Postini And The On-Again, Off-Again Spam List

By Jim Wagner | Nov 14, 2005
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3564071/Postini-And-The-OnAgain-OffAgain-Spam-List.htm

Anti-spam vendor Postini has looked at spam from both sides now.

The Spamhaus Project, a popular U.K.-based organization that maintains a database of spamming activity, placed two of the San Carlos, Calif., company's IP addresses on its Spamhaus Block List (SBL) last week after receiving numerous complaints of unsolicited e-mail from the company.

While the IP addresses were removed from the list the following day, the brief listing highlights the tensions that exist between the different entities that make up the anti-spam community.

Andrew Lochart, senior director of marketing at Postini, said the episode with Spamhaus is a tempest in a teapot. He said the incident demonstrates how real-time blackhole lists (RBLs) are a failed technology. Someone, he said, received a legitimate opt-in e-mail and had mistakenly labeled it spam, which led to the temporary listing.

Lochart said the company does generate its e-mail address list from interested people at events like trade shows or through forms on its Web site, but doesn't go out and get e-mail addresses illegitimately.

"We don't go out buying lists, these are people that volunteer their information to us," he said. "Every e-mail in our database that we send e-mail to comes to us that way and, unfortunately, the nature of the beast is people very often forget that they've done that."

The SBL is a DNS-based Blackhole List (DNSBL), a controversial method for ISPs and e-mail server administrators to reduce the amount of spam that hits their servers. Such a list is commonly referred to as an RBL. The first DNSBL was created by the Mail Abuse Prevention System (MAPS) in the mid-1990s.

A DNSBL contains a list of IP addresses coming from spam operations. This list can then be accessed by e-mail administrators who subscribe to the service and use it to reject or flag any incoming messages from the IP addresses listed.
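How a mail server consults a DNSBL, as an added example that is not part of the original article: the sender's IPv4 octets are reversed and looked up under the list's DNS zone, and an answer in 127.0.0.0/8 means the address is listed. The zone `dnsbl.example`, the sample addresses and the `resolve` interface are constructed for illustration.

```python
import ipaddress

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_sender(ip, zone, resolve, on_listed="reject"):
    """Return 'accept', or on_listed ('reject' or 'flag') if ip is on the list.

    resolve(name) is an assumed interface: a list of A-record strings,
    [] for NXDOMAIN, and OSError on timeout or server failure.
    """
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return "accept"  # list unreachable: fail open instead of bouncing mail
    # Only 127.0.0.0/8 answers mean "listed"; anything else (for example a
    # resolver that rewrites NXDOMAIN to a search page) is not a listing.
    listed = any(ipaddress.ip_address(a) in LISTED_NET for a in answers)
    return on_listed if listed else "accept"

# Constructed sample data: the zone name and addresses are placeholders.
ZONE = "dnsbl.example"
FAKE_ZONE = {
    "25.2.0.192.dnsbl.example": ["127.0.0.2"],        # listed sender
    "7.100.51.198.dnsbl.example": ["203.0.113.10"],   # bogus non-127/8 answer
}

def fake_resolve(name):
    """Stand-in for a DNS library so the example runs offline."""
    if name.startswith("5.113.0.203."):
        raise TimeoutError("constructed lookup timeout")
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.5", "192.0.2.26"):
        print(ip, check_sender(ip, ZONE, fake_resolve))
    print("192.0.2.25", check_sender("192.0.2.25", ZONE, fake_resolve, "flag"))
```

The decision is keyed on the connecting IP address alone, so every message relayed through a listed address gets the same verdict regardless of who wrote it.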

Postini's inclusion on the SBL wasn't a case of people forgetting they opted into Postini's e-mail list, contends Steve Linford, Spamhaus CEO. Spamhaus received quite a few complaints, he said, from reliable well-known sources like ISP system administrators and postmasters who said Postini was sending them unsolicited advertisements.

"Postini is not a spam outfit by any stretch and we certainly don't want a Postini IP address on the SBL," he wrote in an e-mail interview. "We intended the brief listing to be a simple jolt to stress that spam is against our policy and that we are expected by the community to enforce our policy."

A DNSBL can be a very effective method to cut down on the amount of spam. A popular list like Spamhaus' SBL can stop a large amount of spam from hitting e-mail user inboxes. According to the Spamhaus Web site, the SBL is protecting more than 427 million users around the world.

The method has frustrated some members of the business world for years, primarily because of the number of false positives that accompany DNSBLs. Web hosters know that the inclusion of their IP addresses on a DNSBL can shut down all their customers, not just the spammer who prompted the block in the first place. On the other hand, the e-mail marketers and e-mail list managers who deliver legitimate opt-in messages have found themselves on a DNSBL after getting a complaint.

Critics say the subjective nature of some DNSBLs makes them a flawed mechanism. Competitors can conceivably put rivals on the list to shut them out, or people who forgot or unknowingly opted into an e-mail marketing list can add the IP address to the DNSBL.

Trevor Hughes, executive director of the E-mail Service Provider Coalition (ESPC), said there are fundamental concerns with RBLs. He said that while the intent and motive behind the mainly volunteer-run RBLs are laudable, the approach inevitably leads to false positives. What's more, he said, because these lists are mainly self-referential, updates to one database might not happen on another for some time.

There is a lack of clear standards for getting placed on or off the RBL, Hughes maintains, as well as a lack of responsiveness on the part of some maintainers to remove false positives from the list of offending IP addresses.

"The folks who get hurt by [RBLs] are legitimate companies that get caught inappropriately in that web," he said. "Spammers, if they get caught, have a very simple solution and that is to start sending e-mail through another IP address.

"They do it all the time and spammers have become very sophisticated and very good about dancing across IP addresses," Hughes continued. "Legitimate businesses can't move because they're accountable for their practices and visible."

Black lists have caused problems for their maintainers in the past.

MAPS had numerous run-ins with Web marketers like 24/7 Media and Harris Interactive, while in 2002, officials at the city of Battle Creek, Mich., filed an injunction against the maintainer of ORBZ, a popular DNSBL at the time, who subsequently shut down the service. The city withdrew the charges 30 hours later, belatedly realizing the owner wasn't a hacker.

However, not everyone believes DNSBLs are at best a temporary stopgap between the surge of spam and the vendors creating new technologies to stop it from spreading.

In June, security vendor Trend Micro bought Kelkea, the parent company of MAPS, to integrate the MAPS threat analysis team with its own technology.

Together they created the Trend Micro Threat Prevention Network and sell the RBL+ service, a reputation-based service based on their collection of 1.6 billion rated IP addresses.

Dave Rand is the chief technologist for Internet content security at Trend Micro. He is also one of the founders and creators of MAPS and the RBL, which he said is trademarked to avoid confusion between his RBL and the other black list operators who commonly use the term.

He said any claim that RBL is a failed technology doesn't take into account what is actually happening with Trend Micro users, who block literally billions of spam messages every day.

Regarding the charge of false positives, Rand said reputable blocking operators like Spamhaus have defined policies in place so that e-mail senders know exactly what they did wrong and how they can get removed from the DNSBL.

"It's more likely that when someone is placed on a black list of any form that there's a failure to communicate," he said. "In other words, they didn't respond to the notifications, they didn't take care of the problem in the first place -- all of these things are directly as a result of sending spam, and that's how you get listed on most reputable black lists."

Article courtesy of internetnews.com