On Wed, 23 May 2007 09:50:19 GMT ***@harkless.org wrote:
| On May 22, 5:21 am, Phil Howard wrote:
|>
|> This is something frequently said about SPEWS. Given the similarity of
|> APEWS, I believe there may be similar goals here. An objective of the
|> DNSBL is to create an incentive to the ultimate controlling entity, the
|> ISP, to clean up their act and reduce the overall level of spam coming
|> through their network. Since this is a corporation that is motivated
|> only be profit and financial growth, any incentive mechnism must work
|> by influencing that motivation in a legal way. A major part of that
|> would be to convince customers that they, even though they are not
|> involved in the spam, need to quit being a customer of that provider.
|> At some point, the numbers would convince the executives of the provider
|> that they meet their own goals best by cleaning up the spam problem.
|> Those customers who stay with the provider are effectively communicating
|> the message "I do not care if you allow others to let spam through, I am
|> a loyal customer and will stay with you through to the bitter end". With
|> customers like that, why would they ever do anything to reduce spam, much
|> less stop it?
|
| If there were a good alternative to my AT&T DSL available, I would
| very seriously consider it.

If your definition of "good" is a company that does just as much skimping
on the "technical due diligence" as AT&T does, so they can give you as
cheap a rate as AT&T does, then that's not going to help.

It is unfortunate that the next level up is a big jump, and that big telcos
have in many areas eliminated alternatives that are just a small step up.

The standing alternatives are:

1. Colocated or dedicated hosting of a mail server reached through a
secure connection via the retained AT&T DSL service.

2. A reduced service like ISDN for the email traffic, via a different
provider.

3. Fractional T1, possibly in conjunction with DSL.

The first choice I believe is more common.


|> But if theu list some other /11 that you do not fall int, that's OK?
|
| No, I don't use DNSBLs that take such a blunt approach without
| allowing innocent server owners caught in the collateral damage to
| request exclusions for their IPs.

You and I have a different preference. I prefer that customers of those
providers switch to a different provider, so that it creates an incentive
the provider understands to clean up their act (and the only incentive a
big corporation understands is whatever affects the value of their stock).


|> And what of those who feel that since AT&T is doing so little to stop or
|> reduce spam, that they should de-peer the AT&T network entirely?
|
| That doesn't seem realistic.

That's being done just with the SMTP port level. It's called blocking.


|> You'd rather just block the spam, but leave all the attempts to send spam
|> running so your mail server is constantly pounded by SMTP connections that
|> are going to just get rejected?
|>
|> Me? I'd rather get the provider to shut down the spamming.
|>
|> Make it stop!
|
| No, of course I'd rather have the spamming be stopped. Is APEWS'
| current approach the best way to accomplish that? I would say no, but
| obviously fighting spam is not an exact science and opinions will
| differ.

What do you think would convince AT&T to change course and stop taking
steps that really reduce the spam level, targetted at eliminating it?
I think the only thing that would get them to do that is money. The
fear of less revenue for not doing so, or the anticipation of more for
doing so. What other ways can you think of that are legal and work on
a big corporation?

Many smaller providers do the right thing _for_ the right reason (that
spamming and other abuses steal from others, and is wrong). Corporations
just don't operate that way. They operate on making financial reports
to stock holders look good, and keep stock values going up.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-05-23-***@ipal.net |
|------------------------------------/-------------------------------------|

Have you looked at Speakeasy? They don't seem to get noticed by
blocklists.

Apparently, in your evalutation of "goodness", you don't give much
weight to "ability to have email accepted". That's your choice.
Nobody is obligated to use your criteria for selecting spam-blocking
methods when dealing with mail from you. They use their own decisions
in all cases.
There are those who have done it, hence it's quite realistic. It may
be foolish, but there's no lack of foolishness in the world (or on the
net).
Who knows? Apparently the people running APEWS think it works. Their
service, their decisions.
If you offer a better method, theirs will wither. But you have to
actually offer it and make it available, not just say that it should
exist.

Seth

On Wed, 23 May 2007 09:55:42 GMT ***@harkless.org wrote:

| I consider any such listing of large provider netblocks (the majority
| of whose IPs are no doubt operated by non-spammers) to be an
| unreasonable level of false positives, particularly if there's no way
| for innocent server operators within the range to request exclusion.

Maybe it's time for my "two internet analogy" (again).

Let's suppose we have two separate internets. One of them operates exactly
like the current internet in terms of interconnect rules: there are for the
most part no rules. Any provider can interconnect as long as they can pay
the costs. However, the other internet (2nd internet) is controlled by an
organization that sets some for specific and strict rules about what may be
done on the 2nd internet, and has the power to immediately shut off anyone
that breaks the rules, including whole providers. These rules focus mainly
on abuses that cost other parties money, and include absolute restrictions
against all forms of unsolicited bulk email. Other rules also exist against
providing any kinds of services to abusers, and providing services to other
providers downstream that have been ordered disconnected for failure to
follow the rules. And one more rule prohibits the forwarding of any email
or other traffic from the 1st internet.

AT&T, and many other providers, with their current practices, simply would
not qualify for connection to the 2nd internet. However, many others have
chosen to connect _only_ to the 2nd internet. Customers and providers may
operate in both internets, but must obey the rules. The 2nd internet ends
up costing about 75% more, and has say 20% of the population connected, of
which more than half is connected exclusively to the 2nd internet because
it has been highly successful in eliminating spam (if you connect to both
you still end up getting spam via the 1st internet).

It will cost you X dollars to connect to the 1st internet. It will cost
you 1.75X dollars to connect to the 2nd internet. It will cost you 2.75X
dollars to connect to both (and make you liable for any leakage between
them that might happen at your network).

Which internet will you connect to?

If the number of people moving from 1st internet to 2nd internet is a big
number, would that change your preference?

Now consider this. From the perspective of just the SMTP protocol, those
who use lists like APEWS, including making their own, or by other means,
are effectivly forming a 2nd internet (just for SMTP). It's not 100% split,
yet, but it is clearly moving in that direction.

There are people that simply don't want to be a part of "an internet" that
chooses to let spam run rampant. They don't want to be a part of any
peering with providers that allow this to happen. Think of these people
as members of the 2nd internet.

Now do you want to connect to the "2nd internet", of which AT&T is NOT a
provider for?
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-05-23-***@ipal.net |
|------------------------------------/-------------------------------------|

If "false positives" are IPs listed in a DNSbl, where you
want /need / expect messages from, and you checked messages
against SPEWS, you must not get much e-mail from almost
anywhere.

Take a look at the zone file, search for Comcast for example
<http://spews.org/packetreject.html>
<http://spews.org/spews_list_level2.txt.bz2>
<http://spews.org/ask.cgi?x=24.0.0.0>
<http://spews.org/html/S2963.html>

<http://news.com.com/2102-1034_3-5218178.html>
Story last modified Mon May 24 11:41:16 PDT 2004
Comcast's high-speed Internet subscribers have long been
rumored to be an unusually persistent source of junk e-mail.
Now someone from Comcast is confirming it.
"We're the biggest spammer on the Internet," network
engineer Sean Lutner said at a meeting of an antispam
working group in Washington, D.C., last week.
Lutner said Comcast users send out about 800 million
messages a day, but a mere 100 million flow through the
company's official servers. Almost all of the remaining
700 million represent spam erupting from so-called zombie
computers -- a breathtaking figure that adds up to six or
seven spam-o-grams for each American family every day.

That is one reason large consumer ISPs might get many of
their IP ranges listed in an aggressive DNSbl like SPEWS,
APEWS, ..., and exceptions aren't made, the ISPs are not
being responsible, and preventing their IPs from being
used for abuse, they don't have resources to deal with
every other enduser getting trojaned every other week,
and most not even knowing it, not running anti-virus,
not running anti-spyware, not using a hardware firewall,
not having any general clues, ISP not blocking Port 25,
...

If your ISP is currently ranked at #2 on SpamHaus,
I don't think I would be very far off to guess that your
ISP has some kind of similar issues (too many clueless
endusers, and not enough resources to babysit them 24/7,
hold their hands and clean up their messes for them).

I notice over the past week that APEWS has listed some outgoing
servers
for Yahoo, Hotmail, and AOL. Much of the traffic to our site from the
listed servers is 4-1-9 spam, but there are such significant numbers
of
"desirable" messages in the tube that I cannot do more than tag-and-
sort them right now (rather than 5xx them all).

How do these listings influence the use of APEWS by others here?
--
Michael

"Guaranteed white" is far more difficult of a statement to make than
"probably dirty."
KWW

Are you actually seeing your email *rejected?* It seems to me
the great majority of email users are on providers with thousands
of customers. Email service providers that big will generally
not get away with rejecting email based on a DNSBL with known
high false positive rate. They might use it to add a point or
two to a spamassassin score, but that's all.

Every day you will see people announce in some newsgroup that
they are blocking 200/7 or 60/8 or all IPAs belonging to
Everyone's Internet/The Planet, etc. But as spammy as those
places are, among the general email using population a few
users in a thousand are going to miss email from those places
(one in dozens in the EV1/theplanet case) and complain.
You can be pretty sure the guy who blocks EV1 only has a few
customers, and the guy who blocks everything Hurricane Electric
owns (people brag about that too) is only running a hobby
server for himself. SPEWS was somewhere in that range, and I
suppose APEWS isn't much different. So your best option may
be to simply ignore the listing. Maybe you'll have to ask
a particular APEWS user for an exception, but that won't
happen very often.


Cameron

Perhaps not known to you; certainly known to its victims.
That's a consequence of their policy rather than a component of it.
No, because such an update would be false.
People mislead themselves. No matter what APEWS, Spamhaus or anybody
else puts on their web sites, people will attribute to them things
that they didn't say. Anybody using *any* DNSBL should test how well
it works for their network and their users. The FAQ should not be
loaded down with basics.
Or that specify the wrong list :-(
There is absolutely no connection between using APEWS data and
silently dropping suspect e-mail.
Then your "of course" is even more bizarre than it first appeared to
be.
Perhaps "dropped" means something different in your neck of the
woolds, but you wrote "I'll probably have a lot of mail just get sent
quietly into junk mail folders"; to the user unable to see his valid
e-mail that sure looks like it was dropped.
No.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to ***@library.lspace.org

On Tue, 22 May 2007 11:22:20 GMT ***@harkless.org wrote:
| On May 21, 4:08 pm, Phil Howard wrote:
|>
|> I believe you will find that pretty much all DSL and cable providers
|> fall into the same category: they skimp on costs they should bear the
|> burden for, as I detailed, which passes those costs on to the victims
|> of the abuses from their network they fail to control.
|>
|> I share your concern about shared hosting. I wouldn't go that route.
|> But somehow you need to move up out of the rut you are in, and it is
|> very likely that no DSL/cable options will achieve that.
|>
|> How much of your traffic is outbound email?
|
| I don't have detailed stats at hand, but yeah, probably not that large
| a percentage. I don't monitor how much bandwidth my users (friends
| and family) use, though, and they may be using "email as a file
| transfer protocol" for large files. I would hate to have to restrict
| them.
|
|> Another option, if that
|> traffic level is smaller, is to get an ISDN or dialup service from a
|> different provider. Otherwise, finding a colocation or dedicated
|> hosting provider remains your big option.
|
| I like my email to go out as instantly as possible (another reason I
| don't like having to take an unnecessary hop through ISP mailservers),
| so dialup wouldn't be a good solution. ISDN from someone other than
| my phone company? I didn't realize that was possible. Tried to do
| some searching just now and I'm not seeing any such providers. AT&T
| requires you to call if you're ordering ISDN and doesn't list prices
| online, but last I knew, several years ago, ISDN was a lot more
| expensive than DSL (despite the much slower speeds). If that's still
| the case, co-lo or dedicated hosting would seem a better use of money.

The number of providers is dropping. But a great many still offer that
as a backup means. ISDN is just a switched network that happens to be
digitally interfaced. It's a circuit (64kbps) or two (128kbps) that is
directly feeding the underlying switched circuit for voice calls in the
traditional call switching networks.

These services can generally be operated nailed-up, too. Analog dialup
is essentially the same, but you get a slower speed (and the other end
has to have a modem, too, which may not exist for some ISPs).


|> I'm not expecting any lists that list big provider blocks to be cutting
|> any holes. If they do, they would have to for everyone else who makes
|> the same claims as you do, and there is a huge list of that. They would
|> end up having to expend a huge cost burden to carry out verifications of
|> such requests.
|
| The dynablock.njabl.org (recently deprecated in favor of:),
| pbl.spamhaus.org, dul.dnsbl.sorbs.net, and dhcp.tqmcube.com DNSBLs
| (and others, I believe) all list large ISP netblocks yet provide the
| ability for server owners to get their IPs excluded. It appears
| they've been able to successfully manage the potential costs of the
| verification (e.g. through automation).

I was thinking of starting a blacklist of my own that just lists the
whole internet :-) Then I'd punch out holes for whoever asks :-)


|> Charging to be exempted from such a listing would sure
|> be seen as a conflict of interest, and possibly illegal.
|
| I note that uceprotect.net charges to be removed, but that's only if
| you want to be removed immediately, and their system drops entries
| automatically after 7 days (assuming no more spam from an IP hitting
| the spamtraps).

Right. And I like that idea.


|> Otherwise it is just entirely impractical to do that.
|
| Apparently it's not -- see the DNSBLs I mentioned above (which do not
| charge for removal).

I'll check them out. I don't know if I'll ever be able to test their
hole drilling procedures, though.


|> What I am doing with my own lists (not publically available right now)
|> is listing by domain NAME, rather than IP address. The effect of such
|> a list is that your correctly rDNS'd addresses would not be affected
|> unless and until your own domain somehow got listed. If those who have
|> the resources to operate a worldwide public DNSBL were convinced to run
|> a list that used names like that, maybe it would become more popular
|> to use instead of lists based on IP address. So maybe you might want
|> to take the position of supporting that concept.
|
| At first blush, that sounds like RHSBLs, which are indeed offered by a
| number of public providers. Of course the problem with them is that
| spammers can evade them by forging the envelope From domain and not
| all domains publish SPF (or similar) records to deal with the forging
| problem.

They cannot forge the verification of rDNS very easily. That's what my
idea would be based on.


| But since you mention rDNS, perhaps you're talking about a list that
| checks to see if the IP address of the sending SMTP server resolves to
| a domain that's listed? How do you deal with forged rDNS? Require
| reverse and forward lookup to match? How do you allow for virtual
| hosting on the same IP? And what about spammer servers that have no
| rDNS? Also, do you only support domain names, or full hostnames? If
| the former, I guess you have no way of listing one rogue server inside
| verizon.net without blocking the entire domain?

The end user would have to enable the rDNS check to make it work right.
That would be a good idea even if the list wasn't used. If rDNS does
not validate, the mail should be rejected unless a specific whitelist
over that is applicable (I do have a few sender email addresses listed
that can override rDNS failures).


|> | I dunno, other DNSBLs are able to make IP exceptions work. It's
|> | generally pretty automated.
|>
|> How do they verify that a request for exception is valid (e.g. does not
|> meet the criteria that the rest of the large enclosing subnet does meet)?
|
| I'm not sure -- not all of them publish exactly how it works (perhaps
| to help avoid abuse). Here's what the SORBS DUHL requires:
|
| We also operate a self-help exclusion interface that allows the
| owner of a system to quickly exclude a single IP address (or, in
| some cases, multiple IP addresses) from the DUHL. For this to
| be possible, the following criteria need to be met:
|
| * The MX record of a domain needs to contain a host name
| that maps to the IP address involved. The Time to Live of
| the MX record needs to be at least 43200 seconds.
| * The A record for the host name needs to have a TTL of at
| least 43200 seconds.
| * The reverse DNS PTR record for the IP address involved
| needs to map back to the name given in the MX record,
| and to have a TTL of at least 43200 seconds.
| * If there are multiple MX entries, these rules apply to them
| all.

Sounds like they might want to have the same effect as name-based.
This might work. Maybe for them and maybe not for APEWS.

So I'll think about what I might do to create a white-only list that
works that way.


| No doubt they also have stuff in place to block exclusion requests if
| the requester is found to be spamming.


|> Find a provider that fully understands APEWS (and SPEWS).
|
| Sounds easier said than done. Even if such providers are around, I
| probably won't usually be able to get access to the people on staff
| who have that understanding.

You might be surprised, especially at the smaller ISPs.


|> Talk with the
|> candidate providers about this and see what they say. Be sure to avoid
|> those who say things like "we can't control who lists us where" as that
|> can either be weasling to avoid a commitment they know they cannot make,
|> or just plain ignorance about the whole issue. Ask for a contract that
|> states that during any time either your IP space, or any other space at
|> least /24 in size, is listed in APEWS (or any other list you itemize and
|> agree to in the contract), then you cost is reduced to some substantially
|> low percentage, and the contract cannot be terminated early by them during
|> that period (unless they can show you were the spammer, which we assume
|> is something they will never be able to do).
|
| It's an interesting thought, but I really doubt I'd have the leverage
| to get them to agree to that kind of risk ("What, some faceless entity
| that can't be contacted lists some IP space that includes us on some
| whim and you no longer have to pay us enough to cover our costs? I
| don't think so."), especially since I'd of necessity have to go with
| one of the lower-cost providers (and packages).

Then you will need to keep yourself agile, mobile.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-05-22-***@ipal.net |
|------------------------------------/-------------------------------------|

In <***@h2g2000hsg.googlegroups.com>, on
05/22/2007
There's a difference between a list of known spam sources and a list
of known IP addresses with generic rDNS. There's also a difference
between a list that is intended to be an early warning system and one
that is not.
You need to learn how such lists work.
Why do you believe that full host names are not domain names?
Recognized has two possible signs. They're recognized like habeus is
recognized.


In <***@o5g2000hsb.googlegroups.com>, on
05/23/2007
Well, e.g., 12/8, 38/8 are single companies, while, e.g., 200/7,
210/7, are geographical areas.
It's not blocking anybody; it's just supplying data. The admins using
those data are free to use them as they wish, and that includes
whitelisting whatever IP blocks they choose.
You can consider an apple to be an orange, but that doesn't make it
one. A large list not only is not "an unreasonable level of false
positives", it is not *any* "level of false positives." If no message
matches the list then there are no false positives no matter how large
the list is. The only way to measure the false positive rate is no
count the actual messages that get rejected and the subset of those
that should not have been rejected.
They can call you and ask for whitelisting.


In <***@q69g2000hsb.googlegroups.com>, on
05/23/2007
They *do* seem to be targeting "spammers and spam operations"; they
never claimed to exclude the ones that are large. AT&T has been a spam
operation for over a decade.
I can acknowledge the possibility that I run the Trilateral Commission
as well. I can acknowledge the possibility that *you* are SPEWS.
Unlikely possibilities don't butter any parsnips. As for the epithet,
it was awarded to me by one of the frothier loons infesting NANAE and
intended as an insult; instead it was an undeserved compliment.
A difference that makes no difference is no difference. Filing them in
a folder stuffed to the gills with spam means that the vast majority
of users will never find them.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to ***@library.lspace.org

If you go read RFC 2606, I think you will see that is the TLDs,
not the second level domain names.
(Shrug) I don't much care, I just thought I would point
to you out what the RFC says and that the rDNS PTRs you
are using may forward resolve to an unrelated IP
and that isn't under your control.

In <***@q69g2000hsb.googlegroups.com>, on
05/23/2007
Definitely in a different context. There's an IETF working group
trying to produce a replacement for RFC 1036, and they specify the
invalid TLD. My guess is that will still be there if and when they
produce the final version.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to ***@library.lspace.org

In <***@q69g2000hsb.googlegroups.com>, on
05/23/2007
Definitely in a different context. There's an IETF working group
trying to produce a replacement for RFC 1036, and they specify the
invalid TLD. My guess is that will still be there if and when they
produce the final version.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to ***@library.lspace.org