Great Circle Associates List-Managers
(April 1997)


Subject: Re: Blocking domains
From: Mike Nolan <nolan @ celery . tssi . com>
Date: Wed, 2 Apr 1997 12:28:52 -0600 (CST)
To: list-managers @ GreatCircle . com (List Managers)
Reply-to: nolan @ tssi . com

Lou Katz <lou @ metron . com> wrote:

> In response to most spams, I immediately block the entire Class C
> set of netnumbers from which the spam originated. Since I can,
> I block ALL packets, which I just throw away, causing the offending
> site to timeout, rather than getting a service refused response.
> This blocks DNS lookup, Finger, SMTP, etc. I believe that
> raising the pain threshold for sites that harbor spammers by making
> their services somewhat less useful for their legit customers (if any)
> is a useful and legitimate response.

A significant portion of the spam I receive comes from sites like AOL
and  Even though I could block traffic from these
sources, I'm not sure I would want to.

> I also think that if each of us send a single, lengthy message to
> the sites involved for each spam received, the return traffic should
> also increase the pain on the source and its providers.

If our subscribers did this to one of our lists or our home site, most of 
us would be mad as hell.  I don't think we're better than the rest of the 
net community, and can come up with precious few instances where mail bombing
is a good idea.

But I do think that the list management community may need to come up with its 
own solution to the problem, since so far the net community as a whole hasn't.
In general, I see several different situations, each of which may require 
a different response.

1.  The site management is an active and willing participant in the spamming.
    In this case, I think that some form of dire sanction needs to be applied;
    blocking the entire domain is OK by me.  I don't see where e-mail 
    bombing the site is likely to be effective, though, especially because 
    such a site might configure itself to ignore that kind of attack anyway.
    (I'm not an expert on this subject, but isn't it possible to block
    some forms of traffic in certain directions, which could include 
    e-mail bombs?)

2.  The site management is aware of the spamming, not an active participant
    but tolerant of it.  Blocking might be a solution here, and sending 
    e-mail bombs might actually be more effective than in the first case, 
    if that's what it takes to get their attention.

3.  The site management is unaware of the spamming, and possibly willing to
    take steps to deal with it once alerted.  Unless spam constitutes a
    major portion of the traffic from this site, in which case it may more
    properly belong in one of the first two categories, I don't think that
    blocking is advisable, and mail bombing is likely to be less effective
    than a politely worded advisory and request for action.  The more 
    willing that the site management is to take action, the less likely I 
    am to want to block traffic from it.

4.  The site is an unwilling participant, through any of several security
    holes.  I could see blocking as a short-term fix until security is 
    improved.  I think that mail bombing just exacerbates the problem at 
    that site, though.

5.  The site isn't really involved; it's being spoofed or forged into 
    headers.  I'm getting out of my technical depth at this point; 
    spoofing may not be happening all that much in real life, but I'm 
    trying to come up with a fairly complete taxonomical breakdown, so 
    I needed to cover this variant.  In the event of either spoofing or 
    forging, neither blocking nor mail bombing is effective; it's not 
    even clear to me that alerting the site management would always help.

A further problem is the load on the net providers to the sites being 
affected.  In the long run, the most effective form of enforcement may
be for the IP community (the carriers) to refuse to do business with 
spammers, an updated and enforced version of the 'acceptable use' guidelines 
if you will.  Even that might not help entirely; anyone who has ever gotten 
a nasty message with instructions to call area code 809 might have 
discovered that the phone companies of the world mostly tolerate this abuse 
of their billing system.

The best solution to me is still some kind of authentication system, to
establish certainty as to both the origination and author of all messages,
which may be technically impossible and in violation of the US Government's
archaic encryption rules anyway.  And I'm not sure it couldn't be perverted
by willing spammers, too.  (And does this raise First Amendment concerns?)

If this could be tied into some kind of transfer of payments system, so that
unsolicited e-mail is paid for by the sender on a per-address basis rather
than $19.00 per month (or whatever), then spam mail could become a problem
of the past, except for bulk marketers who can afford it.  My e-mail box
becomes more like my postal mail box at that point; over half of the mail
I receive most days is bulk rate mail.  Thank heaven that isn't true for
my e-mail box, at least not yet.  And the ultimate transfer of payments
system would pay ME for receiving such mail, or at least credit my account
at my IP.  Hell, I might even read some of it at that point!

Mike Nolan
