Spam blacklisting: Its dark side

(GPL vs. BSD II will be posted in January)

No, I don’t want to see pictures of your sexy body, “Tanya”. Not interested in transferring a huge amount of money for you from some Arabian country, “Khaled”, sorry. To “Mr. lawyer Smith”: I understand that you’re pressed for time to find somebody who can claim the wealth, but I’m not a remote relative of the late “Mr. Anderson”. Oh, while we’re at it: I don’t buy blue pills, pal. And no Rolex watches at cheap prices on special offer for me, either…

SpamSpamSpam

Everybody who is using email today is familiar with the phenomenon of unsolicited mails commonly called “spam” today. That it originally meant a meat product and how the term evolved is a story on its own – a story that few people care for when they want to read their mails and are frustrated to find their inbox flooded with useless gibberish.

The rise of spam has been a major factor in ending the days of the once so innocent Internet. You want to run an email server at home? Forget it – or get a static IP from your ISP. No sane person configures any mail server or mail relay server to accept mail from an IP known to belong to the dynamic range of any ISP. Why? Because that would be spammer’s heaven. And we certainly don’t want that to happen. Matters are just bad enough the way they are.

Fighting spam

Spam messages are a major annoyance. They can in fact be vexing enough to motivate people to search for means to end the onslaught of hostile messages (or at least limit it somewhat). Smart people have invented and implemented spam filtering. The filter e.g. checks all incoming emails for certain keywords and calculates the likelihood of it being spam. This is not a solution for the problem, of course. It’s more of an ongoing fight: Programmers improve and tune their filters, spammers think of new methods to trick those filters into believing that a spam message is not spam.

Another method is to use blacklists with IPs of known spammers. This is actually a pretty powerful and effective method to counter spam. In fact it is a major step in putting a stop to the spammer’s game! Just about everybody who sets up a mail server today will check against one or several spam blacklists and reject any mail that comes in from a suspicious IP. Great! Well, not so much actually…

Highwaymen

Think about starting your own blacklist business for a moment. You build your infrastructure and happily start providing a list of evil IPs. Once a lot of companies and institutions start using your list, you have tremendous power at your hands! Put some IP on there (for whatever reason) and someone will de-facto be unable to mail to a lot of people. You could press money from that person. And that’s what some of them try to do. Take a look at “UCE protect” for example. They charge about 100 EUR (!!) for immediately removing a single IP from their blacklist and even threat to pillory people who “dare” to try to take legal action against those thugs. No, that site is not a joke unfortunately and they obviously run a profitable business by robbing people…

Sure, these are the black sheep. A lot of the spam blacklist providers out there are reputable and reliable organizations. If you ever need to mail someone who uses blacklists like the one from “UCE protect” (e.g. the city of Munich), resort to paper and snail-mail. They probably prefer email because it’s easier to work with. Be sure to tell them that you would have simply sent an email but you won’t since they work together with more-than-dubious blacklist providers.

I never had anything to do with said blacklist service so far, but they are target to a lot of jokes among IT people in my country. During my vocational training I was asked to take a look at their website and have a good laugh. And it was certainly shocking enough to stick in my memory to this day.

Overacting

But let’s get to the reputable services – and the actual problem. A while ago the company that I work for ran into trouble with a big blacklist provider (that we’ve been using ourselves ironically). While their goal of reducing spam is just and noble, they are unfortunately crossing the line and abusing their power. What has happened?

There’s this customer of ours who hosts a humble web shop with us. Nothing fancy. Probably even on the contrary. Now the big blacklist provider chose to block the IP for that shop. No problem so far. We notified our customer – and nothing happened for a while. Then the blacklist provider blocked all IPs of that server. Annoying but not tragic. Why? Because the server doesn’t even do mails! Again we tried to get in contact with our customer and over the back-and-forth time passed by.

But then the unthinkable happened: The blacklist provider threatened to block the entire /24 subnet (and would without doubt increase the blocked range beyond that, eventually swallowing all of our IP addresses)! Sounds like our problem, right? We should have reacted earlier and kicked the spammer off. Unfortunately… There was no spamming involved in this case! The shop that is hosted on our servers is mentioned in spam mails that originate from around the world, but not from our network. Still the blacklist provider is effectively blackmailing us and holding all of our customers hostage – their businesses depend on being able to send mail and if our whole network was blocked that would in fact mean threatening the existence of several companies!

What to do?

That’s the point where I feel that the “good guys” with all their commendable intentions have turned into criminals themselves. And in fact much worse criminals than the average spammer. While the latter is “only” a nuisance, the spamlist provider has become a real threat to business.

At first glance it’s clear what to do: Throw that customer out and eat humble pie, begging the spamlist provider for forgiveness. Even that isn’t so easy, however. While the spamlist provider may operate from a country where such cowboy means are acceptable, we aren’t. You cannot just throw out a customer. We are bound by a valid service agreement and since he insists on being innocent, we cannot just terminate the contract at will since we have no proof of illegal actions. If we did terminate the contract, we’d be in legal trouble and the former customer would definitely win the court case (which would mean the loss of a lot of money for us). If we didn’t, we would put the whole company at risk.

But that’s only the business part of it. Honestly: What if the customer is right and in fact is innocent? It could very well be a competitor trying to ruin his business (and obviously successfully so). And what annoys me the most: This only happens because our customer is a small fish. What would happen if somebody started a spam campaign promoting whitehouse.gov? The same thing? You decide for yourself.

No solution?

I would imagine that this is a problem that others have been facing, too. While I wasn’t directly involved in this case (and I’m certainly happy that I’m just a simple admin who doesn’t have to make any such decisions) the whole incident totally violated my sense of justice. I wrote most of this post a few months ago and decided to wait some time to calm down before publishing it. However that hasn’t happened. I’m still upset when thinking about it.

What could be done about things like this? I don’t know. Probably the only way would be setting up a site like “blacklist watchers” where people can share that they have been held at gunpoint by some service provider. Then people who use blacklists could decide if a service is operating decently or resorting to wild-west means (“I’ll keep thrashing your grandma till you give in!”). That could be abused, too, though. But what other means of self-defence are possible? Comments are of course very welcome.

The actual problem is hard to solve: There’s too much power in the wrong hands. And even more gross: The blacklist people actually want to achieve something good. There’s a German saying that fits very well in this case. It roughly translates to “The opposite of well done is not done badly. It’s well-intentioned“.