Ask Slashdot: Dealing With Anti-Spam Service Extortion? 279
An anonymous reader writes "I work for a European ISP, and lately we're receiving quite a few complaints from customers about not being able to send emails because of UCEProtect's listings. After checking with their site, we found out that our whole AS (!) was blacklisted. Their 'immediate removal policy' asks for money, around 90 euros Per IP for end users and 300 euros for ISPs, and their site has bold statements like
'YOU ARE LOSING YOUR RIGHT TO EXPRESSDELIST YOUR IP IF YOU ARE STUPID AND CLAIMING THIS WOULD BE BLACKMAIL...'
Could this be considered extortion-blackmail ? Has anyone else on Slashdot dealt with this service before?"
Excessive smiley faces (Score:5, Insightful)
Maybe it's the language barrier, but that seems like a lot of smiley faces and profanity for a professional organization.
Their revenue model seems odd as well - it's almost like they're set up just to extract money from senders.
My instinct is don't pay them, figure out why you got listed, and stop whatever triggered the listing.
If the customers are complaining excessively, consider the unblock fee - once. Definitely terminate the accounts of the spammers.
Re:Wel you got enough guns (Score:3, Insightful)
Some Suggestions (Score:5, Insightful)
Firstly, as Pamela Jones over at Groklaw would tell you in a heartbeat, convince someone at your company to take legal advice. If your company is contemplating action of any kind in response to what has happened, it is critically important that you understand that your intended steps will not undermine you at some later date. Only a legal professional can tell you that. So please, get proper legal advice.
Secondly, thinking about the relationship between yourself and the party you believe to be performing the blocking/spam filtering. Is the issue between your company and the third party, or your *clients* and the third party? I can understand that you are coming under fire from your clients, but please refer back to the first point, above.
Third, go get familiar with the relevant legal frameworks. Your legal support, when you hire, them, is going to start asking legal questions. You understand the tech, but take the time to familiarise yourself with the law. Start with: RIPA (the Regulation of Investigatory Powers, which, IIRC, makes it illegal to intercept any communication between two parties), PEC (the Privacy in Electronic Communications Act [2003]), and take a quick look at the DPA (Data Protection Act [1998]) inasmuch as the data being generated and acted upon by the third party [email addresses] was created for the express purpose of *routing email traffic*, not *filtering* email traffic. There may be an argument that the filtering is inappropriate. See how a lawyer (I'm not one) can help you here???
Fourth, are there any professional trade bodies or organisations that both your company and the third party subscribe to (i.e. a UK Association of ISPs) that may have a dispute handling process? Are the two parties able to sit down with an arbitrator? If so, this might be a free service that you could try?
Fifth, if all of the above fail, then use of the Internet in the UK is regulated by various Government departments and Quango Regulators, such as the ICO (Information Commissioner's Office) and Ofcom (the Communications Watchdog). As above if you have taken proper legal advice from a law firm with expertise in this area, they should advise you on the best method of engagement.
I understand that you want to help your clients, but in this case it's critically important that any steps you take don't make it worse. Legal advice must be step 1.
Hope this helps...
Re:People still use blacklists??? (Score:2, Insightful)
Indeed. We use a similar blacklist on our systems and it eliminated a massive chunk of spam from bots trying to reach out and touch you directly.
There just isn't any good reason to be operating a SMTP server on a residential connection; the user either needs to go through their ISP or they need to move to proper hosting in a datacenter (more uptime, static IPs, clearly not an end-user system).
Re:Flip side.... (Score:4, Insightful)
There are two kinds of false positives: The individual email kind and the netblock kind. Users care about individual email. They want to receive legitimate email even if it comes from an IP address that belongs to a spam-friendly ISP. Blacklists are more concerned with netblocks. They don't rate individual messages. They rate ISPs. The submitter is affiliated with a hosting cooperative. They're probably not openly spam friendly, but cooperatives are usually short on manpower, so their monitoring and their response times may not make them sufficiently "tough on spam" for some tastes.
If UCEProtect is run properly, then they have evidence of spam coming from that netblock, and if their listing and delisting policies are well defined and implemented, then they are well within their rights to require compensation if an ISP wants them to manually check that they've cleaned up their act and expedite delisting. If UCEProtect is much too trigger happy, then wrongfully accused ISPs should complain to the recipients' ISPs who use UCEProtect to block email and get them to remove or reduce the influence in the scoring. A rogue DNSBL has no power if nobody uses them.
Re:Excessive smiley faces (Score:4, Insightful)
We feel sorry for you :-) but it appears that you sent SPAM to the wrong people :-)
Re:NEVER trust and AC (Score:3, Insightful)
It isn't necessarily about their delisting policy, more about their listing policy. UCEProtect also run Backscatterer, which lists based on if you send out of office/bouncebacks to spam mail. This will often bleed over into their 'main' block list.
At the end of the day, if you're blocking people for having the courtesy to set a message that states "I'm out of the office", then you shouldn't be taken seriously as a block list provider.
There is a reason you are listed. (Score:5, Insightful)
There is a reason you are listed:
* You have spam originating from your system for too long of a time.
* You are unresponsive to reports.
So, your entire network range is listed. Everyone is bouncing emails. Everyone is complaining to you, and you've noticed. You've been forwarded the site, and you're contemplating just paying them off... except that it just won't work. You'll be relisted again, and with reason -- someone on your network spammed and nobody's listening.
Thus:
* If you haven't done so, open up abuse@ and point it to somebody with the power to diagnose, disable, and close accounts.
* If the guy behind abuse@ doesn't have said above power, GIVE IT TO HIM.
* If the guy behind abuse@ does, but doesn't use it, FIRE HIM.
* If you haven't done so, disable outbound port 25 at your border router with the exception of an out-bound SMTP server.
* Put an outbound spam filter in place.
If you are unwilling to do the above, then there is one last thing you will eventually do: CLOSE SHOP.
Re:NEVER trust and AC (Score:5, Insightful)
I have the questionable pleasure of experiencing a deluge of backscatter since the rise of the Festi botnet, and I must say that I find the lack of sanity checks on automated replies appalling. It is not a courtesy to autorespond to spam by sending the spam "back" to a person who didn't send it in the first place and gave you all the information you need to clearly and easily establish that fact (Domainkeys / SPF).
There is only one place for automatically sending a message back to the original sender, and that's before accepting the mail in the first place. The sender sends the address information first. Reject the email then and there and include your out of office information with the bounce. Once you've accepted the mail, don't autorespond.
I agree about companies needing to push SPF and the like more. Sure, it still can cause some headache supporting.. but it helps address the problem.
As for the second bit, you've got to be joking. First, putting the out of office in the bounceback does nothing to mitigate the issue. You're still receiving an email for each and every bounced email. Second, millions of people have email that is hosted through another company. They realistically cannot set up individual bouncebacks for every single customer.
Re:Flip side.... (Score:5, Insightful)
"Spam is a problem where false positives generally cost less than false negatives"
This may be true if you are a basement dwelling slashdotter but out in the real world a single false positive is one too many. Try explaining your position to a client or executive who missed a million dollar inquiry due to your overly aggressive spam filters.
Re:People still use blacklists??? (Score:2, Insightful)
There just isn't any good reason to be operating a SMTP server on a residential connection
And this philosophy is what brought Europe down and is killing the U.S. It isn't up to you to decide if what I want to do is a good idea.
I run my own mail server. At home. And here's one good reason why.
All my personal contacts, emails, etc. that sync to my smartphone... don't go through Google, Apple or Microsoft. Essentially I run my own cloud.
Is privacy and wanting control of our data/contacts, at least keeping the nexus away from the corporate giants, not a "good reason"? Who are you to unilaterally decide "no"?
Re:And with spam that is a real problem (Score:4, Insightful)
And since anti-spam blacklist maintainers are fanatics who only get more fanatical, they do tend towards blocking /0 as their endgame.
Stop sending spam then. (Score:5, Insightful)
I've seen this story several times before with people complaining about "blackmail" with different blacklists and filters, and in all cases I have ever seen there has been some sort of real problem. Remember that there are different levels of blacklisting, from the lowly backscatter blacklisting which hits a lot of legitimate organisations, up to Level 3 (which indicates that you've been informed of a problem for a long time but basically don't give a fuck), up to the next step which is de-peering or permanent widespread blacklisting. OP is clearly drinking in the last-chance saloon on this one.
Top tip: running an ISP is harder than it looks. Not managing abuse of your systems will eventually cause major problems, and in the worst cases will drive you out of business and have law enforcement forcing their way into you server rooms to take your kit. Don't assume that YOU are the innocent party and the the complainers are just making it up if you want to remain in the ISP business..
But...but... (Score:4, Insightful)
"Frankly there are so many alternatives to sending mass mail from your own system, only highly suspicious people want to go around this."
I am a journalist, and I know what the laws are around email, subpoenas, (lack of any) protections under the (US) law, and the cost of lawsuits. I keep my own server, on my own premises, and keep logs only long enough for diagnostic purposes. All email is deleted after 2 weeks unless it is specifically moved to a location meant to be saved for the same reasons. I have been doing this, or parts of it, since before my ISP offered mail services, over 20 years now FWIW. Some people call me paranoid, I point to things like MegaUpload and call them ignorant. I guess that I would be considered "highly suspicious" according to many government agencies.
So there you go, there is at least one good reason to do the above, although I rarely send out mass mailings, probably less than one a year.
As for the rest of your points, I totally agree. Thanks for trying to stop the spam.
-Charlie
Re:Someone is full of himself (Score:5, Insightful)
Hola, thanks for pointing out this to the AC above. I'm the current maintainer of the AHBL, Brielle.
After a while of maintaining a DNSbl, you start to refine your policies and how you handle things - unfortunately, with the amount of douchebags and assholes who operate mail servers and networks out there, those policies tend to get more restrictive and locked down to prevent abuse.
We used to offer a whitelisting service, where responsible ISPs could register to avoid auto-listing of their blocks. Had to nuke that due to being lied to and threatened (big surprise there). I used to provide free consulting to smaller ISPs who got listed to assist them in cleaning up their networks, securing their servers, etc. Had to nuke that program too - you can thank GoDaddy for that.
These ISPs, the ones that whine about being listed, usually have a good reason why they are listed. They won't publicly admit it obviously, but the almighty buck tends to override the common sense that you need to properly control and manage your own networks. If you are willing to allow your customers to spam, abuse, and just be downright shitheads from your IP space in exchange for money, then you need to be willing to accept the consequences.
The only reason why things are the way they are today, is because people don't know how to behave and be a good online neighbor. In other words...
"This is why we can't have nice things!"
Time to get rid of mail bounces (Score:4, Insightful)
For traditional reasons dating back to the dial-up UUCP era, most email systems are store and forward. That's really no longer necessary. In an "always-on" era, mail should be synchronous. When an SMTP server receives a mail that it needs to forward (presumably only to a known address) it should, while holding the incoming connection open, send the appropriate outgoing mail. If the outgoing send succeeds, the SMTP server should reply to the its client with success. If not, it replies with a failure code. No "bounce" messages are ever sent. So there's no possibility of sending a "bounce" message to a faked address. "Joe jobs" become completely ineffective.
Any non-success status from the outgoing send gets passed back to the incoming connection. If the destination server is down, the SMTP 450 status (Requested mail action not taken: mailbox unavailable) should be returned. For 4xx statuses, most mailers will resend, so the first mailer in the chain will handle retransmission. If the first mailer is a user SMTP client (rare today), the person sending will get an immediate fail, indicating that the mail was not received.
A simplified SMTP server like that would be appropriate for machines that only handle mail as a sideline and forward it somewhere else, like most web servers.