[EM] an example of how FA/DP democracy could solve a major problem: spam

Abd ul-Rahman Lomax abd at lomaxdesign.com
Tue Feb 28 18:59:40 PST 2006


I'm going to start with a little example that got me fired up today. 
I sent a copy of some posts today to the author of the posts to which 
I was responding. I got back a bounce, the relevant part of which was:

>message that you sent could not be delivered to one or more of its
>recipients. This is a permanent error. The following address(es) failed:
>
>   jiri.rasanen at kolumbus.fi
>     SMTP error from remote mail server after MAIL FROM:<abd at lomaxdesign.com> SIZE=16702:
>     host mx.kolumbus.fi [193.229.5.160]: 550 Your IP address [69.93.71.146] is blocked (listed in l1.spews.dnsbl.sorbs.net). Please contact your own ISP.

It appears that kolumbus.fi, or the domain host for kolumbus.fi, 
whoever is operating the mail server, is using the SPEWS DNS 
blacklist database, which is echoed as a convenience by SORBS. SORBS 
does not endorse this blacklist, and it appears that SPEWS is, shall 
we say, controversial in the antispam world, largely because one must 
apparently jump through hoops to get removed, even if one has never 
spammed at all. I did a search covering 143 DNSBLs. The only 
blacklist which listed my IP address (which is the address of one of 
my domain host servers) was SPEWS. If SPEWS had been directly used 
according to SPEWS instructions, I would have received specific 
instructions as to how to deal with the blacklisting. But kolumbus.fi 
is not using SPEWS directly, it is using the SORBS echo, which SORBS 
says it provides as a convenience. I did a search on SORBS itself and did 
not find any blacklisting for my domain. In order to find the actual 
blacklist entry, I had to do a fair amount of research just to find 
SPEWS and to directly look up the domain there. It appears that some 
domain hosted by my host may have spammed somebody, or may have been 
incorrectly reported as spamming somebody, possibly several years 
ago. The blacklist information is not dated; but the report on the 
owner of the offending domain was a listing that expired a year ago. 
This is apparently very old data. And that is one of the complaints 
about SPEWS: once on the list, you have to go through a process, 
reported as harrowing by some, to prove you are not a spammer. Given 
that most mail service providers are not using the SPEWS list, since 
there are much better and safer ones, the occurrence of a problem 
would be rare, and thus I can infer that my domain host tech support 
may not even be aware of the continued listing, or they did not judge 
it worthwhile spending the effort to clear it. After all, they didn't 
necessarily do anything wrong; they may have had other reports 
regarding the alleged spammer and may have dumped him a long time ago.

I could complain to my domain host. However, frankly, it isn't worth 
the effort for me to do even that; I am far more concerned about process.

DNS blacklists are examples of *part* of how a Free Association of 
internet users would deal with spam. However, how the blacklist is 
operated is crucial; for such blacklists can easily do more harm than 
good. More accurately, they multiply the harm done by a spammer far 
beyond the initial impact of the spam. The argument behind this is 
that users whose mail gets blocked will complain to their service 
provider, forcing the service provider to dump the spammer. Indeed, 
so far so good. However, note that *many* innocent people may be 
dragged into the "war" against one spammer. (And sometimes it wasn't 
spam at all, perhaps somebody forgot that they subscribed -- or their 
wife subscribed -- to a mailing list that only occasionally mails. 
And that someone complained or took action.)

Personally, I asked my domain host to shut off their default DNSBL 
filter. The reason is that it had too many false positives, too many 
innocent users trying to contact our business; we don't want that to 
happen to anyone, much less an existing customer. So, instead of 
having our host prefilter our mail by checking the blacklists, which 
will catch about 90% of spam, I use Mailwasher, together with the 
blacklists, to filter the mail myself. It takes a minute or two a 
day. I scan down a display of From: and Subject: headers, and it is 
quite obvious, most of the time, what is spam and what is not. And if 
somehow I overlook a legitimate mail in the spam haystack (might 
happen some of the time), our order-taker also filters independently 
the same mail, and, further, if the user's mail is dumped because 
both of us missed it, they aren't permanently blacklisted, the next 
time they write they have just as much chance to get through. Since I 
started this system, actually, I don't think we have deleted a single 
legitimate mail. But we might have. Once we identify a legitimate 
sender, that sender goes on our Friends list, and will always get 
through from now on. Note that with DNSBLs, there is no way to use a 
Friends list except if the host provides the service, which is rare, I think.

What could be done better? Well, imagine that a user organization 
develops a program that functions through forwarding spam, with full 
headers, to a single address. At that address is a tool which 
analyzes received mail using a sophisticated spam tagger. I won't go 
into all the facilities at that address, devices to make the 
identification of an actual piece of spam and its actual source (not 
the spoofed source, frequently a completely innocent user), but 
rather at the user organization which will support it. Users who 
report spam to the list will be identified as legitimate through the 
DP network, which, we should remember, functions in both directions. 
Essentially to join this part of the organization, somebody actually 
talks to you on the phone.... the labor of this is widely 
distributed, and it serves other purposes as well, so it would not be a burden.

There are two modes in which this would function. The first is under 
present conditions, where there is a lot of spam. Under those 
conditions, most people, even members, might ignore most spam most of 
the time. Only those who have enough time or who are fired up by the 
outrageousness of a particular fraud attempt would actually take the 
time to forward it. Still, if the org is very large, spam would be 
*quickly* reported. And a source IP will be what I call greylisted. 
Mail from that domain would be, through service providers who use the 
service, shunted aside and specially analyzed for spam 
characteristics before being allowed to pass through to the users. If 
necessary, a domain would be blacklisted, for automatic rejection, 
but this can cause substantial collateral damage.... If a domain *is* 
blacklisted, the service provider would have an *easy* way to confirm 
that they have cut off the spammer at the source. Ease of use is 
critical at all stages.

The idea is to collect the intelligence and labor of many people, 
just a little from each. Setting this up and sorting it all out would 
take a kind of organization that largely does not exist. The existing 
blacklists are what relatively isolated groups of motivated 
individuals can do, but those actions are quite limited. There has 
not been any news on the SPEWS home page for years. SPEWS is set up 
to require more than just a little work from a few people; it thus 
depends on just a few, and those few may not actually represent the 
welfare of the whole body of users.

I am fully aware that DNSBLs are free creations, that they have no 
power to stop spam by themselves; rather the actual stopping is done 
by domain hosts, according to their own decisions. However, some 
DNSBLs have, with this argument, abdicated all responsibility for 
what they do and the effect it can have on innocent users of email. 
If anyone is further interested in this particular question, I'd 
suggest looking at http://www.dslreports.com/shownews/37511

Spam and phishing and the Nigeria scam are public offenses, they take 
place in the commons. I mentioned above that the spam solution I'm 
recommending would function in two modes, the first being under 
present conditions where there is a lot of spam. I think that this 
solution would cut down drastically on the amount of spam being 
delivered, for the blacklisting process would be reliable by design, 
and there would be the intelligence of many thousands of 
knowledgeable people behind it (my design is merely a suggestion, one 
possibility).

The second mode would phase into existence as the first mode cuts 
back on spam to the point where successful spams, for the average 
user, become a manageable trickle rather than the present torrent 
that exists for anyone who doesn't have their mail prefiltered 
automatically. When spam becomes relatively rare, it will be reported 
much more quickly. If there are millions of members of the 
organization, a mass mailing may only reach a few thousand before 
somebody trusted reports it. Spam will start to be cut off within the 
first few messages sent (compared to the total). It will become quite 
uneconomical, since spamming generally results in the loss of domain 
privileges, and that costs money. Or uses a fraudulent credit card, a 
whole other problem that also needs mass support to be thoroughly 
solved. At the very least it takes human work to get through 
sophisticated domain hosts' processes. You can't just set a bot on 
it. (And, with millions of people supporting the effort, donations 
will be quite adequate, with nobody breaking a sweat, to hire 
programmers and other necessary workers to make the system work 
efficiently. Essentially, the user organization will be bigger and 
smarter than any of the spammers, for, being DP, it will be 
functioning as a superconscious intelligence. We might call it the 
wisdom of crowds on steroids....)
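
Added example, not part of the original post: a Python sketch that pulls the blocked IP and DNSBL zone out of the bounce quoted above, builds the standard reversed-octet DNSBL query name, and applies the Friends-list-first, flag-for-review handling the post describes. The function names, the `constructed_resolver` stand-in for DNS and its 127.0.0.2 answer are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Rejection text copied from the bounce quoted in this post (mail-client wraps kept).
SAMPLE_BOUNCE = """\
>     host mx.kolumbus.fi [193.229.5.160]: 550 Your IP address
> [69.93.71.146] is blocked (listed in l1.spews.dnsbl.sorbs.net).
> Please contact your own ISP.
"""
BLOCKED_RE = re.compile(
    r"IP address\s*\[([0-9.]+)\]\s*is blocked\s*\(listed in\s+([A-Za-z0-9.-]+)\)")

def parse_bounce(text):
    """Return (ip, zone) named in a DNSBL rejection, or None if absent/malformed."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    m = BLOCKED_RE.search(flat)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None
    return ip, m.group(2).rstrip(".").lower()

def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_listing(ip, zone, resolve=socket.gethostbyname):
    """Return the list's 127.0.0.0/8 answer code, or None when not listed."""
    try:
        answer = ipaddress.IPv4Address(resolve(query_name(ip, zone)))
    except (OSError, ValueError):      # NXDOMAIN etc. means "not listed"
        return None
    # Answers outside 127.0.0.0/8 (wildcards, parked zones) are not listings.
    return str(answer) if answer in ipaddress.ip_network("127.0.0.0/8") else None

def triage(sender, ip, friends, zones, resolve=socket.gethostbyname):
    """Friends always pass; a DNSBL hit only flags mail for human review."""
    if sender.lower() in friends:
        return "deliver"
    hits = [z for z in zones if check_listing(ip, z, resolve)]
    return "review" if hits else "deliver"

def constructed_resolver(name):
    """Offline stand-in for DNS; the 127.0.0.2 answer is constructed sample data."""
    table = {"146.71.93.69.l1.spews.dnsbl.sorbs.net": "127.0.0.2"}
    if name not in table:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return table[name]
```

With the default `resolve` argument the lookups go to live DNS; pass `constructed_resolver` to run the example offline.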





