Blog

  • OWASP EU – Day -1, the free day

    I got up nice and early again. 6.30 am. So so wrong. Alien Andrew has landed and it’s freaky time again.

    After breakfast, I retired to my room to work on my slides. Good move! They look great now.

    After lunch in my room, I felt a bit tired, so took a nap. Awesome sleep. Woke up just before I had to go out for dinner with Dave Wichers and a few others.

    We moved to The Troubadour and had a nice meal, followed by a trip to a nearby square and some more beer. Beeer! Around 11.30 pm I retired into the rain, and walked in the wrong direction. Leuven is a little town, so the cabs were hard to find. By the time I got one, I was thoroughly wet and cold.

    Got back to the hotel room – sore feet and wet and tired. Went to sleep straight away. Fantastic, productive day with friends, food and beer.

  • OWASP EU – Travel (MEL -> LHR so far, roughly 16000 km and 24 hours)

    I’m sitting in London Heathrow after a monumental flight. It’s so wrong. Even in business class there’s no avoiding the fact that it’s a long time to sit down. And as many of you know, I love a good sit down.

    After flying in business class to Europe for the first time, it’s definitely 1000% better than being in cattle class. The (hardish) seat folded down nearly flatly, or would have if it wasn’t designed for small women and children. My shoulders hit the sides of the capsule when my feet fit under the capsule in front of me. Now I know I’m a bit on the round side, but I doubt my shoulder girth will change if I ever become svelte. I’m not going to be less than 180 cm any time soon, so these seats need a little fine tuning. Even if the capsules had a soft side, it would be acceptable.

    After exhaustion set in, I took sleep where I could, and I must say I’m feeling much more awake and less tired than even the last time I travelled to Las Vegas.

    The flight was fun – we flew over many countries I’ve never set foot in – China, Tibet, bits of Nepal with the Himalayas in the distance with a fine dusting of snow, Russia (seemingly forever!) including flying near St Petersburg, Latvia (Riga), Ukraine, Finland, Denmark, Holland, Belgium (… I’ve been to those last two!). Unfortunately, although we flew during the day, it was clouds all the way from China through to landing with only a break or two when I bothered to open the blind.

    Landing in England brings back memories. Obviously, they laid the best English late spring weather on for us, with being 16 C and rainy. It was 17 C, sunny and fine on the day I left Melbourne, and that’s three days shy of winter proper. It’s going to be amusing if the weather doesn’t clear up in Belgium for the conference.

    I’m not feeling very hygienic right now – could definitely use a shower. Unfortunately, the little airline (BMI) I’m travelling on for my next leg doesn’t have a shower in their “Business” class lounge, so that will have to wait until I get to the hotel in a few hours.

    At least I’m having a good time with roaming and wireless networks. Have SMS from the fiancée (yay team!) and knowing that my cats are well and likely to get good tummy rubs whilst I’m away is all good.

  • eBay: do not recommend, waste of time

    Well, I’ve just had my first experience with eBay of being kicked in the teeth for being honest. I’ve been a member for six years, and until last week, I maintained a perfect 100% reputation basically by being me in all my dealings. Here’s a hint – it’s simply not worth it as eBay will not back you up when the going gets tough.

    A woman wins one of my four auctions last week. She bid several times on a table setting, comes to my place, asks to measure the table in a lame effort to prove that the table is smaller than I said in the listing, and says she doesn’t want it as it’s too narrow and she likes to spread out. She then leaves.

    Sorry lady, on eBay, like all auction houses, if you bid on it and you win it, you own it. So I leave her negative feedback for abandoning the sale:

    Refused item even though exactly as described and as per photos. Not recommended

    She then leaves negative feedback for me, but in her case, she lied:

    item failed to meet description. do not recommend, waste of time

    This is a laugh as:

    0) the description is accurate (8 seat table with 6 chairs). The table can seat eight if you must, but six is about right.
    a) the description of the condition is accurate (as new, with minor dints from regular use)
    b) there’s photos of the item including a photo of the only chair which has (cleanable) marks
    c) there’s accurate measurements in the questions area five days before the auction ended for all to read

    I complain to eBay. They suggest asking her to withdraw the feedback. I do so, even though I know she won’t. She didn’t. I complain again to eBay. They tell me that due to US law, they can’t remove even slanderous postings. Sorry fellas, Gutnick proved that Victoria, Australia defamation law trumps US defamation law. All the way to the High Court. eBay have a responsibility to deter and remove slanderous postings when they occur, and not hide behind some lame interpretation of US law which simply doesn’t apply here.

    So what’s eBay’s final offer? Ask the liar who didn’t pay for her winnings to mutually withdraw the negative feedback. I’m loathed to do this as a poor rating is a good warning to other sellers / buyers that all is not well with that person. But I want my 100% back for exactly the same reason, and I’m buggered if I’m going to pay some shiny arse lawyer $20k or more to get a clean eBay account again through winning a defamation case.

    Six years of being “me” down the drain.

    So if you want to be treated nice at eBay – shit all over the other sellers. There’s nothing that eBay will do to you. At all. eBay is not the good guy’s friend. do not recommend, waste of time.

  • Demise of BlueSecurity

    According the Register, Blue Security has decided to close up shop.

    http://www.theregister.co.uk/2006/05/17/blue_security_folds/

    The problem with Blue Security’s model is that a single attacker with sufficient resources can bring it down. Blue Security had it nearly right – if enough people took the spammers up on their offer to de-list users from spam registries, then the spam issue starts to become manageable until such time it becomes law the spammers are jailed and refused access to the Internet forever and ever all over the world.

    We need to set up a (de-)centralized place for spammers to check the “do not intrude” list without blowing their cover or exposing e-mail addresses, and a totally anonymous decentralized categorization effort without causing any harm to innocent bystanders (such as Tucows or Typepad).

    The primary spammer who took out Blue Security can be considered to be essentially an organized criminal, and has committed criminal acts in taking out Blue Security. In general, fighting organized crime takes a lot of guts as it can be quite dangerous as they have nothing to lose and live in generally lawless societies. These thugs are like extremely stupid gruff dogs – they must be shown exactly who the boss is, and it’s not them. If they require a good slap on the snout or worse for shitting all over the Internet, well, it’s not for us to do so – it’s for the local police and SWAT teams to do. And in my personal opinion, I’d love to see that on COPS instead of their usual fare of poor drugged out wackos, who need social workers not arresting.

    As I do not want any innocent bystanders, developers, moderators, ISPs (who are somewhat guilty), or key infrastructure targeted, I have thought about ways to protect as many stages of the life cycle as possible. I propose the following:

    Server Infrastructure

    Use newsgroups.

    The infrastructure already exists at nearly every ISP, and is available read only at many other places to allow both the spammers and newsless ISP customers to participate, is sufficiently de-centralized, replicates relatively well, and the attacks are already well known (post flooding, etc)

    Process:

    • Spammer would upload a batch file of e-mail hashes to a particular newsgroup (say alt.evil.spammers.must.die) with a response address to which the user’s clients will respond with a lightweight message. This prevents emails from being exposed to other spammers.
    • Individuals run a plugin on their mail application, which parses each message posted to this newsgroup
    • If the plugin’s protected e-mail address(es) are found, the plugin will ping the response address in the batch file
    • The ping would traverse a peer to peer network set up via the plug-ins. All of the plug-ins communicate via a de-centralized model to prevent the sort of attacks which might take it out (flooding, rubbish pings, etc). After a random number of hops, the last random peer will perform the takedown notice to the properly categorized spammer page.
    • The Spammer receives the do not intrude ping request from the individual and they take them out of their lists.
    • Problem solved for “less evil” spammers.

    What to do about more evil spammers

    Escalate. Spammers who refuse will get 2x … 4x … 8x the number of “unsubscribe me” from various anonymized addresses spread over a few days. In time, they’ll learn. Take the e-mails out, hits go down.

    Categorizing spam

    The plugins will need to know how to deal with spam, and to do that, it must be categorized, URL form found, and regulatory reports performed (ie, BSA for pirate software, FDA and other drug regulators for meds, etc).

    However, as Blue Security demonstrated, being the centralized categorization source of truth does not work. That’s soooo Web 1.0. Let’s move on to a decentralized, people power version for several reasons:

    • If it’s a small group, they would be in severe danger. I don’t believe we could protect this model
    • If it’s a moderate sized group, taking out even one or two could cow the rest. This is how organized crime works today
    • If it’s the entire group, the risks are spread out over a large population, and taking out even a small number of users will not affect (and indeed will drive) membership.

    Being in a large anonymous group makes it harder for attackers to find or attack anyone. If no one is a permanent moderator / categorizer and can always decline the task, taking out any number of individuals simply won’t work – the service continues and the spammers continue to get hit with unsubscribe requests. This makes it impossible for the most mobile and ruthless of spammers to take effective action against the network and is a first hand demonstration of people power.

    Each node is randomly chosen to be a categorizer for a few hours as per slashdot. If a user decides to participate, the nearby network will hear about it, and new uncategorized spams will be sent to current categorizers.

    The hash of the spam is noted to remove dupes and this is spread everywhere. This will help prevent the same spam being categorized more than once.
    If the categorizer can’t read the spam (say it’s in another language), it can be categorized to be a particular language, and then re-forwarded to peers who accept that language.
    Let’s make it reliable via voting. Completed categorizations are offered to three other plugin users for peer approval. If all two peers agree with the categorization, it’s accepted and spread throughout the network.
    If the spam is not categorized, for safety’s sake it is not acted upon, but instead spread to another node when the node’s time is up. This stops big spams from being lost in the system. However, there should be a maximum age for spams to prevent overload. Spammers usually send out more in a few days time.
    At install time, node owners can say they are “advanced” nodes when their turn comes to be a categorizer. Each approved categorization will be looked at by one advanced node to see if it has enough information to detail the source. Let’s get those zombies closed down – find and report each and every zombie to the ISP abuse queue. Do this politely and in batches so they can deal with a bot fleet in a manageable way. ISPs are not our enemies – they need to be helped to clean up the net from being abused. Hopefully the ISPs will get the idea and close down outbound SMTP from the zombies, or even better take the customers offline until they’re cleaned up.
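    The two client-side pieces above – matching the plugin’s protected addresses against a hash batch posted to the newsgroup, and deduplicating spam by hash with peer-approved categorization – as an added example written for this post, not code from the proposal or any real plugin. The article layout (a Response-Address header, then one hash per line), SHA-256 as the hash, and the whitespace-normalised spam fingerprint are my assumptions; the post does not fix them.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def hash_address(addr: str) -> str:
    """Hash one address so the batch exposes no addresses, only hashes.
    Assumption: SHA-256 over a lower-cased, trimmed form (the post names no algorithm)."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def parse_batch(article: str):
    """Parse a batch article: a Response-Address header, then one hash per line.
    Anything that is not a well-formed 64-hex hash is dropped, so junk lines added to
    slow the plugin down (attack b in the post) cost only a regex check each."""
    response = None
    hashes = set()
    for raw in article.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("response-address:"):
            response = line.split(":", 1)[1].strip()
        elif HEX64.match(line):
            hashes.add(line)
    return response, hashes


def matching_addresses(protected, batch_hashes):
    """Addresses the plugin protects that appear (hashed) in the batch; only these get a ping."""
    return [a for a in protected if hash_address(a) in batch_hashes]


class CategorizationLedger:
    """Dedup spam by fingerprint and accept a category only when `quorum` peers agree."""

    def __init__(self, quorum: int = 3):
        self.quorum = quorum
        self.votes = {}      # fingerprint -> {peer: category}
        self.accepted = {}   # fingerprint -> agreed category

    @staticmethod
    def fingerprint(body: str) -> str:
        # collapse whitespace so trivial re-wrapping of the same spam is still a dupe
        norm = " ".join(body.split()).lower()
        return hashlib.sha256(norm.encode("utf-8")).hexdigest()

    def vote(self, body: str, peer: str, category: str) -> str:
        fp = self.fingerprint(body)
        if fp in self.accepted:
            return "duplicate"          # already categorized: do not act on it again
        peers = self.votes.setdefault(fp, {})
        peers[peer] = category          # one vote per peer; a re-vote replaces the old one
        if len(set(peers.values())) > 1:
            return "disputed"           # uncategorized for safety; pass to another node
        if len(peers) >= self.quorum:
            self.accepted[fp] = category
            return "accepted"           # spread throughout the network
        return "pending"


# Constructed sample data (not real addresses, hashes or spam).
BATCH_ARTICLE = (
    "# constructed batch article\n"
    "Response-Address: ping.example.invalid\n"
    f"{hash_address('alice@example.com')}\n"
    f"{hash_address('carol@example.com')}\n"
    "this-is-junk-not-a-hash\n"
)
SAMPLE_SPAM = "Cheap   meds  here! visit  http://pills.example.invalid"

if __name__ == "__main__":
    resp, hashes = parse_batch(BATCH_ARTICLE)
    print(resp, matching_addresses(["alice@example.com", "bob@example.com"], hashes))
```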

    An alternative I had thought of – a network of resilient web apps, which allows anonymous volunteers to contribute to categorization with voting to ensure that only good categorizations are let through, wouldn’t work. Spammers would just DDoS it out of existence. This particular model wouldn’t work.

    Another alternative is to use another newsgroup to distribute categorizations. I like this as Plan B in case the attacker manages to kill the P2P network. However, as more headers are available, the attackers may be able to identify key nodes, particularly categorizers, so I don’t really think this is a safe idea.

    Attack models

    PharmaSpammer basically threatened to take the Internet out. As it’s essentially protected infrastructure these days (with no real SLA though), doing so will create a real law enforcement retaliation, as well as get ISPs to finally take responsibility for their zombie customers and get them the hell off our Internet. So let’s discard this attack – the spammers want to spam, and to do so, they need the Internet to be more or less working.

    Let’s look at more realistic attacks:

    a) Attacking news servers. DDoSing each and every news server in the world is just not likely, especially if ISPs make sure their news servers can only be reached by their own customers (which is typical today).

    b) Attacking news groups. Post flooding can be dealt with via automated moderation of articles. This is a very old attack, and there are some methods to deal with it. Automatic cancellation is the wrong approach as this creates 2x replication traffic. Lastly, adding huge quantities of fake hashes to slow down client plugin processing of the newsgroup or to force the news server to archive legitimate and reasonably fresh articles to conserve disk space.

    c) Attacking the peer to peer network. The RIAA has yet to make huge inroads into their little P2P problem, so I think with a bit of research, we can come up with a manageable P2P model for our purposes. Things to worry about are: rogue clients injecting rubbish. Flooding. Rogue clients looking for identifying information, rogue or real clients injecting “unsubscribe” URLs to attack competitors. These issues would need to be looked at.

    d) Attacking the categorization volunteers / moderators. This is definitely a problem, but one which if there are enough moderators (say 100 or 150 volunteers) makes it that much less likely that attacking one or two of them will make any difference to the spam meisters – they will still be receiving one cancel message for each spam they pump out.

    e) Attacking the plug in development. I propose that like the spread of DeCSS or Linux, this could be done in a relatively de-centralized fashion – let’s propose a standard for the p2p protocol, and then allow as many implementations as possible. Individual implementations could be distributed via P2P networks with known good hashes found on the more trusted sites to prevent malware being issued. Obviously we need open source implementations, as well as allowing vendors to integrate this feature into their fat apps.

    I’d be really interested in peoples’ thoughts on this one. We can’t let organized crime win this one.

  • Moronic security is a risk in itself

    There must be a special breed of moron common in the physical security world. Much is made of how secure many office buildings are, but this is not my experience as a gifted tailgater.

    Today, after 14 months of waiting, I managed to get a car park in my building. I am chuffed as it is nice to have a fast easy way to get to work. I know I am lucky** as many people would like to park there, but there’s a … 14 month waiting list. That’s not why I write.

    My spot is on level 2. I work on level 3. The benefits of parking so close should include not having to go out in the crappy weather – what with a short lift ride between the two floors. However… moronic “security” comes to the rescue and ensures that this is not to be.

    Upon entering the carpark in my car, I can only exit via the lifts as the emergency exits are alarmed. I enter the lifts, swipe my card and press “3”. Nothing happens. It turns out I have to press “G” (ground in Australia = “1” in the US), and exit the building completely, walk *all* the way around it, re-swipe my access card to re-enter the building … walk to the same lifts, and then press “3”. I am not making this up.

    It makes no sense. I am authorized to be in the car park *and* the building. But I can’t transit one floor.

    (Image from Bruce Schneier’s excellent blog. See links to the right and subscribe to his blog and Cryptogram!)

    This sort of stupidity makes people disrespect actual security measures. Until we can eliminate morons in the “security” industry, real security will always be worked around. We’re all seen as fools until we rid ourselves of fools.

    ** For environmentalists reading this… I have a tiny fuel efficient car (Citroen C3), and I carpool with my girlfriend, so it’s not just a single person clogging the roads. It’s two people clogging the roads and dirtying the air. However, it’s faster and cheaper for us to drive than to take public transport, even when you take into consideration the cost of parking, fuel, depreciation, insurance, and other running costs. Peter Batchelor needs to improve public transport in the west of Melbourne. It should *never* be cheaper or faster to drive in compared to public transport. But whilst it is, I’ll drive and park at work.

  • My Mac is back. Oh yeah!

    I’ve been off the air effectively for two weeks with the temperature sensor issue. It’s been everything I could do just to do the things I had to do, like moderate the webappsec queue. Everything else – writing the Guide, responding to e-mail, doing my slides for OWASP EU, etc have all been put on hold. That really sucks.

    The AppleCenter told me that my Mac would be ready at 3 pm, so when I popped in at 4.45 pm to pick it up, I was surprised to find that it was not yet done. The tech replaced the lid and I got out of the store just after 6 pm. :(  

    AppleCenter Richmond repaired my Mac using a spare part from another G4 laptop that didn’t end up needing it, rather than wait any longer for the mythical part to come from Apple’s leprechaun factory. The laptop now has no warranty, so hopefully it will survive long enough for me to save enough dosh to buy a MacBook Pro, or … more likely a nice shiny Dell.

    The trackpad button is now really stiff and the temperature sensor is reading the ambient temperature of the interior of the case (around 25-40 C depending on use). This is good. However, I feel an eBay auction coming on as soon as I have the difference in dosh between the sale of the G4 and the next one. I can’t stand lemons.

    Now, to get my life back in order. If you’ve been waiting for an e-mail response from me, I can now do it. It will take most of Easter to get through them all. I beg for your patience. 🙁


  • Service Orientated Architecture (SOA) Security

    Recently, I’ve been doing a fair amount of work in the SOA area. It’s funny how many folks want to expose ancient code directly to untrusted third parties.

    All is not well in the SOA space, and it’s important to understand the risk of web service enabling calls to “trusted” systems. That code is generally not written to handle input from malevolent attackers – it was designed to be called from internal staff who you have a strong legal relationship with and all the motivation in the world to keep their jobs.

    This slide pack was intended for the April Melbourne OWASP chapter meeting, and it’s a basic taster of the stuff I’m going to be including in the forthcoming OWASP Guide 3.0.

    Securing SOA (927 kb, PDF)

  • Why Apple will never win the desktop dominance battle

    For the last few months, I’ve been battling a debilitating issue with my Apple G4 laptop. It has narcolepsy. The trackpad in many G4 laptops contains a faulty temperature sensor. It normally reads -16 to 4 C (which is wrong), but the operating system monitors it. From time to time (and for me all the time), the sensor will register -150 C to +260 C.

    When this happens, the OS puts the computer into emergency sleep. There is no way to turn this behavior off.

    This has not been the only battle with faulty hardware. My laptop lost half its memory shortly after I acquired it, and this required a new logic board to remedy. But not before Apple tried replacing all the RAM several times. In the end, it took Apple four or so weeks to get a new logic board. Luckily, I could struggle through with half my memory. Imagine if it was dead.

    Well, that’s where we are today. My laptop puts itself asleep almost continuously now. I can barely get 10-20 seconds out of the laptop. For all intents and purposes, it’s a $3600 silver hunk of crap.

    Apple in their infinite wisdom, must *see* the laptop fail. There are no Apple dealerships near me. I cannot easily take time off work. The Apple dealers which are open late do not have any service staff on after hours. You get the picture. I have the logs dating from January. I have the Apple support article. I know the part number. I can show the temperature sensor readings and the obvious places it goes crazy. Apple will not believe me because they haven’t seen it fail. Well, I finally managed to find some time to go take it to Apple in late March when it was totally driving me nuts. It’s now nearly 12 days later, and I still have a faulty computer.

    Compare this to the last Dell I had (I’ve had three). One morning, my hard drive crapped out. I rang them at 9 am to report the issue. The tech was there at 11 am, and I was using the recovery CD at 11.15 am. Or the HP workstation I bought in the mid-90’s after my last Mac, a Quadra 650. About two years into its three year warranty, the monitor developed a fault and I rang in to get it looked at thinking I might need to drop it off somewhere. No – HP sent out a courier the same day with a brand spanking new monitor and the courier waited for me to unpack the monitor and repack the faulty monitor. Now that’s service.

    Apple wants me to pay $530 for AppleCare to continue my warranty for another two years as my warranty runs out on Tuesday. It’s obvious that I need it with this pile of steaming feces – it’s a lemon. But why should I pay for such crappy service? As far as I’m concerned as a customer, if I tell you something is not right, you just tell me when I can bring the damn thing in and you will fix it right there and then.

    But no – Apple can’t currently tell me when the required part (a new “top” unit, which includes the temperature sensor for the trackpad) will arrive, so I’m forced to wait. They don’t provide me an alternative laptop in the meantime.

    Apple – I was considering a nice new MacBook Pro. Your truly awful customer service has turned me off your products. If you can’t be bothered to stand behind your $3600 products, when Dell stands behind their $1500 products so much better, I can’t honestly justify the additional $1100 to buy your crap.

    I’m not going to buy the $530 AppleCare. I’m going to save up for a nice new shiny Dell and end my switching experience permanently. This sucks.

  • Movie plot threat contest

    Don’t let your government be the only one to come up with insane and stupid reasons why they want to curtail your freedoms.

    Bruce Schneier has just the idea:
    Movie Plot Idea Submission Thread

    Feel free to submit a story idea – you never know, you may be the next Swordfish or Firewall!

  • greebo.net blacklisted by various terrorist organizations

    I am pissed.

    My server has been blacklisted by various spam blacklist sites… because my nameserver (something I do not control) and my netblock is owned by someone the RBLs don’t like.

    I found out today that our hoster, Quantum Tech, is owned by a convicted spammer. But unless you rub shoulders in the dark and dingy vigilante world, it’s actually pretty hard to find out that Quantum Tech and the spammer are related. Global Web have been convicted and so they must have been forced to pay up, or else QT wouldn’t still be here. My view is that once justice has been handed out, life goes on. So like IBM and Microsoft, anti-trust convicts and other nefarious firms, once the punishment is handed out, people continue to buy from them even though their reputation has been sullied. Except that I had no idea that QT were dodgy. Saying that though, QT have provided us pretty good service for the price, and the performance of the server and network has been fine, unlike our previous hosters.

    The RBLs cannot act like some cowboy sheriff from the wild west and continue their jihad against their mortal enemies. The law has had its say. If further crimes are committed, then it’s still the law’s turn, not theirs.

    But that’s all an irrelevant red herring – my problem is not with Quantum Tech. It’s with the RBL vigilantes.

    The terrorists at Spamhaus and SPEWS are blocking my nameserver and my dedicated host’s netblock. This basically means that for ISPs – who like stupid sheep are using these services – password reset e-mails from our site do not work reliably due to the black listing. Despite the fact WE DO NOT and NEVER WILL SPAM. If the RBLs had proof that our IP or host spammed, then sure, I can understand that, but to be tarred with the feathers of someone we don’t control and don’t care to know anything about is just stupid. It’s like all the people in a state of a country being convicted of a crime because one or two people in that state actually did do that crime. Convicted by people who appointed themselves as judge, jury and executioner, with no appeals.

    I’ve had two communications so far, both dismissive of my complaint. It’s harder to get off an RBL than it is to get off a spammer’s mail list using the “Remove me” link. As these RBL folks act illegally, there’s no natural justice, ie no recourse to arbitration, and no mediation or dispute resolution services. Why would they? They impose their view upon the world, damn the rest. It’s creating a nuclear wasteland. More to the point, their actions are illegal.

    I did some research to see what laws they are breaking in Australia. The one that got my fancy is the CyberCrime Act 2001, which amends a bunch of criminal laws to make DoS and attacks illegal. It’s pretty comprehensive and balanced for the most part. I had a hand in getting a few changes in there whilst I was president of SAGE AU – we responded to the Senate enquiry to get system admins protected whilst they were doing their job as we remember what happened to Randal Schwartz and I personally wanted to make sure that the clauses previously protecting only Commonwealth computers was extended to all computers in Australia.

    The section which I draw your attention to is 476.2:

    476.2 Meaning of unauthorised access, modification or impairment

    (1) In this Part:
    (a) access to data held in a computer; or
    (b) modification of data held in a computer; or
    (c) the impairment of electronic communication to or from a computer; or
    (d) the impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;
    by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.

    (2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.

    (3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person’s conduct substantially contributes to it.

    Therefore, any unauthorized impairment, even for supposedly good purposes like spam prevention is illegal unless authorized. And for my system, you require my authorization, and I’m not going to give it. So effectively, SPEWS and Spamhaus are acting criminally if they block any Australian IP address or system controlled by Australians.

    But far, far worse than this is the sheer arrogance demonstrated by their faceless peons who are too cowardly to sign their own names to their e-mails.

    I asked reasonably firmly but politely that they remove their blocks:

    Hi there,

    You have placed my sites into an overreaching netblock, affecting aussieveedubbers.com, a site containing 4500 VW car nuts. None of the sites hosted on my dedicated server under my direct control are spam boxes. I detest spam, but you’re not helping … at all.

    Please carve out two IP addresses from this listing:

    69.31.39.108 – aussieveedubbers.com
    69.31.39.109 – greebo.net vanderstock.com codesqa.com

    Our nameservers will also need unblocking.

    ns1.wickedtechnology.net 69.31.33.67
    ns2.wickedtechnology.net 69.31.33.68

    If your aim is to reduce spam, you are not doing it by blocking my site as we don’t spam. All you are doing is making me very angry. For the last few months, I have been hand processing 10 or 15 password resets per day that would have otherwise been handled automatically. That’s right – your useless service is blocking 10 or 15 legitimate e-mails a day. Good work, fellas. That’ll really knock the spam problem on the head.

    If you do not fix this up within 24 hours, further action will be taken.

    Here’s their response:

    “We have placed?” How long have you been hosted on these IP addresses?

    This range was listed on Feb 05, 2004 – almost exactly TWO YEARS AGO.

    We’d suggest you talk to Mike Van Essen and his “Quantum Tech Pty Ltd”, the owner of these IP addresses, why he does not tell people, 1) that they are listed by us and others, and 2) why they are listed.

    One must have due diligence as to where one hosts.


    Regards,

    The Spamhaus Project

    Despite their arrogant imputation we are clueless noobs (“due diligence as to where one hosts”), we in fact checked out Webhostingtalk (there’s one link to “Quantum Tech” back in 2002), and read over the AUP and conditions carefully. The price was right for a dedicated host for our non-profit car forum.

    But it is completely unreasonable to think that we should perform a criminal background check against the ISP. Could you imagine every customer doing this to AOL, OptusNet, BlackBerry, or Verizon? Don’t make me laugh!

    But it still misses the point – I DO NOT SPAM. Therefore, Spamhaus and friends should get their hands out of their backsides and remove their black list. Spamhaus and friends are causing us financial loss as users can’t register on our site and they can’t recover their passwords if they forget them. Spamhaus and friends are performing criminal and illegal denial of service / impairment of our legitimate service to our Australian users provided by a legitimate site run by Australians.

    If this is not resolved soon, I will be reporting them to the police. I do not take such action lightly, but I have no choice. If you’re an admin, there’s no better time to ditch the awful RBLs and go with something that works. I will also do the ring around to my mates at various large ISPs and make sure they are not using these services. Nothing would make me happier than making Spews and Spamhaus powerless.

    If I were Spamhaus or Spews, I’d be looking seriously at why their efforts have failed. I get a bucket load of spam every day, and so their approach has obviously failed miserably. As someone who respects the scientific method, you need to evaluate your own methods and results so you can improve them over time. I personally believe that RBLs are ineffective and need to be scrapped. But most of all, they need to respect the rule of law and work with their country’s anti-spam and cybercrime laws. They are effective. RBLs are not – their days are over.