Politech mailing list archives

FC: Three tales of firsthand problems with "anti-spam" blacklists


From: Declan McCullagh <declan () well com>
Date: Tue, 09 Jul 2002 16:03:03 -0400

Previous Politech message:

"David Scott Anderson: An unapologetic resume spammer, and a twist"
http://www.politechbot.com/p-03730.html

As a brief followup to my earlier message, I give the SpamCop folks (some of whom subscribe to Politech) high marks for responsiveness, although they also incorrectly listed my mail server as spam for 18 hours on Feb. 11. But the relays.osirusoft.com admin never explained why my server was blacklisted last week without a check performed first.

-Declan

---

Date: Mon, 8 Jul 2002 21:31:03 -0700
From: "James J. Lippard" <lippard () discord org>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: David Scott Anderson: An unapologetic resume spammer, and a twist

I've also had problems with "jump-the-gun" blacklists--spamcop's blacklist
has incorrectly listed securityfocus.com's mail server a few times.

My most reliable spam filter seems to be Spam Assassin
(http://spamassassin.taint.org).  Spam Assassin is a spam scoring mechanism
that can be used in conjunction with procmail to filter, saving copies
of messages tagged as spam for periodic examination.  It also can be
used in conjunction with Vipul's Razor, where you report message body
hashes to a central server, and Spam Assassin downloads the hashes reported
by others periodically, so that you can be prepared to block spams that
others have already received.

--
Jim Lippard        lippard () discord org       http://www.discord.org/
GPG Key ID: 0xF8D42CFE

---

From: "Bort, Paul" <pbort () tmwsystems com>
To: "'declan () well com'" <declan () well com>
Subject: The dark side of spam prevention (was David Scott Anderson: An unapologetic resume spammer, and a twist)
Date: Tue, 9 Jul 2002 13:31:02 -0400

Declan,

Our company was recently blacklisted as well, with the www.spews.org system,
which blocks by IP address. Our IT staff spent a couple of weeks trying to
figure out how this had happened, and how to contact SPEWS to get us
removed. They not only appear to have an add-first-and-check-later policy
similar to the one you encountered, but they also seem to consider
themselves infallible. In our case, it took us a while to find why we were
being blocked because they had added a very unclear IP address range to
their files (their record # S888):

1, 64.211.95.0/23, COWLES/LUSKY/RALSKY / "XStrings/1.001" / Bridgecom.com (gblx.net)
1, 65.168.225.0/23, COWLES/LUSKY/RALSKY (Sprint)

In both cases, a /23 network is described with the third octet being
an odd number. "64.211.95.0/23" means that the first 23 bits of
64.211.95.0 plus 9 zeros is the lowest address of the subnet, and that
the first 23 bits of 64.211.95.0 plus nine ones is the highest address
of the subnet. In this case, that's 64.211.94.0 through 64.211.95.255.

This caused our subnet to be blocked even though it wasn't obviously on the
list. SPEWS' web site suggests that if there is something wrong with their
data, I should post to net.admin.net-abuse.email describing the problem.
This caused what appeared to be a knee-jerk reaction to expand the IP
addresses covered by the block to any address that might have been
originally intended: 64.211.94.0 - 64.211.96.255.

Further examination of their records led me to post a second message on
nanae, asking to have our range removed and suggesting a plausible
explanation for the error (namely, that the subnet should have been /25
instead of /23, which would be consistent with the starting IP address
specified and the details included in their record.) A couple weeks later,
they removed us from their list.

If I found two bad address ranges in just that one record, how many false
positives are scattered throughout their database? Similar to your concern
that a netizen might be intimidated by a spammer's harangue, I am concerned
that blacklistings like the one we were subject to are very difficult to
correct without a good understanding of CIDR and a little luck. One of the
things that helped us was that while our e-mail administrator was getting
frustrated and upset about this, I managed to stay calm enough to be polite
in my newsgroup postings. From the rude messages others had posted to nanae
regarding SPEWS, I suspect that shouting would not have gotten me very far.

References:
My postings to nanae:
http://groups.google.com/groups?q=blacksilver23517&ie=UTF-8&oe=UTF-8&hl=en

The SPEWS Record that we were included in: (which is now much shorter than
it was in April)
http://spews.org/html/S888.html

And finally, SPEWS contact policy:
http://spews.org/faq.html (Question 41)

Please feel free to publish or excerpt this message for the list if you
would like. I'm available at pbort () tmwsystems com if you have any questions.

Paul Bort
Systems Engineer
TMW Systems, Inc.
pbort () tmwsystems com
blacksilver23517 () mail yahoo com

P.S. Thanks for running a great list. It's a bit of sanity amidst the chaos.
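
Added example (not part of Paul Bort's message, and not SPEWS's own tooling): a Python check for the misalignment described in the message above, where a /23 entry is written with an odd third octet. It parses the two quoted record lines, reports the range each entry really covers, and tests a constructed address against them; the "level, network, note" layout is assumed from those two lines, and 64.211.94.10 is a made-up sample address.

```python
import ipaddress

# The two entries quoted in the message; "level, network, note" layout assumed.
RECORD = """\
1, 64.211.95.0/23, COWLES/LUSKY/RALSKY / "XStrings/1.001" / Bridgecom.com (gblx.net)
1, 65.168.225.0/23, COWLES/LUSKY/RALSKY (Sprint)
"""

def widest_aligned_prefix(addr):
    """Shortest prefix length for which addr is a valid network base address."""
    n = int(ipaddress.ip_address(addr))
    trailing_zero_bits = (n & -n).bit_length() - 1 if n else 32
    return 32 - trailing_zero_bits

def audit_entry(line):
    """Describe what one 'level, network, note' line really covers."""
    _level, cidr, _note = (f.strip() for f in line.split(",", 2))
    iface = ipaddress.ip_interface(cidr)   # keeps the address as written
    net = iface.network                    # same prefix with host bits cleared
    return {
        "written": cidr,
        "aligned": iface.ip == net.network_address,
        "first": str(net[0]),
        "last": str(net[-1]),
        "widest_prefix_at_written_base": widest_aligned_prefix(str(iface.ip)),
        "network": net,
    }

def audit(text):
    return [audit_entry(line) for line in text.splitlines() if line.strip()]

def covering_entries(addr, entries):
    """Return the entries, as written, whose effective range contains addr."""
    ip = ipaddress.ip_address(addr)
    return [e["written"] for e in entries if ip in e["network"]]

if __name__ == "__main__":
    entries = audit(RECORD)
    for e in entries:
        flag = "ok" if e["aligned"] else "MISALIGNED"
        print(f'{e["written"]:<18} {flag:<10} covers {e["first"]} - {e["last"]}; '
              f'base address is valid for /{e["widest_prefix_at_written_base"]} or longer')
    # 64.211.94.10 is a constructed sample address, not one from the message.
    print(covering_entries("64.211.94.10", entries))
```

`ipaddress.ip_network()` in its default strict mode raises `ValueError` for both entries, which makes it a cheap gate to put in front of any list import.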

---

Subject: RE: David Scott Anderson: An unapologetic resume spammer, and a twist
Date: Tue, 9 Jul 2002 01:39:08 -0700
From: "Clinton D. Fein" <clinton.fein () apollomedia com>
To: <declan () well com>

Hi Declan:

I was sorry to learn about your "spam incident," and couldn't agree with
you more that the current systems designed to prevent abuse are
fundamentally flawed, and often end up doing a disservice to the wrong
people.

A couple of years back, before Mindspring was purchased by Earthlink,
Mindspring blocked all postcards that were sent from annoy.com by adding
it to their "Spaminator" service (which is now an Earthlink offering).
While annoy.com postcards are not exactly Hallmark, and since we do not
authenticate the identity of the sender (allowing for anonymous
communications), we specifically have not enabled the ability to send
bulk communications, and certainly are not attempting to sell any
commercial services. In fact, in six years, we have yet to send one
email message to our own registered users.

Despite numerous attempts to get Mindspring to take annoy.com off their
list, Mindspring deemed that merely facilitating unsolicited
communications met their definition of spam, and refused to remove
annoy.com from their list. (This despite their own "refer a friend"
service, or the countless "Send this Story to a Friend" features on most
news sites). Wired News covered the incident at the time
(http://www.wired.com/news/topstories/0,1287,19680,00.html ) which was
helpful in focusing attention on the definitions of spam, unsolicited
vs. unwanted communications, commercial vs. non-commercial
communications and the extent to which complaints by consumers are
appropriately managed. As you appear to have discovered for yourself,
dealing with such accusations is time consuming and tedious, but in
addition, there are other more serious implications.

To erroneously list or characterize the communications of any service,
whether it's annoy.com or Politech, as spam can dilute the trademark of
the service, or the credibility and well earned reputation of a service
like Politech. If Mindspring blocked annoy.com because they felt we
suck, or because our content is awful or whatever reason they wanted to
block us for, by all means. But to simply list us as spam is ridiculous.
It's the equivalent of our placing Earthlink on a list of pedophiles,
because there may be a chance that some of their customers collect
child-pornography, and simply because one of our users requested it
because they don't like Earthlink.

In addition, both annoy.com and Politech genuinely block delivery to a
specific email address upon request from the email address owner. More
than I can say for most other companies that facilitate postcard or
other content delivery systems.

Finally, certain states define spamming as a criminal activity, the
accusation of which is not to be taken lightly. It is encouraging to see
that SpamCop considers false accusations a violation of their rules, and
lends a glimmer of hope that future systems will recognize or
investigate genuine reports of spam such as your initial one, as opposed
to false accusations such as Anderson's. However, until companies like
Earthlink clearly define what spam is -- is sending an unsolicited
resume to you, for instance, spam if it is deliberately mailed to you
because the sender knows who Declan McCullagh is? -- this problem will
only worsen, damaging a lot of innocent people and organizations in the
process. (I don't know whether annoy.com is still on the Spaminator
list, since it is no longer accessible to the public).

Your recent unpleasant experience reveals the complexity of the
situation - still unresolved and fraught with problems years later. In
much the same way that people's anxiety over perceived privacy
violations often tends to cloud their First Amendment inclinations, the
definition of spam and the technological and social protocols around it
could definitely use some clarification.

Clinton
_____________________________________

Clinton Fein
Editor & Publisher
Annoy.com
370 7th Street, Suite 6
San Francisco, CA  94103
Phone: 415-552-7655
Fax: 415-552-7656
http://annoy.com/
_____________________________________

---




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

