Why Blacklisting Spammers Is A Bad Idea

Roland Piquepaille writes "For the last two months, an eternity in Internet time, I was unable to reach -- and to contribute to -- Smart Mobs, the collective blogging effort around the next social revolution initiated by Howard Rheingold. Why that? Because an unknown customer of Verio decided it was a spamming site and asked the company to blacklist the site. Verio complied -- probably without even checking it -- and my problems started. It took me dozens of e-mails and phone calls and two visits to the headquarters of my french ISP, Noos, to fix the situation. More about this horror story is available here."

ORBS

[olman]

And other RBLs require usually multiple reports from multiple sources. And you have fairly straightforward way of getting de-listed, too.

What's with the current boo-hoo over blacklists? Do we have some kind of spammer astroturf going here?

Why Blacklisting Spammers Is A Bad Idea

[wo1verin3]

This article should have been called...

"Why it's important to have good policies and procedures in place when blacklisting spammers"

Overzealous users

[Anonymous Coward]

I use blacklists to mark probable spam, but still generally see it. Recently, some people had reported an email from GoDaddy (domain registrar) that was only sent to customers, and it was asking them to very information. If, say, my ISP was blocking email from them based on this, I'd never see it. ISP's should err on the side of caution, let users take more risks if they personally desire.

Just to clarify

[Nachtwind]

"blacklisting" in this article refers to completely block an ip address. This is not a "bad idea", but complete nonsense. First time I've heard of something like that. This is not to be mistaken for using an open relay blacklist or similar, which only blocks mail from a certain address. I bet those "network administrators" clicked on some fancy "block site" button, not knowing what they were doing...

Non sequitur

[ScottSpeaks!]

The fact that a strategy (such as blacklisting) can be mismanaged and that it is not invulnerable to abuse does not necessarily make it a "Bad Idea". It just means it needs to be managed more carefully, and better secured from abuse.

Improperly done blacklist

[DaEMoN128]

Why is the blacklist being done on a domain level. Spam is usually email....so block the email address. That is simple enough to do with intrusion detection systems, some application level firewalls, and if your really bored....an access list on a router. Whoever decided to block ftp or http to stop spam was not all there. They should have stopped smtp traffic from there instead and been done with it.

Black listing of spammers is a good idea, we just have to make sure we are only blocking them and not innocent bystandards.

Re:Why Blacklisting Spammers Is A Bad Idea

[sweetooth]

No kidding. The primary problem is the ISPs and thier upstream.

Am I understanding this correctly?

[orthogonal]

From the article: My ISP has a partnership with Verio to handle its traffic in the U.S. When Verio blacklisted Smart Mobs, any request from Noos went unanswered -- sorry, there was the (in)famous 404 error.

I want to be sure I understand this correctly. Verio wasn't (only) discarding mail from Smart Mobs, because they thought it was spamming site, they were refusing to pass through http (or other) connections to it?

Discarding mail is one thing, but blocking an IP address is quite another. What's the justification for this? To prevent the (supossed) spammer from profitting from the spam, by preventing anyone from connecting to it to (presumably) buy the product touted in the spam?

Discarding mail from a spammer can be justified, by, among other things, the argument that spam mass-mailings strain system resources. But connecting to sites happens all the time -- an ISP should should be set up to handle that traffic, and can traffic to sites touted in spam really increase the volume that much?

To me, this seems like a dubious policy on Verio's part -- even without the problem of mis-identifying sites as in the case of Smart Mobs.

Yup, I was RBL'd

[kwerle]

I left an HTTP proxy on on an open port - on the same machine that does SMTP. I didn't even know that spammers could relay via an http proxy using a PUT to the local SMTP server. mea culpa.
I fixed it in 3 days (too long, I know).
I contacted mail-abuse.org and submitted a removal request. It took them 2 weeks to take me off the list.

It frustrates me that their site is so unresponsive to removal requests, and that they fail much of their process. They were supposed to send email at several stages, which they did not do. The email they did send was badly formatted (broken urls, urs that weren't relevent).

I won't ever use an RBL because they just don't seem responsible.

Yeah, I know - pot kettle black. But I'm not supplying a service to thousands of users.

Re:Am I understanding this correctly?

[sirket]

Discarding mail is one thing, but blocking an IP address is quite another. What's the justification for this?

Null routing of address blocks with a significant number of known spammers has been done for years. This is hardly new so please do not act so shocked.

-sirket

Re:Am I understanding this correctly?

[Anonymous Coward]

can traffic to sites touted in spam really increase the volume that much?

It's not about saving bandwidth -- it's about taking away the spammer's source of income. If you block email from a spammer, you've wasted a minimal amount of his time, and he'll quickly move to another mail server. If you take out his web site, he can't sell anything online.

Answering the question.

[_Sprocket_]

So the question presented by this article would be "WHY is blacklisting spammers a bad idea?" Unfortunately, it doesn't answer the question.

The blurb mentioned by the article submitter is the entire coverage of any such activity. The rest of the piece then goes on to complain about the user's ISP. Those who haven't RTFA'd can feel comfortable in skipping this one.

I'm sure this submission will provide nice fodder for expressing annoyance over spamming and horror stories of "collateral damage". But then - we've had plenty of those before. It would have been nice if an article had provided some framework around this kind of conversation.

This article doesn't.

Re:Improperly done blacklist

[spicedhamhawg]

Speaking as someone who fights spam for a living, effective blocking requires a combination of techniques. You need to filter on sender (both envelope and From:), sender domain, sender IP, and content filters.

Your statement that whoever decided to block ftp or http was not all there completely misses the point, I think. If a site is known to spamvertise, blocking *all* traffic to/from that site is actually a pretty good idea. Why? Consider why spammers send spam: to generate traffic to a web site, an email address, a phone number, some way to contact that. Since they know any email address they use to spam probably won't last as long as fart in a room full of air purifiers, the contact link is usually URL, whether by domain name or IP address. If they spam and you put in a filter for that spam, they may never get that spam through again, but they may still get some buyers from among your (stupider) customers. However, if your policy is to block all traffic to/from that IP address, they get zero traffic and zero business from your netblock and you really hit them in the wallet.

Verio's idea is good, but someone dropped the ball on implemenation in this case by not checking the facts before blocking.

What I'd like to know, though, is why the author of the article uses an ISP as bad as Noos. They sound so bad they make even wanadoo.fr (gee, speaking of spam!) sound good in comparison. Someone at Verio apparently made a mistake, but if so many people at Noos weren't so incompetent (did the PHB character come from their, I wonder?) the situation probably could have been resolved in a day or two.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Wrong. Not perfect != "bad."

[the_dreadnought]

The good it does is far outweighed by the bad. Just like everything else in life, mistakes will be made. You can have a problem with the process to correct mistakes, but advocating RDNS blacklisting should go away doesn't make sense.

Re:Why blacklisting won't work

[NSash]

How about making use of micropayments so that sender's account is charged some nominal amount that goes into receiver's account?

How about not? Of all of the proposed solutions to the spam problem, micropayments are the worst.

Re:That's what I'd call costumer care...

[Anonymous Coward]

In all fairness, some of this does make sense. 50% of calls are "When I click on the E thing I can't see the Internet.", the "Internet" being your ISP's home page. The first questions from technical support is usually your number, your name, what kind of cable modem you have, and how many lights are on. Fixing basic connectivity solves over half the problems.

40% of calls deal with email issues, of which half are actually connectivity problems, the rest are customers with a new computer that need to have their settings switched over to their new machine. This can be checked by having the customer email themself.

This leaves us with 10% viruses, spam, malware, browser settings, router settings, bricking, QOS/server issues, and the occasional kook that insists the ISP is blocking access to some obscure site.

Re:Improperly done blacklist

[ScrewMaster]

Yeah, I have a similar problem. I found that when I sent mail using my ISPs SMTP server (i.e., Comcast) it would go through fine. However, I also found that Comcast's SMTP server is unreliable: either it's down or it accepts messages and then eats them whole. Anyway, I set up a mail rule to route any AOL-bound messages through Comcast and everything else is routed directly to the destination host. That way I'm only dependent upon Comcast for mail going to AOL.

How was it blocked?

[Skapare]

Based on this story, it seems Verio decided to block the presumed source of spam by means of the routers. That's a rather extreme measure. Doing such things in routers, whether by access list, or by blackhole routing table entry, is not nearly as easy, and does not scale as well, as blocking at the receiving mail server. But they may have wanted to do so because so many mail servers are run by clueless people that can't configure their way out of a paper bag.

I block spam source at mail servers, not routers (except in very extreme cases, but there are current none blocked at routers). That gives me the option to whitelist specific senders and/or specific recipients. So I'd say the real issue he is not that blocking/blacklisting spammers is bad, but that blocking them in stupid ways that lose control is what is bad.

Blocking spam and spam sources should be an end-point decision. There are risks in blocking, and different people have different needs and different sensitivities to that risk. Even your own ISP shouldn't block spam for you unless you agree to it with the understanding of how they are doing it. The best solution is for you to have total control if you wish, particularly in the ability to whitelist, and even blacklist, specific exceptions you want. Those who don't know the details of how this is done would have to delegate that to someone (such as their ISP).

Even content based spam filtering can be broken. What if my girlfriend sends me mail telling me what she's going to do with certain parts when she comes over tonight. I sure would not want that to bounce. Of course I can whitelist her email address (and hope her computer doesn't get infected by some spamming virus).

Blacklisting spammers is good ... when done right. Verio didn't do it right.

Re:Hypocrisy

[sirket]

Why when this happened did he not instantly start shopping around and then demand to speak with a manager and tell them that unless they got a clue about the diffrences between protocals that he was leaving?

Actually you are right. The real problem is people willing to put up with shitty customer service. If enough people stopped putting up with it, and did switch, we might actually see some corporate changes.

When my last ISP gave me crap about a similar problem, I immediately started looking for a new ISP and eventually switched to Speakeasy. It was the best move I could have made. I have been with Speakeasy for over 3 years now and I honestly could not be happier. I have customer service that listens to me and technical support that actually helps me.

-sirket

Re:Improperly done blacklist

[Anonymous Coward]

Note that there is no confirmation that the site was in fact blacklisted, or that the customer call is what fixed it.

It could have been a routing issue: if the site was blocked, the site could have been hosting an open email relay and been blocked. It could have been a mis-configured DNS server that misused an email blackhole list for a total blackhole list, or a site that used it as a policy.

Don't blame blackhole lists for Noos being unable to handle requests for technical support, which was the *real* problem here.

Re:Improperly done blacklist

[e1mer]

Blacklisting is usually done when the domain administrators ignore request to deal with the spammers or when they simply continue to allow the spam to come in spite of stopping the individual offenders. If the blacklisting is done improperly, IMHO, it is because the IP is blocked, but the name service is allowed to continue to serve spammers. If cleansweep2001 spams, and the IP is blocked, they just move the IP and keep the name. For example, if I had the ability I would have no problem with blocking all domains registered through joker.com. Pretty much every email scam I get comes from a domain registered with them. (today it was for globalsecureorders.com) Perhaps there are valid domains hosted there too, but IMHO blocking the company would drive the good customers to responsible name registrants, encouraging them to clean up their act or go out of business. Simply saying the name registrar is not responsible for the content hosted by the registant is a straw man argument.

Proper spam blocklisting (for mail)

[bigberk]

First, it's obviously a bad idea to block all IP traffic for an entire netblock (except under extreme circumstances -- attacks, for instance).

Spam is a huge problem, and there are some very effective DNSBL's (DNS blocklists) out there that can let a mailserver reject mail coming from a certain IP address. There are many different DNSBL's out there, and each has their own policies on what IPs they will list, how they will de-list, etc.

I don't like DNSBL's that list IPs based on non-spam related criteria. Examples include: country/continent of origin and service class (consumer vs. commercial). Blocks based on such criteria just divide the Internet, and don't even take into account where spam is coming from. I think it's a slap in the face of the Internet for a company to say, "I'm going to block all traffic from dynamic IPs, because they are not commercial connections".

Then there are the blocklists that block IPs that send spam. I like this approach because the lists are designed to block what I don't want; spam. sbl.spamhaus.org blocks regions of the Internet that perpetually send spam. blackholes.easynet.nl similarly list established spam sources. relays.ordb.org and list.dsbl.org block open relays and proxies that were found to be points of abuse.

Re:Improperly done blacklist

[bigberk]

Amen! This is a perfect example of one of many serious threats to end-to-end transparency in the Internet . . . I don't know what can be done

Unfortunately, these Windows viruses that make a broadband customer act as a spam relay are a big reason that ISPs are considering blocking mail from dialups/dynamics.

If Internet communications gets divided between consumer/corporate lines, I will place the blame on spammers and Microsoft (no joke).

Re:Why Blacklisting Spammers Is A Bad Idea

[rgmoore]

Yeah, because blacklisting has been so effective thus far, we just need to do more of it. Yeah, right. Blacklisting is basically playing a game of whack-a-mole; it makes things a bit less convenient for spammers, but doesn't seem to be doing them serious harm. OTOH, crippling the email of innocent bystanders who happen to share IP blocks with spammers seems a rather steep price to pay for something that does very little to stop spam.

Spam is a tough problem, and it's going to take more than just vigilante action to deal with it. What's needed is a two pronged approach. One prong is legal and is being followed fairly well; pass laws that make spamming illegal. The other prong, which is still under development, is to make technical changes to email so that spammers can't hide their addresses. Neither one will succeed alone- laws can't help as long as spammers can hide, and making spammers stand still won't help if there's no legal recourse against them- but the combination of the two should help a lot.

Re:ORBS

[t0ny]

This sounds more like a complaint about the potential for human error, rather than a complaint about the idea or technology itself.

Rather silly, Slashdot. I suppose next we will have an article saying how security is evil, because some LUser gave his password to a hacker who phoned in posing as tech support. Or even that DNS is evil, because someone can hijack your listing (which was posted a few days ago...)

some IP addresses blow spam

[chongo]

While I feel sorry for those who are innocent victims of blacklists, I cannot also ignore the most of the spam comes from a only few IP addresses.

Over the past 6 months, some 65% of spam (and spam attempts) that my ISP received came from less than 0.16% of the assigned IPv4 address space.

Almost 2/3's of the spam we saw was sent over SMTP connections from one of 77 CIDR blocks (ranging from /16 to /30 in size). These 77 CIDR blocks represent less than 1/6 of 1 percent of the assigned IPv4 address space.

BTW: The CIDR list growth factor is not much when you move from the 65% level to the 90% level.

... your stats may vary. :-)

Spam is truly a world wide problem. Those 77 blocks, by national/region, break down as follows:

1. 1 Australia
2. 1 Belgium
3. 8 Brazil
4. 1 Canada
5. 8 China
6. 3 Dominican Republic
7. 1 Spain
8. 1 France
9. 1 Israel
10. 1 Italy
11. 1 Japan
12. 15 Korea, Republic of
13. 3 Mexico
14. 1 Poland
15. 1 Russia
16. 2 Thailand
17. 3 Taiwan
18. 25 US

The above list is provided for the curious. I do not recommend that people block IP addresses based on the hosting country.

"Yes, Virginia", a few IP address blocks do transmit most of the spam.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:ORBS

[PurpleFloyd]

The current "boo-hoo" over blacklists can be mostly summed up by one word: SPEWS.

They operate on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply "suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"

To be sure, a large portion of the problem comes from ISPs implementing SPEWS incorrectly - silently dropping all IPs listed, not just tagging level 2 and dropping only level 1 (confirmed spammers), and the spammers have created this problem themselves. However, SPEWS' "list 'em all, let God sort 'em out" approach is irresponsible, particularly when they know that ISPs are applying the filtering with a wide brush.

Re:Had the same problem..

[ninjaz]

A fairly high-profile example of this was when (now defunct) ORBS announced that all of above.net was an open relay a few years ago (in response to above.net blocking network scans from ORBS). A mention of how it blocked the PHP mailing list is here [phpbuilder.com].

6 months later, its proponents were telling people the same thing - "every entry was verified an open relay" (here [ornl.gov])

Of course, these lists can be workable when combined with a system such as spamassassin, which uses them to weight whether or not a message might be spam, thus taking into account the too often power tripping and overreacting operators.

It must be frustrating playing whack-a-mole with spammers, but, slandering entire network service providers is wrong, too.

Remember the old adage: "be careful when you fight monsters lest you become one yourself"?

Or, how about "100 guilty men go free than for one innocent man to be put to death"? Just like with censorware, when people see legitimate sites and users suffering at the hands of the "protectors", it leads to wariness of placing much trust in these "protectors".

Re:ORBS

[Eggplant62]

[SPEWS] operate[s] on the "nuclear bomb" method: list spammers, plus anyone using a "spam-friendly" mailserver (a definition that can be stretched to cover almost anyone) or anyone who is simply suspicious." Oh, and you might also be listed if your new IP block was once used by a spammer. Don't worry, though. You can just wait a few weeks and lose massive amounts of buisiness because many customers can't recieve email from you and have no idea why - they just think you aren't responding. Or you can go onto NANAE and post a delist request, which will get you nothing but "Whiner! Eat your SPEWS, it's good for you!"

Incorrect characterization of SPEWS methods. From my own personal observations, a SPEWS listing starts out with the spammer's IP addresses based on spam received at multiple spamtrap accounts. Complaints are filed by the people who run the SPEWS list and, of course, they do not identify themselves as SPEWS operators in those complaints. Some time elapses (I'm not SPEWS, how should I know how much time exactly?). Either the spammer is removed (Yay! The listing drops off the list) or the complaints go ignored and more spam is received at the spamtrap accounts. The listing gets widened to the /24 in which the spammer space is included (this may happen immediately in the case of a spammer identified by Steve Linford's ROKSO (Registry of Known Spam Organizations) at spamhaus.org [spamahaus.org] (may be difficult to reach due to the Slashdot effect or DDoS by virus)).

Lather, rinse, repeat the above until someone at the responsible ISP who received the original complaints wakes the fuck up and notices the situation, usually after their own customers are screaming at them, asking them to fix the problem that got them blocklisted. Then again, this is all laid out in the SPEWS faq [spews.org] in fairly clear, easy to understand language.

If ISP's are dropping mail from both level1 and level2 listings, they've made their own bed and are now laying in it. Only an idiot would block on level2 listings as they are meant as an historical indicator of problems with an ISP and do age off after an indeterminate period of time, again outside my control or knowledge.

SPEWS is the only thing thus far in the war against spam that actually has an effect at the ISP level to get some of these outfits to wake the fuck up and see what's happening in their own abuse@ mail accounts. ISP's think they can continue to shine on the spam problem, thinking they have no responsibility for their customers' actions. We, the users of SPEWS blocklist, say otherwise.

If I decide I don't want mail from a corner of the Internet that has sent me nothing but spam, that's my right. If I decide to rely upon the opinion of another Internet service who tracks this kind of information for themselves and elects to share it with the public, that's my right also. SPEWS works for me and mine.

Re:Improperly done blacklist

[Mastoid]

Because DSL providers' SMTP relays don't come without strings attached.

Consider Verizon, for example. In order to relay out, you not only have to authenticate with the assigned Verizon id & password (not a huge problem, but weird, considering that they still only accept relay from their netblock--guess they're worried about rogue wireless connections), but the servers refuse to relay if your email address isn't one of the official "Verizon" hosts (bellatlantic, verizon, etc).

This leaves many in the uncomfortable position of having domains hosted somewhere reliable and being forced to use Verizon for a return address, or try to work around the problem by setting the Reply-To as appropriate (which breaks mailings lists, etc).

Verizon's answer to this idiocy is that they'll happily allow you to pay to host your domain with them, at which point they'll add it to the list of allowed relaying domains.