SPEWS Memorial Day?

I see a very strange thing today (August 30th). APEWS, an "anonymous" anti-spam blacklist (whose listing policies are very broad and of questionable accuracy) has taken down their home page. When you go to www.apews.org, what you find today is a memorial message.

The message pays tribute to the administrator supposedly behind the previous SPEWS blacklist. It's true that the SPEWS website and blacklist data stopped being updated approximately a year ago. However, there's no indication beyond this message that somebody actually passed away, or that a single person that somebody knew was actually previously maintaining the SPEWS data.

Here's a copy of the message found on the APEWS website, in case it's changed back by the time you look for yourself:

Today our website and our mailservers are not available, because it is 30. August - SPEWS MEMORY DAY

Our beloved SPEWS operator got hit by a truck and died 30. August 2006. One of his dreams was to make the world a spam free place. As long as spam exists we therefore recommend all of you to shutdown all mailservers at every 30. August for 24 hours.

Be creative to make today a black day for all spammers and spam supporters and a day without mail and spam.

It is just one day in the year so it will not hurt you nor your company, but it will set a widely visible sign if enough people do so.

Our blacklists are online, but we will not display reasons for listings nor do any removals by today. We will be back by tomorrow. APEWS - Anonymous Postmasters Early Warning System.

An open letter to DNSStuff

Over on DNSBL.com, you'll find my open letter to DNSStuff, where I take them to task for providing incorrect and out-of-date information in their blacklist lookup tool results, even after being warned (and not just by me).

An open letter to DNSStuff

Dear DNSStuff,

You call your site “the center of the DNS universe” and position yourselves as experts on DNS, but it's time for me to question the DNSBL data and advice you hand out.

On multiple occasions, you've portrayed blacklisting issues as significant by returning blacklist results for certain DNSBLs, even though those lists don't drive any significant blocking issues (or don't block any spam) because they're dead or severely broken.

I've been around the block long enough to know that not every blacklist hit means there's an issue you need to worry about. Some lists have been dead for many months, and others list half the earth. In both of those instances, they're not really blacklists any more as much as historical artifacts waiting to be shut down and carted away.

If DNSStuff is going to continue to provide a widely used blacklist lookup tool, it's time to refine that tool so that it's actively maintained, and change the process so that DNSBL experts are actually involved in its upkeep. I'm not angling for a job here; I've already got one. But clearly, this section of your website needs more direct and active oversight, including involvement from people with significant DNSBL expertise.

Why? Well, let's start with a recap of how that whole APEWS restriction/transition was handled by DNSStuff.

I contacted Kristina O'Connell, DNSStuff's VP of Marketing, on August 18, 2007. In that email I explained to her how DNSStuff is incorrectly telling the whole entire world that it is listed on APEWS. UCEProtect had revoked its hosting of the APEWS zones five days previously and subsequently decided to replace the zone with a wildcard entry, to nudge sites to stop using the zone. As this is how DNSStuff was checking APEWS, it was returning data that was scaring email administrators unnecessarily.

She forwarded that email to Kevin Hutchins from DNSStuff support, who responded to me two days later, on August 20, 2007. Kevin explained that DNSStuff was already aware of the issue, and that they had to ask UCEProtect to put in a special text entry to “buy [DNSStuff] some time” to update their DNSBL tool and that they hoped to fix the problem sometime that week. He also went on at length about their responsibility to not judge a list and how they should continue to show all public DNSBLs, to provide a full picture of the space.

All fine and good – except that's not only what they're doing. They're also showing broken lists (APEWS) and dead lists (SPEWS). Leaving them in place produces a myriad of false positives, especially in the case of the UCEProtect APEWS zone.

Kevin also indicated that I was definitely not the only person to raise this issue to them recently.

This has been resolved – finally. I don't know exactly when, but they do seem to be querying APEWS directly now. It was only broken for days.

But wait – maybe it's not all fine and good. APEWS has blacklisted the IP address of DNSStuff's web server. Why? Does DNSStuff send spam? Or is APEWS an overly aggressive, broken list that shouldn't be relied upon?

And then there is SPEWS. Just the other day, I ran across this thread on the DNSStuff Discussion Boards, where a paying DNSStuff user points out how the SPEWS blacklist has been dead for more than a year. He's right: It's dead and gone. The website still sits there, and who knows, maybe it could come back someday. But for now, it's frozen and not usable. The SPEWS data files are empty.

Kevin's answer in this thread is that they'll consider adding another asterisk of “not to be used.” As opposed to “doesn't exist,” or removing it because it no longer exists. In my opinion, that's not good enough. It doesn't stop the poor souls, who are not DNS experts, from thinking they have an issue, from running around asking for help, trying to solve an issue that doesn't actually exist.

As a long-time participant in various Usenet newsgroups relating to spam fighting, I'm one of a multitude of first-hand observers who've watched as system administrators come to these newsgroups begging for assistance. Why? Not because they saw a piece of mail being blocked; not because they've got a reject message in hand linking them to a specific DNSBL, but because they put their IP address into a webform on DNSStuff.com and were informed that they were blacklisted, because DNSStuff told them that they were.

For DNSStuff to continue to show SPEWS in lookup results is laughable. It's the exact opposite of expertise. Please, fix it. Please, bring actual DNSBL experts in to help you build a better tool.

I know you read my site – as you've reached out to me, looking for my help in the past. So I know you'll see this letter. I hope you'll heed this wake-up call.

Regards,
Al Iverson
SpamResource.com and DNSBL.com
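
The two false-positive sources described in the letter (a zone replaced with a wildcard entry, and a dead list whose data is empty) can be screened out before a hit is reported. The following is an added example, not code from DNSStuff or from the original post: it uses the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not) to check each zone first. The zone names, sample records and the `resolve` callback are constructed for illustration; in real use `resolve` would wrap an actual DNS lookup.

```python
import ipaddress

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_health(zone, resolve):
    """Classify a zone with the RFC 5782 test points."""
    if resolve(dnsbl_name("127.0.0.1", zone)):
        return "wildcarded"   # must never be listed: zone answers for everything
    if not resolve(dnsbl_name("127.0.0.2", zone)):
        return "dead"         # must always be listed: zone is empty or gone
    return "healthy"

def check_ip(ip, zones, resolve):
    """Report a listing only when the zone itself passes the health check."""
    report = {}
    for zone in zones:
        health = zone_health(zone, resolve)
        if health != "healthy":
            report[zone] = "ignored (" + health + " zone)"
        elif resolve(dnsbl_name(ip, zone)):
            report[zone] = "listed"
        else:
            report[zone] = "not listed"
    return report

# Constructed sample data: three hypothetical zones under .example.
SAMPLE_RECORDS = {
    "2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.good.dnsbl.example": ["127.0.0.2"],
}
WILDCARD_ZONES = {"wild.dnsbl.example"}  # answers every query, like a wildcarded zone

def sample_resolve(name):
    """Offline stand-in for DNS: A records as a list, [] when the name is absent."""
    if any(name.endswith("." + z) for z in WILDCARD_ZONES):
        return ["127.0.0.2"]
    return SAMPLE_RECORDS.get(name, [])

SAMPLE_ZONES = ["good.dnsbl.example", "wild.dnsbl.example", "dead.dnsbl.example"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_ip(ip, SAMPLE_ZONES, sample_resolve))
```

Without the health check, 192.0.2.11 would show as listed on the wildcarded zone even though no real list carries it.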

Blowback sucks

I hate blowback. Or call it backscatter, or outscatter, if you prefer. Either way, it's no fun.

If your mail server sends it, you're contributing to a growing problem.

I don't know what's worse:
  1. All the blocked messages from the poorly designed Barracuda anti-spam filtering devices out there in the wild. (Accept-then-reject spam filtering is so 1998.)
  2. All the random "Confirm your YahooGroups signup request" emails. (Allowing email signup requests to be originated via email is so 1998.)
  3. All the rest of it I get (bounces from spams forging my domains, etc.).

Actually, I do know which is worse. Consider that list ranked in order of my personal annoyance.

MAPS Blacklisted? It's True!

If this isn't proof that it can happen to anyone, I don't know what is: Apparently MAPS has a compromised computer, found to be sending spam, and that IP address is now blacklisted.

A recent post to the SPAM-L discussion list tipped me off. Someone there noted hits in their maillog from August 15th, suggesting that 168.61.10.155 connected to their mail server, forged an unrelated domain in the envelope sender, and tried to send a message with a subject of “Movie-quality e-card.” Reliable sources suggest that this is an indication of a “Storm” infected desktop.

Secure Computing's TrustedSource Research Portal indicates that traffic from this IP address was first seen back in March. According to that site, the current reputation of this IP address is “Malicious.”

The EmailStuff DNSBL lookup indicates that this IP address is listed on the following blacklists as of August 19th, 2007: CBL, Spamhaus XBL, and SORBS web.

The IP address 168.61.10.155 maps to the FQDN (fully qualified domain name) SJC-Office-DHCP-155.Mail-Abuse.ORG, suggesting that this is a DHCP-assigned IP address in a San Jose office of MAPS (the Mail Abuse Protection System).

Way back about a hundred years ago (okay, about seven years ago), I worked for MAPS. Back then, they were the most feared anti-spam blacklist around. Find yourself on the wrong end of the listing, and 40% of your mail would likely be rejected, because so many internet mail servers around the world utilized the MAPS blacklists.

Since then, many things have changed. The MAPS lists went from free to for-pay usage. MAPS itself went through layoffs and multiple asset transfers. Nowadays, the MAPS data seems to be components of commercial products available from Trend Micro.

Division of Permission

Chad White breaks it down for Email Insider.

Question: When is it okay to start emailing people info about company Y, after they signed up for emails from company X?
Answer: It's not.

It doesn't matter that they both have the same parent company, or that it's perfectly legal. It dilutes your list. You lose relevancy and focus. And you create deliverability issues.

Chad highlights good and bad practices -- how to do it properly, and examples of companies you may not want to emulate if you're looking for email success.