Help! APEWS blocked the World!

127 views
Skip to first unread message

Steve Linford

unread,
Aug 1, 2007, 8:31:18 AM8/1/07
to
Considering that APEWS is only used by a handful of cluebies running
mail servers in their attics for 5 family friends and 3 cats, does
anyone besides the NANAE peanut gallery actually think the game of
pretending people are blocked and must do things to 'get off' APEWS is
anything but a game of lying to try to rope other people into the fight?

Some of this newsgroup and some of the NANAE group live in Kookland.
Responding to endless poor suckers by telling them things they need to
do in order to get removed from APEWS, pretending APEWS listings are
probably linked to other DNSBL listings elsewhere in the /16s which the
suckers need to somehow get fixed, all without telling them that in fact
nothing's blocked at all and any blocking or mail problems they *think*
they're experiencing because of an APEWS 'red alert' they saw on
DNSstuff.com are *entirely in their imagination*.

Some of the NANAE group go beyond outright lying and even tell them that
if they don't do what APEWS wants "things will only get worse",
obviously hoping to waste as much of these peoples time as possible,
getting them to call up their ISPs, even trying to get them to switch
ISPs to get around imaginary APEWS blockings.

It is very simply a game of lying to gullible people and it totally
sucks to the rest of the anti-spam community.

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

Andrzej Adam Filip

unread,
Aug 1, 2007, 9:48:26 AM8/1/07
to
Steve Linford <lin...@spamhaus.org> writes:

Publish your opinion about APEWS.org and `APEWS on NANAE/NANAB' on some
web page. I may *consider* appending *the link* to my `APEWS replies'.

Doing anything more than appending such link would mean assuming that
NANAE and NANAB should be treated as `lamers gatherings'.

--
[pl>en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
http://anfi.homeunix.org/spamcop-top200/2007/2007-07-31.html
http://anfi.homeunix.org/spamcop-top200/last/latest.html

Stephen Satchell

unread,
Aug 1, 2007, 1:29:02 PM8/1/07
to
Steve Linford wrote:
> Considering that APEWS is only used by a handful of cluebies running
> mail servers in their attics for 5 family friends and 3 cats, does

Can you show proof of this? I have a person insisting that a number of
small operators and SOHOs have taken up APEWS as a spam-fighting
measure, and this person claims he has actual bounces. (I haven't seen
them yet. "Show me the bounces!" Silence.)

I reviewed APEWS and decided it was too aggressive and, in a sense,
arbitrary to use for scoring, let alone blocking...but that was my choice.

Chris Bintz

unread,
Aug 1, 2007, 1:28:05 PM8/1/07
to
Steve Linford wrote:
>
> Some of the NANAE group go beyond outright lying and even tell them that
> if they don't do what APEWS wants "things will only get worse",
> obviously hoping to waste as much of these peoples time as possible,
> getting them to call up their ISPs, even trying to get them to switch
> ISPs to get around imaginary APEWS blockings.
>

Maybe this is what its good for. Companies and admins are getting
alerted who they give their money. And they alert their upstreams and
put pressure on them. Dont know if it works, but at least some are
getting aware of their neighborhood.

--
mfg Chris
http://www.citosoft.com
MSI Zubehör und Ersatzteile

Hal Murray

unread,
Aug 1, 2007, 1:41:50 PM8/1/07
to

>Can you show proof of this? I have a person insisting that a number of
>small operators and SOHOs have taken up APEWS as a spam-fighting
>measure, and this person claims he has actual bounces. (I haven't seen
>them yet. "Show me the bounces!" Silence.)

A hard bounce actually showed up in NANAE recently.


--
These are my opinions, not necessarily my employer's. I hate spam.

Steve Linford

unread,
Aug 1, 2007, 3:07:17 PM8/1/07
to
In article <1rOdndzm6s0HTi3b...@megapath.net>,
hal-u...@ip-64-139-1-69.sjc.megapath.net (Hal Murray) wrote:

> >Can you show proof of this? I have a person insisting that a number of
> >small operators and SOHOs have taken up APEWS as a spam-fighting
> >measure, and this person claims he has actual bounces. (I haven't seen
> >them yet. "Show me the bounces!" Silence.)
>
> A hard bounce actually showed up in NANAE recently.

Whoopie, a bounce from the home mail server of a complete cluebie
who had no clue what he was using or why. If you can stretch that to
pretend maybe the cluebie is the tip of an invisible cluebie iceberg,
then maybe it's worth stretching it further to pretending there are
actual networks using it which could justify telling the suckers that
come in here that they have to do things to get unblocked...

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org

--

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 1, 2007, 8:18:47 PM8/1/07
to
Steve Linford wrote:
> Considering that APEWS is only used by a handful of
> cluebies running mail servers in their attics for 5
> family friends and 3 cats,

I heard there was a dog involved somewhere too.
{However that is only a rumor.}


I don't see APEWS responses any significantly different
than those for BLARS, SPEWS, ... (most DNSbls)
Most people point out elsewhere it is listed, &/or
other info they see about that netspace / ISP
(the OP already knows about the info in whatever list
they mentioned).


--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Mark Roberts

unread,
Aug 1, 2007, 8:17:43 PM8/1/07
to
Steve Linford wrote:

<snip>

Well first of all, I agree with what you say about it being wrong for
people to stoke unreasonable fear amongst those listed by APEWS. It's
really an unpleasant and extreme version of the FUD tactic.

And I think it's also pretty unnecessary. Those listed seem concerned
about the listing even before they receive the responses postulating
dire consequences if they're not removed.

Really, the beauty of APEWS is precisely that it *isn't* used by a
significant number of mail admins. The listings I've seen all have
been genuinely "dirty" IP space *under APEWS' published criteria* (and
under my criteria, to be honest, not that that means I'd block it
all). The result is a "block" list that doesn't block yet which does
alert people when they're on a network that supports spammers. If we'd
leave it at that rather than stoking hysteria it ought to be enough.
In fact, judging by the people who come here asking for removal, it
really *is* enough: Most of them seem to be upset at just the *idea*
of "being on a block list" or that their mail *might* be blocked. Yes,
it's irrational but irrationality isn't in short supply these days.

So rather than fanning the flames, why not just tell APEWS listees:
1 - You needn't worry because almost no one uses APEWS
2 - You aren't listed, it's your provider
3 - Your provider is listed because they support spammers
4 - If you really, really, really insist on trying to change the
listing you need to contact your provider and pressure them to dump
their spammers
5 - Step 4 probably won't work but it doesn't matter because of #1

I get the feeling most of the types who come here looking for removal
would wring their hands and fret just as much no matter what they're
told. It isn't *necessary* to sully the image of the anti-spam
movement by exaggerating and fanning the flames of irrational fears.

By being honest about the impact of APEWS and civil about how we state
it -- even in the face of obnoxious complainers -- we might just get a
few listees to complain to their spam-friendly providers. That may not
help but it isn't a bad thing. (Think of it as an anti-spam version of
Arlo Guthrie's "Anti-Massacree Movement")


--
Mark Roberts Photography & Multimedia
www.robertstech.com
412-687-2835

NPG

unread,
Aug 1, 2007, 8:18:01 PM8/1/07
to
* Steve Linford wrote:
> Considering that APEWS is only used by a handful of cluebies running
> mail servers in their attics for 5 family friends and 3 cats, does
> anyone besides the NANAE peanut gallery actually think the game of
> pretending people are blocked and must do things to 'get off' APEWS is
> anything but a game of lying to try to rope other people into the fight?
>
> Some of this newsgroup and some of the NANAE group live in Kookland.
> Responding to endless poor suckers by telling them things they need to
> do in order to get removed from APEWS, pretending APEWS listings are
> probably linked to other DNSBL listings elsewhere in the /16s which the
> suckers need to somehow get fixed, all without telling them that in fact
> nothing's blocked at all and any blocking or mail problems they *think*
> they're experiencing because of an APEWS 'red alert' they saw on
> DNSstuff.com are *entirely in their imagination*.
>
> Some of the NANAE group go beyond outright lying and even tell them that
> if they don't do what APEWS wants "things will only get worse",
> obviously hoping to waste as much of these peoples time as possible,
> getting them to call up their ISPs, even trying to get them to switch
> ISPs to get around imaginary APEWS blockings.
>
> It is very simply a game of lying to gullible people and it totally
> sucks to the rest of the anti-spam community.
>
Yeah, tell em Steve

IMHO A blocklist should be wielded like an ice pick, not a sledgehammer.

Message has been deleted

DevilsPGD

unread,
Aug 2, 2007, 8:12:18 AM8/2/07
to
In message <GT8si.54613$5j1....@newssvr21.news.prodigy.net> E-Mail
Sent to this address will be added to the BlackLists
<Nu...@BlackList.Anitech-Systems.invalid> wrote:

>I don't see APEWS responses any significantly different
> than those for BLARS, SPEWS, ... (most DNSbls)
> Most people point out elsewhere it is listed, &/or
> other info they see about that netspace / ISP
> (the OP already knows about the info in whatever list
> they mentioned).

BLARS responses always made it clear the DNSBL was a joke. SPEWS had a
nack for picking out spammers that APEWS has failed to obtain, yet the
responses are more suited to SPEWS then to APEWS.

--
Americans couldn't be any more self-absorbed if they were made from equal
parts water and papertowel.
-- Dennis Miller

Hal Murray

unread,
Aug 2, 2007, 8:17:20 AM8/2/07
to

>That is, in many cases, an absolute crock of shit. Huge chunks of clean
>networks - softlayer, for example, have been listed in apews for a very long
>time with absolutely zero supporting evidence. It is precisely this type of
>listing, of which apews is absolutely riddled with, that has made apews
>completely worthless.

I'm not a great APEWS fan, but you picked a bad example.
softlayer has hit me 5 times. google-groups has samples in NANAS.

softlayer may be a good guys, but "absolutely zero" is far from
what I see. (and I'm not a big target)

--
These are my opinions, not necessarily my employer's. I hate spam.

--

bealoid

unread,
Aug 2, 2007, 8:23:17 AM8/2/07
to
Steve Linford <lin...@spamhaus.org> wrote in news:linford-
5AC04C.130...@news.supernews.com:

> Considering that APEWS is only used by a handful of cluebies running
> mail servers in their attics for 5 family friends and 3 cats,

[snip]

> saw on DNSstuff.com

DNSstuff lists APEWS. People trust dnsstuff. People then trust APEWS,
even though they know nothing about it and don't know if it's used or not.

[snip]

> It is very simply a game of lying to gullible people and it totally
> sucks to the rest of the anti-spam community.

I agree. When this group started I didn't think I'd have to killfile
anyone here, but now? There's a few who've been kf'd.

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 2, 2007, 9:29:45 AM8/2/07
to
BFS wrote:
> Huge chunks of clean networks - softlayer, for example,
> have been listed in apews

(Shrug)

I see SpamTrap hits , C/R Spam & BackScatter from AS36351
66.228.112.0/20 , 74.86.0.0/17 , 75.126.0.0/16 , 208.101.0.0/18

So, what classifies softlayer as "clean"?

... or was that supposed to be "cleaner" than some other ISPs?


--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>
will be added to the BlackLists.

Shmuel (Seymour J.) Metz

unread,
Aug 2, 2007, 10:13:17 AM8/2/07
to
In <dfn1b3hsiirfdncca...@4ax.com>, on 08/02/2007

at 12:17 AM, Mark Roberts <ma...@robertstech.com> said:

>So rather than fanning the flames, why not just tell APEWS listees:
>1 - You needn't worry because almost no one uses APEWS

Because I have no data to support that claim.

>2 - You aren't listed, it's your provider
>3 - Your provider is listed because they support spammers 4 - If you
>really, really, really insist on trying to change the listing you
>need to contact your provider and pressure them to dump their
>spammers

We (TINW) *do* tell them that.

>5 - Step 4 probably won't work but it doesn't matter because of #1

Because we can't honestly tell them the second part in the absence of
supporting data.

>It isn't *necessary* to sully the image of the anti-spam movement by
>exaggerating and fanning the flames of irrational fears.

Nor is it necessary to claim exaggeration where there is none.

>By being honest about the impact of APEWS and civil about how we
>state it

PKB. Being honest includes not presenting unsubstantiated opinions as
facts and not presenting legitimate disagreements as lies.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Hal Murray

unread,
Aug 2, 2007, 12:35:30 PM8/2/07
to

>BLARS responses always made it clear the DNSBL was a joke. SPEWS had a
>nack for picking out spammers that APEWS has failed to obtain, yet the
>responses are more suited to SPEWS then to APEWS.

SPEWS' web page also provided much better information, especially
for an escalation. It was easy for somebody to get a feel for how
bad the listed neighborhood was and/or which ISPs were hosting
nasty spammers.

--
These are my opinions, not necessarily my employer's. I hate spam.

--

huey.c...@gmail.com

unread,
Aug 2, 2007, 3:22:16 PM8/2/07
to
Steve Linford <lin...@spamhaus.org> wrote:
> hal-u...@ip-64-139-1-69.sjc.megapath.net (Hal Murray) wrote:
> > >Can you show proof of this? I have a person insisting that a
> > >number of small operators and SOHOs have taken up APEWS as a
> > >spam-fighting measure, and this person claims he has actual
> > >bounces. (I haven't seen them yet. "Show me the bounces!"
> > >Silence.)
> > A hard bounce actually showed up in NANAE recently.
> Whoopie, a bounce from the home mail server of a complete cluebie who
> had no clue what he was using or why. If you can stretch that to
> pretend maybe the cluebie is the tip of an invisible cluebie iceberg,
> then maybe it's worth stretching it further to pretending there are
> actual networks using it which could justify telling the suckers that
> come in here that they have to do things to get unblocked...

Indeed. In fact, not finding any hard bounces would actually be more of
an indictment, because it'd mean that even the guy who created the thing
knew better than to use it.

--
Huey

Mark Roberts

unread,
Aug 2, 2007, 4:04:41 PM8/2/07
to
Shmuel (Seymour J.) Metz wrote:

>In <dfn1b3hsiirfdncca...@4ax.com>, on 08/02/2007
> at 12:17 AM, Mark Roberts <ma...@robertstech.com> said:
>
>>So rather than fanning the flames, why not just tell APEWS listees:
>>1 - You needn't worry because almost no one uses APEWS
>
>Because I have no data to support that claim.

Neither do I, but I'm quite willing to accept the expert opinion of
Steve Linford, who is one of the most respected authorities on both
spam and blocklists.

BTW: Though Steve has a point about some people who are stirring the
pot, I think what's missing is the person *most* responsible: The
person who's sending complainants to NANAB and NANAE in the first
place. It's clear from the posts that many of the people using the
newsgroups to request delisting haven't read the APEWS FAQ. Which
raises the question of how they got the idea of posting in the
newsgroup in the first place. And since almost no one asking for list
removal is posting actual rejected emails, it seems likely that
they're only find out that they're listed because someone is
contacting than and telling them so. It is not unreasonable to assume
that whoever is "helpfully" informing people that their IP address is
listed is also the person instructing them to post to the newsgroups
for list removal. Someone who is, in effect, doing a manual,
labor-intensive version of a Hipcrime newsgroup flood. This is the
person really to blame.



--
Mark Roberts Photography & Multimedia
www.robertstech.com
412-687-2835

--

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 2, 2007, 5:53:20 PM8/2/07
to
Mark Roberts wrote:
> ... since almost no one asking for list removal is

> posting actual rejected emails,
> it seems likely that they're only find out that they're
> listed because someone is contacting than and telling them so.

I think many are DNSstuff alert subscribers (or something like that).

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>


will be added to the BlackLists.

--

1urk3r

unread,
Aug 2, 2007, 10:35:23 PM8/2/07
to
On Aug 1, 8:48 am, Andrzej Adam Filip <a...@poczta.onet.pl> wrote:

well, when i went through the torture
of establishing this newsgroup, i didn't
intend it to become another "lamers gathering."

in fact, my intent was quite the opposite.
unfortunately, though, i proposed excellent,
fair-minded moderators, who persist in
approving posts solely based on their
conformance with the charter, which means
that, yes: you *are* permitted to post here.


adam

--
"Give a man a fish, and you feed him for one day.
Teach him to fish, and he'll drink beer and tell
lies for the rest of his life."


======================================= MODERATOR'S COMMENT:

can this thread please get wrapped up? :-)
/this mod

John Doe

unread,
Aug 3, 2007, 9:57:55 AM8/3/07
to
On Thu, 02 Aug 2007 19:22:16 +0000, huey.callison wrote:

> Indeed. In fact, not finding any hard bounces would actually be more of
> an indictment, because it'd mean that even the guy who created the thing
> knew better than to use it.

Not necessarily.

It could well be that the GWCTT has no reason to expoect legitimate mail
from areas that he listed. No legitimate mail expected from those areas
would translate into no SMTP rejects (not bounces, please).

--
The e-mail address in the From: header of this post is valid.
Add [spammerssuck] to the Subject: of any correspondence or said
correspondence will be deleted unread.

Claus v. Wolfhausen

unread,
Aug 3, 2007, 2:57:20 PM8/3/07
to
In article <linford-5AC04C...@news.supernews.com>,
lin...@spamhaus.org says...

>Considering that APEWS is only used by a handful of cluebies running
>mail servers in their attics for 5 family friends and 3 cats, does
>anyone besides the NANAE peanut gallery actually think the game of
>pretending people are blocked and must do things to 'get off' APEWS is
>anything but a game of lying to try to rope other people into the fight?

First let me say that i would have expected such an subject and that content
from M.Ciprut, but not from the SPAMHAUS operator.

Really strange to see you are claiming your private opinions as facts here.
You have no prove how many systems are using the APEWS lists and for what
reasons. You do not run their mirrors.

Even if you would be right, and nobody would use that lists you should be
glad about every user calling his provider and complaining about spammers,
shouldn't you?

There is nothing which can do an equivalent pressure to providers than
angry customers calling them and having clue about their provider is the
source of their problems.

I've learned this within the 6 weeks i maintain the UCEPROTECT blocklists now.

Most providers panic if lots of customers are complaining because of spammers
exists in the same netblock and they begin realizing to be just a bunch of
IP's away to get a complete /16 escalated up to UCEPROTECT-Level 3.

I can see this every day looking into the tickets they open and begging to
not get escalated / making promises that they will terminate spammers faster
next time / telling what measures they are planning to install.

It does not matter users are really at risk to get blocked or just got that
imagination. What matters is the result only:

They will call their providers and complain about the spammers.

Real spamfighters should appreciate that, because it is helpfull to eliminate
the spam problem.

The question is therfore: What is your problem with APEWS?

It seems to me you worry about who will pay you tomorrow, if APEWS
would be sucessfull and spam disappear.

>Some of this newsgroup and some of the NANAE group live in Kookland.
>Responding to endless poor suckers by telling them things they need to
>do in order to get removed from APEWS, pretending APEWS listings are
>probably linked to other DNSBL listings elsewhere in the /16s which the
>suckers need to somehow get fixed,

It is a fact that APEWS is using other DNSBL's searching spam sources.
I got a mail from Al Iverson, he also noticed that there are sometimes ranges
listed by APEWS shortly after they were seen on the UCEPROTECT blocklists.

Investigating i found that our lists are indeed also downloadet by APEWS.
I've also seen APEWS sometimes pointing to ROSKO listings.

Why do you deny the facts that there are for sure links to other DNSBL
listings?

>all without telling them that in fact nothing's blocked at all and any

Why don't you tell people the facts that you would never list the worlds
most abusive big providers in your blocklist?
Let's call them COMCASTBUSINESS, TIMEWARNER, ATT, VERIZON.

I guess you are not doing so because you have (good or bad) reasons.
Those not sharing your opinions on APEWS have better reasons.

>blocking or mail problems they *think* they're experiencing because of an
>APEWS 'red alert' they saw on DNSstuff.com are *entirely in their
>imagination*.

Dnsstuff does not send alerts on lists they flagged as "SHOULD NOT BE USED".



>Some of the NANAE group go beyond outright lying and even tell them that
>if they don't do what APEWS wants "things will only get worse",
>obviously hoping to waste as much of these peoples time as possible,
>getting them to call up their ISPs, even trying to get them to switch
>ISPs to get around imaginary APEWS blockings.
>It is very simply a game of lying to gullible people and it totally
>sucks to the rest of the anti-spam community.

Are you asking me to get rude? Here you are:

Who did authorize you to speak for the "rest of the anti-spam community"?

If you would be a real spamfighter, you would not knowingly ignore the worst
spamsewers, you would appreciate what APEWS does instead.

SORBS and UCEPROTECT would not mirror zones which "sucks".
That does not mean i recommend using APEWS for blocking.

In my opinion the APEWS lists are excellent as an advisory or to be used in
scoring systems.

For this reason i continued to mirror the zones and additional made them public
available for rsync.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

Steve Linford

unread,
Aug 3, 2007, 4:11:47 PM8/3/07
to
In article <f8vht6$920$1...@ulm.shuttle.de>,

use-reply-...@remove-this.com (Claus v. Wolfhausen) wrote:

> In article <linford-5AC04C...@news.supernews.com>,
> lin...@spamhaus.org says...
>
> >Considering that APEWS is only used by a handful of cluebies running
> >mail servers in their attics for 5 family friends and 3 cats, does
> >anyone besides the NANAE peanut gallery actually think the game of
> >pretending people are blocked and must do things to 'get off' APEWS is
> >anything but a game of lying to try to rope other people into the fight?
>
> First let me say that i would have expected such an subject and that content
> from M.Ciprut, but not from the SPAMHAUS operator.

> Even if you would be right, and nobody would use that lists you should be

> glad about every user calling his provider and complaining about spammers,
> shouldn't you?

No. People calling ISPs and saying "I want to complain of some spammers,
I don't know where but they're somewhere in your /12 and no I have no
proof" simply makes ISPs think "what a bunch of nutjob timewasters".

> There is nothing which can do an equivalent pressure to providers than
> angry customers calling them and having clue about their provider is the
> source of their problems.

What "clue" and what "problems", imaginary ones you pretend exist?

> It does not matter users are really at risk to get blocked or just got that
> imagination. What matters is the result only:
>
> They will call their providers and complain about the spammers.
>
> Real spamfighters should appreciate that, because it is helpfull to eliminate
> the spam problem.

This is not any form of spam-fighting I understand, this is simply
bullshitting to the public and bullshitting to ISPs and making a bad
name for spam-fighters.

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org

--

Karl-Henry Martinsson

unread,
Aug 3, 2007, 5:35:27 PM8/3/07
to

"Claus v. Wolfhausen" <use-reply-...@remove-this.com> wrote in
message news:f8vht6$920$1...@ulm.shuttle.de...

> In article <linford-5AC04C...@news.supernews.com>,
> lin...@spamhaus.org says...
>
>>Considering that APEWS is only used by a handful of cluebies running
>>mail servers in their attics for 5 family friends and 3 cats, does
>>anyone besides the NANAE peanut gallery actually think the game of
>>pretending people are blocked and must do things to 'get off' APEWS is
>>anything but a game of lying to try to rope other people into the fight?
>
> Even if you would be right, and nobody would use that lists you should be
> glad about every user calling his provider and complaining about spammers,
> shouldn't you?
>
> There is nothing which can do an equivalent pressure to providers than
> angry customers calling them and having clue about their provider is the
> source of their problems.
>
> I've learned this within the 6 weeks i maintain the UCEPROTECT blocklists
> now.
>
> Most providers panic if lots of customers are complaining because of
> spammers
> exists in the same netblock and they begin realizing to be just a bunch of
> IP's away to get a complete /16 escalated up to UCEPROTECT-Level 3.
>

I think additional pressure on spam-friendly ISPs are great. Sure, it can be
considered "scare tactics" or FUD, but that is how many other things work in
society; People are scared of going to jail for stealing, so (most) they
don't steal. We know that some thieves do not go to jail, but the
possibility of being caught scare most people into not stealing.

I think it is a good thing that customers of spam-friendly ISPs get
notified, and complain to the ISP, and that it perhaps makes the ISP change.
I remember when SPEWS first launched, it got many previously dirty ISPs to
change and start cleaning up their act.

And what better way to scare people that to create a list that nobody really
uses? No mail is actually lost, but customers and ISPs get scared, wondeing
"when will my IP:s be blocked by a list that is widely used?".

On the other hand, it seems from some postings I seen that APEWS are
sometimes listing a little bit too wide blocks, and the documentation on
escalations and evidence is very weak. I liked the SPEWS model much better,
in that regard.

Personally, I do not use APEWS. I used SPEWS and was happy with it, and I
use the Spamhaus lists as well. Steve, thanks for a great job there, by the
way.

> Why don't you tell people the facts that you would never list the worlds
> most abusive big providers in your blocklist?
> Let's call them COMCASTBUSINESS, TIMEWARNER, ATT, VERIZON.

I would use blackholes.us for that, why duplicate lists that already exists?
You also have to remember that the Spamhaus lists are widely used, and if it
block too much legitimate mail, the users would drop it, and it would be
less effective.
It is a fine balance Steve has to walk, between blocking spam and not
blocking too much, where an excess to either side would result in fewer
users.

However, I would like to hear more from Steve on how the work is going with
the "worst" ISPs on the list, if there currently is a constructive dialog
going on with Verizon, ATT, etc.

/Karl

Matthew Sullivan

unread,
Aug 3, 2007, 9:11:28 PM8/3/07
to
Claus v. Wolfhausen wrote:
>
> SORBS and UCEPROTECT would not mirror zones which "sucks".
> That does not mean i recommend using APEWS for blocking.


I mirror the zone because I was asked and it seemed sane at the time.

I'm continuing to mirror it because I started to mirror it and people
*might* be using it. I don't mirror it because it does or doesn't suck,
and to be honest if APEWS uses me as an endorsement on it's quality,
it'll get a rude shock when I drop it without warning or notice.

I do not *endorse* *any* DNSbl or anti-spam service.

That said in addition to SORBS (safe.dnsbl.sorbs.net) I do use:

CBL
NJABL
DSBL
The hijacked and bogon's lists from completewhois.

... on all the mail servers I administer (which accounts for > 100k
mailboxes)

I am currently mirroring and testing ASPEWS and I have no complaints so far.

For SpamAssassin scoring I use spam.dnsbl.sorbs.net in addition to the
above DNSbls.

I do not use APEWS at all.

I do not use SPEWS now either (I used to use it for scoring).

> In my opinion the APEWS lists are excellent as an advisory or to be used in
> scoring systems.

I don't, but that's my opinion.

Regards,

Mat

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 3, 2007, 9:10:07 PM8/3/07
to
Karl-Henry Martinsson wrote:
> On the other hand, it seems from some postings I seen that
> APEWS are sometimes listing a little bit too wide blocks,

Stopping at the RIR -> LIR direct allocation CIDR would be nice.

> and the documentation on escalations and evidence is very
> weak. I liked the SPEWS model much better, in that regard.

Yes.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

--

Seth

unread,
Aug 3, 2007, 10:20:21 PM8/3/07
to
In article <linford-383BB2...@news.supernews.com>,

Steve Linford <lin...@spamhaus.org> wrote:
>In article <f8vht6$920$1...@ulm.shuttle.de>,
> use-reply-...@remove-this.com (Claus v. Wolfhausen) wrote:

>> Even if you would be right, and nobody would use that lists you should be
>> glad about every user calling his provider and complaining about spammers,
>> shouldn't you?
>
>No. People calling ISPs and saying "I want to complain of some spammers,
>I don't know where but they're somewhere in your /12 and no I have no
>proof" simply makes ISPs think "what a bunch of nutjob timewasters".

Does that happen?

I haven't read most of the APEWS threads on NANAE, but typically when
someone complains about a listing, plenty of evidence (from NANAS or
even Spamhaus) is provided.

>> There is nothing which can do an equivalent pressure to providers than
>> angry customers calling them and having clue about their provider is the
>> source of their problems.
>
>What "clue" and what "problems", imaginary ones you pretend exist?

Assuming the APEWS listing is correct (that there is really spam
coming from the listed space), the problem is that spam. The clue is
that the provider is responsible.

>> They will call their providers and complain about the spammers.
>>
>> Real spamfighters should appreciate that, because it is helpfull to eliminate
>> the spam problem.
>
>This is not any form of spam-fighting I understand,

Getting customers to leave spam-friendly providers is a very effective
form of spam-fighting (when it works). Seen much spam from AGIS lately?

Seth

Claus v. Wolfhausen

unread,
Aug 4, 2007, 1:55:04 PM8/4/07
to
In article <linford-383BB2...@news.supernews.com>,
lin...@spamhaus.org says...

>> Even if you would be right, and nobody would use that lists you should be
>> glad about every user calling his provider and complaining about spammers,
>> shouldn't you?
>
>No. People calling ISPs and saying "I want to complain of some spammers,
>I don't know where but they're somewhere in your /12 and no I have no
>proof" simply makes ISPs think "what a bunch of nutjob timewasters".

People which came to nanae and got shown some evidences as IP's listed by
the CBL or UCEPROTECT or even got told about ROSKO spammers will not call
the provider and just tell "you have a spammer somewhere in your /12".

I have to wonder again that you seem to think all others are just idiots.

I guess those users which got detailed informations what the problem is
will be no longer clueless and they will also tell details when they call
their providers.

>> There is nothing which can do an equivalent pressure to providers than
>> angry customers calling them and having clue about their provider is the
>> source of their problems.
>
>What "clue" and what "problems", imaginary ones you pretend exist?

That was nothing specific for APEWS, it will always do pressure to an provider
if multiple customers (knowingly the provider is hosting spammers, and
therefore their mail was rejected) are complaining about being impacted by
*any* blocklist.

>> It does not matter users are really at risk to get blocked or just got that
>> imagination. What matters is the result only:
>>
>> They will call their providers and complain about the spammers.
>>
>> Real spamfighters should appreciate that, because it is helpfull to
eliminate
>> the spam problem.
>
>This is not any form of spam-fighting I understand, this is simply
>bullshitting to the public and bullshitting to ISPs and making a bad
>name for spam-fighters.

What do you think how many people giving money to a spamsewer having a clue
their provider is actively providing support to spammers?

Most people hate spam. They would not give their money to such an blackhat
if they would know the facts in first place.

Lists as UCEPROTECT or APEWS are opening their eyes, and most of those
users are indeed shocked about the truth, some can not even believe it.

What you call "bullshitting" is one of the most effective strategies getting
providers change and booting their spammers.

I guess you are maintaining SPAMHAUS since 1998?
You behave like you would be the only person able to maintain a blocklist.
If your strategies were sucessfull spam should be history meanwhile.

The facts that it gets more worse every year shows that there is a need for
a more drastic approach.

Bad for the spam-fighters are blocklist operators tying to discredit users of
other bloclkist naming them "a handful of cluebies running mail servers in

their attics for 5 family friends and 3 cats"

--

Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

1urk3r

unread,
Aug 4, 2007, 1:50:34 PM8/4/07
to
On Aug 3, 8:11 pm, Matthew Sullivan <usenet-n...@sorbs.net> wrote:
> Claus v. Wolfhausen wrote:
>
> >
>
> > SORBS and UCEPROTECT would not mirror zones which "sucks".
> > That does not mean i recommend using APEWS for blocking.
>
> I mirror the zone because I was asked and it seemed sane at the time.
>
> I'm continuing to mirror it because I started to mirror it and people
> *might* be using it. I don't mirror it because it does or doesn't suck,
> and to be honest if APEWS uses me as an endorsement on it's quality,
> it'll get a rude shock when I drop it without warning or notice.
>

unless you accept the fiction that
uceprotect & wolfhausen are not
responsible for the thing (and i know
you've seen very convincing evidence
debunking that fiction) that's exactly
what they *are* doing, Mat.


adam

--

Shmuel (Seymour J.) Metz

unread,
Aug 4, 2007, 9:02:18 PM8/4/07
to
In <OsMsi.47245$YL5....@newssvr29.news.prodigy.net>, on 08/03/2007

at 09:35 PM, "Karl-Henry Martinsson" <na...@martinsson.us> said:

>I would use blackholes.us for that, why duplicate lists that already
>exists? You also have to remember that the Spamhaus lists are widely
>used, and if it block too much legitimate mail, the users would drop
>it, and it would be less effective.

Spamhas only blocks mail going through its servers. Should spamhaus
list the "too big to block" sewers in such a fashion[1] that the users
could decide whether to take advantage of the data, the change would
not cause any users to drop it.

[1] E.g., different DNS server, different code in the A record.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

Matthew Sullivan

unread,
Aug 5, 2007, 10:15:33 AM8/5/07
to
1urk3r wrote:
> On Aug 3, 8:11 pm, Matthew Sullivan <usenet-n...@sorbs.net> wrote:
>> Claus v. Wolfhausen wrote:
>>
>> >
>>
>>> SORBS and UCEPROTECT would not mirror zones which "sucks".
>>> That does not mean i recommend using APEWS for blocking.
>> I mirror the zone because I was asked and it seemed sane at the time.
>>
>> I'm continuing to mirror it because I started to mirror it and people
>> *might* be using it. I don't mirror it because it does or doesn't suck,
>> and to be honest if APEWS uses me as an endorsement on it's quality,
>> it'll get a rude shock when I drop it without warning or notice.
>>
>
> unless you accept the fiction that
> uceprotect & wolfhausen are not
> responsible for the thing (and i know

Well that's the thing - I know who *was* responsible for APEWS, and at
the time it was *not* Wolfhausen, if that has changed then my previous
mail serves as a warning.

Regards,

Mat

Larry M. Smith

unread,
Aug 5, 2007, 10:15:05 AM8/5/07
to
Claus v. Wolfhausen wrote:
(snip)
> Most people hate spam.

I think the real issue is that most people *like* email, and that spam
is a problem that prevents email from functioning as the user expects...
There is an ever so slight difference than "most people hate spam"

Most people also hate over-zealous anti-spam solutions that stop as much
legitimate mail as the spam, as it also prevents email from functioning
as the user expects.

> They would not give their money to such an blackhat
> if they would know the facts in first place.
>

Most users don't care, they want their Internet, telephone, television,
and automobile to just work. The don't want to know how it works, or
have endless discussions over the pros and cons of PAL -vs- SECAM -vs-
NTSC, the just want it to work for them. Nor do they really care what
kind of shenanigans the sales department of channel-15 might be up to.


SgtChains

Greg R. Broderick

unread,
Aug 5, 2007, 9:42:10 PM8/5/07
to
use-reply-...@remove-this.com (Claus v. Wolfhausen) wrote in
news:f90r4o$f8v$1...@ulm.shuttle.de:

> What do you think how many people giving money to a spamsewer having a
> clue their provider is actively providing support to spammers?


Okay, I'm convinced. Please provide me a list of ISPs that don't "provide
support to" spammers. This should include:


* absolutely NO exploited / virus / malware-infested end-luser hosts spewing
spam, EVER!

* no providing hosting, DNS, to spammers' web sites (of course)

* absolutely no IPs within their IP address space listed by any of the DNSBLs
(not even the most rabid ones)

* no hosting of email drop-boxes for spammers

* no providing connectivity to anyone who spams, or to anyone whose customers
spam, or to anyone whose customers customers spam


In other words, I'm looking for ISPs that are entirely clean, not those who
clean up after their occasional incidents, but those who never have those
occasional spews to begin with. I eagerly await your response, so that I
will know whom I should be paying my internet access fees.

I expect that this list will be empty - that you will not be able to
enumerate even one Internet Service Provider whose hands are entirely clean
of spam.

So why don't you have all of the others listed in APEWS? They all are, to
some degree or another, "spam supporters".


Regards
GRB

--
---------------------------------------------------------------------
Greg R. Broderick usenet...@blackholio.dyndns.org

A. Top posters.
Q. What is the most annoying thing on Usenet?
---------------------------------------------------------------------

Claus v. Wolfhausen

unread,
Aug 6, 2007, 8:23:16 AM8/6/07
to
In article <1186194650....@e9g2000prf.googlegroups.com>,
adamb...@gmail.com says...

>
>unless you accept the fiction that
>uceprotect & wolfhausen are not
>responsible for the thing (and i know
>you've seen very convincing evidence
>debunking that fiction) that's exactly
>what they *are* doing, Mat.

You are joking, aren't you?
I took over the UCEPROTECT blocklist 6 weeks ago.
How can i be responsible for the APEWS blocklist
which started January 2007?

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

Claus v. Wolfhausen

unread,
Aug 6, 2007, 8:47:28 AM8/6/07
to
In article <46b4ed23$0$3151$ae4e...@news.nationwide.net>,
SgtChains-...@FahQ2.com says...

>
>Claus v. Wolfhausen wrote:
>(snip)
>> Most people hate spam.
>
>I think the real issue is that most people *like* email, and that spam
>is a problem that prevents email from functioning as the user expects...
> There is an ever so slight difference than "most people hate spam"

If people wouldn't hate spam, they would not use anti-spam solutions.

>Most people also hate over-zealous anti-spam solutions that stop as much
>legitimate mail as the spam, as it also prevents email from functioning
>as the user expects.

That was the reason i cleaned up the UCEPROTECT blocklists.

>> They would not give their money to such an blackhat
>> if they would know the facts in first place.
>>
>
>Most users don't care, they want their Internet, telephone, television,
>and automobile to just work. The don't want to know how it works, or
>have endless discussions over the pros and cons of PAL -vs- SECAM -vs-
>NTSC, the just want it to work for them. Nor do they really care what
>kind of shenanigans the sales department of channel-15 might be up to.

Indeed, but if they learn from their friends that mail just works at one
provider while it doesn't at another provider they might decide to change.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

Claus v. Wolfhausen

unread,
Aug 6, 2007, 8:49:03 AM8/6/07
to
In article <f931k0$905$1...@nemesis.sorbs.net>, usene...@sorbs.net says...

>
>Well that's the thing - I know who *was* responsible for APEWS, and at
>the time it was *not* Wolfhausen, if that has changed then my previous
>mail serves as a warning.

It isn't hard to figure out who is responsible for APEWS.
You can safely assume that hasn't changed.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

Claus v. Wolfhausen

unread,
Aug 6, 2007, 9:29:16 AM8/6/07
to
In article <Xns99838BC399304tn...@io.blackholio.dyndns.org>,
usenet...@blackholio.dyndns.org says...

>Okay, I'm convinced. Please provide me a list of ISPs that don't "provide
>support to" spammers. This should include:

<snip>

It is safe to assume there will be *no* provider which had *never* such issues.
The question is: Did they learn from those problems?

Providers port 25 blocking their dialups, rate limiting their smarthosts,
scanning customers mailservers for open relays / proxys / vulnerable scripts
are seldom to be found in blocklists.

That are the ones i'd recommend.

>So why don't you have all of the others listed in APEWS? They all are, to
>some degree or another, "spam supporters".

You should ask the APEWS maintainers.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

Larry M. Smith

unread,
Aug 6, 2007, 12:17:13 PM8/6/07
to
Claus v. Wolfhausen wrote:
> In article <46b4ed23$0$3151$ae4e...@news.nationwide.net>,
> SgtChains-...@FahQ2.com says...
>> Claus v. Wolfhausen wrote:
>> (snip)
>>> Most people hate spam.
>> I think the real issue is that most people *like* email, and that spam
>> is a problem that prevents email from functioning as the user expects...
>> There is an ever so slight difference than "most people hate spam"
>
> If people wouldn't hate spam, they would not use anti-spam solutions.
>

You have missed the point completely.

People *like* email a heck of a lot more than they hate spam. Because
if they didn't, they would simply abandon email.

>> Most people also hate over-zealous anti-spam solutions that stop as much
>> legitimate mail as the spam, as it also prevents email from functioning
>> as the user expects.
>
> That was the reason i cleaned up the UCEPROTECT blocklists.
>

Yet you still think that APEWS is a valid anti-spam solution... This
puzzles me.

>>> They would not give their money to such an blackhat
>>> if they would know the facts in first place.
>>>
>> Most users don't care, they want their Internet, telephone, television,
>> and automobile to just work. The don't want to know how it works, or
>> have endless discussions over the pros and cons of PAL -vs- SECAM -vs-
>> NTSC, the just want it to work for them. Nor do they really care what
>> kind of shenanigans the sales department of channel-15 might be up to.
>
> Indeed, but if they learn from their friends that mail just works at one
> provider while it doesn't at another provider they might decide to change.
>

Riiiight.


SgtChains

Claus v. Wolfhausen

unread,
Aug 7, 2007, 10:43:33 AM8/7/07
to
In article <46b750b1$0$3157$ae4e...@news.nationwide.net>,
SgtChains-...@FahQ2.com says...

>You have missed the point completely.
>
>People *like* email a heck of a lot more than they hate spam. Because
>if they didn't, they would simply abandon email.

I guess that is not true.
People like *clean* email and still hoping that at least *one* valid mail
might be in their inbox.

Having a business one expects you to have an email address.

That might be the only reason email is still used.

>>> Most people also hate over-zealous anti-spam solutions that stop as much
>>> legitimate mail as the spam, as it also prevents email from functioning
>>> as the user expects.
>>
>> That was the reason i cleaned up the UCEPROTECT blocklists.
>>
>
>Yet you still think that APEWS is a valid anti-spam solution... This
>puzzles me.

Wrong. I said it might be usable in a scoring system or as an advisory.

No blocklist is nor will ever be a valid anti-spam solution itself.

Even Steve Linford is known to screwup from time to time.

You could also have lost valid emails from nic.at if you had used SPAMHAUS
for blocking not so long ago.

Just google for "spamhaus + nic.at" if you do not believe me.

Any valid anti-spam solution is therefore a combination of independant
measures installed to make decisions based on.

You should at least have a whitelist with those you expect mail from
using *any* blocklist.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--

Jay Chandler

unread,
Aug 7, 2007, 6:25:16 PM8/7/07
to
On Thu, 02 Aug 2007 21:53:20 +0000, E-Mail Sent to this address will be
added to the BlackLists wrote:

> Mark Roberts wrote:
>> ... since almost no one asking for list removal is
>> posting actual rejected emails,
>> it seems likely that they're only find out that they're
>> listed because someone is contacting than and telling them so.
>
> I think many are DNSstuff alert subscribers (or something like that).

Actually, DNSStuff stopped including APEWS in the RBLAlert service a
couple months back. It still displays on their RBL lookup, though.

--
Jay Chandler
Systems Exorcist

1urk3r

unread,
Aug 7, 2007, 9:35:16 PM8/7/07
to
On Aug 7, 9:43 am, use-reply-to-mail...@remove-this.com (Claus v.
Wolfhausen) wrote:
> In article <46b750b1$0$3157$ae4e5...@news.nationwide.net>,
> SgtChains-usenet2...@FahQ2.com says...

>
> >You have missed the point completely.
>
> >People *like* email a heck of a lot more than they hate spam. Because
> >if they didn't, they would simply abandon email.
>
> I guess that is not true.
> People like *clean* email and still hoping that at least *one* valid mail
> might be in their inbox.
>
> Having a business one expects you to have an email address.
>
> That might be the only reason email is still used.
>
> >>> Most people also hate over-zealous anti-spam solutions that stop as much
> >>> legitimate mail as the spam, as it also prevents email from functioning
> >>> as the user expects.
>
> >> That was the reason i cleaned up the UCEPROTECT blocklists.
>

but it took you a very long time, johan, and
you're still sullying the whole enterprise
with your "apews" hoax..

> >Yet you still think that APEWS is a valid anti-spam solution... This
> >puzzles me.
>
> Wrong. I said it might be usable in a scoring system or as an advisory.
>
> No blocklist is nor will ever be a valid anti-spam solution itself.
>
> Even Steve Linford is known to screwup from time to time.
>
> You could also have lost valid emails from nic.at if you had used SPAMHAUS
> for blocking not so long ago.
>
> Just google for "spamhaus + nic.at" if you do not believe me.
>

aha! at last i understand your hostility to
spamhaus & steve linford. johan, you've
been drinking the teutonic koolaid. maybe
steve linford "screwed up" in your own
opinion, but outside of german-speaking countries,
there wasn't much outrage over that flap.

in fact, nic.at was rightly listed as a spam
support service, in my own opinion (and of many
others) in spite of the lock-step marching
of the german press on the subject. further,
nic.at's excuse ("we only follow the law")
is utter baloney. they "follow the law" when
it suits them, but not every german speaker
is fooled:

http://tinyurl.com/2naxkj

read the article entitled:

"TIWAG für den Versuch, einen Kritiker mundtot zu machen"

so it seems that law nic.at is so
devoted to can be set aside when the
money is right.

chris at mcafee expressed a much
more realistic viewpoint, to which you
were perhaps not exposed in the
german-speaking press. here's
a handy hyperlink:

http://tinyurl.com/3dvzen

> Any valid anti-spam solution is therefore a combination of independant
> measures installed to make decisions based on.
>
> You should at least have a whitelist with those you expect mail from
> using *any* blocklist.

that's obvious, of course.


adam

--

Larry M. Smith

unread,
Aug 7, 2007, 10:40:33 PM8/7/07
to
Claus v. Wolfhausen wrote:
> In article <46b750b1$0$3157$ae4e...@news.nationwide.net>,
> SgtChains-...@FahQ2.com says...
(snip)

>> Yet you still think that APEWS is a valid anti-spam solution... This
>> puzzles me.
>
> Wrong. I said it might be usable in a scoring system or as an advisory.
>

Actually, what you said in <f8vht6$920$1...@ulm.shuttle.de> was; "In my


opinion the APEWS lists are excellent as an advisory or to be used in

scoring systems." I'm not parsing your original words as you are
attempting to portray them now, but I really don't care enough to push
the issue.

I have no idea now you would intend to use APEWS as an advisory, but
as for scoring, you can not fix a broken DNSBL by simply scoring it.


An example;

In another thread (Worth of a DNSBL) I suggested that we can apply
math to the issue and suggested a formula;

( percent_true_positives - (percent_false_positives * 10 )) *
( spam_score / threshold) = value

Note: Work in progress. The value of 10 here that is multiplied
against percent_false_positives might change, but it is more likely to
be more than less in the finished formula.

If we use nofalsenegative.stopspam.samspade.org (lists all of IPv4) to
block the result is;
( 100 - ( 100 * 10 )) * ( 1 / 1 ) = -900

If we set our spam threshold to 5, and use nofalsenegative with a
value of 1 the result is;
( 100 - ( 100 * 10 )) * ( 1 / 5 ) = -180 ( one fifth of -900 )

Not as bad right? Wrong, its still just as bad.

Let's say that we have some others lists that we are using;

IPv4.fahq2.com
relays.osirusoft.com
more-spews-than-thou.lumbercartel.us
blocked.secnap.net

They each have more or less the same [broken] policy, and list all of
IPv4... This results in;
( 100 - ( 100 * 10 )) * ( 1 / 5 ) + ( 100 - ( 100 * 10 )) * ( 1 / 5 )
+
( 100 - ( 100 * 10 )) * ( 1 / 5 ) + ( 100 - ( 100 * 10 )) * ( 1 / 5 )
+
( 100 - ( 100 * 10 )) * ( 1 / 5 ) = -900

Scoring a broken DNSBL does not fix the problems with its policy, or
the number of false positives it has. It only masks the problem
making it less obvious as to just how broken the thing really is.

> No blocklist is nor will ever be a valid anti-spam solution itself.
>

Some come pretty darn close, and most don't make the situation worse
than it already is.

> Even Steve Linford is known to screwup from time to time.
>
> You could also have lost valid emails from nic.at if you had used SPAMHAUS
> for blocking not so long ago.
>

Steve Linford and Spamhaus are known to screwup a heck of a lot less
than UCEProtect and its evil twin APEWS.


SgtChains

Andrew - Supernews

unread,
Aug 8, 2007, 11:30:08 AM8/8/07
to
On 2007-08-03, Claus v. Wolfhausen <use-reply-...@remove-this.com>
wrote:

> First let me say that i would have expected such an subject and that content
> from M.Ciprut, but not from the SPAMHAUS operator.

It's hardly an opinion unique to Spamhaus.

> Really strange to see you are claiming your private opinions as facts here.
> You have no prove how many systems are using the APEWS lists and for what
> reasons. You do not run their mirrors.

The evidence of the non-use of APEWS is everywhere, from the fact that
almost no one complaining of a listing can produce a bounce message, to
the fact that the participants of large high-profile mailing lists don't
complain about (or even notice) the fact that the listserver is listed on
APEWS.

> Even if you would be right, and nobody would use that lists you should be
> glad about every user calling his provider and complaining about spammers,
> shouldn't you?

Only if:

a) the provider actually does have spammers
b) the user calling the provider can actually supply usable information
about who or where those spammers are
c) the provider hadn't already taken all necessary steps themselves

Unless _all three_ of those conditions are met, it's not helpful for the
users to complain, is it?

Let's take an example. The /20 block that contains my home (static) DSL is
listed in APEWS, this block also contains the provider's smarthost. The
listing says nothing more than the usual "One or more bots in ASN / CIDR,
unprofessional / negligent owner" garbage.

There is exactly one recent hit in .sightings for that range (not from the
smarthost). This is clearly from an infected machine.

There are no current CBL listings for that range.

There are no hits for it in any of the spamtraps I have access to.

Historical data suggests that there have been about four CBL listings over
that /20 in the past three months. (For comparison, the not-quite-/19
netblock that contains unimatrix.admins.ws has more than five times that
number of listings over the same period, and repeated hits in our spamtraps.)

None of this indicates any deficiency on the part of the provider. There is
no reasonable complaint I can make to them (there's no sign of ongoing spam,
or repeated incidents from the same customer). There's no point in me moving
to another provider, because every other one I could use is either already
listed in APEWS too, or is almost certain to become listed based on the
observed behaviour. (The fact that, as I posted elsewhere, APEWS is currently
listing 38% of all routable IP space makes it clear that trying to avoid
being listed will always be a losing proposition; by comparison, SPEWS never
listed more than about 2% of active IP space.)

So the listing is serving no purpose other than helping to guarantee that
nobody will ever use APEWS.

> Most providers panic if lots of customers are complaining because of spammers
> exists in the same netblock and they begin realizing to be just a bunch of
> IP's away to get a complete /16 escalated up to UCEPROTECT-Level 3.

What's the point in escalating to a /16 when so often it'll end up crossing
an allocation boundary and catching entirely unrelated ISPs?

> It does not matter users are really at risk to get blocked or just got that
> imagination. What matters is the result only:
>
> They will call their providers and complain about the spammers.

In other words your purpose is simply to harass every ISP in the world,
regardless of whether they are keeping a clean network or not?

> Real spamfighters should appreciate that, because it is helpfull to eliminate
> the spam problem.

Real spamfighters know how to tell the difference between clean and dirty
networks.

> The question is therfore: What is your problem with APEWS?

The problem is not that they exist, or even their listing policy. The _only_
problem is this dishonest attempt to get users to complain to ISPs _even_
when the ISP is doing their job well, plus the noise generated in these
groups as a result.

> It seems to me you worry about who will pay you tomorrow, if APEWS
> would be sucessfull and spam disappear.

This is the logical fallacy known as "ad hominem circumstantial".

_I_ don't get paid anything at all for fighting spam.

> It is a fact that APEWS is using other DNSBL's searching spam sources.
> I got a mail from Al Iverson, he also noticed that there are sometimes ranges
> listed by APEWS shortly after they were seen on the UCEPROTECT blocklists.
>
> Investigating i found that our lists are indeed also downloadet by APEWS.

If I were you I'd stop that. Your defense of the stupidity of APEWS will
quite quickly undo all your attempts to reverse the damage done to your
own reputation by your former spokesman Mr. Steigenburger.

It's also a fact that APEWS is _misusing_ other sources of data. The people
at SANS have repeatedly complained about abuse of their data with no apparent
effect (see http://isc.sans.org/diary.html?storyid=3189 for details).

> If you would be a real spamfighter, you would not knowingly ignore the worst
> spamsewers, you would appreciate what APEWS does instead.

Fortunately you don't get to decide who is a "real" spamfighter or not.

> SORBS and UCEPROTECT would not mirror zones which "sucks".

Matthew has already answered that one for SORBS. As for why uceprotect would
choose to mirror a zone whose creation they were obviously closely involved
in starting, well, that doesn't take much imagination to figure out.

> That does not mean i recommend using APEWS for blocking.
>
> In my opinion the APEWS lists are excellent as an advisory or to be used in
> scoring systems.

Well, for something to be useful in a scoring system, it needs to have some
positive predictive power. That is, the probability that the mail is spam,
given that you know it is from a listed IP, must be higher than the
probability it was spam before you looked up the listing.

When the false-positive rate of a test is as high as its hit rate, then there
is no predictive power. Obviously, it's hard to measure the FP rate with any
accuracy, and it will differ significantly between users, but my analysis of
my personal mail and our support mail suggests that the real FP rate of APEWS
is _much higher_ than the figures from Al Iverson's analysis (which is biased
towards bulk sources).

--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services

Tim Skirvin

unread,
Aug 8, 2007, 11:53:11 AM8/8/07
to
Andrew - Supernews <andrew...@supernews.net> writes:

> It's also a fact that APEWS is _misusing_ other sources of data. The people
> at SANS have repeatedly complained about abuse of their data with no apparent
> effect (see http://isc.sans.org/diary.html?storyid=3189 for details).

I've complained as well, also to no effect. At the very least,
I'd like to have news.admin.net-abuse.sightings remain uncited in their
reports.

- Tim Skirvin (tski...@killfile.org)
Moderator, much of news.admin.net-abuse.*
--
http://www.killfile.org/~tskirvin/nana/ news.admin.net-abuse.*
http://www.killfile.org/donations.html killfile.org donations

Seth

unread,
Aug 8, 2007, 5:41:46 PM8/8/07
to
In article <tskirvin.20070808164710$01...@cairo.ks.uiuc.edu>,
Tim Skirvin <tski...@killfile.org> wrote:

> I've complained as well, also to no effect. At the very least,
>I'd like to have news.admin.net-abuse.sightings remain uncited in their
>reports.

The reason that I post to nanas is to make the spam public. I want it
cited to the responsible party as much as possible.

Seth

Seth

unread,
Aug 8, 2007, 6:08:05 PM8/8/07
to
In article <1186544088.2...@g12g2000prg.googlegroups.com>,

Larry M. Smith <SgtC...@gmail.com> wrote:

>I have no idea now you would intend to use APEWS as an advisory, but
>as for scoring, you can not fix a broken DNSBL by simply scoring it.

It is quite possible that a DNSBL is worthless for blocking purposes
(too many false positives), but quite useful for scoring: when
including it in scoring, the number of true positives increases, and
the number of false positives doesn't (or even drops). That's clearly
possible if I define the DNSBL retroactively (base it on my corpus and
its existing scores in order to prove my point), therefore it's
possible for a DNSBL defined some other way.

Seth

Tim Skirvin

unread,
Aug 8, 2007, 7:57:12 PM8/8/07
to
se...@panix.com (Seth) writes:

>> I've complained as well, also to no effect. At the very least,
>> I'd like to have news.admin.net-abuse.sightings remain uncited in their
>> reports.

> The reason that I post to nanas is to make the spam public. I want it
> cited to the responsible party as much as possible.

Well, fine, do that, but don't just say "you were cited in NANAS
so you're a spammer" - or, if you *do* have to do that, at least point at
the Message-IDs. And make sure you reiterate the disclaimer - the
moderator(s) haven't vetted the submissions, so please don't contact them
(me) if you have any problems.

- Tim Skirvin (tski...@killfile.org)
Moderator, much of news.admin.net-abuse.*
--
http://www.killfile.org/~tskirvin/nana/ news.admin.net-abuse.*
http://www.killfile.org/donations.html killfile.org donations

--

Matthias Leisi

unread,
Aug 9, 2007, 7:19:33 AM8/9/07
to
Tim Skirvin wrote:

> se...@panix.com (Seth) writes:
>
>> The reason that I post to nanas is to make the spam public. I want it
>> cited to the responsible party as much as possible.
>
> Well, fine, do that, but don't just say "you were cited in NANAS
> so you're a spammer" - or, if you *do* have to do that, at least point at
> the Message-IDs. And make sure you reiterate the disclaimer - the

I'll have to second Seth on that. NANAS is a valuable resource in order
to verify submissions to dnswl.org, although the postings have to be
taken with at least two grains of salt.

Most hits are due to faked From: or Received: lines which have no value,
but those that *do* point to the real source are helpful. However, it's
sometimes difficult to differentiate between fake and real, since the
reader can not know the poster's setup.

It would hence be nice if the posters put some sort of summary at the
top of their NANAS postings, citing the IP address and hostname of the
source and possibly spamvertized websites, nameservers etc.

I don't need it in a machine-parseable format, but others may, so a
unified format may make sense.

-- Matthias

--
http://www.dnswl.org/ - Protect against false positives

Detox

unread,
Aug 9, 2007, 11:59:31 AM8/9/07
to
On Aug 9, 7:19 am, Matthias Leisi <matth...@leisi.net> wrote:
> Tim Skirvin wrote:
> > se...@panix.com (Seth) writes:
>
> >> The reason that I post to nanas is to make the spam public. I want it
> >> cited to the responsible party as much as possible.
>
> > Well, fine, do that, but don't just say "you were cited in NANAS
> > so you're a spammer" - or, if you *do* have to do that, at least point at
> > the Message-IDs. And make sure you reiterate the disclaimer - the
>
> I'll have to second Seth on that. NANAS is a valuable resource in order
> to verify submissions to dnswl.org, although the postings have to be
> taken with at least two grains of salt.
>
> Most hits are due to faked From: or Received: lines which have no value,
> but those that *do* point to the real source are helpful. However, it's
> sometimes difficult to differentiate between fake and real, since the
> reader can not know the poster's setup.
>
> It would hence be nice if the posters put some sort of summary at the
> top of their NANAS postings, citing the IP address and hostname of the
> source and possibly spamvertized websites, nameservers etc.

This is an interesting format...at least it seems to do what you want
are asking for:

http://tinyurl.com/2zwnxr

Regards,
Detox

Andrzej Adam Filip

unread,
Aug 9, 2007, 1:17:50 PM8/9/07
to
Andrew - Supernews <andrew...@supernews.net> writes:
>[...]

> Real spamfighters know how to tell the difference between clean and
> dirty networks.

The evidence is always `incomplete' and frequently `inconclusive'.

Anyway I share your opinion that justification of listing big nets
should not be so incredibly brief/laconic if anyone wants to be taken
seriously.

About 40% listed: I would be ready to use (somehow) even a list listing
half of Internet with good and detailed justification :-)

*The combination* of big coverage and too brief/laconic justifications
is deadly (IMHO).

> [...]

--
[pl>en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Homesite of Andrzej Filip http://anfi.homeunix.net/
http://anfi.homeunix.org/spamcop-top200/2007/2007-08-09.html
http://anfi.homeunix.org/spamcop-top200/last/latest.html

Seth

unread,
Aug 9, 2007, 4:55:36 PM8/9/07
to
In article <tskirvin.20070809003924$33...@cairo.ks.uiuc.edu>,

Tim Skirvin <tski...@killfile.org> wrote:
>se...@panix.com (Seth) writes:
>
>>> I've complained as well, also to no effect. At the very least,
>>> I'd like to have news.admin.net-abuse.sightings remain uncited in their
>>> reports.
>
>> The reason that I post to nanas is to make the spam public. I want it
>> cited to the responsible party as much as possible.
>
> Well, fine, do that, but don't just say "you were cited in NANAS
>so you're a spammer" - or, if you *do* have to do that, at least point at
>the Message-IDs.

I see the issue: sure, the citations should be _specific_. Merely
saying "grepping NANAS for you wasn't empty therefore . . ." is rather
meaningless. It also isn't citing my (or any specific) articles.
Saying "These 10 articles in NANAS show spam emanating from your
network this week" is useful.

Seth

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 9, 2007, 8:08:17 PM8/9/07
to
Andrzej Adam Filip wrote:
> About 40% listed: I would be ready to use (somehow) even
> a list listing half of Internet with good and detailed
> justification :-)

Well, if it was a list of all IPs, that were not running
ISP authorized mail servers (either ISP provided,
or AUP permitted on CIDR SWIPs or enduser static IPs),
it seems likely almost everyone might be interested in
using it, no matter what the % of assigned IPs that
should not be sending messages is.

When the Spamhaus PBL gets close to listing all IPs
that should not be sending messages, what % of the
internet will it likely cover?

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Shmuel (Seymour J.) Metz

unread,
Aug 10, 2007, 10:00:23 AM8/10/07
to
In <46b750b1$0$3157$ae4e...@news.nationwide.net>, on 08/06/2007
at 04:17 PM, "Larry M. Smith" <SgtChains-...@FahQ2.com>
said:

>People *like* email a heck of a lot more than they hate spam.
>Because if they didn't, they would simply abandon email.

Some *have* completely abandoned e-mail.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

Just Another UBE Reporter

unread,
Aug 10, 2007, 10:09:19 AM8/10/07
to
Detox <deto...@hotmail.com> wrote in
news:1186678406.6...@x40g2000prg.googlegroups.com:
> This is an interesting format...at least it seems to do what you want
> are asking for:
>
> http://tinyurl.com/2zwnxr
>
> Regards,
> Detox
>

When I first started posting spam to NANAS in 2004, the charter I had
found at the time indicated the following headers should be present (with
the body of the spam appearing at the end after a line consisting of -
and a space):

Abuse-spotted-in:
Abuse-Subject:
Type-of-abuse:
Description:

I have since abandoned this format since its not required by the robo-
moderator, but perhaps I could start doing it again.

--
Not a sysadmin, but an end user who dislikes spam.
.htaccess is my friend.

Shmuel (Seymour J.) Metz

unread,
Aug 12, 2007, 7:17:05 PM8/12/07
to
In <5hvuo8F...@mid.individual.net>, on 08/09/2007

at 11:19 AM, Matthias Leisi <matt...@leisi.net> said:

>I don't need it in a machine-parseable format, but others may, so a
>unified format may make sense.

The obvious candidate is ARF, built on top of RFC 3462:

The Multipart/Report Content Type
for the Reporting of
Mail System Administrative Messages

I'd like to see more structure, but it's a start.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

Reply all
Reply to author
Forward
0 new messages