Spam Prevention Early Warning System

Last updated

The Spam Prevention Early Warning System (SPEWS) was an anonymous service that maintained a list of IP address ranges belonging to internet service providers (ISPs) that host spammers and show little action to prevent their abuse of other networks' resources. It could be used by Internet sites as an additional source of information about the senders of unsolicited bulk email, better known as spam.

Contents

SPEWS is no longer active. A successor, the Anonymous Postmaster Early Warning System(APEWS), appeared in January 2007. [1]

Overview

SPEWS itself published a large text file containing its listings, and operated a database where web users could query the reasons for a listing. Users of SPEWS could access these data via DNS for use by software for DNSBL anti-spam techniques.

For instance, many mail sites used the SPEWS data provided at spews.relays.osirusoft.com. All DNSBLs hosted by Osirusoft were shut down on August 27, 2003 after several weeks of denial of service attacks. A number of other mirrors existed based on the SPEWS data, which remained accessible to the public. SORBS, for example, provided a mirror of SPEWS data until early 2007.

There was a certain degree of controversy regarding SPEWS' anonymity and its methods. By remaining anonymous, the SPEWS admins presumably wanted to avoid harassment and lawsuits of the sort which have hampered other anti-spam services such as the MAPS RBL and ORBS.

Some ISP clients whose providers were listed on SPEWS took umbrage that their own IP addresses were associated with spamming, and that their mail might be blocked by users of the SPEWS data; often they did not understand that it was their provider that was listed. Sometimes, the only solution was to leave the blacklisted provider, as SPEWS was not willing to cut holes in a listing for a clean user in an otherwise dirty IP block. There was no way for either the customer or the provider to contact SPEWS, and SPEWS claimed that the listings would be removed only when the associated abuse stopped.

The SPEWS database has not been updated since August 24, 2006; dnsbl.com lists its status as dead. [2] Since SPEWS became inactive, the Anonymous Postmaster Early Warning System (APEWS) has taken its place, using similar listing criteria and a nearly identical web page.

Process

The precise process by which SPEWS gathered data about spam sources is unknown to the public, and it is likely that its operators used multiple techniques.

SPEWS seemed to collect some information from honeypots—mail servers or single email addresses to which no legitimate mail is received. These may be dummy addresses which have never sent any email (and therefore could not have requested to be subscribed to any legitimate mailing list). They may also be placed as bait in the header of a Usenet post or on a Web page, where a spammer might discover them and choose to spam them.

The SPEWS Website made it clear that when spam was received, the operators filed a complaint with the ISP or other site responsible for the spam source. Only if the spam continued after this complaint was the source listed. However, SPEWS was anonymous—when these complaints were sent, they were not marked as being from SPEWS, and the site was not told that ignoring the complaint would result in a listing. This had the effect of determining the ISP's response to a normal user's spam complaint, and also discouraged listwashing—continuing to spam, but with the complaining address removed from the target list.

If the spam did not stop over time, SPEWS increased the size of the address range listed through a process referred to as "escalation". This process was repeated, conceivably until the entire netblock owned by the offending service provider was listed or the block was large enough that the service provider is encouraged to take action by the complaints of its paying customers.

Criteria for listing

SPEWS criteria were based on "spam support"; when a network operation provided any services to the identified spammers, the resources involved were listed. For instance, part of an ISP's network may have been listed in SPEWS for providing DNS service to a domain mentioned in a piece of e-mail spam, even if the messages weren't sent from said provider's mail servers.

Listing data or evidence files

IP addresses listed in SPEWS were mentioned in "evidence files". These were plain text files, which appeared to have been edited by hand, in which those IP addresses along with the technical evidence backing the listing, were shown. The contents of those evidence files might seem rather cryptic to readers who were not intimately familiar with the technical jargon of the Internet.

Criticism of SPEWS

No one knows how many service providers used the SPEWS list to reject mail.

Contacting SPEWS

One common criticism is that there was no way to contact SPEWS. According to the SPEWS FAQ: "Q41: How does one contact SPEWS? A41: One does not..." Having no way to contact SPEWS is seen as a way for SPEWS to avoid having to deal with complaints—even if they are legitimate—and to be immune from many consequences of mistakes, bad policies, or other problems. This caused SPEWS itself to be listed on some other DNSBLs such as those formerly maintained at RFC-Ignorant. [3]

A countervailing view is that SPEWS adopted the policy as a response to vexatious litigation against, e.g. MAPS RBL. There was nothing on the SPEWS web site to indicate that they did not care about legitimate issues, just that they didn't want to deal with specious complaints from spammers.

Criticism

SPEWS critics claimed it blocked sites for reasons they considered unfair. They argued that an ordinary customer of an ISP should not be held responsible for the actions of other customers of that ISP.

Counter argument

Supporters responded that SPEWS was a list of ISPs with spam problems. The ISP was listed, not the customers. This was often argued with an analogy of pizza delivery companies who will not deliver to high crime areas. It's a bad situation for someone "stuck" in a bad area, but supporters argue that this also provides encouragement for a good citizen to unstick themselves and move to an ISP without a spam problem. The bad ISP loses revenue and the good ISP gets more customers, further encouraging bad ISPs to clean up.

Supporters of SPEWS often pointed to the claim that SPEWS "blocked" email from sites as a misconception. A SPEWS listing only caused mail to be refused if the recipient of the email (or their ISP) chose to block based on the SPEWS IP list.

This counter argument has been criticized on the grounds that SPEWS spread information in a way conducive for blocking, with the knowledge that people are using it to block. According to this criticism, SPEWS should then have been considered partly responsible for any blocking that was done and could be legitimately blamed if the blocking was inappropriate. In this view, the claims that lists such as SPEWS are advisory and that SPEWS itself did not block were seen as attempts to evade responsibility for SPEWS's own actions.

Delisting

According to the SPEWS FAQ, listings were removed when the spam or spam-support has stopped. Just as they did not solicit nominations for listings, the SPEWS operators did not solicit requests for delistings. There was no contact information published on the SPEWS Website. There was no spews.org mail server, and the operators of SPEWS did not receive email under the SPEWS name.

It is believed that the operators read certain Usenet newsgroups related to spam and email abuse. However, no poster has claimed to be a SPEWS operator and no regular of the newsgroups claimed to know their identity. By the accounts of many of those regulars, SPEWS could detect automatically when such support stopped, but this was not supported by any information in the SPEWS FAQ.

See also

Related Research Articles

<span class="mw-page-title-main">Spamming</span> Unsolicited electronic messages, especially advertisements

Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, for any prohibited purpose, or simply repeatedly sending the same message to the same user. While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam. It is named after Spam, a luncheon meat, by way of a Monty Python sketch about a restaurant that has Spam in almost every dish in which Vikings annoyingly sing "Spam" repeatedly.

<span class="mw-page-title-main">Open mail relay</span>

An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular because of their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers.

news.admin.net-abuse.email is a Usenet newsgroup devoted to discussion of the abuse of email systems, specifically through spam and similar attacks. According to a timeline compiled by Keith Lynch, news.admin.net-abuse.email was the first widely available electronic forum for discussing spam.

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.

Various anti-spam techniques are used to prevent email spam.

<span class="mw-page-title-main">Email spam</span> Unsolicited electronic advertising by e-mail

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming).

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers.

Disposable email addressing, also known as DEA or dark mail, refers to an approach which involves a unique email address being used for every contact, entity, or for a limited number of times or uses. The benefit is that if anyone compromises the address or utilizes it in connection with email abuse, the address owner can easily cancel it without affecting any of their other contacts.

Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.

SORBS is a list of e-mail servers suspected of sending or relaying spam. It has been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.

Wayne Mansfield, of Perth, Western Australia, was the head of direct marketing business T3 Direct Marketing, operating under a series of two-dollar companies, and in 2005 became the first Australian to be prosecuted for email spamming.

Xtra was a brand used by New Zealand telecommunications provider Spark for its Internet service provider subsidiary from 1996 to 2008. At its inception, Xtra provided only dial-up Internet access, but began providing ADSL service in 1999.

The Abusive Hosts Blocking List (AHBL) was an internet abuse tracking and filtering system developed by The Summit Open Source Development Group, and based on the original Summit Blocking List (2000–2002). Its DNSBLs were shut down on Jan 1, 2015 and now appear to be blacklisting the entire Internet.

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.

The Mail Abuse Prevention System (MAPS) is an organization that provides anti-spam support by maintaining a DNSBL. They provide five black lists, categorising why an address or an IP block is listed:

A Dial-up/Dynamic User List (DUL) is a type of DNSBL which contains the IP addresses an ISP assigns to its customer on a temporary basis, often using DHCP or similar protocols. Dynamically assigned IP addresses are contrasted with static IP addresses which do not change once they have been allocated by the service provider.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Since Internet users and system administrators have deployed a vast array of techniques to block, filter, or otherwise banish spam from users' mailboxes and almost all Internet service providers forbid the use of their services to send spam or to operate spam-support services, special techniques are employed to deliver spam emails. Both commercial firms and volunteers run subscriber services dedicated to blocking or filtering spam.

People tend to be much less bothered by spam slipping through filters into their mail box, than having desired e-mail ("ham") blocked. Trying to balance false negatives vs false positives is critical for a successful anti-spam system. As servers are not able to block all spam there are some tools for individual users to help control over this balance.

A mailbox provider, mail service provider or, somewhat improperly, email service provider is a provider of email hosting. It implements email servers to send, receive, accept, and store email for other organizations or end users, on their behalf.

References

SPEWS and APEWS websites

Advice by others