SPEWS?

Let me clarify, then.

If the offending ISP does not respond, and you have exhausted all avenues
available to you to get the ISP to get its customer to stop spamming -
whether by TOS'ing the customer, education or whatever - then escalation
may work if the collateral damage caused by escalation is enough to get
the spammers' neighbors to complain to the ISP.

This principle is based on the fact that an ISP is more likely to listen
to its paying customers than to outsiders.

And I don't think this is a potential solution only for spam; it is
appropriate (IMESHO) in other abusive situations too.

I don't advocate doing it unless you have tried all other reasonable
methods to get in touch with the ISP and ask them to disconnect or
otherwise educate their customer.

I'd have no respect for people who do it just to get attention.

> I fail to see how blacklisting neighboring subnets (not associated with
> the organization in question) instead of just the offending one is "in
> order".

Let me clarify, then.

If the offending ISP does not respond, and you have exhausted all avenues
available to you to get the ISP to get its customer to stop spamming -
whether by TOS'ing the customer, education or whatever - then escalation
may work if the collateral damage caused by escalation is enough to get
the spammers' neighbors to complain to the ISP.

And I don't think this is a potential solution only for spam; it is
appropriate (IMESHO) in other abusive situations too.

    Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat
counter-productive. SPAM prevents people from reading their email by a)
filling up mail server queues b) filling up user mailboxes (and/or quotas)
c) increased message count causes more time to be spent hitting delete, than
searching for operational or important communications.

    This all boils down to more or less the user missing/not receiving an
important email. So by blacklisting a netblock which originated SPAM, and
more importantly, its neighbors (or in SPEWS case, the entire AS and
netblocks announced from it), you are preventing valid emails from being
delivered. So SPEWS is just as guilty of depriving people of their mail as
spammers are IMO.

    Regarding your last comment, when tracking down and filtering a DoS, do
you filter just the offending IP space, or ALL netblocks announced by that
AS?

Andy Johnson wrote:

> Let me clarify, then.
>
> If the offending ISP does not respond, and you have exhausted all avenues
> available to you to get the ISP to get its customer to stop spamming -
> whether by TOS'ing the customer, education or whatever -

... and you've waited a reasonable time ...

Then the ISP is obviously either incompetent or deliberately aiding the
spammers. Why should you even consider anything less than blacklisting
every netblock the ISP has?

> then escalation may work if the collateral damage caused by escalation
> is enough to get the spammers' neighbors to complain to the ISP.

The objective isn't just to stop that spammer. If the ISP is clearly
acting irresponsibly and not dealing with a spam problem, getting them
to wake up is more important than the individual spammer.

> And I don't think this is a potential solution only for spam; it is
> appropriate (IMESHO) in other abusive situations too.
>

    Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat
counter-productive. ...

Not if it's the only way to wake up that ISP.

Of course, this sort of block must be a last desperate measure. At
a minimum, the spammer's been at it for weeks and you've mailed abuse@,
postmaster@ and the whois contacts without eliciting a response from
the ISP, before you even consider it.

Even then, you should likely try phoning the ISP and/or browsing
their website for other contact addresses before taking such a
drastic action.

But if drastic action seems the only way, don't stop at half
measures. Blackhole every netblock they have, and for all
packet types, not just email.

    Doesn't anyone see the irony here? Fighting abuse with abuse is somewhat
counter-productive.

*Spamming* or launching a DoS attack in response to spam is definitely
abusive. I understand your point here. I don't think it's an invalid one.
I do believe that whether escalations are abusive is a question that is
open to debate. Indeed, I believe the question *should* be debated.

    This all boils down to more or less the user missing/not receiving an
important email. So by blacklisting a netblock which originated SPAM, and
more importantly, its neighbors (or in SPEWS case, the entire AS and
netblocks announced from it), you are preventing valid emails from being
delivered. So SPEWS is just as guilty of depriving people of their mail as
spammers are IMO.

Which is more important? The right to express yourself or the right for
a property owner to protect his property? I've always claimed that
property rights trump free-speech rights, and where spam is concerned,
the courts have agreed with me (e.g. the AOL case and the CompuServe
case against Sanford Wallace back in the mid-1990's).

Now, the big question with blocking is whether or not your users are aware
of the blocking happening. In a service-provider environment, a good
network admin will make his customers aware of the blockage and either
have them agree to it or allow them to turn it off. But that is not a
moral or ethical issue. That's a contractual issue. If the provider is
arbitrarily blocking stuff without telling his customers, yes, that can
be said to be a moral or ethical issue, but I make the assumption, for
the sake of this particular thread, that the customers know what's going
on.

As to whether it's counter-productive, again, whether or not it is is
based in large part on whether or not the customers have agreed to it.
My opinion is that the end-users *must* always have final say over what is
blocked or not blocked.

    Regarding your last comment, when tracking down and filtering a DoS, do
you filter just the offending IP space, or ALL netblocks announced by that
AS?

Neither; I don't run any devices that need to speak BGP. If I did, I'd
start by filtering the offending IPs only. If I still saw attacks coming
from elsewhere in the ISP's netspace I would broaden the range of the
blocks.

If the offending ISP does not respond, and you have exhausted all avenues
available to you to get the ISP to get its customer to stop spamming -
whether by TOS'ing the customer, education or whatever - then escalation
may work if the collateral damage caused by escalation is enough to get
the spammers' neighbors to complain to the ISP.

This principle is based on the fact that an ISP is more likely to listen
to its paying customers than to outsiders.

Fair enough. I agree with the idea in spirit. However, care must be
taken to define acceptable criteria. I think the concerns here (at
least my concerns) are that a) some organizations do it before exhausting
other avenues, and b) the avenues for removal from such listings can
be difficult to nonexistent (as is the case with SPEWS, from the sound
of it).

As for specific criteria, I think this is probably where the most
debate lies. If an ISP is a haven for a significant (yes, that is
a subjective term, but humor me) number of spammers, or if they have
either actively refused to solve the problem or allowed a spammer to
evade filtering by renumbering into a new block, then I'd say this
is a reasonable action to take against them. However, if it is only
one or two problem customers, and they are not being evasive, renumbering,
etc then I'm not so sure the end justifies the means. After all, you
do have the means to avoid receiving the spam (such as listing them
on a blackhole list).

I think one must be cautious to avoid seeking vengeance on something
whose mere existence bothers them, independent of whether it actually
affects them or not. It's easy to make such a decision, but most
people fail to account for the other side of that "collateral damage".
One cannot assume that all of the non-spamming customers of an ISP
can afford to be blackholed in order to facilitate one's own moral
victory.

Unfortunately, this discussion provides an avenue to the age-old
thread about blackhole lists with political agendas, which imho is
not the point of this thread.

And I don't think this is a potential solution only for spam; it is
appropriate (IMESHO) in other abusive situations too.

Agreed.

I don't advocate doing it unless you have tried all other reasonable
methods to get in touch with the ISP and ask them to disconnect or
otherwise educate their customer.

Agreed. However, my impression from the initial post(s) in this thread
is that the specific list(s) in question have not been doing this.

-c

Fair enough. I agree with the idea in spirit. However, care must be
taken to define acceptable criteria.

Oh, absolutely. Escalation is not something that should be taken lightly.
e.g. for MAPS, escalation was (is?) only used as a last resort.

I think the concerns here (at
least my concerns) are that a) some organizations do it before exhausting
other avenues, and b) the avenues for removal from such listings can
be difficult to nonexistent (as is the case with SPEWS, from the sound
of it).

Agreed.

I think one must be cautious to avoid seeking vengeance on something
whose mere existence bothers them,

Yes. There are well-documented cases of people getting into trouble when
they let their personal opinions and emotions get in the way of running
such a list.

Agreed. However, my impression from the initial post(s) in this thread
is that the specific list(s) in question have not been doing this.

Yup. I think we have to be careful not to let this thread go completely
off-topic. I think I'm going to do a little more research before posting
further on the topic, though. As I said, I've never been in a situation
where I have to ask SPEWS to delist me.

Steven J. Sobol wrote (on Jun 20):

If the offending ISP does not respond, and you have exhausted all avenues
available to you to get the ISP to get its customer to stop spamming -
whether by TOS'ing the customer, education or whatever - then escalation
may work if the collateral damage caused by escalation is enough to get
the spammers' neighbors to complain to the ISP.

Can't find the terrorists you're looking for so start killing bystanders
until someone submits? Sounds militia to me.

The service providers are not the enemies. If you treat them like enemies
then enemies they will become.

Perhaps we should move mail transfer to a peering model. You wanna send
email to my SMTP server? Where's the peering contract? BGP-equivalent for
SMTP anyone?

-C
(tired of getting bounces for email I never sent!)

Paul Vixie has been talking about mail peering for years. Unlike him I
personally do not believe exact equivalent of BGP peering for mail
is a solution and will ever happen.

But there is intermediate alternative - create organization with all ISPs
as its members (kind of like ARIN/APNIC/RIPE for mail service providers)
and have all downstream corporate customers be required to either also be
member of this organization or relay email through its isp. Do note that
right now already many new isp customers relay mail as well as all
dialups, but actually making this work for number of large corporate
customers is a problem but if we really want this to happen, we can!

What do you do if the ISP says "We want to turn them off, but they've managed
to get a restraining order preventing us"? We've seen THAT before....

> > > If the offending ISP does not respond, and you have exhausted all avenues
> > > available to you to get the ISP to get its customer to stop spamming -
> > > whether by TOS'ing the customer, education or whatever -
>
> ... and you've waited a reasonable time ...
>
> Then the ISP is obviously either incompetent or deliberately aiding the
> spammers. Why should you even consider anything less than blacklisting
> every netblock the ISP has?

What do you do if the ISP says "We want to turn them off, but they've managed
to get a restraining order preventing us"? We've seen THAT before....

Then the part above about

> > > If the offending ISP does not respond, ...

obviously does not apply. They are responding. You clearly do not even consider
blacklisting them.

You might ask them for help in blacklisting exactly the spammer's addresses.

I'll probably get flamed for saying this, but the fact of the matter
is, if SPEWS behavior is abusive towards a network, that network does
have a limited recourse: null-route SPEWS. Thus, the more providers
they anger, the less network they can reach. Some users may complain,
but if SPEWS is abusing your customer base, I think it's a valid
response. It's a powerful threat, and incentive for SPEWS to play
fair.

I've had similar problems as Alex with SPEWS and also got the same reaction.
They have a serious attitude problem. And no, SBC is not using SPEWS, I
think they have their own blacklist based on actual incidents and I think
they are smart enough not to put themselves under legal risks for using SPEWS.

Can't find the terrorists you're looking for so start killing bystanders
until someone submits? Sounds militia to me.

And your suggested alternatives are...?

The service providers are not the enemies.

You'll never convince me of that fact as a generality... Many aren't. Some
simply don't care what happens on their network. For example, @Home, which
(in my direct experience) tried to actively discourage abuse reports.

Then the ISP shouldn't be punished just because they wrote a bad contract.
In such a case I would say that escalation is *not* appropriate, since we
have prima facie evidence that the ISP is trying to do the right thing.

william@elan.net wrote (on Jun 20):

Paul Vixie has been talking about mail peering for years. Unlike him I
personally do not believe exact equivalent of BGP peering for mail
is a solution and will ever happen.

Never say never. :) As blandly as stated it would be unworkable,
though. Though I recall people saying similar about ipv6.

But there is intermediate alternative - create organization with all ISPs
as its members (kind of like ARIN/APNIC/RIPE for mail service providers)
and have all downstream corporate customers be required to either also be
member of this organization or relay email through its isp. Do note that

I'm not sure this helps. In the same way that being an LIR of, say,
RIPE doesn't in fact mean you have any clue how the Internet is put
together at the BGP level, so joining a club that lets you run a mail-
relay doesn't mean anything about your ability to do so in a clean way.

If you mean I can grass up a relay for sending naughty messages, then
the bureaucracy of ARIN/RIPE I can do without. Nothing gets resolved
quickly and the issue will remain until it is.

The attractiveness of the "peering" idea is that I, representative of
my network have some direct legal recourse against someone who breaks
the rules. No 3rd parties required. I can pinpoint the offenders. I don't
need to shutdown the peering, but I have legal means with which to
raise the issue - assuming of course it went into the agreement.

The details beyond this get messy and way OT, but it does have
aspects that appeal, though with a lot of work.

-C

I'm *sure* that our connectivity provider will want us to forward us
several million pieces of email a day, just so they can forward it
along, if we decided to not join. So we have our choices of joining
(probably with a membership fee), letting a provider that probably doesn't
want our load relay our mail (and that will cost *them* money for a mail
server hefty enough to do it), or filter port 25 because we didn't pay...

Looks like a good candidate for getting sued via RICO. "An offer you can't
refuse". Hmm...

> But there is intermediate alternative - create organization with all ISPs
> as its members (kind of like ARIN/APNIC/RIPE for mail service providers)
> and have all downstream corporate customers be required to either also be
> member of this organization or relay email through its isp. Do note that

I'm *sure* that our connectivity provider will want us to forward us
several million pieces of email a day, just so they can forward it
along, if we decided to not join. So we have our choices of joining
(probably with a membership fee), letting a provider that probably doesn't
want our load relay our mail (and that will cost *them* money for a mail
server hefty enough to do it), or filter port 25 because we didn't pay...

Actually I was thinking more along the lines of authentication using
SSL certificates for authentication of mail servers from members. Administering
a large list is a nightmare, so it's easier that initial or direct members get a
certificate from the root organization and then members can themselves issue
(and revoke) a certificate to large enough customers, with a backroute
that if a mailserver does not accept your certificate, you can send email
through upstream.

Looks like a good candidate for getting sued via RICO. "An offer you can't
refuse". Hmm...

This one I agree, serious legal problems that will arise due to large
marketing houses and some free-speech groups will need to be worked out.
But if there are anti-SPAM laws on country-level on majority of the world
and most ISPs agree to some kind of mediation organization, this can
be overcome.

Because they're desperate. Everyone is, these days.

  Death of the net predicted, etc etc.

actually, i think Valdis was alluding to the Paetec fiasco with Monsterhut.
in that particular case, the contract was ok, but Monsterhut lied to the
court about the source of their addresses in order to try and weasel out of
being terminated.

the whole mess took a year or so to wend its way through the NY court
system. bleah.

richard
   ("spammers lie? i'm shocked!")