Spam: The last crusade

Spam: The last crusade

Summary: What annoys Josh Mehlman even more than spam are self-styled anti-spam vigilantes. These groups' anti-spam lists are open to serious question about how they're compiled and managed.

TOPICS: Security
Nobody really likes spam. But what do you do when the cure is worse than the disease?

If last month's column taught me anything, it's never to question people's religious beliefs. Apparently, if I disagree with someone's opinions--especially about something that attracts as much fundamentalist devotion as Linux--then I can't write, am stupid, can't use a slide rule let alone a computer, don't understand logic, and wear women's underwear. (I'm as stumped as you are about that last one.)

On the other hand, I'm a slow learner.

Aside from its occasional amusement value, spam is just plain annoying. Who wouldn't be interested in making money without leaving the house, helping out Nigerian ex-ministers, giving themselves an extra three inches, or seeing the photos of 18-year-old Vicki's recent sleep-over at her girlfriends' place?

But what annoys me even more than spam are self-styled anti-spam vigilantes.

A Perth-based company called T3 Direct recently sued a man who the company claims dobbed it in to an anti-spam blacklist called SPEWS (spam prevention early warning system). The details of the case are complicated, to say the least, but it highlights some important issues.

Organizations like SPEWS, ORDB (open relay database), and MAPS (mail abuse prevention system) build lists of mail server IP addresses that they claim are known to send spam. The idea being, organizations wishing to reduce spam need only subscribe to these lists, and configure their mail servers not to accept any mail from the IP addresses listed.

Sounds good, if these lists were compiled and managed in an open, transparent, and accountable manner. But they're not. Not even close. How does an IP address get on the list in the first place? How do the list organizers prove the owner of the IP address is actually sending spam? Can companies sue for lost income if falsely accused? Is there an appeals system? And how do IP addresses get removed? In answering the first two questions, these groups claim they have rigorous technical criteria. You can't just dob in a spammer, they pronounce. I wonder how true this claim is; after all, dobbing in a spammer is what T3's lawsuit is all about.

But T3 is suing the person who tipped off the list's organizers, not the list itself. By operating in secret, SPEWS' organizers hope to avoid the lawsuits that have shut down other anti-spam groups. (Like all vigilantes, they would like to think of themselves as above the law, in any case.)

Most importantly, how do you appeal the decision, or get IP addresses off the lists?

You can't. Organizations who have tried have discovered the anti-spammers don't respond to e-mail and of course don't list their phone numbers or postal addresses.

SPEWS' attitude is indicative. In answer to the question "How do I get off the list?", SPEWS' FAQ answers "Sorry, SPEWS is a list of known spammers, spamming operations, and spam supporters, if you fit the criteria there's a good chance you will be listed and stay listed. If you are a spammer, may we suggest you get a real job?" In other words, if we say you're a spammer, you're a spammer. Forever. And if you're not a spammer?

Aside from the incredible leeway for political censorship, corporate sabotage, and just plain pigheadedness this situation creates, it ignores the fact that IP addresses change quite often. When the ACT Brumbies rugby club inherited a set of IP addresses from a company that was on SPEWS' blacklist, the club found it easier to get Telstra to change the IP addresses than to get the addresses removed from SPEWS' list. Knowing how bureaucratic Telstra can be gives you an idea of how intractable the anti-spam zealots are.

Religious fervor tends to blind people to subtleties; they tend to see everything in black and white, good and evil. Anti-spam vigilantes view spam as evil, therefore everything they do to combat spam is good. But this sort of arrogant zeal makes it all too easy to ignore the complexities and responsibilities of the real world.

May I suggest to the anti-spammers to take their own advice: get a real job, folks. Or treat spam prevention as a real job, not a crusade; do it professionally, openly, and most of all, fairly--you could even make some money that way.

Have you been happy with the likes of MAPS, SPEWS, and ORDB? TalkBack below or e-mail us with your thoughts.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • RE: Spam: The last crusade

    I, too, find that these "groups" operate out of both sides of their mouths. I believe that they take any business or organization with mailing lists and subject them to their criteria. Then when we get phished or forged, they just put us deeper into their spam listings. NO WAY OUT!