TELECOM Digest OnLine - Sorted: Re: Getting Serious About the War on Spam

Re: Getting Serious About the War on Spam

Robert Bonomi (
Sun, 17 Apr 2005 22:01:04 -0000

In article <>,
John Levine <> wrote:

>> Ok, this guy contracted for high speed internet connectivity from
>> someone or another.

> That would be MCI.

>> Why did anyone else accept any packets from this organization?

> Good question. They're consistently #1 on the Spamhaus hit parade.

> [TELECOM Digest Editor's Note: Then why are they not getting cut off
> from the rest of the world until they make an effort to get rid of
> their spam traffic? Is it possibly because your superiors at ICANN
> and their mouthpiece Vint Cerf are so well funded by MCI that they do
> not allow (by heavy pressure or otherwise) anyone to put a permanent
> halt on MCI's traffic? Why is ICANN so silent on the volumes of spam
> the rest of the net has to endure day after day? Is it because ICANN
> and Vint Cerf are actually more interested in appeasing the spammers
> and commercial interests rather than the vast majority of the netizens?

Nope. it's because it is, quite simply, *NOT* ICANN's job to do so.

Of the various organizations (ICANN, IAB, IETF, etc.) that are the
'authority' for specific functionalities of the greater Internet,
_none_ of them have any authority with regard to the 'content' of

And *nobody* on the 'net wants it any other way. (Well, except for
folks like the government of mainland China, that is.)

Not to mention that there is _nothing_ that ICANN can actually _do_
that would affect matters. They can't revoke the IP addresses MCI
uses, those addresses were issued by ICANN to ARIN. They can't revoke
the domain-name(s) MCI uses, those names are part of
properly-executed _contracts_ between MCI and the domain registry
operator. And the operator's contract (with ICANN, or the appropriate
'national' authorizing authority) requires _them_ (the registry
operator) to publish *all* properly contracted domains.

Those are the *only* aspects of the Internet that fall under ICANN's
'area of responsibility'.

> John, instead of answering a question with the statement 'good question'
> why is no one (in authority on the net) actually, physically cutting
> off MCI by refusing to accept any or all of their traffic until the
> spam stops? PAT]

Because: (a) there is *NO*ONE* 'in authority'. The net runs by anarchy.
(b) some people _do_ block all MCI traffic. Unfortunately
they are personal/'vanity' networks.
(c) last I knew, MCI had something like a _40%_ share of the U.S.
Internet market. It simply isn't practical for any
'significant' player to write off that big a chunk of
the potential customer base.
(d) in general, anybody doing 'broad brush' blocking of MCI ends
up hurting *themselves* worse than they hurt MCI.
Unfortunate, but _true_.

This is reality. One can "wish" that things were different, but you still
have to deal with reality.

In article <>, John Schmerold
<> wrote:

> No one likes spam, however, there are great solutions they are all
> available without cost due to the opensource movement. Looking at my
> own statistics, since 4/1, I've received 5,607 emails, of which 1,177
> were forwarded to my inbox, of these 169 were SPAM. All of the 169
> could have been eliminated if I chose to use TDMA which whitelists
> good senders.

> So, long story short, quit belly aching and do something about your
> spam problem.

> John Schmerold

> [TELECOM Digest Editor's Note: But I cannot run a white list here
> unless I want to turn this Digest/newsgroup into a very exclusive
> place for _me and my friends_ . I like to get _legitimate_ mail from
> legitimate users. I do not like the idea of excluding new users just
> because they have not met some arbitrary standard on the messages I
> will accept. PAT]

There are various ways of "coping" effectively:

You can use _different_ e-mail addresses for different functions
(e.g., one for the newsgroup moderator 'submission' address,
a different one for submission "acks", another one for
outgoing Telecom-Digest mailings, and yet another one for
"personal" communications.)
You can then apply _different_ rules for each address. e.g.:
You can whitelist everybody that is subscribed to Digest mailing-list.
You can auto-accept any message that is a "reply" to a newsgroup posting.
You can whitelist other "known" correspondents.
You can auto-accept any message that has a certain "magic word" at the
beginning of the subject line.
You can then, fairly safely, _reject_ messages that lack the 'magic word'
in the subject line, *with* a notice telling the sender that the
magic word (and what it is) is required for message acceptance.

Doing these things 'right' requires some fairly close integration with the
mail-server itself.

BUT, when done right, can be _very_ effective.

I've been running a custom-developed system (along the above lines)
for roughly the last year. In that time, I've had mail from _three_
people get "erroneously" rejected (one required filter revisions --
*too* paranoid;, one was a family member with multiple accounts,
including one at Netscape, and got their mail-client "confused", so
that it was sending messages with a from of "", but going
through the cable-company's mail- server to do so; the third was
somebody I haven't heard from in years, who apparently found my
address from USENET postings, and tried to mail -- and apparently
couldn't read the error message telling them how to send mail that
would go through, no real loss), and a grand total of _eight_ pieces
of spam get to my inbox.

I have a few domains (e.g., AOL, Yahoo, HotMail) for which I accept
mail _only_ from servers in their domain.
I have a few (right now 3) overseas freemail providers that are totally
blocked -- they account for less than 1% of (pre-rejection) message
volume, however
I have one address-range blocked -- A space allocated to Nigeria.
I have one persistent spammer blocked by domain-name. they _do_ send
consistently from their own server, and identify properly, so it's
effective against this particular idjiot.
I have several forms of remote mail-server identity 'forgery' blocked
(e.g. if they HELO with _my_ IP address as _their_ identity. :)
I have blocks for headers indicating a couple of specific mail-sending
programs that are routinely abused by spammers, and that do not
provide enough information to back-track.
I have a _handful_ of content-based filters that catch things:
HTML-only email is not allowed
messages in character-sets I can't deal with -- most notably Pacific
Rim ones -- are not allowed.
I have a batch of body-content filters (about 50), *NONE* of which have
caught anything in the last 6 months.
Anything with what even "looks like" an MS-executable or 'zipfile'
attachment is not allowed, except by special arrangement. (This
one is permanent -- eliminates any need for the overhead of
Any of various URLs or mention of a few specific drugs, etc.

NOTE: I see a fair number of virus-delivery attempts _every_ day, but
they all fail earlier checks _before_ getting to the 'executable'
detector. The situation is probably similar with the other body-
check filters, but it's much harder to tell. I'm probably going
to remove all those 'non-executable' checks, cuz they don't seem
to do any good -- no sense wasting CPU cycles. <grin>

I 'whitelist' some mailing-lists I'm on, and the 'moderator' address
of some moderated newsgroups.

Now, admittedly, the rulesets here are tailored for the needs of _my_
users, but they *are* effective. I post to this newsgroup (and a number
of others) with an valid,_unmunged_, "reply-able" address. Not a _single_
piece of spam has been delivered to that address in the last year.

For those who remember Dave Hayes, I may not have a psychic newsreader;
but I've got the next best thing to a 'psychic mail-server'! :) It can
tell -- with _very_high_ reliability -- whether a mail message was composed
inside a newsreader or not. It's not absolutely perfect -- a couple of
people who were curious _how_ it worked, did some experimenting and figured
it out. Regardless, it's demonstrably "good enough" for the real world.

[TELECOM Digest Editor's Note: There is far, far too much stated above
to even begin responding. I will just address one point of yours,
which was 'how cutting off MCI would really hurt the rest of the net.'
Oh, boo hoo, let me cry about it tomorrow or whenever I get more
time. And you say, a net that is presently 80-85 percent spam is going
to be irreparibly damaged by calling their bluff and cutting them off
until they are willing to talk seriously about the spam issue? Gee,
that's really something. Seems to me if nothing else it would clean up
the spam problem a lot. Let's test it out and see: John Levine, since
you run the alias, do me a favor please. Block any
and all traffic via MCI coming here. Let's see if tomorrow and the
next day I don't have just as many messages as I do now, but far less
spam to deal with. Just cut it all, return to sender or whatever you

People also told me regards the bunch of crooks in New Jersey I should
not tell people to withhold their monthly payments, 'that by doing so
I would cause the people to get sued'; remember that? That was a big
laugh also; no one got sued and the Attornies General in many states
made the leasing companies back off. So my suggestion this month is
do yourself and the rest of the net a big favor: start refusing
traffic from MCI, as I just now above asked John Levine to do for me.
Check with me in a few days and I will let you know how much I miss
getting all those fabulous offers in Spam and all those viruses. PAT]

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Tony P.: "Re: Getting Serious About the War on Spam"
Go to Previous message: "Re: Can I Substitute a NiMH Battery for NiCd in a Cordless Phone?"
May be in reply to: Lisa Minter: "Getting Serious About the War on Spam"
Next in thread: Tony P.: "Re: Getting Serious About the War on Spam"
TELECOM Digest: Home Page