Spam Wars: Unintended Consequences

For the past 6 months or so, I have been lurking on a Usenet newsgroup called news.admin.net-abuse.email (NANAE). It is one of a cluster of similar groups handling various aspects of what most experts think of as Internet abuse. This group is unmoderated, so just about anything goes. There's a core of about a dozen regulars, most of whom are administrators of one or more networks. They represent several different nations. Their level of civility varies, but they are easily among the highest level of experts in the SMTP protocol, among other things. They also have their regular trolls, and any number of occasional posters. God only knows how many others lurk as I do, seldom or never posting anything. For those interested in learning about spam, email administration, and Internet technology in general, it's a good place to find information.

Regardless of their vast collective expertise, perfection is not theirs to claim. While only a few are obsessive and obnoxious, most are clearly hostile to spammers and their spam. This is easy to understand when you consider that, if the average home user sees a dozen or so messages daily slip past their ISP's filters, these people see tons of it. They are the ones who have to run those filters for all the clients. They see literally hundreds, or even thousands, of spams every day. They are the ones who have to find ways to keep this stuff from loading up the hard drive space reserved for client inboxes. They are the ones facing complaints from whining clients whenever they fail. Far too many clients act as if they are the only ones getting this stuff, or that there is no excuse for even one unwanted message to get through. When these admins do well, no one knows what they go through.

Early in the game of fighting spam, these admins discovered various tools for the battle. There were filters long ago for picking out subject lines with advertising. Spammers quit making it that obvious, and filtering based on the content of the message was added. Spammers began using creative spelling, or avoiding certain keywords. There's also filtering on the headers, based on spammer habits. And so it goes: each time a new filtration technique is added, spammers seek ways to get around it. All this takes up processing power. Often the mere fact the messages were received on the server will encourage the spammers. One technique to minimize that is simply to configure the mail server to refuse a connection from certain addresses on the Internet. Not too long ago, programming mail servers to actually check the identity of the sending machine was considered a new idea. By rejecting the connections, the admins were able to save a good bit of processing power and time, and it served to discourage some spammers. They knew their sending server was blocked, and attempting a connection was pointless. There was also an added benefit to blocking. If the blocking was based on IP addresses, it would prevent mail from every user of that IP, not just the spammer. When legitimate users find themselves blocked from certain recipients, they tend to complain to their service provider. That service provider then faces pressure from their users to negotiate removing the block.

This IP blocking has become one of the strongest and most effective tools. It's fairly useful to the admin for a large system with many users; it's even more effective if several such admins band together and share their blocklists. These admins learned some time ago that certain service providers would not respond to complaints about spam. It's one thing if an ISP sells a new account to someone secretly intending to spam. If these ISPs act to disconnect such users after they are notified, no one is going to hold them fully responsible. Even those with rather loose registration requirements, if they act rather quickly to terminate abusers, will find a grudging acceptance with these activist anti-spam admins. If they are slow to act, they will face some ill will. If these ISPs simply don't act, they will face blocking. If they are actively hostile to complaints -- some are -- they are smeared on every forum that mentions spam, and face long-term blocking on every IP they control. They find that their IP addresses are listed on most, if not all, the various blocklist services out there.

On NANAE the lingo includes the terms "white-hat" and "black-hat" with the obvious connotation drawn from early TV Westerns, with all the bad guys wearing the latter. Reading the list of article titles on the newsgroup you might find references to "hat-checks" -- is this or that ISP good or bad or somewhere in between? The message is a request for anyone reading to warn if they have had to fight much with that ISP over spam and spammers. There are a handful of large corporations that clearly deserve their designation as black-hats. The reasons are numerous. Perhaps they simply reject the accepted practices by which the Internet is voluntarily held together, such as China's government-owned ISPs. Their only concern is profit. As long as no government agency actually forces them to adopt certain standards, they will do what makes money. Some are simply ignorant of the standards, and can't be bothered to learn them, nor pay someone to keep them in compliance, such as any ISP that doesn't have a legitimate "abuse@" address. There are a bunch that simply won't commit enough resources to the job of policing their clients, and react very slowly, or very inaccurately, such as Yahoo!. A few are just too new to the whole business and haven't figured it out. They understand business and ethics, but are completely out of their element.

Those that get a clue are often noted as having improved, or having "turned around." Like most things in the real world, it's easy to lose a good reputation, and hard to remove a bad one. Furthermore, endorsements of white-hats are few, and denunciations of black-hats are many. A portion of the regulars on NANAE will be fair and ethical in their pronouncements, and are quite civil. Some are obsessive zealots, unforgiving of the most minor mistake. The regulars know which is which. However, those who dislike the spamming business are not the only readers of that newsgroup. Spammers read it too, and a few comment from time to time, with varying degrees of honesty. Spammers also note which are the white-hat and which are the black-hat ISPs. As you might expect, they are drawn to the black-hats. If an ISP is pronounced a black-hat (or a "spamhaus"), spammers know they are welcome there. It's a form of perverse advertising. Given the growing blocking of known black-hats, spammers are always on the lookout for new conduits for their spew.

As with any such business, which involves investigation via often highly technical means, it's always possible the judges can misjudge. Some of those denounced have been known to debate the postings with their own postings. Most of this centers around defining what is acceptable, and black-hats so-called seldom change their minds or their practices. Sometimes a spamhaus will replace their leadership or technicians with someone willing to do right, and they post contrite apologies and request guidance for removing their listings. Anyone daring to argue that their listing is unjust will find their posts receiving a blizzard of hateful responses. The few who dare to file a lawsuit over the listing are the subject of the harshest vilification. Oddly, the regulars rarely apologize for getting it wrong. Yet inevitably they will. In fact, I have yet to see any regular poster appeal to the others on behalf of an innocent victim of mistaken blocklisting. I have read a few postings calling for caution, saying some other activist is jumping the gun, but never a reconsideration of an established listing. Getting off a list requires confession to wrong first, then appealing for absolution based on verifiable repentance.

I am convinced one such case of false accusation exists. There is a couple, Daniel and Maria Walls, who have been in the ISP business since about the time the dot-com boom went bust. Bad timing for their investment nearly bankrupted them, it seems. Worse, they were completely new to the Internet business. So when an infamous spammer, Alan Ralsky, came to them for connectivity, they were blind-sided. As soon as they got complaints, they cut him off. This spammer often sends one of his employees, operating in his or her own name, so they were abused by this big-time spammer off and on for a while. By the time they got a handle on things, and were consistently rejecting this fellow's inquiries, they had already been listed as black-hats. Not knowing the accepted procedure for de-listing, their pleas were rejected, their messages requesting info were ignored. In the meantime, other spammers took note and flocked to them, aggravating things. The Walls recently attempted to explain the situation. Naturally they were rebuffed for failing to be sufficiently contrite.

At one point, I had tried to warn regarding what I felt was the hypocrisy in some of the procedure these activists follow. There seems to be an unwritten requirement that you research their particular lore of Internet ethics before daring to invest in computer equipment and connections from a major provider. There's little mercy for anyone who does not yet know it as they know it, unless you engage in figurative foot-kissing. I was frankly waiting for this to happen. The Walls did not ask the regulars to remove them from the block lists, only that the list operators cease from associating them with Alan Ralsky. Their last contact with him was four years ago. They also asked for a chance to prove their good faith effort. In the meantime, they hoped the regulars would stop posting about them for a time, so the spammers would stop coming to them. That perverse advertising effect made it nearly impossible to clean house. As I would have expected, their appeal was rejected by everyone who bothered to respond.

It's entirely possible the Walls are lying, but the sort of evidence possible on a newsgroup thread is hard to judge. Then again, the same could be said for the evidence against them. My effort to contact them directly for further comment brought no response. I suspect they have plenty to do without taking the time to indulge a disabled fellow like me with lots of time on his hands. On the one hand, the activists are entirely too public to prevent spammers using their complaints. On the other hand, they aren't public enough to warn entrepreneurs of the minefields in running an ISP. It's not as if they have conducted any kind of public service campaign, getting the attention of various Internet journals. They do spend a lot of time grousing to each other about this or that abuser. Thus, the unintended consequence is that a new ISP run by the non-initiate of their rites of passage gets the wrong kind of free advertising, but seldom any useful help.


Ed Hurst
11 May 2004

COPYRIGHT NOTICE: People of honor need no copyright laws; they are only too happy to give credit where credit is due. Others will ignore copyright laws whenever they please. If you are of the latter, please note what Moses said about dishonorable behavior -- "be sure your sin will find you out" (Numbers 32:23)