Great Circle Associates List-Managers
(January 1999)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Yet another virus alert
From: "Ronald F. Guilmette" <rfg @ monkeys . com>
Date: Wed, 27 Jan 1999 11:37:01 -0800
To: List-Managers @ GreatCircle . COM
In-reply-to: Your message of Tue, 26 Jan 1999 10:18:17 +0100. <v04003a20b2d337bed0a0 @ [195 . 40 . 150 . 140]>

In message <v04003a20b2d337bed0a0 @
 [195 .
 40 .
 150 .
 140]>, 
Ivan Pope <ivan @
 netnames .
 com> wrote:

>We were put on the Paul Vixie black list system and had all traffic from
>our mailservers blocked into the US by a US ISP that used the list as a
>reference. This had a major effect on our service, as the ISP was the
>supplier into the US for our ISP.
>What was our crime? Someone used one of our client addresses as a _return_
>address on a piece of spam.

I was rather suspicious of Ivan Pope's claims of total innocence in this
case, so I did some research on his case.  Specifically, I _asked_ him
to tell me THE REST OF THE STORY.

One thing needs to be clarified here... Neither Paul Vixie nor the other
people who maintain the MAPS RBL anti-spam system *ever* put anyone on
the MAPS Realtime Blackhole List just because some spammer out there is
forging their domain name into the return address of some spams that were
sent.  That just does not happen.  If it did, Hotmail and *all* of the other
free E-mail services would be *permanently* in the MAPS RBL... but if you
check, you will find that NONE OF THEM ARE.  So this part of Mr. Pope's
interpretation, at least, clearly does not ring true.

Nor do the MAPS RBL folks EVER put anyone onto the RBL without trying, re-
peatedly if necessary, to contact them and to try to get them to correct
whatever the problem is on their end.  It is only when an ISP absolutely
REFUSES to continue to communicate with the MAPS RBL team that the ISP may
get RBL'd.  (The MAPS RBL project is well know for its conservatism and
it careful RELUCTANCE to place people on their list willy-nilly or without
giving the party in question an ample chance to respond.)

The truth, in the case of Netnames.Com, seems to be that Mr. Pope was, either
knowingly or unknowingly, hosting one or more so-called ``spammer drop box''
E-mail accounts, and he was (apparently) refusing to take any action to
prevent the relevant spammer from making an illicit profit via that E-mail
drop-box, which was hosted by Netnames.  (His correspondance to me made it
altogether clear that (a) he and his company did not delete this account
until AFTER they have been RBL'd and that (b) he and his company were,
apparently, making a profit, indirectly, from the spammer and his/her
spamming in this case, specifically via the fees that they were charging
the spammer for hosting the relevant drop-box account.  Unlike Hotmail,
Yahoomail, and the many other such free E-mail services now available on
the net, it appears that spammer drop-boxes on hosted by Netnames are _not_
free of charge.  I infer this from the fact that Mr. Pope's letter to me
clearly indicated that Netnames decided NOT to give the spammer ``a refund''
once they finally did take action to delete the relevant E-mail drop-box
account.)

The use of drop-box E-mail accounts by spammers is, by this time, a pretty
well-known and well-established technique, as is the practice of spamming
from one ISP while maintaining a spammed-for web site on a different ISP.
The idea in either case is to use the actual spam-sending ISP account as
a sort of ``throw away'' sacraficial lamb.  The spammer usually pays
little or nothing for these ``throw away'' accounts, and doesn't even care
if they get canceled (by the relevant ISP) the next day, so long as their
``permanent'' Reply-To drop-box accounts or their spammed-for web site
account (where they are _actually_ making their ill-gotten gains) remain
intact and undisturbed on some _other_ ISP's network.

This spammer ``dodge the bullet'' game has been going on for quite some time
now, and few people who are actually in the Internet services business are
still unaware of it.  Certainly Hotmail, Bigfoot, and other suppliers of
various type of E-mail services are _not_ unaware of it.  Mr. Pope _may_
have been unaware of it, but it now seems quite clear that the MAPS RBL
folks tried to explain it to him, and that he reached the conclusion that
it was not in the best interests of his own bottom line to either listen
or to care.

In short, Mr. Pope doth protest too much.  It now appears that his state-
ment that ``Someone used one of our client addresses as a _return_ address
on a piece of spam'' may not in fact have conveyed a complete picture of
what really happened.  When I asked him about this incident, he provided
me with *no* evidence that would even vaguely suggest that the spammer in
this case was anyone other than the very same customer of his who was,
apparently, paying him for the Reply-To drop-box in question.  Nor did
he even hint that he himself had any particular reason to believe that
this was, in reality, a frame-up job against his customer.

He did however express his clear displeasure at having been called to task,
and/or in some way held accountable for his actions (or lack thereof).  And
this seems to be consistant with his other statements, which make it clear
that he really would prefer to play a game of semantics when it comes to the
spamming issue and, like the spammers themselves, he wouldn't mind at all
employing the old shell game if that means that he too could ``dodge the
bullet'' and continue to enjoy his own share of the ill-gotten gains gene-
rated by spamming.

I quote:

>In essence, the story was: you agree to our definition of acceptable
>behaviour in the world or we will destroy your business.

(Mr. Pope, it seems, would much prefer it if the world used _his_ narrow
definition of spamming... a definition which DOES NOT recognize the obvious
fact that spammers are using E-mail drop-boxes and ``throw away'' accounts
on other providers as a sort-of shell game to preserve their ability to
make their ill-gotten profits while ernestly claiming ``Yes, but I didn't
spam FROM HERE!'')

>I felt we had no choice but to accept. However, I generally find
>fundamentalism of any stripe to be unpleasant, and I don't see that I
>should be forced to accept the arbitary standards of any private individual.

Translation:  I'm not happy that there is someone out there who is going to
act to prevent _me_ from getting _my_ piece of the spamming pie too.

>Of course, you will say that any ISP is entitled to impose any rules it
>wants - and in the main you would be right. But, these rules are arbitary
>and we are now adhereing to them out of fear rather than belief.

So is AGIS.  Whatever works Mr. Pope.  If you lack the _internal_ ethics
necessary to understand or to care about the long term effects of your
business and/or your policies on the Internet community as a whole, then
other people have every right to protect _their_ system and _their_ networks
from the deleterious effects of you and your company's policies.

On the other hand, if you somehow begin to recognize that hosting spammer
drop-boxes is *directly* contribiting to the spam problem, and that you
ought not to be in that business, then you probably won't have a problem
with the MAPS RBL folks, or with anyone else on the net for that matter.

-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/

    "Ping can be used offensively, and it's shipped with every windows CD"
                                                  -- Steve Atkins


Follow-Ups:
References:
Indexed By Date Previous: Re: How do AOL's spam filters work?
From: Alan Thew <Alan . Thew @ liverpool . ac . uk>
Next: Re: Egroups
From: Cyndi Norman <cnorman @ best . com>
Indexed By Thread Previous: Re: Yet another virus alert
From: Ivan Pope <ivan @ netnames . com>
Next: Re: Yet another virus alert
From: "David W. Tamkin" <dattier @ Mcs . Net>

Google
 
Search Internet Search www.greatcircle.com