Spam and Block Lists Update
Monday, August 30, 2004
Posted by: Charles Oriez
Optinrealbig, a Colorado-based organization identified by Spamhaus as the world's second most prolific spammer, sued the Spamcop database operators in Federal District Court in California seeking to bar them from forwarding spam complaints to various ISPs. After hearing arguments, Judge Saundra Armstrong denied their request for a preliminary injunction (PI), ruling that Optin stood little chance of winning on the merits, had asked for some relief that was too vague to be enforceable, and had failed to show that Spamcop had done anything wrong. She also ruled that Spamcop, in forwarding complaints from its users, is protected from suit under the Communications Decency Act. Spamcop has just filed a motion for dismissal with attorney fees and costs under the California anti-SLAPP statute. The Strategic Litigation Against Public Participation (SLAPP) suits are aimed at silencing defendants' first amendment right to free speech. California law permits expedited hearings and recovery of costs and fees under those circumstances. Previous federal cases in California have ruled that this state law applies to federal proceedings. A hearing on the SLAPP motion is set for July 13, but Optinrealbig is opposing the motion on procedural grounds.
Spamcop has also won the early stages of a case in Ohio filed by Buckeye Communications, when a judge there granted a temporary restraining order that left out the meat of what Buckeye sought, and then vacated the order entirely. It appears that after Buckeye made some technical changes to its systems the primary reason for the suit became moot. That suit should soon be dismissed.
Meanwhile, spammers are also losing cases where they were the ones being sued. Jason Heckel has to ante up $100,000 for violations of Washington state's anti-spam law after he was convicted of sending unsolicited bulk email (UBE) to residents there. The Appeals Court found unpersuasive his argument that he didn't know that the recipients were Washington state residents because he hadn't bothered to check their registry of residents who didn't want UBE before sending his mail.
Richter and Optinrealbig have also claimed to have reached a settlement with New York and Microsoft, with the agreement only "awaiting a judge's signature." A spokesperson for New York Attorney General Eliot Spitzer declined to confirm that claim. Updates on that and other spam-related cases will be posted to the AITP spam forum as information becomes available.
Also in New York, a Buffalo area spammer got jail time for his scam. Howard Carmack began serving a 3-1/2 to 7 year term in May. A jury convicted him in March of forgery, identity theft and falsifying business records. When he gets out, he has a $16 million dollar debt to Earthlink to pay off, having lost a civil case to them on the same issues. They claimed that he used 343 Earthlink accounts to send multiple millions of spam e-mails.
Massachusetts filed a suit on July 1, charging William Carson, an alleged spammer from Florida, with violating various provisions of the Federal Can-SPAM and state anti-fraud statutes. Among his alleged violations was the use of a supposedly fraudulent business address in Massachusetts in the spam. An attorney in an unrelated New York spam case said that use of an address in a state, even if fake, is adequate to create jurisdiction in that state. Massachusetts did not seek, or apparently did not obtain, a temporary restraining order immediately barring Carson from spamming while the case went forward, but may still obtain an injunction at the hearing.
The legal attacks on anti-spam databases such as Spamcop would seem to demonstrate that they are proving effective. The Massachusetts decision not to obtain an immediate restraining order, permitting Carson to continue spamming for two more weeks, and the ongoing spam from Optinrealbig while they litigate with New York and Microsoft, shows that legal action tends to work somewhat more slowly than the anti-spam databases do.
However, which database is most effective as a spam indicator? There are more than 400 free databases out there that can be queried by an e-mail server to determine the likelihood that a given piece of e-mail is spam. The receiving server determines the Internet Protocol Address (IPA) of the server attempting to connect to it, queries one or more of the databases to determine the likelihood that the connecting server is a spam source, and will either refuse the connection or tag the mail with a warning of some sort for a positive response. Different databases use different criteria. Spamcop reports addresses that produced user reports of spam runs in the last 48 hours. SPEWS reports progressively larger blocks of address space from ISPs that fail to react to spam reports. Other databases list entire countries, like China or Argentina, or entire ISPs such as uu.net or verio. Some will list addresses that have been compromised by a trojan or other security breech, or addresses that are in dynamic dial-up address pools. Each of them is based on IPAs, the dotted quad numerical address of the sending mail server that is in the format 126.96.36.199, since that is one of the few things impossible for a spammer to forge. In selecting what to add to your defenses, it is up to the administrator to determine what works best for him based on your unique local needs. Use databases whose rules are too aggressive, and you block mail that you want to receive. Use those that are slow to list, and too much spam gets through. Use too many, and your mail delivery slows down.
The San Diego Super Computer Center (sdsc.edu) at UCSD publishes a weekly log showing how much of the e-mail that it receives came from servers that were listed on the various anti-spam databases. Although they only use five databases there to identify spam (Spamhaus, Sorbs, Spamcop, RFC-Ignorant, and DSBL) for their own blocking purposes, they query each of 173 or so free databases and publish a results table every Saturday morning. Their results tables are available back to the summer of 2001. Most recently, SDSC has been getting mail from 26-28K unique IPAs per week. More aggressive listers such as FiveTen and BLARS flag about 60 percent of the traffic as spam. Spamhaus, SORBS, and Spamcop are all hovering around 40 percent. Curiously, SPEWS, which raises the hackles of people it blocks more than most other lists, identifies traffic as "spammish" only about 10 percent of the time. Of databases that are used to block based on country of origination, Chinese or Korean sources are found for about 10 percent of their traffic, each. Argentina and Brazil, which used to be consistent sources of spam, seem to have fallen into disuse recently. Perhaps ISPs in those countries have finally started to be more responsible in quickly terminating spammers using their services, or their spammers have alternatively converted to using stolen resources elsewhere to send their mail.
I use approximately the same mix of databases on the servers I protect as SDSC does and get about the same results on a percentage basis as SDSC reports week to week. It should be noted that the same source IPA will appear on multiple databases found in the SDSC report. You can review their complete report, including historical data, at http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html. Jeff Mackey at SDSC also recommends local anti-spam rules to further block traffic, most importantly refusing traffic where reverse dns lookup fails. Another local anti-spam rule that many have implemented is to refuse traffic from Comcast's dialup pool of IPAs. This is because Comcast, while prohibiting its users from running servers on dynamic IPAs, has noticed that 700 of the 800 million e-mails that they transmit every day come from servers that probably are on compromised customer machines in their dial-up pools. At its peak, that was accounting for 25 percent of the spam I was blocking daily. However, Comcast has implemented some technical procedures recently to resolve that problem, and most systems administrators are reporting a significant reduction in spam coming through Comcast customer machines. My own experience, with a recent 90 percent reduction in Comcast spam hitting my servers, is consistent with the reports of others.
Choose your databases wisely. If you are running a server for a local company with no overseas business, blocking all traffic from China, Korea, and other spam-friendly countries makes sense. If your business has significant overseas trade, though, that same decision could cost you valuable business. In my own experience, which seems to match the decision of the SDSC administrator, SORBS, Spamhaus and Spamcop tend to yield reliable results. Avoid FiveTen and Blars as they both yield too many false positives. If you want to join the boycott of traffic from ISPs that persist in hosting spammers and refusing to terminate them, then SPEWS is the database to use. However, expect complaints from people who use those ISPs to transmit their own traffic, since SPEWS has listed, for example, large swathes of MCI (uu.net) space. And monitor your results in your log files. Make adjustments as the pattern of spam reveals itself on your servers. Be prepared to whitelist local clients or vendors who had the misfortune to sign a contract with a spam-friendly ISP who are not themselves spammers. Today, there is no reason why the inboxes of your users can't be virtually spam free if your mail systems administrator has been given the tools and the authority to implement spam blocking.