Savvis cancels spammers' accounts

Web hosting and connectivity company Savvis Communications on Wednesday confirmed that it has canceled about 40 accounts from businesses that were earmarked as spammers.

Savvis halted the accounts after antispam organizations notified the company that it was providing Web hosting services to known unsolicited bulk e-mailers. The spammers in question were listed on Spamhaus' Register of Known Spam Operations (Rokso), a blacklist used by many Internet services to curb spam volume on their systems.

Spam blacklists highlight one controversial front in the battle against unsolicited bulk e-mail. Blacklists are typically compiled by volunteer organizations that monitor alleged spammers, and many companies and Internet providers block those listed. These lists have come under scrutiny by critics who allege they block legitimate businesses that do not violate U.S. laws.

All Savvis customers listed on Rokso were longtime clients of Cable & Wireless' U.S. division, which the company acquired in March this year, CEO Robert McCormick said. Further distancing himself from these clients, McCormick said Savvis would have never allowed these alleged spammers onto their Web hosting service.

"This is not a problem we created," he said in an interview. "Not a single one of these contracts were signed by Savvis."

Savvis's move came shortly after internal memos were leaked onto the Web documenting a debate among executives over how to take action. In the documents, executives weighed the merits of canceling accounts to preserve its reputation, and whether the companies in question were violating any laws to warrant action.

"Without a good reputation as a secure and honorable provider, Savvis will soon start to lose it's ability to sell to upstanding corporations and business leaders, and instead fall to its own vision of providing service to spammers and other 'unwanted's,'" Kris Kistler, Savvis' director of InfoSec and abuse, wrote in a memo.

Many network administrators, including corporate clients, use these blacklists to block spam from their systems.

One executive speculated that canceling the 40-or-so customers could cost the company between $250,000 and $2 million a month in revenue. Savvis' McCormick said the monthly cost was closer to the $250,000 end, but declined to give a solid number.

"It's an insignificant amount of revenue," he said.

CNET News.com's Stefanie Olsen contributed to this report.

[hadaso]

Blacklists block no one! Nor do "blocklists"!

> These lists have come under scrutiny by
> critics who allege they block legitimate
> businesses that do not violate U.S. laws.

1. Blacklists ("blocklist") do not block anyone from sending email. They have no access to the sender's servers.

2. Blacklists do not block any server from receiving email by anyone. They only publish information. Email recipients may choose to consult this info and may choose to act upon this info in any way they like!

3. Blacklists have no commitment to publish only info about "businesses that breal laws". They provide info, and that's it. If someone publishes a list of known senders of bulk unsolicited commercial email, then that's what published, and NOT a list of violators of a given law. And any email recipient might choose to accept or not to accept email from those sources based on this info. For instance, SpamCop publishes a list of IP addresses that received a given amount of spam complaints in the past few days (according to a published formula). It doesn't claim that they did anything illegal. A recipient might choose to use this info as a factor in determining if a particular email message is worth keeping or if it is preferable to trash it automatically. There's nothing illegal in deciding not to read email from a source that receives a lot of complaints from recipients. Other organizations list IP addresses of open relays. An address on these lists might have never sent a single spam message, or did anything "illegal". Those are just lists of servers that can be used by anyone to send email, including spammers, so they represent a possible risk that some recipients may wish to avoid (for instance, they might be used in a distributed denial of service attack.) Other lists publish IPs related to certain geographical regions, or IPs that are leased to home subscribers by ISPs, and some people might not want to receive email from these sources, that is almost 100% viruses (Almost all users use their ISP servers to send email, and don't have servers running on their PCs).

4. Finaly, blocking email just because the source is listed in one list is not a good way to filter spam. This way one might block a lot of email one might want to receive. For instance, the SpamCop list clearly states in its homepage that the list is not fit for this purpose if one needs to receive email, and the proper way to use it is as part of an email filtering system. That is, one should use filtering software (such as SpamAssassin) that employs several tests, such as consulting several lists, scanning the content and subjecting it to statistical tests and more, and weighing all that info to decide how "spammy" a message is. A good example is the system employed by FastMail.FM, where the basic spam filters rejects email only from sources that are listed in very conservative lists, that contain only IP addresses from where it is extremely unlikely that legtimate email would come (i.e., open relays that serve only spammers. They pose a security risk in that they can serve as a platform to attack an email system). Then the "advanced" spam filtering system uses SpamAssassin to assign each message a "Spam Score", and finally the email is treated according to the users preferences based on the spamscore and other criteria, either by the user choosing a "level" of spam blocking, or the user customizing the actions of the spam blocking system to create a "custom level", or the user completely bypassing the spam filtering system and then using the spamscore in combination with any other header info in reject and filing rules to do whatever the user wishes.

The point is that the recipient has total freedom to decide what to do with received email, wether to trash it or read it, or even not to receive the complete message once the source is identified, based on any kind of info the recipient prefers to use. The individual user should be given the means to use such info, and the user certainly doesn't have any obligation to see hundreds and thousands of unwanted messages just because the sender might not have broken one law or another!