Posted today on SPAM-L. A must read for folks who use MONKEYPROXIES.

Rick Rountree
Sr Network Admin
Dundee.Net

Date:         Sun, 3 Aug 2003 15:37:32 -0700
Sender:       Spam Prevention Discussion List <[EMAIL PROTECTED]>
From:         "Ronald F. Guilmette" <[EMAIL PROTECTED]>
Subject: BLOCK: ANNOUNCE:  Major Policy Change for the Monkeys.com UPL
X-To:         [EMAIL PROTECTED]
To:           [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [209.119.0.109]
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Total spam weight of this E-mail is 0.
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>

The listing policy and criteria for the Monkeys.Com Unsecured Proxies
List has been revised and updated.  The new listing policy may be
inspected here:

http://www.monkeys.com/upl/listing-policy.html

The major policy change now being adopted is that from now on, the
UPL will list both unsecured proxies, and also the IP address blocks
of Internet service providers (specifically web hosting companies, in
almost all cases) which have substantial and significant open proxy
hijacking activity that appears, based on data from my own extensive
open proxy honeypot network, to be originating from the IP address
blocks of the relevant provider(s).

(Please note that this policy change will actually take effect as of
Midnight, Pacific Daylight Time, Tuesday August 5th, 2003.)

As many of you may have noticed, I have in recent weeks been publish-
ing detailed ranking information regarding the specific /24 IP address
blocks that the data from my proxy honeypot network indicate are the
worst offenders with regards to open proxy hijacking.  The publication
of that information, along with my numerous e-mailed notifications to
the specific service providers associated with these "worst offender"
IP address blocks has already resulted in the termination of several
large-scale spammers and open proxy hijackers by their respective ser-
vice providers, together with a significant associated reduction in
proxy-hijack spam throughout the Internet.

In general, I have found that service providers (which are almost ex-
clusively web hosting companies in these cases) _are_ willing and able
to take effective action to terminate proxy hijacking from their net-
works, when and if they are informed of it.  But I have also found
numerous exceptions to that general rule, i.e. service providers that
completely refuse to take any action whatsoever (not even blocking
outbound connects to known abusable proxy ports) to stop the criminal
activity from their networks.  Based on these cases, it now appears
completely clear that many service providers lack any real motivation
whatsoever to end the practice of criminal proxy hijacking from their
respective networks.  For them, the hosting of criminal open proxy hi-
jackers has essentially NO downside whatsoever, and on the upside it
seems likely that such hosting arrangements can be VERY lucrative for
the service providers involved.  The present change to the UPL listing
criteria is designed to change this equation, and to provide at least
some motivation to service providers to take appropriate action, as
needed, to effectively address the problem of criminal conduct origina-
ting from their respective networks.  I fully and firmly believe that
in most of these cases, it will only take a gentle nudge (to be provided
by the UPL) in order to get the providers to Do The Right Thing with
respect to criminal open proxy hijacking.

Having said all that, I am most acutely aware of the fact that many
current and prospective users of the UPL will have legitimate concerns
about this significant policy change.  Many may worry that the current
100% objective listing criteria for the UPL may become subjective to
the point where ongoing use of the UPL becomes hard to defend or justify.
Many will certainly also worry that this change will necessarily mean
a significantly increased ``loss'' of legitimate incoming e-mail.  I
believe that all such concerns will in fact prove to be totally unfounded.
In fact, I sincerely believe that within just two weeks after the present
UPL policy change goes into effect, UPL users and others will actually
see an overall DECLINE in the numbers of incoming e-mails being rejected
due to any and all open proxy DNSbl lists being used at any given site,
and thus an overall REDUCTION in the probability that any specific e-mail
rejection may result in the ``loss'' of legitimate non-spam e-mail.

When discussing the delicate issue of the possible ``loss'' of legitimate
e-mail, it is important for current and future users of the UPL to fully
appreciate that even the use of the UPL as it stands today, and with its
current operating policies, may occasionally result in the bounce-back
(not really ``loss'') of some perfectly legitimate non-spam incoming
e-mails.  The trade-off between that possibility and the benefits of
avoiding the reception of large amounts of spam is one that users of
UPL, by and large, already appreciate and understand.  It should not
therefore require any large shift in thinking to understand that (a) even
with the present change of policy, the probability of rejecting any
legitimate non-spam e-mail will remain infinitesimally small, and also
that (b) the overall benefit, i.e. the resulting reduction in spam,
still makes it a good and sensible trade-off to continue using the
UPL, even with the new operating policies.

Having said that, I do nonetheless know that this policy change will
trouble many current UPL users, and that some will be concerned enough
to seriously consider dropping the UPL as part of their site's spam
defenses.  I implore all such UPL users to give the new operating
policies a fair trial, say for two weeks, before reaching any final
decision about whether to continue to use the UPL at your site.  I
think that you will be very glad that you did so, because the ultra
low complaint rate associated with your use of the UPL will STAY low,
even under the new policies, and yet you will start to receive a lot
less spam, in particular a lot less spam that's sent to you through
open proxies that haven't even been cataloged in the UPL yet, but that
ARE already known, and that ARE already being abused by the spammers.

The new UPL operating policies will, at long last, allow me to start
going after the real root of the open proxy spam problem, i.e. the
proxy hijackers themselves and their pink contracts with their
spam-friendly providers.  (There are actually only a handful of such
providers that are responsible for providing bandwidth for in excess
of 80% of all of the net's proxy-hijack spam at the present time.)

Once the service providers that are supporting the proxy hijackers
realize that hosting proxy hijackers is no longer a cost-free activity
for them... which I am sure they will all figure out within a matter of
two or three days after they have been listed on the UPL... then we will
surely see them dropping their criminal proxy-hijacking customers like
hot potatoes, and that will surely happen fast enough to make one's head
spin.  After that, of course, those providers will be very quickly re-
moved from the UPL, and life will quickly return to normal for all UPL
users, except for the fact that the proxy hijackers will no longer have
connectivity, and thus, they will be unable to plague and annoy any of
us further.

In short, although the addition to the UPL of listings for providers
that are knowingly hosting open proxy hijackers may at first be a bit
worrisome to some loyal long-term UPL users, I really do think that
the strategy I have in mind now for attacking the open proxy hijacking
problem will in fact work, work fast, and cause only at most an ex-
traordinarily small amount of collateral damage, and even then, only
for exceptionally brief periods of time, e.g. a few days, at most, in
each case.  I again urge you to stick with me, and give these new poli-
cies a fair trial, e.g. for two weeks at least.  If we stick together,
and work together, I am confident that we can make proxy-hijack spam
essentially a thing of the past in very short order.  All we must do,
in the final analysis, is to make our disapproval of this criminal
practice known, in clear and unambiguous terms, to the actual decision
makers at the relevant service provider companies.  I am confident that
the problem will completely disappear very soon thereafter.

One final note... If you haven't already seen any of my `Top 40' list
postings that show the companies that are hosting most of the net's
big-time proxy-hijacking spammers, then please look for those now.
Copies may be found in GoogleGroups in the news.admin.net-abuse.email
newsgroup archives.  If you look closely, you will note that with the
exception of Level3, essentially every company on these lists has been
a ``hosting provider'', i.e. a company whose primary business is pro-
viding web hosting and/or server collocation services, as opposed to
companies whose primary business is selling connectivity to end-users,
e.g. AOL, MSN, Earthlink, and so on.  In fact, with the exception of
the occasional listing of a /24 IP address block belonging to the
occasional broadband provider (e.g. Cox, attbb.com), there are NO
companies on my various Top 40 lists that are primarily in the business
of selling connectivity to large numbers of Internet end-users.  This
is actually very good news, in a sense, because it means that when some
of these hosting providers get some or all of their IP address space
added to the UPL, that should really have a minimal impact on UPL
user sites.  UPL user sites will NOT be cut off from receiving e-mail
from any actually sizable base of users... only from the dramatically
smaller sets of web site operators that are hosted by listed hosting
companies.  I should also mention that I'll only be adding the worst
60 /24 blocks to the UPL, based on daily tabulations of actual open
proxy hijacking activity.  In some difficult cases, escalation invol-
ving listings of other assets of the same company (e.g. the company's
corporate outgoing mail servers) may be undertaken, but I will work
to limit and reduce the collateral damage in all such cases to the
bare minimum necessary to send a clear message to the relevant provider.

Let's put an end to proxy hijack spam in our lifetimes.  Working
together, I believe that we can.
