Zombie Spam Blacklists Return From The Dead To Make A Point

from the if-your-mail-isn't-getting-through... dept

I have to admit that I don't follow the "spam" world as closely as I used to, but I remember back around 2003, one of the hot topics was whether or not the various spam blacklists went too far at times. The anti-spam fighters behind those lists would often take a rather... inclusive attitude to putting IP addresses and address ranges into their lists, and plenty of giant ISPs relied on the judgment of those spam fighters by simply plugging in their lists. This often resulted in significant collateral damage, as perfectly legitimate emails would get blocked as coming from a "spam IP." Of course, those lists needed to change frequently, but at times, they would just suddenly disappear. That last link was about a popular anti-spam blacklist from Osirusoft that was shut down -- with its owners changing the settings to include all addresses. The idea was to make it clear to ISPs who weren't paying attention that they should stop using the list, but think of all the damage done in the meantime.

It looks like the same sort of thing may be happening six years later. Michael Scott points us to news of another long-abandoned blackhole list, blackholes.us, which was shut down a couple of years ago -- but which some ISPs still query. Whoever now controls the nameservers where blackholes.us used to live has apparently set up a new "list" that (again) covers the entire range of IP addresses -- so every query comes back saying the address is a spammer IP.

Again, the idea is to force ISPs to stop using that blacklist -- and perhaps you can make the argument that (unlike the Osirusoft situation) these ISPs have had two years to stop relying on the "zombie" blacklist, but it still seems unwise to create so much collateral damage, just to force the issue.
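The failure mode the post describes is easy to detect before it costs you any mail. A DNSBL is queried by reversing the octets of the client address under the list's zone, and by the usual IPv4 DNSBL convention (RFC 5782) a working list always lists the test address 127.0.0.2 and never lists 127.0.0.1, so a zone that answers positively for 127.0.0.1 is either misconfigured or, as here, answering positively for everything. The following is an added example, not code from Techdirt or from blackholes.us: it builds the query name, classifies the list's health from those two test addresses, and refuses to reject mail on a list that is not healthy. The zones live.example and zombie.example and the stub resolver are constructed so the script runs offline; system_resolver shows the same check against real DNS.

```python
"""DNSBL lookup with a liveness check for "zombie" lists.

Added example, not code from the Techdirt post or from blackholes.us.
The zone names live.example / zombie.example and the stub resolver are
constructed for offline use; the query-name layout (reversed octets under
the list's zone) and the 127.0.0.1 / 127.0.0.2 test addresses follow the
RFC 5782 DNSBL conventions.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

# A resolver maps a query name to its A records, or None when the name does
# not exist (NXDOMAIN), which a DNSBL uses to mean "not listed".
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.1 under zone 'blackholes.us' becomes '1.2.0.192.blackholes.us.'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def system_resolver(qname: str) -> Optional[List[str]]:
    """Real lookup through the host's resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return None


def dnsbl_health(zone: str, resolve: Resolver) -> str:
    """Classify a list before trusting it.

    A working IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1.  A zone
    that answers positively for 127.0.0.1 is broken, and in the case the
    post describes it is answering positively for every address.
    """
    if resolve(dnsbl_query_name("127.0.0.1", zone)):
        return "listing-the-world"
    if not resolve(dnsbl_query_name("127.0.0.2", zone)):
        return "unresponsive"  # zone gone, or no longer a functioning DNSBL
    return "healthy"


def should_block(ip: str, zone: str, resolve: Resolver) -> bool:
    """Reject only on a healthy list; a dead or all-positive list fails open."""
    if dnsbl_health(zone, resolve) != "healthy":
        return False
    return bool(resolve(dnsbl_query_name(ip, zone)))


# --- constructed offline stand-in for DNS ---------------------------------
LIVE_LISTINGS = {"192.0.2.1"}  # the only client the made-up live zone lists


def stub_resolver(qname: str) -> Optional[List[str]]:
    """Constructed resolver: one healthy zone, one that lists the world."""
    if qname.endswith(".zombie.example."):
        return ["127.0.0.2"]  # every query positive, including 127.0.0.1
    if qname.endswith(".live.example."):
        rev = qname[: -len(".live.example.")]
        ip = ".".join(reversed(rev.split(".")))
        return ["127.0.0.2"] if ip == "127.0.0.2" or ip in LIVE_LISTINGS else None
    return None


if __name__ == "__main__":
    for zone in ("live.example", "zombie.example"):
        print(zone, dnsbl_health(zone, stub_resolver),
              "block 192.0.2.1:", should_block("192.0.2.1", zone, stub_resolver),
              "block 198.51.100.7:", should_block("198.51.100.7", zone, stub_resolver))
```

In a real mail path the health check would be cached and re-run on a timer rather than performed before every lookup; the point is that the two test addresses give a mail administrator a cheap, scriptable way to notice a list that has gone dark or started listing the world, instead of finding out from bounced mail.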


Filed Under: blackholes.us, blacklist, spam


Reader Comments



  • Rose M. Welch (profile), 20 Oct 2009 @ 12:01am

    Disagree.

    Nope, makes sense to me. I think the damage is acceptable in this case.


  • Michael Vilain, 20 Oct 2009 @ 1:24am

    I've seen both sides of this

    I contribute daily to SPAMCOP, a user-contributed blocklist. Anyone can add emails they consider spam to the block list, which is parsed with Bayesian and IP filters. The resulting list is used to filter email processed by SPAMCOP, and some ISPs use it as a block list as well. Oftentimes, some spammer gets all cartoony in the support forums threatening to sue for being put on the blocklist. 48 hours later, if no more spam comes from that ISP, it drops off. But if there's a spammer on the ISP, more spam will be reported and the wait is longer.

    The other side of this is I administer a members-only listserv which sometimes gets flagged as spam by various ISPs. Everyone on this list has to personally send me an email and I verify them to be a dues-paying member of a professional organization. Roadrunner is the latest SPAM Nazi to blacklist the ISP serving the list, and their support people have no clue why. It left the members using that ISP with no access to the list until they moved to Gmail or just left. For many of the older members, Gmail is too much for them to fathom (really, I'm not kidding).

    I'm all for spam block lists, but I warn members to avoid ISPs that act unilaterally by denying stuff rather than just categorizing emails and putting them in a SPAM folder. Comcast and Hotmail also do weird things but they seem to be transient mistakes rather than anything permanent. And I still report spam to SPAMCOP.


  • Cynix, 20 Oct 2009 @ 2:03am

    Yahoo has blocked email alerts from various legitimate forums and refuses to remove the block when advised of its error by users and the forum admins. Muppets.


  • Pangolin, 20 Oct 2009 @ 4:50am

    I don't get it

    Why not just remove the data?


    • Anonymous Coward, 20 Oct 2009 @ 5:20am

      Re: I don't get it

      Judging from the story, they removed the blacklist two years ago. But ISPs were still sending requests to the address (using bandwidth - which of course is not free). Maybe they sent requests to the ISPs to stop, maybe not, it is not clear from the story.

      New owners were sick of getting hit with the constant traffic, so decided to make the ISPs wake up.

      Perfectly acceptable to me, so long as they tried to contact the ISPs first.


    • Anonymous Coward, 20 Oct 2009 @ 5:24am

      Re: I don't get it

      Because that is not nearly as much fun now is it?


    • Anonymous Coward, 20 Oct 2009 @ 7:28am

      Re: I don't get it

      Because then the use of the zombie blacklist would continue without consequence, and a HUGE amount of traffic would continue to flow through the servers of whoever owns it now.


  • Rich Kulawiec, 20 Oct 2009 @ 5:36am

    There's much more here than meets the eye

    For starters, any mail system administrator that's not paying attention to their own logs is incompetent and fully deserves all the pain that things like this cause. Unfortunately, "incompetent" easily covers 90% of all mail system administrators these days, which is part of the reason why we have the problem set we do.

    More to the point, there exists a BCP document for DNSBLs that covers what to do in the case of DNSBL shutdown. Please see: "Guidelines for Management of DNSBLs for Email" which may be found at http://tools.ietf.org/html/draft-irtf-asrg-bcp-blacklists-05.

    Unfortunately, in this particular case, the procedure outlined in that document won't work because the new holders of the address space don't have control over DNS for the old domain. Alternate solutions are being pursued, and it appears that Chris Lewis (one of the authors of that document and one of the handful of people who's been working in the anti-spam arena as long as I have) is aware of it and in communication with those folks, so I have some hope that a reasonable course should be followed.

    Incidentally, the terribly misguided suggestion (upthread) that mail should be quarantined "in a spam folder" or equivalent should be ignored. It's a very bad idea and quite amateurish to use any kind of quarantine: all mail should either be accepted or rejected outright during the SMTP conversation. I've explained why at considerable length on the "mailop" list (see the archives) but the gist is that quarantines create far more problems than they solve, some of which are non-obvious.

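The comment above makes the point that an administrator reading their own logs would notice a list that has started rejecting everything. As an added example, not code from the commenter, Techdirt or any mail software, here is the kind of check that makes that noticing automatic: it counts SMTP connections and per-list rejects over a window of mail log lines and flags any list responsible for rejecting more than a given fraction of all connections. The log lines are constructed in the shape of Postfix smtpd "connect from" and RBL reject messages, the zone other.list.example is made up, and the 50% threshold is an arbitrary assumption to tune for your own traffic.

```python
"""Flag a DNSBL that is rejecting nearly every inbound connection.

Added example, not from the Techdirt post or any mail software.  SAMPLE_LOG
is constructed in the style of Postfix smtpd log lines; the threshold is an
assumption, not a recommendation from any source.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[\d.]+)\]")
RBL_REJECT_RE = re.compile(r"blocked using (?P<zone>[A-Za-z0-9.-]+);")

# Constructed sample: six connections, five rejected by blackholes.us and one
# by a second, made-up list.  Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 20 08:14:01 mx1 postfix/smtpd[2210]: connect from mail.example.net[192.0.2.10]
Oct 20 08:14:02 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using blackholes.us; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Oct 20 08:14:05 mx1 postfix/smtpd[2211]: connect from unknown[198.51.100.4]
Oct 20 08:14:06 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 554 5.7.1 Service unavailable; Client host [198.51.100.4] blocked using blackholes.us; from=<x@example.com> to=<b@example.org> proto=SMTP helo=<host4>
Oct 20 08:14:09 mx1 postfix/smtpd[2212]: connect from mx.example.org[203.0.113.9]
Oct 20 08:14:10 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from mx.example.org[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using blackholes.us; from=<c@example.org> to=<b@example.org> proto=ESMTP helo=<mx.example.org>
Oct 20 08:14:15 mx1 postfix/smtpd[2213]: connect from relay.example.net[192.0.2.77]
Oct 20 08:14:16 mx1 postfix/smtpd[2213]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.77]: 554 5.7.1 Service unavailable; Client host [192.0.2.77] blocked using blackholes.us; from=<d@example.net> to=<b@example.org> proto=ESMTP helo=<relay.example.net>
Oct 20 08:14:21 mx1 postfix/smtpd[2214]: connect from unknown[198.51.100.200]
Oct 20 08:14:22 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 554 5.7.1 Service unavailable; Client host [198.51.100.200] blocked using blackholes.us; from=<e@example.com> to=<b@example.org> proto=SMTP helo=<host200>
Oct 20 08:14:30 mx1 postfix/smtpd[2215]: connect from unknown[203.0.113.55]
Oct 20 08:14:31 mx1 postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 554 5.7.1 Service unavailable; Client host [203.0.113.55] blocked using other.list.example; from=<f@example.com> to=<b@example.org> proto=SMTP helo=<host55>
"""


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    """Count inbound connections and RBL rejects per list zone."""
    connects = 0
    rejects: Counter = Counter()
    for line in lines:
        if CONNECT_RE.search(line):
            connects += 1
        m = RBL_REJECT_RE.search(line)
        if m:
            rejects[m.group("zone")] += 1
    return {"connects": connects, "rejects": dict(rejects)}


def suspicious_lists(report: Dict[str, object], threshold: float = 0.5) -> List[str]:
    """Zones that rejected more than `threshold` of all connections in the window."""
    connects = int(report["connects"]) or 1  # avoid division by zero on an empty window
    rejects: Dict[str, int] = report["rejects"]  # type: ignore[assignment]
    return sorted(zone for zone, n in rejects.items() if n / connects > threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(report)
    print("lists rejecting most of your traffic:", suspicious_lists(report))
```

Run against a rolling window of the real log (for example the last fifteen minutes) from cron or a log pipeline; a list that suddenly accounts for most of the rejects, when yesterday it accounted for a few percent, is exactly the signal that it has gone dark or been repurposed, and the alert is cheap compared with a day of bounced legitimate mail.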

    • nasch (profile), 20 Oct 2009 @ 8:19pm

      Re: There's much more here than meets the eye

      It's a very bad idea and quite amateurish to use any kind of quarantine: all mail should either be accepted or rejected outright during the SMTP conversation.

      When you make a spam filter that is perfect, go ahead and reject all the spam. Until then, if the two choices are putting everything in my inbox or sending suspected spam to a spam box, I'll take the latter, thanks. Fortunately, mail providers are free to offer that service, and users are free to take it or leave it.


      • Robert A. Rosenberg, 20 Oct 2009 @ 8:52pm

        Re: Re: There's much more here than meets the eye

        When you make a spam filter that is perfect, go ahead and reject all the spam. Until then, if the two choices are putting everything in my inbox or sending suspected spam to a spam box ...

        There is a 3rd option - Put everything into the Inbox BUT flag the suspected spam so the user can see that you feel the message is spam. IOW: Any message that would be directed to the spam folder is still sent to the inbox but altered to show it would have been directed to the spam folder.


      • Rich Kulawiec, 21 Oct 2009 @ 5:08am

        Re: Re: There's much more here than meets the eye

        Of course no spam filter is perfect: that's why quarantines are a very bad idea. Like I said, the issue is non-obvious, which is why anyone who hasn't studied it in depth is unlikely to even be aware of the many serious drawbacks. I direct your attention to the archives of the "mailop" list, where several people (including me) have contributed our expertise to the discussion.


        • Lina Inverse, 21 Oct 2009 @ 9:44am

          About quarantines and that "mailop" list

          Rich Kulawiec: Given that the mailop list's archives are only accessible to list members, perhaps you could point us somewhere else?

          I'm certainly willing to believe quarantines are not ideal, maybe even bad, e.g. while searching for your name +quarantines etc. I found your argument WRT phishing (users are very bad at detecting it, and I'll admit that only extreme paranoia plus the low hit rate problem (I have only two bank accounts or credit cards) has steered me clear), but "very bad"?

          I've always used systems with quarantines and/or suspicion marking and a pure "spam or not?" system would never satisfy me. Either too much genuine traffic gets scored as spam or too little (and I prefer the quarantine approach myself).


  • Anonymous Coward, 20 Oct 2009 @ 7:01am

    Think about it from a datacenter point of view. There is unwanted traffic still going to that (those) IP(s). So this is a drastic but very effective method of making that traffic stop, so they can then re-lease the IP to someone else without all that unwanted traffic, simply because some lazy IT guy didn't feel like updating his 1 spam line in his mail config. I'm with them all the way and would have done the same thing.


    • Ilfar, 20 Oct 2009 @ 9:08am

      Re:

      Agreed! Sometimes the only way to make people listen is to thump them on the head with a large stick.

      I've always enjoyed watching people get thumped with large sticks ^_^


  • Pangolin, 20 Oct 2009 @ 8:34am

    Not buying

    I'm not buying this. The blacklist was accessed by NAME not by direct IP address. Just remove the DNS entry. All is now well.


    • Rich Kulawiec, 20 Oct 2009 @ 2:22pm

      Re: Not buying

      As I said upthread, this is not as simple as it appears. If you will take the time required to familiarize yourself with the details of this particular case, you will find, as I said above, that the new holders of the address space don't have control over DNS for the old domain, thus they cannot do what you are recommending.

      This matter has been discussed extensively in Usenet's news.admin.net-abuse.email, where a considerable number of further details are available. I would suggest that anyone considering a solution read the relevant articles in full before advancing their suggestion, as any number have already been put forth and summarily shown to be unworkable.


  • Dez (profile), 20 Oct 2009 @ 10:42am

    Strange series of events

    Not a real comment... but it makes today's dilbert cartoon all the more relevant:

    http://dilbert.com/strips/comic/2009-10-20/


  • Eric, 20 Oct 2009 @ 3:08pm

    Small correction

    Just a small correction to this summary. Blackholes.us was never a 'spam' blocklist. Its lists consisted of countries and providers, regardless of whether they were spam senders or not. So if someone wanted to block all Chinese or Russian addresses, or block all of Level3 or Comcast, they were able to.


