Friday, October 18, 2002

Counter Arguement

Jason, a happy user of SPEWS (not affiliated with SPEWS), has graciously allowed me to post an email that he sent to me regarding SPEWS. My coorespondaces with Jason have been pleasent and professional. We don't agree 100%, but I do respect his opinion.

Hi Marc,

Thanks for the follow up. I read (and replied) to your followup post this morning, as well.

Your issue/disagreement with SPEWS methodology is common, and I actually used to have the same opinion as you. But when I really watched what was happening for a while, I changed my opinion.

The rest of this email is not important, but I'm going to write it anyway, just in case you are interested. Often it IS hard to filter through the more abrasive posts in NANAE to get the real info. I try to help people understand why SPEWS is a really good system, even though it IS highly controversial.

I actually found out about SPEWS when my email server got listed. A client of mine had allowed a spam campaign to be sent out on their behalf. I didn't know this had happened, and my client didn't know that he was spamming. He was employing what he thought was a legitimate email marketing company. We got out of SPEWS in less than a week by fixing the problem, and I enacted new policies in my company to prevent us from ever being listed again.

SPEWS doesn't start out listing a whole Class C. They list the spammer's IP address first, (immediately to stop the spam) and complain to the ISP. Most ISP's have Acceptable Use Policies that expressly forbid spamming. A few ISP's don't enforce their AUP.

When an ISP doesn't stop a spammer, but allows them to continue spamming, it can be reasonably assumed that that ISP is "spam-friendly." Or, at the very least that they are slow to act. Spammers keep track of ISPs who are spam friendly and migrate to them. Verio is a prime example of this.

So, how does one convince an ISP that allowing spammers on their network is "bad business?" An organized boycott is one way. SPEWS essentially facilitates an organized boycott, but they don't normally list a major ISP's _entire_ address range. They list increasingly larger blocks of that IP space until someone finally acts.

A few years ago, the U.S. Congress stated that they didn't want to pass any laws regarding spam. They specifically stated that they wanted the free market to handle the problem if at all possible.

Hundreds of companies have tried just blocking the IP addresses of spammers. But, spam supporting ISP's learned that they could just move the spammer to a new IP address, and then the block would be useless. So, private system administrators spent hours just trying to keep up with what IP addresses spammers were using on any given day. This is called "playing whack-a-mole" (like the carnival game).

SPEWS has accomplished a few things in the free market fight against spam (which will cost businesses an estimated $10 Billion this year).

(1) Because of SPEWS agressive methods, there has been a lot of media attention on "how to stop spam." This is good, because it is forcing our elected officials to look at the issue.

(2) It has virtually stopped the "whack-a-mole" game. ISP's are learning that just moving spammers around doesn't work anymore.

(3) ISP's are being forced to make a decision as to whether they will support spam or not. If they do support spam, they are tending to move their spammers into more consolidated netblocks, effectively "containing" spammers.

Believe me, I don't think that SPEWS is the _best_ way to handle the spam problem, but I do think that it is a good way. I've got a few better ideas, but don't have the time or inclination to build them.

Which comes to the final point. SPEWS is run by a group of anonymous volunteers. A bunch of very intelligent system administrators have found a good way to fight spam, and they are donating their work to the internet at large. Until a commercial service that is accountable to its paying customers creates a more effective solution, or governments create effective anti-spam laws, then we have to rely on outfits like SPEWS to create a temporary fix with "consolidated power."

One could also argue that a commercial service solving the problem is a bad thing. Why should I have to pay "protection money" to keep spammers from abusing my email server?

I'm not going to go into the whole "why spam is bad" thing, because I think we agree on that. But spam is more than an inconvenience. 38% of all internet email is spam, and spammers rely on a number of destructive techniques to operate. The spam problem truly threatens the viability of email as a useful communications medium, and it has got to be stopped.

Best wishes,


Jason is also known as Ziggy in the NANAE ( newsgroup.

No comments: