[Coco] Re: Boisy & Mark

John E. Malmberg wb8tyw at qsl.net
Sun Feb 27 16:39:14 EST 2005


Allen Huffman wrote:

> I've noticed these ISP spam blocks, which is really starting to be a 
> problem.  I use my server's mail server and since this box hosts 
> thousands of accounts other than mine, any one of those users could have 
> sent spam, got cancelled (so what, they don't care, they got their spam 
> sent) and now the box's IP is blacklisted rendering everyone else using 
> it unable to send mail.
> 
> There's gotta be a better way...

First of all, if you are going to complain about blocking lists, then 
much more information is needed.  The available blocking lists range 
from conservative ones, aggressive ones, all the way to ones that are 
slowly listing the entire internet.

So in order to put a reference on where the problem is, the specific 
blocking list needs to be identified, and the specific I.P.

With that information, there are many public places that the issue can 
be looked up to determine why the IP got listed, and when the first spam 
was reported coming from it.


So far, blacklisting is the only way to get most ISPs to look at their 
abuse e-mail box more than once a year if that often.  The ones that do 
pay attention generally do not get listed in anything other than the 
multi-hop lists, and the multi-hop lists are too aggressive for most 
people to use.

Almost all mail servers can use a blocking list as an absolute block, 
only a few can use it as a scoring system.  Some mail server operators 
may feel that the ability of some of the more aggressive lists to block 
spam balances their tendencies of having the occasional real e-mail to 
be rejected.

And any mail server operator using www.spews.org is making a political 
statement, especially if they are using level 2 to block.


And block listing has so far proved to be the most accurate method of 
separating real e-mail from spam.  Of all the mail servers that I get 
e-mail on, the ones that use blocking lists have the lowest reports of 
blocked real e-mail and of leaked spam, and also have the highest uptime.

In contrast, the mail servers that use primarily content filtering have 
been shown to both leak the most spam and have a significantly 
measurable amount of real e-mail also rejected, quarantined or black holed.

I have not seen in several years any other method proposed that would 
work better without increasing the costs for the recipient.

Keep in mind that while you may pay a fixed cost for your internet 
connection, when your connection gets big enough, you are paying a 
metered rate.  And when over 80% of the attempted e-mail delivery is 
spam, rejecting by the source I.P. is the only economical way to do it.

So whatever your better solution is, it cannot require any changes in 
the receiver's side.  Why should my email provider pay more so that 
other operators do not have to make sure that their servers do not send 
spam?

Blocking lists put the cost of spam sending on the networks that permit 
it to be sent.

It is very rare that a production mail server gets blacklisted without 
either the mail server operators ignoring abuse reports, and in most 
cases it is not because one of their users is intentionally sending 
spam, but because either there is a security problem in the mail server, 
or the mail server is abusively generating bounce or virus detected 
messages to forged addresses.

I have been monitoring several e-mail and blocking forums for several 
years.  Usually when someone complains of a real mail server being 
blocked and they claim their ISP is blaming the blocking list operators 
for blocking without notice, when the I.P. address is looked up on 
the places where spam is archived, it is found that notifications had 
attempted to be sent to the abuse or postmaster ISP for at least a week 
before the block was put in place, and usually longer.

An ISP that allows sign ups with immediate unlimited e-mail privileges 
will end up primarily hosting spammers, and usually eating a false 
credit card charge for doing so.  But usually the case is that the 
spamming is through a security hole.

For shared hosting, the two most common causes of spam are a PHP 
scripting exploit that effectively gives full control of the server to 
the spammer, and easily guessed passwords.

-John
wb8tyw(at)qsl.net
Personal Opinion Only



