address is valid and not already allocated, ELSE
• A new address allocated from the server's pool of available addresses; the address is selected based on the subnet from which the message was received (if 'giaddr' is 0) or on the address of the relay agent that forwarded the message ('giaddr' when not 0).

Bummer, dood.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Had the same problem..

[Anonymous Coward]

Given that it was an MS Exchange Server, why do you think it *wasn't* an open relay server? The configuration certainly won't prevent this, the setups lie pretty horribly about what they block so that "trusted" users can relay freely, and the spammer need merely forge one of the "trusted" account names.

Which have been published in alt.2600.....

Blacklist=BAD Bayesian=GOOD

[Anonymous Coward]

Blacklists are bad, they foster lazyness, splinter access, and all sorts of other nasty problems that make the Internet fall short of what it promises. I recently started using Eudora 6 with Bayesian filtering, it has worked really well so far.

free markets

[Anonymous Coward]

Choose another ISP...If enough people do this those that blacklist without checking will eventually learn better.

Re:Spamcop

[Anonymous Coward]

No, SpamCop requires 2.

Re:Improperly done blacklist

[Anonymous Coward]

Actually, within the past couple of weeks AOL has started blocking all inbound e-mails that do not have a valid DNS reverse lookup. This certainly includes most dynamic ip addresses but could also include static IP addresses. (This was specifically done to reduce the volume of spam.)

Re:The replies

[kwerle]

Leaving a proxy open for raping by spammers doesn't make you a bloodsucking demon, but it is definitely grounds for having your IPs locally blocklisted.

It frustrates me that the http proxy:
1. Didn't warn me that this was an issue upon install
2. **Allowed this to happen at all**

I have submitted a bug to the developers. This is a known issue, though I'd never heard of it before, nor had 2/3rds of my geek (professional programmers, recreational sysadmins - which describes myself as well) friends. If http proxies blocked all requests (or at least PUTs) to localhost/127.0.0.1 and all know network interfaces on the local machine, this kind of thing either wouldn't be a problem, or would be much less a problem.

Again, pot - kettle - black. Still, good software wouldn't allow this kind of thing in the first place, and recreational sysadmins wouldn't have to worry so much.

Finally, as I'll mention in another thread, I only discovered I was an open relay when my DSL line acted up (total "lucky" coincidence) and I did a lot of investigation on the server. I discovered a huge email queue (which I nuked) and lots of RBL delivery rejections in the mail log. If they had sent ONE message to root@[my ip address] I'd have found out immediately and shut it down within a day.