Spam Prevention Early Warning System
Encyclopedia
The Spam Prevention Early Warning System (SPEWS) was an anonymous service which maintained a list of IP address
ranges belonging to Internet service provider
s (ISPs) which host spammers and show little action to prevent their abuse of other networks' resources. It could be used by Internet sites, as an additional source of information about the senders of unsolicited bulk email, better known as spam
.
SPEWS is no longer active. A successor, the Anonymous Postmaster Early Warning System (APEWS), appeared in January 2007.
containing its listings, and operated a database
where users could query the reasons for a listing. Users of SPEWS could reprocess these data into formats usable by software for anti-spam techniques.
For instance, many mail sites used the SPEWS data provided at spews.relays.osirusoft.com. All DNSBL
s hosted by Osirusoft were shut down on August 27, 2003 after several weeks of denial of service attacks. A number of other mirrors
existed based on the SPEWS data, which remained accessible to the public. SORBS
, for example, provided a mirror of SPEWS data until early 2007.
There was a certain degree of controversy regarding SPEWS' anonymity and its methods. By remaining anonymous, the SPEWS admins presumably wanted to avoid harassment and lawsuits of the sort which have hampered other anti-spam services such as the MAPS RBL and ORBS.
Some ISP clients whose providers were listed on SPEWS took umbrage that their own IP addresses were associated with spamming, and that their mail might be blocked by users of the SPEWS data. Sometimes, the only solution was to leave the blacklisted provider, as there was no way for either the customer or the provider to contact SPEWS.
The SPEWS database has not been updated since August 24, 2006; dnsbl.com lists its status as dead. Since SPEWS became inactive, the Anonymous Postmaster Early Warning System (APEWS) has taken its place, using similar listing criteria and a nearly identical web page.
SPEWS seemed to collect some information from honeypot
s—mail servers or single email addresses to which no legitimate mail is received. These may be dummy addresses which have never sent any email (and therefore could not have requested to be subscribed to any legitimate mailing list). They may also be placed as bait in the header
of a Usenet
post or on a Web page, where a spammer might discover them and choose to spam them.
The SPEWS Web site makes clear that when spam was received, the operators filed a complaint with the ISP or other site responsible for the spam source. Only if the spam continued after this complaint was the source listed. However, SPEWS is anonymous—when these complaints were sent, they are not marked as being from SPEWS, and the site was not told that ignoring the complaint would result in a listing. This had the effect of determining the ISP's response to a normal user's spam complaint, and also discouraged listwashing—continuing to spam, but with the complaining address removed from the target list.
If the spam did not stop over time, SPEWS increased the size of the address range listed through a process referred to as "escalation". This process was repeated, conceivably until the entire netblock owned by the offending service provider was listed or the block is large enough that the service provider is encouraged to take action by the complaints of its paying customers.
service to a domain mentioned in a piece of e-mail spam
, even if the messages weren't sent from said provider's mail servers.
of the Internet.
Supporters of SPEWS often point to the claim that SPEWS "blocks" email from sites as a misconception. A SPEWS listing only causes mail to be refused if the recipient of the email (or their ISP) chooses to block based on the SPEWS IP list.
This counter argument has been criticized on the grounds that SPEWS is spreading information in a way conducive for blocking and in the knowledge that people are using it to block. According to this criticism, SPEWS should then be considered partly responsible for any blocking that happens and can be legitimately blamed if the blocking is inappropriate. In this view, the claims that lists such as SPEWS are advisory and that SPEWS itself does not block are seen as attempts to evade responsibility for SPEWS's own actions.
It is believed that the operators read certain Usenet
newsgroups related to spam and email abuse. However, no poster has claimed to be a SPEWS operator and no regular of the newsgroups claims to know their identity. By the accounts of many of those regulars, SPEWS can detect automatically when such support stops, but this was not supported by any information in the SPEWS FAQ.
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
ranges belonging to Internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s (ISPs) which host spammers and show little action to prevent their abuse of other networks' resources. It could be used by Internet sites, as an additional source of information about the senders of unsolicited bulk email, better known as spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
.
SPEWS is no longer active. A successor, the Anonymous Postmaster Early Warning System (APEWS), appeared in January 2007.
Overview
SPEWS itself published a large text fileText file
A text file is a kind of computer file that is structured as a sequence of lines of electronic text. A text file exists within a computer file system...
containing its listings, and operated a database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
where users could query the reasons for a listing. Users of SPEWS could reprocess these data into formats usable by software for anti-spam techniques.
For instance, many mail sites used the SPEWS data provided at spews.relays.osirusoft.com. All DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s hosted by Osirusoft were shut down on August 27, 2003 after several weeks of denial of service attacks. A number of other mirrors
Mirror (computing)
In computing, a mirror is an exact copy of a data set. On the Internet, a mirror site is an exact copy of another Internet site.Mirror sites are most commonly used to provide multiple sources of the same information, and are of particular value as a way of providing reliable access to large downloads...
existed based on the SPEWS data, which remained accessible to the public. SORBS
Sorbs
Sorbs are a Western Slavic people of Central Europe living predominantly in Lusatia, a region on the territory of Germany and Poland. In Germany they live in the states of Brandenburg and Saxony. They speak the Sorbian languages - closely related to Polish and Czech - officially recognized and...
, for example, provided a mirror of SPEWS data until early 2007.
There was a certain degree of controversy regarding SPEWS' anonymity and its methods. By remaining anonymous, the SPEWS admins presumably wanted to avoid harassment and lawsuits of the sort which have hampered other anti-spam services such as the MAPS RBL and ORBS.
Some ISP clients whose providers were listed on SPEWS took umbrage that their own IP addresses were associated with spamming, and that their mail might be blocked by users of the SPEWS data. Sometimes, the only solution was to leave the blacklisted provider, as there was no way for either the customer or the provider to contact SPEWS.
The SPEWS database has not been updated since August 24, 2006; dnsbl.com lists its status as dead. Since SPEWS became inactive, the Anonymous Postmaster Early Warning System (APEWS) has taken its place, using similar listing criteria and a nearly identical web page.
Process
The precise process by which SPEWS gathered data about spam sources is unknown to the public, and it is likely that its operators used multiple techniques.SPEWS seemed to collect some information from honeypot
Honeypot
Honeypot or honeytrap may refer to:* A pot used to store honey* Espionage recruitment involving sexual seduction in** reality** fiction* A type of sting operation such as a** Bait car...
s—mail servers or single email addresses to which no legitimate mail is received. These may be dummy addresses which have never sent any email (and therefore could not have requested to be subscribed to any legitimate mailing list). They may also be placed as bait in the header
Header
Header may refer to: Computers and engineering* Header , supplemental data at the beginning of a data block** E-mail header** HTTP header* Header file, a text file used in computer programming...
of a Usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...
post or on a Web page, where a spammer might discover them and choose to spam them.
The SPEWS Web site makes clear that when spam was received, the operators filed a complaint with the ISP or other site responsible for the spam source. Only if the spam continued after this complaint was the source listed. However, SPEWS is anonymous—when these complaints were sent, they are not marked as being from SPEWS, and the site was not told that ignoring the complaint would result in a listing. This had the effect of determining the ISP's response to a normal user's spam complaint, and also discouraged listwashing—continuing to spam, but with the complaining address removed from the target list.
If the spam did not stop over time, SPEWS increased the size of the address range listed through a process referred to as "escalation". This process was repeated, conceivably until the entire netblock owned by the offending service provider was listed or the block is large enough that the service provider is encouraged to take action by the complaints of its paying customers.
Criteria for listing
SPEWS criteria was based on "spam support"; That means that when a network operation provides any services to the identified spammers, the resources involved were listed. For instance, part of an ISP's network may have been listed in SPEWS for providing DNSDomain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
service to a domain mentioned in a piece of e-mail spam
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
, even if the messages weren't sent from said provider's mail servers.
Listing data or evidence files
IP addresses listed in SPEWS are mentioned in "evidence files". Those are plain text files which upon inspection appear edited by hand, where those IP addresses along with the technical evidence backing the listing, is depicted. The contents of those evidence files may seem rather cryptic to readers who are not intimately familiar with the technical jargonJargon
Jargon is terminology which is especially defined in relationship to a specific activity, profession, group, or event. The philosophe Condillac observed in 1782 that "Every science requires a special language because every science has its own ideas." As a rationalist member of the Enlightenment he...
of the Internet.
Criticism of SPEWS
No one knows how many service providers use the SPEWS list to reject mail.Contacting SPEWS
One common criticism is that there is no way to contact SPEWS. According to the SPEWS FAQ: "Q41: How does one contact SPEWS? A41: One does not..." Having no way to contact SPEWS is seen as a way for SPEWS to avoid having to deal with complaints—even if they are legitimate—and to be immune from many consequences of mistakes, bad policies, or other problems. This caused SPEWS itself to be listed on some other DNSBLs such as those maintained at rfc-ignorant.org.Criticism
SPEWS critics claim it blocks sites and does so for reasons they consider unfair. Critics argue that an ordinary customer of an ISP should not be held responsible for the actions of other customers of that ISP.Counter argument
Supporters respond that SPEWS is a list of ISPs with spam problems. It is the ISP that's listed, not the customers. This is often argued with an analogy of pizza delivery companies who will not deliver to high crime areas. It's a bad situation for someone "stuck" in a bad area, but supporters argue that this also provides encouragement for a good citizen to unstick themselves and move to an ISP without a spam problem. The bad ISP loses revenue and the good ISP gets more customers, further encouraging bad ISPs to clean up.Supporters of SPEWS often point to the claim that SPEWS "blocks" email from sites as a misconception. A SPEWS listing only causes mail to be refused if the recipient of the email (or their ISP) chooses to block based on the SPEWS IP list.
This counter argument has been criticized on the grounds that SPEWS is spreading information in a way conducive for blocking and in the knowledge that people are using it to block. According to this criticism, SPEWS should then be considered partly responsible for any blocking that happens and can be legitimately blamed if the blocking is inappropriate. In this view, the claims that lists such as SPEWS are advisory and that SPEWS itself does not block are seen as attempts to evade responsibility for SPEWS's own actions.
Delisting
According to the SPEWS FAQ, listings were removed when the spam or spam-support has stopped. Just as they did not solicit nominations for listings, the SPEWS operators did not solicit requests for delistings. There was no contact information published on the SPEWS Web site. There was no spews.org mail server, and the operators of SPEWS did not receive email under the SPEWS name.It is believed that the operators read certain Usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...
newsgroups related to spam and email abuse. However, no poster has claimed to be a SPEWS operator and no regular of the newsgroups claims to know their identity. By the accounts of many of those regulars, SPEWS can detect automatically when such support stops, but this was not supported by any information in the SPEWS FAQ.
External links
FAQ links
- First Post To NANAE Newsgroup
- Address munging FAQ
- List of terms found in NANAE
- Dave the Resurrector FAQ
(Sometimes posts mysteriously disappear from NANAE. The program Dave the ResurrectorDave the ResurrectorDave the Resurrector was a so-called "resurrector bot" that responded to any attempts at canceling a message on the usenet newsgroup news.admin.net-abuse by re-posting the message. It was written by Chris Lewis....
usually recovers these posts.)