Should You Trust MAPS?

patrick42 asks: "Recently, my co-location facility was hit by a massive blacklist by an over-zealous 'investigator' at MAPS. 180,210 IP addresses in total are included in the blacklist -- and all because of a few spam complaints that weren't dealt with quickly enough. To make matters worse, they put this in effect either late Friday night, or early Saturday morning -- hours during which MAPS is not available for contact! (Mon-Fri, 9-5 only) How do people deal with MAPS and other RBL services who will not cooperate or be reasonable? And on a broader front, are you really prepared to trust a company like Kelkea, Inc. (owners of MAPS) to decide what emails gets to you without really knowing how they operate and deal with resolution processes?"

"I spent all weekend long trying to get a hold of the people at MAPS, as they don't bother telling you when they are open. When I finally got a hold of someone on Monday morning (not an easy task, mind you!), they told me that they are not open on the weekend, so it would have been *impossible* to resolve this issue quickly. And because I was only a customer of the company who owns these IPs, they would not unblock my subset of IPs. Despite the problem originating from a handful of IP addresses, MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend! I had already made several phone calls and emails to my co-location facility, and they told me they were doing their best to get a hold of someone there. Several emails had been sent, and just as I first experienced, they could not reach anyone at MAPS by phone. When I finally talked to someone at MAPS, he told me that he would not be proactive in the matter by actually phoning my co-locator to work this out.

These people at MAPS thinks themselves quite high and holy, and in some ways they are: many ISPs and the like will bounce emails just because MAPS tells them to. (I've since removed MAPS from my list of RBL servers to check.) As a small-business owner, MAPS can be very hurtful to a business and very uncooperative in helping resolve the issue. I gave them a couple subnets of mine to unblock, but they would not, even though my IPs were not involved in the original complaint.

This experience has certainly made me think twice about who I trust to decide the fate of my incoming email."

No.

Nobody should trust maps, as they might be out of date, or insecure and flawed.

Re:No.

RBL's are a terrible idea. I wouldn't say they are outdated though, mostly because they were always a terrible idea.

There is nothing easier for a spammer to defeat then a RBL; they just set up a server in their closet and run their own SMTP server. Most DSL and cable connections use temporary IP addresses and you can't RBL Verizon. No spammer is going to co-lo a server to send spam from.

Spam complaints are often ridiculous due to user ignorance. I used to work for a company that send a plain text newsletter to a 100% opt-in mailing list once a month. To receive a mailing a user either had to sign up on the website or via a piece of paper on the front desk. They still would get spam complaints both to themselves and to their ISP.

Half the time they were from people that specifically signed up to get mailings. It wasn't as if we were mailing previous customers or anything, you had to say "please send me your newsletter". Evidently these people either forgot or changed their mind and couldn't be bothered to click the opt-out link at the bottom of the email. Somehow, 9 out of 10 of these people were AOL users, Funny.

The other half they were even more crazy. One time the guy was not even in the mailing list database; we weren't sending him mailings. We even checked with him to see if he had a second address that could be forwarding mail to the one in question but he claimed he had no such mailbox. There was simply no way for us to remove him from the list because he wasn't on it in the first place. Another time, we deduced that someone else had signed up the person in question (the person's last name was recorded in the database as "Assface"). Evidently someone didn't like them very much and had signed them up for every mailing list they could find. Kinda a good method of getting back at someone I suppose. (everyone that has ever flamed anyone on /. and posted an email address cringes)

Laws, RBLs, regulations... all these things are both ineffective and erode our freedom. If you don't want spam there are three things to do: 1) Don't post your email address on the web, use a PHP mailer instead. 2) Don't give out your personal address, use a a "spam" address. My Dad once gave his real address to one of those "win a Segway" things at the mall (he must have been drunk or something), he now gets about 200 spams a day, up from zero. 3) Use an email filter. The good ones don't even use blacklists and work great.

And well... 4) Don't piss someone off that knows your email address.

Re:No.

Another time, we deduced that someone else had signed up the person in question (the person's last name was recorded in the database as "Assface").

You obviously didn't have a confirmed opt-in system in place then...if you had, the address in question wouldn't have gotten on the list, he would have gotten one email asking him to confirm his subscription, and nothing else if he didn't reply to it.

Re:No.

In this day and age, anyone with any sense who has a legitimate need to run a mail server on a dynamic address also relays through their ISP's mail servers and bypasses blocks like that anyway.

Except that doing that takes away one of the big advantages of running your own mail server, a lack of limits on outgoing attachments. Now, depending on ISP, this may or may not be a big deal, but in 2005, a 2MB attachment limit is rather small.

I personally like running my own e-mail server for several reasons, one IMAP + webmail if I want.

Two, I don't have to change my e-mail address every time I move from college back home for the winter, or when I transferred colleges or go on to Grad School, or change my parents e-mail when we changed ISP's last year or just today to DSL.

Three, buy using my own PC, I can use the free dydns service to have a practically unlimited mailbox size (well 50GB, but...) unlimited e-mail addresses, aliases etc for free as opposed to paying for hosting monthly.

Also, in terms of flat out buying e-mail service, I've found running my own server to be either the equal or better in terms of reliability. For free to me, as I have the PC and net connection regardless of the third party e-mail service.

I personally hate the blocks that spammers and others are forcing on us ligitimate users who want to actually use their PC for stuff. VNC blocks piss me off, because the resnet staff tell me it's a security vulnerability. Well, VNC is free for me to use, I can't afford, nor do I have any desire to pollute my system with the shit of PC Anywhere. I also don't believe PC Anywhere has a Java client you can use from any PC like TightVNC does.

They started blocking things like TOR. FTPS, SSH. I tried to explain to them that SSH is far from unsecure/unauthenticated. I said if they allowed SSH I could then tunnel VNC over that and it wouldn't bother anyone.

They even block IRC Chat! Not just DCC, but you can't even chat. Now DCC has legitmate reasons to be blocked, but chatting? Let me tell you that you can get more info from IRC than you ever could from yahoo (which they allow).

And if you are an astalavista.net member, you can't even use the Java IRC Client.

Anyways, I really get pissed off over the thought that we NEED to have companies being the server to us clients. I think P2P has shown that people are capabile of being PEERS in the internet, like it was designed to be.

And moreso, they(the resnet, or ISPs) consider that users should be second class citizens for whatever reason. Heck, most of the listed "servers" wouldn't touch the bandwidth usage of Kazaa or Bittorrent.

A sword that cuts both ways

Whereas I have sympathy for the innocent bystander (as the poster appears to be), and whereas I agree that uncompromising behaviour can be frustrating, the SPAM black hole servers are somewhere between a rock and a hard place...

They can't just block small sections of netblocks (because a spam-happy ISP will just allocate new IP's to their paying spammer customer) - the only way they can police the offence is to ban the block.

They can't just add people back in when they've been blocked either - there has to have been some resolution of the problem, and that has to come from the ISP, at least IMHO. A customer running a website will say anything (especially if they're a scum-of-the-earth-spammer-type customer) to get back online. AN ISP who lies knows their next block will be more permanent...

OTOH, Being unavailable out of hours is ... frustrating. In the end, that will reduce the value of the service, and perhaps MAPS will be overtaken by someone who perhaps charges a fee, but is in some what accredited and responsible for their actions.

The real problem though isn't MAPS and their attitude, it's the spammers. Get rid of the spammers and you get rid of the need for MAPS. These lowlife internet-scum are where any ire ought to be directed, again IMHO.

A Sony NDA I once signed said that in the event of disclosure of anything under NDA, Sony would seek damages, and that financial reparation may not be sufficient penalty. The point being that the penalty *ought* to have teeth, and atm, the spam penalties do not. If you want less spam on the 'net, you're going to have to accept more regulation of the 'net. Another double-edged sword...

Simon

Re:A sword that cuts both ways

They can't just block small sections of netblocks (because a spam-happy ISP will just allocate new IP's to their paying spammer customer) - the only way they can police the offence is to ban the block.

Doesn't this suggest that the MAPS approach might be the wrong one to take? i.e. Have you ever tried swatting a fly with a shotgun? You could chase it around all day, and all you're likely to do is destroy your own house.

Re:A sword that cuts both ways

Uhmm, wouldn't blocking an entire block of 180,000 IPs be more akin to swatting a fly with a square mile sheet than a firing at it with a shotgun?

Re:A sword that cuts both ways

Well, let's say it's a very large fly, with a profile of 1 cm^2. And let's assume it represents 1 IP. Then the fly swatter would only have to be 18 m^2. This is roughly 140,000 times smaller than a square mile sheet.

Re:A sword that cuts both ways

Have you ever tried swatting a fly with a shotgun?

Yes, but I'm that kind of person [honeypot.net].

Re:A sword that cuts both ways

>"Projectile" is a Crosman 760B Pumpmaster Air Rifle

You throw your gun at them?

Re:A sword that cuts both ways

Godwin's law and all that...but your analogy is flawed. We're not trying to kill a fly. If we were, someone would have built a flyswatter by now.

Rather, what we're engaged in is the unconditional surrender of Nazi Germany. Sure, all we REALLY needed to do in WW II was fire a single bullet into the brain of Der Fuhrer, but getting to that point required the invasion and destruction of much of Europe. Once the menace was gone, the Continent was rebuilt.

The rather scary part of this analogy, of course, is that the subsequent peace on the continent was secured by the decades-long occupation of the continent by a foreign army (ie the Americans). THAT is my concern in the anti-spam wars. The cure may be worse than the disease. (See other comments in this thread about increased government regulation.)

It is unfortunate that geeks aren't better at forcing other people to play nice.

Re:A sword that cuts both ways

Why was it scary? America isn't trying to take over the world. I know thats what certain slashdotters like to think but its not true. Who would you rather have occupying Europe, the Soviet Union? I think what should REALLY be scary is that Europe was unable for so long to police itself, not that someone else had to.

Re:A sword that cuts both ways

It's not the spammers who are really getting hurt here. The collateral damage caused by MAPS' brain-dead sledgehammer approach is not justified.

You mentioned an operation similar to MAPS that could charge a fee. Who would pay this? The spammer, or the victim, or the person signing up for the service? That sounds so open to abuse and extortion if it's the victim who has to pay to be unblocked.

I've had to deal with other RBLs and they're a holy pain in the arse. They're not worth the service they provide. They might save a couple of people from recieving some spam, but they're costing others time, money and stress in the process. To make it worse they invariabley have a terrible attitude. They're no better than vigilantes in most cases, and are normally a good demonstration of why vigilantes aren't tolerated in the real world.

Re:A sword that cuts both ways

I run a mail server at home to service a few domains I have. I subscribe to multiple RBLs and they help an immensely to cut down on the spam.

Honestly I don't care it you are an "innocent victim" of an RBL. My use of RBLs is completely voluntary. If you send me mail and I don't get it I don't see how it harms you at all. I am presuming of course that your email was so great and useful that it caused me tons of money not to have read it.

BTW my mail server has a bounce message that says you were in a blackhole. If you know me then you also know my gmail account and email me there so I can put you on my while list. Hell you could just call me too.

If I sent an email to a business and it bounced I would probably call them and ask them if there were alternative methods.

So sorry, no tears from me. My RBL list blocks hundreds of emails every day for that I am grateful.

Re:A sword that cuts both ways

The client is an idiot for making their business dependent on the reliability of public data networks and SMTP. If the information is that valuable, they can afford to invest in hardware, software and redundant communications channels to guarantee delivery of their inventory reports.

Re:A sword that cuts both ways

"Running a legitimate business online on a spam-friendly ISP is like opening a fancy restaurant in the ghetto."

The point is it doesn't have to be a spam friendly ISP. All it takes is some server at the colo getting cracked and used for spam. Or some idiot setting up an open relay at the colo because they don't know what they are doing.
It can also be because some jackass at the company decided to send an unsolicited "email blast" to their address book. Believe me there are plenty of sales and marketing types who have NO CLUE why this would be wrong.
So along comes MAPS and jumps on it with gusto, blotting out the whole range of ips including hundreds of companies who haven't done a thing because of a the stupidity of a single person.
Consequently, you have a bunch of people at those companies running around and trying to figure why the hell their email no longer works. Which impacts business and costs money. It can also be extremely damaging to reputation for people trying to get customer service via email.
You're right people should call the company, and I'd like to think most will - but any kind of hassle a customer has to go through impacts their perception of the company in a negative manner.
SO sure you can switch ISPs. Of course this takes time, labor and may involve getting out of existing contracts which can cost money.

Re:A sword that cuts both ways

The point is it doesn't have to be a spam friendly ISP. All it takes is some server at the colo getting cracked and used for spam. Or some idiot setting up an open relay at the colo because they don't know what they are doing.

Bullshit.

MAPS (and almost every other RBL) won't blacklist an entire ISP for one machine.

They start with one machine (the one sending the spam), and if the ISP does nothing about it, the block starts growing.

See, read the article - they were blocked because of repeated complaints. This is not just one machine.

Re:A sword that cuts both ways

I use DNS blocklists for the simple reason that they work, and they work with a lot less CPU time than content analysis filters such as SpamAssassin.

I don't use MAPS, but my experience with the ones I do use, such as SPEWS and Spamhaus is that it blocks around 90% of my incoming spam with very few false positives. While they continue to produce these results, I will continue to use these filters to manage my incoming mail.

I use SpamAssassin on the remaining 10% of the spam, and it catches most of the rest of them. I could use it on all of them, but it would take too long to check my email if I did that.

Re:A sword that cuts both ways

something like MAPS can't ever work without the occasional listing of a block that doesn't belong there, and the shittier the management of the list the shittier the service you get from it. being unavailable at some hours, ANY HOURS, and pretending to keep a list(that thousands of emails depend on) current is a joke.

on way to react to this is to not take any action at all - a spam prevention system with high number of false positives is an useless one(you may need to explain it to your customers though and direct them to complain to the appropriate person - the one who decided to use maps on some server). if you can't send email to somebody.. use gmail/hotmail or whatever to mail them posing as a customer and telling that you don't like maps and that they just lost a sale because of it... if you don't like them complaining to their nonexistant support is not likely to help you - complain to the people who use their services and think it's pretty cool, at least then there's a possibility of them dumping maps as a way.

the whole way how an address gets to the list is of suspect anyhow:
***************
"After you have read our Guidelines for Reporting Email Abuse and have completed the research necessary, you are ready to submit a nomination to MAPS to have an IP address included on the MAPS RBL.

Start your message with a brief, one paragraph narrative with the details summarized:

"I am nominating a site for listing on the MAPS RBL. I received this spam... I reported it they ignored my report... I confirmed the relay... I called them, and they said... "

Include in-line, all related phone conversation transcripts, copies of the spam with full headers, the abuse report, the response or auto-ack and any other correspondence you received. Additional information should include further documentation of the spam problem, webpage source code, or other necessary information.

An Investigator will review your nomination and contact the owner of the IP address to see if we can resolve the issue. If no response is received, or the responsible parties are unwilling or unable to rectify the problem, a nomination to the MAPS RBL is made. The Investigator creates a nomination that documents the entire Investigation and Notification process. The nomination is entered into the MAPS RBL for certification and approval by Management.

This certification process verifies that the information in the nomination is accurate, and that a reasonable effort to contact responsible parties has been made.
"
***********

even if you DO answer to the accusations it's your word against the accusers and they got NO WAY to find out for sure - it's impossible to tell if you're a spammer or just some guy that some idiot is trying to frame, if you are a real spammer who really owns that ip you're likely to deny it anyhow.

Re:A sword that cuts both ways

MAPS can't do any harm on their own. The real problem is people who use MAPS' braindead advice as part of their policy.

Re:A sword that cuts both ways

Indeed. Anyone who uses MAPS to blackhole mail is an idiot, and should have their root privs taken away. Seriously. These sorts of lists are GREAT for greylisting -- increase your spamassasin score by a few points, or something like that.

But anyone who uses MAPS to blackhole servers is lazy and incompetant.

Get real

A rock and a hard place? Nobody's twisting anybody's arms and saying, "Go out and blacklist people!" These are net vigilantes on a power trip, and they're making life difficult for a lot of innocent people who have nothing to do with spam. Those are the people caught between a rock and a hard place.

No, YOU get real (Was: Re:Get real)

When Al Qaeda flew 737s into the world trade towers

No-one ever flew 737s into the world trade towers. ITYM 767s. The ones that landed in the pentagon and the paddock were 757s.

And anyway, WTF does any of this have to do with terrorism? It's a ridiculous link - a way to invoke Godwin without actually mentioning the 'n' word perhaps?

RBLs are advisory. RBLs do not block email. Which parts of this are y'all having so much damn trouble with. The operators of about 8 different RBL lists advise me (in response to a request for information that I initiate) that the MTA that has just contacted me is coming from an IP address that is known to have been used recently by a spammer. I choose to refuse to accept the proposed email delivery from that source on the strength of advice from one or more RBLs. (eight different ones, as it happens, on my home postfix server. It takes a full fifteen seconds for my smtp daemon to answer when you connect 'cos of all the lookups!!!).

Why is it so damn hard to grasp? Realtime Blackhole Lists do not block spam . Administrators and their policies block spam, and they've every right to choose what arrives on their boxes and what doesn't!

The original poster (article) has no right to get upset at anyone for my decision not to accept email from him. All he gets to do is F.O.A.D. Getting his royal whinge frontpage on slashdot is nice for him, but it's not a right or a guarantee.

Re:No, YOU get real (Was: Re:Get real)

Hilarious. Godwin, Godwin, Godwin. Is that all you can refer to is how the Nazi's operated when thinking of blocklists?

I have an email server. I like to get mail. I don't like to get spam. I consult several lists of known IPs that have sourced spam when a machine connects to my server to decide whether I maintain the connection and receive the mail or not.

Note one key operative phrase throughout that last paragraph: "My server." My personal property. I'll run it any damned way I please, thank you. The blocklist you don't want to get on is my private one, the one that works on the same basis as many Ronco products: "Set it.. and FORGET IT!!"

If you find yourself on a blocklist and unable to communicate with me via email, I have several suggestions:

Consult whois for my domain. There's a working email address, snail mail address, and telephone number. Call me. Drop me a line. Arrange to have your mail sent from a service that is not blocklisted.

I'm not really a prick in real life. Unfortunately, spammers have ruined the experience when it comes to email. If you're into righteous anger, I suggest you aim it in the right direction:

If it weren't for the damned spammers, none of this would be necessary.

Re:A sword that cuts both ways

This is a myth.

I'm sorry, but the idea that only blocking known offenders is unworkable has been proven wrong over and over.

I use a combination of greylisting, SPF and a small number of blacklists which have strict non-collateral damage policies.

Today, as an example, on a small personal system I've actively rejected 2576 connections, and allowed 228 messages. Of those 228, 75 were then identified as spam by SpamAssassin. A 97% success rate on a VERY low-bandwidth / CPU first-pass is more than acceptable for almost any application, given that you have a second pass (e.g. SA) which further improves your results to about the 99.9+% level.

The trap that people end up in is thinking that they need their first-pass to be as effective as a stand-along spam filter. Not true. You only need it to be effective enough to reduce the burden on your network and hardware by skimming off most of the incoming spam before it has a chance to consume those resources. If you're a VERY large ISP, then you might need to adopt additional measures (and while I despise the way AOL has done it, for example, I understand their reasons). If you're not one of the 10 largest ISPs in the world, then you are kidding yourself.

I have one user who asked me if mail was broken when I first deployed this. He was concerned because he'd come to think of the steady trickle of spam as a sort of heartbeat.

MAPS are assholes

They are a big pain in the ass for us providers to deal with. But they are also a necessary evil too sometimes. Personally I like the Spamhaus lists much better. And Spamhaus isn't a bunch of assholes so that gets them the cookie in my book.

RBLs are a failure

There was a time that I supported RBLs wholeheartedly. In theory, they're a great way to approach the spam issue as a community. And for awhile, they even worked that way. RBLs were very effective in the fight against spam.

But in practice, the RBL community has been a bust. The maintainers are often militant and, IMHO, too emotionally attached to the problem. They don't provide a service anymore--they provide a surgeon with a chainsaw. While it's extremely easy to get a site on an RBL, it's often difficult or impossible to get off one. There are exceptions of course, but in general you are a designated spammer until some random magic happens and you manage to get yourself off. (yes, there are procedures, usually on a website, but often removal requests will go unreplied to, and in some cases will error. Sometimes removal works and often it doesn't) And Goddess help you if the previous owner of your IP address was a spammer. (And no, I've never run an open relay.)

I hate spam, but I don't use RBLs anymore. It's too bad, really. They were a great idea, but have been poorly managed. I'm sure someone will post links to the "good" ones, but using them is like reaching for the few good apples in a barrel of rotten ones.

Mox

Re:RBLs are a failure

I absolutely agree. My past run-ins with the MAPS people have been extremely unpleasant. "Militant" is exactly the right word. "Self righteous jerks" would also apply.

A while ago, when the MAPS DUL virus first began to spread, my dad began to have problems delivering his mail from his Linux system on a cable modem. So I contacted MAPS and told them about what I naively assumed they would agree was unintentional collateral damage. Not only did they refuse to take his IP address off the list, they were spiteful enough to contact my dad's ISP and register a complaint about his "unauthorized" server!

It goes without saying that my dad is not a spammer. And we both see to it that his system is properly maintained and configured. All we ever wanted was to exchange email email without depending on his ISP's slow and unreliable mail servers.

MAPS and other spam vigilantes are actually far worse than the spammers they claim to be fighting. No spammer has never prevented me from sending or receiving wanted email. MAPS often does so, and they have to go away. Since they're unlikely to do so on their own accord, our only alternative is to educate the ISPs to not use their services. Openly boycot any ISP who subscribes to the MAPS, and tell them we simply don't want their "help" in blocking email. Patronize the more enlightened ISPs that give you a choice as to how or whether your mail will be spam-filtered.

Re:RBLs are a failure

The maintainers are often militant and, IMHO, too emotionally attached to the problem.

Once upon a time, I monitored the SMTP traffic on one of my systems very carefully. I wrote a special-purpose demon that pretended to be an SMTP server, which logged attempts at sending email, but still passed email to postmaster and from specific people (just like the RFCs say it must).

One day, I found a series of attempts at routing email through my server. A whole series of email with RCPT TO's that were off-site. I reported this to the abuse addresses that were responsible for the IP address that was the source.

Now, I expected one of two things to happen: they'd ignore the problem report, or I'd get a "thanks" for pointing out the problem. What I GOT was a cranky response from an anti-spammer telling me it was his GOD GIVEN RIGHT to hammer on my server in any way he saw fit, and a listing for the entire ORGANIZATION in one of the RBL-like listings as "uncooperative". All because I caught him testing my system and reported it.

Needless to say, I no longer bother reporting the routing attempts to anyone. If reporting spam relay tests gets me labelled a spammer and included in blocking lists, fuck it.

You're wrong

MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend.

MAPS didn't block you.

MAPS added you to a blacklist.

Some admins have decided to block you based on you being in the MAPS list.

That may or may not be a good decision on the part of the admins.

Its easy to get angry with MAPS, but they're just publishing a list.

Re:You're wrong

I know you sound a little flamy, but it's the truth. Administrators who use MAPS are willingly allowing a third-party to choose for themselves and their users what they can and can't see.

You need to let the users know however you can (on your website?) that their administrators may be blocking their e-mail without their knowledge and let the users handle the rest. It's their problem.

In my case I got quite upset when my ISP chose to bounce e-mail about the Blaster worm from my Bugtraq subscription without letting me know or giving me a means to opt out of the filtering. It would be the same thing if I was waiting on an important e-mail that never arrived because they chose to drop it on the floor for me. The users aren't being given an option to choose, and that's the real problem.

MAPS very flawed...

First, they want you to pay for the service. They will consider free usage occasionally, but take it from someone who has submitted five (5) applications for that kind of consideration - and have been flat out ignored - they are not a valid solution anymore, and are just looking to make money with the least amount of effort.

Woe Is You

180,000 addresses is roughly equivalent to only three Class B blocks. It looks like a big number, but it's a fairly narrow target. It's all of 0.004% of the theoretical IP address space.

You've discovered the joys of running a site on the modern Internet. These kinds of things will happen; there is very, very little you can do to prevent it. Your best defense against this sort of thing is a general outage contingency plan; whether by thunderstorm, fire, hardware failure, power outage, vengeful backhoe, blacklisting, or stupid admin trick, an extended service outage is an eventuality, not a possibility.

My advice to you? Take some time to lay out an outage response plan, or learn to be satisfied with three nines availability. Don't waste your time getting 'em in a bunch over MAPS and prepare for the next time something like this hits.

Re:Woe Is You

The only people who won't get your mail are the people who CHOSE to use a particular RBL.

Ah ha!! You just hit the nail on the head, so to speak. The supposed recipient's provider/administrator is the one that is causing the blockage, no one else.

You will notice that there are two points of view in this story's comments. Those that are viamately opposed to RBL's and those that are in favor of them.

The people that are for them, such as yourself, are the network operators that are tired of dealing with the constant onslaught of spam and the complaints that it generates, not to mention the resources that it consumes.

The ones that are opposed to RBL's are the "site operators" and business owners. They are upset because their business critical emails and "news letters" are blocked, supposedly unreasonably. They fail to realize that regardless of the fact that they feel their emails and "news letters" are of critical importance, they are in fact only important to them. Everyone else, including their beloved customers, thinks those emails are spam! They are the reason that the other group started using an RBL!

For those senders of emails to people who actually subscribed to their lists, I pose a challenge. Every three months, send a message to your subscribers telling them that they will be unsubcribed and that they must opt-in again to continue to receive the "all important news letters". Most of you will never do this. But, if you did, you probably won't be surprised to find that your subscriber list shrinks drastically. Hey CNN, give it a shot!

I for one am probably going to block the entire countries of croatia, hungary, china, and korea pretty soon.

Most of my US customers have a list of country domains that are blocked. It works very well for them. in fact, I have only had one customer where this was a problem because .de was being blocked.

show resistance to these authoritarians

maybe a form of passive protest is in order here. Since you've been black-balled by these Lords of Spam, you might as well dive into the Spam business. Make whatever money you can selling viagara, cialis soft tabs and penile ejection units, might as well.. around town everybody knows you as the hero-cum-spammer.

When they take you off the list, stop spamming.

Re:MAPS is better than SPAM

Actually, no, that's not what I'm admitting. My co-location provider had some customers that were the problem. And when I talked to them, they said those problem customers were terminated before the blacklist even happened. They didn't respond to MAPS in time, and MAPS took it upon themselves to blacklist 180,000 IPs, affecting innocent people like myself all over the world.

Re:MAPS is better than SPAM

Then your co-lo provider is clueless and you should find another. If they offer 99.9% reliability, you should ask them for a refund for the month.

Re:MAPS is better than SPAM

So you admit, that you were relaying SPAM No, read the guy's story again. A) He was not sending spam. B) Someone else at his ISP did send spam through the IPs they get from the ISP. C) His ISP did not respond 'fast enough' for MAPS. What is not clear is what is 'fast enough'. D) MAPS blacklisted him.

It beats some of the others

which offer no way to contact them and no way to get off. Others are private lists run by telcos that offer no acknowledgement of the BL or how to get off it. Not an easy task.

MAPS has made some big bloopers over time. They've also done a heck of a lot of good. The founders have had to endure all sorts of attacks, threats on their lives, etc.. and they perservered with their vision.

Are they perfect? Far from it. IMHO, if you weigh the good they've done against the harm they've caused, my view is they are overwhelmingly good.

As for Kelkea, I have no opinion.

Re:on the other hand...

" My ISP responded quickly and sufficiently, and it still took MAPS several more hours to remove the blacklist."

The blacklists you need to worry about are the ones that don't tell you that you are on them - the multiple small ones that quietly shut off access to their mail servers, or send email from certain net blocks to /dev/null and never check to see if the spam has stopped. You will never know how many of these your co-lo's spamming customers have annoyed to the extent they just flipped the switch.

Spam has been a big problem for long enough, and the various blackhole lists have been in action long enough, that your ISP or co-lo or whatever should have been aware of the consequences of harboring spammers. One of the " rules of the internet" is that I can refuse to accept email from any domain I don't feel like accepting email from. If I choose to accept the recommendations of MAPS, it's my right to do so ... you and your ISP have no right to tell me I must or must not listen to MAPS or even Fluffy.

If i remember correctly...

We stopped using some blacklist when I was working at netmar [netmar.com] a couple of years ago. I remember it being a huge pain for customers.

Of course, we had been saving all our spam since like 1997, and when we fed all the spam (30,000 messages?) into a bayesian filter, it caught most spam. Also, we still used ORDB, as they tend to only target specific kinds of problems (obviously, Open Relay Data Base). That caught a lot, also.

Really, it goes back to the eternal tradeoff for any computer system - ease of use traded for security. Always.

Strike a compromise - don't be overzealous, but take reasonable precautions.

~Will

The only thing worse than a spammer is an RBL scam

What do you do when you find out that a domain that gets used is blacklisted by someone for no reason, and they won't take you off the list unless you give them $250?

Standardization?

There should be some kind of standardization as to why IP ranges are blacklisted.

Not like, "They said they were neo-Nazi's and we've chosen to ban their entire ISP for not removing their page, because we're offended by Nazi's." which could very well happen now.

But more like, "We've received over 500 unique spam complaints about IPs in this range. Company hasn't responded in 5 business days. IP range is now blacklisted until they do something about it and contact us."

Of course, the larger the ISP, the more attempts to contact them could be made. Like maybe two weeks for a large ISP and a week for a smaller or ISP that's in some backwater country.

DNSBLs are a mixed bag

Some are well maintained, and even automatically maintained. spamhaus [spamhaus.org] and spamcop [spamcop.net] come to mind. One of the less desirable ones that comes to mind is SORBS [sorbs.net], where if they list you in one category you've got to donate $50 to charity [sorbs.net], per message, to be delisted. You're an ISP providing smtp to your customers, and you're listed again? Tough.

Similar thing...

happened to my girlfriend's work, a charity, operating a clear, double-opt-in newsletter service about their ongoing work... some moron who clearly subscribed to their newsletter decided it was easier to use an automated "report as spam to ORBS" tool then it was to simply reply to the e-mail, click the "unsubscribe now" link, or re-visit the web site and opt-out via the very prominent, very obvious opt-out tool.

ORBS, in turns, blacklisted their mail server as an open relay, and then had the unbelievable nerve to tell my girlfriend that they would lift the ban in exchange for a "donation" so that they could continue to run their service.

While this isn't criminal, it's morally repugnant.

Bottom line, "blacklist" services like ORBS/MAPS are a horrible, misguided and idiotic idea. Case study after research project after real-life experience can attest to this.

Re:Similar thing...

The only people who use the phrase "double opt-in" are spammers.

Oh, bullshit. Consider this scenario:

Customer: I need some more memory, my computer is running low.

Clerk: What sort of memory do you need? PC133, maybe?

Customer: I need a couple more RAMs, I'm running out of space to store my files.

Clerk: Ah, so you need a bigger hard drive!

Customer: Right, some more memory, like I said.

The customer knows what he needs (more storage space for his files), he just isn't sure which term to use. And why should he? He isn't in the computer business, so nobody expects him to be familiar with all of the lingo. That doesn't mean he's an idiot.

Legitimate mass mailers talk about "confirmed opt-in."

No, professional mass mailers should be using this phrase if they want to appear reputable in their field. Jane Public, who operates a charity and not a mass mailing company, might describe her mailing list as "double opt-in" and might ask the computer store for "more memory" when her disk is filling up.

NO!

You should never trust any RBL, but if you must, you should pick one which defines a VERY narrow criteria with NO collateral damage.

Time and time again, I see people trying to enforce someone else's terms of service (usually poorly, and without room for any exception), getting blacklisted for non-spam activities (e.g. using a provider that hosts a spammer willingly), etc, etc.

These are attacks on the nature of the Internet as a network of peers.

Spamhaus does a very good job with XBL of listing just systems that are known zombies, relays, etc.

Combined with a decent offender-only list of bulk spam sources (I use dnsbl.antispam.or.id), you get excellent results, with few (none that I've been able to discover through analysis) false positives.

SpamAssassin, of course, makes this a moot point by combining and weighting several sources. I've never seen a false positive from SA as a result of bad blacklist handling (other tests, sure, but not it's DNSBLs). However, you may need some pre-filtering at SMTP time to reduce the load on your spam-filtering system, and that's where the above strategy comes back into play.

Story has valid complaint.

1. MAPS finds problem, discovers hosting by co-loc, bans entire co-loc.
2. Very shortly after ban, MAPS is unavailable for contact for 48+ hours.
3. MAPS refuses to unban innocent bystander.
4. MAPS refuses bystander's plea to contact co-loc.

Seems to me that MAPS has several problem. Aside from procedural issues, perceived arrogance, negligence, incompetence. Submitter is right. Overzealous, for sure.

I sure wish they were better. It hurts the users.

Missing critical information

The poster goes to pains to point out that a massive 180,210 IPs (that is such a strange number. Where did it come from?) have been blocks, but goes to equal pain to avoid identifying either the ISP or the specific netblock(s) which were blocked.

If we go thru the history if the ISP and netblock in question, we may find that an infamous spammer has been using it for the last 6 months with no attempt by the ISP to resolv the problem despite many warnings from MAPS and other anti-spam organizations -- or we may find that MAPS went on a wildcat strike.

Given the very vague real data about this dispute, I'd be inclined to tell the complainant that he's probably the customer of a hardened spam provider, and he may be best to find another provider (as unpleasant as the move will be). If we get more than generic information, I may be able to giver more than a generic suggestion.

Usually Usenet death penalties are a last resort. MAPS may seem like they're assholes, but my guess is that they're finding themselves dealing with some assoles of their own (i.e. the offending ISP). In the moment, they can't tell the difference between you, and the offending spammer(s) who triggered this showdown. (( I'll presume, for the sake of argument, that you're not a spammer yourself )).
They're not willing to deal with you because their beef is with the ISP, and that's the only place where the problem can be resolved. They're iconveniencing you because it's probably one of the few tools left that they have to push your ISP to stop inconveniencing the entire internet.

Is this rhetorical?

Should You Trust MAPS?

On behalf of many members of the male gender I would say no. We don't trust those lying overpriced pieces of paper. And we don't ask for directions. We rely on our innate sense of direction.

One time, I even made it to Mexico without consulting a map. It took me days but I got there. I learned a lot that I didn't expect from that road trip. Like it's so cold in Mexico that there's moose everywhere. Also the Mexicans tend to pronounce things a bit differently. Like "about" is pronounced more like "aboot". And they tend to say "eh?" a lot. It's far different than the Mexico I read about as a kid.

overall comment

I find it stunning to see all of these complaints about RBLs from people who apparently consider internet email access vital to their business processes, but have service from only one ISP. Have these people never heard of redundancy????

Welcome to ISP email administration - Level 2

It doesn't matter if it's MAPS, ORBS, SPEWS, Spamhaus, or even AOL; if you administer outbound email, you are likely to be affected by someone protecting their email systems from spam. It is usually not your fault, but if others don't normally get listed frequently, there has to be some reason (unresponsive upstream ISP, something one of your customers or users is doing, a preventable misunderstanding about mailing lists) that got you listed.

If one RBL service has too many false positives, ISPs usually stop using them. MAPS is still in business, so their false positive rate probably isn't absurdly high.

Here are some tips to help email administrators keep their email flowing:

1. Negotiate ahead of time to get your servers whitelisted or registered as a "good" server. This means setting up proper forward/reverse DNS, configuring SPF, possibly registering with one or more "bonded sender" programs, looking at the AOL postmaster FAQ and getting into their whitelist system, etc.

2. Lease yourself a shared or dedicated server (think $25/mo -$60/mo) at another colocation facility that you can use to configure to be a mail relay for your primary mail servers. If delivery fails enough from your primary server, it should requeue the message to go out via your relay, perhaps after you've diagnosed the cause of the blocking complaint.

3. Setup test scripts to periodically poll major DNS RBLs for the status of your IP address and alert you when you're listed. (Perhaps tie this in to automatically activate your relay server in #2).

4. Ask your ISP what their spam policies are and assess your risk to getting mixed up in their other customers' problems. If they aren't vehemently anti-SPAM themselves, consider another provider for your outbound mail. By "vehemently", I mean: They have their own enformcement policies and 24-hour contact escallation policies with each customer, and will shut down customers that are not responsive to handling complaints.

5. If you manage mailing lists, make sure each and every message at the bottom has a link to the proof about how the recipient opted in for the message. (PS: Stop using email to distribute content! It's so, like, 20th-century. If your content is any good, they'll access it regularly via the web or RSS it into their portal.)

-ez

(Disclaimer: I'm the the inventor of DNS RBL. Your misery is partly my fault. Mua ha ha ha.)

Karma: Whore (you look at your score after posting)

Re:Welcome to ISP email administration - Level 2

1. Negotiate ahead of time to get your servers whitelisted or registered as a "good" server. This means setting up proper forward/reverse DNS, configuring SPF, possibly registering with one or more "bonded sender" programs, looking at the AOL postmaster FAQ and getting into their whitelist system, etc.

Well that is all well and good, but AOL doesn't whitelist. IF you can prove you are for real and a valid mailling list server etc, they will take that into account when looking at the volume of complaints coming from said IP, but it isn't a guarenteed whitelist. At least what I can find in dealing with their Postmaster.info stuff. Couple that and with their Brain dead users and the report as spam button, we finally made a rule that you can nolonger forward mail from our Virt Servers to your AOL account. Since AOL decides who do blacklist based on the last server that the mail came through before it got to them. So if one of my 40K or so customers forwards xxx@domiain to yyy@aol, every time they hit the report as spam button (which I am told is very close to the delete button), I get a nasty gram, and if they do it enough, you get the AOL report card, that says we have concerns about your ability to send e-mail to us since your complaint level has hit zz%. THe other fun part of that, is that users think anything they don't like is spam, or they aim with the mouse isn't quite good enough to hit the correct button, as we get copies of Private notes responding to a message from an AOL user, stuff between friends. People responding back to a note from their mothers,etc... Me personally could care less if I can send e-mail to AOL, but if my mail clusters get blacklisted , I have a lot of very uspet customers, and it costs us a lot of money to fix.

ok Rant mode off..

spamcop beatings

Our small ISP has had to struggle repeatedly with SpamCop. I will say that once we finally got some dialog going with SpamCop (which was not very easy to do...) they were very nice and fairly helpful. And the apologised each time and explained what happened (it involves one of our customers, who run their own mail server, with us as a backup MX, actually being a SpamCop customer, and not having configured his account properly, and thus the spam they reported which was delivered through us caused us to get black listed. Yes, he managed to blacklist his own ISP...!)... This happened several times. Several of our customers noticed the blacklisting and were not happy campers.

This is particularly difficult for small ISPs which have to struggle enough already to hang on to our niche.

And it is especially sad for long established ISP such as ourselves, who have been in the business since practically the beginning of the commercially available internet.

The DDoS attacks we've suffered once or twice in the past have not hurt so much as being blacklisted by SpamCop. Being smacked down by "friendly fire" really makes one dispair.

No matter how nice and helpful they were once we finally got them to talk to us, I can't say I will ever be able to trust them.

Previous to that SORBS black listed us several times. Their security scanner for some reason believed that one of our Zope ftp servers, on a non-standard port, was a compromised machine.

We've been innocence each and every one of these times.

I have to admit in some of my emails to SpamCop I was a little bitter. In one I suggested, tongue in cheek, that I was going to start a blacklist blacklist and have their blacklist blacklisted.

In another I couldn't help but must wonder if they aren't some sort of anti-terrorist terrorists...

I don't know the answer. But It's clear from the overwhelmingly negative response here that the issue of innocent victims being blacklisting is widespread, and extremely aggravating.

But no doubt just as spammers will continue to exist, the blacklists, right or wrong, will continue to think they are fighting the good fight. And sysadmins who haven't yet experienced the helpless sinking feeling of being innocently blacklisted themselves will continue to see the blacklist services as an quick and easy answer to one of the biggest and most difficult problems on the internet.

There is a reason vigilante systems got a bad name

It's hard to figure out the right way to do justice. But the reason that "vigilante" is a bad word is not because ad-hoc or public systems of justice can't do things right. It's because we've learned, the very hard way, that all systems of justice need accountability and checks and balances built into them. Built into them _hard_, from the very start, and impossible to remove. And even then, people find ways to remove them.

The vigilance committees start with the best of intentions. And often they do good, and help the problem. But history knows it doesn't always go that way, and when there are no checks and balances, you pay the price.

Of course, it's not impossible to set up a private justice system that has the right safeguards. But the safeguards are expensive. They deliberately... deliberately are designed to let many guilty people go unpunished. This frustrates people (especially in the spam wars, amazingly.) So people rarely stick to the safeguards.

This is why many people were worried about blacklists like these from the very start, even when they had nothing but the best laid plans.

Spamhaus

And on a broader front, are you really prepared to trust a company like Kelkea, Inc. (owners of MAPS) to decide what emails gets to you without really knowing how they operate and deal with resolution processes?

There's a reason I stick to Spamhaus as the sole RBL at work (and at home) - professionalism. They spell out criteria and rationale clearly on their website. They list only IPs, rather than blindly blocking entire netblocks or domains. The delisting policy is incredibly liberal by default, but temper that by tracking repeat offenders. And (this is where a _lot_ of lists fall down) they assign a TTL to every entry and automatically expire the entries even if the owner doesn't report a resolution.

We block millions of messages a day based on the SBL/XBL lists and have, to date, recieved only one query from a client about why a particular message was blocked, and it turned out the recipient had a worm outbreak that got them places on the XBL. The block had been lifted before it even made it to our support team.

Educate those using it

I had a server blocked by some really dumb anti spam site a while back, there was an open formmail on some customer's site, we recieved a complaint, we found it, we deleted it, I think in all we got 2 spamcop complaints and one complaint from a person so obviously there wasn't -that- much spam sent before we were notified and nuked the formmailer.

Time between us recieving the -first- complaint and the script being nuked from the server? Minutes, not even half an hour. It's not like we ignored the problem and allowed it to fester.

Well we ended up on some spam list that (get this) requires you to make a $50 donation to some charity to get off the list! Oh and it gets better, they listed 3 charities, 2 of them didn't work because they wanted NOTHING to do with this spam list after they were dossed, attacked, hounded, and overall just harassed for these bozos listing them on their site. The 3rd charity? Some legal defense fund, via PAYPAL for... the owner of the site!!

Well the -1- server blocking email because of that list I just contacted them and pointed them at this podunk little anti spam site and they quit using them and email went through and all was well.

Months later, 4 or more, we're STILL listed on that damned spam site. I could care less.

Spews and maps are just making it so any serious sysadmin/network/provider can NOT use them for RBL blocking, they're just overzealous.

I use spamcop, ordb, blitzed, and spamhaus quite regularly on a variety of servers, the "false positives" are low, and I rarely hear of someone legitimately not able to send email to anyone I host.

Spanked

"Recently, my co-location facility was hit by a massive blacklist by an over-zealous 'investigator' at MAPS. 180,210 IP addresses in total are included in the blacklist -- and all because of a few spam complaints that weren't dealt with quickly enough.

Define "quickly enough". If it's been more than 48 hours and the spammers are still there, that's too slow.

To make matters worse, they put this in effect either late Friday night, or early Saturday morning -- hours during which MAPS is not available for contact! (Mon-Fri, 9-5 only) How do people deal with MAPS and other RBL services who will not cooperate or be reasonable?

By not having a spam/virus transmisison problem. Works for me.

And on a broader front, are you really prepared to trust a company like Kelkea, Inc. (owners of MAPS) to decide what emails gets to you without really knowing how they operate and deal with resolution processes?"

Yes.

"I spent all weekend long trying to get a hold of the people at MAPS, as they don't bother telling you when they are open.

Their web forms [mail-abuse.net] are always open.

When I finally got a hold of someone on Monday morning (not an easy task, mind you!), they told me that they are not open on the weekend, so it would have been *impossible* to resolve this issue quickly.

Impossible without using their web forms, that is.

And because I was only a customer of the company who owns these IPs, they would not unblock my subset of IPs.

Lets see, you are a customer of the people with the problem, you are not in the loop with your ISP as to exactly what actions have been taken, you don't know exactly what customers were involved, nor any of the sensitive details someone is going to want to know when there has been a massive spam run. Gee, that's too bad poor baby.

Despite the problem originating from a handful of IP addresses, MAPS saw it appropriate to block over 180,000 IP addresses just before the weekend!

Never heard of snowshoe spamming? You live in a cave? News flash, many responsible systems admins block far more than just a /19. Many block /7's and /6's on private block lists.

I had already made several phone calls and emails to my co-location facility, and they told me they were doing their best to get a hold of someone there. Several emails had been sent, and just as I first experienced, they could not reach anyone at MAPS by phone.

See link to web form above.

When I finally talked to someone at MAPS, he told me that he would not be proactive in the matter by actually phoning my co-locator to work this out.

See above about having "standing".

These people at MAPS thinks themselves quite high and holy, and in some ways they are: many ISPs and the like will bounce emails just because MAPS tells them to. (I've since removed MAPS from my list of RBL servers to check.) As a small-business owner, MAPS can be very hurtful to a business and very uncooperative in helping resolve the issue.

If you are a business owner and fail to understand exactly why email is not a garenteed delevery system, and your business depends on email, then you are very stupid and deserve to go broke.

I gave them a couple subnets of mine to unblock, but they would not, even though my IPs were not involved in the original complaint.

And spammers NEVER lie. They NEVER pose as someone else. They ALWAYS tell everybody what IP ranges they intend to use in their spam run two weeks before thay use it.

This experience has certainly made me think twice about who I trust to decide the fate of my incoming email."

Good for you. Now, when you get finished thinking about that, think about how you can make your small business profitible when you can't use email. It's obvious to me that you fail to understand what we

Reality check!

MAPS isn't doing anything wrong, they simply gather findings and make them available to their subscribers. They exist to serve the interests of those subscribers, not the interests of some random nobodies who wish to send mail to those subscribers. MAPS is under no obligation to provide 24/7 assistance to the ``unfairly'' blacklisted domains. What exactly would be the business case for doing that? Who would pay those operators who wake up at 3:30 a.m. on a Saturday to service a complain?

MAPS subscribers are aware of its limitations and problems and, guess what, they don't care and use the blacklist anyway! A MAPS user doesn't care that some random nobody sometimes gets ``unfairly'' blacklisted and is unable to contact them for an entire weekend. They care most about not getting spam and are glad that MAPS is so strict. In other words, the subscribers share the same values as the MAPS operators! If MAPS were to change the way it operates, those users might well switch to some other service that follows the original policies. MAPS users even accept that sometimes they won't be able to talk to other MAPS users because of the same problem you are having. Yet they remain MAPS users. Therefore, they will hardly be sympathetic to your case.

So basically, your complaint boils down to the existence of difficult people who have very particular rules about being talked to because they don't want to be bothered. The system by which they share those rules with each other isn't what's standing in your way here.

Re:Customer service vs customer service.

Yeah, except it sounds like the submitters IP was not involved in the spam complaint. Its difficult to respond to something you never recieve.

If hunting spammers was legal this wouldnt be a problem at all.. Uh. unless someone thinks you sent them spam due to faked headers etc..

At the very least it should be reasonable to punch someone who buys something from spam. The main problem is the vast and bountiful supply of idiots that make it worthwhile for the spammer bastards to carry on as they do.

Re:Customer service vs customer service.

Uh, that helps absolutely none in this particular case. If you'd bother to read the text, and it wasn't even a full article, some OTHER company/person was responsible for 180,000 IPs getting blocked, including his subnets which had ABSOLUTELY NOTHING to do with it.... His company's customer service had squat to do with it. Neither did his ISP's really...

Re:Not anymore

Well, I think it's pretty damn irresponsible for RBLs to be blocking entire subnet, as tempting as that might be. We had RoadRunner do that to our /23 address space, and we couldn't even find anyone who could do anything about it. I eventually said "Screw you" and refused delivery of anything with "rr.com" on the end of it. A few months ago, the block simply disappeared.

TCP/IP Elitism [was Re:Not anymore]

Why is an IP address not just an IP address? Stop being so elitist. IP didn't have a NOBLEMAN/SERF bit in every header last time I checked.

It's lazy ISPs' faults that spammers aren't shut down quickly, thus these blacklists have to take out whole blocks, causing collatoral damage like the original article describes.

The internet was designed to allow PEERS to talk to ther PEERS. It's an equal-opportunity protocol stack, by design. Too bad some people no longer believe in this principle.

Re:Not anymore

I agree, my first real negative experience with them, was when I was attempting to be proactive. I was setting up an email server and wanted to find out what holes came in the base configuration. I feed it an IP plugged the in-progress server to get back a report, and found my IP address automatically blocked. This address belonged to an active server that was already properly configured but the client didn't have any extra IPs for me to use. There server was down the entire weekend, plus three workdays, before I could get them to remove the ban. Yet, they encourage techs to test a machine and receive a report of security holes. After that, I pretty much put out the word to never use their service to test a machine that's being built.

I hate spam, but their methods pretty much demand a new approach to fighting spam, creating blacklist, and even just testing servers. Their support is horrible and while it guarantees it will hurt a spammer here or there, that's pretty much like shooting in a crowd then stating well at least I killed a bad guy.