APEWS News and Commentary Roundup

APEWS, the Anonymous Postmasters Early Warning System, is an “anonymous” blocking list that claims to run in the style of SPEWS. That is to say, its goal is to be an “early warning system,” catching and stopping spam before other lists or filters have the opportunity to do so.

The APEWS blocking list was first announced by way of an anonymous posting to the newsgroup news.admin.net-abuse.blocklisting on January 12, 2007. Though this newsgroup post originated from the IP address 149.9.0.57 (registered to US provider PSI/Cogent), the list is widely believed to be run from Germany.

If you are listed on APEWS and wondering what to do, visit this page for my suggestions.

Accuracy

A quick review of the past thirteen weeks of my own stats.dnsbl.com data shows that the list has been ramping up in aggressiveness the entire time that I've been tracking it. What was barely a 20% effectiveness rate against spam eleven weeks ago is up to 80+ percent on a week-by-week basis. However, false positives have risen similarly.

The rising spam match rate is based on what I would characterize as the “stopped clock is right twice a day” principle. List enough IP addresses, and eventually you're going to stop some spam. The side effect is that you're going to block legitimate mail (and lots of it) at the same time. Against my personal hamtrap data, APEWS blocks two out of ten of every legitimate piece of newsletter or list mail that I've signed up for.

I'm not kidding about "listing enough IP addresses," either. As of today (August 11, 2007), APEWS lists just about 1.8 billion IP addresses - by the raw numbers alone, this is 42% of the entire IP4 networking space. Much of the IP space listed isn't even routable; suggesting little attention is being paid to what IP addresses are actually able to transmit traffic (email or otherwise). Also, APEWS has been growing at a very fast rate. From July 20th through today, they have added an additional 7.5 million IP addresses. These are data points that, in my opinion, suggest that the list is bloated, questionably targeted, and inaccurate.

09/30/2007 update: Click here to read about how I can similarly block around 60% of spam just by arbitrarily listing 42% of the internet.

Based on this data, and the recommendations of other trusted blocklist operators and anti-abuse folks, I personally would not use APEWS to filter incoming mail.

Controversy and Commentary

The blocklist is considered controversial by many other blocklist operators, ISP abuse staff, and anti-spam advocates.

• Matthew Sullivan, SORBS maintainer, indicates that as of August 9, 2007, SORBS will no longer be publishing the APEWS blocklist zones via DNS.

• Claus V. Wolfhausen, maintainer of UCEPROTECT, another German-run blocklist, indicates that UCEPROTECT will no longer publish the APEWS blocklist zones. (Previously: Claus warned that unless APEWS were to make immediate, significant changes to its policies, UCEPROTECT will no longer publish the APEWS blocklist zones.)

• Suresh Ramasubramanian, respected anti-abuse manager for large mailbox provider Outblaze, categorizes APEWS as “meant to be used by fools.”

• Steve Linford, Spamhaus maintainer, has suggested numerous times on newsgroups and elsewhere that APEWS is poorly run and is not widely used.

• Kevin Liston and others from the Internet Storm Center have indicated that APEWS is using the ISC "top source" data to support blocklist entries, in violation of the data's license, and against the wishes of those who provide this data. ISC says that the data "is not supposed to be used as a blocklist as it is bound to include false positives" and that "APEWS may be a useful 'anti-spam" list if you do not mind losing a lot of valid e-mail as well."

Misplaced Newsgroup Discussion

If you read either of the two popular anti-spam newsgroups (news.admin.net-abuse.blocklisting and news.admin.net-abuse.email), you already know that both groups are often overrun with requests (example) from people who find that they are listed by APEWS. I find over 2,000 messages on these groups relating to APEWS remove requests, which is a high number considering that the blocklist is less than a year old. The blocklist group is run “anonymously.” Question 41 of the APEWS FAQ asks how one contacts APEWS. The answer includes the following: One does not. APEWS does not accept removal request by email, fax, voicemail or letters.” [...] “General blocklist related issues can be discussed in the public forums mentioned above. The newsgroups news.admin.net-abuse.blocklisting (NANABL) and news.admin.net-abuse.email (NANAE) are good choices.

This is likely why many administrators post to these newsgroups, asking for assistance, when finding their IP addresses are listed. The FAQ does warn that “abusing these newsgroups & lists by posting removal request you will make a fool of yourself,” but that doesn't seem to be a deterrent. I would theorize that this is because a lot of the people on the wrong side of listings do not understand why they are listed and do not now how to “fix” whatever issue led to the listing, as the listings are often broad and vague.

ISP Perspective

Vincent Schönau, an ISP abuse adminstrator, has related his APEWS experiences to me in email, and given me permission to share them here.

Other blacklists have employed the 'escalations' strategy in the past, but APEWS has taken it to a whole new level; a few spams from a providers ip ranges will cause all or most of the providers ip space to be listed in APEWS, with comments such as 'unprofessional / negligent provider'. What this means is that if your provider is a noticeable source of e-mail, sooner or later, it's going to get listed. Several providers of 'blacklist checks','blacklist comparisons', 'e-mail reputation checks' and include APEWS data. Apparently this is causing systems administrators who are desperate to reduce the amount of spam they're receiving to think that using it might work - perhaps because not all of those sources include the data on false positives for the blacklists. In practice, this means that several times a week, I'm spending time explaining to my users how they should work around the e-mail delivery-problems they're seeing which may or may not be related to APEWS. I could be spending this time taking action against compromised hosts in our network instead. This hurts providers who do take action against the abuse from their network more than providers who didn't care in the first place.

Others have related similar stories to me, of how long after spammers were booted, that a listing still persists. In one instance, a provider had a compromised machine, which was identified and disconnected within two hours of sending spam. Three days later APEWS listed it, and six weeks later, the listing persists, even though the issue is long since addressed.

If you are listed on APEWS and wondering what to do, visit this page for my suggestions.

Status of lbl.lagengymnastik.dk: DEAD

The DNSBL lbl.lagengymnastik.dk is no longer active. It ceased operation back in 2003 or 2004.

In January 2007, Henrik, the operator of this DNSBL, indicated that his bandwidth is still being greatly consumed by DNS queries against his list. Because of this, he has implemented a “wildcard listing strategy” to force sites to stop using the list.

In a wildcard listing strategy, a DNSBL lists all IP addresses in the world. That means that anybody using this list will no longer be able to receive any mail at all. This controversial “last resort” is done as a wake-up call for sites using the list. Suddenly they stop receiving all inbound mail, and hopefully they soon realize what’s going on and resolve it.

If you find your mail bouncing with a reference to the lbl.lagengymnastik.dk list, contact the site that blocked your mail. I assume you’ll have to do that via telephone, since mail to them will not go through. Inform them that the list is no longer around. Direct them to this site or recommend they do a Google search to learn more.

For more information, visit the LBL website, and this posting to the usenet newsgroup news.admin.net-abuse.blocklisting. (Note that “the Osirusoft solution” refers to a wildcard listing strategy.)

What to do if you're listed on SPEWS

The newsgroup news.admin.net-abuse.blocklisting (NANAB) regularly plays host to blocklist removal requests. Most of those requests seem to be aimed at SPEWS (the Spam Prevention Early Warning System). The SPEWS FAQ says that “general blocklist related issues can be discussed in the public forums” including NANAB. The end result is that lots of folks post to NANAB, asking that their IP address(es) be removed from SPEWS. Those folks get lots of responses, and only some of them are helpful. Because (as of January, 2007) SPEWS seems to have been frozen in time for many months, I’m sharing this information on my site to help affected folks get the facts on what’s going on, and provide suggestions on how to handle the situation.

Note: This isn’t guidance on how to avoid getting listed or sidestep anti-spam groups. This is information regarding how to address an issue with a now-defunct blocklist, where there’s nobody at the group to contact to request delisting.

If you’re listed on the SPEWS blocking list, as confirmed by checking their website, then I’m of the opinion that the following steps are probably what you should take to deal with the issue.

1. Check the status of SPEWS here. If it’s long out of date, proceed with the steps below. If it’s been updated recently, read the SPEWS website for information on how to proceed.
2. Assuming that SPEWS has not been updated in months, your next step should be a review your bounce data. Does it contain bounce data that references a SPEWS block?
3. If no, don’t worry about it. You just determined that you’re not having blocking issues that you can trace back to SPEWS. It’s annoying that you’re listed on the website, but there’s little easy recourse available to you to address that. However, if your bounce data does indicate blocking that you can trace to a SPEWS listing, proceed with the following steps.
4. If you have a spam issue, resolve it. Just because SPEWS may be gone, doesn’t mean that your spam blocking issues are going to magically going to go away. If SPEWS is listing you, other blocklists or ISPs are probably blocking your mail. Make sure you’re doing everything possible to comply with best practices, and remember that complying with the law just isn’t enough. I realize that this guidance is pretty brief and high level. Reach out to an email service provider (ESP) or email deliverability/reputation consultant for further assistance, as appropriate.
5. Contact the site bouncing your mail. Show them that SPEWS is out of date and is no longer updating. Feel free to point them at this site. You should be able to demonstrate to them that you do not spam. Be polite. ISPs and companies are perfectly free to block your mail. Attempts to strong-arm a site into accepting your mail are legally and ethically questionable, and will cause far more problems than realize.
6. Read the bounce to see if you can determine who is serving up the SPEWS blocklist. SPEWS doesn’t publish the data as a blocklist themselves; they leave that to others. As of February 1, 2007, Matthew Sullivan of SORBS has stopped serving the stale SPEWS data. I assume that other sites serve it up as well. If you find that a site is serving up this outdated info from SPEWS, contact them and let them know that the information they’re sharing is out of date. Feel free to point them toward this site. Recommend they follow Matthew's example with regard to nulling out the listings until (if) SPEWS returns.

I hope you find this information helpful. Please feel free to contact me with your comments or feedback. But, please note that I'm unable to consult with you regarding your specific situation -- I've already got a full time day job, and I'm not looking for consulting clients.