Zombie Spam Blacklists Return From The Dead To Make A Point

from the if-your-mail-isn't-getting-through... dept

I have to admit that I don't follow the "spam" world as closely as I used to, but I remember back around 2003, one of the hot topics was whether or not the various spam blacklists went too far at times. The anti-spam fighters behind those lists would often take a rather... inclusive attitude to putting IP addresses and address ranges into their lists, and plenty of giant ISPs relied on the judgment of those spam fighters by simply plugging in their lists. This often resulted in significant collateral damage, as perfectly legitimate emails would get blocked as coming from a "spam IP." Of course, those lists needed to change frequently, but at times, they would just suddenly disappear. That last link was about a popular anti-spam blacklist from Osirusoft that was shut down -- with its owners changing the settings to include all addresses. The idea was to make it clear to ISPs who didn't pay attention, to stop using the list, but in the meantime, think of all the damage?

It looks like that same sort of thing may be happening six years later. Michael Scott points us to the news of another long-abandoned blackhole list, called blackholes.us, that was abandoned a couple years ago -- but which some ISPs still rely on. However, whoever now controls the nameservers where blackholes.us used to be, apparently decided to set up a new "list" that (again) includes the entire range of IP addresses -- so every query is returned as being a spammer IP.

Again, the idea is to force ISPs to stop using that blacklist -- and perhaps you can make the argument that (unlike the Osirusoft situation) these ISPs have had two years to stop relying on the "zombie" blacklist, but it still seems unwise to create so much collateral damage, just to force the issue.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    Rose M. Welch (profile), Oct 20th, 2009 @ 12:01am

    Disagree.

    Nope, makes sense to me. I think the damage is acceptable in this case.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Michael Vilain, Oct 20th, 2009 @ 1:24am

    I've seen both sides of this

    I contribute daily to SPAMCOP, a user-contributed blocklist. Anyone can add emails they consider spam to the block list which is parsed with Baysian and IP filters. The resulting list is used to filter email processed by SPAMCOP and some ISPs use it as a block list as well. Oftentimes, some spammer gets all cartoony in the support forums threatening to sue for being put on the blocklist. 48 hours later, if no more spam comes from that ISP, it drops off. But if there's a spammer on the ISP, more spam will be reported and the wait is longer.

    The other side of this is I administer a members-only listserv which sometimes gets flagged as spam by various ISPs. Everyone on this list has to personally send me an email and I verify them to be a dues-paying member of a professional organization. Roadrunner is the latest SPAM Nazi to blacklist the ISP serving the list and their support people have no clue why. It left the members using that ISP no access to the list until they moved to Gmail or just left. For many of the older members, Gmail is to much for them to fathom (really, I'm not kidding).

    I'm all for spam block lists, but I warn members to avoid ISPs that act unilaterally by denying stuff rather than just categorizing emails and putting them in a SPAM folder. Comcast and Hotmail also do weird things but they seem to be transient mistakes rather than anything permanent. And I still report spam to SPAMCOP.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Cynix, Oct 20th, 2009 @ 2:03am

    Yahoo has blocked email alerts from various legitimate forums and refuse to remove it when advised of their error from users and the forum admins. Muppets.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Pangolin, Oct 20th, 2009 @ 4:50am

    I don't get it

    Why not just remove the data?

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Oct 20th, 2009 @ 5:20am

    Re: I don't get it

    Judging from the story, they removed the blacklist two years ago. But ISPs were still sending requests to the address (using bandwidth - which of course is not free). Maybe they sent requests to the ISPs to stop, maybe not, it is not clear from the story.

    New owners were sick of getting hit with the constant traffic, so decided to make the ISPs wake up.

    Perfectly acceptable to me, so long as they tried to contact the ISPs first.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Oct 20th, 2009 @ 5:24am

    Re: I don't get it

    Because that is not nearly as much fun now is it?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Rich Kulawiec, Oct 20th, 2009 @ 5:36am

    There's much more here than meets the eye

    For starters, any mail system administrator that's not paying attention to their own logs is incompetent and fully deserves all the pain that things like this cause. Unfortunately, "incompetent" easily covers 90% of all mail system administrators these days, which is part of the reason why we have the problem set we do.

    More to the point, there exists a BCP document for DNSBLs that covers what to do in the case of DNSBL shutdown. Please see: "Guidelines for Management of DNSBLs for Email" which may be found at http://tools.ietf.org/html/draft-irtf-asrg-bcp-blacklists-05.

    Unfortunately, in this particular case, the procedure outlined in that document won't work because the new holders of the address space don't have control over DNS for the old domain. Alternate solutions are being pursued, and it appears that Chris Lewis (one of the authors of that document and one of the handful of people who's been working in the anti-spam arena as long as I have) is aware of it and in communication with those folks, so I have some hope that a reasonable course should be followed.

    Incidentally, the terribly misguided suggestion (upthread) that mail should be quarantined "in a spam folder" or equivalent should be ignored. It's a very bad idea and quite amateurish to use any kind of quarantine: all mail should either be accepted or rejected outright during the SMTP conversation. I've explained why at considerable length on the "mailop" list (see the archives) but the gist is that quarantines create far more problems than they solve, some of which are non-obvious.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Oct 20th, 2009 @ 7:01am

    Think about it from a datacenter point of view. There is unwanted traffic still going to that (those) IP(s). So this is a drastic but very effective method of making that traffic stop, so they can then re-lease the IP to someone else without all that unwanted traffic, simply because some lazy IT guy didn't feel like updating his 1 spam line in his mail config. I'm with them all the way and would have done the same thing.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Oct 20th, 2009 @ 7:28am

    Re: I don't get it

    Because then the use of the zombie blacklist would continue without consequence, and a HUGE amount of traffic would continue to flow through the servers of whoever owns it now.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Pangolin, Oct 20th, 2009 @ 8:34am

    Not buying

    I'm not buying this. The blacklist was accessed by NAME not by direct IP address. Just remove the DNS entry. All is now well.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Ilfar, Oct 20th, 2009 @ 9:08am

    Re:

    Agreed! Sometimes the only way to make people listen is to thump them on the head with a large stick.

    I've always enjoyed watching people get thumped with large sticks ^_^

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Oct 20th, 2009 @ 10:41am

    Re: Disagree.

    I agree.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    Dez (profile), Oct 20th, 2009 @ 10:42am

    Strange series of events

    Not a real comment... but it makes today's dilbert cartoon all the more relevant:

    http://dilbert.com/strips/comic/2009-10-20/

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Rich Kulawiec, Oct 20th, 2009 @ 2:22pm

    Re: Not buying

    As I said upthread, this is not as simple as it appears. If you will take the time required to familiarize yourself with the details of this particular case, you will find, as I said above, that the new holders of the address space don't have control over DNS for the old domain, thus they cannot do what you are you recommending.

    This matter has been discussed extensively in Usenet's news.admin.net-abuse.email, where a considerable number of further details are available. I would suggest that anyone considering a solution read the relevant articles in full before advancing their suggestion, as any number have already been put forth and summarily shown to be unworkable.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Eric, Oct 20th, 2009 @ 3:08pm

    Small correction

    Just a small correction to this summary. Blackholes.us was never a 'spam' blocklist. Its lists consisted of countries and providers regardless if they were spam senders or not. So if someone wanted to block all chinese or russian addresses, or block all of level3 or comcast, they were able to.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    nasch (profile), Oct 20th, 2009 @ 8:19pm

    Re: There's much more here than meets the eye

    It's a very bad idea and quite amateurish to use any kind of quarantine: all mail should either be accepted or rejected outright during the SMTP conversation.

    When you make a spam filter that is perfect, go ahead and reject all the spam. Until then, if the two choices are putting everything in my inbox or sending suspected spam to a spam box, I'll take the latter, thanks. Fortunately, mail providers are free to offer that service, and users are free to take it or leave it.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Robert A. Rosenberg, Oct 20th, 2009 @ 8:52pm

    Re: Re: There's much more here than meets the eye

    When you make a spam filter that is perfect, go ahead and reject all the spam. Until then, if the two choices are putting everything in my inbox or sending suspected spam to a spam box ...

    There is a 3rd option - Put everything into the Inbox BUT flag the suspected spam so the user can see that you feel the message is spam. IOW: Any message that would be directed to the spam folder is still sent to the inbox but altered to show it would have been directed to the spam folder.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Rich Kulawiec, Oct 21st, 2009 @ 5:08am

    Re: Re: There's much more here than meets the eye

    Of course no spam filter is perfect: that's why quarantines are a very bad idea. Like I said; the issue is non-obvious, which is anyone who hasn't studied it in depth is unlikely to even be aware of the many serious drawbacks.
    I direct your attention to the archives of the "mailop" list, where several people (including me) have contributed our expertise to the discussion.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Lina Inverse, Oct 21st, 2009 @ 9:44am

    About quarantines and that "mailop" list

    Rich Kulawiec: Given that the mailop list's archives are only accessible to list members, perhaps you could point us somewhere else?

    I'm certainly willing to believe quarantines are not ideal, maybe even bad, e.g. while searching for your name +quarantines etc. I found your argument WRT to plishing (users are very bad at detecting it, and I'll admit that only extreme paranoia plus the low hit rate problem (I have only two bank accounts or credit cards) has steered me clear), but "very bad"?

    I've always used systems with quarantines and/or suspicion marking and a pure "spam or not?" system would never satisfy me. Either too much genuine traffic gets scored as spam or too little (and I prefer the quarantine approach myself).

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This