Spam Fighting Part 2: Sources and Causes

By Ed Hurst | Posted at 10:20 PM

How did we get in this mess? How have we come to the place where a relatively small group of rogue Internet users are on the verge of bringing the whole thing to a grinding halt because of their short-sighted greed?

Defining Terms

To answer that requires we decide just what the Internet is, for the purpose of this discussion. Technically, we know the Internet is a network of networks. Networking two or more machines is something worked out long ago, deep in the mists of Unix history. Numerous institutions had such networks, mostly colleges and military labs that were researching this field of technology, at first. Publicly owned institutions gave birth to the Internet, but it quickly grew out of government hands and into private hands. It took entrepreneurs to make it economically efficient as a means of communication. You can read the details for yourself here on this linkpage, but for now it's enough to note that someone found a way to use phone lines, among other things, to connect these various private networks into one big network. The one thing that made it worth all the trouble for many was e-mail. With some fairness, we could say e-mail built the Internet.

Since then, this network of networks has grown, and is held together by a dozen or so "backbone" networking centers around the world, along with other major nodes here and there. While the colleges and military labs are still hooked into it, the Internet is now mostly a series of servers and lines owned privately or by corporations. It would be a serious error to think of the Internet in terms of a public accommodation. The vast majority of it is private property.

So far, that's been just fine. With a few exceptions, anyone in the world with a bit of money can get connected to this vast Electronic Freeway and enjoy its benefits. Still today, one of the primary uses of the Internet is e-mail. So important is e-mail that numerous services have arisen offering only that, many of them essentially free. Millions of people who might never afford to buy their own computer still have a webmail account, which they access from public or private terminals owned by others. In spite of all the high-powered uses of the Internet, its life-blood appears still to be e-mail. Only recently has Instant Messaging begun displacing some of its functions.

All those private and corporate servers pass e-mail along based on one simple concept: trust. Each entity that owns a piece of the Web is extending trust to all the other owners that everyone will at least try to play by the rules. Those rules of play were established long ago, and are evolving slowly to take in new ideas, new technology. Still, the whole thing is a Web of Trust. For now, all the money in the world can't replace that matter of trust based on voluntary compliance. Without apology I would say that is the way it should be. I'm hoping we can keep it that way.

Who Will Defend Us?

I'd be reluctant to call for my government to intervene or interfere at this point. We've seen examples of how badly government bureaucracies have fallen behind on understanding the Internet. It could be argued some other national governments have a better track record, and I can't speak for people living under them, but in general I don't trust governments. Nor would I care for major corporate control, for similar reasons. I subscribe to the notion that the end user is the purpose of it all and should rightfully rule in all decisions. I'd like to believe civilization makes possible resolving the problem of spam without a centralization of power over the Net in fewer hands. Such control would mean the end to all the freedoms offered by the Web that aren't available anywhere else.

Of course, there still needs to be some sort of "The Buck Stops Here" kind of agency. We will forever be torn between needing someone with the power to moderate disputes which threaten to harm bystanders, yet someone restrained enough to mostly stay out of the way. You may have read recently where something called ICANN (Internet Corporation for Assigned Names and Numbers) ordered one of those private entities that own the pieces of the Internet to shut down their "innovation." This was the brouhaha over VeriSign's move to redirect lookups of unregistered (often misspelled) .com and .net names to a page of their own ads, thrusting them in users' faces. This remains a bitter memory in the minds of serious Net users. VeriSign even sued ICANN for, of all things, doing its job. While the issue is currently quiet, no one can say when the melodrama will be over. The incident is an example of why new and ever more restrictive rules are written in every part of our world. While VeriSign's action may have arguably been within the rules as written, it was most certainly a violation of the expectations of all the other players. It was a violation of the Web of Trust. Every stupid and restrictive rule and law today is a direct result of someone else being stupid and pushing the envelope of accepted practice for private gain, for an unfair advantage.

You may also note that ICANN was accused of moving far too slowly on this problem. A couple of years ago, ICANN was proposing holding registrars accountable for not verifying DNS info, yet nothing changed. If you read ICANN's FAQ, you'll learn they make lots of rules, but have no real interest in enforcing them. They quickly pass the buck, but hope you'll keep those donations coming. They are the only ones in a position to do anything resembling enforcement, and they refuse more often than many would like. While they have a link on their website for comments from the public, it didn't work last time I checked. We find no champion of the defenseless there.

So where do you turn? The concept of "Web of Trust" would naturally indicate that we take our specific complaints to the owners, those entities that own the pieces of the Internet. I've already indicated that by common sense we know spam is essentially criminal in nature, because the spammers have no intention of playing by the rules. Whining to spammers about their spam is a sure guarantee you'll get more. So we go to the folks who make their spamming possible: their Internet Service Providers.

That's fine, but all too many businesses fail to understand what "Web of Trust" means, and they gladly accept spammers' dollars and ignore your complaints. We have a whole class of commercial providers who would prefer to push the envelope, and increasingly defy even established laws, to profit unfairly by abusing their trust. So we go up the line a bit to increasingly higher levels of ownership, and still run across far too many who refuse to act on abuse issues. Big companies can offer the advantages of economies of scale, and thus lower the price of connection, but they also tend to be more insensitive to complaints.

One proposal has been to change the whole protocol for e-mail handling (SMTP) and make it more difficult to abuse. Sadly, that's a long way down the road. We would still have to get the compliance of major players, players who stand to gain from not playing by the new rules. The problem of spam brought quite a few of those major players together a while back. One company has threatened to institute unilateral measures, in part just to be seen doing something even if it's wrong. Likely it's just another ploy to dominate the market. I wouldn't hold my breath waiting for it to work. Some of these same companies are directly responsible for part of our spam problem, and have demonstrated no real interest in doing anything about it -- aside from making public announcements.

I support the free market, but bullying is not a part of that. A free market is free on both sides of the transaction. What do the little companies do when swamped by the spewage of spammers hiding behind the cash registers of big companies? They call it blocklisting -- simply refusing to accept any e-mail from certain sources. Those who own the machines on the receiving end have a perfect right to refuse traffic from anyone else. It's all voluntary in the first place. When certain players refuse to honor the Web of Trust, they lose the privilege of connection. That's right; I said privilege.

Blocklisting


No one has the right to swamp your machine with electronic garbage, nor even the right to send you anything at all outside of official traffic. The guidelines require only that there be some way of contacting you if there are problems coming from your system. If the responsible parties involved in passing along that garbage won't do the right thing, you are fully justified in ignoring their traffic along with the garbage. Anyone who won't carry their own share of responsibility for the Web of Trust will lose all trust. Since my machine is a logical endpoint on the Internet -- a stand-alone dialup computer -- it's a simple matter of not accepting spam for my accounts. I am insignificant among the millions of recipients targeted by spammers. If I were a technician at a major Internet corporation, or a large college campus, and I blocked spam from your major Internet company by blocking all e-mail coming from you, it gets more interesting. Your customers won't be able to send legitimate messages, either. Those customers are likely to fuss about it. Those running the blocklists surely hope the customers fuss. The logic is creating a group of victims within an offending ISP, complaining about blocked messages, as a means of pressuring that ISP to get rid of their spammers. "Lose the spammers or lose the bulk of your legitimate customers."

Before anyone raises the hue and cry about innocent victims caught in the crossfire, they should consider the victims of the spamming. Consider the reality of what's happening. Do you accept 50MB of junk for the sake of 12 legitimate messages, or do you save yourself from wasting time and resources? Filtering content takes processing; accepting all traffic takes bandwidth -- doing nothing is not an option. In a world where no perfect answer exists, blocklisting is the lesser of evils, when done carefully. A provider that can't act against their spammers quickly has no business trying to profit from the Internet. They are violating others, violating the Web of Trust. However, our sense of fair play says we should try to minimize interfering with legitimate e-mail to and from end users who may have no idea what's going on. The systems administrators using blocklists must accept a certain responsibility for ensuring their lists accurately reflect the real threat, and not some mere personal or political choices. They owe that to their own users. They can't just blindly accept a list without agreeing to take the heat when the list has false targets.

SPEWS

There are a growing number of commercial outfits that sell the service of filtering e-mail based on content, header entries, etc. This, of course, requires letting the mail traffic in so as to be analyzed. Some services work by simply blocking certain known sources of spam, so nothing at all is transmitted beyond the initial contact between machines. Because these commercial filtering/blocking companies are selling a service, they tend to be less restrictive in what they block. When money changes hands, there's a higher burden of liability, called a contract. Barratry is always a threat in contracts. There are also a handful of volunteer operations, not beholden to anyone. They can be frankly brutal. One in particular takes a lot of heat: SPEWS -- the Spam Prevention Early Warning System. The people involved in SPEWS are volunteers; nobody makes money off the service, as far as I can tell. The service is free to anyone. No one openly admits to being a member of the team that decides whom to block; it's all anonymous. It's also very effective and quite popular with overworked systems administrators.

Personally I prefer the atmosphere with the folks at Spamhaus, but then I make no pretense of experienced systems administrator judgement. I simply like their apparently open process. There are quite a few different services and you should check them all, if you can, before selecting one or more. One of my primary arguments with the supporters of SPEWS is the complete lack of accountability. While that may be no more than a means to prevent bogus lawsuits, it also breeds a mean streak. I can't rightfully make the broad accusation that SPEWS is hateful, but I will say some of their supporters are. It is simple human nature that, when completely shielded from all repercussions, we all tend to become arrogant and arbitrary. Those who dare to criticise the procedures of SPEWS are automatically dismissed, branded as supporting spam and spammers. It would seem the message to outsiders is there is no such thing as a valid criticism of the SPEWS system.

SPEWS is essentially a database of IP addresses that are identified as sources of spam, with files showing evidence to support that. If the folks who own IPs from which spam issues respond to complaints about the spam, they generally aren't listed for blocking. If they fail to take verifiable action, or respond with hostility, the IP address is listed for blocking. The database is rather actively maintained, and updated quite often. Because the list is published through DNS (a mail server checks an address by looking up a specially formed name under the list's zone, and gets an answer only if the address is listed), it is commonly referred to as a DNS blocklist (DNSBL). The complaints against SPEWS allege it is too easy to get on their list, and too hard to get off. My personal research indicates this is partly true, with comments to penitents along the lines of, "We'll keep an eye on you for a month or two." Don't take my word for it; read the SPEWS website for yourself, check the evidence files for some of their listings. If you own some of what they are blocklisting, their website is the key to getting de-listed. Their stated requirements are pretty clear, and sound quite fair. The idea is that you shouldn't have to be notified directly by SPEWS if you are listed. The SPEWS team make all their complaints as individuals. A valid complaint is valid regardless of the source.

It's also valid regardless of the target of the complaint. The difficulty comes with judging what constitutes a valid complaint against either side. If the mere possibility of negative press for SPEWS generates a stream of invective and profanity from supporters, then it's just a matter of electronic warfare, plain and simple, with no claim to moral high ground. As long as the SPEWS administrators don't identify themselves, they cannot separate themselves from their rabid defenders. The harshest verbiage I've seen from either side concerns the issue usually referred to as "collateral damage" -- the blocklisting on SPEWS is wide enough in some cases to stop messages from rather large numbers of Internet users. SPEWS' stated intention is to expand the blocklist to include ever larger portions of the webspace owned by the entities they deem responsible for violating the Web of Trust, until those entities get a clue.

For many, the problem with this is two-fold: (1) In some cases, the upstream provider is targeted. This ignores the very real and legitimate responsibility assumed by subcontractors who rightfully deserve to be targeted. (2) It assumes the innocent victims have a choice in buying services, when they may not. While the stated objective of SPEWS is getting victims to pressure their provider, or move their account, the defenders curtly dismiss any protest that either of those options may not exist in some cases. Your losses are your problem. They make insufficient effort to fine-tune the process by exempting or "whitelisting" even their erstwhile allies.

The opposite of blocklisting bad guys is to whitelist good guys. That means putting certain senders from blocked IPs on a list to accept before the block is applied. Consumers of SPEWS' services get a quick and easy method for automatic blocklisting, but whitelisting must be done manually by each user of SPEWS. Obviously, this tilts the odds against anyone seeking exemption, since they have to contact each individual service user. Oddly, those who take the initiative are usually successful in getting whitelisted by the various users of SPEWS, and can get their messages through to customers that have asked for them. SPEWS activists reject consideration of requests for assistance in this. This results in charges that their service borders on extortion -- "Get involved on our side or be a target!" Instead of end users complaining to their ISP about outgoing mail blockage, end users on the receiving end could rightfully complain against their ISP for using SPEWS. You'll have to decide for yourself which is the worse violation of the Web of Trust.
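To make the mechanics concrete, here is an added example (my own code, not from the original article and not SPEWS's software) of how a receiving mail server consults a DNSBL and applies a local whitelist before the block, as the two preceding sections describe. A DNSBL is queried by reversing the octets of the connecting IP and looking that name up under the list's zone; a listed address answers with an A record in 127.0.0.0/8, an unlisted one gets NXDOMAIN. The decision is made at connect time, before any message data is accepted, which is the "nothing at all is transmitted beyond the initial contact" mode discussed earlier. The zone name `dnsbl.example`, its entries, the return code `127.0.0.2` and the sample addresses (all from the RFC 5737 documentation ranges) are constructed for this example and are not SPEWS's data.

```python
"""DNSBL lookup with whitelist-before-block, as a mail server would do it at connect time.

Added example. The zone, its contents and the return code are assumptions, not
data from any real blocklist.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple

# Constructed stand-in for a published DNSBL zone: reversed-octet name -> A record.
FAKE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example.": "127.0.0.2",   # 192.0.2.10 listed (constructed)
    "5.113.0.203.dnsbl.example.": "127.0.0.2",  # 203.0.113.5 listed (constructed)
}

Resolver = Callable[[str], Optional[str]]


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver: A record for a listed name, None for NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name)


def live_resolver(name: str) -> Optional[str]:
    """For real use: gethostbyname raises gaierror on NXDOMAIN, i.e. 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the list's zone, as an FQDN."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def dnsbl_lookup(ip: str, zone: str, resolver: Resolver = fake_resolver) -> Optional[str]:
    """Return the list's answer if ip is listed in zone, else None."""
    answer = resolver(dnsbl_name(ip, zone))
    if answer is None:
        return None
    # A genuine listing answers from loopback space. Anything else (a dead list
    # whose domain now wildcards everything, for instance) is not a listing, and
    # treating it as one would block all mail.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def connect_policy(ip: str, whitelist: Iterable[str], zones: Iterable[str],
                   resolver: Resolver = fake_resolver) -> Tuple[str, str]:
    """Decide the SMTP greeting for a connecting IP before any DATA is accepted.

    The local whitelist (CIDR strings) is checked first, so a sender the
    administrator has exempted gets through even if every list has them.
    Returns (smtp_code, reason): "220" to proceed, "554" to refuse.
    """
    addr = ipaddress.IPv4Address(ip)
    for net in whitelist:
        if addr in ipaddress.IPv4Network(net):
            return ("220", f"whitelisted by {net}")
    for zone in zones:
        code = dnsbl_lookup(ip, zone, resolver)
        if code is not None:
            return ("554", f"listed in {zone} ({code})")
    return ("220", "not listed")


if __name__ == "__main__":
    for client in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(client, connect_policy(client, ["203.0.113.0/24"], ["dnsbl.example"]))
```

The whitelist here is per-server configuration, which is exactly the point of the preceding paragraph: a sender has to get each DNSBL-using site to add an entry like `203.0.113.0/24`, because the list itself offers no exemption mechanism. Swapping `fake_resolver` for `live_resolver` turns this into a real query against whatever zone you name.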

Wrangling with Words

You will no doubt hear from the defenders of SPEWS: "SPEWS doesn't block anybody; they just provide a list. Individual administrators decide whether to use that service." Strictly speaking, that is true. However, an older saying is that appearance is reality. That is, in purely pragmatic terms, the supporters of SPEWS have to face the reality of public perception. That perception places the blame on SPEWS as responsible for this overly zealous blocking. SPEWS is largely losing the public relations battle.

Part of the reason for this is their choice to remain anonymous. Right or wrong, with that choice come certain consequences. I've already said SPEWS cannot separate itself from its most obnoxious supporters. Beyond that, SPEWS-the-service cannot separate itself from SPEWS-the-network-of-clients using that service. In a very real sense, then, SPEWS is indeed responsible for the blocking. That's the whole purpose of the list in the first place, and of the business-like website which advertises their service. To claim SPEWS does no blocking comes off as pedantic nit-picking. For supporters to say, "I just use what they give me" is verbally dodging the other way. You end up with two entities pointing fingers back at each other, which guarantees the public perceives them both as guilty and as together one big problem. And it brings us right back to my primary complaint: lack of accountability to the rest of the Web.

Ethical blocklisting offers de-listing as soon as the complaints are resolved. The SPEWS FAQ at one time stated boldly

You will probably have to wait a while, both while SPEWS makes sure you really did shut down those customers, and to give you a bit of time to think about how you got in SPEWS and how to stay out in the future.

While I note that the statement disappeared from their FAQ page sometime before January 2004, I can state with certainty it was there before that. Whether SPEWS would admit this is a change in policy, or even admit the FAQ had been edited, is unknown. I suspect that sort of vindictiveness continues to be their unstated policy.

The Next Step

No one denies SPEWS is effective against spam. Much bigger than the service they provide, SPEWS is a symbol of the resistance from the grass roots level. The consumers of Internet services are the Davids, and spammer hosts are Goliaths. Large commercial entities often resemble Goliath, it seems. It's never that simple, but close enough for many end users to feel powerless and angry, searching for a weapon -- any weapon. When whole regions of the Internet -- virtually and geographically -- refuse to bear the responsibilities of the Web of Trust, it's obviously a culture war. Indeed, if you read postings on the newsgroup news.admin.net-abuse.email, you'll find several whole countries, it seems, are routinely blocklisted by many systems administrators. Current whipping boys include China, Korea, Brazil, and Spain. Spammers hosted in these countries may find other services from which to send spam, using throw-away accounts or hijacking servers, for example. However, most of the messages link back to sites in these countries willing to host spammers.

If you follow the logic, you know the next step in this escalating war is to block all traffic coming from those countries. For now, most ISPs would be willing to use e-mail blocklists, but won't go so far as firewalling. Yet there are a growing number of smaller listing operations doing just that. There are several major Internet hosting companies that are in the same boat as spam-friendly countries, already experiencing that firewall effect here and there, because they refuse to act responsibly about abuse.

Obviously, it's impossible to block or filter all spam perfectly. To connect to the Internet at all will guarantee a certain amount of unwanted traffic slips past even the most extensive filtering. While waiting for the delayed reaction to wholesale blocking, the vague possibility of corporate solutions, or -- Heaven forbid -- government action, or even a genuine technological solution, there are some actions you and I can take to hurry things along.

That's for the next article.