War on spam hits e-mail of the innocents

Blacklists: Sweeping tactic rejects vulnerable ISPs, affecting unsuspecting users.

January 30, 2003|By Kevin Washington | Kevin Washington,SUN STAFF

A funny thing happened when Charles Williams e-mailed his accountant recently. His messages bounced back like basketballs.

Williams, a Lutherville investment banker, eventually learned there was nothing wrong with his computer. He had become an unsuspecting victim in a guerrilla war against spam - and of a tactic that became notorious during the 1950s.

He had been blacklisted. Or, rather, the Internet address of the server that handles his company's e-mail had been placed on two spammer lists created by volunteers trying to dam the flood of pornography pitches, pyramid schemes, chain letters and loan offers that now make up at least one-third of the Internet's mail traffic.

While critics say the anti-spammers have a point, there's a growing feeling that their methods have become too draconian and wound too many innocent victims such as Williams.

Here's how it works: The list operators, volunteers who sometimes keep their identities secret, maintain Web sites that contain the Internet addresses of e-mail servers that are used to transmit spam.

While some blacklists use very specific criteria to target individual mailers, others cast a wider net. They sometimes target an entire range of IP addresses offered by Internet service providers who may allow their systems to be used by mass e-mailers, even inadvertently.

The system works because many other ISPs, corporate and even a few government e-mail administrators direct their incoming mail servers to reject any messages from the blacklisted addresses.

In Williams' case, the company that provided his address, Qwest Communications, has had several of its IP addresses appear on blacklists. As a result, customers like Williams have been affected, even though they're not spammers.

That's just what some anti-spammers want. They operate under the theory that innocent customers whose e-mail gets bounced will scream loudly enough to pressure their ISPs to crack down on spammers.

Williams, for example, has never sent spam from his Internet address, nor is there any indication that the specific address that came with his Qwest Communications DSL line was ever used for that purpose. But his address falls within the blacklisted range.

John Mozena, co-founder and vice president of the Coalition Against Unsolicited Commercial E-mail, said his Internet-based nonprofit organization has warned that these sorts of problems would spring up without national anti-spam laws.

Mike Sasso, owner of MeTaData Inc. in College Park, performs technical consulting for Williams and said he has found the experience exasperating. He tried to contact SPEWS.com, which created one of the blacklists on which Williams' IP address is listed. Eventually, he managed to reach Carl Byington, of Lake Arrowhead, Calif., who created his own list.

Byington, reached this week, said that he maintains a list of servers whose e-mail his system refuses but that he doesn't recommend anyone else use his blacklist. He said he rejects e-mail from Qwest-issued IP addresses because the company has failed to curtail spam coming from its system.

James Nash of Innovative Exchange, the Harford County ISP that provides Williams' accountant's address, said his system doesn't use third-party blacklists but instead has a subscription service that filters e-mail.

Sasso said he examined the headers of Williams' bounced e-mail and found evidence that it was rejected somewhere in the process because his IP address appeared on a blacklist available at Relays.Osirusoft.Com.

"There needs to be a public discussion of what's happening," a frustrated Sasso said.

The blacklists have raised hackles since they first became popular three years ago. The Federal Trade Commission has come under fire for testing spam filtering with third-party blacklists since August.

"What we have is an arbitrary and unverified list of addresses, from which people aren't permitted to communicate with a government agency," said Lee Tien, a senior staff attorney for the Electronic Frontier Foundation. "If the federal government is using this kind of list, there ought to be some sort of accountability."

FTC spokesman Stephen Warren said the agency's counsel advised that e-mail messages bounced back to users on a blacklist should offer alternatives to reaching the FTC, such as the agency's mailing address and telephone number, so that people can communicate with the agency.

In the private sector, owners of banned addresses have accused the blacklisters of restraint of trade and libel.

Mail Abuse Prevention System (mail-abuse.com), which created one of the original blacklists, has been sued often but its original approach to spam was more educational than combative, said Mozena.

"MAPS would go to the company, write them, call them, e-mail them and say, `Look, you've got problems, here is our evidence, here are some fixes,' " he said. "Only when someone didn't respond to that did they go on the blacklist."

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.