SPEWS:
Spam Prevention Early Warning System, is a Black List (BL), a list of
blocked and banned IP addresses, used by large ISPs.
Who is behind the acronym SPEWS? Nobody you can identify: they say only
that somebody reads and posts about SPEWS on the newsgroup nanae
(news.admin.net-abuse.email). This is clearly true, since their BLs are
modified in response to the posts on this newsgroup, but beyond that
there is no e-mail address, no website, no contact. The spews.org website
is said to belong to them, but it is registered under an alias, and on
the website they declare that they are not SPEWS.
An introduction to SPEWS policies can be read on Wikipedia (keep in mind
that anybody can modify the information on Wikipedia, so read it with
caution).
Once spews.org was in Siberia, registered in Irkutsk; now it is in
Australia. On the website you can read that American and European
companies with wide economic and legal resources have little hope of
suing the SPEWS crew this way.
The systems that distribute SPEWS are various and independent, but in
the end one is speaking only about a list of IP addresses: the ISPs that
use SPEWS can ignore some listings at their discretion, or guarantee a
priori that certain entities won't be blocked even if SPEWS decides to
list them. For this purpose they use White Lists, mainly based on the
e-mail of their own customers.
Furio Ercolessi, a prominent figure in the Italian anti-spam community,
describes how the administrators who use SPEWS work. In his opinion
this is the usual approach for anybody who runs an anti-spam system,
whether with SPEWS or with other lists: "The lists only provide a
default; then everyone decides what to throw away or add locally".
Ercolessi goes on to describe his own practice: "As for us, we have
never refused whitelisting to anybody who got in touch with us after a
SPEWS block of regular mail".
Secondly, there are two levels of attention for the spam you get, two
distinct lists, so that every entity that enters level 1 (the one
commonly used for blocking) has usually already spent a long time in
level 2. This gives the sys admin flexible, personal management.
For the ISPs that host spammers or have spam problems, the presence of
their network in level 2 but not in level 1 is a warning sign of a risky
situation, and it can often last for months. This allows both SPEWS
users and the "victims" who don't read their abuse@ mailboxes to
identify the warning situations weeks or months before level 1 kicks in.
On the website spin.it, a commercial Internet services company where
Ercolessi works, they deal practically with the methods Spin uses to
filter mail; various BLs and the ways they are used are examined. The
manifesto of their anti-spam policy can be read in these introductory
sentences:
"Every e-mail that enters the Spin network from outside is subjected to
a chain of filters to check for incoming spam, before being delivered
to the user. All the filters work exclusively at SMTP level, on the
basis of the message's source or, rarely, of "signatures" found in the
headers".
"No filter of the anti-spam system tests the message's content. We
think that content-based filters are a wrong method for facing the spam
problem, as they are subject to errors and false alarms, need much
maintenance and, above all, don't strike at the root of the problem:
direct pressure on the sources and on the vehicles of spam is necessary
to fight the phenomenon on a full scale. By exposing itself and by
taking the front line against spam, Spin clearly wants to make this
point: marketing methods based on unsolicited bulk e-mail are highly
harmful for the future of electronic communications among people and
companies".
How many mailboxes have their incoming mail filtered by SPEWS? One
speaks of 10^8, around 100 million mailboxes. How many IPs are listed?
How many servers are present in the SPEWS BLs?
On nanae somebody said:
Well, not that this is a very meaningful test,
but SPEWS is blocking about 0.15% of the 32bit IP space.
$ perl -e 'while(<>) { $t += 2**(32-$1) if (m!^[\d.]+/(\d+) !); }
print "$t ", $t/(2**32)*100, "%\n";' spews_list_level1.txt
6280997 0.146240857429802%
So one speaks of percentages around one and a half per thousand of all
IPv4 addresses. These data aren't especially significant, as there's no
correspondence between the number of IPs and the number of mail
servers, but they give an idea.
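The two things described above, the local whitelist that overrides the list (Ercolessi's "everyone decides what to throw away or add locally", with level 2 as a warning and level 1 as the blocking list) and the coverage figure computed by the nanae one-liner, in working code, as an added example; this is not code from SPEWS, Spin or the nanae poster. The list files, the whitelist, the IP addresses (documentation ranges) and the SMTP reply text are constructed assumptions, and the de-duplicated count is a refinement that the one-liner does not do:

```python
"""A SPEWS-style list used locally: the policy an ISP's SMTP front end
applies with level 1, level 2 and its own whitelist, plus the share of
IPv4 space a list covers.  Added example, not code from SPEWS, Spin or
the nanae poster; every list entry and IP below is constructed for
illustration (documentation ranges), not real SPEWS data."""
import ipaddress

IPV4_SPACE = 2 ** 32

# Constructed sample files: one CIDR per line, a case reference and free
# text after it, '#' for comments.  The real SPEWS files are not reproduced.
LEVEL1_TEXT = """\
192.0.2.0/24 S1001 spam source, escalated from a few IPs to the whole /24
198.51.100.128/25 S1002 open relay, abuse desk unresponsive
"""
LEVEL2_TEXT = """\
# level 2 is the early warning: everything in level 1 plus wider blocks
192.0.2.0/24 S1001
198.51.100.0/22 S1002 whole allocation of the same provider
198.51.100.128/25 S1002 older narrower entry, now inside the /22
203.0.113.0/24 S1003 new complaints, provider not yet contacted
"""
# Local whitelist: a customer's mail server that must never be refused,
# whatever the lists say (the local override Ercolessi describes).
WHITELIST_TEXT = """\
198.51.100.200/32
"""


def parse_list(text):
    """Return the networks in a list file, ignoring comments, blanks and trailing text."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def listed_in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


LEVEL1 = parse_list(LEVEL1_TEXT)
LEVEL2 = parse_list(LEVEL2_TEXT)
WHITELIST = parse_list(WHITELIST_TEXT)


def smtp_policy(client_ip):
    """Decision for a connecting SMTP client, checked in this order:
    whitelist (local override) > level 1 (reject) > level 2 (deliver, log a warning)."""
    if listed_in(client_ip, WHITELIST):
        return "accept-whitelisted"
    if listed_in(client_ip, LEVEL1):
        return "reject"
    if listed_in(client_ip, LEVEL2):
        return "accept-warn"
    return "accept"


def smtp_reply(client_ip):
    """Reply line handed to the MTA; only level 1 becomes an SMTP-time 5xx (text assumed)."""
    if smtp_policy(client_ip) == "reject":
        return "554 5.7.1 %s listed in SPEWS level 1, see spews.org/bounce" % client_ip
    return "250 OK"


def naive_count(nets):
    """Sum 2**(32-prefix) over every line, exactly as the nanae Perl one-liner does."""
    return sum(n.num_addresses for n in nets)


def collapsed_count(nets):
    """Merge overlapping and adjacent blocks first, so an entry nested inside a
    wider escalated block (the /25 inside the /22 above) is not counted twice."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def coverage(nets):
    """Share of the 32-bit space a list covers, naive and de-duplicated."""
    naive, exact = naive_count(nets), collapsed_count(nets)
    return {"naive": naive, "exact": exact,
            "naive_pct": 100.0 * naive / IPV4_SPACE,
            "exact_pct": 100.0 * exact / IPV4_SPACE}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.200", "198.51.100.5", "203.0.113.77", "10.1.2.3"):
        print(ip, smtp_policy(ip), smtp_reply(ip))
    print("level 1:", coverage(LEVEL1))
    print("level 2:", coverage(LEVEL2))
```

The whitelisted server 198.51.100.200 sits inside a level 1 block and is still accepted, which is the local override in action; 198.51.100.5 is only in the wider level 2 block and is delivered with a warning. The naive sum, like the one-liner, counts an address twice when a file carries both an old narrow listing and the wider block it was escalated into; whether the real SPEWS files ever did so is not something this page states, so the collapsed figure is the safer one to quote.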
And now the most frequent question: why does SPEWS take the liberty of
listing national ISPs, or Yahoo!, or AT&T, or my SMTP server? The
answer is: because Internet users trust it.
We are going to look at the long reply to this interesting controversy;
this short essay was really motivated only by this wish: to explain
SPEWS policy.
It's basic to understand that the Black Lists are public and
downloadable from the Internet; the SPEWS one is present on several
sites. Administrators download it and use it together with other lists
for their customers' mail, so the sys admins trust the SPEWS Black
Lists, and a person who chooses these services indirectly trusts SPEWS.
If you wonder why many system administrators choose these lists, you
should consider that the Net is anarchic and cooperative, punishes
those who don't follow netiquette, is built by computer scientists and
technophiles, and Linux or *nix systems are very widespread on it. For
all these reasons we can say that sys admins are people close to the
hacker ethic and culture.
SPEWS represents all these things; this is surely policy, but
technophiles' policy, a policy whose roots are in the correct working
of the Net. Summing up, SPEWS policy is an effective practical picture
of the hacker culture.
Let's look at SPEWS policy (from Collinelli's Italian site):
First of all, the provider who finds his own netblock in SPEWS must
solve the problem (i.e. get rid of his spammers, fix his open-relay
servers, remove trojans, etc., and run the abuse desk); then, if this
clean-up is complete and convincing, the listing will be removed in due
time and in proportion to the anti-spam effort shown.
It's evident that if the spammer isn't dropped by the provider at once,
that netblock is destined to remain listed for a long time; cases of
indifference can keep it listed for very long periods and then cause
the so-called "netblock escalation": as spam continues, the
SPEWS-listed block grows in size (of course everything happens within
the IP space that is under the responsibility of the same provider).
The evidence files, readable on the SPEWS website, often show these
escalation cases: at the beginning usually only the few IPs directly
involved in some spam are listed, but after some time the whole "/24"
(i.e. 256 adjacent addresses) may be listed, depending on the case;
then, if the spam goes on and the provider holding the addresses stays
inactive, the listed blocks become larger and larger (for instance
"/20" or "/19", that is 4096 or 8192 addresses). These escalations
often end up including IP addresses used by the provider's customers
who have nothing to do with the spam.
This is the contested point, the one that the owners of several sites
on a spammer-hosting provider don't like. In this way every sort of
commercial interest is hit. There are Verio-hosted companies whose
e-mail is blocked, Yahoo! whose egroups are useless, important Chinese
Internet access providers put in the SPEWS Black Lists.
However, SPEWS has good reasons to do this: for instance, to prevent
the provider from dodging the Black List by moving the spammer to its
own not-yet-listed addresses, or from using other customers as a kind
of "human shield". Moreover, as the spam problem is largely economic in
nature, only an economic reason can lead some providers to give up the
spammers' money (for instance, the fact that non-spamming customers go
elsewhere).
It seems that SPEWS has some spam traps, i.e. unused mailboxes whose
only incoming mail is spam; besides this there are spam-cataloguing
websites. In any case, the consequence of intercepted spam is that the
provider's abuse desk is warned that there is a spam source at an IP
which belongs to it; the message isn't signed by SPEWS but by regular
users: this is how it should work.
If the abuse desk doesn't act at once or, worse, isn't working at all,
the IP is put in the BL, and in due time the pressure begins with the
extension of the listed netblock, up to the point where the entire
provider is obscured and a note appears declaring the provider's
willingness to host spam. You can follow the timing of this process on
nanae by focusing on the individual cases that cooperate or don't, with
completely different listing times.
I repeat that it takes many weeks or months to pass from level 2 to
level 1, the one generally used by providers; therefore expressions
like "they suddenly blocked our e-mail", coming from blacklisted ISPs,
are as common as they are unwarranted, and indicative of carelessness,
indifference or even bad faith.
Even if I've said many times that SPEWS bans several servers, that's
actually false, as SPEWS confines itself to listing. If a sys admin
considers it a credible list, he will use it for blocking, with the
care described by Ercolessi.
We can put it this way: if it were merely arbitrary, nobody would use
it; and even if I have no data, SPEWS seems to be the second or third
most used list, after SBL and MAPS.
The political consequences of this way of operating are various:
besides those already seen, the BLs are a kind of economic compensation
that adds costs to the spam-friendly ISPs, and therefore favours the
white hats who refuse profitable business with spammers and must bear
costs that the others don't, for instance human staff behind the abuse
desk, making sure that spam doesn't originate from their own network,
etc.
One side of ISP responsibility is that sometimes they aren't interested
in dropping the spammers; if the provider is an important national
operator, the consequence is the obscuring of parts of a nation, as in
the Chinese case. Yet the best-informed users can always use services
far from spamming logics, and still about China Ercolessi said: "And in
fact there are well-administered Chinese ISPs that certainly don't end
up in SPEWS (like Chinanet-Jiangsu for instance), though they belong to
the same geographic area as the large spam-friendly ISPs".
The page spews.org/bounce describes how to behave if your e-mail has
been bounced; on the explanatory page they say:
"Many people find this website after they receive a
bounced email telling them that their original email was rejected..."
"If you bothered coming to this page, you are probably an innocent
email user whose email has bounced."
"We know that, as a user of the Internet, email and other connectivity
is important to you. We also know that unsolicited bulk email (spam) is
bad. We encourage you to ask your Internet Service Provider (ISP) to
fix the problem which has resulted in your mail bouncing or whatever
other effects of being listed in SPEWS you may be experiencing."
Spews.org provides a service for understanding the reasons for your
e-mail bouncing: at this link, by filling in the form at the top (a
small box) with the IP address of your mail server (a number like
100.99.101.98), you will get an explanation.
I thank Furio Ercolessi and Cataldo Cigliola for their valuable
information and the interesting conversation via newsgroup that allowed
me to add several points to the discussion.
Links:
SPEWS website;
if the SPEWS website is offline you can get information about SPEWS on
Wikipedia.
Ercolessi recommends reading Jeffrey Race's essay (PDF), which "focuses
the question very clearly".
The most famous, most hated, most attacked and most hacker-spirited
black list of spammers at the moment, SPEWS: Spam Prevention Early
Warning System.