SPEWS is a lightning rod for much controversy the world over, both for its anonymous, untraceable, impossible to contact nature, and for its complete lack of tact or even tolerance in dealing with collateral damage.
The standard SPEWS response to a person who claims (or is known) to not be sending spam but whose site is hosted by a provider that's blacklisted is "switch to another provider" followed by silence if the person just goes away, or a spectacular flamewar if he dares question news.admin.net-abuse.email further.
This delightfully tacky method of operation results in an organization that has several effects, positive and negative, on the internet community as a whole:
- SPEWS is not popular or well regarded among spammers. Oh darn. This is an intended effect; get listed in SPEWS for spamming, and until you switch netblocks (not always easy), your spam isn't delivered to a sizeable chunk of the internet.
- SPEWS is quite unpopular with ISPs, good and bad. Yes, total anonymity is usually a good thing, but complete inaccessibility is not appropriate for a group like this. For ISPs that willingly and knowingly host spammers, this is just fine. For ISPs that try to stop spammers, though, this is not acceptable. It's hard enough trying to stop spammers, but having to deal with overzealous anti-spam people on top of that is nearly impossible.
- Companies, big and small, tend to ignore SPEWS. Any kind of communication, apart from obsequious begging in nanae, will either be ignored or result in a flamewar. Even asking assistance of the group, in the polite form of "One of our servers is listed in SPEWS; since noticing this I've patched sendmail to the newest release, and plugged the potential open relay. Could somebody please re-test it to verify it's not an open relay anymore and unlist it?" will bring nothing but insulting comments from the SPEWS elite. When reasonable communication with a spam-fighting group is impossible, a company's most likely response is to ignore said group completely, neither using its blacklist nor responding to its demands.
- Some spam probably gets blocked, too. Lest we forget SPEWS' purpose, yes, it probably does stop some spam. Honestly, I doubt it stops huge amounts of the stuff -- spammers tend to mail in bursts; SPEWS may stop a burst, but the spammer will just move on.
SPEWS will undoubtedly continue its efforts until one of two things happens -- either spam will be conquered on the internet, or SPEWS' members will collectively get sick of/be stopped from running it any longer. The SPEWS membership is clearly rabid, and as such I do not believe they'll ever just "give up" (and I certainly hope they never do). There are reasons, though, why SPEWS will some day be stopped:
- SPEWS' anonymity isn't guaranteed. Yes, we've all heard SPEWS brag about how its members are anonymous and how it can't be sued. Daring to speak the words "you can't sue me!" in this world stems from the kind of arrogance that most later regret having. Sure -- right now, nobody's ever successfully sued SPEWS, partly because it's hard to figure out who's behind the curtain making the big scary wizard projection work. This will not (and can not) last forever. To use SPEWS' lists, one must know where to obtain them. The DNS servers in use are well-known. Sure, the name can be moved from address to address pretty easily, and the domain name can technically be registered with false information, but someone (a company, a group, or an individual) owns the real box that answers SPEWS lookup requests, and some actual person owns the domain involved. Annoy a big enough company, and eventually SPEWS will go the way of the dodo, because:
- SPEWS' approach works both ways. SPEWS' main method of operation is to blacklist known spammers and their netblocks, both to stop the specific instance of spam from reaching its users, and to induce innocent victims (affectionately called collateral damage) of this blacklisting to pressure their providers into compliance by complaining, or by switching to another, not-blacklisted provider. This might work, or it might not. It will surely work against SPEWS when a company with deep pockets and lots of lawyers decides to use the same trick -- make it painful to host the SPEWS blacklists via lawsuits, denial-of-service attacks, or by convincing an uplink provider to unplug it. Providers tend not to like "lightning rods", and don't need much pressure to take them offline. It's entirely plausible to sue a company for using the SPEWS list, too. Sure, it's your machine, and you can make it use whatever lists you want, but it's your responsibility to deal with the consequences. The angered company may never even find the individuals responsible for SPEWS, but by making it impossible to keep the lists online for an extended period of time, the attacker will quickly render SPEWS useless. Even if this approach takes awhile, other attacks will be equally effective -- education/propaganda in the form of "don't use SPEWS to filter your mail!" (companies aren't islands; they talk to each other), internal policies like "administrators shall not use SPEWS to filter mail, offenders will be disciplined", and so on. Yes, I've seen, firsthand, two companies make this decision. They're still in business.
- The "hey, it's free speech, man!" argument will not hold up in court, at least not for very long. First, it's only even remotely valid in countries like the United States of America where a core government document or tenet actually provides a "freedom of speech" concept to its citizens. The USA's first amendment does this, for example. However, SPEWS members have long bragged that they're widely distributed, implying this is a global, not national, effort. Good luck to the SPEWS member who's actually found out and lives in business-friendly countries where libel and slander are easier to prove and more harshly punished than in the US. Even in the US, a court is unlikely to be friendly to SPEWS given its hardline attitude and behavior, and it will quickly grow tired of first amendment arguments. Free speech arguments have always centered around "where do we draw the line?" It is generally held that hate speech, shouting "fire" in a crowded theater, and other abusive forms of speech are not protected. Because SPEWS doesn't just list spammers (but also lists larger address blocks assigned to ISPs, who are frequently willing to cooperate to be removed from a list), it exposes itself to lots of good arguments that its "speech" isn't protected. Besides, if SPEWS ever does successfully test its free-speech argument in court, SPEWS-unfriendly ISPs can make the same arguments (successfully) to say "hey, our choosing not to route packets to and from SPEWS' blacklist is protected free speech!"
- SPEWS' hardline approach angers people who don't actually deserve to be on the blacklist. The standard "don't want to be listed? Not spamming? Switch providers!" answer isn't feasible for everyone. Sure, the average joe may be able to switch dialup providers quickly, but keep in mind this isn't free -- there may be an activation fee involved, and the user gets to make all sorts of configuration changes and gets to tell everyone s/he knows about the new e-mail address. For someone hosting a popular website that gobbles up lots of bandwidth, merely "switching providers" can mean breaking a contract, finding a new provider, and handling a time-consuming migration. These are officially not cheap prospects, particularly when signing a one or two year commitment with a provider is needed to get decent rates on bandwidth. Guess those sites don't matter; killing spam is all-consuming, all-important, eh? The animosity created by this hardline attitude doesn't just vanish, and not everybody affected by SPEWS negatively are (or will remain) powerless to respond.
It probably sounds like I'm not a fan of SPEWS; admittedly, I'm not. I've worked for companies (not spamhauses) victimized by the group and while getting listed is easy, getting de-listed is a real pain in the ass.
I do appreciate what SPEWS tries to do; but not the way SPEWS goes about actually doing it. Spam is evil and nasty, but self-destructing isn't the right way to stop it. SPEWS is essentially a glorified mail filter with an anonymous group behind the scenes plugging in values. Unfortunately, for a mail filter, it's got a very high rate of false positives. And unlike any other mail filter, trying to "adjust" SPEWS' list involves either kissing ass or tolerating abuse from a group of people very much in need of some ego deflation.
In the war on spam, there are extremists, and more level-headed people in the middle. Spammers, who actually have the balls to stand up in public and argue loudly for their right to spam, sit firmly on one end of the extreme. SPEWS, who actually have the nerve to shoot off the internet's feet to stop spam, are planted firmly at the other end.
The view from the sidelines should be spectacular.
Thanks to arieh for pointing out SPEWS does not actively scan and list open relays. That's done by open relay blacklisting services, not by SPEWS.