Usenet Death Penalty FAQ

Archive-name: UDP-faq v1.1.1
Last-modified: 01/11/2000
URL: http://www.stopspam.org/usenet/faqs/udp.html
Maintainer: Ken Lucke
Original-author: Ken Lucke

This document is meant to address Frequently Asked Questions about a UDP, or Usenet Death Penalty. It is by no means an exhaustive list of questions and their answers.

Usenet is a cooperative anarchy, in which cooperation with the other sites participating is an unwritten rule. Cooperation includes acting responsibly, and enforcing responsible action on the users who utilize the resources of the system for which you are responsible as an administrator. Since the utilization of those resources on your system also affects the tens of thousands of other sites around the world that participate in usenet, any abuse by a user of one system also affects the rest of those systems.

What is a UDP?

A UDP, or Usenet Death Penalty, is a means by which site administrators and others around the world attempt to enforce the cooperative nature of usenet on an uncooperative member of that community. It is accomplished, in most cases, by what is known as an "active" UDP. An active UDP is one in which every message posted to usenet by the offending site is canceled or not propagated. This is done regardless of content, posting author, or whether or not it would normally fall under the spam cancel thresholds. This simply cuts that site, and all of its users, off from being heard by the rest of usenet.

A UDP can also be focused at a narrower range of targets, such as "everything out of sprynet in alt.sex.*", or "everything from user jsmith@abusiveisp.com", or "everything out of UUNET from a particular dialup pool".

Why would you want to do such a thing?

The main reason that a UDP is normally called for is when a site refuses to deal with consistent and continuing spam issuing from one or more of its users. Administrators realize that every site can pick up a spammer at any time.
What angers them and irritates them to the point of calling for and participating in a UDP is the refusal [or inability] of a site's personnel to deal with the problem. Every channel of complaint is normally exhausted as unresponsive before a UDP is called for.

Other issues might be consistent, rogue cancels from that site, or other similar abuses of usenet. Email abuses from a site are not part of the determination of UDP criteria, as email abuse and usenet abuse are wars generally fought on separate fronts.

Who enforces a UDP?

UDPs are enforced by site administrators and spam cancelers around the world, who either cancel the messages directly, or pathhost alias the sites so that their news software no longer accepts nor propagates articles which originate at the site under UDP. Pathhost aliasing is actually part of a "passive UDP" more than it is part of an "active UDP", but the two often occur simultaneously, because some sites don't even want to accept the articles to begin with while waiting for a cancel message to show up.

Does the site being UDP'ed have any say in all this?

In one way, the answer is No. They had the ability to have their say when they refused to deal with the problem that caused the UDP. When complaints have gone on long enough without resolution to actually cause the institution of a UDP, it is a clear indication of the policies of the offending site. The lifting of the UDP is dependent upon that site coming back into compliance with the cooperative nature of usenet. This generally means that the spam or other abuse flowing from that ISP ceases or drops dramatically. ISPs are free to accomplish this in any manner they see fit. Stopping the abuse is the purpose of the UDP, not dictating company policies or procedures to the UDP'ed site.

Of course, in another way, the answer is Yes, because they can make an effective effort during the waiting period after the "Intent to UDP" announcement to make substantive changes in their policies or resolve the problem, which then makes the UDP unnecessary.

Isn't this censorship?

No. Firstly, the legal definition of censorship in the USA (where, unfortunately, most of the spammers are, even when they use resources outside the USA) is that it can only be done by the government - private entities can not, by definition, be guilty of censorship. Outside the US, laws are varied.

Secondly, even ignoring that definition, and using the uninformed public's opinion of what censorship is [preventing someone from saying something that they don't like], this does not fall under that criterion, either. The articles being canceled or shunned by pathhost aliasing are not picked and chosen by their content - ALL articles from the offending site are canceled or shunned. It has nothing to do with likes and dislikes - it has to do with abuse by one system of all of the other systems on usenet.

How can one system cause problems on all the others?

When an article is propagated throughout usenet, it takes up bandwidth (transmission capability) and disk storage space for every ISP that it comes into contact with. This bandwidth is finite, and is paid for by the ISP utilizing it. Same thing for disk storage space. The ISPs who run news servers have to have huge drives to store and process all those articles that fly around usenet every day. It also takes computational power, in the form of computer CPU time, to process all those articles. All those things cost money.

Normally, the cooperative nature of usenet is such that each ISP says to the others, in effect, "here are the articles my users have posted - if you'll be kind enough to store them and pass them on, I'll do the same for the articles that your users have posted."
However, an abusive site can pump out literally hundreds of thousands of articles a day from several spammers each, whereas most [even large] ISPs' users only post a few thousand at most every day in toto. So what happens is that every other ISP who is connected is forced to bear the costs of transmitting and storing those articles originating from the abusive site.

In addition, because disk space is finite and limited, each ISP has specific amounts of disk space devoted to the newsgroups, and articles are rotated in and out of this space (called "the news spool" or just "the spool") on a first-in-first-out (FIFO) basis - which means that when the disk space is full, and a new article comes in, the oldest article(s) must be removed to make room for the new one. When you have hundreds of thousands of articles rolling in from an abusive site, the legitimate articles get "expired" off of the spool much more quickly, so that fewer people get a chance to see them, unless they are almost constantly reading the newsgroups. This causes many articles that would be of interest to a lot of people to disappear so that a lot of articles only of interest to the abusers can be stored.

Another side effect is that, even though there might be storage room left on your system, you might never see the legitimate articles because the wasted bandwidth may cause articles to be dropped before they ever get to your system. Usenet is far from a perfect medium to transmit articles, and such things happen - and far more frequently the higher the volume of traffic.

Who makes the decision to call for a UDP?

Anyone can call for a UDP. Whether that call is taken up by others is dependent upon several things - the reputation of the person making the request, the facts laid out as to the reasoning behind the call, the nature of the complaints, whether the site in question has been attempting to solve the problems, and many other factors.

Once the call has been made, generally in the news.admin.net-abuse.usenet (nana-u) newsgroup, it is discussed to determine if there is a consensus among other sites and administrators that it is justified. During this discussion, others sometimes attempt to contact the ISP in question and resolve the problem. Once the consensus is that the UDP is justified (this can be almost instantaneously agreed to, or discussed and dragged on for a long time), there is normally a notice posted to nana-u and mailed directly to all known site contacts at the offending ISP, giving notice of the impending UDP, the reasons, and the requirements to avoid/lift the UDP. A waiting period of (currently) 5 business days is normally granted to see if things improve at that point. If not, the UDP goes into effect.

How do you determine what gets canceled?

Internal technical information in the headers of the articles gives enough data to make that determination. This is even true in the case of those who try to spoof and fake their headers, hijack open servers to post their messages, and make other attempts to avoid detection. UUnet tried initially (according to one of their press releases) "technical means" to avoid the cancelbots, and found it was totally ineffective. Shortly thereafter came their infamous "we don't have a problem and we are fixing it right now" statement, back dated to make it appear as if it had been published prior to the UDP, which fooled no one.

What about stuff that just passes through the site on its way to other places?

In an active UDP, articles which do not originate at the offending site are not affected. However, any site which pathhost aliases the UDP site out of its files will also cause any articles which transit through that site to not be accepted. Thus, a pathhost aliasing is even more stringent than an active UDP, even though the term "passive UDP" sounds less serious.

What about legal issues? Don't you worry about being sued?

As UUnet (and others) have found, there is no legal requirement for other sites to carry or post their messages. Cancel messages are advisory in nature, and the sites which accept them have to have the ability to process them enabled in their software for them to be effective (the vast majority of sites have them enabled).

UUnet threatened legal action when they were UDP'ed in August of 1997, but both the US Justice Department and the FBI (and presumably their own legal department after they consulted them) stated that there had been no laws broken and that they refused to investigate or act. Because none of their own equipment or networks were attacked, compromised, or even affected, there was no legitimate Denial Of Service (DOS) complaint that could be filed. What was happening, in effect, was an organized boycott of their messages. Nothing more, nothing less - and there is nothing illegal in all that.

There would also be a horrendous negative public relations wave from actually instituting any legal action. When UUnet threatened, even more people came out in support of that UDP, contributions to legal funds were offered by a large number of people, lawyers volunteered to defend those participating in the UDP, and many ISPs promised to alias UUnet permanently (and work to get others to do the same) the moment they actually instituted legal action.

As another example, there was a rogue canceler, nicknamed "the Kikecanceller" [because his racially inspired cancel message paths all had "!kikecancel" (along with "!spiccancel," "!wopcancel," and others) in them], who was active for a short while. This rogue canceler nuked over 25,000 articles for no legitimate reason before his account got canceled. James M. Hawkins, the supervising agent at the FBI's Tulsa office, stated: "We don't have a case. I don't think we're going to be getting involved in the matter."
The local United States Attorney's office was contacted about the cancellations and they replied that no law had been broken. (See the NY Times article about the "Kikecanceller". Note: this site requires you to enter a user name and password to access it, although it is free. There have been no reported instances of spam being sent to any test address that was used to enter the site, so it appears as if this data is only used by that site and not released to anyone who might utilize it for a spamlist.)

So if you cancel everything from the UDP site, don't legitimate people get canceled, too?

Yes. One of the driving forces behind forcing compliance with generally accepted guidelines is that the ISP's own legitimate users (if any) can bring pressure to bear on their rogue ISP. Remember, the UDP is a near-last-resort measure.

What if my ISP doesn't want to participate? Aren't you ramming this down their throat?

No. Any ISP can refuse to honor cancels, and certainly pathhost aliasing is an individual ISP's decision. In addition, the cancel messages are coded with a special "pseudo-site" in the Path: header which allows ISPs to accept normal cancels but not accept UDP cancels, or only accept certain UDP cancels (if there is more than one UDP under way simultaneously).

A normal spam cancel can be aliased out by pathhost aliasing the "!cyberspam" pseudo-site. In addition, there are pseudo-sites for Make Money Fast chain letter cancels ("!mmfcancel"), UDPs ("!udpcancel"), and for each individual UDP that might be in progress ("![sitename]udp"). An ISP can choose to honor or ignore any or all of these if it so desires.

Why doesn't the government do something about this if it is so bad?

Fortunately, the government doesn't control usenet (nor the internet). This is one reason why self policing is the only possible way to stop this sort of thing. Also, which government would you prefer do something about it?
Usenet is worldwide - no one government could have any authority over what happens in or from any other country.

Aren't you just a bunch of Net Cops or Vigilantes?

Historically, as any society has grown (and usenet is a society of sorts), people have rules that they believe should be enforced. A consensus on those rules is achieved, and the technical means to enforce those rules are developed. People who are trusted by the majority are allowed (or requested) to enforce those rules.

In this case, the rules were set down by those administrators who actually run usenet - and who own and operate the actual hardware it runs on and purchase and utilize the bandwidth that it is connected with. Those who have volunteered or been asked to perform the spam cancel functions or UDP enforcement do so under "license," so to speak, of the majority of those who made the rules. They do so under a very strict code of conduct - and are constantly monitored to see that they do not exceed that code of conduct. If they do, that "license" is revoked and they are considered rogue and are shut down just as quickly as any other abuser.

Greater than 90% of the spam canceling that goes on is done entirely by volunteer effort by those few trusted enough to fulfill that role without being accused of being rogue.

Just how effective is all of this?

Not 100% by any means, but here are some examples:

Erols.com had been a thorn in the side of usenet for a long time. With a change in policy after discussion of a UDP against them, they now have a very high reputation among both the usenet and email community. Their "abuse guy", Afterburner, is known for the speed with which he nukes spammer/UCE accounts, and the style, flair, and wit with which he reports their demises.

Bell Atlantic, near the end of July, 1997, was a major spamhaus. Word got to them that they were being considered for a UDP. Spam dropped dramatically almost instantly, to their credit. No UDP was necessary.

UUnet, which was the largest single spam producer around the beginning of August, 1997, mainly through their alterdial.uu.net dialup accounts, had a full active UDP applied against them. This was after months of complaints by everyone from normal users to other administrators around the world evoked not one single solitary noted response from UUnet. Within three days, UUnet back dated a press release to make it appear to have come the day before the UDP which said, in effect, "We have a zero-tolerance policy towards spam, therefore we don't have a problem, and we are fixing it right now." They subsequently dropped dramatically in spam numbers when the problem that they didn't have went away. The UDP was lifted 6 days after it started. They recently started creeping up again towards the top, and word started percolating of a possible resumption of the UDP - coincident (?) with that, they announced and apparently instituted a much tougher AUP against spamming, and nuked a couple of the most persistent spammers that usenet has ever seen. Numbers again have fallen dramatically, and we all hope that UUnet continues with this policy.

In October, 1997, Compuserve was UDP'ed for failure to control mass spammers operating out of their service. Again, complaints had long fallen on deaf ears. Within 24 hours, they had announced and implemented a new anti-spam policy. The UDP was lifted.

In December, 1997, TIAC appeared absolutely unwilling to deal with any of their ongoing spam problems - they were, at that time, #1 in 4 out of 5 (and sometimes 5 out of 5) spam categories that were being tracked when compared to all other sites on usenet. The UDP was announced with the 5 business day waiting period before institution.
Although their owner continued to make excuses and argue about their culpability as well as bluster and threaten legal action, by the time the deadline had arrived, they had "cleaned up their act" to the point that the UDP was no longer necessary, and the deadline was extended for another 5 days to watch the numbers. After that additional 5 day period, the stats had stayed low, and the UDP deadline was lifted.

In February, 1998, Netcom had been the consistent #1 spam source for almost 3 months, with complaints falling on deaf ears. On February 14, a 5 day warning of an Intent to UDP was issued for Friday, February 20 at 1700 PST. This was later amended to Monday, February 23 at 1700 PST when it was realized that the preceding Monday had been a business holiday for Netcom, so that the Friday deadline would not have allowed an actual 5 business days. By Thursday, they had installed SpamHippo, and their spam statistics had dropped down to the point where they were almost off of the charts. However, during the weekend, many of their spammers started hijacking open news servers outside of Netcom's control, and so their statistics came back up, as this is something SpamHippo cannot catch on outbound spam. Assurances were given that they were working on the problem vigorously, and due to the record of them complying by installing SpamHippo and other countermeasures, it was decided on Monday, February 23 to lift the threat of a UDP and place them on a 5 business day probationary period to monitor the statistics.

In August, 1998, information was "leaked" to MCI2000.com that they were under consideration for a UDP - they immediately cleaned up their act and the announcement was not even necessary.

In November, 1998, an announced PSINet UDP was averted within 45 minutes of the deadline when they implemented heavy spam control procedures. They have since ceased to be a problem.

In June of 1999, Starnet Inc was UDP'd - again, the UDP was lifted very quickly after they instituted some measures that reduced their spam from their POPs. Unfortunately, they seem to have a problem doing so consistently, and occasionally rise back up again. At this time, however, they are much more reactive and proactive to the situations that arise.

Also in June of 1999, HKT was UDP'd, effectively cutting Hong Kong off from the world. They quickly found ways to reduce their spam that they would not even acknowledge reports of previously.

In October 1999, a UDP of BBNPlanet was proposed for lack of control of spamming from BBNPlanet. Once again, merely the mention of this proposal while trying to get issues solved was enough to get them to change their policies as far as dealing with spam. A formal announcement was never made.

In November of 1999, an announced Ameritech UDP was averted by one day after their spam stats dropped dramatically. Unfortunately, they come and go in the stats frequently, mainly because of the Pheromone spammers (Tang, Repsis, & Co) that like to favor them with their business, and who they seem to be unable to prevent from signing up again and again.

In December of 1999, a simultaneous UDP of VSNL and SILNET, the two main carriers in India, was instituted for their failure to even begin to control the usenet terrorist who calls himself "HipCrime" and who forges, cancels, floods, and supersedes thousands of articles on a nearly daily basis in an attempt to blackmail the entire world into doing things his way - his way being a usenet without spam cancels. He had been operating from behind the VSNL/SILNET skirts for over 18 months before the UDP. Currently, VSNL and SILNET have enabled port 119 (news) blocks on all outgoing connections from their services with the exception of their own servers.

© 1997 Ken Lucke - all rights reserved
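
Added example (not part of the original FAQ, and not code from any news server): a sketch of the Path:-based decisions described under "What about stuff that just passes through the site" and "What if my ISP doesn't want to participate?", showing how an active UDP, pathhost aliasing, and selective refusal of cancel pseudo-sites differ. The site names, the sample Path values, the "abusiveispudp" pseudo-site, the rule that the injecting site is the entry just before the tail, and the idea that a UDP cancel carries both "udpcancel" and its per-site pseudo-site are all assumptions made for the illustration.

```python
# Added illustration. Every site name and Path value here is a constructed sample.

def path_entries(path_header):
    """Split a Path: header value into lower-cased entries (newest relay first)."""
    return [e.strip().lower() for e in path_header.split("!") if e.strip()]


def passes_alias_filter(path_header, aliased):
    """Pathhost aliasing: refuse anything whose Path contains an aliased name.

    The check is the same for real sites and for cancel pseudo-sites, and it
    does not distinguish the origin from a relay the article passed through.
    """
    return not any(entry in aliased for entry in path_entries(path_header))


def origin_site(path_header):
    """Assumption for this sketch: the last entry is a mailbox or
    'not-for-mail' tail and the entry before it is the injecting site."""
    entries = path_entries(path_header)
    return entries[-2] if len(entries) >= 2 else None


def targeted_by_active_udp(path_header, udp_site):
    """Active UDP: only articles that originate at the site are cancel targets."""
    return origin_site(path_header) == udp_site.lower()


def classify(samples, udp_site, aliased):
    """Return {label: (active_udp_target, accepted_by_alias_filter)}."""
    return {
        label: (targeted_by_active_udp(path, udp_site),
                passes_alias_filter(path, aliased))
        for label, path in samples.items()
    }


UDP_SITE = "abusiveisp.example"
SAMPLES = {
    "posted_at_udp_site": "relay.example!abusiveisp.example!not-for-mail",
    "transit_via_udp_site":
        "relay.example!abusiveisp.example!smallsite.example!not-for-mail",
    "unrelated": "relay.example!smallsite.example!not-for-mail",
    "spam_cancel": "relay.example!canceler.example!cyberspam!not-for-mail",
    "udp_cancel":
        "relay.example!canceler.example!udpcancel!abusiveispudp!not-for-mail",
}

# Three local policies a site could choose independently of everyone else.
PASSIVE_UDP = {"abusiveisp.example"}    # shun the site itself
REFUSE_ALL_UDP_CANCELS = {"udpcancel"}  # honor spam cancels, no UDP cancels
REFUSE_THIS_UDP_ONLY = {"abusiveispudp"}  # opt out of one particular UDP

if __name__ == "__main__":
    for name, policy in [("passive UDP", PASSIVE_UDP),
                         ("refuse all UDP cancels", REFUSE_ALL_UDP_CANCELS),
                         ("refuse this UDP only", REFUSE_THIS_UDP_ONLY)]:
        print(name)
        for label, result in classify(SAMPLES, UDP_SITE, policy).items():
            print("  %-22s active_target=%s accepted=%s" % ((label,) + result))
```

The transit article is the case that separates the two mechanisms: it is not an active-UDP target, yet a site that has aliased the UDP'ed host refuses it.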