Thursday, October 17, 2002

SPEWS, Blacklists and Vigilantes



I wasn't going to post about this, but I've changed my mind. It's really got me worked up. A non-centralized entity called SPEWS (www.spews.org) has created a list of spammers. These lists can be used by email admins all over the world. If an ISP or company employs this list then your e-mail will be bounced back to you with a note to go here (http://www.spews.org/bounce.html).

Here you find out that your email is blocked and will remain so until your ISP (or your ISP's ISP) stamps out spammers on their systems. You are basically told your options are:


  1. Live with it, there is nothing you can do.
  2. Call your ISP and tell them to stop supporting spammers.
  3. Get a new ISP.

I don't know about you but to me those options stink!

Why am I making a fuss over this? Because my company's email server is being blocked. We have never sent spam and never will. We sell mid-range software that costs thousands of dollars. Spamming isn't going to get us customers. We don't usually even bother with companies that have less than 50 employees, so why would we want to send your grandma an email?

However, someone in an IP block next to ours was spamming. Think of an IP block as a section of town. Our section of town has three streets: 161.58.0.0, 161.58.1.0 and 161.58.2.0. Each street can have 254 houses on it. My company's house is on street 2, house 130. The spammer's house was on street 1, house 38. Our neighborhood association (ISP) is Verio, a big host and ISP.

The watchdog group SPEWS noticed that house 1.38 was sending out lots and lots of spam. They contacted Verio and the residents at 1.38. The residents replied:
“i dont care about being blocked. nor will i try to get off the block list. i just think its funny how upset people get from getting mail. i told the person who sent the mail out that there were certain rules they had to follow such as a link for the recipient to remove themselves from the mailing and a return email address. they followed the rules. but in any event people are taking this Spam mail wayyyyy tooo serious, there is a delete button on your keyboard. its the same as watching t.v., when a commercial comes on use your remote if you do not want to watch it. are you going to black list the t.v. station?? LOL.. or when you get junk mail from usps, you do have the option of putting it in the trash can. good luck with your anti spamming efforts :)”

I won't speak for Verio but apparently they didn't feel the need to drop 1.38 as a customer.

So SPEWS chose to block the WHOLE neighborhood. 'Your neighborhood sucks. Get a new one or complain until the spammers move out.'

Do you see the problem yet?

SPEWS makes this list. Some hosts choose to use this list to block spam and unfortunately innocent companies as well. But who now has to do all the work? Oh the list maintainers have to constantly add more and more bad guys to their list (until the whole Internet is blacklisted) but all they have to do is wait until the spam comes in, run a few network checks and add them to the list.

The innocent bystanders, on the other hand, have to figure out how to get around the problem, spending valuable time and resources investigating the problem and searching out a solution with their ISP. Now if they choose to go to another ISP they are then burdened with the task of moving all their services to a new host and HOPE they don't get blocked again with this ISP. The time spent researching ISPs, prices, relocating data and servers could potentially skyrocket for larger companies and be a dangerous load on resources for a smaller company.

Now assuming that all that goes well, what about legitimate communications lost and the possibility of lost sales (non-spam email communications)? I've seen it suggested that you bill your old “spam friendly” ISP for all these costs. Yea, that's gonna happen.

On the flip side, the argument is that all this spam is eating up tons and tons of bandwidth. And there are potential liability issues for companies when their employees are receiving XXX porn spam, with embedded images, so the recipient gets to see the full glory of the spammer's wares, even when web filtering software, like NetNanny, is being used.

I don't disagree with those arguments. However, let's look at a couple of interesting things. The big ISPs that are accused of allowing all this spam are also the major providers of Internet access and hosting, companies like XO Communications, Verio, and Uunet. So blocking these guys is like blocking out entire cities. SPEWS does seem to at least pay attention a little bit and doesn't stop ALL traffic from Verio or XO, but smaller 'neighborhoods'. But if you have the misfortune of moving in next door to one of those spammers, you're S.O.L.

Also, if these big ISPs are providing access to so many, having HUGE data pipes throughout the world, don't you think they'd be the first ones cracking down on bandwidth abuse? But let's say that the spammer is sending out a 250K message. That's a pretty reasonable guess based on the spam I see. Let's just say they send out 2000 messages a day. While this is a small amount for a serious spammer, some other companies that are being listed as spammers probably get listed for less. That's 50 MB per day. I have users on my network at work who surf the net more than that. The bandwidth usage is insignificant from the ISP's point of view.

Now from a customer's point of view, perhaps an email admin using SPEWS, the inflow of spam is too high. Perhaps they pay for their Internet access by megabyte, though I don't think that happens as much these days in the business world. Perhaps their company has strict content rules and regulations and they want to make sure no porn spam makes it through.

However there are a LOT of very good applications designed to filter spam at the server and at the desktop. Larger companies would obviously do the filtering at the server. Yes it uses server resources. Yes they can fail and block legitimate email. Yes they can fail and let spam in. But this scenario allows for the recipient and the bounced email sender to communicate and say, 'hey, what's the deal?' (Which is what I'll be doing.) It also allows the recipient to perhaps see that the email may in fact be legitimate. That's why personal spam filters don't just delete spam. They move it so you can make sure nothing legitimate is lost.
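An added example, not part of the original post: a receiving-side policy that treats a block-level listing differently from a reported source, so a neighbour in a listed range is quarantined for review instead of bounced, and a local allowlist entry overrides the list. The /24 ranges are constructed from the post's "three streets" description; the function names and the policy itself are hypothetical.

```python
import ipaddress

# Constructed from the post's description: three listed /24 "streets".
LISTED_BLOCKS = [ipaddress.ip_network(n) for n in
                 ("161.58.0.0/24", "161.58.1.0/24", "161.58.2.0/24")]
# The single address the post names as the actual spam source.
REPORTED_SOURCES = {ipaddress.ip_address("161.58.1.38")}


def matching_block(ip, blocks=LISTED_BLOCKS):
    """Return the most specific listed network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in blocks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def decide(ip, allowlist=(), on_block_hit="quarantine"):
    """Hypothetical receiving-side policy.

    Order of checks: local allowlist, then reported source, then block listing.
    on_block_hit="quarantine" keeps the mail reviewable; "reject" bounces it.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(a) for a in allowlist):
        return "accept"
    if addr in REPORTED_SOURCES:
        return "reject"
    if matching_block(ip) is not None:
        return on_block_hit
    return "accept"


def collateral(blocks=LISTED_BLOCKS, sources=REPORTED_SOURCES):
    """Usable host addresses covered by the listing that are not reported sources.

    Assumes /24-style blocks, where network and broadcast addresses are unusable.
    """
    covered = sum(n.num_addresses - 2 for n in blocks)
    offending = sum(1 for s in sources if any(s in n for n in blocks))
    return covered - offending


if __name__ == "__main__":
    for ip in ("161.58.1.38", "161.58.2.130", "192.0.2.10"):
        print(ip, matching_block(ip), decide(ip))
    print("allowlisted:", decide("161.58.2.130", allowlist=["161.58.2.130"]))
    print("collateral addresses:", collateral())
```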

SPEWS doesn't suggest contacting the ISP who blocked you but tells you instead to yell at your ISP. The list and the people who use it don't care if your email is lost. All they care about is stopping spam at all costs, even if that means innocent companies and individuals have to suffer for it.

These are the old west vigilantes who made their own “laws” and damned anyone who chose to disagree with them. I expect to be flamed for speaking out against SPEWS, but that's fine. They go too far. They are no better than the spammers themselves. They both hide in the shroud of Internet anonymity.



To respond to some of the questions that were posed to me regarding this issue:

You say you are angry and frustrated at not being able to contact SPEWS. If you COULD contact them, what would you say? What difference could it possibly make? SPEWS will not de-list you if you ask, plead, pay, or threaten.


My problem is the fact that, even if I COULD talk directly to the individuals behind SPEWS, they will not 'white list' legitimate companies. They spend plenty of time researching and tracking down spammers, certainly they have the skill and insight to go look at our company's website and see that we have nothing to do with the spamming that was going on around us. They are holding innocent companies accountable for 'crimes' they didn't commit. That's not right. And no I will not accept that they are holding the ISP accountable. The ISP isn't suffering, its customers are. Because an anonymous organization states that they are doing wrong.

How dare you come here and say SPEWS is irresponsible while you give your money to a provider that has allowed this crap to go on for well over a year? You should be ashamed of yourself for using the title Sys Admin and not knowing how screwed up your ISP really is.

Hey I never said Verio wasn't responsible for its spam issues. However those issues did not affect our company until SPEWS “black listed” 3 class C subnets. So pardon me if I see the problem being with SPEWS. As for shame in my title, well I never said I was a Sys Admin. I'm a Systems Engineer. I make things work. I have to work within certain financial limits. For the little we pay per year for what has been very good service from Verio I have little incentive to try to explain to the President of our company that we should change web/email hosts because an anti-spam vigilante group says that it's the “right” thing to do. And I have many other more important things to do within my company rather than sit and chase down spammers all day long. I wish I was afforded that luxury.

I wrote: “If they refuse (to white list our IP address) we can talk to the prospective customer and explain why their ISP will not let them communicate with us.”

They responded: “I hope you'll also explain to the prospective customer that it's your supplier that's at fault.”

Actually I won't. I'll tell you why. Our prospect will not care why outside of the fact their ISP is preventing it. These are payroll and human resources people. They aren't tech savvy. Some perhaps are, but in general they aren't. Now trying to explain IP blocks and blacklists and SPEWS and the whole situation would take time out of both of our busy schedules and would not change a single thing. I will not spread your propaganda.

Well until I hear more, that's the story. This was something I was completely in the dark about. I bet most of my blog readers were too.
