SPEWS: Spam Prevention Early Warning System, is a Black List (BL), a list of denied and banned IPs addresses, used by great ISPs.

Who's behind the acronym SPEWS? Nobody you can know, they say only that somebody reads and posts about spews on the newsgroup nanae (news.admin.net-abuse.email). It's clearly true since their BLs are modified by considering the posts on this newsgroup, but for the rest there's no e-mail address, no website, no recipient. The spews.org website is said to belong to them but it's registered under an alias and on the website they declare not to be SPEWS.

An introduction to SPEWS policies can be read in the updated encyclopedia wikipedia (Keep it in mind that everybody can modify this information on wikipedia, so read with caution).

Once spews.org was in Siberia, registered in Irkutsk, now in Australia. On the website you can read that american and european companies with wide economic and legal availabilities have less hopes to sue the spews crew this way.

Spews delivering systems are different and independent but one speaks only about a list of IP addresses anyway, the ISPs that use spews can ignore some listings at their discretion, or a priori guarantee that certain entities won't be blocked if spews decided to ban them. For this purpose they use White Lists mainly based upon the e-mails of their own customers.

Furio Ercolessi, an outstanding representative of the antispam italian world, states the way of working of the administrators that use SPEWS.

In his opinion this is the usual way for anybody who runs an antispam system or uses SPEWS or other lists: "The lists only just provide a default, then everyone decides what to throw away or locally add". Ercolessi goes on speaking about his way of working: "As for us, we never refused a whitelisting to anybody who got in touch with us after a SPEWS block of regular mail".

Secondly there are two attention's levels for the spam you get, two distinct lists so that every entity that goes into level 1 (the one commonly used in order to block) has usually already passed much time in level 2. This allows the sys admin a flexible and personal management.

From the ISPs that host spammers or have spam problems, their network's presence in level 2 and not in level 1 is a warning sign that shows a risk situation and can often last for months. This allows both SPEWS users and the "victims", who don't read their abuse@ boxes, to identify the warning situations weeks or months before level 1 turns on.

On the website spin.it, a commercial reality of Internet services where Ercolessi works, they operatively deal with the methods spin uses to filter mail, various BLs and their using ways are examined. The manifesto of their antispam policy can be read in these foreword sentences:
"Every e-mail that from outside goes into the Spin web, is subjected to a chain of filters in order to check the incoming spam, before being distributed to the user. All the filters exclusively work at SMTP level on the basis of the message's source or, seldom, of "signatures" found in the headers".

"No antispam system's filter tests the message's content. We think that the filters based on the content are a wrong method to face the spam problem, as they are subject to errors and false alarms, need much maintenance and, most of all, don't strike the problem at the root: a direct pressure on the sources and on spam's vehicles is necessary to fight the phenomenon on full scale. By exposing themselves and by siding in the front line against the spam, Spin clearly wants to declare this idea: marketing methods, which are based on unsolicited bulk delivered e-mail, are highly harmful for the future of the electronic communications among people and companies".
How many are the mail boxes whose incoming mail is filtered by SPEWS? One speaks about 10^8, around 100 million boxes.  How many IPs are banned? How many are the servers present in SPEWS BLs?

On nanae somebody said:
Well, not that this is a very meaningful test, but SPEWS is blocking about 0.15% of the 32bit IP space.

$ perl -e 'while(<>) { $t += 2**(32-$1) if (m!^[\d.]+/(\d+) !); }
print "$t ", $t/(2**32)*100, "%\n";' spews_list_level1.txt
6280997 0.146240857429802%
So they speak about percentages around one per thousand of all the IPs. These data aren't especially significant as there's no correspondence between IP number and the mailserver, anyway it gives an idea.

And now the most recurrent question: Why does SPEWS take the liberty of banning national ISPs or Yahoo! or AT&T or my server smtp? The answer is: because the Internet users confide in it.

We are going to see the long reply to this interesting controversy, this short essay was really caused only by this wish: to explain SPEWS policy.

It's basic to understand that the Black Lists are public and downloadable on the Internet, the SPEWS one is present in several sites.
The administrators download and use it with other lists for the customers' mail, so the sys admin trust SPEWS Black Lists, a person who chooses these services indirectly confides in SPEWS.

If you wonder why many system's administrators choose these Lists, you should consider that the Web is anarchic, cooperative, punishes those who don't follow the netiquette, is based on computer scientists or technophiles and Linux or *nix systems are greatly present. For all these reasons we can say that the sys admin are people close to the Hacker's ethics and culture.

SPEWS represents all these things, this is surely policy, but technophiles' policy, a policy whose roots are in the Web's correct working. By summing up SPEWS policy is an effective practical picture of the Hacker culture.

Let's see SPEWS policy (from Collinelli's italian site):
First of all the provider who finds his own netblock in Spews must solve the problem (i.e. to get rid of his spammers, to arrange his open-relay servers, to delete trojans, ecc. and to run the abuse desk), then if this cleaning work is complete and convincing, the listing will be taken away at the right time and according to the shown antispam task.

It's evident that if the spammer isn't banned by the provider at once, that netblock will be destined to remain listed at length, indifference's cases can take it to be banned for very long times and then cause the so-called "netblock escalation". As spam continues the SPEWS listed block will rise in dimensions (Of course everything happens in the sphere of IP space that's under the responsibility of the same provider).

The evidence files, readable on Spews website, often show these escalation's cases: at the beginning few IPs, that get directly involved in some spam, are usually listed, but after some time all the "/24" (i.e. 255 adjacent addresses) can be listed according to the cases, then if the spam goes on and the addresses' holding provider is left inactive, the listed blocks become greater and greater (for instance "/20" or "/19"). These escalations often end by including IPs addresses, used by provider's customers that have nothing to do with the spam.
This is the discussed point, the one that several sites' onwers on spammers hosting provider don't like. In this way every sort of commercial interest is struck. There are Verio-hosted companies whose e-mail is blocked, Yahoo! whose egroups are useless, important Chinese Internet access providers put in the SPEWS Black Lists.

However Spews has got good reasons to do this: for instance to prevent the provider from avoiding the Black List by moving the spammer on yet unlisted addresses that belong to it anyway, or by using other customers as a kind of "human shields". Moreover, as the spam problem is largely economic-natured, only an economic reason can lead some providers to give up spammers' money (for instance the fact that non-spammer customers go elsewhere).

It seems that SPEWS has some spam-traps, i.e. unused mailboxes that act as spam-traps, besides this there are spam-cataloguing websites. Anyway intercepted spam's consequence is that the provider's abuse desk is warned that there is a spam source from an IP which belongs to it, the message isn't signed by SPEWS but by regular users: this is how it should work.

If the abuse doesn't act at once or worse the abuse desk isn't working, the IP is put in the BL and in due time the pressure begins with netblock extension in BL so much that the entire provider is obscured and a note appears declaring the IP provider's spamming will. You can follow the timing of this process on nanae, by focusing the single cases that cooperate or not, with completely different BL times.

I still remember that it takes many weeks or months to switch from level 2 to level 1, the one generally
used by the providers, therefore terms like "they suddenly blocked our e-mail" are, by blacklisted ISPs, as much usual as uncalled-for and indicative of carelessness, indifference or even bad faith.

Even if I've said many times that SPEWS bans several servers, it's actually false as SPEWS confines itself to listing. If a sys admin considers it as a believable list, it will use this list to block with the attentions described by Ercolessi.

We can put it this way: if it were merely arbitrary, nobody would use it and even if I have no data, SPEWS seems to be the second or third more used listing, after SBL and MAPS.

The political relapses caused by this way of SPEWS operating are various: besides those already seen, the BLs are a kind of economic compensation that adds expenses to the spam-friendly ISPs, and therefore favours the whitehats that refuse profitable business with the spammers and must keep up costs that the others don't, for instance human staff behind the abuse desk, to worry that spam doesn't start from their own network, ecc. ecc.

A side of the ISPs responsibleness is that sometimes these aren't interested in leaving the spammers, if the provider is an important national administrator, the consequence is an obscuration of parts of a nation, like the Chinese case. Yet the most informed users can always use services far from spamming logics and still about China Ercolessi said:"And in fact there are well administrated Chinese ISPs that don't certainly enter SPEWS (like Chinanet-Jiangsu for instance), though
belonging to the same geographic area as the great spam-friendly ISPs".

The website spews.org/bounce describes how to behave if your e-mail has been bounced, in the explanatory page they say:
"Many people find this website after they receive a bounced email telling them that their original email was rejected..."

"If you bothered coming to this page, you are probably an innocent email user who's email has bounced."

"We know that, as a user of the Internet, email and other connectivity is important to you. We also know that unsolicited bulk email (spam) is bad. We encourage you to ask your Internet Service Provider (ISP) to fix the problem which has resulted in your mail bouncing or whatever other effects of being listed in SPEWS you may be experiencing."
Spews.org provides a service to understand the reasons of your e-mail bouncing: at this link, by
filling in the form on high (a small box to fill up) with the IP number of your mailserver (a number like, you will get explanations.

I thank Furio Ercolessi and Cataldo Cigliola for their precious information and the interesting conversation via ng that allowed me to add different points to the discussion.


SPEWS website,
if spews website is off line you can get information about spews on wikipedia,
Ercolessi recommends the reading of Jeffrey Race's essay in .pdf, "that focuses the question very clearly".

The most famous, hated, under attack and hacker spammers' Black List at the moment, SPEWS: Spam Prevention Early Warning System.