Telewest UK Discovers SPEWS

Critics of the SPEWS anonymous spam blacklist claim the intentionally broad IP blacklisting causes more problems than it solves via collateral damage; supporters argue this is the only real way to get ISPs to clean up their networks. The latest to bump into SPEWS is UK ISP Telewest, who has a million subscribers suddenly screaming at them because they can't send e-mail. The Spam Kings blog recently opined on the large number of infected spambots allowed to roam free on the Blueyonder/Telewest network: "Fifty six '/18' netblocks owned by Blueyonder, a service of UK broadband provider Telewest, are currently on the 'Level 1' blacklist maintained by Spews. Do the CIDR math (56 * 16,384) and that's one heck of a lot (917,504) of IP addresses."
What a non issue.
Get Hotmail if you're sad that you can't send email. The problem is ISPs that don't do anything to prevent mass spam from being sent out via their email servers. By blacklisting all email from an ISP, it forces the ISP to actually do something to prevent the spam. Any less action and the ISP wouldn't care.
Transmaster (join: 2001-06-20, Cheyenne, WY) | Re: What a non issue.
SPEW, isn't that The Society for the Protection of Elfin Welfare? Sorry, I am a Harry Potter fan.
richk_1957 (join: 2001-04-11, Minas Tirith) | Re: What a non issue.
First thing I thought of, also :D
rizwan602 | Re: What a non issue.
Your theory is wrong.
We are an ISP. We have a netblock of (for example) 192.168.1.1 - 192.168.1.255.
We use 192.168.1.1 to 192.168.1.32 for our own usage, and we have customers (different ones) on the remaining IP address range.
If 192.168.1.35 decides to spam (even though they signed a terms of service stating that they wouldn't), all of a sudden SPEWS marks our entire subnet, causing innocent neighbors of that spammer to be listed w/o cause.
This absolutely does a bad thing to the entire network of innocent parties. They claim it will help ISPs run a clean network, but it also destroys a lot of things in the process.
The CORRECT method would be to give a 30 day notice or something similar to remove the offending system from the network so that the ISP has a CHANCE to fix the problem.
This happened to us recently with Spamhaus, who labelled the entire subnet as a spammer where only 1 IP address was at fault, which was removed. It took over 3 weeks to get delisted and we lost several customers.
noone1 (join: 2004-06-04, Nashua, NH) | Re: What a non issue.
said by rizwan602: The CORRECT method would be to give a 30 day notice or something similar to remove the offending system from the network so that the ISP has a CHANCE to fix the problem. This happened to us recently with spamhaus who labelled the entire subnet as a spammer where only 1 ip address was at fault which was removed. It took over 3 weeks to get delisted and we lost several customers.
Let me get this straight: mass amounts of spam flowing through your network and you don't see it? You want SPEWS to warn you and give you 30 days to fix your problem? I simply ask: why the heck didn't you notice the spam traffic when it happened and stop it? Why did you have to wait till an outside source told you? Do you have so little insight into your network that you can't tell when spam is originating inside of it within hours? If I was using an ISP and they did not have the capacity to monitor their traffic and to shut down spam flying out of it, but instead wanted an outside source to inform them of their internal problem, I would find someplace else also.
How do you tell if spam is coming out of your system? If you do not know how to do this: every time an email leaves your system, write a little event to a log with the source and time stamp. Once every so often, say once a minute, have a process check the logs; if any source sends more email than some limit over a certain time frame, raise an alert. A simple bash script could handle all of this.
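The per-source outbound mail check sketched above, as an added Python example rather than noone1's own script (he suggests bash): the log line format, the 10-minute sliding window and the 100-recipient threshold are assumptions, and the sample log is constructed here.

```python
"""Alert on any source that sends more mail than a threshold inside a sliding window.

Added example: the log format "<ISO-8601 timestamp> <source-ip> <recipient-count>",
the 10-minute window and the 100-recipient threshold are all assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed "certain time frame"
THRESHOLD = 100                  # assumed recipients per source per window


def parse_line(line):
    """Return (timestamp, source_ip, recipients) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        return ts, parts[1], int(parts[2])
    except ValueError:
        return None


def find_bulk_senders(log_text, window=WINDOW, threshold=THRESHOLD):
    """Scan a time-ordered log; return {source_ip: (first_alert_ts, count_in_window)}.

    Each source keeps a deque of (timestamp, recipients) inside the window plus a
    running total, so a burst is caught as soon as the total crosses the threshold."""
    recent = defaultdict(deque)
    totals = defaultdict(int)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # skip malformed lines rather than crash the checker
        ts, src, n = rec
        recent[src].append((ts, n))
        totals[src] += n
        while recent[src] and ts - recent[src][0][0] > window:
            totals[src] -= recent[src].popleft()[1]   # expire entries outside the window
        if totals[src] > threshold and src not in alerts:
            alerts[src] = (ts, totals[src])             # alert once per source
    return alerts


def constructed_log():
    """Constructed sample: one quiet host, one host bursting to 120 recipients in under 6 minutes."""
    base = datetime(2004, 11, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(minutes=2 * i)).isoformat()} 192.168.1.40 1" for i in range(20)]
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} 192.168.1.35 10" for i in range(12)]
    lines.append("not a log line")
    return "\n".join(sorted(lines))   # sorted by timestamp, as a real log would be ordered


if __name__ == "__main__":
    for src, (when, count) in find_bulk_senders(constructed_log()).items():
        print(f"ALERT {src}: {count} recipients within {WINDOW} as of {when}")
```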
rizwan602 | Re: What a non issue.
You have overlooked the possibility that:
1) spam was sent from a computer in the network
2) we have either shut it down or contacted the computer owner to stop this activity
3) SPEWS has noticed what happened AND should work with us to minimize the impact of it w/o listing us.
In good faith we work hard to remove offending systems from our networks. But 'blanket listing' the entire network along with other customers on the network is LAZY and IRRESPONSIBLE ACTIVITY!
You are assuming that we only respond to SPEWS activity. Why would you assume that given the above example?
Next time... consider what is being said.
sweintz (join: 2002-03-01, Chester, CT) | Re: What a non issue.
said by rizwan602: You have overlooked the possibility that: 1) spam was sent from a computer in the network
Of COURSE the spam was sent from a computer on the network (I assume you mean other than the ISP's mail servers). This is where MOST spam comes from: hijacked machines, throw-away accounts, etc. running their own SMTP services.
Oftentimes SPEWS will list address blocks that do not send spam at all, but are hosting HTTP servers that are advertised in spam. ISPs need to be more diligent about that as well, and need to make certain that they state in their TOS that any site advertised in UCE will be taken down.
said by rizwan602: 2) we have either shut it down or contacted the computer owner to stop this activity
It needs to stop immediately. Within 24hrs at the most is fair, I think. Contact the customer immediately upon first report of spam. If they cannot be reached and/or cannot resolve the problem within 24hrs, shut off their account. Period. Put that policy in your TOS in writing.
said by rizwan602: 3) spews has noticed what happened AND should work with us to minimize the impact of it w/o listing us.
In what way do they need to work with you beyond what they already do? Netblocks don't get a SPEWS level 1 listing very easily; the problem has to be ongoing with a demonstrated history of not fixing the problem.
said by rizwan602: In good faith we work hard to remove offending systems from our networks. But 'blanket listing' the entire network along with other customers on the network is LAZY and IRRESPONSIBLE ACTIVITY!
Letting the problem go on long enough that SPEWS gives you a level 1 listing is pretty much proof that any claim that you "work hard to remove offending systems" is BS.
Seriously. How long does it take to cancel an account? 30 seconds or so.
The problem is most ISPs are more concerned with keeping paying customers than they are about keeping their network clean. Rather than "terminate on sight", they terminate the account as a last resort. IMO this is just WRONG.
The blanket listings (on the rare occasions that SPEWS does that) cause the necessary collateral damage needed to get the ISPs to wake up and take the problem seriously. It changes the economics so that they now have to worry about losing ticked-off users (whose outgoing mail is being blocked) and makes it so that it is better business to shoot spammers on sight (to avoid such listings).
ISPs of course want to have their cake and eat it too, so they whine about this.
said by rizwan602: You are assuming that we only respond to SPEWS activity. Why would you assume that given the above example? Next time... consider what is being said.
This is a thread about SPEWS. SPEWS is what was being discussed. Seems like a fair assumption.
irod4 (join: 2004-10-12, Delta, BC) | Dear rizwan602 (if that really is your name);
You write: "all of a sudden SPEWS marks our entire subnet causing innocent neighbors to that spammer to be listed w/o cause."
From your own descriptions, I am confident that you are the cause.
"The CORRECT method would be to give a 30 day notice or something similar to remove the offending system from the network so that the ISP has a CHANCE to fix the problem."
WRONG. In your case 30 days would be a minimum; a guideline. If you want readers to believe that it takes you that long to get on top of this problem, as you state it, then I suggest 3 months on RBL before hearing your reasons for being taken off. One of the reasons would need to include some credible documentation that you have basic internet savvy; say grade 10 or equivalent. Even a 2-day workshop would help. It would then be reasonable, based on your own testimony on how long things take in your world, to allow you a couple of months to absorb the information and have a CHANCE to apply it.
"You [noone1] are assuming that we only respond to SPEWS activity. Why would you assume that given the above example?"
Who are you trying to kid?? You did none of the 3 exculpatory things you mention, and you know this just as well as the folks at Spamhaus know it. You only state these 3 things as hypotheticals... "what if I had done these 3 things?"... as if that is supposed to get you off the hook. You got RBL'd precisely because you *didn't* do these things, even though by including them in your 'whine' you have made it clear you know you *should* have done them.
Your clients got gagged with the RBL because of your "LAZY and IRRESPONSIBLE ACTIVITY!", not because Spamhausers didn't do their job.
noone1 is right in calling you on this. The only reason this occurred "all of a sudden" is because you were asleep at your desk until teach came along and gave you a cuff upside. If you aren't exercising due diligence and control, you and yours are precisely the reason the internet needs RBLs. Your protestations contrariwise carry about as much weight as a DWI blaming the judge for his driving suspension.
Somehow I must have missed the memo that said I was obligated to accept any packets whatsoever from your ISP. If I choose to immediately start ignoring your packets based on the fact that your ISP is a spam host, that is your problem, not mine. Think of it as an incentive to proactively keep your network clean.
sweintz (join: 2002-03-01, Chester, CT)
said by rizwan602: Your theory is wrong. This happened to us recently with spamhaus who labelled the entire subnet as a spammer where only 1 ip address was at fault which was removed. It took over 3 weeks to get delisted and we lost several customers.
How long did it take from the first spam report before you kicked the user off? If more than 24hrs, you are not doing your job.
Were there other factors? Were you hosting websites that were advertised in spam? ISPs need to watch for and be aware of that as well.
Do you check new account contact info against ROKSO listings? (You should!) Were they a ROKSO listed spammer? If so, you should not have ever given them an account in the first place. Spamhaus usually only lists an entire block if you are hosting a known ROKSO listed spammer. Inexcusable if you were.
Do you check news.admin.net-abuse.email regularly to see if any of your IP addresses are mentioned? Do you register the email address of your abuse desk with abuse.net? Do you have people dedicated to reading, evaluating and responding to spam complaints?
scooby (join: 2001-05-01, Schaumburg, IL)
You would be a moron for putting customers in the same subnets as your servers.
Wills (join: 2001-01-03, Port Charlotte, FL) | Re: What a non issue.
said by scooby: You would be a moron for putting customers in the same subnets as your servers.
It's an example. Unclench.
-- I have a shaved head, a goatee, and tattoos. Don't you realize the rules don't apply to me.
keith2468 (join: 2001-02-03, Winnipeg, MB)
Using Hotmail or Yahoo to avoid the effects of being on a blacklisted ISP doesn't usually work.
Hotmail records your individual IP address in the email header records it creates.
And usually it is those individual IP addresses that are blacklisted on a lawless ISP.
The only solution is for the customers of a lawless ISP to switch providers, or to push their ISP to clean up.
And if their customers don't want to do that, then their customers simply have to accept that many of the rest of us will choose to block their email.
-- (Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)
Steve (join: 2001-03-10, Yorba Linda, CA) | Mischaracterization of SPEWS
said by Matt Peachey, European director of Ironport software: "I would challenge the idea that all the net addresses they are blocking are spamming"
He knows better than this; SPEWS has never put forth that idea. Ever.
SPEWS starts by blacklisting just the spammers, and if that doesn't work, then it's obvious that the ISP doesn't really care about their customers spamming, so the whole ISP gets listed. This is nut squeezing by proxy.
It's perfectly fair to object to this approach on principle, but it's not OK to mischaracterize your opponents.
Steve
-- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA
Karl Bode | Re: Mischaracterization of SPEWS
Your point is correct, but you're really asking for honest discourse between the parties involved when one of them hides behind anonymity and is only available for communication via one-way newsgroup postings?
Steve (join: 2001-03-10, Yorba Linda, CA) | Re: Mischaracterization of SPEWS
said by Karl Bode: Your point is correct, but you're really asking for honest discourse between the parties involved when one of them hides behind anonymity and is only available for communication via one-way newsgroup postings?
You mean the spammers?
-- Stephen J. Friedl
Re: Mischaracterization of SPEWS
Hadn't you heard? There are no spammers anymore, since collateral damage is so effective. I'd be more impressed with them if they actually were: a. effective and b. accountable for error.
sweintz (join: 2002-03-01, Chester, CT) | Re: Mischaracterization of SPEWS
said by Karl Bode: Your point is correct, but you're really asking for honest discourse between the parties involved when one of them hides behind anonymity and is only available for communication via one-way newsgroup postings?
Um, what discourse is needed exactly? The terms of these services are clearly listed on their website (what causes listings, what it takes to make them go away, etc.).
Re: Mischaracterization of SPEWS
quote: what discourse is needed exactly?
Error accountability. But I've had that debate, and it bores the shit out of me.
My point was that demanding honest representation of SPEWS strikes me as disingenuous. I think you've got to expect some misrepresentation when you hide anonymously in digital caves and only speak via proxy servants....
scooby (join: 2001-05-01, Schaumburg, IL) | Spews rocks when you need something done.
Thank god. blueyonder.co.uk is a terrible spammer. We now need SPEWS to wake up Comcast.
Re: Spews rocks when you need something done.
You got that right. Between those two, and MCI, I clear over a hundred spam e-mails out of my wife's business mailbox every day. I ran SpamX for almost a month, and all it did was increase the amount of spam we got. Those ISP abuse departments don't give a crap about spam, as long as they're making money. Go SPEWS!
Re: Spews rocks when you need something done.
Do what I do. Connect your PC to a router with its firewall. Run SpyBot and Adaware regularly.... I stopped getting spam almost totally.
Re: Spews rocks when you need something done.
I have, and have always had, all that in place; it doesn't do any good. She uses Mozilla 1.2.1 for Mac OS 9.2.2, and its built-in e-mail client. Unless she switches OS, or browser/e-mail clients, it isn't going to change. MCI/Cyberonic does no spam filtering whatsoever, which doesn't altogether displease me. What does is the fact that I can't find an effective tool to deal with her spam problem unless she changes e-mail clients, or operating systems. She can't close her business e-mail to new clients, and she won't change her on-line surfing habits, or the IP address she web-shops from. I'm too lazy to try and adapt the limited filtering features of Mozilla 1.2.1 to mitigate the problem. So, it's spam city 'round here.
keith2468 (join: 2001-02-03, Winnipeg, MB)
I use spamcop.net to analyze and report my spam.
Blueyonder.co.uk is a fairly frequent source of the spam I receive.
Blueyonder's mail servers are untouched
Note that Blueyonder's SMTP servers are NOT among the ~million IPs on SPEWS. This block is relatively surgical and is clearly aimed at stopping zombied PCs from sending spam. It really shouldn't affect legitimate email leaving Blueyonder's net space.
keith2468 (join: 2001-02-03, Winnipeg, MB) | How To Tackle Blacklisting
As Steve points out, SPEWS (and other blacklist outfits) start out by blacklisting the actual source IPs of spam. If spam occurs much more frequently than is typical on a range of IP addresses, then they move to blacklisting that range of IP addresses.
The ISP is in control of this process. If the ISP investigates and terminates spamming customers, and helps customers with victimized computers secure them, the ISP will have industry average levels of spam and not be blacklisted.
ISPs have 3 main options in how to tackle this:
1. ISPs can tell their customers they don't care about security, that they don't care if the customers of other ISPs are spammed, and that they consider security to be a waste of profits. They can tell their customers to be satisfied that they can at least email each other.
2. ISPs can spend big bucks to manually tutor customers in cleaning infected machines and chasing spammers from their customer lists.
3. ISPs can use automated tools:
a) To filter infected email attachments and spam as it passes through their email servers (some of which links to infectious sites) inbound to their customers. (Customers should be able to alter the filter settings by themselves, but the filters should default to "on" for new customers.)
b) To detect and block scanning IPs (infected machines) trying to infect their customers. (Monitored decoy IP addresses would be one way to do this. Have 1000 decoy IP addresses quietly listening in their address space, and place a 24 hour block on any source IP that hits more than 5 or 10 of them in a 12 hour period.)
c) To promote software firewall, anti-malware and anti-viral software to their customers in their installation procedures, customer info update emails, and customer support website.
Maybe even arrange discount pricing for customers with the vendors on the basis that:
(i) An uninfected customer costs you less to service and support than an infected customer.
(ii) If customers are running software your support staff are familiar with, they cost less to support.
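The decoy-address scheme from option 3b above, as an added Python example that is not keith2468's code: the record format and the ten constructed decoy addresses (standing in for the thousand he suggests) are assumptions, while the 12 hour window, the "more than 5" limit and the 24 hour block follow the post.

```python
"""Decoy-address scan detection, as described in option 3b above.

Added example: hit records are "<ISO-8601 timestamp> <source-ip> <destination-ip>"
(an assumed format), DECOYS is a constructed set of ten unused addresses standing
in for the thousand the post suggests, and the thresholds follow the post."""
from collections import defaultdict
from datetime import datetime, timedelta

DECOYS = {f"10.0.{i}.250" for i in range(10)}   # constructed decoy addresses
WINDOW = timedelta(hours=12)                    # distinct decoys are counted over 12 hours
LIMIT = 5                                       # "more than 5" distinct decoys trips the block
BLOCK_FOR = timedelta(hours=24)                 # length of the resulting block


def parse_hit(line):
    """Return (timestamp, source_ip, dest_ip) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]
    except ValueError:
        return None


def decoy_blocks(lines, decoys=DECOYS, window=WINDOW, limit=LIMIT, block_for=BLOCK_FOR):
    """Replay time-ordered records; return {source_ip: (block_start, block_until)}.

    A source is blocked once it has touched more than `limit` distinct decoys within
    `window`; repeated hits on the same decoy count once, and a source already under
    an active block is not re-evaluated until that block expires."""
    last_hit = defaultdict(dict)     # source -> {decoy: most recent hit time}
    blocks = {}
    for line in lines:
        rec = parse_hit(line)
        if rec is None or rec[2] not in decoys:
            continue                 # only traffic aimed at a decoy counts as evidence of scanning
        ts, src, decoy = rec
        if src in blocks and ts < blocks[src][1]:
            continue
        hits = last_hit[src]
        hits[decoy] = ts
        for stale in [d for d, t in hits.items() if ts - t > window]:
            del hits[stale]          # forget decoys not touched within the window
        if len(hits) > limit:
            blocks[src] = (ts, ts + block_for)
            hits.clear()
    return blocks


def constructed_hits():
    """Constructed records: a fast scanner, a slow prober that never fills the window, a light touch."""
    base = datetime(2004, 11, 1, 0, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} 203.0.113.7 10.0.{i}.250" for i in range(6)]
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} 203.0.113.7 10.0.7.10")  # real host, ignored
    lines += [f"{(base + timedelta(hours=4 * i)).isoformat()} 198.51.100.9 10.0.{i}.250" for i in range(6)]
    lines += [f"{(base + timedelta(minutes=10 * i)).isoformat()} 192.0.2.33 10.0.{i}.250" for i in range(3)]
    return sorted(lines)             # replay in time order


if __name__ == "__main__":
    for src, (start, until) in decoy_blocks(constructed_hits()).items():
        print(f"BLOCK {src} from {start} until {until}")
```

The slow prober touches six decoys in total but only four inside any 12 hour window, so it is never blocked; lowering `limit` changes that, as the assertions show.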
sweintz (join: 2002-03-01, Chester, CT) | Re: How To Tackle Blacklisting
said by keith2468: As Steve points out, SPEWS (and other blacklist outfits) start out by blacklisting the actual source IPs of spam. If spam occurs much more frequently than is typical on a range of IP addresses, then they move to blacklisting that range of IP addresses. The ISP is in control of this process. If the ISP investigates and terminates spamming customers, and helps customers with victimized computers secure them, the ISP will have industry average levels of spam and not be blacklisted. ISPs have 3 main options in how to tackle this: 1. ISPs can tell their customers they don't care about security, that they don't care if the customers of other ISPs are spammed, and that they consider security to be a waste of profits. They can tell their customers to be satisfied that they can at least email each other. 2. ISPs can spend big bucks to manually tutor customers in cleaning infected machines and chasing spammers from their customer lists. 3. ISPs can use automated tools:
You forgot option 4, which I consider to be the best approach of all: quickly suspend any account that is causing spam complaints. If the account is found to be doing any kind of deliberate mass mailing, whether or not they claim it is "opt-in", IMMEDIATELY and PERMANENTLY terminate the account.
If it appears to be a trojaned/zombied machine, then give the user 1 (and only one) chance to clean it up. If it generates another complaint after you re-enable the account, then IMMEDIATELY and PERMANENTLY terminate the account.
nozzer (join: 2004-06-25, Waltham, MA) | That'll teach them not to block port 25 outbound
Port 25 outbound should be blocked by default. Only when a residential customer can demonstrate they know what they are doing should the block be removed.
noz