The Spamhaus Project
BETA

blog

Blackhats and Grayhats

From a discussion in a private anti-abuse industry workgroup list in November 2007 regarding the need for extensive restructuring of e-mail systems due to spam; reproduced with permission...

by The Spamhaus TeamFebruary 15, 20084 minutes reading time
Service Providers
Deliverability
Spam

(From a discussion in a private anti-abuse industry workgroup list in November 2007 regarding the need for extensive restructuring of e-mail systems due to spam; reproduced with permission...)

Someone Else wrote:

*>And that is entirely due to the f_____s who are abusing the s__t

out of the net right now, not sys admins who are trying desperately

to hold up their end of the bargain. The responsibility lies entirely

and squarely on them. Beyond their arrest I would love to see them

literally keel hauled. Repeatedly.*

Quentin Jenkins answered: I share your sentiments on the arrest and dissolution of the criminals. But I'm afraid that when it comes to the good and righteous sys admins of the world, and anyone else who treads the Internet, I find plenty of shades of gray. If you don't want to read the rant, the executive summary is Edmund Burke's "All that is necessary for the triumph of evil is that good men do nothing."

Now, I don't mean to come down on anyone on this list personally. This is a very special group and we're all doing the best we can against spam and abuse. And indeed the problem isn't so much at the level of individuals as it is at corporations, networks, institutions, bureaus and organizations which take on a life of their own. But still, the people on this list touch on many of those larger entities which are tolerating the problem. The bad guys are right there in front of us and we're letting them stay there.

Who's doing that, you ask? Well, again my aim isn't to point fingers, so any names are purely exemplary and there are others which could take their place. But, as a short list to illustrate the problems, there is/are:

Anyone who transits traffic for Intercage/Atrivo, Hostfresh, ZBYD, Newspeed or a variety of other fully evil networks. (hi, those which peer with them; hi, networks which don't promptly null out rogue Chinese IDCs or other criminal lairs.) Backbones which knowingly allow abuse downstream of them. Anyone who says that they're so big they can't possibly run a clean ship, I've heard that Level3 is now the world's largest carrier, and they can do it: http://www.spamhaus.org/sbl/listings.lasso?isp=level3.net (zero SBLs!)

Hosting companies who neglect to monitor abuse@, who think that warning dedicated spammers will stop them, and who to this day say "but it wasn't sent from my network..." (etc.)

Consumer connectivity providers who won't block port 25, who can't keep up with the support needs of an infected user base, who so far have been none too hasty to implement walled gardens, and who allow known hard-core abusers to retain broadband connectivity for years ...as long as their actual spam is committed via other networks. (heard that one before?)

Registrars which won't establish minimal rules of accountability and legitimate use. (don't even start on ICANN.)

Senders -- good, legitimate, clean whitehats -- who, when it comes time to write down best practices as an industry standard document, refuse to come to terms with their own acquisition demons and say in the clearest possible terms, "OPT IN ONLY".

The Mondo-Eyeball corporations which make free services available to spammers, then can't be bothered with all that pesky work of enforcement that others who sell similar services find necessary.

Software vendors with inadequate security controls. 'Nuf said.

End users who haven't bothered to learn basic survival skills. Educators who don't make the survival lessons accessible enough.

Legislators, executives, judiciary and bureaucrats who pander to special interests and ignore public interests, industry experts and even their own specialist departments such as DHS CERT. Lobbyists, industry groups and any of the electorate who isn't constantly pestering their representatives to enforce existing laws and create better, stronger ones. (I'm guilty.)

Law enforcement, particularly at Attorney General and high bureaucracy levels, which is waiting for the perfect case and not willing to take any risk on the politics or precedents to get bad guys into court. (Why's Ralsky sleeping at home?)

I'm sure there are plenty more, and if I've gone too soft on myself, mea culpa. If anyone here is feeling personally skewered, I'm sorry, that wasn't my intent, but how about doing something to change the reason for it? The whole point is that we know these holes exist, we know they breed pestilence, so what are we doing about it?