
Re: Allowing MTAs to split messages to different recipients

2001-01-29 09:20:31
> when it became apparent that open relays were being abused by spammers,
> we took steps to limit the ability of spammers to use cs.utk.edu in this
> way.  in effect, we limited the number of non-local recipients to which
> any one IP address could send in any 24 hour period.  we did this because
> we had legitimate users who needed to send mail from random locations
> in the Internet without having to reconfigure their user agents each time.
>
> these measures were in fact effective - which is not to say that we
> relayed no spam at all, but the number of messages relayed was limited
> to a few in any one day...and yes, we monitored the number of messages
> blocked to see that this was the case.   our goal was to make it easier
> to send the spam directly than through us, and we succeeded.
>
> however, multiple blacklists insisted that we were running an open relay,
> and a number of sites believed them and used those blacklists as an excuse
> to block legitimate mail.  eventually we were directed by higher ups
> (who had no appreciation of the technical issues) to close our relay
> entirely, thus impairing our legitimate users.

A not uncommon story, unfortunately. There are all sorts of ways to block spam
relay effectively but blacklists are a crude tool at best for assessing this
level of effectiveness.

Another common case is that of setups where spam is blocked but not immediately
during the SMTP dialogue. Some blacklists only check as far as the RCPT TO
being successful, and incorrectly believe such sites are open to relay.

Yet another potentially abusive case is blacklisting because you're on an
address assumed to be associated with dialup users.

Another common case is where it took one or even no incident to get on a
blacklist, but even after the "problem" was fixed it took a week or more to get
off.

These things can get totally out of hand. One time I received a threatening
note saying I was going to be blacklisted not because I was an open relay -- I
wasn't -- but because I was listed as providing secondary name service for a
domain which contained one system that was acting as an open relay. I responded
explaining how important geographically distributed secondaries are to the
proper functioning of the Internet and how little this had to do with email.
The response in turn was that I should be more careful about who I chose to
provide secondary services for. (The domain with the open relay -- which of
course was quickly fixed -- belonged to the Oklahoma Regents of Higher
Education -- a real hotbed of intentionally open relays, I'm sure.)

> this is why I term the blacklists as a distributed denial of service
> attack based on disinformation - because it's exactly what they are.

Unfortunately I've seen this happen in many other cases -- too many cases to
ignore.

>>> In this case the attackers were naive
>>> about the likely good that it would do and about the harm that would
>>> result.
>>
>> Experience says they were naive only insofar as they underestimated the
>> good, and overestimated the bad effects.
>
> My experience says exactly the opposite.

So does mine. Admittedly my experience is biased towards the cases where
blacklists were a problem rather than a solution to anything, but to imply that
the harm done is always minimal just isn't right. The situation, as usual, is
more complex than that.

                                Ned
