Best Practices for Being Permanently Added to the RBL

RBL Working Group                                              Ben Black
INTERNET DRAFT                                          Layer 8 Networks
Obsoletes: draft-ietf-rbl-selfdefense-00.txt

                                                           November 1998
                                                        Expires May 1999

         Best Practices for Being Permanently Added to the RBL
                 <draft-ietf-rbl-permanent-00.txt>

Status of this memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), or ftp.isi.edu (US West Coast).

Abstract

   The Realtime Blackhole List (RBL) service from the Mail Abuse
   Protection System (MAPS) is a completely free and voluntary system
   for creating intentional network outages to limit the propagation
   of unwanted, unsolicited, mass e-mail (SPAM). Many purveyors of
   SPAM and SPAM-related services have had little trouble in getting
   themselves added to the MAPS RBL, but certain providers of web
   hosting services whose customers engage in SPAMMING have expressed
   concern that at some point in the future they may be removed from
   the MAPS RBL, exposing millions of innocent e-mail users to a
   barrage of SPAM. This document offers a description of the best
   current practices for guaranteeing that your company stays on the
   MAPS RBL.

1. Terminology

   Throughout this document, the words that are used to define the
   significance of particular requirements are capitalized. These words
   are:

      - "MUST"
         This word or the adjective "REQUIRED" means that the item is an
         absolute requirement of this specification.

      - "MUST NOT"
         This phrase means that the item is an absolute prohibition of
         this specification.

      - "SHOULD"
         This word or the adjective "RECOMMENDED" means that there may
         exist valid reasons in particular circumstances to ignore this
         item, but the full implications should be understood and the
         case carefully weighed before choosing a different course.

      - "SHOULD NOT"
         This phrase means that there may exist valid reasons in
         particular circumstances when the listed behavior is acceptable
         or even useful, but the full implications should be understood
         and the case carefully weighed before implementing any behavior
         described with this label.

      - "MAY"
         This word or the adjective "OPTIONAL" means that this item is
         truly optional. One vendor may choose to include the item
         because a particular marketplace requires it or because it
         enhances the product, for example; another vendor may omit the
         same item.

2. Best Practices

   Although there are many successful methods for achieving a lifetime
   membership in the RBL, the following have proven the simplest and most
   expedient.

2.1 Verbally Harassing the Maintainers of the RBL

   The maintainers of the MAPS RBL are all volunteers with an interest in
   making the Internet less of a haven for nefarious SPAM merchants.
   This is a fundamental technique which SHOULD be attempted by ALL service
   providers wishing to burn all possible bridges.

2.2 Sending SPAM Demanding Removal from the RBL

   Nothing says "Blackhole me!" like sending an unwanted mass mailing to
   potential subscribers of the MAPS RBL service. Service providers
   in the market for a new line of work unrelated to the Internet MUST
   SPAM as MANY other service providers as possible to maximize their
   chances at a coveted RBL Blackhole Lifetime Membership.

2.3 Threatening Lawsuits

   Even the most stalwart RBL maintainer may later have mercy if
   only the suggestions in Sections 2.1 and 2.2 are followed. To avoid
   this eventuality, service providers SHOULD threaten to sue not only
   the RBL maintainers, but also all RBL subscribers.

   When responding to queries regarding the upcoming legal action,
   providers MUST NOT resort to the use of logic and common sense. Hard
   work definitely pays off in this area.

2.4 Proper CAPITALIZATION

   One of the keys to a successful SPAM demand or threat is proper
   capitalization. Unlike normal English usage, providers MUST randomly
   capitalize ENTIRE words for no APPARENT REASON. E-mail which
   follows this rule is certain to have a major impact on all readers.

3. Example of Advanced Techniques

   This outstanding example illustrates a complete mastery of all the
   techniques listed above. The sender of this message is obviously
   highly motivated in his quest to remain on the RBL until the end of
   time.

-- start --

Oh dear, I let a little typo slip through (left as an exercise for the
reader). The corrected text can be found at:

http://www.layer8.net/~black/draft-ietf-rbl-permanent-00.txt

Enjoy.

Ben

Excellent!

It's sad but I should agree. From my point of view such systems make more
problems than they solve. RBL is not the worst example, though; ODBS (or
what's the exact name of this crazy system) is.

black@layer8.net (Ben Black) writes:

>RBL Working Group Ben Black
>INTERNET DRAFT Layer 8 Networks
>Obsoletes: draft-ietf-rbl-selfdefense-00.txt

this draft is now available online at

  http://maps.vix.com/rbl/draft-ietf-rbl-selfdefense-00.txt

and yes, it has a link from

  http://maps.vix.com/rbl/

OK, given, this guy is a flaming moron, and the original message was
completely out of line. HOWEVER, it seems to me he raises at least one
valid objection. It seems to me, both from his allegations and from the
phraseology of the "Best Practices for Being Permanently Added to the
RBL", that web hosting services are being treated unfairly in the
following circumstance:

Company S(pam) has a web site, hosted on the servers of
web-presence-provider Company P(rovider). Company S uses the services of
Company X to send out massive loads of SPAM, with referencing the web
site and even e-mail addresses hosted by Company H. Now, if I'm hearing
what's being said on this list correctly, Company H is being expected to
pull the website they host for Company S (or else be blackholed), _even
though no illegal or spam-generating activity is being generated on
their network_.
Am I understanding this correctly?!?
By this philosophy, it would seem that if I were to host the web pages
of a company which engaged in unwelcome telemarketing (which I
personally find much more offensive than SPAM, and which is no more or
less illegal in most states), I would be under an obligation to cease
providing service to that company!

So, given the earlier threads about annoying UUNET marketing folks,
let's blackhole all mail that comes from UUNET. Oh, and also mail that
comes from anyone who peers with them. And of course any mail that has
to be transported over those evil people's networks.....wait a sec,
why's my inbox suddenly empty, where'd the internet go???

Maybe I'm misinterpreting the policies here, but I didn't hear anyone
disputing the actual complaints of this guy, which can only lead me to
believe that either A) This guy was actually treated unfairly, and has a
valid complaint, or B) Nobody cares enough to say "hey, wait a minute,
there's been a failure in communication, let's see if we can work this
out."

So, what's up, guys? I'd hate to think a great thing like the RBL is
being abused to squash people who we just happen to find annoying.

>By this philosophy, it would seem that if I were to host the web pages
>of a company which engaged in unwelcome telemarketing (which I
>personally find much more offensive than SPAM, and which is no more or
>less illegal in most states), I would be under an obligation to cease
>providing service to that company!

Telemarketing is not network abuse. Spamming is network abuse. Moreover,
it's network abuse that can and often does directly impact the operations
of the site to which the spam is pointing. Moving from the realm of
philosophy to the hard, cold facts of contract law, you need to remember
that in drafting your usage agreement you are the master of the universe
created therein. You are not only within your rights to prohibit behavior
affecting your system integrity, some might say you are obligated by your
duty of diligence to your employer, clients, shareholders, partners, etc.
If the client doesn't like the contract, they can go elsewhere: the essence
of the free market. But if your contract doesn't give you the right to
terminate a spammer, then you need to find a new lawyer.

-Ray

-- ------------------------------------------------------------------
Ray Everett-Church (RE279) * More info: <http://www.everett.org>
Attorney/Internet Consultant * Opinion(REC) != Opinion(client(REC))
This mail isn't legal advice. * Outlaw Spam = <http://www.cauce.org>

>Company S(pam) has a web site, hosted on the servers of
>web-presence-provider Company P(rovider). Company S uses the services of
>Company X to send out massive loads of SPAM, with referencing the web
>site and even e-mail addresses hosted by Company H. Now, if I'm hearing
>what's being said on this list correctly, Company H is being expected to
>pull the website they host for Company S (or else be blackholed), _even
>though no illegal or spam-generating activity is being generated on
>their network_.
>Am I understanding this correctly?!?
>By this philosophy, it would seem that if I were to host the web pages
>of a company which engaged in unwelcome telemarketing (which I
>personally find much more offensive than SPAM, and which is no more or
>less illegal in most states), I would be under an obligation to cease
>providing service to that company!

Not to mention being the ultimate DoS: sending out loads of useless
SPAM that appears to come from a competitor, getting them kicked off
their Net.

>phraseology of the "Best Practices for Being Permanently Added to the
>RBL", that web hosting services are being treated unfairly in the
>following circumstance:

First, nobody gets "permanently added" to the RBL. There are well
documented methods for getting off the RBL once added to it.

Besides, the RBL is a service the users of which have asked for. i.e. it
is totally opt-in. If I choose to not communicate with networks/hosts
that the RBL maintainers deem unfavorable, that's my decision. At least
that's what we're assuming. I haven't seen any law saying I have to make
my network talk to any other network that happens to be connected to the
internet. If the RBL is found to be illegal, what's next? Sprint's prefix
filters? If I'm connected to the net, and advertise a /32 via BGP, they
better see the advertisement and talk to me, or they're cutting their
entire network and their customers off from part of the net.

>Company S(pam) has a web site, hosted on the servers of
>web-presence-provider Company P(rovider). Company S uses the services of
>Company X to send out massive loads of SPAM, with referencing the web
>site and even e-mail addresses hosted by Company H. Now, if I'm hearing
>what's being said on this list correctly, Company H is being expected to
>pull the website they host for Company S (or else be blackholed), _even
>though no illegal or spam-generating activity is being generated on
>their network_.
>Am I understanding this correctly?!?

Yes...but I think you messed up the lettering above and Company P =
Company H. Am I right? The reasoning for this is that in such cases, the
spammer is likely to use disposable spam accounts with numerous dialup
providers, and there is no effective way to go after them. Each provider
just closes the account when they get buried with complaints. Shutting
down the web site is akin to staking out the home of a burglar. You
don't know where he'll strike next, so your odds of catching him in the
act are poor, so you nail him at home.

>By this philosophy, it would seem that if I were to host the web pages
>of a company which engaged in unwelcome telemarketing (which I
>personally find much more offensive than SPAM, and which is no more or
>less illegal in most states), I would be under an obligation to cease
>providing service to that company!

Many providers against spam have things like the following in their AUP:

   _3.7a_ The account holder agrees to not, under any circumstances, send
   unsolicited mass emailings from any Internet account (at FDT or
   elsewhere), nor to use FDT services for the collection or distribution
   of address lists to be used for such purposes. The account holder
   agrees to not, under any circumstances, associate FDT with any such
   mass mailings.

This basically says, you can't spam, period. If you do, from here or
anywhere else, we can terminate you.

>believe that either A) This guy was actually treated unfairly, and has a
>valid complaint, or B) Nobody cares enough to say "hey, wait a minute,
>there's been a failure in communication, let's see if we can work this
>out."

C) This guy is hosting the web site for a spammer, and doesn't care that
the company is spamming to advertise their site, so he's made to feel the
pain of others.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | nestea'd...whatever it takes
Florida Digital Turnpike | to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________

>That's right. It stops the practice of using a sacrificial account, from
>AOL or netcom, to spam for a web-site that is otherwise protected. Does it
>make a difference that they didn't spam from their own ISP? That customer
>is *still* a spammer whether they did it from your site or not. Maybe
>you're of the "It's alright as long as they don't do it here" crowd? Well,
>that's one of the things that the RBL was built for. The rest of us don't
>have to put up with your negligence.

I don't see it as "it's alright as long as they don't do it here". I see
it as "I have control over my network, but not over anyone else's". I have
an AUP that specifically states spamming is not allowed. I have kicked off
users who have spammed. However, I do not have an AUP that says "If you
ever spam anyone ever in the world on any network anywhere I will
disconnect whatever service you have". I don't control the entire
internet, just my little piece of it. :)

Sheryl Chapin
Senior Network Engineer
CommTel Internet 207.377.3508
Winthrop, Maine schapin@ctel.net

Sheryl Chapin wrote:

>>That's right. It stops the practice of using a sacrificial account, from
>>AOL or netcom, to spam for a web-site that is otherwise protected. Does it
>>make a difference that they didn't spam from their own ISP? That customer
>>is *still* a spammer whether they did it from your site or not. Maybe
>>you're of the "It's alright as long as they don't do it here" crowd? Well,
>>that's one of the things that the RBL was built for. The rest of us don't
>>have to put up with your negligence.

>I don't see it as "it's alright as long as they don't do it here". I see
>it as "I have control over my network, but not over anyone else's". I have
>an AUP that specifically states spamming is not allowed. I have kicked off
>users who have spammed. However, I do not have an AUP that says "If you
>ever spam anyone ever in the world on any network anywhere I will
>disconnect whatever service you have". I don't control the entire
>internet, just my little piece of it. :)

I see it as "Spammers are just not tolerated here." Spamming is lame, and
allowing spammers to use throw away name brand accounts to advertise sites
on your network is hostile to the spam recipients, and the name brand
network they abuse to send the spam. I don't control the whole net either,
but I do define the acceptable use of my network, and violators of my
policies can find a new provider. It is a deterrent, it is not popular with
spammers, and I'm glad I'm not the only person with this view. "The only
way to win is not to spam."

Clearly the RBL is working, I now reject spam routinely, and I think the
lawsuit threat is bullying hogwash. I choose to block spam, and I
appreciate the service that Paul and the MAPS team provide to me.

Dan

Please allow me a moment to ask:

Does it make any difference whether your customer actually originated the
offending msgs?

Couldn't such a spamset come from one of their competitors?

Or a chat room hacker that got pissed off?

I understand AUP regarding what actually happens on an account.

Unless the "throwaway" account can be tied to your customer,
then I don't understand the justification for compromising
service.

(I personally don't find "it's generally true", or "it's too much trouble",
or "the end justifies the means" to be especially convincing arguments.)

keric@cyberiron.com (Eric Anderson) writes:

>Not to mention being the ultimate DoS: sending out loads of useless
>SPAM that appears to come from a competitor, getting them kicked off
>their Net.

The RBL team has occasionally received and followed up on some spam,
traced it back through multiple providers, only to discover that it
was forged by somebody's competitor. We blackholed the real source
in those cases, not the forged source. The telephone is a marvelous
tool for figuring out what really happened, and our use of the phone
is one of the things that makes the RBL so difficult to maintain.

>That's right. It stops the practice of using a sacrificial account, from
>AOL or netcom, to spam for a web-site that is otherwise protected. Does it
>make a difference that they didn't spam from their own ISP?

>Please allow me a moment to ask:

>Does it make any difference whether your customer actually originated the
>offending msgs?

>Couldn't such a spamset come from one of their competitors?

>Or a chat room hacker that got pissed off?

>I understand AUP regarding what actually happens on an account.

>Unless the "throwaway" account can be tied to your customer,
>then I don't understand the justification for compromising
>service.

Ah, but there's the problem and Karl D. is right. The *real* answer is to
do away with throw-away accounts. Yes, the provider of the throw-away
account knows exactly who the spammer is (I won't go any deeper than that),
they have a CC number. If that data matches our customer, that customer
becomes $1500US poorer and stops being our customer. Tracing a spam to a
particular dial-in port is not easy, but it's do-able. You then know who
the provider is/was.

>(I personally don't find "it's generally true", or "it's too much trouble",
>or "the end justifies the means" to be especially convincing arguments.)

I don't either.

It's actually not that hard for a smallish provider like NACS. I imagine
the big dialup wholesale outfits would have quite a bit more work to do,
though.

Actually, it is somewhat easier for them. I have it on good authority that
the mail admin at AOL gets regular detailed traces from SPAM-L and other
private sources. Many of the SPAM complaints not only come with detailed
headers, but traceroutes as well. NetCom also benefits from their users in
this way. All that is required is to verify the analysis as being valid,
check the logs, and move on from there.

Since the abuse folks have to verify that the analysis is
valid, why even include the analysis?

Personally, when dealing with complaints, I tend to ignore
all "analysis" and other text except the forwarded message
itself unless I'm at a loss as to figure out why it was sent
to my abuse department.

I've spoken to a number of other abuse leads who feel the
same way.

Hey Sheryl - I was originally pretty vocal against this - I worked for an
isp that faced this issue but to tell you the truth I have definitely
changed my tune - the account that was created on your network for
webservice was deliberately created with that in mind to be a listing add
in a spam from another ISP - this more than likely is the same person
whose account you just cancelled for spamming using your network - except
now s/he has gotten "smart" and thinks they've found a loophole. It's
better for all involved if you close the loophole. No one will be able to
act on her/him from the throw away isp's that s/he uses - they could care
less if that account gets nuked - but the site is the dealio - that is
their profit - so they sanitize it so that there is no excuse for nuking
it.

I would just modify your AUP to include a "spamvertised site" clause.