A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams


May 10, 2005

More on the Telewest blacklisting

The mainstream media, led by the BBC, have taken an interest in the Spews blacklisting of Telewest's Blueyonder broadband service.

Unfortunately, these reports universally fail to note that Blueyonder's mail servers are NOT among the nearly one million IP addresses on the Spews blacklist. As a result, there should be little practical impact on Blueyonder users' ability to send and receive email using the service.

In other words, the only collateral damage from this blockade is the negative PR for Telewest's zombie problem.

The IPs listed by Spews are assigned to client systems and would only be affected if the machines attempted to send out email through mailservers outside Blueyonder that were using the Spews blacklist. (Typical zombie behavior.)

If Blueyonder wanted to take control of the situation (and get itself off Spews), it could simply begin blocking outbound port 25.

We mentioned this fact in our own report on the issue last week. But it's a point worth repeating, since many people tend to get hysterical about blacklists and Spews in particular.

Posted by brian at May 10, 2005 10:18 AM

Comments

The assertion that the SPEWS blacklist only traps email sent from Telewest users who are using remote mail servers seems false to me.

My father uses Telewest as his ISP and I find his email gets flagged as spam by Spampal because of the SPEWS listing. He is not using any external mail server as far as I can tell... but the service he has goes under the name "blueyonder"... so I suspect that that is why he is caught. (I think it is one of those deals where his original ISP was cableinet and then became blueyonder and is operated by telewest: http://www.blueyonder.co.uk/blueyonder/getContent.jspx?page=aboutus)

Here is an example of the headers from a mail from him - I replaced some strings with "xxxx" to partially anonymize it:

From - Thu Jun 09 04:42:31 2005
X-UIDL: _nu.2xtpCB.mta05.mx
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Envelope-From: xxxx@blueyonder.co.uk
Received: from smtp-out5.blueyonder.co.uk (smtp-out5.blueyonder.co.uk [195.188.213.8])
by mta05.mx.cix.co.uk (8.13.4/CIX/8.13.4) with ESMTP id j58BsTbp002978
for ; Wed, 8 Jun 2005 12:54:29 +0100
Received: from [192.168.123.103] ([82.40.180.51]) by smtp-out5.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 8 Jun 2005 12:55:09 +0100
Message-ID:
Date: Wed, 08 Jun 2005 12:53:23 +0100
From: XXXX
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xxxx@cix.co.uk
CC: xxxx@gol.com
Subject: **SPAM** Re: HSBC strike again
References:
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 08 Jun 2005 11:55:09.0926 (UTC) FILETIME=[EBB61860:01C56C20]
X-Envelope-To: xxxx@cixcouk.cix.co.uk
X-UIDL: _nu.2xtpCB.mta05.mx
X-Antivirus: AVG for E-mail 7.0.323 [267.6.4]
X-RegEx-Score: -149.4
X-RegEx: [-49.8] USER_AGENT_MOZILLA_UA User-Agent header indicates a non-spam MUA (Mozilla)
X-RegEx: [-49.8] REFERENCES Has a valid-looking References header
X-RegEx: [-49.8] IN_REP_TO Has a In-Reply-To header
X-RegEx: [0.0] X_ACCEPT_LANG Has a X-Accept-Language header
X-SpamPal: SPAM SPEWS 82.40.180.51

Posted by: O.Skelton at June 8, 2005 6:05 PM

Here's my understanding of what's happening. Your dad's IP address (82.40.180.51) is among the wide swath of Telewest IPs on the SPEWS blacklist. However, the mail server he uses (195.188.213.8) is not listed on SPEWS. (See http://www.spews.org/ask.cgi?x=195.188.213.8 )

As a zombie-fighting effort, this is as it should be. But for some reason, SpamPal, which apparently uses SPEWS data, isn't precise enough about how it parses the message headers.

Fortunately, SpamPal has a whitelist feature, so you can prevent your dad's messages from being binned. Anyway, thanks for pointing this out. /Brian

Posted by: Brian at June 8, 2005 9:34 PM
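The distinction discussed in the two comments above, as an added example (not part of the original post and not SpamPal's code): checking only the relay that handed the message to your own mail server versus checking every address in the Received chain. The LISTED set is a constructed stand-in for a DNSBL query, the function names are hypothetical, and the deep-scan behaviour is an assumption consistent with the X-SpamPal line in the quoted headers.

```python
import ipaddress
import re
from email import message_from_string

# Received chain from the headers quoted above (continuation lines re-indented,
# other headers trimmed). Newest hop is first, as in any stored message.
RAW = """\
Received: from smtp-out5.blueyonder.co.uk (smtp-out5.blueyonder.co.uk [195.188.213.8])
    by mta05.mx.cix.co.uk (8.13.4/CIX/8.13.4) with ESMTP id j58BsTbp002978;
    Wed, 8 Jun 2005 12:54:29 +0100
Received: from [192.168.123.103] ([82.40.180.51]) by smtp-out5.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.6713);
    Wed, 8 Jun 2005 12:55:09 +0100
Subject: Re: HSBC strike again

body
"""

# Constructed stand-in for a blacklist lookup: per the page, the client IP is
# listed and the Blueyonder mail server is not.
LISTED = {ipaddress.ip_address("82.40.180.51")}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Per Received header (newest first), the public IPs written in [brackets]."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        ips = []
        for text in BRACKETED_IP.findall(value):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. an octet above 255
            if ip.is_global:  # drops RFC 1918 literals such as 192.168.123.103
                ips.append(ip)
        hops.append(ips)
    return hops

def relay_only_hits(raw, listed):
    """Check only the host that connected to our own MX (topmost Received).
    That header is written by our server; lower ones are sender-supplied."""
    hops = received_ips(raw)
    return [ip for ip in hops[0] if ip in listed] if hops else []

def deep_scan_hits(raw, listed):
    """Check every address in every Received header."""
    return [ip for hop in received_ips(raw) for ip in hop if ip in listed]

if __name__ == "__main__":
    print("relay-only:", relay_only_hits(RAW, LISTED))
    print("deep scan: ", deep_scan_hits(RAW, LISTED))
```

With the relay-only check the message passes, because 195.188.213.8 is not listed; the deep scan flags it on the sender's dynamic client address even though the mail went out through the ISP's own server.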

Posted by: O.Skelton at June 9, 2005 10:32 AM

 
