Acronym: The Spam Prevention Early-Warning System.

In the late 1990s the proliferation of spam became epidemic. People found themselves unable to use their inboxes. Realtime blocklists were tried (such as MAPS), but were largely unsuccessful, partly because they had to go through a series of warnings and checks before they would list a spammer, by which time he may have sent millions of UBE around the world.

What was needed was a system that would list known spammers before they sent spam, and block new spammers in seconds.

Against this background SPEWS came about. First conceived in May 2000 and going public beta in July 2001, SPEWS is a realtime blocklist that published IP ranges of spammers. Using email filters such as procmail, it's possible to filter out any mail originating on the SPEWS list.

But SPEWS goes much further. The problem is not just the spammers themselves, but also the spamhausen that help them spam, and the bigger ISPs who allow them connectivity and freedom to ignore their AUPs.

If an ISP fails to act on spam, SPEWS will list parts of their internet presence; they have listed Class C networks and bigger. This has an impact on a lot of innocent people, and a small ISP downstream of a bigger, spam-friendly ISP may find itself totally blackholed for the action of another small ISP which is spam-friendly. But this is what SPEWS wants. The complaints of all these customers should make the big ISP sit up and notice, and nuke its spammers. This is what the anti-spam community calls "collateral damage".

A quick note: SPEWS is therefore not an open relay blocklist, nor a list of spammers, but rather a list of netblocks designed to both block spam and force the spammers off mainstream networks.

SPEWS is anonymous and uncontactable. Nobody knows how they build their lists. Though it's implied that the system is largely automated, there is some evidence that the maintainers - and there must be a few - do a lot of manual work too. The evidence files against each blocklisting are drawn from public sources.

If you want to speak to SPEWS, you can't; no phone, no email (not even an MX record on spews.org), and an address in Irkutsk, Russia. All inquiries are directed to news.admin.net-abuse.email or news.admin.net-abuse.blocklisting on Usenet, where politeness is everything. The locals don't take too kindly to the request:

Remove the following netblocks from SPEWS: xxx.xxx.xxx.xxx/24

etc. Try it, and watch the flames start coming in.

It's assumed that the SPEWS admins monitor nanae heavily. Certainly when an ISP really does boot their spammers, their listing can disappear in hours; I've seen it happen. However, a number of ISPs complain about out-of-date SPEWS listings.

There are often threats in nanae from people threatening to sue SPEWS for listing. They never do, for good reasons:

  • SPEWS only publishes a list, other people have to use it to block anything. It'd make more sense to try and sue the company actually doing the blocking.
  • SPEWS listing constitutes an opinion, protected by the USA's First Amendment.
  • There is no legal right to be able to send email.
  • Anyone can reject email or any connection for any reason they want, or no reason at all.
  • It's hard to sue an anonymous, secret, unregistered organisation with no assets.
  • The people threatening to sue are spammers, and spammers always lie.

SPEWS has 2 levels of listing; Level 1 is what most people block at, which at first targets individual IPs or infested /24s, but expands if nothing is done about the spammers. Level 2 listings are 'wait and see' status. It's possible to block at Level 2, but not recommended as it can cause too much collateral damage. There's also a Level 0 for former blocks that have been removed. It's impossible to block at level 0.

Of course, these blocklists are only effective if they are widely used. SPEWS listings tend to upset people, so the SPEWS list must be fairly widely used, mainly by medium and large corporations, and quangos probably. One estimate is that about 1/3 of the Internet uses the SPEWS blocklist, though I'm not sure how they measure this one.

The blocklist is distributed by Relays.Osirusoft.com, and myrealbox.com provides a free SPEWS-protected email/webmail service.

See also www.spews.org.
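The Level 1 / Level 2 / Level 0 scheme described above can be made concrete with a small receiving-side check. This is an added example, not SPEWS code or part of the original writeup: the `<level> <netblock>` line format, the function names and the sample netblocks (documentation address ranges) are all constructed, and it assumes that a site blocking at Level 2 also rejects Level 1 listings.

```python
import ipaddress

# Constructed sample data using documentation address ranges; the
# "<level> <netblock>" line format is hypothetical, not SPEWS's own.
SAMPLE_LIST = """\
1 203.0.113.5/32    # individual spamming host
2 203.0.113.0/24    # rest of the provider's block: 'wait and see'
1 192.0.2.0/24      # infested /24
0 198.51.100.0/24   # former listing, since removed
"""

def parse_listings(text):
    """Return a list of (level, network) tuples from the sample format."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        level, block = line.split()
        entries.append((int(level), ipaddress.ip_network(block)))
    return entries

def listing_level(ip, entries):
    """Strictest active level (1 before 2) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    levels = [lvl for lvl, net in entries if lvl > 0 and addr in net]
    return min(levels) if levels else None

def should_reject(ip, entries, block_at=1):
    """Decide whether a receiving site rejects mail from ip.

    Assumption: a site blocking at Level 2 also rejects Level 1 listings.
    Level 0 entries are history only and can never be used for blocking.
    """
    if block_at not in (1, 2):
        raise ValueError("block_at must be 1 or 2")
    level = listing_level(ip, entries)
    return level is not None and level <= block_at

if __name__ == "__main__":
    entries = parse_listings(SAMPLE_LIST)
    for ip in ("203.0.113.5", "203.0.113.77", "192.0.2.200", "198.51.100.9"):
        print(ip, listing_level(ip, entries),
              should_reject(ip, entries, 1), should_reject(ip, entries, 2))
```

The neighbour at 203.0.113.77 sends no spam in this sample, yet a site blocking at Level 2 rejects it: that is the collateral damage the text describes.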

SPEWS is a lightning rod for much controversy the world over, both for its anonymous, untraceable, impossible to contact nature, and for its complete lack of tact or even tolerance in dealing with collateral damage.

The standard SPEWS response to a person who claims (or is known) to not be sending spam but whose site is hosted by a provider that's blacklisted is "switch to another provider" followed by silence if the person just goes away, or a spectacular flamewar if he dares question news.admin.net-abuse.email further.

This delightfully tacky method of operation results in an organization that has several effects, positive and negative, on the internet community as a whole:

  1. SPEWS is not popular or well regarded among spammers. Oh darn. This is an intended effect; get listed in SPEWS for spamming, and until you switch netblocks (not always easy), your spam isn't delivered to a sizeable chunk of the internet.
  2. SPEWS is quite unpopular with ISPs, good and bad. Yes, total anonymity is usually a good thing, but complete inaccessibility is not appropriate for a group like this. For ISPs that willingly and knowingly host spammers, this is just fine. For ISPs that try to stop spammers, though, this is not acceptable. It's hard enough trying to stop spammers, but having to deal with overzealous anti-spam people on top of that is nearly impossible.
  3. Companies, big and small, tend to ignore SPEWS. Any kind of communication, apart from obsequious begging in nanae, will either be ignored or result in a flamewar. Even asking assistance of the group, in the polite form of "One of our servers is listed in SPEWS; since noticing this I've patched sendmail to the newest release, and plugged the potential open relay. Could somebody please re-test it to verify it's not an open relay anymore and unlist it?" will bring nothing but insulting comments from the SPEWS elite. When reasonable communication with a spam-fighting group is impossible, a company's most likely response is to ignore said group completely, neither using its blacklist nor responding to its demands.
  4. Some spam probably gets blocked, too. Lest we forget SPEWS' purpose, yes, it probably does stop some spam. Honestly, I doubt it stops huge amounts of the stuff -- spammers tend to mail in bursts; SPEWS may stop a burst, but the spammer will just move on.

SPEWS will undoubtedly continue its efforts until one of two things happens -- either spam will be conquered on the internet, or SPEWS' members will collectively get sick of/be stopped from running it any longer. The SPEWS membership is clearly rabid, and as such I do not believe they'll ever just "give up" (and I certainly hope they never do). There are reasons, though, why SPEWS will some day be stopped:

  1. SPEWS' anonymity isn't guaranteed. Yes, we've all heard SPEWS brag about how its members are anonymous and how it can't be sued. Daring to speak the words "you can't sue me!" in this world stems from the kind of arrogance that most later regret having. Sure -- right now, nobody's ever successfully sued SPEWS, partly because it's hard to figure out who's behind the curtain making the big scary wizard projection work. This will not (and can not) last forever. To use SPEWS' lists, one must know where to obtain them. The DNS servers in use are well-known. Sure, the name can be moved from address to address pretty easily, and the domain name can technically be registered with false information, but someone (a company, a group, or an individual) owns the real box that answers SPEWS lookup requests, and some actual person owns the domain involved. Annoy a big enough company, and eventually SPEWS will go the way of the dodo, because:
  2. SPEWS' approach works both ways. SPEWS' main method of operation is to blacklist known spammers and their netblocks, both to stop the specific instance of spam from reaching its users, and to induce innocent victims (affectionately called collateral damage) of this blacklisting to pressure their providers into compliance by complaining, or by switching to another, not-blacklisted provider. This might work, or it might not. It will surely work against SPEWS when a company with deep pockets and lots of lawyers decides to use the same trick -- make it painful to host the SPEWS blacklists via lawsuits, denial-of-service attacks, or by convincing an uplink provider to unplug it. Providers tend not to like "lightning rods", and don't need much pressure to take them offline. It's entirely plausible to sue a company for using the SPEWS list, too. Sure, it's your machine, and you can make it use whatever lists you want, but it's your responsibility to deal with the consequences. The angered company may never even find the individuals responsible for SPEWS, but by making it impossible to keep the lists online for an extended period of time, the attacker will quickly render SPEWS useless. Even if this approach takes a while, other attacks will be equally effective -- education/propaganda in the form of "don't use SPEWS to filter your mail!" (companies aren't islands; they talk to each other), internal policies like "administrators shall not use SPEWS to filter mail, offenders will be disciplined", and so on. Yes, I've seen, firsthand, two companies make this decision. They're still in business.
  3. The "hey, it's free speech, man!" argument will not hold up in court, at least not for very long. First, it's only even remotely valid in countries like the United States of America where a core government document or tenet actually provides a "freedom of speech" concept to its citizens. The USA's first amendment does this, for example. However, SPEWS members have long bragged that they're widely distributed, implying this is a global, not national, effort. Good luck to the SPEWS member who's actually found out and lives in business-friendly countries where libel and slander are easier to prove and more harshly punished than in the US. Even in the US, a court is unlikely to be friendly to SPEWS given its hardline attitude and behavior, and it will quickly grow tired of first amendment arguments. Free speech arguments have always centered around "where do we draw the line?" It is generally held that hate speech, shouting "fire" in a crowded theater, and other abusive forms of speech are not protected. Because SPEWS doesn't just list spammers (but also lists larger address blocks assigned to ISPs, who are frequently willing to cooperate to be removed from a list), it exposes itself to lots of good arguments that its "speech" isn't protected. Besides, if SPEWS ever does successfully test its free-speech argument in court, SPEWS-unfriendly ISPs can make the same arguments (successfully) to say "hey, our choosing not to route packets to and from SPEWS' blacklist is protected free speech!"
  4. SPEWS' hardline approach angers people who don't actually deserve to be on the blacklist. The standard "don't want to be listed? Not spamming? Switch providers!" answer isn't feasible for everyone. Sure, the average joe may be able to switch dialup providers quickly, but keep in mind this isn't free -- there may be an activation fee involved, and the user gets to make all sorts of configuration changes and gets to tell everyone s/he knows about the new e-mail address. For someone hosting a popular website that gobbles up lots of bandwidth, merely "switching providers" can mean breaking a contract, finding a new provider, and handling a time-consuming migration. These are officially not cheap prospects, particularly when signing a one or two year commitment with a provider is needed to get decent rates on bandwidth. Guess those sites don't matter; killing spam is all-consuming, all-important, eh? The animosity created by this hardline attitude doesn't just vanish, and not everybody affected by SPEWS negatively is (or will remain) powerless to respond.

It probably sounds like I'm not a fan of SPEWS; admittedly, I'm not. I've worked for companies (not spamhauses) victimized by the group and while getting listed is easy, getting de-listed is a real pain in the ass.

I do appreciate what SPEWS tries to do; but not the way SPEWS goes about actually doing it. Spam is evil and nasty, but self-destructing isn't the right way to stop it. SPEWS is essentially a glorified mail filter with an anonymous group behind the scenes plugging in values. Unfortunately, for a mail filter, it's got a very high rate of false positives. And unlike any other mail filter, trying to "adjust" SPEWS' list involves either kissing ass or tolerating abuse from a group of people very much in need of some ego deflation.

In the war on spam, there are extremists, and more level-headed people in the middle. Spammers, who actually have the balls to stand up in public and argue loudly for their right to spam, sit firmly on one end of the extreme. SPEWS, who actually have the nerve to shoot off the internet's feet to stop spam, are planted firmly at the other end.

The view from the sidelines should be spectacular.

Thanks to arieh for pointing out SPEWS does not actively scan and list open relays. That's done by open relay blacklisting services, not by SPEWS.
