SPAM - A Brief History of the War

It's in the news, it's talked about in techie circles, it's the focus of numerous software solutions, it's the new thing with mail client tools, and most of all, it's in your INBOX every day! It's SPAM, and I don't have to define it any further, as anyone with an email address that's been active for longer than 27 nanoseconds has been personally introduced to the concept. But SPAM is not what it used to be, and dealing with it at a server, client or legislative level must also adapt.

By Chris Picciotto December 18, 2003

The evolution of SPAM. In its early years, SPAM was just like any other form of telemarketing or mass-mail marketing. Earnestly try to contact anyone and everyone in the hope that some percentage (however minor) might bite, and you'd have a sale! That hit percentage did not have to be very high to make the whole endeavor worthwhile. Marketers quickly discovered, however, that the cost of sending out 100,000 e-mails was a tiny fraction of the cost of either mailing (postage and printing) or telemarketing (space, headcount, commissions etc.). That statistical model became quite compelling, as the effort was something very close to FREE! The invisible hand of capitalism, predictably, did its thing.

The world gets wiser. That invisible hand worked fast, and it took very little time for SPAM marketers to be sending out massive bulk e-mails. Soon, ISPs had to respond and began to stop the mass-mailing tactics, asking their customers not to use their services for such commercial activities. And indeed, it was still considered a commercial activity, although no ISP really wanted to host that sort of activity, and it was quickly written into acceptable use policies, giving the bandwidth providers some recourse to manage and monitor their customers.

Open relays. The invisible hand is powerful... and your ISP's polite request to cease and desist was certainly not enough incentive to stop a hugely profitable activity. But you could no longer legitimately send out massive lots of email without attracting the attention of your ISP. The internet was young, though, and mail relays, largely built on an internet of trust, were open. What is an open relay? In a nutshell, all mail is delivered around the internet by MTAs, or Mail Transfer Agents. These servers listen, per the SMTP protocol, on port 25 for two things. First, they listen for other servers connecting to them to deliver mail for a domain they handle. Second, they listen for clients connecting and asking them to deliver mail to some foreign address. The vast majority of MTAs did not distinguish between local customers and outsiders. The MTAs were designed to listen on port 25 and do their job, whether delivering or receiving, hopefully efficiently.

So now the SPAMMERS had a new way to send mail. Just use someone else's mail server! In fact, you could use all sorts of mail servers spread out all around the world! SPAM was alive and well, and had infinite ways to get delivered. Just find a list of mail servers, and use them as your sending server. Lists popped up, connecting was easy, spamming went on. But this was only round 1.....
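To make the relay distinction concrete, here is an added example (not code from the article) of the RCPT TO policy decision an MTA makes. The domain names, network ranges and the `open_relay` switch are constructed for illustration; the open-relay branch reproduces the behaviour described above, where the server accepts any recipient from any client, and the closed policy accepts outside connections only for its own domains.

```python
import ipaddress

# Constructed configuration for a hypothetical MTA (documentation ranges, not real hosts).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # the site's own LAN


def relay_decision(client_ip, rcpt_address, authenticated=False, open_relay=False):
    """Decide whether the MTA should accept an SMTP RCPT TO command.

    Returns a (verdict, reason) pair. With open_relay=True the function behaves
    like the early MTAs: every recipient is accepted regardless of who connects.
    """
    rcpt_domain = rcpt_address.rsplit("@", 1)[-1].lower()
    if open_relay:
        return "accept", "open relay: local and outside clients are not distinguished"

    # Inbound mail: the recipient is one of our own domains, so anyone may deliver it.
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept", "recipient domain is local"

    # Outbound mail: only our own users may use this server to reach other domains.
    addr = ipaddress.ip_address(client_ip)
    if authenticated:
        return "accept", "client authenticated (SMTP AUTH)"
    if any(addr in net for net in LOCAL_NETWORKS):
        return "accept", "client is on a local network"

    return "reject", "relaying denied"


if __name__ == "__main__":
    outsider, foreign = "203.0.113.5", "victim@other.example"
    print("open relay:  ", relay_decision(outsider, foreign, open_relay=True))
    print("closed relay:", relay_decision(outsider, foreign))
    print("inbound:     ", relay_decision(outsider, "user@example.com"))
```

The relaying check is the whole difference between an open and a closed relay: delivery for local domains stays open to the world because that is what receiving mail requires, while delivery to foreign domains is gated on who the client is.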

The birth of the blackhole list. Round 2 brought some interesting sparring. As easy as it was to list open servers, ostensibly for personal use and convenience, it would be just as easy to list them for the purpose of denying access to those servers! The idea was fairly radical for the time. The very first blacklist was called the RBL (for Real-time Blackhole List), created by Paul Vixie in 1997. Paul encouraged users of Sendmail, by far the most common MTA in use, to use the list to deny access to any servers listed on it. Soon after his creation, others began to develop similar ideas. The biggest was Alan Brown's Open Relay Behavior-modification System (ORBS). This list used automated testing of mail servers to determine if they were open. If they were, they were notified and listed, and anyone using the list would then refuse to talk to those servers. Of course, if they reformed and closed the relay, then they were de-listed. Quite a way to modify behavior!

The system fed itself. The more mail administrators used the system, the more reason there was for others to behave and close any open relays, for fear that the rest of the world might blackhole communications from them! And customers would certainly not be happy about that. But the whole idea and implementation was controversial, as several major providers (such as CompuServe) felt that it was appropriate to have open servers so that their customers could connect from other locations. There was also great debate around the validity of automated testing and subsequent blacklisting.

Although ORBS eventually fell under the pressure of lawsuits, the idea was born and many other services providing blacklists were developed, and even Sendmail itself soon supported the ability to natively check and deny access to any server listed in any particular blacklist. While the lawsuits and denial-of-service attacks against the list providers have continued, the lists are now well established as a valid means of blocking open mail servers. Even CompuServe closed its relays... Round 2 was over...

Spammers get creative, blacklists adapt. Now that relays were effectively closed, spammers had a problem. How to send out the mail? The first of two solutions the spammers came to was to use quick and free accounts from services like AOL and Yahoo. They would spam until they were closed down, then open up another one! This was fairly quickly dealt with by those (and other) services limiting, in some fashion, the number of emails that could be sent by one account. Certainly your average Mom and Pop account would not need to send many hundreds of emails an hour....

The other solution was to sign up with friendly ISPs, or even create your own! This worked pretty well, until the blacklists simply began listing those ISPs' entire IP ranges (to their immediate, loud and righteous protests). Legal battles ensued... notably against the MAPS RBL. And the lists began to pay real attention to the detail of their policies and to publish their clear legal standing. Similarly, for those that ran their own mail servers, those IPs simply got added as well.

Finally, the spammers resorted to other open systems. Open proxies were the most vulnerable, and spammers exploited those as much as possible. But the lists simply responded by listing those too. The doors were closing on the spammers... end of round 3...

Distributed spamming. The spammers seem to keep losing up to this point, but the referee has a long way to go before calling the fight. Too much prize money at stake! The spammers are now learning from the virus community. If they can, somehow, use virus-type tactics to install trojans onto home computers, then those computers can act as individual mail servers, usually without the owner even knowing! The only way to deal with this new onslaught is to blacklist all dynamically assigned IP addresses. Many ISPs have volunteered the IP ranges for customers of cable and DSL modems. These, theoretically, should never be sending mail directly to the internet, and so can legitimately be blocked. Others block outbound port 25 and automatically redirect it to their own servers, where they can manage and control the outgoing mail. Both work.... sort of... It is very difficult to know which IP ranges are home customers and which are legitimate businesses that can (and often should) run their own servers.

Content scanning. Finally, blacklisting only looks at the server that connects to you. What happens if you forward your mail from a legitimate mail address to another one you use? The connecting server will ALWAYS be the trusted server, but the original mail may be SPAM that was simply forwarded on by the other server. The whole idea of blacklisting breaks down. Today, many of us have multiple email addresses, and it is not uncommon to forward the others to one account to manage all incoming mail. Content scanning is one way to work with that mail.
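The three blacklisting mechanisms discussed above (a DNS-based blackhole list lookup, blocking volunteered dynamic customer ranges, and the forwarding problem where the connecting host is trusted but an earlier hop is not) can be seen together in the following added example. It is not code from the article or from any list operator: the zone name `bl.example`, its listings, the dynamic range and the sample message are all constructed, and `resolve_a` stands in for a real DNS query so the example runs offline. The Received-header walk goes beyond the text's description by checking every relay in the chain rather than only the connecting server.

```python
import ipaddress
import re

# Constructed DNSBL zone standing in for a real list. Real lists answer a query for
# <reversed-ip>.<zone> with an A record in 127.0.0.0/8 when the address is listed.
ZONE = "bl.example"
FAKE_LISTINGS = {
    "9.2.0.192.bl.example": "127.0.0.2",      # 192.0.2.9 listed (constructed)
    "77.100.51.198.bl.example": "127.0.0.2",  # 198.51.100.77 listed (constructed)
}

# Constructed dynamic (cable/DSL) customer range an ISP might volunteer.
DYNAMIC_RANGES = [ipaddress.ip_network("203.0.113.0/25")]


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: octets reversed, then the zone."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Stand-in resolver backed by the constructed zone. A real client would query
    DNS (for example socket.gethostbyname) and treat NXDOMAIN as 'not listed'."""
    return FAKE_LISTINGS.get(name)


def is_blacklisted(ip, zone=ZONE, resolver=resolve_a):
    answer = resolver(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def in_dynamic_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_RANGES)


# Matches the bracketed IP that MTAs record in each Received header.
RECEIVED_IP = re.compile(r"Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def relay_chain(raw_message):
    """Return the relay IPs found in Received headers, newest (closest to us) first."""
    headers = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # join folded continuation lines
    return RECEIVED_IP.findall(unfolded)


def judge_message(raw_message):
    """Check every hop, not only the host that connected to us: a forwarded message
    arrives from a trusted forwarder but may have originated on a listed relay."""
    hops = relay_chain(raw_message)
    for ip in hops:
        if is_blacklisted(ip):
            return "reject", f"{ip} listed in {ZONE}"
        if in_dynamic_range(ip):
            return "reject", f"{ip} is in a dynamic customer range"
    return "accept", f"{len(hops)} hop(s) clean"


# Constructed message: handed to us by a clean forwarder, but injected at a listed relay.
SAMPLE_FORWARDED = """Received: from mx.forwarder.example (mx.forwarder.example [198.51.100.10])
\tby mail.example.com with ESMTP; Thu, 18 Dec 2003 10:00:00 -0500
Received: from pc (unknown [192.0.2.9])
\tby mx.forwarder.example with SMTP; Thu, 18 Dec 2003 09:59:00 -0500
From: someone@somewhere.example
To: me@example.com
Subject: hello

body
"""

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.9", ZONE))
    print(relay_chain(SAMPLE_FORWARDED), judge_message(SAMPLE_FORWARDED))
```

Checking only the first hop accepts the sample message, because 198.51.100.10 is clean; walking the chain finds 192.0.2.9 and rejects it. The caveat the article raises still applies: Received headers below the ones your own server and a trusted forwarder added can be forged by the sender, so earlier hops are evidence, not proof.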

Necessarily, content scanning is subtle and tricky. SpamAssassin has made a great attempt at mastering this art, heuristically scoring a myriad of characteristics that make SPAM what it is. But the formulas and scores are well known to the spammers as well, and they quickly massage their email content, or disguise it, to fool the scoring engine. And it works. They can create remote content and deliver that in an email with little for the scanning engine to look at. This is one reason so many of the internet and technology purists are very much against HTML mail in general. But that is a whole 'nother discussion!
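An added example of heuristic content scoring in the style the paragraph describes (this is not SpamAssassin's rule set or code; the rule names, weights and threshold are constructed for illustration, as are the three sample messages). The third sample reproduces the evasion the article points out: an HTML-only message whose content is a remote image gives the scorer almost nothing to examine, so it falls below the threshold even though the remote-image rule fires.

```python
import re
from email import message_from_string

# Constructed rule table: (name, weight, test). Each test receives the subject,
# the text/plain body and the text/html body. Weights are illustrative only.
RULES = [
    ("SUBJECT_ALL_CAPS", 1.5, lambda s, b, h: s.isupper() and len(s) > 5),
    ("FREE_OFFER", 2.0, lambda s, b, h: re.search(r"\bfree\b", s + " " + b, re.I) is not None),
    ("MANY_EXCLAMATIONS", 1.0, lambda s, b, h: (s + b).count("!") >= 3),
    ("MONEY_TALK", 1.5, lambda s, b, h: re.search(r"\$\d|\bmillion\b", b, re.I) is not None),
    ("HTML_ONLY", 1.0, lambda s, b, h: bool(h) and not b.strip()),
    ("REMOTE_IMAGE", 2.5, lambda s, b, h: re.search(r"""<img[^>]+src=["']?https?://""", h, re.I) is not None),
]
THRESHOLD = 5.0  # constructed cut-off; a real scorer tunes this against a corpus


def extract_parts(raw):
    """Return (subject, text body, html body) from a raw RFC 2822 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    text, html = "", ""
    for part in msg.walk():  # walk() yields the message itself when not multipart
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart containers carry no payload of their own
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/plain":
            text += body
        elif part.get_content_type() == "text/html":
            html += body
    return subject, text, html


def score_message(raw):
    """Apply every rule; return (total score, names of the rules that fired)."""
    subject, text, html = extract_parts(raw)
    hits = [(name, weight) for name, weight, test in RULES if test(subject, text, html)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def is_spam(raw):
    return score_message(raw)[0] >= THRESHOLD


# Constructed sample messages.
SPAMMY = ("Subject: FREE MONEY NOW\nContent-Type: text/plain\n\n"
          "You have won $1,000,000!!! Claim your free prize now!!!\n")
HAM = ("Subject: Meeting notes\nContent-Type: text/plain\n\n"
       "Attached are the notes from Tuesday. Let me know if I missed anything.\n")
REMOTE_ONLY = ("Subject: hi\nContent-Type: text/html\n\n"
               '<html><body><img src="http://ads.example/offer.gif"></body></html>\n')

if __name__ == "__main__":
    for label, raw in (("spammy", SPAMMY), ("ham", HAM), ("remote-only", REMOTE_ONLY)):
        print(label, score_message(raw), "spam" if is_spam(raw) else "not spam")
```

Every rule and weight here is visible to anyone who reads the scorer, which is exactly the spammer's advantage the paragraph describes; the remote-only message scores 3.5 from two rules and slips under the 5.0 threshold with no words to match at all.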

In conclusion, the fight has come a long way, and the spammers are far from giving up. And they are not beaten. SPAM still makes up the majority of incoming mail on many servers (and certainly the servers I have worked with) and so remains a very real problem. But the delivery and content creation for SPAM has changed and it is clear the internet and mail delivery must adapt and change to deal with this.

In the next article, see Why The Do-Not-Spam List Cannot Work for the reasons why this new legislation is misguided and simply cannot accomplish what the (clearly non-technical) congress hopes it will.
