Spam Wars: The Battle History

Preface: Anti-Spam Rules of Engagement


The only constant in the Great Spam War is change.

Perhaps now we (tinw) will see street corner dealers selling/hawking/pushing monthly Bullet Proof Hosting to those hooked on spamming, a known and destructive addictive behaviour.

-- Sun Tsu - The Art of War

The Rules of Engagement: spam/abuse source networks

By way of example: suppose I detect incoming spam from 1.2.3.4.
Who is responsible for that spam?

  1. the owner of the system(s) at 1.2.3.4
  2. the owner of the network of which (1) is part
  3. the owner of the ASN of which (2) is part

I haven't mentioned whether 1.2.3.4 was a spam origination source, or an open relay, or an open proxy, or a zombie, or something else.

That's deliberate: I don't care. I'm not (1) (2) or (3) so it's not my problem: it's theirs.

I also haven't mentioned the spammer who's actually sending it or the spamvertized web site or anything else.

Also deliberate: I still don't care. It came from 1.2.3.4: therefore it's their problem.

I also haven't mentioned whether the sender-part, the domain-part, or both, are forged or not.

Still deliberate: and I still don't care. It really doesn't matter: it might matter to the keepers of 1.2.3.4. It's also still their problem.
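As an added illustration (not part of Kulawiec's essay or the site's own tools), the following Python sketch takes the connecting IP out of a Received: header and walks the (1), (2), (3) chain of accountability by longest-prefix match. The allocation table, contacts and AS number are constructed placeholders (AS64496 is a documentation-reserved ASN); a real tool would query WHOIS/RDAP and BGP data instead. It deliberately never looks at the From: header, matching the essay's point that forged sender or domain parts change nothing about whose problem it is.

```python
import ipaddress
import re

# Constructed, hypothetical allocation table (not real registry data).
# Level 1 = owner of the system, 2 = owner of the network it sits in,
# 3 = owner of the ASN announcing that network.
ALLOCATIONS = [
    ("1.2.3.4/32", 1, "hostmaster@host.example"),   # the system at 1.2.3.4
    ("1.2.3.0/24", 2, "abuse@netblock.example"),     # its parent netblock
    ("1.2.0.0/16", 3, "abuse@as64496.example"),      # the announcing ASN
    ("5.6.0.0/16", 3, "abuse@other-asn.example"),
]

def extract_source_ip(received_header):
    """Return the connecting IPv4 address from a Received: header such as
    'Received: from mail.x (unknown [1.2.3.4]) by mx.y ...', or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    return m.group(1) if m else None

def accountable_parties(ip, table=ALLOCATIONS):
    """Return [(level, prefix, contact)] for every allocation containing ip,
    most specific first: system owner, then network owner, then ASN owner."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for prefix, level, contact in table:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            hits.append((net.prefixlen, level, str(net), contact))
    hits.sort(key=lambda h: h[0], reverse=True)  # longest prefix first
    return [(level, prefix, contact) for _, level, prefix, contact in hits]

def escalation_chain(received_header, table=ALLOCATIONS):
    """Convenience: header in, ordered list of accountable parties out."""
    ip = extract_source_ip(received_header)
    return accountable_parties(ip, table) if ip else []

if __name__ == "__main__":
    # Constructed sample header, not a captured one.
    hdr = "Received: from relay.bad.example (unknown [1.2.3.4]) by mx.example"
    for level, prefix, contact in escalation_chain(hdr):
        print(f"({level}) {prefix:<14} -> {contact}")
```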

How are they supposed to know this is happening?

<shrug> Well, I know about it. I know about it because I observed it. I observed it because it was entering my systems/networks, and because I was looking for it. Therefore (1) (2) and (3) can surely see it leaving theirs...if they only bother to look.

I have spamtraps. They can have spamtraps. I read. They can read. I use sources of information. They can use the same sources.

Therefore:

If spam comes from X's network then it's X's spam. Not Ralsky's. Not Richter's. Not some 419'er's or pirate software gang's. X's.

If you are X: expect to be held 100% accountable for it. If this is an unpleasant prospect for you, then join spam-l (or other mailing lists where experts on the topic can be found), explain your problem, get some help, and FIX IT. If you can't or won't do this: don't be surprised when you wake up one day and find your ability to communicate with other more responsible operations has been diminished. And no whining either: you are expected to run your network responsibly or disconnect it from the rest of the Internet. If you can't live up to that basic requirement, you're in the wrong business.

The Rules of Engagement: spam/abuse support networks

SMTP spam is just one form of spam; and all forms of spam combined are just one form of abuse. We are now seeing a proliferation of related abuses: SMS spam, spim, spit, adware/spyware, worms/viruses, drive-by downloads, "unblockable" pop-ups/pop-unders, proxy hijacking, and so on.

None of these exist in a vacuum: they rely on peering, routing, web sites, DNS, mailboxes, and other infrastructure to work. These are being provided in profusion by many ISPs who cynically proclaim their "anti-spam" and "anti-abuse" policies but fail to enforce them in any meaningful way.

We are now a decade past the time when "...but the spam isn't coming from our network" and "...but they'll just move somewhere else" were acceptable excuses for inaction.

If you are providing any services of any kind to any spammer/abuser: expect to be held 100% accountable for it. If this is an unpleasant prospect for you, then find out which spammers/abusers you're supporting, excise them from your operation and ban them for life. And again, if you need assistance, it's available in profusion -- so there are no excuses for any failure on your part to take immediate advantage of it.

"Free speech" and other specious claims

Free speech: Spam and other forms of abuse are not speech, just as a brick with an attached note thrown through a window is not publication. Spam/abuse are forms of conduct and should be treated as such.

Can't terminate: If your AUP/TOS doesn't specify instant suspension with conversion to permanent termination upon conclusion of investigation, then your AUP/TOS is broken, it's your fault, and you need to fix it.

Takes time: If you have crippled your own processes so that you can't move fast enough to prevent someone on your network from abusing the entire rest of the Internet, then you need to fix them.

Don't know: Make sure your RFC 2142 mailboxes ("postmaster", "abuse") are working and read by clueful people. The bigger you are, the more often they need to be dealt with. There are a lot of people out there doing your job for you, for free, and trying to donate the results of their work to you: you should be listening.

Bottom line

Spam/abuse exists for two reasons:

  1. Fundamental underlying security problems at the operating system and network level
  2. Inaction on the part of ISPs who are required to act.

ISPs may not be in a position to do much about (1) immediately, but it's clear that (2) is fully under their control.

Make it happen.

Source: Rich Kulawiec - SPAM-L, Feb 2005